Unlocking ATA Password of PM863a SSD possible?

[blunden]

I see that most of the tools and discussions here are related to regular spinning hard drives, not SSDs. With that said, are there any tools out there that can unlock Samsung SSDs that were locked with an ATA password?

Based on output from hdparm (see below), I can see that the drive is locked with an unknown user password, that the master password hasn't been changed and that the security level has been set to maximum which prevents me from just setting a new master password and then using that to secure erase or unlock it.

Code:

Security:
   Master password revision code = 65534
      supported
      enabled
      locked
   not   frozen
   not   expired: security count
      supported: enhanced erase
   Security level maximum


I have tried the common master passwords I could find (32 t:s, 32 spaces, space, NULL, empty string) as well as common words and hardcoded passwords used by some tools and guides like "password", "pass", "xxxx", "p", "Eins", "synology", etc. without success (both as master and user passwords). I also searched for the datasheet of the drive and managed to find a "Samsung Confidential"-marked copy but unlike the datasheet for some of the consumer drivers, it did not mention the master password used.

Are there any tools available to unlock these drives or are there any unlocking services available? I'm not interested in the data so wiping the drive would be fine.

The drive identifies itself as SAMSUNG MZ7LM3T8HMLP-00005 and has a production date of December 2016 running firmware GXT5204Q, if that is any help.

[conxentra]

Hi,

Did you manage to find a way to unlock this drive? I contacted Samsung, but their consumer division they do not handle this product, as this is an enterprise drive. I've filed a support query with their enterprise division but haven't heard back.

I tried it on different PC's. On the more recent ones, it displays a code and request the password. If I don't put the correct password or press ESC, the PC boots (from the main disk) normally but doesn't even see the locked HD in the BIOS. So, Samsung Magician (for enterprise SSD) doesn't see the drive.

I've seen some people had success unlocking SATA drives using ZU with Ultimate Boot CD with the BIOS set in compatible (not AHCI) mode and will be trying this shortly.

[blunden]

Hi,

Did you manage to find a way to unlock this drive? I contacted Samsung, but their consumer division they do not handle this product, as this is an enterprise drive. I've filed a support query with their enterprise division but haven't heard back.

I tried it on different PC's. On the more recent ones, it displays a code and request the password. If I don't put the correct password or press ESC, the PC boots (from the main disk) normally but doesn't even see the locked HD in the BIOS. So, Samsung Magician (for enterprise SSD) doesn't see the drive.

I've seen some people had success unlocking SATA drives using ZU with Ultimate Boot CD with the BIOS set in compatible (not AHCI) mode and will be trying this shortly.

No, I have not been able to unlock it yet and I have a feeling that I probably won't until we get new tools or I find someone with contacts at Samsung that can unlock it for me off the books or something. They could easily do it if they wanted to since Samsung obviously knows the master password.

Do you also have one of these drive locked in the same way (security level maximum)? If your drive is locked with Security level high, you can supposedly just set a new master password without knowing the existing one and then use that to secure erase the drive. That's not possible with security level maximum though.

As far as I'm aware, ZU doesn't work with modern SSDs since it uses vendor-specific commands that don't exist on their modern SSDs. Feel free to try it and let me know though, I would happily be proven wrong.

[conxentra]

I contacted Samsung, who initially agreed to RMA so that they can factory erase it.

However, upon sending the photos of the unit, they said these SSD are OEM units and as such, they do not have the software to factory erase it.

Do these OEM units have different firmware?

[blunden]

I contacted Samsung, who initially agreed to RMA so that they can factory erase it.

However, upon sending the photos of the unit, they said these SSD are OEM units and as such, they do not have the software to factory erase it.

Do these OEM units have different firmware?

They might have slight differences I suppose but in the case of the PM863 it would presumably be very similar as that is also sold as a retail drive in the US. I suppose they might have different master passwords though.

There also seem to be different definitions of OEM here, one which is branded by a company like Dell etc. (you can find images of those on eBay) and these which are sold in bulk but no visible branding besides Samsung's.

Could you ask them if these drives have different master passwords or if there is something else that is different?

[blunden]

I contacted Samsung, who initially agreed to RMA so that they can factory erase it.

However, upon sending the photos of the unit, they said these SSD are OEM units and as such, they do not have the software to factory erase it.

Do these OEM units have different firmware?

It seems like the company behind the PC3000 toolset has a new SSD add-on that seems to be able to read or reset the existing password.

https://www.acelaboratory.com/pc3000-SSD.php

Specifically the following feature:

- View the password and reset the password that was earlier set on an SSD (bypass the ATA security)

Now I just need to find a company with such a tool that is willing to help for a reasonable price.

Have you had any luck yet?

[conxentra]

I contacted Samsung, who initially agreed to RMA so that they can factory erase it.

