Bufalo Samsung hdd Encryption

[einstein9]

Hi guys,

I got this case Buffalo hdd, i managed to fix the samsung drive but i found that it comes with a Password Protected and encryption tech. inside

it reads (as i guess) from the Winbond 25x10av chip. which am working on now.

my best guess here is to take this chip to my programmer and dump the chip content then open it with Winhex
and see how it goes..

am i correct on this? or had anyone got such a similar case to this?

thnx

[einstein9]

here is the chip dump from the programmer

Attachments

Buf-Dump.rar

(9.97 KiB) Downloaded 1063 times

[fzabkar]

AISI, you have a Buffalo LinkStation Live v2 that enumerates as a "USB-SATA Bridge 1607". The bridge is an Initio chip of some kind. The flash memory contains references to an Initio INIC-1615. Therefore I suspect that the bridge is either an INIC-1615 or an INIC-1607, or perhaps an INIC-1607E. AIUI, the "E" suffix denotes AES hardware encryption.

That said, I would expect that the bridge IC is under the control of the host CPU (ARM9 ?), and that any password protection would be managed by the host. If so, then any password must be stored somewhere else.

[fzabkar]

The product brief for the INIC-1615 makes no mention of encryption:
http://www.initio.com/Html/Doc/INIC-161 ... 0Brief.pdf

However, Initio's product page does:
http://www.initio.com/Html/inic-1615.html

BTW, is the device a LinkStation, or just a plain external HDD?

[einstein9]

The product brief for the INIC-1615 makes no mention of encryption:
http://www.initio.com/Html/Doc/INIC-161 ... 0Brief.pdf

However, Initio's product page does:
http://www.initio.com/Html/inic-1615.html

BTW, is the device a LinkStation, or just a plain external HDD?

thnx man for the reply, it is the MiniStation 320GB USB

[guru]

why not ask the user?

[einstein9]

I tried the password which the user provided but was incorrect

thats why am turning around it, i do believe that this USB Adapter comes with the Chip Mentioned 25x10 which stores the password inside it. the DUMP file contains the pass. but looks encrypted too or maybe, i dono really

[einstein9]

forgot to attach the USB Images

it is here: http://dr.xploitbox.info/files-case-php ... g%20Inside

i cannot upload it here coz high res. + size

[guru]

AFAIK it uses an integrate internal turbo 8051 uP with 32KB embedded SRAM

AISI, you have a Buffalo LinkStation Live v2 that enumerates as a "USB-SATA Bridge 1607". The bridge is an Initio chip of some kind. The flash memory contains references to an Initio INIC-1615. Therefore I suspect that the bridge is either an INIC-1615 or an INIC-1607, or perhaps an INIC-1607E. AIUI, the "E" suffix denotes AES hardware encryption.

That said, I would expect that the bridge IC is under the control of the host CPU (ARM9 ?), and that any password protection would be managed by the host. If so, then any password must be stored somewhere else.

[fzabkar]

Sorry for my error. In the absence of detailed product information in the original post, I examined the firmware dump and found a Vendor ID of 0x0411 and a Product ID of 0x0177. I then found a reference to these IDs in the following thread:

http://forum.buffalo.nas-central.org/vi ... 39&t=22184

Unfortunately there were two Buffalo devices, a LinkStation Live 500 v2 and a HD-PXU2. I only noticed the first one. <slaps forehead>

Offset 0x1000
-------------
25 C9 01 01 1D 60 00 10 10 07 03 02 F7 56 03 00 00 00 00 00 00 00 1D 60 42 55 46 46 41 4C 4F 20 20 20 20 20 20 20 20 20 02 00 00 08 07 00 00 00 55 53 42 2D 53 41 54 41 20 42 72 69 64 67 65 20 31 36 30 37 20 20 20 20 20 20 20 20 20 20 20 20 FF 7F FF 7F 00 00 00 00 04 11 01 77 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Manufacturer: BUFFALO --- 16 bytes?
Product: USB-SATA Bridge 1607 --- 32 bytes?
SerialNumber: 001010070302F75603 --- 16 bytes?
Vendor ID: 0411 --- Buffalo (Melco)
Product ID: 0177 --- HD-PXU2

Offset 0x8080
-------------
25 C9 01 01 1D 60 00 10 10 07 40 00 00 00 03 00 00 00 00 00 00 00 07 40 49 6E 69 74 69 6F 20 20 20 20 20 20 20 20 20 20 02 00 81 00 00 00 00 00 49 4E 49 43 2D 31 36 31 35 20 20 20 20 20 20 20 49 4E 49 43 2D 31 36 31 35 5F 31 20 20 20 20 20 FF 7F FF 7F 00 00 00 00 13 FD 1D 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Manufacturer: Initio --- 16 bytes?
INIC-1615 --- 16 bytes?
INIC-1615 --- 16 bytes?
Vendor ID: 13FD --- Initio Corporation

[fzabkar]

Referring to the aforementioned LinkStation thread, ISTM that the external drive may configured similarly to WD's INIC-1607E products. That is, it appears to have a VCD.

