Forgot WD My Passport password - brute force

[dx486]

I have a Western Digital My Passport Ultra external hard drive. I have an idea about my password but I can't remember it exactly. I have tried many times with no success. It takes a lot of time and I want to find to automatize this process if possible.

I guess the answer will be no but let me still ask: Is there a way to retrieve my password? If no, is there a script or software to brute force disk password, by giving some keywords and let the software use them with number combinations? The software should auto eject/insert the drive at every 5-6 tries as the password entry option gets locked each time.

[jermy]

I don't know if there is one but you can definitely write one (if you have the necessary skills)
The problem is the law side, I don't know who is gonna do it for you (if you don't find it or you dont have the skills to DIY)

[drHDD]

How much you gonna pay for this software?

[Kum Ruzvelt]

How much you gonna pay for this software?

Download for free from torrent or warez sites

[dx486]

How much you gonna pay for this software?

Download for free from torrent or warez sites

Which software do you suggest?

[dx486]

I don't know if there is one but you can definitely write one (if you have the necessary skills)
The problem is the law side, I don't know who is gonna do it for you (if you don't find it or you dont have the skills to DIY)

I may learn programming. Which language/IDE would be practical for this purpose? I prefer a way which is easy to learn and easy to implement.

[fzabkar]

Most of the work has already been done and it's open source. I suggest you contact the author.

reallymine: Western Digital MyBook/MyPassport decryption:
https://github.com/andlabs/reallymine
https://github.com/andlabs/reallymine/a ... master.zip

reallymine is a program that decrypts the encrypted hard drives of Western Digital MyBook and MyPassport external hard drives (and some rebranded derivatives).

Currently, it can only decrypt JMicron and Initio bridge chip-based devices that use AES-256-ECB encryption. I'd love to expand this to cover Symwave [already done] and PLX/Oxford Semiconductor bridge chips and the other known encryption modes, but I need your help; see below. It also does not currently handle entering passwords; if your drive is password-protected (and the bridge chip requires a password) but most of the work is already there (in kek.go); I just need to write the code that actually lets you type in a password, and then we'll be fine.

[fzabkar]

The way that I would approach this problem is to adapt the code in reallymine.

Locate the "key sector" on the HDD.

Identify the bridge IC and the corresponding encryption algorithm.

Locate a sector that is known to be filled with encrypted zeros.

Extract the 16-byte pattern corresponding to 16 zeros.

Use reallymine to decrypt this 16-byte sequence by using passwords from a dictionary file.

Stop if result is 16 zeros, else try next password.

[fzabkar]

Actually the brute-force method doesn't need to test the data. It only needs to test the decrypted key sector by looking for certain strings.

got HW crypto? On the (in)security of a Self-Encrypting Drive series:
http://eprint.iacr.org/2015/1002.pdf

In any case, IIUC, My Passport Ultra's the HDD controller is doing the decryption/encryption, not the USB-SATA bridge.

The INIC-3608 microprocessor is based on an ARC 600 CPU to bridge USB to SATA once again. This chip does not have a hardware accelerated AES engine. At first this seemed rather suspicious, as the package of the device advertises with hardware based encryption. If done in software there is no chance with an observed clock speed below 100 Mhz to encrypt at USB3.0 speed. Nevertheless as advertised, the MP-Slim and MP-Ultra do hardware accelerated AES encryption, but not on the bridge. It turns out, the HDD controller is doing the en- and decryption of user data. The USB to SATA is performing the user authentication and supports the standard VSCs from WD.

We tried to connect the SATA HDD directly over the PCB [4] for accessing a raw sector, but did not succeed. The data access is restricted by a set ATA-password in the SATA-HDD. The bridge is therefore doing user authentication by setting an ATA password, once the user generates his password. If the user does not supply a password, the user data is inaccessible when connecting directly to the SATA ports.

Finally, we were able to bypass the ATA password with commercial tools. Nevertheless, this is not an off-the-self solution offered, so we worked our way through to the AES protection. We located the location of the ATA password and some (unknown) connection to the AES password in different SAs from the internal 2.5" SATA HDD. After resetting the ATA password, we had complete access to the decrypted user data, as the SATA chip decrypted on-the-fly. Regardless of the user-password, KEK or DEK.

Here is what the researchers have to say about SED encryption for drives based on the JMS569 bridge:

Facing a protected HDD is not new problem for HDD forensics. As there are already existing commercial solutions (e.g PC-3000), we analyzed the HDD directly with those tools. Their approach seems to follow a straight pattern, which allows SA access by overwriting the RAM/ROM and bypass security features like ATA passwords and optionally AES keys. By forcing SA access and manipulating the SA area 0x124 and 0x127 we were able to unlock the HDD and disable the SATA AES encryption. Note that this works always, independent of the chosen user password and bridge status.

[dx486]

The way that I would approach this problem is to adapt the code in reallymine.

Locate the "key sector" on the HDD.

Identify the bridge IC and the corresponding encryption algorithm.

Locate a sector that is known to be filled with encrypted zeros.

Extract the 16-byte pattern corresponding to 16 zeros.

Use reallymine to decrypt this 16-byte sequence by using passwords from a dictionary file.

