All times are UTC - 5 hours [ DST ]




 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: August 4th, 2016, 19:06 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
Here are the two firmware modules identified by the security researchers in the abovementioned paper:

Module 0x127

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  52 4F 59 4C 01 00 1E 00 27 01 01 00 B9 1B 92 B9  ROYL....'...¹.’¹
00000010  4E 4F 54 5F 49 4E 49 54 00 00 00 00 00 00 00 00  NOT_INIT........
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000030  00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20  ..             
00000040  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                 
00000050  00 00 57 44 43 57 44 43 57 44 43 57 44 43 57 44  ..WDCWDCWDCWDCWD
00000060  43 57 44 43 57 44 43 57 44 43 57 44 43 57 44 43  CWDCWDCWDCWDCWDC
00000070  57 00 FE FF 00 00 00 00 00 00 00 00 00 00 00 00  W.þÿ............

Module 0x124

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  52 4F 59 4C 01 00 1E 00 24 01 01 00 C9 77 97 BE  ROYL....$...Éw—¾
00000010  4E 4F 54 5F 49 4E 49 54 00 00 00 00 00 00 00 00  NOT_INIT........

Notice that the default user password consists of 30 spaces while the default master password is "WDCWDC ...". The researchers bypassed the SED lock (using PC3000) and accessed these modules in the normal way.

_________________
A backup a day keeps DR away.
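
An added example, not part of the original post or of any tool mentioned in the thread: it rebuilds the bytes of the module 0x127 dump above and reports whether the password fields still hold the factory defaults the post describes. The field offsets (module ID at 0x08, passwords at 0x32 and 0x52, the word at 0x72) and all names are assumptions read off the posted bytes, not vendor documentation.

```python
import re

# Hex columns of module 0x127 exactly as posted above (ASCII column dropped).
DUMP_127 = """\
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000  52 4F 59 4C 01 00 1E 00 27 01 01 00 B9 1B 92 B9
00000010  4E 4F 54 5F 49 4E 49 54 00 00 00 00 00 00 00 00
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030  00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000040  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000050  00 00 57 44 43 57 44 43 57 44 43 57 44 43 57 44
00000060  43 57 44 43 57 44 43 57 44 43 57 44 43 57 44 43
00000070  57 00 FE FF 00 00 00 00 00 00 00 00 00 00 00 00
"""

ROW = re.compile(r"^([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2} ){15}[0-9A-Fa-f]{2})")

def parse_hexdump(text):
    """Rebuild bytes from hex-editor rows; header rows and ASCII columns are skipped."""
    data = bytearray()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        if int(m.group(1), 16) != len(data):
            raise ValueError("gap or out-of-order row at offset " + m.group(1))
        data += bytes.fromhex(m.group(2))
    return bytes(data)

def inspect_module(data):
    """Field offsets are assumptions inferred from the posted dump."""
    if data[:4] != b"ROYL":
        raise ValueError("missing ROYL signature")
    info = {"module_id": int.from_bytes(data[8:10], "little"),
            "state": data[0x10:0x18].decode("ascii", "replace")}
    if len(data) >= 0x74:  # long enough to hold both password fields
        info["user_pw_default"] = data[0x32:0x50] == b" " * 30
        info["master_pw_default"] = data[0x52:0x71] == (b"WDC" * 11)[:31]
        # 0xFFFE equals the ATA factory-default master password identifier (inference)
        info["word_0x72"] = int.from_bytes(data[0x72:0x74], "little")
    return info

if __name__ == "__main__":
    print(inspect_module(parse_hexdump(DUMP_127)))
```

A dump that is too short to contain the password fields, such as the 32 bytes shown for module 0x124, yields only the header fields.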


 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: August 5th, 2016, 17:25 
Joined: October 5th, 2015, 18:53
Posts: 478
Location: US
I don't think they talked about modules. I think they talked about offset in module.


 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: August 5th, 2016, 18:59 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
They refer to "SA area" and "different SAs". That doesn't sound like they are referring to offsets. ???

Quote:
By forcing SA access and manipulating the SA area 0x124 and 0x127 we were able to unlock the HDD and disable the SATA AES encryption.

Quote:
We located the location of the ATA password and some (unknown) connection to the AES password in different SAs from the internal 2.5" SATA HDD.

_________________
A backup a day keeps DR away.


 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: August 5th, 2016, 19:44 
Joined: October 5th, 2015, 18:53
Posts: 478
Location: US
Will see.


 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: August 10th, 2016, 9:56 
Joined: July 25th, 2016, 9:40
Posts: 16
Location: Europe
fzabkar wrote:
@dx486, is there any reason why you can't provide us with the USBDeview or UVCView output?

What is the full model number, including the suffix, eg WD10JMVW-11AJGS1?

Can you remove the PCB from the drive and upload a detailed photo of the component side?

"andlabs" needs to identify the bridge IC in order to determine the type of encryption being used. Then we need to bypass the bridge in order to search for the key sector. That said, if you have a SED drive, then the key will be in the System Area (SA), not in the user area, IIUC.

Waiting for your info ...

Hello fzabkar,

USBdeview output is here.

Here is a detailed photo of the drive.

I will try to use reallymine but I could not connect the drive via SATA. I see there are [12 pins] - USB port and [2 pins] on the drive. They don't seem compatible with SATA cables. I have found this article but it is an old one and my drive seems different.

Here is a close picture.

If you have any idea please share with me.

If you want me to provide any other info, please tell me.


 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: August 10th, 2016, 15:50 
Joined: July 25th, 2016, 9:40
Posts: 16
Location: Europe
Here is the circuit photo. Thank you!


 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: August 10th, 2016, 16:34 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
AIUI, the drive is a SED (VID/PID = 1058/0810):

http://www.hddoracle.com/viewtopic.php? ... 9069#p9069

This means that encryption is handled by the drive rather than the bridge. Therefore I don't think that reallymine would be applicable in your case. You could always ask the author, though.

Note that your drive will have a locked SA which means that you will need special techniques to gain access:

viewtopic.php?f=1&t=33822&p=236436

You could wait for WDMarvel (US$15) to add this feature (if it doesn't have it already?).

_________________
A backup a day keeps DR away.


 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: August 11th, 2016, 14:33 
Joined: December 17th, 2009, 22:57
Posts: 142
Location: Macedonia
One of the heads is weak or dead.

_________________
Sistrum Data Recovery
http://www.sistrum.mk/en


 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: August 11th, 2016, 17:30 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
dx486 wrote:
I will try to use reallymine but I could not connect the drive via SATA. I see there are [12 pins] - USB port and [2 pins] on the drive. They don't seem compatible with SATA cables. I have found this article but it is an old one and my drive seems different.

This thread explains what you need to do:
viewtopic.php?f=1&t=27819

Notice that removing (or defeating) U14 causes the bridge IC to behave like an ordinary "dumb" bridge. In this state you will probably find that the drive then reports, via the ATA Identify Device command, that it is locked by an ATA password (if I understand the research paper correctly). You will also be able to search the end of the drive's user area for a key (which will probably not be stored there).

_________________
A backup a day keeps DR away.


 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: August 18th, 2016, 16:27 
Joined: July 25th, 2016, 9:40
Posts: 16
Location: Europe
I am desperately trying to figure out how can a software unlock WD Security software after 5 wrong entries.

What exactly does cause this counter to be reset? Turning the power for the drive on and off?

Disabling/enabling the drive using "devcon" does not reset the counter.

I guess coding a program which will reset the counter variable in memory to prevent unlock is a difficult task... Just an idea...

Does anybody know where does WD Security software store the counter for wrong entries?

Can a "USB-over-TCP/IP program" be a solution?

Somebody from this site told me that the software can "do it by itself if I will solder small board which could repower drive if software will ask about it". I don't understand what it is meant by that. Can somebody please explain it to me how can I do that or direct me to a tutorial?

I have posted a question about this issue on stackoverflow as well.


 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: August 18th, 2016, 18:10 
Joined: October 5th, 2015, 18:53
Posts: 478
Location: US
It was me.
It's easy to solder a primitive board (controlled through the LPT port) which will be able to switch power on and off.


 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: August 19th, 2016, 4:30 
Joined: July 25th, 2016, 9:40
Posts: 16
Location: Europe
Just to note here for others who may be interested: A friend told me to use a USB relay like this one. He told me to cut the cable and connect red cable to the relay. :)


 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: August 23rd, 2016, 13:21 
Joined: March 30th, 2016, 12:29
Posts: 127
Location: Germany
dx486 wrote:
What exactly does cause this counter to be reset? Turning the power for the drive on and off?

Yes.

dx486 wrote:
Does anybody know where does WD Security software store the counter for wrong entries?

I think the wrong password attempts are counted in the drive's firmware.
The counting of the WD software is irrelevant.

dx486 wrote:
Can a "USB-over-TCP/IP program" be a solution?

No, I don't see a way to fool the drive's firmware with this solution.
Even if it would work... it wouldn't be an efficient solution.

If you still want to decrypt the drive I could maybe help you.
The easiest way would be to send the drive to me.
Please send me a private message for this purpose.

Best Regards


 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: August 23rd, 2016, 16:36 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
dx486 wrote:
Just to note here for others who may be interested: A friend told me to use a USB relay like this one. He told me to cut the cable and connect red cable to the relay. :)

You would need to write a batch routine to test 4 passwords, then send a command to switch off the relay, wait for 1 second, switch the relay back on, and then wait for a few seconds for the drive to spin up again.

_________________
A backup a day keeps DR away.


 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: August 27th, 2016, 7:33 
Joined: July 25th, 2016, 9:40
Posts: 16
Location: Europe
fzabkar wrote:
dx486 wrote:
Just to note here for others who may be interested: A friend told me to use a USB relay like this one. He told me to cut the cable and connect red cable to the relay. :)

You would need to write a batch routine to test 4 passwords, then send a command to switch off the relay, wait for 1 second, switch the relay back on, and then wait for a few seconds for the drive to spin up again.


Do you think using this method might decrease the drive's lifespan?


 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: August 27th, 2016, 13:46 
Joined: October 16th, 2013, 13:21
Posts: 713
Location: Brazil
Every power up/shutdown cycle decreases it a little. So, if you are doing a couple hundred/thousands/more cycles, yes, it will decrease.


 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: August 29th, 2016, 12:55 
Joined: October 5th, 2015, 18:53
Posts: 478
Location: US
dx486 wrote:
fzabkar wrote:
dx486 wrote:
Just to note here for others who may be interested: A friend told me to use a USB relay like this one. He told me to cut the cable and connect red cable to the relay. :)

You would need to write a batch routine to test 4 passwords, then send a command to switch off the relay, wait for 1 second, switch the relay back on, and then wait for a few seconds for the drive to spin up again.


Do you think using this method might decrease the drive's lifespan?

It will take a lot of time to check a significant number of passwords.


 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: August 29th, 2016, 13:24 
Joined: March 30th, 2016, 12:29
Posts: 127
Location: Germany
drHDD wrote:
It will take a lot of time to check a significant number of passwords.


Too much time in my opinion.


 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: September 27th, 2016, 18:55 
Joined: September 8th, 2009, 18:21
Posts: 15463
Location: Australia
reallymine now supports password entry. One could probably use a shell script to try a list of passwords, but I expect that it would be slow.

From the author ...
http://www.hddoracle.com/viewtopic.php? ... 9638#p9638

_________________
A backup a day keeps DR away.


 Post subject: Re: Forgot WD My Passport password - brute force
PostPosted: October 5th, 2016, 18:51 
Joined: July 25th, 2016, 9:40
Posts: 16
Location: Europe
fzabkar wrote:
reallymine now supports password entry. One could probably use a shell script to try a list of passwords, but I expect that it would be slow.

From the author ...
http://www.hddoracle.com/viewtopic.php? ... 9638#p9638

When I connect my drive using the USB port, it sees two drives. The lsblk output is:
Code:
sdb             8:16   0 931,5G  0 disk 
sr0            11:0    1    30M  0 rom   /run/media/dx486/WD Unlocker

When the drive is connected normally via USB, this command:
Code:
% sudo ./reallymine-linux-amd64 dumpkeysector /dev/sdb outfile.bin

gives this output:
Code:
error running dumpkeysector: read /dev/sdb: input/output error


[portion of this message was deleted]

I am trying to find a way to

1. Read the key sector (Can you please simply explain to me how can I read this drive's key sector?)
2. Use reallymine's new version to try passwords. (How should I connect the drive and what is the command for trying passwords? I think it is related with "kek" option but I am confused with its documentation, my tries did not work)

