ST1000LM048

[unknown]

Hello gurus,

Need to extract user password from this 30A sysfile.
I appreciate any help

Attachments

Volume_3 FID_30A.rar

(420 Bytes) Downloaded 22 times

[fzabkar]

The user and master passwords have a length of 32 bytes. I wonder if these are the encrypted passwords?

Code:

Offset(h) 00   02   04   06   08   0A   0C   0E

000000B0            0F63 0D24 66E1 76BD 36A8 C628
000000C0  2825 C963 817F 79E6 2DF5 48C6 640C 58C6
000000D0  4A06 E425

Code:

Offset(h) 00   02   04   06   08   0A   0C   0E

00000140                 3958 3B06 C09A 9566 0447
00000150  F82F 4943 AA71 32EF 2E22 9F00 7FEC 7826
00000160  EB36 602F B91B

Can you experiment with a donor drive and compare the sys file before and after setting a known password?

If you set the same password on two donors, does the sys file change in the same way? If not, then there must be some key or salt that makes them unique.

[unknown]

Thanks a lot for your input Mr. Franc.
I did really an experiment with a donor drive with a known password set by me.
I found a lot of differences before and after in sysfile 30A in several places, and I didn't see the password Iput.
I will upload both tomorrow as I'm not at the office now.
Appreciate your help.

[fzabkar]

I guess that the password is encrypted. If the same password produces different encrypted results on different donors, then I can't see any solution.

Edit:

Do you know the master password? Perhaps you could replace the encrypted string for the user password with the encrypted string for the master password, and then use the master password as your user password?

[unknown]

I did really an experiment with a donor drive with a known password set by me.

Here we go :
Password : Ahmed

Attachments

Volume_3 FID_30AUnlocked.rar

(429 Bytes) Downloaded 21 times

Volume_3 FID_30ALocked.rar

(429 Bytes) Downloaded 23 times

[unknown]

I guess that the password is encrypted. If the same password produces different encrypted results on different donors, then I can't see any solution.

Edit:

Do you know the master password? Perhaps you could replace the encrypted string for the user password with the encrypted string for the master password, and then use the master password as your user password?

Will try and post results.

Thanks for your help.

[unknown]

If the same password produces different encrypted results on different donors

This one tested and it's unfortunately true.

[fzabkar]

Assuming that you have set a user password, I think this is the master password in the donor:

Code:

Offset(h) 00   02   04   06   08   0A   0C   0E

00000060            22CD FCE1 6D60 2297 0B2E 8E18
00000070  0930 4736 75E9 F218 EF31 4E72 F302 C9E1
00000080  0000 0000 0000 0000 0000 0000 0000 0000
00000090  0000 0000 0000 0000 0000 0000 0000 0000
000000A0  0000 0000 0000 0000 0000 0000 0000 0000
000000B0  2000 0000 9A11 24DB 14FB 0D76 970B 519B
000000C0  1C87 3FFF B8B0 BF69 B347 523F E9FE 3DEC
000000D0  9B0A DCA5

Master password in patient:

Code:

Offset(h) 00   02   04   06   08   0A   0C   0E

00000060            BCFB BBC5 654E 4034 0ABF 2B8D
00000070  11B9 7ECD A8A5 D52D 3D82 5390 03F6 906A
00000080  0000 0000 0000 0000 0000 0000 0000 0000
00000090  0000 0000 0000 0000 0000 0000 0000 0000
000000A0  0000 0000 0000 0000 0000 0000 0000 0000
000000B0  2000 0000 0F63 0D24 66E1 76BD 36A8 C628
000000C0  2825 C963 817F 79E6 2DF5 48C6 640C 58C6
000000D0  4A06 E425

These are the user password regions:

Patient:

Code:

Offset(h) 00   02   04   06   08   0A   0C   0E

000000F0                 7233 23ED 8B92 EC3C ACBF
00000100  8B2B A281 3232 9423 D684 1477 6AF8 B92D
00000110  E6AC 0000 0000 0000 0000 0000 0000 0000
00000120  0000 0000 0000 0000 0000 0000 0000 0000
00000130  0000 0000 0000 0000 0000 0000 0000 0000
00000140  0000 2000 0000 3958 3B06 C09A 9566 0447
00000150  F82F 4943 AA71 32EF 2E22 9F00 7FEC 7826
00000160  EB36 602F B91B

Unlocked donor:

Code:

Offset(h) 00   02   04   06   08   0A   0C   0E

000000F0                 9609 3126 F9AF 0284 9EE0
00000100  2D48 BAD7 03C6 7DA7 DC70 445E A131 7310
00000110  E83E 0000 0000 0000 0000 0000 0000 0000
00000120  0000 0000 0000 0000 0000 0000 0000 0000
00000130  0000 0000 0000 0000 0000 0000 0000 0000
00000140  0000 2000 0000 DBE8 00E3 7B06 2745 DE1A
00000150  4AA2 BBC2 0A96 216A 1C63 7576 B911 250F
00000160  554F 839C 25E3

Locked donor:

Code:

Offset(h) 00   02   04   06   08   0A   0C   0E

000000F0                 D4A2 395B F80E DFBD 2E85
00000100  BB34 E0EC 7C83 0E5F 1365 7481 649D BCE3
00000110  D7D8 0000 0000 0000 0000 0000 0000 0000
00000120  0000 0000 0000 0000 0000 0000 0000 0000
00000130  0000 0000 0000 0000 0000 0000 0000 0000
00000140  0000 2000 0000 9D2C 8781 F53D C189 9A0D
00000150  C4DA 7088 297F 5471 2045 43B7 335D 4A44
00000160  0958 C09C 3691

Perhaps you could paste the user password area from your donor into the patient? Then maybe you could unlock the patient with "Ahmed". This area comprises a 32-byte encrypted password plus 28 unique bytes that may be a salt or key of some kind (I'm probably mangling the terminology because I have zero experience in this area).