However, upon sending the photos of the unit, they said these SSD are OEM units and as such, they do not have the software to factory erase it.

Do these OEM units have different firmware?

It seems like the company behind the PC3000 toolset has a new SSD add-on that seems to be able to read or reset the existing password.

https://www.acelaboratory.com/pc3000-SSD.php

Specifically the following feature:

- View the password and reset the password that was earlier set on an SSD (bypass the ATA security)

Now I just need to find a company with such a tool that is willing to help for a reasonable price.

Have you had any luck yet?

When inserted in a PC, the SSD requests a password so it can be accessed. Using the master password which is specific for the BIOS, I managed to get one step further which allowed me to erase the SSD. After erasing the SSD though, it still asks me for user password upon boot though.

Since the OEM version of the SSD does not have the PSID printed on the drive itself, one of the ways to get the user password would be using brute force. However, the drive allows gives 3 attempts before locking up. Re-powering the drive after the lock allows another 3 attempts. Someone wrote a script and used a small board to re-power the drive after 3 failed attempts, while storing the passwords tried. He managed to get the password after the computer ran for 2 days.

[blunden]

Nevermind. It seems like the PM863a is probably to new for the current PC3000 version.

https://blog.acelaboratory.com/pc-3000- ... dated.html

I guess I'll just have to wait and see if they ever add support for it. At least I found a local company with that product that might be able to help if the support status changes.

[Lox]

Nevermind. It seems like the PM863a is probably to new for the current PC3000 version.

https://blog.acelaboratory.com/pc-3000- ... dated.html

I guess I'll just have to wait and see if they ever add support for it. At least I found a local company with that product that might be able to help if the support status changes.

Hello. I have the same problem with my SSD and just wanted to know if you found a way to fix it.

[sflx]

I'm struggling with the same problem with two PM863a drives, ATA Secutiry level maximum, can't be Secure Erased due to unknown master password. No PSID on the printed label. Firmware is GXT5204Q. I don't need the data and my goal is to Secure Erase and reuse these drives.

JTAG works good. I'm using J-link V11 adapter to access it. I've tried OpenOCD 0.12.x on Linux via libkaylink and J-link's own software J-link Commander. I'v somehow failed to get stable and good performance with OpenOCD and switched to J-link commander although it can only access core0 in it's default configuration.

I'm trying to follow this brilliant paper to dump drive's crypto blob:

https://cs.ru.nl/~cmeijer/publications/ ... Drives.pdf

Of course, I'v failed to read this blob.
As expected from an academic paper, some important details are missing from their description. Already found out what 3-step vendor unlock sequence was not fully described:
Before issuing CMD=0x85 FEAT=0x46 unlock command with given data buffer you need to issue FEAT 0x49, and FEAT 0x53 commands without data to advance unlock process through steps 1 and 2.

Still, even after step 3 unlock was performed, CMD=0x83 FEAT=0x12 to read out crypto block is not working. They mention the blow was increased to 128kBytes in 850 Evo, so I suppose this is the size for PM863a. I'v tried to read both 128k and 64k bytes via ATA Pass-through (12) and (16) commands and they all are failing. I suspect something else is missing from the paper.

Of course I'v tried to use 840 EVO knowledge accumlated by sourcerer, but still no luck.
The questions are:
- how to find SATA command table ?
- Any hints on how to find master password HMAC comparision routine? I'm totally out of ideas on how to locate this code because command handling is really obscure;

BTW, while doing lots of memory reads, async core halts and runs, I've managed to somehow disrupt normal firmware functioning and failed into ERRORMOD state. ERRORMOD state resets ATA security to high. After running "download firmware - secure erase" of ERRORMOD repair by uploading fake, 512-byte short firmware and performing secure erase I was able to accidentally restore one of my two drives.

However, some important SMART data was damaged after ERRORMOD. I still hope to find a better way to repair the second drive. The best thing is to find and patch master password compare routine, but I'm unable to find it in firmware dumps...

[sflx]

Looks like I've found command handler for CMD 0x83. Feature codes 0x12, 0x13 are not supported at all. I think either feature mapping is now different or some other command is now used for crypto blob handling.
Unsurprisingly, academic paper was a little misguiding again. Or DC drives use their own vendor command set.

[sourcerer]

From my analysis, every different drive had a completely different firmware. To me it seemed like even completely different firmware codebases, likely developed by different teams. Different data structures, different ways of doing things, ... and also different commands on SATA.

[blunden]

I'm struggling with the same problem with two PM863a drives, ATA Secutiry level maximum, can't be Secure Erased due to unknown master password. No PSID on the printed label. Firmware is GXT5204Q. I don't need the data and my goal is to Secure Erase and reuse these drives.

