Switch to full style
In-depth technology research: finding new ways to recover data, accessing firmware, writing programs, reading bits off the platter, recovering data from dust.

Forum rules

Please do not post questions about data recovery cases here (use this forum instead). This forum is for topics on finding new ways to recover data. Accessing firmware, writing programs, reading bits off the platter, recovering data from dust...
Post a reply

Solution for new WD/HGST firmware architecture

May 23rd, 2019, 3:01

The following thread appears to confirm that the WD drives in a "My Book Pro Duo" RAID store the encryption key and RAID metadata in firmware modules 25h and 38h. Transferring these two modules, and module 02, to two clone drives enabled the cloned RAID array to be detected and decrypted by the enclosure.

SED WD "My Book Pro Duo" RAID:
https://groups.google.com/forum/#!topic/datarecoverycertification/mmoEbpk-x0E

Here is a 16TB My Book Duo with two HGST/WD helium drives:

https://www.datarecoveryguru.com/blog/2019/5/17/how-to-recover-data-from-a-raid0-wd-my-book-duo-with-x2-8tb-wd-red-helium-hard-drives

ISTM that if one were to intercept the SATA interface with a protocol analyser, one may see the VSCs that the bridge transmits to the drive when these firmware modules are updated. Could this be the secret to cracking this new architecture?

Re: Solution for new WD/HGST firmware architecture

September 19th, 2022, 1:03

I have a case where 2 drives came from a My Book Live (the older silver one) which were in mirror raid password protected. The failing drive was cloned 99.9%, the other drive was accidentally reused before it could be recovered.

I used an idential drive for the clone, switched Mods 02, 25 and 38, but the controller will not allow any access to the drive saying the raid structures are damaged. The only way I can see to unlock the drive is through WD Security, which won't allow you to enter a password unless the drive is properly configured and not damaged, and WD Utilities says the Raid volume has errors and cannot access the data, and the only option is to reconfigure it. So the drive appears as 0lba and gives no direct access to it.

I could try reconfiguring it which would probably change those Mods and write a new empty file system, but then rewrite 25 and 38 and then try again, hopefully it might prompt for the password, decrypt it properly and then I could scan the rest of the drive that wasn't overwritten by the reconfiguring.

Re: Solution for new WD/HGST firmware architecture

September 19th, 2022, 1:10

jordash wrote:I have a case where 2 drives came from a My Book Live (the older silver one) which were in mirror raid password protected. The failing drive was cloned 99.9%, the other drive was accidentally reused before it could be recovered.

I used an idential drive for the clone, switched Mods 02, 25 and 38, but the controller will not allow any access to the drive saying the raid structures are damaged. The only way I can see to unlock the drive is through WD Security, which won't allow you to enter a password unless the drive is properly configured and not damaged, and WD Utilities says the Raid volume has errors and cannot access the data, and the only option is to reconfigure it. So the drive appears as 0lba and gives no direct access to it.

I could try reconfiguring it which would probably change those Mods and write a new empty file system, but then rewrite 25 and 38 and then try again, hopefully it might prompt for the password, decrypt it properly and then I could scan the rest of the drive that wasn't overwritten by the reconfiguring.


You guys missed a lot. IF you would read carefully all UFS pro updates you would know, that bridge encryption already supported more than year, including user password support. Even for clones, no need to load SA modules to donor's sa, you can simply attach encryption key sector to the end of hdd , to allow UFS detects it automatically.
Post a reply