Unlock WD My Book Essential

[aena9200]

Hi,

I have a Mybook Essential Western Digital external hard drive. For some reason I cannot unlock the drive, even though I am quite sure about the password I use but it says the password is invalid. I tried to get the drive out of the USB enclosure and it turned out the drive inside the enclosure is just a 1TB WD caviar green WD10EADS. I tried to check whether the drive is locked or not, so I connected it directly via a SATA cable to the PC. Using mhdd I could not see the disk is locked so I did a stupid thing that I locked it then unlocked it again. When I tried to connect it via the USB enclosure again I noticed that when the drive prompts for the password the password hint does not exist anymore, so my guess is that the password section was overwritten. My conclusion is that the USB controller encodes/encrypts all the data written to the drive so it is not possible to retrieve that data without bypassing the USB controller. But at the same time the password to lock the drive is not used to encrypt the data so this means at least in theory it should be possible to reset that password at least to a known password value. Any thoughts/ideas are welcomed.

Regards,

[pclab]

Search the forum about WD enclosures and their system passwords.
There are a few topics about it.

[Bjerringbro]

There are a couple people I know for this. You can PM me, I'll just direct to their website.

[aena9200]

I tried to save a raw image of the drive, reset the locking by the format utility and finally restore the image back but I got the message that the disk is locked again. I guess this means that the password information is stored on the disk it self not the system area. Any ideas, help???

[Samo]

USB enclosure have its own encryption. The password you have set on your drive while it was outside is completely different thing.
If you want to remove password with mhdd you have to use DISPWD it locks out drive forever, UNLOCK is only till you reboot.

[Nick_CT]

Read through this thread:

unlocking-ata-password-for-western-digital-t8374.html

[DR-Kiev]

As i understood right, topic not about ATA password protection, it is about WD Smartware system .
This is another story.

[aena9200]

Sure you are right, what I am trying now is to
*unlock the drive which means it would erase everything on it
*dump an image of the first around 700MB which represents the CD area where I believe the password is stored
*restore the full image that contains the password and which makes the drive locked
*finally restore the CD image that I got after unlocking the drive
Hopfully this will unlock the drive after those long steps, any are appreciated

[DR-Kiev]

Sure you are right, what I am trying now is to
*unlock the drive which means it would erase everything on it
*dump an image of the first around 700MB which represents the CD area where I believe the password is stored
*restore the full image that contains the password and which makes the drive locked
*finally restore the CD image that I got after unlocking the drive
Hopfully this will unlock the drive after those long steps, any are appreciated

Won't work.
Buy same enclouser and do few experiments with locking/unlocking , compare those VCD (CD area you called). It is stored not of the first around 700MB but at the end of drive , and it is sure not encrypted.
In this area stored script which manipulate of Inic bridge. Don't lose it.
After this , probably you will understand how it is work .

[aena9200]

Sure you are right, what I am trying now is to
*unlock the drive which means it would erase everything on it
*dump an image of the first around 700MB which represents the CD area where I believe the password is stored
*restore the full image that contains the password and which makes the drive locked
*finally restore the CD image that I got after unlocking the drive
Hopfully this will unlock the drive after those long steps, any are appreciated

Won't work.
Buy same enclouser and do few experiments with locking/unlocking , compare those VCD (CD area you called). It is stored not of the first around 700MB but at the end of drive , and it is sure not encrypted.
In this area stored script which manipulate of Inic bridge. Don't lose it.
After this , probably you will understand how it is work .

Thanks a lot DR, you saved me another day, I guess all the magic is in sector 1953517576 I will try to replace it with the data from the unlocked VCD and let's see

[aena9200]

That did not work . I replaced that sector with another sector that I got after unlocking the drive, I got the drive unlocked but I cannot see my data. I would try again but with a sector with locking information for which I know the password. I noticed that that data are encrypted in 16 bytes blocks. any ideas?

[fzabkar]

Could we see the two sectors?

[aena9200]

Could we see the two sectors?

Thanks for your interest, as you see in the pics the difference is in the last 448 bytes of the sector. The sector starts with 'WD'.

Attachments

VCD sector unlocked

VCD sector locked

[aena9200]

Replacing the sector with one for which the password is known did not work either. I guess the encryption key is stored in those 448 bytes, anyway I ran out of ideas hopefully someone here can provide some ideas

[DR-Kiev]

That did not work . I replaced that sector with another sector that I got after unlocking the drive, I got the drive unlocked but I cannot see my data. I would try again but with a sector with locking information for which I know the password. I noticed that that data are encrypted in 16 bytes blocks. any ideas?

I told you : Won't work .

When you replaced those sector you are not just removed the password request, you have changed whole decrypting key.
Don't work with pacient drive not to spoil something.
Did you bought new same enclouser for this game?
Now you are working "arsy-versy" , think more and widely.

[aena9200]

That did not work . I replaced that sector with another sector that I got after unlocking the drive, I got the drive unlocked but I cannot see my data. I would try again but with a sector with locking information for which I know the password. I noticed that that data are encrypted in 16 bytes blocks. any ideas?

I told you : Won't work .

When you replaced those sector you are not just removed the password request, you have changed whole decrypting key.
Don't work with pacient drive not to spoil something.
Did you bought new same enclouser for this game?
Now you are working "arsy-versy" , think more and widely.

OK DR, that is what I have discovered and mentioned in the previous post so every time you reset the password (by formatting) a new key is generated. I compared the VCD of some locked/unlocked states and found only 448 bytes of one sector that change, as I showed in the previous post. There is a risk with buying new enclosure that the firmware of the newer enclosure would be recent and not like the one I have and then I would be in pain again to revert it to the firmware version I have. Anyway I do not think that WD are really stupid or naive, I guess even the stored encryption key is encrypted based on the provided password (hopefully not).

I have a full raw image of the drive so I guess it is safe to experiment with it because I can restore that image at anytime. The encryption used as claimed is AES 256 bit that means the key is 32 bytes of the 448 bytes. If you can help with this or give me some hints to narrow the scope of trying I would be grateful or probably you have an idea of how to bruteforce this password offline just to avoid the 5 times trials

[aena9200]

where can I find inic-1607E chipset datasheet?

[Doomer]

I have a full raw image of the drive so I guess it is safe to experiment with it because I can restore that image at anytime. The encryption used as claimed is AES 256 bit that means the key is 32 bytes of the 448 bytes.

1. AES256 key is 32 bytes in length
2. This key stored encrypted in the sector you showed
3. If you set a password on a drive the key will be encrypted with the password you set and stored in the sector
4.The keys are unique and key from similar drive will not work

That means you don't have pure key and you won't have it if you don't know the password

[aena9200]

I have a full raw image of the drive so I guess it is safe to experiment with it because I can restore that image at anytime. The encryption used as claimed is AES 256 bit that means the key is 32 bytes of the 448 bytes.

1. AES256 key is 32 bytes in length
2. This key stored encrypted in the sector you showed
3. If you set a password on a drive the key will be encrypted with the password you set and stored in the sector
4.The keys are unique and key from similar drive will not work

That means you don't have pure key and you won't have it if you don't know the password

Do you know how the key is stored in that sector? i.e. where is the key in those 448 bytes?

[Doomer]

Do you know how the key is stored in that sector? i.e. where is the key in those 448 bytes?

No, I don't know
Why would it matter?
It's encrypted and even if encryption of the sector itself is also AES256 to encrypt/decrypt the sector with password, the password should be hashed (and possibly salted). I believe the hash algorithm wasn't released into public documents