andlabs / reallymine

WD MyBook encrypted hard drive decryption (still WIP).
https://github.com/andlabs/reallymine/issues/38
GNU General Public License v3.0

Progress indicator #16

Open tinyapps opened 7 years ago

tinyapps commented 7 years ago

Hi Pietro,

Thanks so much for crafting and sharing reallymine - phenomenal piece of work!

I sadly found it shortly after ordering a replacement USB PCB for an older 2TB MyBook. The replacement PCB worked out, but I wanted to test reallymine on an image made from the bare SATA drive. It is working wonderfully, decrypting the image file (disk.img) and dumping the result to another connected (but unmounted, of course) SATA drive (dev/sdc):

# reallymine getdek disk.img
bridge type Initio
DEK: 6ACCE335BEA69952917C1CC969C4EC4ABA7BF52D9038F52752AB07CA1835FDD1
decryption steps: swaplongs decrypt swaplongs

# reallymine decryptfile disk.img /dev/sdc
6ACCE335BEA69952917C1CC969C4EC4ABA7BF52D9038F52752AB07CA1835FDD1 "swaplongs decrypt swaplongs"

reallymine has been running for about a day and a half. I've done some cursory data recovery from /dev/sdc via photorec (which confirmed the process was working successfully), and have been monitoring reallymine via iotop and strace to make sure it is still working:

# iotop
...
  TID  PRIO  USER     DISK READ  DISK WRITE  SWAPIN     IO>    COMMAND                                    
 5573 be/4 root       16.54 M/s    8.30 M/s  0.00 % 19.85 % reallymine~longs decrypt swaplongs
...
# strace -y -x -p 5573
write(4</dev/sdc>, "hex data appears here", 16) = 16
write(4</dev/sdc>, "hex data appears here", 16) = 16
...

A progress indicator might come in handy, especially when restoring to devices instead of image files (which can easily be monitored for size to keep tabs on progress).

Thanks again - hopefully others will find your amazing tool before purchasing and waiting for replacement USB bridges (assuming they are even in stock/in working condition/etc).

Aloha,

Miles
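An added example of how the progress indicator requested above could be put in front of the device writer (this is not reallymine's code): a counting `io.Writer` that reports every 1% against the source size, since a block device such as /dev/sdc cannot be watched for growth. The program name, the 1% step and the `must` helper are assumptions of this example.

```go
package main

import (
	"fmt"
	"io"
	"os"
)

// progressWriter counts bytes handed to the real destination (e.g. /dev/sdc); a block device never grows, so the total must come from the source file.
type progressWriter struct {
	dst                          io.Writer
	total, written, lastReported int64
	report                       func(written, total int64)
}

func (p *progressWriter) Write(b []byte) (int, error) {
	n, err := p.dst.Write(b)
	p.written += int64(n)
	if p.written-p.lastReported >= p.total/100 || p.written >= p.total { // every 1%, and once at the end
		p.lastReported = p.written
		p.report(p.written, p.total)
	}
	return n, err
}

// copyWithProgress streams src into dst and returns the number of bytes written.
func copyWithProgress(dst io.Writer, src io.Reader, total int64, report func(w, t int64)) (int64, error) {
	return io.Copy(&progressWriter{dst: dst, total: total, report: report}, src)
}

func must[T any](v T, err error) T {
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	return v
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: progresscopy IMAGE DEVICE")
		os.Exit(2)
	}
	src, dst := must(os.Open(os.Args[1])), must(os.OpenFile(os.Args[2], os.O_WRONLY, 0))
	total := must(src.Stat()).Size() // Size() is only meaningful for a regular file like disk.img
	must(copyWithProgress(dst, src, total, func(w, t int64) {
		fmt.Fprintf(os.Stderr, "\r%d/%d bytes (%.1f%%)", w, t, 100*float64(w)/float64(t))
	}))
	must(0, dst.Sync()) // flush to the device before reporting success
}
```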

Bhlowe commented 6 years ago

I am in the same boat-- nothing appears to be happening.

How long should reallymine getdek /dev/sdc take?
I have a My Passport 2TB for Mac. Plugging it in to Ubuntu adds /dev: sdc, sdc1, sdc2, sdc3. I did a chmod +r /dev/sdc* so I could run without root. But over an hour, no output. Ran decrypt and no bytes were added to the 0 byte .img file after an hour.

themaddoctor commented 6 years ago

Doesn't work unless you bypass the encryption chip on Passport drives. The fact that your Ubuntu machine recognizes the partition table tells me that it should also be able to read the data. Do this to be sure:

sudo file -s /dev/sdc*

andlabs commented 6 years ago

reallymine is really only intended if your bridge chip doesn't work. If you can still get to your data, traditional backup tools will suffice.

Bhlowe commented 6 years ago

I didn't see that about the bridge chip not working. This is a case of a lost password, which is required to mount it on the Mac. Although the data partition is also unmountable from Ubuntu.

sudo file -s /dev/sdc*
/dev/sdc: DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 1, 3906963455 sectors, extended partition table (last)
/dev/sdc1: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "BSD 4.4", sectors/track 32, heads 16, sectors 409600 (volumes > 32 MB), FAT (32 bit), sectors/FAT 3151, serial number 0x3861bf7, label: "EFI "
/dev/sdc2: data
/dev/sdc3: Macintosh HFS Extended version 4 data last mounted by: 'HFSJ', created: Fri Apr 8 10:51:18 2011, last modified: Tue Apr 5 21:05:05 2016, last checked: Fri Apr 8 16:51:18 2011, block size: 4096, number of blocks: 32768, free blocks: 21957

sudo mount /dev/sdc2 /data/mypassport/c2
mount: /data/mypassport/d2: wrong fs type, bad option, bad superblock on /dev/sdc2, missing codepage or helper program, or other error.

Still would be nice to know what it is "doing" when the commands are run. Thanks for the open source.

themaddoctor commented 6 years ago

Can you do "cat /proc/partitions" so I can see how big /dev/sdc2 is, and whether the keyblock is hidden from you?

Bhlowe commented 6 years ago

It's a 2TB "WD My Passport for Mac" WD20NMVW drive with a May 19 2014 date.

   8       32 1953481728 sdc
   8       33     204800 sdc1
   8       34 1953145816 sdc2
   8       35     131072 sdc3

GParted says sdc2: Unable to detect file system! Possible reasons: file system damaged, file system is unknown, unformatted, device entry /dev/sdc2 is missing.

I have two of these drives -- the other mounts the partitions and shows the same info. I am attempting to recover for a friend who lost her husband and didn't know the passwords. So I assumed one drive was encrypted using the WD and the other was not encrypted.

themaddoctor commented 6 years ago

I'm just curious. Can you do "sudo hexdump -C /dev/sdc2 -n 1024" ?

Bhlowe commented 6 years ago

sudo hexdump -C /dev/sdc2 -n 1024
00000000  f1 a6 c3 3e ff ff ff ff  01 00 10 00 01 14 05 02  |...>............|
00000010  01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 02 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 60 8f aa d1 01 00 00  00 00 00 00 00 00 00 00  |.`..............|
00000050  00 00 00 00 00 00 00 00  43 53 01 00 00 00 04 00  |........CS......|
00000060  00 10 00 00 00 00 40 00  f5 98 1a 1d 00 00 00 00  |......@.........|
00000070  f5 9c 1a 1d 00 00 00 00  f5 a0 1a 1d 00 00 00 00  |................|
00000080  f5 a4 1a 1d 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000a0  00 00 00 00 00 00 00 00  10 00 00 00 02 00 00 00  |................|
000000b0  de 25 4c fb b3 91 86 62  d8 18 de 83 a4 81 23 b1  |.%L....b......#.|
000000c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000130  5d 3f c7 e9 36 67 44 3e  b4 2f 07 92 4e 2f 1c d6  |]?..6gD>./..N/..|
00000140  dd 7d c2 f1 d4 b0 4f de  80 96 bf 3a 17 a5 cb cb  |.}....O....:....|
00000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

Happy to help. Thank you for taking the time.

themaddoctor commented 6 years ago

That's not encrypted.
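The reasoning behind that diagnosis, as an added Go example that is not part of this thread or of reallymine: a zero-padded header like the dump above has very low byte entropy, whereas a sector read from a volume whose data really is encrypted looks uniformly random. Both sample inputs are constructed here (the "ciphertext" is AES-256-CTR over zeros under an all-zero demo key), and the thresholds in looksEncrypted are this example's assumptions, a heuristic rather than proof.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math"
)

// entropyStats: Shannon entropy in bits per byte (8.0 max) and the fraction of zero bytes.
type entropyStats struct{ Entropy, ZeroFrac float64 }

// analyze computes the statistics for one chunk; an empty chunk yields zeros.
func analyze(b []byte) entropyStats {
	if len(b) == 0 {
		return entropyStats{}
	}
	var hist [256]int
	for _, c := range b {
		hist[c]++
	}
	n, h := float64(len(b)), 0.0
	for _, cnt := range hist {
		if cnt > 0 {
			p := float64(cnt) / n
			h -= p * math.Log2(p)
		}
	}
	return entropyStats{Entropy: h, ZeroFrac: float64(hist[0]) / n}
}

// looksEncrypted is a heuristic (thresholds assumed): ciphertext sits near 8 bits/byte with no preferred value; a plaintext header is mostly zero padding.
func looksEncrypted(s entropyStats) bool {
	return s.Entropy > 7.0 && s.ZeroFrac < 0.02
}

// constructedCiphertext is AES-256-CTR over zeros under an all-zero demo key (never a real DEK), standing in for a sector read from a volume that really is encrypted.
func constructedCiphertext(n int) []byte {
	blk, _ := aes.NewCipher(make([]byte, 32))
	out := make([]byte, n)
	cipher.NewCTR(blk, make([]byte, aes.BlockSize)).XORKeyStream(out, out)
	return out
}

func main() {
	header := append([]byte{0xf1, 0xa6, 0xc3, 0x3e, 0xff, 0xff, 0xff, 0xff}, make([]byte, 1016)...) // constructed: magic bytes then zero padding
	for name, b := range map[string][]byte{"header": header, "ciphertext": constructedCiphertext(4096)} {
		s := analyze(b)
		fmt.Printf("%-10s entropy=%.2f zeros=%.3f encrypted=%v\n", name, s.Entropy, s.ZeroFrac, looksEncrypted(s))
	}
}
```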