
Re: Forgot WD My Passport password - brute force

August 4th, 2016, 19:06

Here are the two firmware modules identified by the security researchers in the abovementioned paper:

Module 0x127

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  52 4F 59 4C 01 00 1E 00 27 01 01 00 B9 1B 92 B9  ROYL....'...¹.’¹
00000010  4E 4F 54 5F 49 4E 49 54 00 00 00 00 00 00 00 00  NOT_INIT........
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000030  00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20  ..             
00000040  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                 
00000050  00 00 57 44 43 57 44 43 57 44 43 57 44 43 57 44  ..WDCWDCWDCWDCWD
00000060  43 57 44 43 57 44 43 57 44 43 57 44 43 57 44 43  CWDCWDCWDCWDCWDC
00000070  57 00 FE FF 00 00 00 00 00 00 00 00 00 00 00 00  W.þÿ............

Module 0x124

Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  52 4F 59 4C 01 00 1E 00 24 01 01 00 C9 77 97 BE  ROYL....$...Éw—¾
00000010  4E 4F 54 5F 49 4E 49 54 00 00 00 00 00 00 00 00  NOT_INIT........

Notice that the default user password consists of 30 spaces while the default master password is "WDCWDC ...". The researchers bypassed the SED lock (using PC3000) and accessed these modules in the normal way.
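
As an added example (not part of the original post, and not code from the researchers or any tool named in this thread), the Python below rebuilds the bytes of the module 0x127 dump and checks the points the post makes: the ROYL signature, the module ID, the NOT_INIT marker and the two default password fields. The field positions (module ID at 0x08, user field at 0x32, master field at 0x52) are assumptions read off the two dumps above, not a documented layout.

```python
import re
import struct

# Hex rows of module 0x127 exactly as posted above (ASCII column dropped).
DUMP_0X127 = """
00000000  52 4F 59 4C 01 00 1E 00 27 01 01 00 B9 1B 92 B9
00000010  4E 4F 54 5F 49 4E 49 54 00 00 00 00 00 00 00 00
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030  00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000040  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
00000050  00 00 57 44 43 57 44 43 57 44 43 57 44 43 57 44
00000060  43 57 44 43 57 44 43 57 44 43 57 44 43 57 44 43
00000070  57 00 FE FF 00 00 00 00 00 00 00 00 00 00 00 00
"""
OFFSET = re.compile(r"[0-9A-Fa-f]{8}")
HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")

def parse_hexdump(text):
    """Rebuild bytes from hex-editor rows; reject gaps or overlaps."""
    buf = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not OFFSET.fullmatch(tokens[0]):
            continue  # blank line, "Code:" label or the Offset(h) ruler
        if int(tokens[0], 16) != len(buf):
            raise ValueError(f"row {tokens[0]} does not follow offset {len(buf):08X}")
        for tok in tokens[1:17]:  # at most 16 bytes; an ASCII column may follow
            if not HEX_BYTE.fullmatch(tok):
                break
            buf.append(int(tok, 16))
    return bytes(buf)

def describe_module(data):
    """Report the header fields visible in the dumps (layout assumed from them)."""
    if data[:4] != b"ROYL":
        raise ValueError("missing ROYL signature")
    (module_id,) = struct.unpack_from("<H", data, 0x08)  # 27 01 -> 0x127
    report = {"module_id": module_id,
              "marker": data[0x10:0x18].decode("ascii", "replace")}
    if module_id == 0x127 and len(data) >= 0x72:
        # Field positions read off this one dump, not from documentation.
        report["user_is_default"] = data[0x32:0x50] == b" " * 30
        report["master_is_default"] = data[0x52:0x71] == b"WDC" * 10 + b"W"
    return report

if __name__ == "__main__":
    print(describe_module(parse_hexdump(DUMP_0X127)))
```

The offset check in `parse_hexdump` matters when rows are pasted from a forum: a dropped or duplicated row raises an error instead of silently shifting every later field.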

Re: Forgot WD My Passport password - brute force

August 5th, 2016, 17:25

I don't think they talked about modules. I think they talked about an offset in the module.

Re: Forgot WD My Passport password - brute force

August 5th, 2016, 18:59

They refer to "SA area" and "different SAs". That doesn't sound like they are referring to offsets. ???

By forcing SA access and manipulating the SA area 0x124 and 0x127 we were able to unlock the HDD and disable the SATA AES encryption.

We located the location of the ATA password and some (unknown) connection to the AES password in different SAs from the internal 2.5" SATA HDD.

Re: Forgot WD My Passport password - brute force

August 5th, 2016, 19:44

Will see.

Re: Forgot WD My Passport password - brute force

August 10th, 2016, 9:56

fzabkar wrote:@dx486, is there any reason why you can't provide us with the USBDeview or UVCView output?

What is the full model number, including the suffix, eg WD10JMVW-11AJGS1?

Can you remove the PCB from the drive and upload a detailed photo of the component side?

"andlabs" needs to identify the bridge IC in order to determine the type of encryption being used. Then we need to bypass the bridge in order to search for the key sector. That said, if you have a SED drive, then the key will be in the System Area (SA), not in the user area, IIUC.

Waiting for your info ...

Hello fzabkar,

USBdeview output is here.

Here is a detailed photo of the drive.

I will try to use reallymine but I could not connect the drive via SATA. I see there are [12 pins] - USB port and [2 pins] on the drive. They don't seem compatible with SATA cables. I have found this article but it is an old one and my drive seems different.

Here is a close picture.

If you have any idea please share with me.

If you want me to provide any other info, please tell me.

Re: Forgot WD My Passport password - brute force

August 10th, 2016, 15:50

Here is the circuit photo. Thank you!

Re: Forgot WD My Passport password - brute force

August 10th, 2016, 16:34

AIUI, the drive is a SED (VID/PID = 1058/0810):

http://www.hddoracle.com/viewtopic.php? ... 9069#p9069

This means that encryption is handled by the drive rather than the bridge. Therefore I don't think that reallymine would be applicable in your case. You could always ask the author, though.

Note that your drive will have a locked SA which means that you will need special techniques to gain access:

viewtopic.php?f=1&t=33822&p=236436

You could wait for WDMarvel (US$15) to add this feature (if it doesn't have it already?).

Re: Forgot WD My Passport password - brute force

August 11th, 2016, 14:33

One of the heads is weak or dead.

Re: Forgot WD My Passport password - brute force

August 11th, 2016, 17:30

dx486 wrote:I will try to use reallymine but I could not connect the drive via SATA. I see there are [12 pins] - USB port and [2 pins] on the drive. They don't seem compatible with SATA cables. I have found this article but it is an old one and my drive seems different.

This thread explains what you need to do:
viewtopic.php?f=1&t=27819

Notice that removing (or defeating) U14 causes the bridge IC to behave like an ordinary "dumb" bridge. In this state you will probably find that the drive then reports, via the ATA Identify Device command, that it is locked by an ATA password (if I understand the research paper correctly). You will also be able to search the end of the drive's user area for a key (which will probably not be stored there).

Re: Forgot WD My Passport password - brute force

August 18th, 2016, 16:27

I am desperately trying to figure out how software can unlock WD Security software after 5 wrong entries.

What exactly does cause this counter to be reset? Turning the power for the drive on and off?

Disabling/enabling the drive using "devcon" does not reset the counter.

I guess coding a program which will reset the counter variable in memory to prevent unlock is a difficult task... Just an idea...

Does anybody know where the WD Security software stores the counter for wrong entries?

Can a "USB-over-TCP/IP program" be a solution?

Somebody from this site told me that the software can "do it by itself if I will solder small board which could repower drive if software will ask about it". I don't understand what is meant by that. Can somebody please explain to me how I can do that, or direct me to a tutorial?

I have posted a question about this issue on stackoverflow as well.

Re: Forgot WD My Passport password - brute force

August 18th, 2016, 18:10

It was me.
It's easy to solder a primitive board (controlled through the LPT port) which will be able to switch power on and off.

Re: Forgot WD My Passport password - brute force

August 19th, 2016, 4:30

Just to note here for others who may be interested: A friend told me to use a USB relay like this one. He told me to cut the cable and connect red cable to the relay. :)

Re: Forgot WD My Passport password - brute force

August 23rd, 2016, 13:21

dx486 wrote:What exactly does cause this counter to be reset? Turning the power for the drive on and off?

Yes.

dx486 wrote:Does anybody know where the WD Security software stores the counter for wrong entries?

I think the wrong password attempts are counted in the drive's firmware.
The counting of the WD software is irrelevant.

dx486 wrote:Can a "USB-over-TCP/IP program" be a solution?

No, I don't see a way to fool the drive's firmware with this solution.
Even if it would work... it wouldn't be an efficient solution.

If you still want to decrypt the drive I could maybe help you.
The easiest way would be to send the drive to me.
Please send me a private message for this purpose.

Best Regards

Re: Forgot WD My Passport password - brute force

August 23rd, 2016, 16:36

dx486 wrote:Just to note here for others who may be interested: A friend told me to use a USB relay like this one. He told me to cut the cable and connect red cable to the relay. :)

You would need to write a batch routine to test 4 passwords, then send a command to switch off the relay, wait for 1 second, switch the relay back on, and then wait for a few seconds for the drive to spin up again.

Re: Forgot WD My Passport password - brute force

August 27th, 2016, 7:33

fzabkar wrote:
dx486 wrote:Just to note here for others who may be interested: A friend told me to use a USB relay like this one. He told me to cut the cable and connect red cable to the relay. :)

You would need to write a batch routine to test 4 passwords, then send a command to switch off the relay, wait for 1 second, switch the relay back on, and then wait for a few seconds for the drive to spin up again.


Do you think using this method might decrease the drive's lifespan?

Re: Forgot WD My Passport password - brute force

August 27th, 2016, 13:46

Every power up/shutdown cycle decreases it a little. So, if you are doing a couple of hundred/thousand/more cycles, yes, it will decrease.

Re: Forgot WD My Passport password - brute force

August 29th, 2016, 12:55

dx486 wrote:
fzabkar wrote:
dx486 wrote:Just to note here for others who may be interested: A friend told me to use a USB relay like this one. He told me to cut the cable and connect red cable to the relay. :)

You would need to write a batch routine to test 4 passwords, then send a command to switch off the relay, wait for 1 second, switch the relay back on, and then wait for a few seconds for the drive to spin up again.


Do you think using this method might decrease the drive's lifespan?

It will take a lot of time to check a significant number of passwords.

Re: Forgot WD My Passport password - brute force

August 29th, 2016, 13:24

drHDD wrote:It will take a lot of time to check a significant number of passwords.


Too much time in my opinion.

Re: Forgot WD My Passport password - brute force

September 27th, 2016, 18:55

reallymine now supports password entry. One could probably use a shell script to try a list of passwords, but I expect that it would be slow.

From the author ...
http://www.hddoracle.com/viewtopic.php? ... 9638#p9638

Re: Forgot WD My Passport password - brute force

October 5th, 2016, 18:51

fzabkar wrote:reallymine now supports password entry. One could probably use a shell script to try a list of passwords, but I expect that it would be slow.

From the author ...
http://www.hddoracle.com/viewtopic.php? ... 9638#p9638

When I connect my drive using USB port it sees two drives, lsblk output is:
Code:
sdb             8:16   0 931,5G  0 disk 
sr0            11:0    1    30M  0 rom   /run/media/dx486/WD Unlocker

When the drive is connected normally via usb, this command:
Code:
% sudo ./reallymine-linux-amd64 dumpkeysector /dev/sdb outfile.bin

gives this output:
Code:
error running dumpkeysector: read /dev/sdb: input/output error


[portion of this message was deleted]

I am trying to find a way to

1. Read the key sector (Can you please simply explain to me how I can read this drive's key sector?)
2. Use reallymine's new version to try passwords. (How should I connect the drive and what is the command for trying passwords? I think it is related to the "kek" option, but I am confused by its documentation; my tries did not work.)