Smartware problem.

[unknown]

Hello!
I have received My passport 500 GB drive (encrypted with Initio)
The customer swear that he didn't put a password.
When the drive connected via USB it shows ABRT and WD smartware shows as protected with smartware password.
When connected via SATA interface the drive scan normally with no defects ( but surely encrypted )
When trying to decrypt via MRT it shows error.
I believe that the customer didn't put any password and it's a FW problem.
Any suggestions?
Thanks in advance.

[unknown]

Full model : WD5000BMVV-11GNWS0
Encryption IC : INITIO NIC-1607E

Any help will be appreciated.

[michael chiklis]

Maybe this can help you:
viewtopic.php?f=28&t=35093

[DR-Kiev]

Check key sector on the back , most probably, there is garbage.

[fzabkar]

Does module 25 or 38 have a valid key?

[unknown]

Key sector and the key in module 25 are matched.

Attachments

Sector.rar

(582 Bytes) Downloaded 469 times

25.rar

(807 Bytes) Downloaded 441 times

[fzabkar]

You might like to ask Roberto about his "WD My Passport Decryption Tool":
memberlist.php?mode=viewprofile&u=31982

... or try reallymine:
http://www.hddoracle.com/viewtopic.php?f=22&t=1488

[unknown]

Maybe this can help you:
viewtopic.php?f=28&t=35093

My case is different from this topic. I tried to load mod. 25, auto check and load the key sector but MRT gave me error.

Check key sector on the back , most probably, there is garbage.

Key sector and mod. 25 are matched. The problem is the drive is asking for smartware password that doesn't exist.

You might like to ask Roberto about his "WD My Passport Decryption Tool":
memberlist.php?mode=viewprofile&u=31982

... or try reallymine:
http://www.hddoracle.com/viewtopic.php?f=22&t=1488

That won't help me sir at this case.
Thanks for the replies all. I do really appreciate your replies.

Any thoughts?

[unknown]

Is it possible to take an image to an identical donor with the same FW, Capacity and encryption(INITIO NIC-1607E)?
Is it possible to decrypt the data?

[Roberto]

Is it possible to take an image to an identical donor with the same FW, Capacity and encryption(INITIO NIC-1607E)?

This will not help in your case. I have checked your key sector... it is not decryptable without password. At least not with my software solution.

Is it possible to decrypt the data?

Yes, but it is very complicated... I don't think your client is willing to pay the needed effort.

[unknown]

Is it possible to take an image to an identical donor with the same FW, Capacity and encryption(INITIO NIC-1607E)?

This will not help in your case. I have checked your key sector... it is not decryptable without password. At least not with my software solution.

Is it possible to decrypt the data?

Yes, but it is very complicated... I don't think your client is willing to pay the needed effort.

I don't think so, too.
Thank you very much anyway.

[fzabkar]

Is there a "hint" sector?

http://www.hddoracle.com/viewtopic.php?f=3&t=998&p=4459&hilit=password+hint#p4459

[unknown]

Is there a "hint" sector?

http://www.hddoracle.com/viewtopic.php?f=3&t=998&p=4459&hilit=password+hint#p4459

No.
The WD security said : "No hint".

[dan_sm]

The KEK in your case is just 32 times a zero byte, i.e (hexadecimal):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
instead of the default one (hexadecimal):
03 14 15 92 65 35 89 79 32 38 46 26 43 38 32 79 fc eb ea 6d 9a ca 76 86 cd c7 b9 d9 bc c7 cd 86

This means that given the following edek (encrypted DEK sector from 25.rpm):

Code:

57 44 01 14 00 00 00 00 02 70 00 00 00 00 00 00
00 00 00 00 3a 37 88 00 00 00 00 00 3a 37 88 00
00 00 00 00 00 00 c8 00 20 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 57 44 01 14
e4 c9 b8 be 69 db fa 9d e0 c2 39 fc 95 2c 0f 78
1c 12 f5 96 a6 56 a5 30 be 4c 77 7f 2f 57 07 1e
d2 19 5c c0 07 28 95 24 2a a1 1e 1b 1b 85 2b 1e
96 36 c8 f1 e0 f4 17 c6 9a 1d 86 b6 8a 62 f8 c1
09 94 df ca 50 f6 e8 31 4f 54 30 b5 2a 51 e2 fe
33 ad 33 45 4b 0d ce de 3d 5f e3 b7 86 32 cb c3
34 11 54 e9 8c 3f a7 22 10 76 6a 68 f0 6a 75 df
4e 6e d4 05 86 b8 75 26 67 07 a3 fe fe a9 d9 60
b4 bf 48 d3 0f ed e2 5d c0 d7 1b df 3b 8a 5b 85
13 55 e3 5e d5 85 16 8a e8 32 b3 07 02 77 88 c1
57 d3 33 2d 2c ed e8 f8 26 0a 46 e8 ae 15 99 7a
81 0f 6b e2 eb 43 fc 3e be 7c 7b fd d4 c7 92 59
d0 f4 3b 8f 67 e4 81 4b 55 7c ac cc 8c bc cd c4
00 dc e3 62 54 7e 34 04 fc f9 7b 17 29 a6 2a d8
3d 22 db 71 71 0b 1d 2c 67 53 22 12 4f bf d0 4d
bd ac 64 e4 e4 7a 20 83 e2 16 41 35 85 42 8f 37
9b 90 d4 91 37 68 f2 e9 9a 5b 00 51 2d 96 b1 21
d6 1e 5c 2e e8 10 16 15 f9 b6 88 c3 f1 aa 0e 21
39 c6 53 3e 0c b9 31 68 a7 e7 40 48 81 ef 46 97
df 84 b7 20 f5 2e 8e d6 e7 87 8b 13 e9 49 d5 62
b6 eb 5e 6a ac 2a f2 82 cd 82 39 94 b2 02 03 20
5a 54 6a c2 de 47 67 9d 12 8c c0 19 0b 33 df ad
05 a2 f0 f3 0a 60 43 94 5b 75 b4 a6 e8 e4 20 b2
1e 43 d7 8b 8d 46 98 a0 71 01 1a 71 5b 89 eb 7b
58 0f d0 70 3e 55 92 cb 20 38 96 c4 0e 45 ab 7f
78 49 fb c5 fc 38 1e 22 9a 3b 80 45 e8 19 7f 21
46 b3 bd cd 01 cc cb 07 e5 d9 aa 40 40 8a 83 47
54 c5 b5 b5 40 cd 82 a9 4d 8e 00 70 08 d4 a1 4e

it can be decrypted (AES-256-ECB) to:

Code:

57 44 01 14 00 00 00 00 02 70 00 00 00 00 00 00
00 00 00 00 3a 37 88 00 00 00 00 00 3a 37 88 00
00 00 00 00 00 00 c8 00 20 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 57 44 01 14
00 00 2d 02 00 00 00 00 00 00 00 00 00 00 00 00
00 00 bd 04 00 00 00 00 00 00 00 00 00 00 00 00
00 00 f8 76 00 00 00 00 00 00 00 00 00 00 00 00
00 00 ce 13 00 00 00 00 00 00 00 00 00 00 00 00
00 00 75 3f 00 00 00 00 00 00 00 00 00 00 00 00
00 00 30 8e 00 00 00 00 00 00 00 00 00 00 00 00
00 00 d4 e3 00 00 00 00 00 00 00 00 00 00 00 00
00 00 15 99 00 00 00 00 00 00 00 00 00 00 00 00
00 00 5b a8 00 00 00 00 00 00 00 00 00 00 00 00
00 00 bf b7 00 00 00 00 00 00 00 00 00 00 00 00
00 00 07 22 00 00 00 00 00 00 00 00 00 00 00 00
00 00 eb 45 00 00 00 00 00 00 00 00 00 00 00 00
00 00 27 14 00 00 00 00 00 00 00 00 00 00 00 00
00 00 b1 4a 00 00 00 00 00 00 00 00 00 00 00 00
00 00 be 6c 00 00 00 00 00 00 00 00 00 00 00 00
00 00 e6 28 00 00 00 00 00 00 00 00 00 00 00 00
00 00 4a 91 00 00 00 00 00 00 00 00 00 00 00 00
00 00 b9 8b 00 00 00 00 00 00 00 00 00 00 00 00
00 00 e0 91 00 00 00 00 00 00 00 00 00 00 00 00
00 00 a7 e8 00 00 00 00 00 00 00 00 00 00 00 00
00 00 41 a5 00 00 00 00 00 00 00 00 00 00 00 00
27 5d ba 35 a0 d0 39 9b 00 00 00 20 6c d5 f6 6f
c2 15 5e b2 5b 51 0e 55 38 a9 5b b1 27 df 90 00
82 c5 0c e6 c5 31 19 38 6e 52 8c 90 00 00 08 5e
00 00 cb 24 00 00 00 00 00 00 00 00 00 00 00 00
00 00 14 22 00 00 00 00 00 00 00 00 00 00 00 00
00 00 44 12 00 00 00 00 00 00 00 00 00 00 00 00
00 00 45 8f 00 00 00 00 00 00 00 00 00 00 00 00


