Open hyllm opened 7 years ago
See my other comment, please.
My technique at https://github.com/themaddoctor/linux-mybook-tools works, if you can find the keyblock. Dump sectors 7814036350 through 7814036365 for me, to find out.
sudo dd if=/dev/sdX skip=7814036350 count=16 of=4tbplx.bin (replace X with the right thing)
Yes, samples would be nice. This will be blocked by #38 in the meantime.
If I get your keyblock, I can give you the key, and you can use reallymine to decrypt.
Sorry for very late reply... but some medical problems forced me to be in hospital for over a year. :( Still possible to send keyblock?
yes
4tbplx.zip ok. made bin with sudo dd if=/dev/sdb skip=7814036350 count=16 of=4tbplx.bin
here it is.
i really don't know which of the two disks it is, so here is the second dump... 4tbplx_disk2.zip
Your dumps contain only zeroes. Maybe the keyblock is in the service area modules. For that, you could use HDDSuperTool (find it with google) to dump the modules. If it's not there, then the key would have to be stored in one of the chips on the PCB card. Sorry.
BTW, drives with that chip (PLX) have been a problem. The only ones I have gotten to work are the 3TB drives.
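The all-zero check on a 16-sector dump, as an added example that is not part of the original thread: it reports how many sectors of a dump file contain any data, so a dump can be sanity-checked before it is shared. The function names and the 512-byte sector size (dd's default block size, which the dump command above relies on) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a sector dump.
SECTOR=512   # assumption: dd's default block size, as used by the dump command

# Print how many sectors of file "$1" contain at least one non-zero byte.
nonzero_sectors() {
    file=$1
    total=$(( $(wc -c < "$file") / SECTOR ))
    n=0
    i=0
    while [ "$i" -lt "$total" ]; do
        # Delete NUL bytes from one sector; any byte that remains is data.
        left=$(( $(dd if="$file" bs="$SECTOR" skip="$i" count=1 2>/dev/null \
                   | tr -d '\000' | wc -c) ))
        if [ "$left" -gt 0 ]; then
            n=$(( n + 1 ))
        fi
        i=$(( i + 1 ))
    done
    echo "$n"
}

# check_dump FILE [SECTORS]
# Returns 0 if the dump holds data, 1 if it is all zeroes,
# 2 if its size is not SECTORS * 512 bytes (short read or wrong count).
check_dump() {
    file=$1
    expect=${2:-16}
    size=$(( $(wc -c < "$file") ))
    if [ "$size" -ne $(( expect * SECTOR )) ]; then
        echo "unexpected size: $size bytes"
        return 2
    fi
    nz=$(nonzero_sectors "$file")
    if [ "$nz" -eq 0 ]; then
        echo "all $expect sectors are zero"
        return 1
    fi
    echo "$nz of $expect sectors contain data"
    return 0
}

# Run as: sh check_dump.sh 4tbplx.bin
if [ "$#" -gt 0 ]; then
    check_dump "$@"
fi
```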
installed the hddsuperclone (part of it is hddsupertool)... any guide please? not so experienced, not with linux. :(
hddsupertool is menu-driven. Choose VSC ("vendor-specific commands") and choose to dump all modules. I forget the exact numbers of the options.
ATA passthrough mode, I think, yes? (IRST is in AHCI mode)
I'm sorry, but I don't see anything that I recognize as a keyblock.
so... no chance to decrypt? even in specialised companies? decrypt key is gone with the usb-sata board? :(
I really can't say for sure. The key might be stored on an EEPROM on the drive itself. I just don't know. Good luck, though.
Hi @themaddoctor,
If I get your keyblock, I can give you the key, and you can use reallymine to decrypt.
Thanks to your excellent guide, I can generate the DEK for my 3TB PLX OXUF943SE chip drive.
To use the DEK with reallymine to create a decrypted image file from the encrypted image I made, what decryption steps should be specified below please?
$ reallymine decryptfile encrypted.img decrypted.img myDEK decryption-steps
P.S. Thanks also for this beautiful reply to conrad10781.
I believe that it's just a straight decryption, without any special steps. I do not know the specific syntax for reallymine. Perhaps @andlabs can help.
Thanks so much for your quick reply, @themaddoctor!
I was hoping to leverage reallymine as the disk was formatted as HFS+, and I wanted to work under macOS if possible.
However, thanks to your linux-mybook-tools, I was able to assemble the necessary DEK file and mount the HFS+ disk in Linux.
A humble suggestion for your excellent PDF guide: running
$ sudo kpartx -l /dev/mapper/wd
after
$ sudo kpartx -a /dev/mapper/wd
may help readers determine the correct partition, e.g.,
$ sudo kpartx -l /dev/mapper/wd
GPT:Primary header thinks Alt. header is not at the end of the disk.
GPT:Alternate GPT header not at the end of the disk.
GPT: Use GNU Parted to correct GPT errors.
wd1 : 0 409600 /dev/mapper/wd 40
wd2 : 0 5859794864 /dev/mapper/wd 409640
$ sudo mount /dev/mapper/wd2 /mnt/wd -o ro
Still not possible? Can submit samples if needed. Got the 4TB harddrive here. :)