All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 23 posts ]  Go to page 1, 2  Next
Author Message
 Post subject: Samsung PM871 password protected ... I tried everything ...
PostPosted: September 29th, 2020, 17:01 
Offline

Joined: November 8th, 2018, 12:18
Posts: 29
Location: Italy
This is a lenovo-samsung model ...
PM871
MZ7LN256HCHP-000L7
firmware EMT03L6Q

As you probably already know, this is substantially just a samsung 850 evo.
The drive resulted password protected.

My originally idea was to use PSID revert to reset everything (I don't care about the data).

Unfortunately, it shows up as no compatible with OPAL, no matter what you try to use.

I tried with samsung magician .... everything is pratically greyed out ... no firmware update, no secure erase, no data security ...
I tried samsung psid revert ... no way, driver not compatible.
I tried the utily form lenovo to update the firmware ... it's passoword protected so no way.
I tried sedutil ... windows version, linux version, bootable version ... no change ... no opal

Of course the drive IS OPAL compatible ... you can find that information eveywhere and is even written on the label.

So ... is there a way to re-enable OPAL??


Top
 Profile  
 
 Post subject: Re: Samsung PM871 password protected ... I tried everything
PostPosted: December 21st, 2020, 17:00 
Offline

Joined: November 8th, 2018, 12:18
Posts: 29
Location: Italy
I think the reason I can't use PSID is this ...

Image

https://www.samsung.com/semiconductor/g ... e_v1.1.pdf

So I run out of ideas ...


Top
 Profile  
 
 Post subject: Re: Samsung PM871 password protected ... I tried everything
PostPosted: December 21st, 2020, 17:38 
Offline

Joined: August 13th, 2016, 17:10
Posts: 193
Location: Vienna, Austria
Perhaps you can use hdparm to send a secure erase with the PSID?


Top
 Profile  
 
 Post subject: Re: Samsung PM871 password protected ... I tried everything
PostPosted: December 28th, 2020, 18:09 
Offline

Joined: November 8th, 2018, 12:18
Posts: 29
Location: Italy
sourcerer wrote:
Perhaps you can use hdparm to send a secure erase with the PSID?


I dont' think so .... linux assing a device only for few moment ... this is true in safe mode and normal mode.
You see some kernel messages assign, for example, /dev/sdc to the drive .... ma if you use hdparm to access
it .... nothing.

IMHO the way to go is this ...

Image

If, as I think, there is only ata password with no master password capability set to maximum (you can use master password
if you want when you try to unlock the drive), the ata password should be present in plain-text in slot 465.
This is true for 840 EVO. They say is teh same for 850 EVO.
PM871 is a 850 EVO for enterprise ... same hardware ... hope not too many firmware changes.


Top
 Profile  
 
 Post subject: Re: Samsung PM871 password protected ... I tried everything
PostPosted: January 1st, 2021, 15:19 
Offline

Joined: August 13th, 2016, 17:10
Posts: 193
Location: Vienna, Austria
As far as I remember, the firmware of the PM series and also the 850 series looked very different from each other, as if different teams had developed it, even though they were using the same hardware.


Top
 Profile  
 
 Post subject: Re: Samsung PM871 password protected ... I tried everything
PostPosted: January 3rd, 2021, 7:42 
Offline

Joined: November 8th, 2018, 12:18
Posts: 29
Location: Italy
My hope is they are similar at least for the password part.

Anyway I am fighting at the moment with my jtag interface (a modified wiggler ..... same thing but different pinout),
because I have to modify it in order not to fry the ssd (it's made for use with 3,3v target).


Top
 Profile  
 
 Post subject: Re: Samsung PM871 password protected ... I tried everything
PostPosted: January 3rd, 2021, 12:43 
Offline
User avatar

Joined: May 5th, 2004, 20:06
Posts: 2782
Location: England
Maybe it’s a Dual Core MEX or tri core R4 MGX that’s the difference?


But being Lenovo I suspect it’s OEM configured FW.