[   40.263426] scsi 2:0:0:0: Direct-Access     BUFFALO  HD-PXU2          0.81 PQ: 0 ANSI: 4
[   40.287670] scsi 2:0:0:1: CD-ROM            BUFFALO  Virtual Cdrom    0.81 PQ: 0 ANSI: 0
[   40.381985] sd 2:0:0:0: [sdb] 623872560 512-byte logical blocks: (319 GB/297 GiB)

Assuming the password is stored in the flash memory and not on the drive (?), then one way to find out where it lives would be to obtain a similar product and dump the firmware before and after a password change.

[dick]

then one way to find out where it lives would be to obtain a similar product and dump the firmware before and after a password change.

If I understand correctly the drive user dosn't input a password to be used by the initio encryption so I don't think that method can be used. Or have I misunderstood?

[fzabkar]

If I understand correctly the drive user dosn't input a password to be used by the initio encryption so I don't think that method can be used. Or have I misunderstood?

The data are hardware-encrypted, whether or not a password has been set. However, the user can still supply a password for privacy purposes, not for encryption purposes.

[einstein9]

Referring to the aforementioned LinkStation thread, ISTM that the external drive may configured similarly to WD's INIC-1607E products. That is, it appears to have a VCD.

[   40.263426] scsi 2:0:0:0: Direct-Access     BUFFALO  HD-PXU2          0.81 PQ: 0 ANSI: 4
[   40.287670] scsi 2:0:0:1: CD-ROM            BUFFALO  Virtual Cdrom    0.81 PQ: 0 ANSI: 0
[   40.381985] sd 2:0:0:0: [sdb] 623872560 512-byte logical blocks: (319 GB/297 GiB)

Assuming the password is stored in the flash memory and not on the drive (?), then one way to find out where it lives would be to obtain a similar product and dump the firmware before and after a password change.

thnx man for this, well the one i have is the: HD-PXU2 (320GB)

i bought a new one, i made a dump of this blank CHIP (attaching both)

now here is what i did:

1- I used the new Blank USB adapter with my client hdd - did not work means cannot access data
2- I used the client USB Adapter with my new HDD - did not work means cannot access data

i wrote the new Blank USB CHIP to the Client chip n tried - same

i dono what else can be done here.... made me crazy really

Attachments

Buffalo.rar

Blank New Chip Dump

(19.93 KiB) Downloaded 868 times

[fzabkar]

AISI, there is no password in the client's flash memory. The differences in your firmware dumps are only in the serial number.

Code:

D:\Temp\HDD\Firmware\Buffalo>dir

BUFFO-~1           131,072  03-26-11  6:04p buffo-Org-Chip--Encrypted
BUFFO-~2           131,072  03-27-11  7:05p buffo-Org-Chip--Mine

D:\Temp\HDD\Firmware\Buffalo>fc /b buffo-~1 buffo-~2
Comparing files buffo-Org-Chip--Encrypted and buffo-~2
0000100B: 02 05
0000100C: F7 D2
0000100D: 56 BB


If there is any password, are you sure it isn't just an ordinary ATA password that is written to the drive?

BTW, when you say "cannot access data", do you mean that the data are encrypted, or do you mean that the user LBAs cannot be accessed at all?

Although the INIC-1615 datasheet doesn't mention it, is it possible that each Initio bridge chip has some customised ROM data??? BTW, is it an INIC-1607E or INIC-1615?

Could it be that the unique serial number in the flash memory is somehow linked to a particular HDD? Is it possible that the HDD has a copy of the bridge serial number in its VCD area or in the user LBAs beyond the VCD???

The LinkStation thread indicates that the visible user area consists of "623872560 512-byte logical blocks". I would dump the LBAs between sector 623872560 and the end of the drive. Do this for both drives and compare them.

If there is no difference, then is there a small HPA? Could the drive have a password or key that is derived from the serial number in the flash? Did you try your client's bridge with your new HDD, after writing your own flash code to it?

[einstein9]

Thnx again

about accessing the DATA, well i cannot read any sector in UDMA, DE, all sectors un-readable

in client hdd, i can see the Virtual CD Partition Only, it has a password utility i ran it, the password manager which asks for the password, but whatever password the client told me is WRONG, and when you enter the password wrong it ejects the DATA partition.

i tried the NEW hdd USB Adapter (blank password ) i bought with the the Client HDD attached, i can see the HDD but NO ACCESS.

i tried all possibilities with no success of accessing the DATA.

1- NEW Blank Password USB PCB with client HDD = no data access not asking for pass.
2- Client Pass. protected USB PCB with client HDD = asking for pass which is wrong.

heheh made me more crazy now

[fzabkar]

AIUI, the drive is organised as follows:

user LBAs --- VCD LBAs --- Initio LBAs

Assuming the password lives in either the VCD or Initio LBAs, then ISTM that a sensible approach to locate it would be to use your own drive and bridge PCB to ...

- set a password via USB using the VCD software
- connect to the drive via SATA
- dump the VCD and Initio LBAs
- reconnect via USB and change the password
- dump the VCD and Initio LBAs again via SATA
- compare the two dumps

The user LBAs appear to range from LBA 0 to LBA 623872559. A utility such as HDDScan should be able to confirm this. HDDScan should also be able to report the full size of the drive when connected via SATA.

[einstein9]

thnx man i will go through this and update you soon