April 28th, 2024, 13:36
April 28th, 2024, 13:49
April 28th, 2024, 17:35
fzabkar wrote:When the drive is in the enclosure, what is the capacity, in sectors, reported by the USB mass storage device? If it is less than the native capacity of the bare drive, this would suggest that there is a reserved section at the end of the user area. If there is no reserved area, then this would suggest that the encryption key is stored in the bridge firmware.
fzabkar wrote:Can you upload the first 100 sectors or so of the encrypted drive? This might help to determine the encryption algorithm.
fzabkar wrote:Can you dump the contents of any flash devices on the bridge PCB?
April 28th, 2024, 17:54
0x000000003A386010 = 0x3A386030 - 0x20
0x000000003A380FF0 = 0x3A386030 - 0x5040
0x0000000000005040
0x000000000012C000
0x0000000000131040
0x000000003A24FFB0 = 0x3A386030 - 0x136080 (0x136080 = 0x131040 + 0x5040)
0x0000000000000000
0x0000000000000020
0x0000000000000020
0x0000000000005020
April 28th, 2024, 19:18
fzabkar wrote:The native capacity of your drive is 0x3A386030 sectors.
0x136080 x 512 bytes = 650 MB
ISTM that interesting things happen at those LBAs.
April 28th, 2024, 19:33
April 28th, 2024, 20:21
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ <-- zeros
00000010 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ
........
000001A0 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ
000001B0 BB A7 33 84 03 CB E9 C8 9D E0 B8 31 2F 23 F6 DD »§3„.ËéÈ.à¸1/#öÝ
000001C0 2B E5 45 24 B2 34 32 C5 E9 01 38 09 BE 06 D1 B9 +åE$²42Åé.8.¾.ѹ <-- single partition
000001D0 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ <-- empty partition
000001E0 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ <-- empty partition
000001F0 C2 0E A0 E5 C1 5F A6 33 77 82 AF 29 32 D1 48 68 Â. åÁ_¦3w‚¯)2ÑHh
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00007E00 11 D5 8E CA CA 0A 33 E9 3C 61 02 47 59 55 67 66 .ÕŽÊÊ.3é<a.GYUgf
00007E10 38 D9 DC 98 04 72 B3 0D 51 EC B2 FA 07 15 85 F6 8Ùܘ.r³.Qì²ú..…ö
00007E20 DE 4A B3 1B D2 30 A3 C9 B0 04 9B D1 A8 43 41 4C ÞJ³.Ò0£É°.›Ñ¨CAL
00007E30 22 F0 7E 13 A0 FD 7A 6F 53 07 29 44 46 41 3F 50 "ð~. ýzoS.)DFA?P
00007E40 B5 C5 C8 79 C0 93 A2 9E 6D 00 D8 48 A0 27 86 66 µÅÈyÀ“¢žm.ØH '†f
00007E50 F3 63 38 61 FE 20 26 57 38 1B 82 B3 51 91 52 59 óc8aþ &W8.‚³Q‘RY
00007E60 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ
00007E70 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ
........
00007EF0 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ
00007F00 A8 3A 79 43 D8 6D E4 65 C9 0E CE CF 7B 8E 89 EB ¨:yCØmäeÉ.ÎÏ{Ž‰ë
00007F10 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ
........
00007FE0 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ
00007FF0 C2 0E A0 E5 C1 5F A6 33 77 82 AF 29 32 D1 48 68 Â. åÁ_¦3w‚¯)2ÑHh
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00008A00 11 D5 8E CA CA 0A 33 E9 3C 61 02 47 59 55 67 66 .ÕŽÊÊ.3é<a.GYUgf
00008A10 38 D9 DC 98 04 72 B3 0D 51 EC B2 FA 07 15 85 F6 8Ùܘ.r³.Qì²ú..…ö
00008A20 DE 4A B3 1B D2 30 A3 C9 B0 04 9B D1 A8 43 41 4C ÞJ³.Ò0£É°.›Ñ¨CAL
00008A30 22 F0 7E 13 A0 FD 7A 6F 53 07 29 44 46 41 3F 50 "ð~. ýzoS.)DFA?P
00008A40 B5 C5 C8 79 C0 93 A2 9E 6D 00 D8 48 A0 27 86 66 µÅÈyÀ“¢žm.ØH '†f
00008A50 F3 63 38 61 FE 20 26 57 38 1B 82 B3 51 91 52 59 óc8aþ &W8.‚³Q‘RY
00008A60 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ
April 28th, 2024, 20:47
fzabkar wrote:Offset 0x26208000 is the end of the VCD and the beginning of an encrypted file system image.
