andlabs / reallymine

WD MyBook encrypted hard drive decryption (still WIP).
https://github.com/andlabs/reallymine/issues/38
GNU General Public License v3.0

3TB Western Digital #42

Open thomas-burrdett opened 7 years ago

thomas-burrdett commented 7 years ago

@themaddoctor , I didn't see a repository or anything for the PDF you created, so I'm creating my issue here.

I'm following your guide on a 3TB JMicron.

Everything is working up to the point of

cat dek.hex | xxd -p -r | sudo cryptsetup -d - --hash=plain \
--key-size=256 -c aes-ecb create wd-layer2 /dev/mapper/wd-layer1

Cannot read requested amount of data.

I'm not sure if this has anything to do with it, but the drive has two partitions. I didn't think so as this command doesn't seem to point to anything about disk/partition size, but mentioned just in case.

Any ideas?

themaddoctor commented 7 years ago

I think that error indicates that dek.hex is too short. Do "cat dek.hex" and see what's in it.

thomas-burrdett commented 7 years ago

@themaddoctor , you were right. I didn't realize after one of the commands that in the "cat dek.hex | xxd -p -r" step it threw an error for not having permissions on the file. The previous command wrote the file with no write permissions, so I just needed to chmod.

All other steps have successfully worked. Now I've run into one or two more issues, depending on the answer to the first.

I think I might be having the same issue as #41 . The last step in your PDF now reports data instead of the decrypted text, but I believe the partitions themselves were unaffected and decrypted, but I don't have any way of accessing them? I saw your suggestion in https://github.com/andlabs/reallymine/issues/41#issuecomment-305778730 but don't know how to apply it to my situation.

Thanks for your help!

themaddoctor commented 7 years ago

You said that you had two partitions. That means you must have repartitioned after you bought the disk. If Windows overwrote your MBR it destroys DOS partition tables. If you had a GPT table, it might still be in sectors 2-2047. You might try these things:

  1. BEFORE YOU DO ANYTHING, BACK UP SECTORS 0-2048, like this:

sudo dd if=/dev/mapper/wd of=backup-0-2048.bin count=2049

  1. Run testdisk on /dev/mapper/wd and hope it can rescue your old partition table.

  2. Create a DOS partition table in /dev/mapper/wd that has one partition of type 0xEE and that starts in sector 1 and ends at the end of the disk. You see, GPT tables are inside of a DOS table's partition. For example, I have a disk with this DOS table:

Disklabel type: dos
Disk identifier: 0x100f59dc

Device     Boot Start        End     Blocks Id System
test.img1       1     1953525167 976762583+ ee GPT

but really it has a GPT table starting in sector 1:

Disklabel type: gpt
Disk identifier: 79C83B4D-DAB7-498C-8535-93F2FD2AA096

Device         Start        End  Size  Type
/dev/sda1       2048       4095    1M  BIOS boot partition
/dev/sda2       4096     135167   64M  Microsoft basic data
/dev/sda3     135168     266239   64M  Microsoft basic data
/dev/sda4     266240     397311   64M  Microsoft basic data
/dev/sda5     397312     528383   64M  Microsoft basic data
/dev/sda6     528384   17305600    8G  Microsoft basic data
/dev/sda7   17307648   59250687   20G  Microsoft basic data
/dev/sda8   59250688  101193727   20G  Microsoft basic data
/dev/sda9  101193728  143136767   20G  Microsoft basic data
/dev/sda10 143136768  227022847   40G  Microsoft basic data
/dev/sda12 227022848  268965887   20G  Microsoft basic data


Only try this if 1 fails.

3. You could dump sectors 0-2047 and post them here. Only do that if 1 & 2 fail.

thomas-burrdett commented 7 years ago

testdisk yielded the following on /dev/mapper/wd:

Unknown                 42986690 217409658561 217366671872 [M-rjPM-<]
Unknown                 75813058 217442484929 217366671872 [M-rjPM-<]

It's only about 10% of the way through the drive so far, but I presume these are my two partitions?

I don't know if this counts as a failure so I didn't do the 2nd item, and I unfortunately don't know how to dump sectors like you referred to in the 3rd item. Sorry.

themaddoctor commented 7 years ago

If those are start, end, and size numbers, then I would take that as a failure.

Dump the first 2049 sectors like this:

sudo dd if=/dev/mapper/wd of=backup-0-2048.bin count=2049

Most of that will be zeroes or junk, but show it to us:

hexdump -C backup-0-2048.bin

themaddoctor commented 7 years ago

What do you get if you do this?

gdisk -l /dev/mapper/wd

thomas-burrdett commented 7 years ago

What do you get if you do this?

gdisk -l /dev/mapper/wd0
GPT fdisk (gdisk) version 1.0.1

Partition table scan:
  MBR: not present
  BSD: not present
  APM: not present
  GPT: not present

Creating new GPT entries.
Disk /dev/mapper/wd0: 5860533168 sectors, 2.7 TiB
Logical sector size: 512 bytes
Disk identifier (GUID): D15AC583-4555-4439-B3CA-93A8E1C0AA62
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 5860533134
Partitions will be aligned on 2048-sector boundaries
Total free space is 5860533101 sectors (2.7 TiB)

Number  Start (sector)    End (sector)  Size       Code  Name

hexdump -C backup-0-2048.bin
00000000  d0 9b c3 88 1b fa 4e a7  87 97 d9 95 75 3a c3 1a  |......N.....u:..|
00000010  1c 11 fe 5f 7a 51 e9 37  09 2a 15 60 88 23 14 88  |..._zQ.7.*.`.#..|
00000020  36 a8 6a de ab 3a f1 c9  7b a2 f7 b0 85 75 5c 1b  |6.j..:..{....u\.|
00000030  55 02 19 61 f6 49 e0 a5  33 20 be 8d 31 be f3 f9  |U..a.I..3 ..1...|
00000040  f4 73 e5 2c c7 e2 b3 f7  8c 6d 12 e0 ca 6f 0d 4a  |.s.,.....m...o.J|
00000050  25 f2 6c 85 72 0e 3d 0a  61 69 54 d1 7b 17 97 9b  |%.l.r.=.aiT.{...|
00000060  fa 71 9d cd 9f d1 d3 54  85 a6 94 a9 58 41 b2 7a  |.q.....T....XA.z|
00000070  ae 03 42 fb f6 41 37 ea  8d 30 2a d6 2e 99 be 96  |..B..A7..0*.....|
00000080  25 4d aa 63 c5 e5 09 6e  1e a7 8d fe 6a 86 36 6b  |%M.c...n....j.6k|
00000090  4a 00 be 92 0d f7 d8 f8  e8 f8 63 e5 06 f3 4b b3  |J.........c...K.|
000000a0  2d 94 c6 73 98 c5 a9 a4  90 c5 eb c5 01 fa 76 ff  |-..s..........v.|
000000b0  57 9a 67 ed 22 6f 2c 9b  1d eb f8 9e 73 af 21 f4  |W.g."o,.....s.!.|
000000c0  da f9 5d e4 86 47 4c 06  28 85 f2 8b c1 00 92 70  |..]..GL.(......p|
000000d0  e8 db da 61 bf 15 47 b8  b1 bd 38 7a 71 0a 76 66  |...a..G...8zq.vf|
000000e0  74 5e cc 56 85 41 09 9d  2d cf 5c c8 64 c8 d5 d3  |t^.V.A..-.\.d...|
000000f0  21 b6 15 d6 1a 28 62 91  9d d9 3b 3e e3 87 07 5b  |!....(b...;>...[|
00000100  b1 05 5d 05 b8 0c 55 60  e5 e3 a0 96 6c 39 6a dc  |..]...U`....l9j.|
00000110  3b 25 d1 7c 36 bf cf d1  b6 d8 8b 3d 0c 6f c0 31  |;%.|6......=.o.1|
00000120  6e 2f 07 f4 65 10 69 48  6d a7 76 92 26 89 52 75  |n/..e.iHm.v.&.Ru|
00000130  33 19 2a fe 8a 62 11 32  ef ac 32 c3 3e a6 3d a2  |3.*..b.2..2.>.=.|
00000140  f0 17 b1 aa cd 37 d6 69  24 35 2d ac e2 b2 fb be  |.....7.i$5-.....|
00000150  ac 62 48 18 38 6b 59 34  4f 0a 47 a7 bf 70 91 ad  |.bH.8kY4O.G..p..|
00000160  3c a7 70 ae d1 2e 66 06  cc 86 f9 4d d2 89 61 fe  |<.p...f....M..a.|
00000170  24 ce 39 77 b6 d0 ca 4d  e5 bf 3e 58 c0 b3 dc a5  |$.9w...M..>X....|
00000180  ae 32 36 9d a8 32 0e 1d  b9 5c f8 ee 81 ae 49 c6  |.26..2...\....I.|
00000190  3a 07 37 7e 8d ed d4 36  61 a5 de 1a b7 67 2e 3c  |:.7~...6a....g.<|
000001a0  4d ba de bd 96 82 8f 77  54 2f d1 a6 31 24 a1 5b  |M......wT/..1$.[|
000001b0  6e 71 34 1d 5f 6a 8e 86  63 ae a0 f5 d0 0a 0f 0e  |nq4._j..c.......|
000001c0  8b ad ef dc 3f 8f fe 46  28 1b 05 f3 af e6 4f 7e  |....?..F(.....O~|
000001d0  fc be ba dd 13 53 99 3e  d5 a6 91 36 20 06 5a 24  |.....S.>...6 .Z$|
000001e0  9f a1 0e 3a f3 6b 32 6b  05 2f 82 ea 67 75 93 9f  |...:.k2k./..gu..|
000001f0  22 6e d4 31 ca af 0d 5b  69 9a b7 65 44 d8 89 f3  |"n.1...[i..eD...|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00001000  e5 e5 e5 e5 e5 e5 e5 e5  e5 e5 e5 e5 e5 e5 e5 e5  |................|
*
00100000  2d a4 ce 4d 18 50 5c de  97 d8 63 5d b5 17 d6 b6  |-..M.P\...c]....|
00100010  b0 db 58 67 55 92 2f 82  0d 91 18 56 4f 76 a8 47  |..XgU./....VOv.G|
00100020  cd 5f e8 9a 6c ae 1d 6d  4b 34 eb 40 e9 6a 78 d2  |._..l..mK4.@.jx.|
00100030  13 5b d4 d6 41 a4 9e 53  d1 33 00 23 35 4d 19 8d  |.[..A..S.3.#5M..|
00100040  20 ed d5 9a e7 d0 55 45  1c 6e 02 79 9b b3 14 92  | .....UE.n.y....|
00100050  07 a3 f6 e8 b9 9d fd 6c  f9 e2 b3 97 0e 84 36 71  |.......l......6q|
00100060  1f 7b f1 58 b3 35 af 8c  0d 8f c7 16 9a b7 7b 2a  |.{.X.5........{*|
00100070  fb fb ee 9c dc 91 c8 15  d5 64 8c d3 2d 78 54 e3  |.........d..-xT.|
00100080  5c 2e 30 ee 83 94 d9 1e  84 50 29 21 76 31 c0 40  |\.0......P)!v1.@|
00100090  58 83 f3 bb e3 b4 f7 6a  29 32 04 5c 76 c6 61 ae  |X......j)2.\v.a.|
001000a0  59 d3 4f 10 60 eb aa d4  6e 7f 9e 43 66 4e 20 75  |Y.O.`...n..CfN u|
001000b0  ce 2d 7a f4 ee 2c 66 01  c4 32 5e 51 b3 f4 3e 88  |.-z..,f..2^Q..>.|
001000c0  23 00 98 9a 0f 29 74 8b  c3 46 0e f5 b8 0f b2 96  |#....)t..F......|
001000d0  fc b2 05 48 2a 12 e1 50  bf 5c cd 4d bb f0 f0 9f  |...H*..P.\.M....|
001000e0  ff 7c c1 e3 8a 6f 2d 7b  b2 05 5c 32 3f b4 a3 bd  |.|...o-{..\2?...|
001000f0  98 91 0f f7 48 c3 dd be  6e 76 f3 bf 84 52 55 f6  |....H...nv...RU.|
00100100  9e 1c 71 f8 e0 be 9c c8  ec 15 79 1c 83 03 58 4b  |..q.......y...XK|
00100110  d1 a2 bf eb d1 b6 83 a6  a6 47 f6 b2 f4 ee c4 26  |.........G.....&|
00100120  d5 51 5c f5 29 49 b4 04  43 5a 99 a5 ac 03 b4 b6  |.Q\.)I..CZ......|
00100130  af f2 a7 85 8f 5b 23 04  60 e1 10 b1 30 7e 0f b9  |.....[#.`...0~..|
00100140  48 2a 6f 29 56 02 7e 99  43 b3 9e f2 a1 18 da 79  |H*o)V.~.C......y|
00100150  f6 f5 59 86 be 71 95 d1  b9 00 6e 22 61 59 44 ec  |..Y..q....n"aYD.|
00100160  b4 16 fc 05 6d 09 64 d6  c2 d4 98 e2 20 16 95 59  |....m.d..... ..Y|
00100170  9a 86 40 03 6d 7a 08 d1  22 06 9f 5e 1f e3 2e ef  |..@.mz.."..^....|
00100180  89 52 46 74 bd 9e 54 ad  6d 99 8e 1c 7e 36 24 b8  |.RFt..T.m...~6$.|
00100190  c3 42 89 a9 47 e1 55 22  f9 06 7f 79 a7 9b 76 e5  |.B..G.U"...y..v.|
001001a0  94 c4 0a 6a 59 57 b5 31  90 76 32 f1 c9 57 cb e5  |...jYW.1.v2..W..|
001001b0  ab cc fc 35 00 b2 51 18  d9 31 c4 6d 9d 1b 06 9a  |...5..Q..1.m....|
001001c0  40 6c 75 5a f6 06 e5 cf  0b 01 5e 0f 8c c3 e4 ab  |@luZ......^.....|
001001d0  ca 71 43 73 18 1a ba e2  cc 92 ca e6 9d a6 4d 8a  |.qCs..........M.|
001001e0  7a 76 ea 3d 01 4c f3 78  8c 8e 84 b8 a3 94 0f 8c  |zv.=.L.x........|
001001f0  03 fd 4c 27 81 b8 63 4f  04 71 e8 e2 55 70 4c d5  |..L'..cO.q..UpL.|
00100200

themaddoctor commented 7 years ago

I'm sorry, but what is wd0? Is that a typo?

The first sector is unrecognizable. But you expect that, because the drive was repartitioned without its USB-SATA bridge, right?

But sector 2048, which is usually the start of the first partition, is also unrecognizable.

Can you dump the same sectors for /dev/sdX (replace "sdX" with the right thing)?

thomas-burrdett commented 7 years ago

wd0 is what I used instead of wd. Just seemed weird to have a partition without a number.

Below are the same sectors for /dev/sdX:

00000000  33 c0 8e d0 bc 00 7c 8e  c0 8e d8 be 00 7c bf 00  |3.....|......|..|
00000010  06 b9 00 02 fc f3 a4 50  68 1c 06 cb fb b9 04 00  |.......Ph.......|
00000020  bd be 07 80 7e 00 00 7c  0b 0f 85 10 01 83 c5 10  |....~..|........|
00000030  e2 f1 cd 18 88 56 00 55  c6 46 11 05 c6 46 10 00  |.....V.U.F...F..|
00000040  b4 41 bb aa 55 cd 13 5d  72 0f 81 fb 55 aa 75 09  |.A..U..]r...U.u.|
00000050  f7 c1 01 00 74 03 fe 46  10 66 60 80 7e 10 00 74  |....t..F.f`.~..t|
00000060  26 66 68 00 00 00 00 66  ff 76 08 68 00 00 68 00  |&fh....f.v.h..h.|
00000070  7c 68 01 00 68 10 00 b4  42 8a 56 00 8b f4 cd 13  ||h..h...B.V.....|
00000080  9f 83 c4 10 9e eb 14 b8  01 02 bb 00 7c 8a 56 00  |............|.V.|
00000090  8a 76 01 8a 4e 02 8a 6e  03 cd 13 66 61 73 1e fe  |.v..N..n...fas..|
000000a0  4e 11 0f 85 0c 00 80 7e  00 80 0f 84 8a 00 b2 80  |N......~........|
000000b0  eb 82 55 32 e4 8a 56 00  cd 13 5d eb 9c 81 3e fe  |..U2..V...]...>.|
000000c0  7d 55 aa 75 6e ff 76 00  e8 8a 00 0f 85 15 00 b0  |}U.un.v.........|
000000d0  d1 e6 64 e8 7f 00 b0 df  e6 60 e8 78 00 b0 ff e6  |..d......`.x....|
000000e0  64 e8 71 00 b8 00 bb cd  1a 66 23 c0 75 3b 66 81  |d.q......f#.u;f.|
000000f0  fb 54 43 50 41 75 32 81  f9 02 01 72 2c 66 68 07  |.TCPAu2....r,fh.|
00000100  bb 00 00 66 68 00 02 00  00 66 68 08 00 00 00 66  |...fh....fh....f|
00000110  53 66 53 66 55 66 68 00  00 00 00 66 68 00 7c 00  |SfSfUfh....fh.|.|
00000120  00 66 61 68 00 00 07 cd  1a 5a 32 f6 ea 00 7c 00  |.fah.....Z2...|.|
00000130  00 cd 18 a0 b7 07 eb 08  a0 b6 07 eb 03 a0 b5 07  |................|
00000140  32 e4 05 00 07 8b f0 ac  3c 00 74 fc bb 07 00 b4  |2.......<.t.....|
00000150  0e cd 10 eb f2 2b c9 e4  64 eb 00 24 02 e0 f8 24  |.....+..d..$...$|
00000160  02 c3 49 6e 76 61 6c 69  64 20 70 61 72 74 69 74  |..Invalid partit|
00000170  69 6f 6e 20 74 61 62 6c  65 00 45 72 72 6f 72 20  |ion table.Error |
00000180  6c 6f 61 64 69 6e 67 20  6f 70 65 72 61 74 69 6e  |loading operatin|
00000190  67 20 73 79 73 74 65 6d  00 4d 69 73 73 69 6e 67  |g system.Missing|
000001a0  20 6f 70 65 72 61 74 69  6e 67 20 73 79 73 74 65  | operating syste|
000001b0  6d 00 00 00 00 62 7a 99  0d 0f 16 71 05 75 80 20  |m....bz....q.u. |
000001c0  21 00 07 fe ff ff 00 08  00 00 00 f0 ff ff 00 38  |!..............8|
000001d0  e4 ff 07 ff ff ff 00 f8  ff ff 00 a0 50 5d 00 00  |............P]..|
000001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 aa  |..............U.|
00000200  60 bd 23 c1 f2 64 20 16  a9 40 4e cd e2 45 9a a2  |`.#..d ..@N..E..|
*
00001000  78 eb 21 a4 2d 14 3e 83  ec 37 ba 4c c7 47 2c 1b  |x.!.-.>..7.L.G,.|
*
00100000  eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00  |.R.NTFS    .....|
00100010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 08 00 00  |........?.......|
00100020  00 00 00 00 80 00 80 00  ff ef ff ff 00 00 00 00  |................|
00100030  00 00 0c 00 00 00 00 00  ff fe ff 0f 00 00 00 00  |................|
00100040  f6 00 00 00 01 00 00 00  40 32 b4 e4 58 b4 e4 20  |........@2..X.. |
00100050  00 00 00 00 fa 33 c0 8e  d0 bc 00 7c fb 68 c0 07  |.....3.....|.h..|
00100060  1f 1e 68 66 00 cb 88 16  0e 00 66 81 3e 03 00 4e  |..hf......f.>..N|
00100070  54 46 53 75 15 b4 41 bb  aa 55 cd 13 72 0c 81 fb  |TFSu..A..U..r...|
00100080  55 aa 75 06 f7 c1 01 00  75 03 e9 d2 00 1e 83 ec  |U.u.....u.......|
00100090  18 68 1a 00 b4 48 8a 16  0e 00 8b f4 16 1f cd 13  |.h...H..........|
001000a0  9f 83 c4 18 9e 58 1f 72  e1 3b 06 0b 00 75 db a3  |.....X.r.;...u..|
001000b0  0f 00 c1 2e 0f 00 04 1e  5a 33 db b9 00 20 2b c8  |........Z3... +.|
001000c0  66 ff 06 11 00 03 16 0f  00 8e c2 ff 06 16 00 e8  |f...............|
001000d0  40 00 2b c8 77 ef b8 00  bb cd 1a 66 23 c0 75 2d  |@.+.w......f#.u-|
001000e0  66 81 fb 54 43 50 41 75  24 81 f9 02 01 72 1e 16  |f..TCPAu$....r..|
001000f0  68 07 bb 16 68 70 0e 16  68 09 00 66 53 66 53 66  |h...hp..h..fSfSf|
00100100  55 16 16 16 68 b8 01 66  61 0e 07 cd 1a e9 6a 01  |U...h..fa.....j.|
00100110  90 90 66 60 1e 06 66 a1  11 00 66 03 06 1c 00 1e  |..f`..f...f.....|
00100120  66 68 00 00 00 00 66 50  06 53 68 01 00 68 10 00  |fh....fP.Sh..h..|
00100130  b4 42 8a 16 0e 00 16 1f  8b f4 cd 13 66 59 5b 5a  |.B..........fY[Z|
00100140  66 59 66 59 1f 0f 82 16  00 66 ff 06 11 00 03 16  |fYfY.....f......|
00100150  0f 00 8e c2 ff 0e 16 00  75 bc 07 1f 66 61 c3 a0  |........u...fa..|
00100160  f8 01 e8 08 00 a0 fb 01  e8 02 00 eb fe b4 01 8b  |................|
00100170  f0 ac 3c 00 74 09 b4 0e  bb 07 00 cd 10 eb f2 c3  |..<.t...........|
00100180  0d 0a 41 20 64 69 73 6b  20 72 65 61 64 20 65 72  |..A disk read er|
00100190  72 6f 72 20 6f 63 63 75  72 72 65 64 00 0d 0a 42  |ror occurred...B|
001001a0  4f 4f 54 4d 47 52 20 69  73 20 6d 69 73 73 69 6e  |OOTMGR is missin|
001001b0  67 00 0d 0a 42 4f 4f 54  4d 47 52 20 69 73 20 63  |g...BOOTMGR is c|
001001c0  6f 6d 70 72 65 73 73 65  64 00 0d 0a 50 72 65 73  |ompressed...Pres|
001001d0  73 20 43 74 72 6c 2b 41  6c 74 2b 44 65 6c 20 74  |s Ctrl+Alt+Del t|
001001e0  6f 20 72 65 73 74 61 72  74 0d 0a 00 00 00 00 00  |o restart.......|
001001f0  00 00 00 00 00 00 00 00  80 9d b2 ca 00 00 55 aa  |..............U.|
00100200

themaddoctor commented 7 years ago

Well, there you go. You can't find the first partition because it's not encrypted. Either the disk was never encrypted, or you reformatted after you removed it from the enclosure.

Here is a dump of the partition table in your unencrypted MBR:

Disk mbr0.bin: 512 B, 512 bytes, 1 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x71160f0d

Device    Boot      Start        End     Blocks  Id System
mbr0.bin1 *          2048 4294965247 2147481600   7 HPFS/NTFS/exFAT
mbr0.bin2      4294965248 5860530175  782782464   7 HPFS/NTFS/exFAT

Furthermore, sector 2048 looks like an NTFS partition.
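
As an added example (not from this thread or from reallymine), here is a Python script that does the same decoding the reply above does by eye: it rebuilds bytes from pasted `hexdump -C` output (including the `*` marker that collapses repeated lines), decodes the MBR disk identifier and partition entries into fdisk's columns, and checks the sector-2048 OEM ID. The two embedded dump fragments are copied from the /dev/sdX dump posted earlier in the thread; everything else is assumed.

```python
import re
import struct

# Constructed input: fragments of the `hexdump -C` output posted in this thread,
# the tail of sector 0 of /dev/sdX (MBR partition table and 0x55AA signature)
# and the first 32 bytes of sector 2048 (offset 0x100000 in the 2049-sector dump).
MBR_TAIL_DUMP = """\
000001b0  6d 00 00 00 00 62 7a 99  0d 0f 16 71 05 75 80 20  |m....bz....q.u. |
000001c0  21 00 07 fe ff ff 00 08  00 00 00 f0 ff ff 00 38  |!..............8|
000001d0  e4 ff 07 ff ff ff 00 f8  ff ff 00 a0 50 5d 00 00  |............P]..|
000001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 55 aa  |..............U.|
00000200
"""
SECTOR_2048_DUMP = """\
00100000  eb 52 90 4e 54 46 53 20  20 20 20 00 02 08 00 00  |.R.NTFS    .....|
00100010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 08 00 00  |........?.......|
"""

_OFFSET = re.compile(r"^[0-9a-f]{8}\b", re.I)
_DATA = re.compile(r"^[0-9a-f]{8}((?:\s+[0-9a-f]{2}){1,16})", re.I)


def parse_hexdump(text):
    """Rebuild the bytes shown by `hexdump -C`. A `*` line means the previous
    16-byte line repeats up to the next printed offset; the trailing bare offset
    line only closes the dump. Returns (offset of first byte, bytes)."""
    out, base, last, repeat = bytearray(), None, b"", False
    for line in text.splitlines():
        line = line.strip()
        if line == "*":
            repeat = True
            continue
        if not _OFFSET.match(line):
            continue  # e.g. the command line pasted above the dump
        offset = int(line[:8], 16)
        if base is None:
            base = offset
        while repeat and last and base + len(out) < offset:
            out += last  # expand the run that hexdump collapsed into "*"
        repeat = False
        m = _DATA.match(line)
        if m:
            last = bytes.fromhex(m.group(1).replace(" ", ""))
            out += last
    return base, bytes(out)


MBR_DISK_ID, MBR_TABLE, MBR_SIGNATURE = 0x1B8, 0x1BE, 0x1FE


def parse_mbr(base, data):
    """Decode the DOS disk identifier and the four 16-byte partition entries
    from a (partial) sector-0 image whose first byte sits at absolute `base`."""
    sig = data[MBR_SIGNATURE - base:MBR_SIGNATURE - base + 2]
    if sig != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: not a DOS MBR (encrypted or blank?)")
    disk_id = struct.unpack_from("<I", data, MBR_DISK_ID - base)[0]
    parts = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", data, MBR_TABLE - base + 16 * i)
        if ptype == 0:
            continue  # unused slot
        parts.append({"boot": status == 0x80, "id": ptype, "start": lba,
                      "end": lba + count - 1, "blocks": count // 2})  # fdisk's columns
    return disk_id, parts


def looks_like_ntfs(sector):
    """NTFS volume boot records carry the OEM ID 'NTFS    ' at bytes 3..10."""
    return sector[3:11] == b"NTFS    "


if __name__ == "__main__":
    base, data = parse_hexdump(MBR_TAIL_DUMP)
    disk_id, parts = parse_mbr(base, data)
    print(f"Disk identifier: 0x{disk_id:08x}")
    for p in parts:
        print(f"{'*' if p['boot'] else ' '} {p['start']:>11} {p['end']:>11} "
              f"{p['blocks']:>11}  {p['id']:02x}")
    print("sector 2048 is NTFS:", looks_like_ntfs(parse_hexdump(SECTOR_2048_DUMP)[1]))
```

Running it on the decrypted-layer dump instead (the /dev/mapper/wd0 one) raises the signature error, which is the quickest way to tell a sector full of ciphertext from a real MBR.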

themaddoctor commented 7 years ago

Now I'm curious what your keyblock looks like. Can you send hexdump -C kb.bin ?

thomas-burrdett commented 7 years ago

The drive wasn't turning on. I took it out of the WD enclosure and put it in one I had and it powered up just fine. I figured the issue at that point was the case. After it powered up I connected it to Windows and found that the data didn't seem to load.

I don't recall formatting it.

From there I did some research and came across this project. I executed the reallymine getdek command, and it spat out a key and everything that looked like an expected result:

bridge type JMicron
DEK: 1A5C60F089AE413D710B70E30DB20547C9AD5F1F1C215749E126C6627102D1E2
decryption steps: reverse decrypt reverse

I didn't even start the decryption attempt as I saw in several tickets that the process was slow, and I had a 3TB drive. I only need ~5GB of data from the drive, and saw that you posted in a lot of tickets, and came across your PDF, which seemed like a quicker solution to just get the 5GB I needed.

Even going through that, everything seemed as expected. WDV1 was in my output which matched the document you provided.

Below, I've provided the output you asked.

hexdump -C kb.bin
00000000  57 44 76 31 72 0d 00 00  00 a0 4f 5d 01 00 00 00  |WDv1r.....O]....|
00000010  03 00 00 00 00 00 f0 00  00 00 00 00 00 00 00 00  |................|
00000020  01 00 00 00 00 00 46 50  00 00 00 00 00 00 00 00  |......FP........|
00000030  00 02 ff 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  20 00 ef e3 00 00 00 01  00 00 00 00 57 44 76 31  | ...........WDv1|
00000060  f8 38 10 a4 6f be 91 80  82 29 9c 7c f7 fa 92 91  |.8..o....).|....|
00000070  e3 eb 07 a2 79 fe 19 43  97 65 c2 c6 6a 6e d6 2e  |....y..C.e..jn..|
00000080  07 fd 8e 20 ce 6f 25 8d  72 51 e3 cd fd 2e b9 91  |... .o%.rQ......|
00000090  27 bd 72 fb 31 6e 41 2c  67 81 9b 8c 56 ae 53 a5  |'.r.1nA,g...V.S.|
000000a0  84 74 3d e5 3f 01 4e 57  15 c5 64 0f 84 b4 37 65  |.t=.?.NW..d...7e|
000000b0  50 40 7f bd 64 4a 9f 46  bf 72 6c fa 8f c0 29 91  |P@..dJ.F.rl...).|
000000c0  cf 48 e9 26 97 7d 11 3f  f1 59 dc ae 30 90 dd e3  |.H.&.}.?.Y..0...|
000000d0  2c 80 98 28 cc 78 ca cd  a6 b5 cb 9a 6d 05 14 8d  |,..(.x......m...|
000000e0  fb eb 16 28 23 9b 44 a2  d5 a8 be 2c a8 d7 31 38  |...(#.D....,..18|
000000f0  0a 4d 68 d6 63 5f 61 d0  4e ad a1 30 73 2c c9 7c  |.Mh.c_a.N..0s,.||
00000100  d5 32 d7 3c be 56 a1 af  4e df d7 21 2b 53 10 a9  |.2.<.V..N..!+S..|
00000110  9a b7 73 fd b7 51 79 9e  24 55 a1 12 d7 f3 92 2b  |..s..Qy.$U.....+|
00000120  ea 36 8e 3f f4 5d dc b3  ea 67 a2 39 60 3d 05 b7  |.6.?.]...g.9`=..|
00000130  db df 43 ff a7 c3 8a f4  e0 47 37 97 11 74 42 71  |..C......G7..tBq|
00000140  ba cc 9d 2a 56 0d 8f 80  66 57 13 24 bd ba 46 6e  |...*V...fW.$..Fn|
00000150  fb bf 94 e7 35 3d e6 83  e8 d3 e6 80 ad ff 81 d7  |....5=..........|
00000160  7a b7 38 be 0a 18 b1 c7  e7 cc 5d 9d 3c b1 ca 49  |z.8.......].<..I|
00000170  57 42 38 8c 2a 2b 25 15  e3 f1 96 78 e2 f0 fb ec  |WB8.*+%....x....|
00000180  19 09 e1 00 88 c1 87 b8  27 59 ff bb 2c 9a c7 bd  |........'Y..,...|
00000190  39 2c 33 99 5e 8e af bb  63 ef c9 29 c3 60 f6 d6  |9,3.^...c..).`..|
000001a0  73 8f 56 78 00 ae 58 81  27 6b be 2e d2 f9 cc 1c  |s.Vx..X.'k......|
000001b0  e9 38 11 ed 8a a7 d9 a7  54 08 08 12 5f 3d 50 0e  |.8......T..._=P.|
000001c0  7e d1 73 4f 53 f9 3a 87  73 5a 3a 93 50 83 d6 91  |~.sOS.:.sZ:.P...|
000001d0  f3 d4 b0 9f 06 1b d3 93  f1 df fe fd 46 e4 cc 39  |............F..9|
000001e0  fc 61 e0 51 fb 85 66 51  78 a6 40 79 8d 52 be 86  |.a.Q..fQx.@y.R..|
000001f0  89 71 0d 80 88 a0 02 1f  c5 61 f0 b7 95 e3 0d df  |.q.......a......|

themaddoctor commented 7 years ago

Are you sure it's a JMS538S and not a JMS569?

Does the linux computer recognize it? You should remove the decryption filter:

sudo cryptsetup remove wd-layer2
sudo cryptsetup remove wd-layer1
sudo cryptsetup remove wd0

You might have to partprobe or kpartx -a /dev/sdX. If it doesn't pop up automatically, mount with

sudo mkdir -p /mnt/wd{1,2}
sudo mount -t ntfs-3g /dev/sdX1 /mnt/wd1
sudo mount -t ntfs-3g /dev/sdX2 /mnt/wd2

themaddoctor commented 7 years ago

BTW, I don't see anything unusual about the keyblock, at first glance.

thomas-burrdett commented 7 years ago

Are you sure it's a JMS538S and not a JMS569?

To be honest, I'm not sure. The drive wouldn't power up inside the case. I took it out and put it in an enclosure I had, and when the drive connected it showed my partitions, but they didn't have my data. I did some searching around and found this project. Ran the getdek command and it came back with the result above so I thought the data was encrypted.

Does the linux computer recognize it?

The partitions do appear in the file explorer, but they appear empty when I click them.

Sorry for the lack of response yesterday. I got stuck at work.

themaddoctor commented 7 years ago

You should be doing all data recovery in linux, to avoid the possibility of corruption and to have better free tools. Try mounting the partitions in linux, with the commands in my previous post.

thomas-burrdett commented 7 years ago

I guess my confusion is how I can do the data recovery when everything is encrypted. Again, that's based on just the fact that no data loaded, some minimal web research, and the fact that the getdek command returned a key, and decryption steps, and one of the steps from your PDF provided the WDV1 which seemed to all indicate it was encrypted.

I've started the same testdisk scan, and will report the results.

I'm not trying to be a pain, I truly appreciate the help, I'm just confused.

themaddoctor commented 7 years ago

Two days ago I said, based on the information that you sent, that the drive is NOT encrypted. Just mount it as is.

MrDecay commented 7 years ago

@thomas "The drive wouldn't power up inside the case. I took it out and put it in an enclosure I had, and when the drive connected it showed my partitions, but they didn't have my data. "

Was this a generic enclosure or another WDC one? Maybe your enclosure is not seeing the whole 3TB or the OS is not handling the GPT structure. Just throwing some thoughts out there.


themaddoctor commented 7 years ago

@thomas-burrdett @MrDecay I've heard there is a problem with LBA being 512 vs. 4k or whatever, so Windows has problems with the bare drives.

themaddoctor commented 7 years ago

Anyway, use linux.

MrDecay commented 7 years ago

Oh yeah, advanced 4K formatting... that's how come we are at sector 2048 as opposed to 63, due to partition alignment. It would cause performance issues in XP if you repartition the drive. But as themaddoctor said, work in Linux for a better controlled environment.


andlabs commented 7 years ago

Uhhh, I'm pretty sure Linux will be fooled by a 512/4096 sector size mismatch. OS X is fooled too (I can confirm this). Unless Linux has magic code that can correct for this?

themaddoctor commented 7 years ago

Linux IS magic.

themaddoctor commented 7 years ago

Seriously, I think I heard of a windows system that saw no data, but linux did. One of the self-encrypting ones.

andlabs commented 7 years ago

Where in the kernel source is this code then? I can't personally test this theory until I get home tonight, since that's where my old laptop with Linux installed is. (I have two different HDD enclosures, one of which always reports 512 and one of which is honest, so I can test this.)

themaddoctor commented 7 years ago

@andlabs I really don't know enough to answer. Doing the test will tell us.

I have an enclosure that split my 4TB disk into two 2TB drives. Is this the same issue? Even if it is the same issue, I was able to see my data with linux.