(you actually also need to byte-swap the output afterwards, as projects like reallymine are also able to do.. but that's just a straightforward thing...)

What is probably more important for you is, that this means the DEK is (hexadecimal again): 6ff6d56cb25e15c2550e515bb15ba9380090df27e60cc582381931c5908c526e

and the AES key for decrypting the data is therefore (just rearrange the DEK bytes as reallymine etc are also automatically doing): 38a95bb15b510e55c2155eb26cd5f66f6e528c90c531193882c50ce627df9000

The only remaining questions are why the KEK is all-zeros and if using this DEK/AES key to decrypt the data works for you.

I hope you (or your client) gets the data back soon. Good luck.

[dan_sm]

The KEK in your case is just 32 times a zero byte, i.e (hexadecimal):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
instead of the default one (hexadecimal):
03 14 15 92 65 35 89 79 32 38 46 26 43 38 32 79 fc eb ea 6d 9a ca 76 86 cd c7 b9 d9 bc c7 cd 86

This means that given the following edek (encrypted DEK sector from 25.rpm):

Code:

57 44 01 14 00 00 00 00 02 70 00 00 00 00 00 00
00 00 00 00 3a 37 88 00 00 00 00 00 3a 37 88 00
00 00 00 00 00 00 c8 00 20 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 57 44 01 14
e4 c9 b8 be 69 db fa 9d e0 c2 39 fc 95 2c 0f 78
1c 12 f5 96 a6 56 a5 30 be 4c 77 7f 2f 57 07 1e
d2 19 5c c0 07 28 95 24 2a a1 1e 1b 1b 85 2b 1e
96 36 c8 f1 e0 f4 17 c6 9a 1d 86 b6 8a 62 f8 c1
09 94 df ca 50 f6 e8 31 4f 54 30 b5 2a 51 e2 fe
33 ad 33 45 4b 0d ce de 3d 5f e3 b7 86 32 cb c3
34 11 54 e9 8c 3f a7 22 10 76 6a 68 f0 6a 75 df
4e 6e d4 05 86 b8 75 26 67 07 a3 fe fe a9 d9 60
b4 bf 48 d3 0f ed e2 5d c0 d7 1b df 3b 8a 5b 85
13 55 e3 5e d5 85 16 8a e8 32 b3 07 02 77 88 c1
57 d3 33 2d 2c ed e8 f8 26 0a 46 e8 ae 15 99 7a
81 0f 6b e2 eb 43 fc 3e be 7c 7b fd d4 c7 92 59
d0 f4 3b 8f 67 e4 81 4b 55 7c ac cc 8c bc cd c4
00 dc e3 62 54 7e 34 04 fc f9 7b 17 29 a6 2a d8
3d 22 db 71 71 0b 1d 2c 67 53 22 12 4f bf d0 4d
bd ac 64 e4 e4 7a 20 83 e2 16 41 35 85 42 8f 37
9b 90 d4 91 37 68 f2 e9 9a 5b 00 51 2d 96 b1 21
d6 1e 5c 2e e8 10 16 15 f9 b6 88 c3 f1 aa 0e 21
39 c6 53 3e 0c b9 31 68 a7 e7 40 48 81 ef 46 97
df 84 b7 20 f5 2e 8e d6 e7 87 8b 13 e9 49 d5 62
b6 eb 5e 6a ac 2a f2 82 cd 82 39 94 b2 02 03 20
5a 54 6a c2 de 47 67 9d 12 8c c0 19 0b 33 df ad
05 a2 f0 f3 0a 60 43 94 5b 75 b4 a6 e8 e4 20 b2
1e 43 d7 8b 8d 46 98 a0 71 01 1a 71 5b 89 eb 7b
58 0f d0 70 3e 55 92 cb 20 38 96 c4 0e 45 ab 7f
78 49 fb c5 fc 38 1e 22 9a 3b 80 45 e8 19 7f 21
46 b3 bd cd 01 cc cb 07 e5 d9 aa 40 40 8a 83 47
54 c5 b5 b5 40 cd 82 a9 4d 8e 00 70 08 d4 a1 4e


