Help recovering data from a 3TB Mybook studio

[mikeakers]

Hi everyone, I had a 3TB Mybook studio drive (one of the ones with firewire 800 and an e-ink display). A few months ago, not knowing about the hardware encryption, I decided to take it apart and put the drive in a new enclosure that supported USB3 since I no longer have a machine with firewire 800 and USB2 is slow. The drive wasn't recognized in the new enclosure and when I tried connecting to the old board again it still didn't work. I got distracted by other problems and didn't come back to trying to recover my data until today, but unfortunately the old board got lost so I can't tell you what kind of chip it had.

running reallymine getdek fails after a few minutes with an input/output error so I currently can't get a a dek. I'm attaching the output of reallymine dumplast to this post in case that's helpful. Please let me know if theres any additional data I can share to help me get to my data.

dumplast.bin.zip

Thanks!

[themaddoctor]

No, it wasn't useful.

Can you dump sectors 0, 2048, 2049, and 5860528136 through 5860533128 ?

[mikeakers]

Here you go:

dumps.zip

[themaddoctor]

What you sent has sectors 0, 2048, 2049 all full of the same 16-byte pattern. Possible the encryption of zeroes.

The last thing you sent covers the area where a keyblock would be stored. But it was all zeroes.

[themaddoctor]

What is the manufacture date? I have a trick, but it's a longshot, and probably won't work.

[mikeakers]

The drive was manufactured on Jan 22, 2011

[themaddoctor]

It didn't work.

[mikeakers]

Looking at my command history I think I overwrote the dump for sector 0 with the contents of sector 2048... I've redone them all and attached the updated dumps.

updateddumps.zip

Can you verify that I ran the right commands to dump the sectors you asked for?

dd if=/dev/sdb of=0.bin skip=0 count=1 bs=512
dd if=/dev/sdb of=2048.bin skip=2048 count=1 bs=512
dd if=/dev/sdb of=2049.bin skip=2049 count=1 bs=512
dd if=/dev/sdb of=5860528136.bin skip=5860528136 count=4992 bs=512

[themaddoctor]

That last command leaves out the last block that I want to see. Use count=5000 just to be safe.

[themaddoctor]

I'm going to say it looks like an apple disk, because it has a partition table, but no filesystem at sector 2048. The hard part now is to find your keyblock.

[mikeakers]

Here's the last dump, count 5000. Looks like there's some data there but idk if it's significant.

5860528136.bin.zip

BTW thanks for the help and fast responses, I really appreciate it!

[themaddoctor]

Sorry. You could try looking in the service-area modules for the keyblock. On linux I use hddsupertool. Google knows where to find it. If it's not there, then it might be in one of the ROM chips, but you lost the board, so that won't help.

[mikeakers]

Here's a dump of the service area with hddsupertool, I tried grepping for SInE but wasn't able to find anything :/

vscdump.zip

[themaddoctor]

I didn't find a keyblock for any of the chips I know about. Sorry.

[mikeakers]

Thanks for all the help @themaddoctor, it's good to know that I tried every option available... I'll keep the drive around untouched incase the board shows up.

-Mike