All times are UTC - 5 hours [ DST ]




Post subject: Re: ATA password bypassing
Posted: May 19th, 2009, 14:54

Joined: May 16th, 2009, 9:32
Posts: 329
Location: UNited Kingdom
Well I finally dug out my old, locked, xbox WD 8GB drive (WD80EB)
and fired it up with MHDD
MHDD says PWD (i.e. locked)
Security: MAX, ON
Max = need unique and currently unknown user password only
as opposed to the other possibility of HIGH where either the Master or User password can be used, and the Master may or may not be the factory default

So I guess there is no way to unlock it, to get to any data
(I don't have the user password)
without something like a PC3000

Note - I don't need the data or the drive really, this is just for testing whether it was possible

I'll probably force erase the drive (which should be possible)
so that I can use it to play with setting Master and User passwords

And maybe some kind person will give a tip on any other possible method
(shorting of other jumper pins etc)
although that will be specific to this drive
and won't help me in the future if I ever get a real, important, locked drive to look at
(my friends are always asking me to recover corrupt partition tables etc)


Post subject: Re: ATA password bypassing
Posted: May 19th, 2009, 15:04

Joined: May 16th, 2009, 9:32
Posts: 329
Location: UNited Kingdom
And it looks like I can't do an erase in MAX security mode (from MHDD)

i.e. can't send a SECURITY ERASE PREPARE command, immediately followed by SECURITY ERASE UNIT

or maybe I've overlooked how to do it from MHDD


Post subject: Re: ATA password bypassing
Posted: May 19th, 2009, 15:17

Joined: December 19th, 2006, 8:49
Posts: 11040
Location: Portugal
I will help you and for free to get rid of that password !!!!

First just grab a copy of MHDD prior to the latest version.
Download MHDD 4.5 from here :
http://hddguru.com/content/en/software/2005.10.02-MHDD/
You will need it because it contains the ATA terminal that you will need for our little experience. Also use the floppy version, if you use the CD ISO you will end up with a "virtual ram drive" when you boot the MHDD and not the real a: assigned to the floppy.

Then open your notepad and paste the following script :

Code:
; rm modul id 42
reset
waitnbsy
regs = $57 $44 $43 $00 $00 $a0 $8a
waitnbsy
regs = $00 $02 $00 $00 $0F $E0 $21
waitnbsy
checkdrq
sectorsto = 42.bin
; End.


Save the file with a simple name, like "wdpwd" and remove the .txt extension from the file. You should end up with a filename without extension. Save that file to the "Scripts" folder of your MHDD 4.5

Now boot your MHDD copy and detect the locked drive. MHDD will tell you the drive is locked. Don't worry and issue a .wdpwd or whatever you named the file.

You should end up with a file named 42.bin on the disk you used to boot mhdd.
If you have booted from cd you will have to copy the file out of it to a floppy, etc ...
Post the content here, if you can't figure out where the password is ;)

Happy unlocking for free !
Without expensive tools.
That experience will also give you an idea about the true importance of vendor-specific ata commands.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Post subject: Re: ATA password bypassing
Posted: May 19th, 2009, 15:27

Joined: May 16th, 2009, 9:32
Posts: 329
Location: UNited Kingdom
Wow, thanks
I'll give that a try

Now that is the sort of friendly interaction and helpful advice I was expecting on here


I've also dug out another old drive
Maxtor 6L040L2
that supports ATA passwords

Shows Security: high, Off

I am able to set and remove user passwords
Can't seem to unlock with a Master password, but then I don't have the Master password (and can't seem to find it on the web etc)

And looks like I was wrong in that it is not possible (or not easily possible) to change the default Master password

Not that the Master password helps you when in Max mode


Post subject: Re: ATA password bypassing
Posted: May 19th, 2009, 15:39

Joined: May 16th, 2009, 9:32
Posts: 329
Location: UNited Kingdom
Sorry one more question
(I want this thread to be the definitive ATA Password thread)

In MHDD with my Maxtor drive Security: high, OFF
is there a way to put it in MAX security mode ?


Post subject: Re: ATA password bypassing
Posted: May 19th, 2009, 15:42

Joined: December 19th, 2006, 8:49
Posts: 11040
Location: Portugal
Quote:
I've also dug out another old drive
Maxtor 6L040L2
that supports ATA passwords


You can try to read the MAXTOR password with HDDRepair 2.0 from here :

http://files.hddguru.com/download/Softw ... pair.v2.0/

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Post subject: Re: ATA password bypassing
Posted: May 19th, 2009, 17:00

Joined: May 16th, 2009, 9:32
Posts: 329
Location: UNited Kingdom
This is what the end of the 42.bin of my WD drive gives

00000390 00 00 00 00 00 00 00 00-57 44 43 57 44 43 57 44 *........WDCWDCWD*
000003A0 43 57 44 43 57 44 43 57-44 43 57 44 43 57 44 43 *CWDCWDCWDCWDCWDC*
000003B0 57 44 43 57 44 43 57 44-A9 4A D6 A8 31 9D 6B 3A *WDCWDCWD.J..1.k:*
000003C0 93 D1 13 9D 15 0F 55 B8-CF 89 D4 96 00 00 00 00 *......U.........*
000003D0 00 00 00 00 00 00 00 00-57 44 43 20 57 44 38 30 *........WDC WD80*
000003E0 45 42 2D 32 38 43 47 48-31 20 20 20 20 20 20 20 *EB-28CGH1       *
000003F0 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20 *                *

(the *'s are from my hex editor)
Shows the default master password
Then 32 bytes of hex (could be the user password, but not in a user enterable form)
Then the details of the WDC WD80EB drive

or have I missed something ?

Since it was locked by an xbox 'bios', I guess the random password it used doesn't have to be ascii ?

Thanks


Post subject: Re: ATA password bypassing
Posted: May 19th, 2009, 17:12

Joined: December 19th, 2006, 8:49
Posts: 11040
Location: Portugal
WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCWD

This is the Master Password for your drive.

In High security mode, you can unlock the disk with either the user or master password, using the "SECURITY UNLOCK DEVICE" ATA command. There is an attempt limit, normally set to 5, after which you must power cycle or hard-reset the disk before you can attempt again.

In Maximum security mode, you cannot unlock the disk! The only way to get the disk back to a usable state is to issue the SECURITY ERASE PREPARE command, immediately followed by SECURITY ERASE UNIT. The SECURITY ERASE UNIT command requires the Master password and will completely erase all data on the disk.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.
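
Added example (not part of the original posts, and not MHDD's code): a Python decoder for the IDENTIFY DEVICE security status word that tools summarise as "Security: MAX, ON", following the bit layout of the ATA Security feature set. The two sample blocks are constructed to mirror the drives in this thread, and the word 92 values in them are assumptions.

```python
import struct

# IDENTIFY DEVICE word 128 (security status) bits, per the ATA Security feature set.
FLAGS = {0: "supported", 1: "enabled", 2: "locked", 3: "frozen",
         4: "count_expired", 5: "enhanced_erase"}
LEVEL_BIT = 8               # 0 = High, 1 = Maximum
DEFAULT_MASTER_ID = 0xFFFE  # word 92 value that drives ship with

def word(identify, n):
    """Return little-endian 16-bit word n of a 512-byte IDENTIFY DEVICE block."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    return struct.unpack_from("<H", identify, 2 * n)[0]

def security_state(identify):
    """Decode word 128 flags, the security level and the word 92 identifier."""
    w128 = word(identify, 128)
    state = {name: bool((w128 >> bit) & 1) for bit, name in FLAGS.items()}
    state["level"] = "maximum" if (w128 >> LEVEL_BIT) & 1 else "high"
    state["master_id"] = word(identify, 92)
    return state

def assess(state):
    """Turn the decoded flags into findings an auditor can act on."""
    if not state["supported"]:
        return ["security feature set not supported"]
    notes = []
    if state["locked"]:
        notes.append("locked: media access is rejected until SECURITY UNLOCK")
        notes.append("maximum: master password can only erase, not unlock"
                     if state["level"] == "maximum"
                     else "high: user or master password unlocks")
    if state["count_expired"]:
        notes.append("attempt counter expired: power cycle before retrying")
    if state["frozen"]:
        notes.append("frozen: security commands rejected until power cycle")
    elif not state["enabled"]:
        notes.append("no password and not frozen: any raw-ATA software can set one")
    if state["master_id"] == DEFAULT_MASTER_ID:
        notes.append("master password identifier is still the shipping value")
    return notes

def make_identify(w128, w92):
    """Build a constructed IDENTIFY block with only words 92 and 128 filled in."""
    buf = bytearray(512)
    struct.pack_into("<H", buf, 2 * 92, w92)
    struct.pack_into("<H", buf, 2 * 128, w128)
    return bytes(buf)

# Constructed samples mirroring the two drives in the thread (not real captures);
# the 0xFFFE identifier in word 92 is an assumption.
WD_LOCKED_MAX = make_identify(0x0107, 0xFFFE)    # supported, enabled, locked, Maximum
MAXTOR_HIGH_OFF = make_identify(0x0001, 0xFFFE)  # supported, no password, High

if __name__ == "__main__":
    for name, blk in (("WD", WD_LOCKED_MAX), ("Maxtor", MAXTOR_HIGH_OFF)):
        print(name, security_state(blk), assess(security_state(blk)), sep="\n  ")
```

A drive reporting a default master identifier together with High level is the combination where a known factory master password is enough to unlock it.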


Post subject: Re: ATA password bypassing
Posted: May 19th, 2009, 17:17

Joined: December 19th, 2006, 8:49
Posts: 11040
Location: Portugal
Quote:
Note - I don't need the data or the drive really, this is just for testing whether it was possible


If you don't want the data on the drive you can use the master password on MHDD to secure erase the disk. All data will be erased but you can use the drive again ;)
Just open your MHDD and secure erase the disk, supply the master password and don't close MHDD. When the Busy light disappears you will know that the process is finished and the password should be disabled too.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Post subject: Re: ATA password bypassing
Posted: May 19th, 2009, 17:28

Joined: December 19th, 2006, 8:49
Posts: 11040
Location: Portugal
By the way, this Vendor Specific Command should bypass the security settings of the drive.

$57 $44 $43 $00 $00 $a0 $8a

So after you run the script that I gave to you on MHDD you should be able to scan the drive as if it was an unlocked drive. If you manage to do so you can copy the data out. If you don't re-power the drive the drive should still be working under the Techno Key and should be "unlocked".
If data is important and if you want to play around a little bit with it we can try to read other modules with a variation of the $00 $02 $00 $00 $0F $E0 $21 command. If the USER password is stored somewhere on one of the firmware modules we might be able to find it ;)
I will get an old WD drive and try to lock it with a known password, download all modules and check if the password is stored there somewhere and if so, where.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Post subject: Re: ATA password bypassing
Posted: May 19th, 2009, 17:41

Joined: August 12th, 2008, 13:11
Posts: 3241
Location: USA
xsoliman wrote:
This is what the end of the 42.bin of my WD drive gives

or have I missed something ?


Try writing your own password to it and seeing what changes.

_________________
You don't have to backup all of your files, just the ones you want to keep.


Post subject: Re: ATA password bypassing
Posted: May 19th, 2009, 17:48

Joined: December 19th, 2006, 8:49
Posts: 11040
Location: Portugal
Maybe the password is encoded there :)
I will have to test it too ... if only I had more time ....
I'm preparing a full review of my experiments with Seagate to post here, when I finish I will start to do some experiments with WD ...
If data is important try to use the script that I've sent you and you should have access to the data until you re-power the drive (re-initialize). Then you can use the secure erase function on MHDD and supply the Master Password that you now have and know for sure to be valid for your drive WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCWD and you should have a functional drive when the command completes. You can try to dispassword the drive with master password and MHDD will tell you that you will delete all your data if you continue.
Either way you will end up with a working drive in the end that you can use to play with ;)

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Post subject: Re: ATA password bypassing
Posted: May 19th, 2009, 17:56

Joined: December 19th, 2006, 8:49
Posts: 11040
Location: Portugal
Quote:
Then 32 bytes of hex (could be the user password, but not in a user enterable form)
Since it was locked by an xbox 'bios', I guess the random password it used doesn't have to be ascii ?


I think you are correct. The password can be in HEX instead of ascii. Either that or encoded. Most likely it's because your XBox locked it with HEX password.
I'm just guessing because I still didn't have the time to "play" with the passwords on those drives yet.
I'm working on Seagate at the moment and I will only start to study another manufacturer when I have time.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Post subject: Re: ATA password bypassing
Posted: May 19th, 2009, 18:48

Joined: May 16th, 2009, 9:32
Posts: 329
Location: UNited Kingdom
Thanks for all the really useful info

I assume the '42' is a reference to some particular SA block
although there's no $2a in the command sequence

If I modified the 42.bin file, is there a command sequence to write it back to the same place on the disk?
I'm sure there is, but not sure if you would be willing to share it ?

Hopefully this block isn't checksummed

Similarly I'd really like to know what the cmd codes do
e.g. which is the rd cmd and which specifies the SA block or -ve track etc
(and the info isn't too valuable as these 5GB drives are ancient, unless it works on all WD drives ...)
In fact you've already said that
$00 $02 $00 $00 $0F $E0 $21
is the bit that specifies the block to read

And good luck with your Seagate work.


Post subject: Re: ATA password bypassing
Posted: May 19th, 2009, 19:06

Joined: December 19th, 2006, 8:49
Posts: 11040
Location: Portugal
This is the wdc_super_on= 0000 57 44 43 00 00 a0 8a
First you issue this command to be able to access the firmware, etc ... It will place your drive under a special vendor mode.
That command is the equivalent to $57 $44 $43 $00 $00 $a0 $8a
It's an ATA command, a specific one.

0000 00 02 00 00 0F e0 21

Will read module 42 - Configuration Module on the SA of the drive.

The commands will work on *Many* WD drives, all WDC based. For Marvell you will need another set of commands.

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Post subject: Re: ATA password bypassing
Posted: May 19th, 2009, 19:08

Joined: December 19th, 2006, 8:49
Posts: 11040
Location: Portugal
You can use this tool to check all modules on your WD drive :

http://nazyura.newmail.ru/Chk_wd.zip

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Post subject: Re: ATA password bypassing
Posted: May 20th, 2009, 15:13

Joined: May 16th, 2009, 9:32
Posts: 329
Location: UNited Kingdom
Thanks yet again

After the wdc_super_on ($57 $44 $43 $00 $00 $a0 $8a)
I can then successfully read some sectors, but not all

Doing an F4 scan I get the following
(where M is a grey block of varying intensity, i.e. a 255 sector block read ok)

MAMxMxMAMx
----> further on
same
further on
similar
further on - all reads ok (from about 24% into the 5GB drive)

is this expected ?
I haven't actually looked at the raw data in the readable blocks yet


Also my WD80EB has started staying BUSY for long periods after a 'spark' when plugging in to a live system
(thought I'd totally fried it at first)

In fact it's stopped responding now and F4 gives me clicking .... as does power cycling it.
Looks like I'll have to get another disk for experiments


This is the most hacking fun I've had for many a month :-)


Post subject: Re: ATA password bypassing
Posted: May 20th, 2009, 16:29

Joined: December 19th, 2006, 8:49
Posts: 11040
Location: Portugal
If the block that you think contains the USER password in HEX form does indeed contain the USER password you can edit the module, replacing the password and write it back to the drive if you manage to figure out the specific vendor command to write it back.



Quote:
In fact it's stopped responding now and F4 gives me clicking .... as does power cycling it.
Looks like I'll have to get another disk for experiments


Maybe the drive is bad or maybe scanning it with Super On enabled wasn't a good idea to start with ;)

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Post subject: Re: ATA password bypassing
Posted: June 11th, 2009, 23:09

Joined: June 9th, 2009, 15:38
Posts: 5
Location: new york
Spildit,
Hey, I've been searching to unlock a Maxtor.
The ATA password tool shows this:
maxtor 6y230p0

rev yar41bw0

ata password tool v1.1
shows plus signs under
S, E, L, F, X, V
+ + + - - h

I wanted to know if it's possible for me to unlock the drive? Thanks, and sorry to bother you, but you wrote in a few topics to PM you to unlock a specific drive. If you could help me out, let me know.


Post subject: Re: ATA password bypassing
Posted: July 13th, 2009, 16:46

Joined: December 19th, 2006, 8:49
Posts: 11040
Location: Portugal
@ateam201

You can try to read the MAXTOR password with HDDRepair 2.0

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.