_________________
All went well until I plugged the drive in.


Top
 Profile  
 
 Post subject: Re: Samsung PM871 password protected ... I tried everything
PostPosted: January 4th, 2021, 9:43 
Offline

Joined: November 8th, 2018, 12:18
Posts: 29
Location: Italy
Image

Full size https://i.imgur.com/IBoz4oh.jpg


Top
 Profile  
 
 Post subject: Re: Samsung PM871 password protected ... I tried everything
PostPosted: July 30th, 2021, 18:36 
Offline

Joined: November 8th, 2018, 12:18
Posts: 29
Location: Italy
Does anybody know how to interface the NAND chip with openOCD?
I was able to dump the ram memory through jtag/openocd, but I have some difficulties
interfacing the NAND chip.
This ssd, as I said previously, hardware similar, if not identical, to EVO 850.

My goal is to get the "crypto blob" because my guess is that the password is just a simple ATA password.
So, no OPAL, no ATA maximum security, ... in other word, following the famous paper who analyze ssd security
of various model, I should find the ATA password in plain text into the crypto blob.

There is no trace of the crypto blob in memory from what I see .... so I need to acccess the NAND to get it.

TIA


Top
 Profile  
 
 Post subject: Re: Samsung PM871 password protected ... I tried everything
PostPosted: July 31st, 2021, 7:13 
Offline

Joined: November 8th, 2018, 12:18
Posts: 29
Location: Italy
An interesting thing I found in memory is PSID: it's all over the place. So, if someone need it because has lost the ssd label OR PSID is not reported
on the label, with jtag you can easily get it: just dump the memory of the device.


Top
 Profile  
 
 Post subject: Re: Samsung PM871 password protected ... I tried everything
PostPosted: August 3rd, 2021, 7:52 
Offline

Joined: November 8th, 2018, 12:18
Posts: 29
Location: Italy
This if the memory dump from 0x0 to 0x00ffffff ...

change the extension from txt to bin ... it's in binary format ... I named it as .txt to
be able to upload here.


Attachments:
File comment: Samsung PM871 memory dump
pm871full.txt [16 MiB]
Downloaded 539 times
Top
 Profile  
 
 Post subject: Re: Samsung PM871 password protected ... I tried everything
PostPosted: August 3rd, 2021, 8:07 
Offline

Joined: November 8th, 2018, 12:18
Posts: 29
Location: Italy
Mmmm .... something doesn't add up.
No presence of PSID in the full dump ..... in the chunk is dump in the previous days it was all over the place.

does anyone know why?


Top
 Profile  
 
 Post subject: Re: Samsung PM871 password protected ... I tried everything
PostPosted: August 3rd, 2021, 9:30 
Offline

Joined: November 8th, 2018, 12:18
Posts: 29
Location: Italy
This is a second dump where you can see the PSID.


Attachments:
File comment: another pm871 memory dump
pm871full-mex-bis.txt [16 MiB]
Downloaded 502 times
Top
 Profile  
 
 Post subject: Re: Samsung PM871 password protected ... I tried everything
PostPosted: August 4th, 2021, 6:17 
Offline

Joined: November 8th, 2018, 12:18
Posts: 29
Location: Italy
Since it has been downloaded 13 times up to now, has anyone found anything interisting??


Top
 Profile  
 
 Post subject: Re: Samsung PM871 password protected ... I tried everything
PostPosted: August 6th, 2021, 5:08 
Offline

Joined: August 13th, 2016, 17:10
Posts: 193
Location: Vienna, Austria
saronno wrote:
Does anybody know how to interface the NAND chip with openOCD?

Yes, but it doesn't work fully reliably yet. The SSD needs to be in the right state that it works, and I dont know how to initialize it into that state if it isn't. And in some ways I have the problem that I can only send one command, but any further commands do not work correctly. But perhaps you can figure out those things...

saronno wrote:
I was able to dump the ram memory through jtag/openocd, but I have some difficulties
interfacing the NAND chip.

Yes, you need to talk to the NAND flash controller through the memory mapped interface.

saronno wrote:
This ssd, as I said previously, hardware similar, if not identical, to EVO 850.

Then my research on the EVO840 should apply to get it running, the flash controller of the EVO 850 is nearly identical to the one on the EVO 840 (but many other things have changed in the hardware)

saronno wrote:
My goal is to get the "crypto blob" because my guess is that the password is just a simple ATA password.


saronno wrote:
So, no OPAL, no ATA maximum security, ... in other word, following the famous paper who analyze ssd security
of various model, I should find the ATA password in plain text into the crypto blob.