JTAG works good. I'm using J-link V11 adapter to access it. I've tried OpenOCD 0.12.x on Linux via libkaylink and J-link's own software J-link Commander. I'v somehow failed to get stable and good performance with OpenOCD and switched to J-link commander although it can only access core0 in it's default configuration.

I'm trying to follow this brilliant paper to dump drive's crypto blob:

https://cs.ru.nl/~cmeijer/publications/ ... Drives.pdf

Of course, I'v failed to read this blob.
As expected from an academic paper, some important details are missing from their description. Already found out what 3-step vendor unlock sequence was not fully described:
Before issuing CMD=0x85 FEAT=0x46 unlock command with given data buffer you need to issue FEAT 0x49, and FEAT 0x53 commands without data to advance unlock process through steps 1 and 2.

Still, even after step 3 unlock was performed, CMD=0x83 FEAT=0x12 to read out crypto block is not working. They mention the blow was increased to 128kBytes in 850 Evo, so I suppose this is the size for PM863a. I'v tried to read both 128k and 64k bytes via ATA Pass-through (12) and (16) commands and they all are failing. I suspect something else is missing from the paper.

Of course I'v tried to use 840 EVO knowledge accumlated by sourcerer, but still no luck.
The questions are:
- how to find SATA command table ?
- Any hints on how to find master password HMAC comparision routine? I'm totally out of ideas on how to locate this code because command handling is really obscure;

BTW, while doing lots of memory reads, async core halts and runs, I've managed to somehow disrupt normal firmware functioning and failed into ERRORMOD state. ERRORMOD state resets ATA security to high. After running "download firmware - secure erase" of ERRORMOD repair by uploading fake, 512-byte short firmware and performing secure erase I was able to accidentally restore one of my two drives.

However, some important SMART data was damaged after ERRORMOD. I still hope to find a better way to repair the second drive. The best thing is to find and patch master password compare routine, but I'm unable to find it in firmware dumps...

I thought this thread was essentially dead so I never checked back on it until now.

It seems like you made some progress at least, even if you didn't manage to find a way to dump the crypto blob, nor to patch the password comparison code.

What was the SMART data that got damaged btw?

[blunden]

This blog post also seems interesting, including the comments.

https://blog.muwave.de/2019/09/samsung- ... urrection/

[fzabkar]

I have a couple of ideas to try to provoke the firmware into entering an ERROMOD state. These involve disabling the temperature sensor or the power loss data protection circuitry.

If you can upload a detailed photo of the PCB, I can show you what to do.

[blunden]

I have a couple of ideas to try to provoke the firmware into entering an ERROMOD state. These involve disabling the temperature sensor or the power loss data protection circuitry.

If you can upload a detailed photo of the PCB, I can show you what to do.

I had some trouble finding the SSD at first and then to find a matching pentalobe screwdriver bit that fit, but I eventually found what I needed and got it open. It's night time right now though so the pictures didn't turn out all that great.

https://imgur.com/a/1YsoSnu

I can try again tomorrow when there is more natural light, if needed.

[fzabkar]

Referring to this photo ...

https://i.imgur.com/fPozb1R.jpeg

... there is an 8-pin IC in the centre of the PCB, immediately to the left of the NAND array. That's the temperature sensor. Also, there is a larger 20-pin chip below the NAND array (MP5505). That's the chip that controls the power loss protection circuitry.

Can you provide a close-up shot of each chip?

Power Loss Protection:
http://www.hddoracle.com/viewtopic.php?p=21248#p21248

If the EN pin of the MP5505 is not strapped directly to Vcc, ie if it is tied up to Vcc via a pullup resistor, then you can short this pin to ground while powering up the SSD, and then release the short after the SSD identifies itself. Hopefully this will induce ERRORMOD.

I suspect that the pinout of the temperature sensor may be similar to this IC:

http://ww1.microchip.com/downloads/en/DeviceDoc/20005192B.pdf

If so, then you could short SCL or SDA to ground during power-on and then release the short.

[blunden]

Referring to this photo ...

https://i.imgur.com/fPozb1R.jpeg

... there is an 8-pin IC in the centre of the PCB, immediately to the left of the NAND array. That's the temperature sensor. Also, there is a larger 20-pin chip below the NAND array (MP5505). That's the chip that controls the power loss protection circuitry.

Can you provide a close-up shot of each chip?

I updated the imgur link with more photos taken in daylight, including close-up shots of those two chips.

[Lardman]

I suspect that the pinout of the temperature sensor may be similar to this IC:

http://ww1.microchip.com/downloads/en/DeviceDoc/20005192B.pdf

If so, then you could short SCL or SDA to ground during power-on and then release the short.

If it is, you may well find them on the i/o holes far bottom right.

[fzabkar]

I would try shorting SCL (temp sensor) or EN (MP5505) to ground, as explained previously.

Attachments

MCP9844_pinout.gif (4.55 KiB) Viewed 95745 times