HDD GURU FORUMS
http://forum.hddguru.com/

Samsung PM871 password protected ... I tried everything ...
http://forum.hddguru.com/viewtopic.php?f=10&t=40440

Author:  saronno [ September 29th, 2020, 17:01 ]
Post subject:  Samsung PM871 password protected ... I tried everything ...

This is a lenovo-samsung model ...
PM871
MZ7LN256HCHP-000L7
firmware EMT03L6Q

As you probably already know, this is substantially just a Samsung 850 EVO.
The drive turned out to be password protected.

My original idea was to use PSID revert to reset everything (I don't care about the data).

Unfortunately, it shows up as not compatible with OPAL, no matter what you try to use.

I tried with Samsung Magician .... everything is practically greyed out ... no firmware update, no secure erase, no data security ...
I tried Samsung PSID revert ... no way, driver not compatible.
I tried the utility from Lenovo to update the firmware ... it's password protected so no way.
I tried sedutil ... windows version, linux version, bootable version ... no change ... no opal

Of course the drive IS OPAL compatible ... you can find that information everywhere and it is even written on the label.

So ... is there a way to re-enable OPAL??

Author:  saronno [ December 21st, 2020, 17:00 ]
Post subject:  Re: Samsung PM871 password protected ... I tried everything

I think the reason I can't use PSID is this ...

Image

https://www.samsung.com/semiconductor/g ... e_v1.1.pdf

So I have run out of ideas ...

Author:  sourcerer [ December 21st, 2020, 17:38 ]
Post subject:  Re: Samsung PM871 password protected ... I tried everything

Perhaps you can use hdparm to send a secure erase with the PSID?

Author:  saronno [ December 28th, 2020, 18:09 ]
Post subject:  Re: Samsung PM871 password protected ... I tried everything

sourcerer wrote:
Perhaps you can use hdparm to send a secure erase with the PSID?


I don't think so .... Linux assigns a device only for a few moments ... this is true in safe mode and normal mode.
You see some kernel messages assign, for example, /dev/sdc to the drive .... but if you use hdparm to access
it .... nothing.

IMHO the way to go is this ...

Image

If, as I think, there is only an ATA password with no master password capability set to maximum (you can use master password
if you want when you try to unlock the drive), the ATA password should be present in plain-text in slot 465.
This is true for 840 EVO. They say it is the same for 850 EVO.
PM871 is an 850 EVO for enterprise ... same hardware ... hope not too many firmware changes.
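
For reference on the ATA security terms used in the post above (security level High versus Maximum, master password), here is an added example that is not part of the original thread: it decodes the security fields of a raw 512-byte IDENTIFY DEVICE block as defined by the ATA command set. The function names and the sample block are constructed for illustration.

```python
import struct

# IDENTIFY DEVICE word 128 (security status) bit positions, per the ATA command set.
SECURITY_BITS = {
    "supported": 0,
    "enabled": 1,
    "locked": 2,
    "frozen": 3,
    "count_expired": 4,
    "enhanced_erase_supported": 5,
}
MASTER_CAPABILITY_BIT = 8  # 0 = High security level, 1 = Maximum


def decode_identify_security(identify: bytes) -> dict:
    """Decode security-related fields from a raw 512-byte IDENTIFY DEVICE block."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    words = struct.unpack("<256H", identify)  # 256 little-endian 16-bit words
    w48, w128 = words[48], words[128]
    status = {name: bool((w128 >> bit) & 1) for name, bit in SECURITY_BITS.items()}
    status["level"] = "maximum" if (w128 >> MASTER_CAPABILITY_BIT) & 1 else "high"
    status["master_password_id"] = words[92]
    # Word 48 is only valid when bit 15 is 0 and bit 14 is 1. Bit 0 reports the
    # Trusted Computing feature set (the transport TCG Opal uses), not Opal itself.
    status["trusted_computing"] = (w48 & 0xC000) == 0x4000 and bool(w48 & 1)
    # At level High the master password unlocks the drive; at Maximum it can
    # only authorise SECURITY ERASE UNIT, which destroys the user data.
    status["master_can_unlock"] = status["enabled"] and status["level"] == "high"
    return status


def constructed_identify(word128: int) -> bytes:
    """Constructed sample block (not from a real drive)."""
    words = [0] * 256
    words[48] = 0x4001    # Trusted Computing feature set supported
    words[92] = 0xFFFE    # constructed master password identifier
    words[128] = word128
    return struct.pack("<256H", *words)


if __name__ == "__main__":
    # 0x0027: supported, enabled, locked, enhanced erase; level High
    # 0x0127: same, but level Maximum
    for w in (0x0027, 0x0127):
        print(hex(w), decode_identify_security(constructed_identify(w)))
```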

Author:  sourcerer [ January 1st, 2021, 15:19 ]
Post subject:  Re: Samsung PM871 password protected ... I tried everything

As far as I remember, the firmware of the PM series and also the 850 series looked very different from each other, as if different teams had developed it, even though they were using the same hardware.

Author:  saronno [ January 3rd, 2021, 7:42 ]
Post subject:  Re: Samsung PM871 password protected ... I tried everything

My hope is they are similar at least for the password part.

Anyway I am fighting at the moment with my jtag interface (a modified wiggler ..... same thing but different pinout),
because I have to modify it in order not to fry the ssd (it's made for use with 3,3v target).

Author:  guru [ January 3rd, 2021, 12:43 ]
Post subject:  Re: Samsung PM871 password protected ... I tried everything

Maybe it’s a Dual Core MEX or tri core R4 MGX that’s the difference?


But being Lenovo I suspect it’s OEM configured FW.

Author:  saronno [ January 4th, 2021, 9:43 ]
Post subject:  Re: Samsung PM871 password protected ... I tried everything

Image

Full size https://i.imgur.com/IBoz4oh.jpg

Author:  saronno [ July 30th, 2021, 18:36 ]
Post subject:  Re: Samsung PM871 password protected ... I tried everything

Does anybody know how to interface the NAND chip with openOCD?
I was able to dump the ram memory through jtag/openocd, but I have some difficulties
interfacing the NAND chip.
This SSD is, as I said previously, hardware similar, if not identical, to EVO 850.

My goal is to get the "crypto blob" because my guess is that the password is just a simple ATA password.
So, no OPAL, no ATA maximum security, ... in other words, following the famous paper which analyzes SSD security
of various models, I should find the ATA password in plain text in the crypto blob.

There is no trace of the crypto blob in memory from what I see .... so I need to access the NAND to get it.

TIA

Author:  saronno [ July 31st, 2021, 7:13 ]
Post subject:  Re: Samsung PM871 password protected ... I tried everything

An interesting thing I found in memory is the PSID: it's all over the place. So, if someone needs it because they have lost the SSD label OR the PSID is not reported
on the label, with jtag you can easily get it: just dump the memory of the device.

Author:  saronno [ August 3rd, 2021, 7:52 ]
Post subject:  Re: Samsung PM871 password protected ... I tried everything

This is the memory dump from 0x0 to 0x00ffffff ...

change the extension from txt to bin ... it's in binary format ... I named it as .txt to
be able to upload here.

Attachments:
File comment: Samsung PM871 memory dump
pm871full.txt [16 MiB]
Downloaded 552 times

Author:  saronno [ August 3rd, 2021, 8:07 ]
Post subject:  Re: Samsung PM871 password protected ... I tried everything

Mmmm .... something doesn't add up.
No presence of PSID in the full dump ..... in the chunk I dumped in the previous days it was all over the place.

Does anyone know why?

Author:  saronno [ August 3rd, 2021, 9:30 ]
Post subject:  Re: Samsung PM871 password protected ... I tried everything

This is a second dump where you can see the PSID.

Attachments:
File comment: another pm871 memory dump
pm871full-mex-bis.txt [16 MiB]
Downloaded 513 times

Author:  saronno [ August 4th, 2021, 6:17 ]
Post subject:  Re: Samsung PM871 password protected ... I tried everything

Since it has been downloaded 13 times up to now, has anyone found anything interesting??

Author:  sourcerer [ August 6th, 2021, 5:08 ]
Post subject:  Re: Samsung PM871 password protected ... I tried everything

saronno wrote:
Does anybody know how to interface the NAND chip with openOCD?

Yes, but it doesn't work fully reliably yet. The SSD needs to be in the right state for it to work, and I don't know how to initialize it into that state if it isn't. And in some ways I have the problem that I can only send one command, but any further commands do not work correctly. But perhaps you can figure out those things...

saronno wrote:
I was able to dump the ram memory through jtag/openocd, but I have some difficulties
interfacing the NAND chip.

Yes, you need to talk to the NAND flash controller through the memory mapped interface.

saronno wrote:
This SSD is, as I said previously, hardware similar, if not identical, to EVO 850.

Then my research on the EVO840 should apply to get it running; the flash controller of the EVO 850 is nearly identical to the one on the EVO 840 (but many other things have changed in the hardware).

saronno wrote:
My goal is to get the "crypto blob" because my guess is that the password is just a simple ATA password.


saronno wrote:
So, no OPAL, no ATA maximum security, ... in other words, following the famous paper which analyzes SSD security
of various models, I should find the ATA password in plain text in the crypto blob.


So there are 2 ways: You can either get the crypto blob from NAND flash (with chip-off or through JTAG) or you can take it from RAM.

saronno wrote:
There is no trace of the crypto blob in memory from what I see .... so I need to access the NAND to get it.


The crypto blob is loaded into RAM and properly wiped directly after it is used. So you have to take a look at the RAM at the right point of time to see it.

Author:  saronno [ August 6th, 2021, 5:31 ]
Post subject:  Re: Samsung PM871 password protected ... I tried everything

Quote:
saronno wrote:
I was able to dump the ram memory through jtag/openocd, but I have some difficulties
interfacing the NAND chip.

Yes, you need to talk to the NAND flash controller through the memory mapped interface.


If I understand correctly, MEX2 and MEX3 are the ones who can access the nand talking directly to the NAND controller (memory mapped).
Am I right? If so, I should select MEX2 or MEX3 to try to give any instruction to the controller ...


Quote:
saronno wrote:
There is no trace of the crypto blob in memory from what I see .... so I need to access the NAND to get it.


The crypto blob is loaded into RAM and properly wiped directly after it is used. So you have to take a look at the RAM at the right point of time to see it.


Great hint, thank you. So, there is no need to access the NAND ... I can launch any command that forces the controller to load the crypto-blob in memory
and make a dump. I will give it a try using hdparm unlock.

Author:  sourcerer [ August 6th, 2021, 6:19 ]
Post subject:  Re: Samsung PM871 password protected ... I tried everything

saronno wrote:
If I understand correctly, MEX2 and MEX3 are the ones who can access the nand talking directly to the NAND controller (memory mapped).
Am I right? If so, I should select MEX2 or MEX3 to try to give any instruction to the controller ...

On the EVO840 all 3 controllers can access the nand controller, but in the firmware, it's primarily MEX2 and MEX3's job. (Well, MEX1 also does it during bootup to load the firmware to RAM, before the other 2 cores get woken up)
On the EVO850 there is only MEX1 and MEX2 (perhaps the ARM license for the third core would have been too expensive?), so MEX1 is caring about SATA and MEX2 about NAND FLASH there.

saronno wrote:
Great hint, thank you. So, there is no need to access the NAND ... I can launch any command that forces the controller to load the crypto-blob in memory
and make a dump. I will give it a try using hdparm unlock.


Yes, that is likely the easiest way in your case.

Author:  saronno [ August 6th, 2021, 6:26 ]
Post subject:  Re: Samsung PM871 password protected ... I tried everything

I am wondering if I will find "secu0.01clas" in plain text as they say in the famous paper where they
give a check about security and encryption in various ssd (840 and 850 included).

Image

Author:  Agrail [ August 11th, 2021, 4:57 ]
Post subject:  Re: Samsung PM871 password protected ... I tried everything

You need to read the firmware from the drive. Then put the SSD into safe mode and write the firmware back. This will reinitialize the drive and reset the password.
But for such manipulations, you will need software such as PC-3000.

Author:  fzabkar [ August 11th, 2021, 15:41 ]
Post subject:  Re: Samsung PM871 password protected ... I tried everything

@saronno, perhaps if you stopped being cryptic and posted a link to the actual source of your information, you might get more replies.

https://www.ru.nl/publish/pages/909282/draft-paper.pdf

All times are UTC - 5 hours [ DST ]