This looks like an encrypted MBR sector 0, with a single partition and no MBR code.
- Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00000000 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ <-- zeros
00000010 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ
........
000001A0 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ
000001B0 BB A7 33 84 03 CB E9 C8 9D E0 B8 31 2F 23 F6 DD »§3„.ËéÈ.à¸1/#öÝ
000001C0 2B E5 45 24 B2 34 32 C5 E9 01 38 09 BE 06 D1 B9 +åE$²42Åé.8.¾.ѹ <-- single partition
000001D0 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ <-- empty partition
000001E0 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ <-- empty partition
000001F0 C2 0E A0 E5 C1 5F A6 33 77 82 AF 29 32 D1 48 68 Â. åÁ_¦3w‚¯)2ÑHh
This looks like an encrypted boot sector (sector 63) with a BIOS Parameter Block but no boot code:
- Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00007E00 11 D5 8E CA CA 0A 33 E9 3C 61 02 47 59 55 67 66 .ÕŽÊÊ.3é<a.GYUgf
00007E10 38 D9 DC 98 04 72 B3 0D 51 EC B2 FA 07 15 85 F6 8Ùܘ.r³.Qì²ú..…ö
00007E20 DE 4A B3 1B D2 30 A3 C9 B0 04 9B D1 A8 43 41 4C ÞJ³.Ò0£É°.›Ñ¨CAL
00007E30 22 F0 7E 13 A0 FD 7A 6F 53 07 29 44 46 41 3F 50 "ð~. ýzoS.)DFA?P
00007E40 B5 C5 C8 79 C0 93 A2 9E 6D 00 D8 48 A0 27 86 66 µÅÈyÀ“¢žm.ØH '†f
00007E50 F3 63 38 61 FE 20 26 57 38 1B 82 B3 51 91 52 59 óc8aþ &W8.‚³Q‘RY
00007E60 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ
00007E70 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ
........
00007EF0 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ
00007F00 A8 3A 79 43 D8 6D E4 65 C9 0E CE CF 7B 8E 89 EB ¨:yCØmäeÉ.ÎÏ{Ž‰ë
00007F10 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ
........
00007FE0 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ
00007FF0 C2 0E A0 E5 C1 5F A6 33 77 82 AF 29 32 D1 48 68 Â. åÁ_¦3w‚¯)2ÑHh
Offset 0x8A00 is a copy of the boot sector (logical sector #6), so it's a FAT file system.
- Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00008A00 11 D5 8E CA CA 0A 33 E9 3C 61 02 47 59 55 67 66 .ÕŽÊÊ.3é<a.GYUgf
00008A10 38 D9 DC 98 04 72 B3 0D 51 EC B2 FA 07 15 85 F6 8Ùܘ.r³.Qì²ú..…ö
00008A20 DE 4A B3 1B D2 30 A3 C9 B0 04 9B D1 A8 43 41 4C ÞJ³.Ò0£É°.›Ñ¨CAL
00008A30 22 F0 7E 13 A0 FD 7A 6F 53 07 29 44 46 41 3F 50 "ð~. ýzoS.)DFA?P
00008A40 B5 C5 C8 79 C0 93 A2 9E 6D 00 D8 48 A0 27 86 66 µÅÈyÀ“¢žm.ØH '†f
00008A50 F3 63 38 61 FE 20 26 57 38 1B 82 B3 51 91 52 59 óc8aþ &W8.‚³Q‘RY
00008A60 58 E8 5D AB 9E B0 D2 35 AD D5 FA 19 D8 47 8E CC Xè]«ž°Ò5.Õú.ØGŽÌ
April 28th, 2024, 21:02
April 28th, 2024, 21:06
fzabkar wrote:I feel that there is something special in the last 0x20 sectors, but I don't know what that is.
April 28th, 2024, 21:09
April 29th, 2024, 15:24
April 29th, 2024, 16:21
* Encryption is only supported with Windows PCs. If encryption is enabled, you will not be able to use the drive with a Macintosh computer. Disable encryption before using this device with Mac OS.
April 30th, 2024, 1:28
Powered by phpBB © phpBB Group.