andlabs / reallymine

WD MyBook encrypted hard drive decryption (still WIP).
https://github.com/andlabs/reallymine/issues/38
GNU General Public License v3.0

Decrypt without WD password? #143

Open mkarer opened 1 year ago

mkarer commented 1 year ago

My friend's father seems to have set a password on his WD Live Essentials 1TB disk (he isn't sure, but I guess there's a password set if reallymine asks for it?).

I removed the USB case and connected it directly using SATA, because it gave read errors otherwise. Is there a way to tell if there's really a password set or if the USB case has an issue?

It's a WD10EARS (MF: 29 NOV 2009); the controller is an INIC-1607B.

Keysector:


Thank you very much.

mkarer commented 1 year ago

I tried the steps listed in themaddoctor's PDF using the default KEK; `sudo file -sL /dev/mapper/wd` returns `/dev/mapper/wd: data`. I guess there's really a password set using the WD software?

themaddoctor commented 1 year ago

If you have a list of possible passwords, you could try them each until you can decrypt the DEK. Or you might try contacting the authors of this paper: https://eprint.iacr.org/2015/1002.pdf

MrDecay commented 1 year ago

From my understanding there is. I know mad doctor has more info, but I believe when the user password is set, that adds another layer. It has been a while since I looked into this.


mkarer commented 1 year ago

If you have a list of possible passwords, you could try them each until you can decrypt the DEK. Or you might try contacting the authors of this paper: https://eprint.iacr.org/2015/1002.pdf

Thanks, interesting read; it sounds like it is quite easy to bypass the protection if you have the right skills (which I don't).

I'll ask him for a list of possible passwords and how important the data on the disk is for him.

mkarer commented 1 year ago

I just called him and tried his passwords without success. He also told me that the disk only started asking for a password on his new computer and it was working fine when he used it on his old computer (which got replaced).

I assume he might have set a password many years ago and checked "remember password" on the old computer, or the firmware of his drive might be affected by this bug reported here: https://superuser.com/a/1615217 (sadly I can't find anything else related to that bug).

mkarer commented 1 year ago

Short update: He brought me his old non-working notebook that recognized the disk before, so I cloned the Windows disk, applied the oldest restoration point I could find, and it still asks for the password.

@themaddoctor Sorry for bothering you with this, I just talked to my friend (his daughter) and the data on the disk is important for him. Do you still help out directly occasionally? I can ask him to register here and provide proof of ownership and whatever is needed to not break any laws.

themaddoctor commented 1 year ago

The only thing I could do is try a list of passwords. Ask your friend for all of the passwords that he could ever have used.

If the problem is the bug you mentioned, then the key is lost forever.

mkarer commented 1 year ago

The only thing I could do is try a list of passwords. Ask your friend for all of the passwords that he could ever have used.

Do you have different tools to test the passwords, or is it the same if I just test them using reallymine (that's what I tried before, but none of the passwords he told me worked)?

themaddoctor commented 1 year ago

I can automate it and try some variations, but essentially it's the same.