I managed to solve the problem. So I assumed I need to have an unknown master password to remove the password protection from the hard drive. Then I found this document. It has a fancy table which reveals that I don't have to know the master password to remove the password protection, as long as the security level is "high", and the user password is known. That the Lenovo ThinkPad BIOS requires the master password to remove the user password is only a software restriction of the BIOS interface, and not a requirement of the ATA standards.
With that being known, I should have been able to remove the password with hdparm:
- Code:
root@thinkpad:~# hdparm --security-disable PASSWORD /dev/sdb
security_password="PASSWORD"
/dev/sdb:
Issuing SECURITY_DISABLE command, password="PASSWORD", user=user
SECURITY_UNLOCK: Input/output error
It failed. Somewhere I've read that many BIOSes encode the HDD password in keyboard scan codes, and not in ASCII. I encoded the password into keyboard scan codes, but I was still unable to disable security. It probably means that the Lenovo BIOS encodes the HDD password in an unknown way.
In theory, setting another password does not require supplying the old password. So I should be able to supply an arbitrary new password when the hard drive is unlocked, and then try SECURITY_DISABLE with the correctly encoded password. However, I found this method too dangerous, for the following reason: if I set a password that doesn't conform to the Lenovo BIOS encoding style, the Lenovo BIOS will not allow me to unlock the HDD anymore. Thus, I could have really ended up with an HDD that I cannot even unlock, and then it's game over. Theoretically, issuing a SECURITY_SET_PASSWORD immediately followed by a SECURITY_DISABLE should be fool-proof, but honestly, I did not dare to take the risk. If I manage to set a new password but am still unable to disable security, that would suck big time.
Then I found Jethro Beekman's post. This guy has reverse engineered the algorithm that the Lenovo BIOS uses to encode HDD passwords. He also has a Ruby tool which reproduces this algorithm. Its output can be used with hdparm.
Here are the commands that helped me to remove the password (they are based on the tool's original instructions, adapted to my situation):
- Code:
root@thinkpad:~# hdparm --Istdout /dev/sdb > sdb.ata_identify
root@thinkpad:~# P="$(ruby pw.rb sdb.ata_identify)"
Enter password: <<interactively asks for password>>
root@thinkpad:~# hdparm --security-disable $P /dev/sdb
security_password="GARBAGE"
/dev/sdb:
Issuing SECURITY_DISABLE command, password="GARBAGE", user=user
Now, hdparm -I gives me the following:
- Code:
Security:
Master password revision code = 16385
supported
not enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
94min for SECURITY ERASE UNIT. 94min for ENHANCED SECURITY ERASE UNIT.
Yeah! It says, security is disabled! Now I have no password anymore!
The same should work with my other drive too.
In theory, if this doesn't work, you can set a new password and then disable security. But, as I wrote earlier, I find it dangerous. I only publish this method for the sake of completeness. If you are really desperate, you can try it, but be warned – if it doesn't work, you could permanently lock your hard drive. If it doesn't work, don't power off your drive until you find another solution, because once it is locked, you will probably never be able to unlock it again.
- Code:
hdparm --security-set-pass ARBITRARY /dev/sdb
hdparm --security-disable ARBITRARY /dev/sdb
Once again, be warned: if the first command succeeds but the second one fails, your BIOS will not unlock your drive anymore.
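A check for the `hdparm -I` verification step above, as an added example that is not part of the original post: it reads the `Security:` block and reports the flags, so a script can confirm that security is really disabled (or see that the drive is still locked) before the drive is powered off. The function names and sample text are constructed for illustration; real input is assumed to be unmodified, tab-indented `hdparm -I` output.

```sh
#!/bin/sh
# Added example: summarize the "Security:" block of `hdparm -I` output.

# Reads `hdparm -I` text on stdin and prints one line such as
#   supported=yes enabled=no locked=no frozen=no
# Returns 1 if the input has no Security: block.
ata_security_state() {
    awk '
        BEGIN {
            n = split("supported enabled locked frozen", names, " ")
            for (i = 1; i <= n; i++) state[names[i]] = "unknown"
        }
        /^Security:/       { insec = 1; found = 1; next }
        insec && /^[^ \t]/ { insec = 0 }   # next unindented heading ends the block
        insec {
            neg  = ($1 == "not")
            word = neg ? $2 : $1
            # Bare flag lines only; "supported: enhanced erase" and
            # "not expired: security count" have extra fields and are skipped.
            if (NF == (neg ? 2 : 1) && (word in state))
                state[word] = neg ? "no" : "yes"
        }
        END {
            if (!found) exit 1
            for (i = 1; i <= n; i++)
                printf "%s%s=%s", (i > 1 ? " " : ""), names[i], state[names[i]]
            print ""
        }'
}

# Succeeds only when the drive reports "not enabled" and "not locked",
# the state the post shows after a successful --security-disable.
ata_security_is_disabled() {
    case "$(ata_security_state)" in
        *"enabled=no locked=no"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample inputs (tab-indented the way hdparm prints them).
sample_after_disable() {
    printf 'Security: \n\tMaster password revision code = 16385\n'
    printf '\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n'
    printf '\tnot\texpired: security count\n\t\tsupported: enhanced erase\n'
}
sample_locked() {
    printf 'Security: \n\t\tsupported\n\t\tenabled\n\t\tlocked\n\tnot\tfrozen\n'
    printf '\tSecurity level high\n'
}

# Real use (device path as in the post): hdparm -I /dev/sdb | ata_security_state
sample_after_disable | ata_security_state
```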