All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 9 posts ] 
Author Message
 Post subject: WD Passport Essential encription recovery
PostPosted: January 17th, 2020, 19:16 
Offline

Joined: January 17th, 2020, 18:55
Posts: 3
Location: France
Hello everyone,

I found in a one of my drawers a WD Passport Essential which is containing photos, and financial informations. It was untouched for many years until today and of course, I don't remember the password.
After many researches, I found out that this drive has an Initio INIC-1607E and there is a vulnerability which would maybe let me recover the data. To perform the decryption, I need to extract the encrypted DEK (encryption key) at the sector 1465143304 (because it is the 750Gb drive) to bruteforce it (which is possible because of the vulnerability). To do so, I removed the capacitors C13/C18/C31/C33 and soldered wires to E71/E72/E73/E75 and the ground. I then connected the sata port and the USB (for the power) to a computer and nothing. On two different motherboards, the drive isn't detected in the bios or in linux with fdisk -l. I can hear it spinning but nothing from the reading head. I checked my connections and nothing weird. What do you suggest?

I join pictures to show you the situation.


Attachments:
IMG_3312.jpg
IMG_3312.jpg [ 2.19 MiB | Viewed 8375 times ]
IMG_3311.jpg
IMG_3311.jpg [ 2.16 MiB | Viewed 8375 times ]
IMG_3310.jpg
IMG_3310.jpg [ 1.62 MiB | Viewed 8375 times ]
IMG_1663.jpg
IMG_1663.jpg [ 3.35 MiB | Viewed 8375 times ]
IMG_3307.jpg
IMG_3307.jpg [ 2.23 MiB | Viewed 8375 times ]
Top
 Profile  
 
 Post subject: Re: WD Passport Essential encription recovery
PostPosted: January 17th, 2020, 19:50 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
I haven't checked your wiring, but you could use the following SATA PCB, with the same MCU, to follow the tracks from MCU to SATA connector.

https://images-na.ssl-images-amazon.com/images/I/71MqebSA8aL._SL1296_.jpg

_________________
A backup a day keeps DR away.


Top
 Profile  
 
 Post subject: Re: WD Passport Essential encription recovery
PostPosted: January 18th, 2020, 17:29 
Offline
User avatar

Joined: September 29th, 2005, 12:02
Posts: 3561
Location: Chicago
steakdu38 wrote:
After many researches, I found out that this drive has an Initio INIC-1607E and there is a vulnerability which would maybe let me recover the data. To perform the decryption, I need to extract the encrypted DEK (encryption key) at the sector 1465143304 (because it is the 750Gb drive) to bruteforce it (which is possible because of the vulnerability).

Bruteforcing DEK on INIC-1607E it's not as easy as it sounds, it's actually very hard.
Although you can try to bruteforce the password, which should be easier, especially if you can guesstimate lists of possible password you might have used.

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.


Top
 Profile  
 
 Post subject: Re: WD Passport Essential encription recovery
PostPosted: January 18th, 2020, 18:21 
Offline

Joined: December 5th, 2011, 5:38
Posts: 1626
Location: Italy
I think those wires are too long, they've to be very short (less than 4 cm).

_________________
My firmware database:
https://mega.nz/folder/O01DkBRI#MxP2J6ZNqXDcrX40I8MoQQ


Top
 Profile  
 
 Post subject: Re: WD Passport Essential encription recovery
PostPosted: January 19th, 2020, 12:42 
Offline

Joined: January 17th, 2020, 18:55
Posts: 3
Location: France
Hello,

@Michael Thanks for that suggestion, I will try this solution when I'll have a bit more time.
What should I see in Linux ? Something which looks like as a normal WD drive ?

@Doomer According to what you say, I might have possibly misunderstood this research: https://eprint.iacr.org/2015/1002.pdf
At the page 26: "This currently leaves us with a bruteforce attack to predict any on-device DEK key material from INIC-1607E with a complexity of 2^10 ∗ 2^15 = 2^25 .
This has been implemented as a PoC and multiple tests verify the complexity."

It seems to me that the complexity isn't that huge.
What do you suggest to implement the brute force attack on the password? Generate a "random" password, hash it to create a KEK and try it to decrypt the DEK ?

Thanks. :D


Top
 Profile  
 
 Post subject: Re: WD Passport Essential encription recovery
PostPosted: January 25th, 2020, 1:51 
Offline

Joined: November 22nd, 2017, 21:47
Posts: 309
Location: France
You could send a message to member “kaeding” (author of a dedicated tool called reallymine), who is very knowledgeable about that kind of issue with encrypted WD drives, and not greedy when it comes to the pricing of his services. If he were to help you he would request a proof of ownership.


Top
 Profile  
 
 Post subject: Re: WD Passport Essential encription recovery
PostPosted: January 25th, 2020, 3:20 
Offline

Joined: January 25th, 2020, 3:05
Posts: 9
Location: England
Hi! Well I'm a NOOB so I can only say what I'd try and what's worked for me in the past...

Firstly, Hiren's Boot Disc. That's got some excellent password removal tools on it. It's a free download, easily google-able.

Secondly - and I am NOT an affiliate or have anything to do with this lot, mods! - Stellar Data Recovery's a good tool for recovering data from passworded drives. I use it but am nothing to do with the company.

Another great utility, which I've also nothing to do with, is A-FF Repair Station. It's a VERY fast - on the whole - password remover. Again, I've used it loads.

Hope this helps!

Yours respectfully

Chris.


Top
 Profile  
 
 Post subject: Re: WD Passport Essential encription recovery
PostPosted: January 25th, 2020, 23:05 
Offline
User avatar

Joined: September 29th, 2005, 12:02
Posts: 3561
Location: Chicago
steakdu38 wrote:
@Doomer According to what you say, I might have possibly misunderstood this research: https://eprint.iacr.org/2015/1002.pdf
At the page 26: "This currently leaves us with a bruteforce attack to predict any on-device DEK key material from INIC-1607E with a complexity of 2^10 ∗ 2^15 = 2^25 .
This has been implemented as a PoC and multiple tests verify the complexity."
It seems to me that the complexity isn't that huge.

2^25 is a little bit wishful thinking
Because you would need to overcome GetTickCount delta problem. After of course you actually implement the algo for GetTickCount and HW RNG32, which is also one hell of a research to do.


Moving back to Algorithm 7, the inner for loop has a call to GetTickCnt() for each iteration. So we
need to measure how many opcodes are executed in each iteration of the loop. This turned out to vary
within a narrow interval, and it turns out that different calls to HW RNG32() adds different tick deltas,
based on the state of the RNG


steakdu38 wrote:
What do you suggest to implement the brute force attack on the password? Generate a "random" password, hash it to create a KEK and try it to decrypt the DEK ?

I suggest you grab a list of passwords you might have used and try them

_________________
SAN, NAS, RAID, Server, and HDD Data Recovery.


Top
 Profile  
 
 Post subject: Re: WD Passport Essential encription recovery
PostPosted: February 5th, 2020, 15:31 
Offline

Joined: January 17th, 2020, 18:55
Posts: 3
Location: France
Thanks for all your comments and information.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 9 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 40 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group