andlabs / reallymine

WD MyBook encrypted hard drive decryption (still WIP).
https://github.com/andlabs/reallymine/issues/38
GNU General Public License v3.0
216 stars 48 forks

Forgot password of WD my passport essential #67

Open Purefreeman opened 6 years ago

Purefreeman commented 6 years ago

I forgot the password to my passport essential, and I am just wondering if it is possible to unlock and get the files from it? I am a Windows user. I have looked through the issues section to try to find some sort of help on how to use this program on Windows; since that didn't work, I thought I should just ask.

Purefreeman commented 6 years ago

@themaddoctor what would be a valid proof? I've had it for years (so receipt of purchase isn't going to be an option). All I know is that the contents inside are some pictures of me and other files.

themaddoctor commented 6 years ago

If you read my comments before I deleted them, then please disregard what I said.

Passports can only be done if you are able to remove the USB-SATA card (older models) or bypass the USB (newer models). Here is a link to one person who did it: http://blog.acelaboratory.com/pc-3000-hdd-how-to-solder-a-sata-adapter-to-the-usb-western-digital-drive.html

Unless you can (1) prove that you own the drive, and (2) get access to the raw drive, I cannot be any help.

themaddoctor commented 6 years ago

If you registered with WD for the warranty, they can send you an email to verify your ownership.

Or if you know some of the password, that might be enough to prove it.

In any case, you have to gain access to the raw drive first, and I have already given you everything that I know about how to do that.

Purefreeman commented 6 years ago

@themaddoctor I totally understand. Thanks for your time.

andlabs commented 6 years ago

reallymine can only decrypt a password-protected drive without knowing the password if it uses a very specific chip where the password was not stored securely. The only way to find out which chip you have is to run reallymine on the raw drive, alas. (It was mainly intended for recovering a drive whose USB parts had broken, meaning all you have is the raw drive.)

The paper at https://eprint.iacr.org/2015/1002.pdf that first successfully described how the encryption works does talk about vulnerabilities in the way WD did encryption on the other chips that would make it easier to figure out the password, but I haven't written those in reallymine yet, and in some cases they wouldn't even be feasible to have in reallymine...

themaddoctor commented 6 years ago

@andlabs I know how to do a few of them.

Purefreeman commented 6 years ago

Thanks for all the sources, I doubt I will be able to execute any of them. I will just have to continue looking at My Passport hoping one day I remember it, or find an alternative method.

d8ytes commented 6 years ago

@themaddoctor I have a WD my book essentials 1TB drive and have forgotten the password I used to lock the drive.

I had registered my drive with WD and have that record and account listing the hard drive in.

I can also prove my ownership in different valid ways. Kindly help me out on how to decrypt the drive in Linux (I'll use the Kubuntu release), or maybe you can help me recover the first 4 letters of the password (I can list you all possible combinations I used), or it would be great if you could remotely help me out.

I am ready to put in efforts to perform this just need a kick start from your experience

Thanks

themaddoctor commented 6 years ago

Post your ownership documents and tell me which chip is on the USB-SATA bridge card.

d8ytes commented 6 years ago

Thanks for replying. Can I share the email I got from WD when I registered the drive? I can also list folder names in the drive which I have, and can share possible password keywords I used, but how can I send you this info in a private message here, or can you share your email address? I am not comfortable sharing those details here in public.

EDIT: can you also direct me which cable / I need to purchase to be able to connect the drive from the motherboard, I saw some video of taking out the hard drive from enclosure and hooking up a SATA - USB cable on the pins placed on the motherboard.

d8ytes commented 6 years ago

I managed to open the drive, but can't identify the chip on the USB-SATA bridge card. How do I know that? Should I remove the 2 side screws and remove the SATA connector chip too?

themaddoctor commented 6 years ago

I sent you an email, so you can just reply to it with your attachments.

The bridge card should be a square or triangular card that is plugged into the SATA port on the drive, and held in place with a screw or two. If you remove the screw(s), slide it off carefully in the direction that you would use to unplug the drive's SATA cable.

To connect to a motherboard, use a normal internal SATA cable. DO NOT connect to a Windows system, unless you don't mind destroying the master boot record. Use Linux or Mac.

themaddoctor commented 6 years ago

I received your email. If you have more questions, you should ask them here, and not in email.

If you have the INIC chip, there is no easy backdoor to open in. It requires checking all possible passwords until one works. I might have to ask for some money to do this.

To do it, I will need sectors 0, 2048, and 1953519624 from the disk.

d8ytes commented 6 years ago

Hi, contd from the email convo...

I have some questions:

I am ready to pay you a reasonable amount for the help you do for me either decrypting the drive for me or helping me with few digits of the password so I can relate and enter the correct one.

