HDD GURU FORUMS

Data recovery and HDD repair discussions
http://forum.hddguru.com/

seagate hard disk permanent unlock

http://forum.hddguru.com/viewtopic.php?f=28&t=45246

Page 1 of 1

seagate hard disk permanent unlock

Posted: April 8th, 2025, 2:24
by piyush
Hi

i have rosewood harddisk ST2000LM009 fw : SED! . Anyone know how we create 1d2 module from 1d1 module or what change we do in module 1d2 so drive get parmanet unlock.

thanks and regards
piyush

Re: seagate hard disk permanent unlock

Posted: April 13th, 2025, 13:18
by jackass25
How to Generate/Modify 1D2 Module for Permanent Unlock
1. Understand the Modules:
1D1 Module → Contains the Media Key (Encryption Key).
1D2 Module → Contains the password hash and unlock rules.
To disable password protection, you need to modify 1D2 to bypass authentication.

2. Method 1: Copy 1D1 to 1D2 (Basic Unlock)
Some technicians copy the first 0x200 bytes of 1D1 into 1D2 (effectively making the password check pass).
Steps:
Dump 1D1 and 1D2 (using PC-3000, MRT, or Seagate Terminal).
Open 1D1 in a hex editor (e.g., HxD).
Copy the first 0x200 bytes of 1D1.
Paste them into 1D2 (overwriting the first 0x200 bytes).
Write the modified 1D2 back to the drive.

3. Method 2: Patch 1D2 to Disable Password (Advanced)
Some drives require specific patches in 1D2 to disable security.
Common patches:
Change password hash to all zeros.
Modify unlock flags (e.g., set "No Password Required" bit).
Example Patch (Hex Edit):
Find and replace password-related structures in 1D2 with 00 or FF.
Some versions require specific offsets (varies by firmware).

4. Method 3: Use a Pre-Patched 1D2 (Community-Shared)
Some data recovery forums share pre-patched 1D2 modules for certain Rosewood FWs. (use yandex.com, bing.com etc)
Search for:
"ST2000LM009 SED unlock 1D2 patch"
"Rosewood 1D2 permanent unlock"

Risks:
Wrong modifications can brick the drive permanently.
Some drives re-lock after power cycle if not patched correctly.

Tools Needed:
PC-3000, MRT, or Seagate Terminal (to read/write modules).
Hex Editor (HxD, WinHex).

Re: seagate hard disk permanent unlock

Posted: April 13th, 2025, 13:39
by fzabkar
@jackass25, there was an MRT thread that used a different method. If you upload your 0x1D1 and 0x1D2 modules, I'll show you how they did it.

Re: seagate hard disk permanent unlock

Posted: May 24th, 2025, 5:25
by piyush
hi
I am attach the 1d1 and 1d2 module. please guide how do i do patch.

Re: seagate hard disk permanent unlock

Posted: May 24th, 2025, 20:49
by fzabkar
Extract a copy of 0x1D2 from 0x1D1 at 0x22000 - 0x38fff.

Code:
Offset(h) 00       04       08       0C

00022000  C2BD120B 80000000 00000000 80000000
00022010  00000000 00000000 01000000 81000000
00022020  00000000 00000000 00000000 00000000
00022030  00000000 00000000 00000000 00000000
00022040  01000000 81000000 00000000 00000000
00022050  00000000 00000000 00000000 00000000
00022060  00000000 00000000 00000000 00000000
00022070  01000000 81000000 00000000 80000000
00022080  10000000 00000000 FFFF0000 00000000
00022090  00000000 00000000 00000000 00000000
000220A0  00000000 00000000 00000000 00000000
000220B0  00000000 00000000 00000000 00000000
000220C0  00000000 00000000 00000000 00000000
000220D0  00000000 00000000 00000000 00000000
000220E0  00000000 00000000 00000000 00000000
000220F0  00000000 00000000 00000000 00000000
00022100  00000000 00000000 FFFF0000 FFFF0000
00022110  00000000 00000000 00000000 FFFF0000
00022120  01000000 00000000 00000000 00000000
00022130  00000000 00000000 00000000 63F08B44
........
00023C70  00000101 00000000 00000001 00000000  ................
00023C80  00000000 00000000 1C930000 00000000  .........“......
                            ^^^^
                            little-endian checksum of previous 16-bit words

The carved file is very similar to your 1D2.

There are differences at the beginning:

Code:
Offset(h) 00       04       08       0C

00000000  C2BD120B FF000000 00000000 81000000
00000010  00000000 00000000 01000000 81000000
00000020  00000000 00000000 00000000 00000000
00000030  00000000 00000000 00000000 00000000
00000040  01000000 81000000 00000000 00000000
00000050  00000000 00000000 00000000 00000000
00000060  00000000 00000000 00000000 00000000
00000070  01000000 81000000 00000000 81000000
00000080  10000000 00000000 FFFF0000 00000000
00000090  00000000 00000000 00000000 00000000
000000A0  00000000 00000000 00000000 00000000
000000B0  00000000 00000000 00000000 00000000
000000C0  00000000 00000000 00000000 00000000
000000D0  00000000 00000000 00000000 00000000
000000E0  00000000 00000000 00000000 00000000
000000F0  00000000 00000000 00000000 00000000
00000100  00000000 00000000 FFFFFFFF FFFFFFFF
00000110  FFFFFFFF FFFFFFFF 00000000 FFFF0000
00000120  01000000 00000000 00000000 00000000
00000130  00000000 00000000 00000000 63F08B44

This is the remaining difference (apart from the checksum):

Code:
Offset(h) 00       04       08       0C

00001BD0  00000000 00000000 00000000 00010000
00001BE0  61000000 00000000 00000000 00000000
00001BF0  00000000 00000000 00000B00 30000500

Code:
Offset(h) 00       04       08       0C

00001BD0  00000000 00000000 00000000 00010000
00001BE0  E1000000 00000000 00000000 00000000
00001BF0  00000000 00000000 00000B00 30000500

To "permanently unlock" 1D1, change offset 0x04 from 0x80 to 0x81 and add 1 to the checksum word at 0x1C88.

I don't understand why there are so many differences between 1D2 and the version that was carved from 1D1, but this method has worked twice in the past.
All times are UTC - 5 hours [ DST ]
Page 1 of 1
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
http://www.phpbb.com/