andlabs / reallymine

WD MyBook encrypted hard drive decryption (still WIP).
https://github.com/andlabs/reallymine/issues/38
GNU General Public License v3.0

Mac key sector not found #106

Open syakuronabdan opened 4 years ago

syakuronabdan commented 4 years ago

Is there any step-by-step guide on how to properly use this?

I have a WD My Book 1 TB, no password. I shucked it because the power died.

Mac recognized the drive, but can't read the data.

The chip is JMicron JMS358S on the dead PCB...

When I run `reallymine decrypt /dev/disk4 a.img`

error key sector not found

From `sudo dd if=/dev/disk4 bs=512 skip=1953519648 count=1 of=kb.bin`, I got this:


But I don't know what to do next with it...

Help is very much appreciated, thank you

themaddoctor commented 4 years ago

Please edit your comment with triple ` so that the hexdump is formatted nicely.

themaddoctor commented 4 years ago

Never mind. Here is your disk key (DEK): b88b4df174a01dbcbfc57e3260f4e6e26e68807946c06bc5f9878a53b5ef8d1d

syakuronabdan commented 4 years ago

Thanks for the super quick reply. Pardon my ignorance...

But, what do I do next with the DEK?

Should I run `decryptfile infile outfile dek decrypt-steps` (what's the decrypt-steps)?

I have scoured the issues, and couldn't find the next step.

themaddoctor commented 4 years ago

I don't know how to use ReallyMine, but judging by your use of "sudo dd if=....", it looks like you have a copy of my guide for decrypting in Linux. Follow its instructions, but for Mac use filesystem hfsplus instead of ntfs-3g.