Stop if result is 16 zeros, else try next password.

Thank you very much for guiding me fzabkar. I do very much aprreciate.

Although I am enthusiastic about computers I am not knowledgeable about drives and about these steps. If you could tell me exactly which tools should I use to identify the bridge and encryption algorhytm, locating the sector and applying other steps, I would be grateful.

I can pay you if you would like, for your time and expertise, if you can help me recover this drive's password.

[einstein9]

@ dx486

Download this App. from WD website
Run it, and tell me ur Drive FW

http://download.wdc.com/fwupdater/Win/W ... pdater.zip

and the Release Date of ur Drive also (Printed on HDD Sticker, i.e. Jan. 2014)

[dx486]

@ dx486

Download this App. from WD website
Run it, and tell me ur Drive FW

http://download.wdc.com/fwupdater/Win/W ... pdater.zip

and the Release Date of ur Drive also (Printed on HDD Sticker, i.e. Jan. 2014)

Thank you for your help.

Drive FW: v1.049

I don't see a date on the drive. I see:

P/N: WDBZFP0010BBK-03
S/N: WX7...H67
3514B R/N: D8B DAAHFA

I alsa see a part number and lot number on a sticker attached on its USB 3.0 cable.

[fzabkar]

@dx486, I suggest you contact the author of "reallymine". I can write a program, but I'm not a programmer.

As for identifying the bridge IC, you could use a tool such as UVCView or USBDeview.

http://www.nirsoft.net/utils/usb_devices_view.html
http://download.microsoft.com/download/e/b/a/eba1050f-a31d-436b-9281-92cdfeae4b45/UVCView.x64.exe
http://www.users.on.net/~fzabkar/USB_IDs/UVCView.x86.exe

Here is an example of what you are looking for:

Code:

          ---===>Device Information<===---
English product name: "My Book 1140"

ConnectionStatus:                 
Current Config Value:              0x00  -> Device Bus Speed: Full
Device Address:                    0x02
Open Pipes:                           0
*!*ERROR:  No open pipes!

          ===>Device Descriptor<===
bLength:                           0x12
bDescriptorType:                   0x01
bcdUSB:                          0x0210
bDeviceClass:                      0x00  -> This is an Interface Class Defined Device
bDeviceSubClass:                   0x00
bDeviceProtocol:                   0x00
bMaxPacketSize0:                   0x40 = (64) Bytes
idVendor:                        0x1058 = Western Digital Technologies, Inc.
idProduct:                       0x1140
bcdDevice:                       0x1012
iManufacturer:                     0x01
     English (United States)  "Western Digital"
iProduct:                          0x02
     English (United States)  "My Book 1140"
iSerialNumber:                     0x05
     English (United States)  "574D43315431323833333632"
bNumConfigurations:                0x01

The VID and PID are 0x1058:0x1140. The tables at the following thread identify the bridge IC as a JMS538S. In this particular example the decryption is handled by the bridge.

http://www.hddoracle.com/viewtopic.php? ... 9069#p9069

[einstein9]

Ref. Link: http://www.cheadledatarecovery.co.uk/wp ... tWare1.jpg

i mean like this form : Dec. 5th 2009 (as in imaged attached)

@ dx486

Download this App. from WD website
Run it, and tell me ur Drive FW

http://download.wdc.com/fwupdater/Win/W ... pdater.zip

and the Release Date of ur Drive also (Printed on HDD Sticker, i.e. Jan. 2014)

Thank you for your help.

Drive FW: v1.049

I don't see a date on the drive. I see:

P/N: WDBZFP0010BBK-03
S/N: WX7...H67
3514B R/N: D8B DAAHFA

I alsa see a part number and lot number on a sticker attached on its USB 3.0 cable.

[dx486]

Should I remove the case of the external drive?

Ref. Link: http://www.cheadledatarecovery.co.uk/wp ... tWare1.jpg

i mean like this form : Dec. 5th 2009 (as in imaged attached)

[dx486]

I removed the case.

MDL: WD10JMVW
Date: 11 Feb 2014

Please help me @einstein9

[dx486]

@fzabkar I contacted with the author of "reallymine". For those who are interested here is the thread we are discussing this.

[fzabkar]

@dx486, is there any reason why you can't provide us with the USBDeview or UVCView output?

What is the full model number, including the suffix, eg WD10JMVW-11AJGS1?

Can you remove the PCB from the drive and upload a detailed photo of the component side?

"andlabs" needs to identify the bridge IC in order to determine the type of encryption being used. Then we need to bypass the bridge in order to search for the key sector. That said, if you have a SED drive, then the key will be in the System Area (SA), not in the user area, IIUC.

Waiting for your info ...

[dx486]

Here is the picture of the drive: https://www.dropbox.com/s/9t4sc68uy2szhty/DSC_1666.JPG?dl=0

[fzabkar]

Your drive appears to be SED locked. If you invalidate the bridge firmware, you should be able to see the HDD's entire user area. This will enable you to search the SmartWare area for a key sector. However, my understanding is that the key is stored in the "discware" area, not in the user area. This means that you will need to follow the procedures outlined in the abovementioned PDF document.