it can be decrypted (AES-256-ECB) to:

Code:

57 44 01 14 00 00 00 00 02 70 00 00 00 00 00 00
00 00 00 00 3a 37 88 00 00 00 00 00 3a 37 88 00
00 00 00 00 00 00 c8 00 20 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 57 44 01 14
00 00 2d 02 00 00 00 00 00 00 00 00 00 00 00 00
00 00 bd 04 00 00 00 00 00 00 00 00 00 00 00 00
00 00 f8 76 00 00 00 00 00 00 00 00 00 00 00 00
00 00 ce 13 00 00 00 00 00 00 00 00 00 00 00 00
00 00 75 3f 00 00 00 00 00 00 00 00 00 00 00 00
00 00 30 8e 00 00 00 00 00 00 00 00 00 00 00 00
00 00 d4 e3 00 00 00 00 00 00 00 00 00 00 00 00
00 00 15 99 00 00 00 00 00 00 00 00 00 00 00 00
00 00 5b a8 00 00 00 00 00 00 00 00 00 00 00 00
00 00 bf b7 00 00 00 00 00 00 00 00 00 00 00 00
00 00 07 22 00 00 00 00 00 00 00 00 00 00 00 00
00 00 eb 45 00 00 00 00 00 00 00 00 00 00 00 00
00 00 27 14 00 00 00 00 00 00 00 00 00 00 00 00
00 00 b1 4a 00 00 00 00 00 00 00 00 00 00 00 00
00 00 be 6c 00 00 00 00 00 00 00 00 00 00 00 00
00 00 e6 28 00 00 00 00 00 00 00 00 00 00 00 00
00 00 4a 91 00 00 00 00 00 00 00 00 00 00 00 00
00 00 b9 8b 00 00 00 00 00 00 00 00 00 00 00 00
00 00 e0 91 00 00 00 00 00 00 00 00 00 00 00 00
00 00 a7 e8 00 00 00 00 00 00 00 00 00 00 00 00
00 00 41 a5 00 00 00 00 00 00 00 00 00 00 00 00
27 5d ba 35 a0 d0 39 9b 00 00 00 20 6c d5 f6 6f
c2 15 5e b2 5b 51 0e 55 38 a9 5b b1 27 df 90 00
82 c5 0c e6 c5 31 19 38 6e 52 8c 90 00 00 08 5e
00 00 cb 24 00 00 00 00 00 00 00 00 00 00 00 00
00 00 14 22 00 00 00 00 00 00 00 00 00 00 00 00
00 00 44 12 00 00 00 00 00 00 00 00 00 00 00 00
00 00 45 8f 00 00 00 00 00 00 00 00 00 00 00 00


(you actually also need to byte-swap the output afterwards, as projects like reallymine are also able to do.. but that's just a straightforward thing...)

What is probably more important for you is, that this means the DEK is (hexadecimal again): 6ff6d56cb25e15c2550e515bb15ba9380090df27e60cc582381931c5908c526e

and the AES key for decrypting the data is therefore (just rearrange the DEK bytes as reallymine etc are also automatically doing): 38a95bb15b510e55c2155eb26cd5f66f6e528c90c531193882c50ce627df9000

The only remaining questions are why the KEK is all-zeros and if you succeed in using this KEK/AES key to decrypt the data.

I hope you (or your client) gets the data back soon. Good luck.