[unknown]

Perhaps you could paste the user password area from your donor into the patient? Then maybe you could unlock the patient with "Ahmed".

Didn't work.

I believe it's not that simple.
However, I wonder this is my first case seeing a Rosewood drive locked by ATA password after all this years.
I didn't expect to be that hard to unlock like older families.

Anyway, I do really appreciate all your help and assistance Mr. Franc.

[fzabkar]

Maybe there is a flag that indicates when a password is set, in which case the solution could be as simple as resetting the flag.

Have you tried copying the entire sys file between two donors? If this doesn't work, then there must be some additional security related firmware component.

[unknown]

Maybe there is a flag that indicates when a password is set, in which case the solution could be as simple as resetting the flag.

I wish it was that simple Mr. Franc. But I don't think so.

Have you tried copying the entire sys file between two donors? If this doesn't work, then there must be some additional security related firmware component.

Yes I did and still locked no luck.
Agree that there's other sysfiles related to security system, not only 30A.

I wonder if anyone have PC3K confirm that there's no solution for that case ?

[fzabkar]

Is there any difference in 0x1d1 and 0x1d2 in your donor before and after setting a password? I recall a post where someone said that MRT "unlocks" a drive by manipulating 0x1d2.

[unknown]

I found difference in 0x1d3 :

44 00 A5 66 Locked
44 00 A5 62 Unlocked

[fzabkar]

Sorry, I meant sys files 0x1d1 and 0x1d2.

[unknown]

I think I found interesting stuff in 0x1d1 in patient drive.
Tomorrow I will post from donor before and after setting pwd.

Please take a look :

Attachments

Volume_3 FID_1D1.rar

(12.13 KiB) Downloaded 15 times

[fzabkar]

I have extracted 0x1D2 from 0x1D1.

Attachments

1D2_from_1D1.7z

(4.21 KiB) Downloaded 13 times

[fzabkar]

These are your passwords in 0x1D1:

Code:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00039000  00 00 00 00 01 00 00 05 00 00 00 00 BC FB BB C5
00039010  65 4E 40 34 0A BF 2B 8D 11 B9 7E CD A8 A5 D5 2D
00039020  3D 82 53 90 03 F6 90 6A 00 00 00 00 00 00 00 00
00039030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00039040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00039050  00 00 00 00 00 00 00 00 20 00 00 00 0F 63 0D 24
00039060  66 E1 76 BD 36 A8 C6 28 28 25 C9 63 81 7F 79 E6
00039070  2D F5 48 C6 64 0C 58 C6 4A 06 E4 25 00 00 00 00
00039080  00 00 00 00 00 00 00 00 C8 8F 00 00 09 20 20 03
00039090  00 00 00 00 00 00 00 00 00 00 00 00 72 33 23 ED
000390A0  8B 92 EC 3C AC BF 8B 2B A2 81 32 32 94 23 D6 84
000390B0  14 77 6A F8 B9 2D E6 AC 00 00 00 00 00 00 00 00
000390C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000390D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000390E0  00 00 00 00 00 00 00 00 20 00 00 00 39 58 3B 06
000390F0  C0 9A 95 66 04 47 F8 2F 49 43 AA 71 32 EF 2E 22
00039100  9F 00 7F EC 78 26 EB 36 60 2F B9 1B 00 00 00 00

[unknown]

These are your passwords in 0x1D1:

Code:

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00039000  00 00 00 00 01 00 00 05 00 00 00 00 BC FB BB C5
00039010  65 4E 40 34 0A BF 2B 8D 11 B9 7E CD A8 A5 D5 2D
00039020  3D 82 53 90 03 F6 90 6A 00 00 00 00 00 00 00 00
00039030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00039040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00039050  00 00 00 00 00 00 00 00 20 00 00 00 0F 63 0D 24
00039060  66 E1 76 BD 36 A8 C6 28 28 25 C9 63 81 7F 79 E6
00039070  2D F5 48 C6 64 0C 58 C6 4A 06 E4 25 00 00 00 00
00039080  00 00 00 00 00 00 00 00 C8 8F 00 00 09 20 20 03
00039090  00 00 00 00 00 00 00 00 00 00 00 00 72 33 23 ED
000390A0  8B 92 EC 3C AC BF 8B 2B A2 81 32 32 94 23 D6 84
000390B0  14 77 6A F8 B9 2D E6 AC 00 00 00 00 00 00 00 00
000390C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000390D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000390E0  00 00 00 00 00 00 00 00 20 00 00 00 39 58 3B 06
000390F0  C0 9A 95 66 04 47 F8 2F 49 43 AA 71 32 EF 2E 22
00039100  9F 00 7F EC 78 26 EB 36 60 2F B9 1B 00 00 00 00

These are already stored in sysfile 30A.

Maybe I should patch 30A and 1D1 both from donor to patient ?

I appreciate your efforts Mr. Franc.

[fzabkar]

I would first experiment with your donor. I would dump 0x1D1 and 0x30A before and after setting a password on your donor. Then write back the unlocked versions of both modules to your donor. If this unlocks the drive, then we know that these are the only modules involved.

[unknown]

I would first experiment with your donor. I would dump 0x1D1 and 0x30A before and after setting a password on your donor. Then write back the unlocked versions of both modules to your donor. If this unlocks the drive, then we know that these are the only modules involved.

Totally agree