So there are 2 ways: You can either get the crypto blob from NAND flash (with chip-off or through JTAG) or you can take it from RAM.

saronno wrote:
There is no trace of the crypto blob in memory from what I see .... so I need to acccess the NAND to get it.


The crypto blob is loaded into RAM and properly wiped directly after it is used. So you have to take a look at the RAM at the right point of time to see it.


Top
 Profile  
 
 Post subject: Re: Samsung PM871 password protected ... I tried everything
PostPosted: August 6th, 2021, 5:31 
Offline

Joined: November 8th, 2018, 12:18
Posts: 29
Location: Italy
Quote:
saronno wrote:
I was able to dump the ram memory through jtag/openocd, but I have some difficulties
interfacing the NAND chip.

Yes, you need to talk to the NAND flash controller through the memory mapped interface.


If I understand correctly, MEX2 and MEX3 are the ones who can access the nand talking directly to the NAND controller (memory mapped).
Am I right? If so, I should select MEX2 or MEX3 to try to give any instruction to the controller ...


Quote:
saronno wrote:
There is no trace of the crypto blob in memory from what I see .... so I need to acccess the NAND to get it.


The crypto blob is loaded into RAM and properly wiped directly after it is used. So you have to take a look at the RAM at the right point of time to see it.


Great hint, thank you. So, there is no need to access the NAND ... I can launch any command who force the controller to load the crypto-blob in memory
and make a dump. I will give it a try using hdparm unlock.


Top
 Profile  
 
 Post subject: Re: Samsung PM871 password protected ... I tried everything
PostPosted: August 6th, 2021, 6:19 
Offline

Joined: August 13th, 2016, 17:10
Posts: 193
Location: Vienna, Austria
saronno wrote:
If I understand correctly, MEX2 and MEX3 are the ones who can access the nand talking directly to the NAND controller (memory mapped).
Am I right? If so, I should select MEX2 or MEX3 to try to give any instruction to the controller ...

On the EVO840 all 3 controllers can access the nand controller, but in the firmware, it's primarily MEX2 and MEX3's job. (Well, MEX1 also does it during bootup to load the firmware to RAM, before the other 2 cores get woken up)
On the EVO850 there is only MEX1 and MEX2 (perhaps the ARM license for the third core would have been to expensive?), so MEX1 is caring about SATA and MEX2 about NAND FLASH there.

saronno wrote:
Great hint, thank you. So, there is no need to access the NAND ... I can launch any command who force the controller to load the crypto-blob in memory
and make a dump. I will give it a try using hdparm unlock.


Yes, that is likely the easiest way in your case.


Top
 Profile  
 
 Post subject: Re: Samsung PM871 password protected ... I tried everything
PostPosted: August 6th, 2021, 6:26 
Offline

Joined: November 8th, 2018, 12:18
Posts: 29
Location: Italy
I am wondering if I will find "secu0.01clas" in plain text as they say in the famous paper where they
give a check about security and encryption in various ssd (840 and 850 included).

Image


Top
 Profile  
 
 Post subject: Re: Samsung PM871 password protected ... I tried everything
PostPosted: August 11th, 2021, 4:57 
Offline

Joined: May 12th, 2015, 5:37
Posts: 30
Location: Russia
You need to read the firmware from the drive. Then put the SSD into safe mode and write the firmware back. This will reinitialize the drive and reset the password.
But for such manipulations, you will need software such as PC-3000.


Top
 Profile  
 
 Post subject: Re: Samsung PM871 password protected ... I tried everything
PostPosted: August 11th, 2021, 15:41 
Offline
User avatar

Joined: September 8th, 2009, 18:21
Posts: 15461
Location: Australia
@saronno, perhaps if you stopped being cryptic and posted a link to the actual source of your information, you might get more replies.

https://www.ru.nl/publish/pages/909282/draft-paper.pdf

_________________
A backup a day keeps DR away.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 23 posts ]  Go to page 1, 2  Next

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 19 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group