Samsung PM871 password protected ... I tried everything ...

[saronno]

This is a lenovo-samsung model ...
PM871
MZ7LN256HCHP-000L7
firmware EMT03L6Q

As you probably already know, this is substantially just a samsung 850 evo.
The drive resulted password protected.

My originally idea was to use PSID revert to reset everything (I don't care about the data).

Unfortunately, it shows up as no compatible with OPAL, no matter what you try to use.

I tried with samsung magician .... everything is pratically greyed out ... no firmware update, no secure erase, no data security ...
I tried samsung psid revert ... no way, driver not compatible.
I tried the utily form lenovo to update the firmware ... it's passoword protected so no way.
I tried sedutil ... windows version, linux version, bootable version ... no change ... no opal

Of course the drive IS OPAL compatible ... you can find that information eveywhere and is even written on the label.

So ... is there a way to re-enable OPAL??

[saronno]

I think the reason I can't use PSID is this ...



https://www.samsung.com/semiconductor/g ... e_v1.1.pdf

So I run out of ideas ...

[sourcerer]

Perhaps you can use hdparm to send a secure erase with the PSID?

[saronno]

Perhaps you can use hdparm to send a secure erase with the PSID?

I dont' think so .... linux assing a device only for few moment ... this is true in safe mode and normal mode.
You see some kernel messages assign, for example, /dev/sdc to the drive .... ma if you use hdparm to access
it .... nothing.

IMHO the way to go is this ...



If, as I think, there is only ata password with no master password capability set to maximum (you can use master password
if you want when you try to unlock the drive), the ata password should be present in plain-text in slot 465.
This is true for 840 EVO. They say is teh same for 850 EVO.
PM871 is a 850 EVO for enterprise ... same hardware ... hope not too many firmware changes.

[sourcerer]

As far as I remember, the firmware of the PM series and also the 850 series looked very different from each other, as if different teams had developed it, even though they were using the same hardware.

[saronno]

My hope is they are similar at least for the password part.

Anyway I am fighting at the moment with my jtag interface (a modified wiggler ..... same thing but different pinout),
because I have to modify it in order not to fry the ssd (it's made for use with 3,3v target).

[guru]

Maybe it’s a Dual Core MEX or tri core R4 MGX that’s the difference?


But being Lenovo I suspect it’s OEM configured FW.

[saronno]

Full size https://i.imgur.com/IBoz4oh.jpg

[saronno]

Does anybody know how to interface the NAND chip with openOCD?
I was able to dump the ram memory through jtag/openocd, but I have some difficulties
interfacing the NAND chip.
This ssd, as I said previously, hardware similar, if not identical, to EVO 850.

My goal is to get the "crypto blob" because my guess is that the password is just a simple ATA password.
So, no OPAL, no ATA maximum security, ... in other word, following the famous paper who analyze ssd security
of various model, I should find the ATA password in plain text into the crypto blob.

There is no trace of the crypto blob in memory from what I see .... so I need to acccess the NAND to get it.

TIA

[saronno]

An interesting thing I found in memory is PSID: it's all over the place. So, if someone need it because has lost the ssd label OR PSID is not reported
on the label, with jtag you can easily get it: just dump the memory of the device.

[saronno]

This if the memory dump from 0x0 to 0x00ffffff ...

change the extension from txt to bin ... it's in binary format ... I named it as .txt to
be able to upload here.

Attachments

pm871full.txt

Samsung PM871 memory dump

(16 MiB) Downloaded 549 times

[saronno]

Mmmm .... something doesn't add up.
No presence of PSID in the full dump ..... in the chunk is dump in the previous days it was all over the place.

does anyone know why?

[saronno]

This is a second dump where you can see the PSID.

Attachments

pm871full-mex-bis.txt

another pm871 memory dump

(16 MiB) Downloaded 510 times

[saronno]

Since it has been downloaded 13 times up to now, has anyone found anything interisting??

[sourcerer]

Does anybody know how to interface the NAND chip with openOCD?

Yes, but it doesn't work fully reliably yet. The SSD needs to be in the right state that it works, and I dont know how to initialize it into that state if it isn't. And in some ways I have the problem that I can only send one command, but any further commands do not work correctly. But perhaps you can figure out those things...

I was able to dump the ram memory through jtag/openocd, but I have some difficulties
interfacing the NAND chip.

Yes, you need to talk to the NAND flash controller through the memory mapped interface.

This ssd, as I said previously, hardware similar, if not identical, to EVO 850.

Then my research on the EVO840 should apply to get it running, the flash controller of the EVO 850 is nearly identical to the one on the EVO 840 (but many other things have changed in the hardware)

My goal is to get the "crypto blob" because my guess is that the password is just a simple ATA password.

So, no OPAL, no ATA maximum security, ... in other word, following the famous paper who analyze ssd security
of various model, I should find the ATA password in plain text into the crypto blob.

So there are 2 ways: You can either get the crypto blob from NAND flash (with chip-off or through JTAG) or you can take it from RAM.

There is no trace of the crypto blob in memory from what I see .... so I need to acccess the NAND to get it.

The crypto blob is loaded into RAM and properly wiped directly after it is used. So you have to take a look at the RAM at the right point of time to see it.

[saronno]

I was able to dump the ram memory through jtag/openocd, but I have some difficulties
interfacing the NAND chip.

Yes, you need to talk to the NAND flash controller through the memory mapped interface.

If I understand correctly, MEX2 and MEX3 are the ones who can access the nand talking directly to the NAND controller (memory mapped).
Am I right? If so, I should select MEX2 or MEX3 to try to give any instruction to the controller ...

There is no trace of the crypto blob in memory from what I see .... so I need to acccess the NAND to get it.

The crypto blob is loaded into RAM and properly wiped directly after it is used. So you have to take a look at the RAM at the right point of time to see it.

Great hint, thank you. So, there is no need to access the NAND ... I can launch any command who force the controller to load the crypto-blob in memory
and make a dump. I will give it a try using hdparm unlock.

[sourcerer]

If I understand correctly, MEX2 and MEX3 are the ones who can access the nand talking directly to the NAND controller (memory mapped).
Am I right? If so, I should select MEX2 or MEX3 to try to give any instruction to the controller ...

On the EVO840 all 3 controllers can access the nand controller, but in the firmware, it's primarily MEX2 and MEX3's job. (Well, MEX1 also does it during bootup to load the firmware to RAM, before the other 2 cores get woken up)
On the EVO850 there is only MEX1 and MEX2 (perhaps the ARM license for the third core would have been to expensive?), so MEX1 is caring about SATA and MEX2 about NAND FLASH there.

Great hint, thank you. So, there is no need to access the NAND ... I can launch any command who force the controller to load the crypto-blob in memory
and make a dump. I will give it a try using hdparm unlock.

Yes, that is likely the easiest way in your case.

[saronno]

I am wondering if I will find "secu0.01clas" in plain text as they say in the famous paper where they
give a check about security and encryption in various ssd (840 and 850 included).

[Agrail]

You need to read the firmware from the drive. Then put the SSD into safe mode and write the firmware back. This will reinitialize the drive and reset the password.
But for such manipulations, you will need software such as PC-3000.

[fzabkar]

@saronno, perhaps if you stopped being cryptic and posted a link to the actual source of your information, you might get more replies.

https://www.ru.nl/publish/pages/909282/draft-paper.pdf