andlabs / reallymine

WD MyBook encrypted hard drive decryption (still WIP).
https://github.com/andlabs/reallymine/issues/38
GNU General Public License v3.0

When keyblock does not reside on the disk #49

Open mhetes opened 7 years ago

mhetes commented 7 years ago

Enhancement idea: When the keyblock does not reside on the disk (is stored exclusively in U14), reallymine will run for hours trying to find the keyblock on the disk without any error. I think it may be vital to add a check: if the keyblock was not found in the last 4-10MB of the disk, it should quit with an error informing that the keyblock cannot be found / is not located on the disk.

This was exactly my case and I was not sure what was going on. In the end I found the presentation where WD external drive vulnerabilities were described and also @themaddoctor's document, so I investigated the HDD dump, where I could find only an unencrypted partition with WD SmartWare software and manuals after the main encrypted partition, but no sign of any keyblock blob.

Luckily, it ended quite well in my case. The USB connector on my circuit board was ripped out, so I investigated the option to decrypt the disk from the USB hub. But my circuit board also had FireWire connectors, so after finding an old computer with FireWire I could back up all the data using that connection.

My disk is: WD My Book Studio 2TB ProductNo: WDBAAJ0020HSL-EESN Chip on the circuit board: OXUF943SE

andlabs commented 7 years ago

If you have the keyblock you can run the individual commands to get what you need and run decryptfile yourself.

Reading the service area directly is planned; the ata folder is the start of that.

themaddoctor commented 7 years ago

What's your OS? @Martin77Punk

themaddoctor commented 7 years ago

@andlabs Where is this ata folder? I experimented a bit trying to figure out the raw disk commands from HDDSuperTool scripts, but didn't get much further than reading out the disk's ID.

andlabs commented 7 years ago

I thought I pushed it on master; it's pushed on concurrent-decryption instead. But that codebase can't be used anyway (I would have to write it in C, so if you're not building with cgo or don't have a C compiler you won't be able to use it).

mhetes commented 7 years ago

@andlabs I understand that I could use a step-by-step approach by executing individual commands, but in my case the problem was that I couldn't obtain the keyblock with reallymine getdek, nor find it anywhere in the disk dump.

@themaddoctor I've tried reallymine and done disk dumps on an Ubuntu machine, as on Windows it was failing on the seek function...

themaddoctor commented 7 years ago

@Martin77Punk Would you be willing to try HDDSuperTool (http://www.sdcomputingservice.com/hddsupertool/download) to dump the service area, so we can see if the keyblock is there?

If so, it only runs on linux. In the menu, choose "VSC", then "dump all modules". Zip them together (use 7zip) and post them.

Thank you.

themaddoctor commented 7 years ago

I have, so far, only seen one OXUF disk with the keyblock in the user area of the disk.

mhetes commented 7 years ago

@themaddoctor So, I've connected encrypted disk again to USB hub and in HDDSuperTool executed: VCS / WD royl (Marvel) dump all modules

Many modules were dumped, but it quits with the error:

Module ID = 0x0  Size in sectors = 0x6a
enable vsc
prepare to read
Command failed!
sense_key=0x0 asc=0x0 ascq=0x1d
error=0x4 count=0x46 lba=0x510037 device=0x4 status=0x51 altstatus=0x0
command_status= 0x0
data_transferred= 0x200

So I'm really not sure if all modules were really dumped correctly.

Full output from module dump here: HDDSuperTool_output.txt

Dumped modules so far: ModulesDump.zip

At this moment I was not able to find any occurrence of the keyword SInE that would indicate a keyblock for OXUF943SE, but maybe you may have more luck...

I'm also sending you last 5MBs dumped from HDD for you to see that there also isn't any sign of keyblock. You may see a few bytes from the unencrypted UDF image with WD SmartWare installer, but nothing interesting is at the end of the disk... HDD_last_5MB.zip
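An added example, not part of the original thread and not reallymine's own code: one way to implement the bounded search this issue asks for, scanning only the tail of a disk image for the `SInE` marker mentioned above and returning a distinct error instead of continuing across the whole disk. The function name, the 1 MiB chunk size and the in-memory test image are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// Marker quoted in the thread for OXUF943SE keyblocks.
var oxufMarker = []byte("SInE")

// ErrKeyblockNotFound lets the caller stop instead of scanning the whole disk.
var ErrKeyblockNotFound = errors.New("keyblock marker not found in tail window; it may not be stored on the disk")

const chunk = 1 << 20 // bytes read per step (assumed value)

// FindMarkerInTail (hypothetical name) scans only the last `window` bytes of a
// `size`-byte image and returns the offset of the match closest to the end.
func FindMarkerInTail(r io.ReaderAt, size, window int64, marker []byte) (int64, error) {
	if len(marker) == 0 || size <= 0 {
		return -1, errors.New("empty marker or image")
	}
	if window > size {
		window = size
	}
	// Over-read by len(marker)-1 so a marker straddling two chunks is still seen.
	buf := make([]byte, chunk+len(marker)-1)
	found := int64(-1)
	for off := size - window; off < size; off += chunk {
		n, err := r.ReadAt(buf, off)
		if err != nil && err != io.EOF {
			return -1, err // real I/O error: report it, do not treat as "not found"
		}
		if i := bytes.LastIndex(buf[:n], marker); i >= 0 {
			found = off + int64(i)
		}
	}
	if found < 0 {
		return -1, ErrKeyblockNotFound
	}
	return found, nil
}

func main() {
	img := make([]byte, 3<<20) // constructed 3 MiB image, not real drive data
	copy(img[(2<<20)-2:], oxufMarker)
	off, err := FindMarkerInTail(bytes.NewReader(img), int64(len(img)), 2<<20, oxufMarker)
	fmt.Println(off, err)
}
```

With a real dump, pass an `*os.File` and its size, and use a window of 10 MiB to match the upper bound proposed in the issue.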

themaddoctor commented 7 years ago

Nope, not finding it.

The next step would be to get an EPROM reader.

themaddoctor commented 7 years ago

By "connected encrypted disk again to USB hub", you mean with a different enclosure, and no OXUF board. Right?

mhetes commented 7 years ago

@themaddoctor Yeah, different enclosure, no OXUF board... Any EPROM reader that you can recommend? From eBay, Amazon, AliExpress?

andlabs commented 7 years ago

If you connect the hard drive directly to your computer without using a spare MyBook PCB, what happens? I must have missed it...

themaddoctor commented 7 years ago

@Martin77Punk I've never used an EPROM reader, so I can't be much help with that. I was shopping for one a while ago, but haven't bought it. The one that looked best to me was: https://www.amazon.com/gp/product/B01MA497YA/ref=ox_sc_sfl_title_8?ie=UTF8&psc=1&smid=A1VTL661FOEJB1 but the price has gone up dramatically since the time I first looked. Since you already have your data back, you might not think it's worth the expense or effort.

@andlabs I'm a bit confused. I thought this is what we all were doing (removing the board and using the SATA connector or a new nonWD enclosure). When you do that, you see the bare drive, with the encrypted data and the keyblock (if it's there). You must be acquiring your disk images in some other way, yes?

andlabs commented 7 years ago

Marking this as relevant to #45 — I could try the specific values there first (after trying the service area, of course, if possible) and then go back to the slow search if all else fails.