Thanks a lot man.

themaddoctor commented 6 years ago

Any linux except Kali should work. I would choose the one that actually encloses the disk. The data on the disk can be accessed once the key is found. Image it if you want to. I need those three sectors in order to start, and reading them from the disk is trivial. It's an all-or-nothing procedure. The entire key or none of it. No "few digits".

d8ytes commented 6 years ago

Great, I will begin then. Will follow your instructions for the INIC 1607E chip. Once connected to the Linux system, I will image the disk may take a day or so as I will leave it unattended. And contact you back with required info, hope this is OK. Thanks a lot.

EDIT: I hope the local enclosure chip won't affect the drive or anything on it. Also, is your solution going to change anything on the device, for which I must image the disk first? I am asking this as I do not currently have a spare 1 TB drive to image this and would basically be risking the disk without a backup.

themaddoctor commented 6 years ago

@d8ytes I haven't heard back from you. And I don't understand your question. Making an image gives you a backup in case you somehow damage the data. The procedures I use don't care if you use the original disk or an image. The only difference is what level of risk you accept.

design-bytes commented 6 years ago

@themaddoctor Hi, sorry for keeping you waiting, had trouble installing Ubuntu on the ssd in my laptop don’t know for what reason it never got installed , I’m yet to image the disk to start further, please allow me a few days to come back to you.

I will image the disk using the imaging option in Ubuntu, is that good enough? Or can you suggest some other tool?

themaddoctor commented 6 years ago

I use ddrescue, aka dd_rescue or gddrescue. Just be careful that you read the manual for it, because you can destroy data if you accidentally write to the wrong disk.

design-bytes commented 6 years ago

Hi, how bout if I use this Create Disk Image option in Ubuntu ? Would this do the job ? Else I'll try the ddrescue or if any other GUI based tool you could recommend ? As I am naive at Linux commands, but getting to comprehend the same gradually ,

themaddoctor commented 6 years ago

I don't know that tool.

design-bytes commented 6 years ago

Hi, sorry it took me long to arrange a backup drive for imaging the affected one, but now I've got one.

But I have a question: now my affected drive is NTFS 1TB and the backup drive is NTFS 2TB, both connected to Ubuntu. Is it OK if I image the affected drive as is to the NTFS backup drive (while in Ubuntu), or is it recommended to format the backup drive into ext4 and then make that NTFS (affected drive) image? Just curious, please suggest. Will the target image be a partition of type NTFS / ext4? Currently the affected drive shows as unknown type, but I'm sure it's NTFS.

Also, once image is done I will work on the image than the actual drive to be safe, mounting the same in ubuntu.

themaddoctor commented 6 years ago

Do a "dd_rescue /dev/sdX /path/to/image.file.to.be.created" where X is the right thing for source disk and replace /path... with the path to the image file you want to make. dd_rescue has an instruction page (do "man dd_rescue").

The format of the disk where you write the image shouldn't matter.

design-bytes commented 6 years ago

EDIT 3: I managed to install ddrescue-GUI , can I use that for imaging ? If yes, I will chose source as sdc ( not sdc1, as I want to cover whole of my source drive ) and will chose sdd ( and not sdd1 , as my destination drive ) , also can you guide what to chose in log file option ?

Is this OK ?

EDIT 2: I tried imaging a 2GB pendrive at /dev/sdc1 to the 2tb drive at /dev/sdd1 with the following command:

user@user-X555UA:~$ ddrescue /dev/sdc1 /dev/sdd1/image/

and got the below error:

ddrescue: Can't open input file: Permission denied

Any help?

EDIT 1: I tried man ddrescue and it worked, is it the correct one? Maybe the new version? Could you confirm if I can do a "ddrescue /dev/sdX /path/to/image.file.to.be.created"?

Hi, I'm new at Linux, and this is what I got when I did

user@user-X555UA:~$ man dd_rescue
No manual entry for dd_rescue

themaddoctor commented 6 years ago

I don't know what ddrescue-GUI is, but I'm sure that it is not dd_rescue. You probably installed ddrescue.

I use "sudo" when I don't have permissions. sudo ddrescue /dev/sdX /path/to/image

MrDecay commented 6 years ago

sudo ddrescue -v -v -P /dev/sdX /path/to/image /path/to/logfile.map

design-bytes commented 6 years ago

Hi, Thanks for suggestions guys. I tried doing the below, and got an error, did the same thing for 2gb ntfs drive to 8gb ntfs drive it worked flawlessly, don't know what's happening with these bigger drives

user1@user1-X555UA:~$ sudo ddrescue /dev/sdd /media/user1/MyPassport/backup/backup.img /media/user1/MyPassport/backup/backup.log
[sudo] password for user1: 
ddrescue: Can't open output file: No such file or directory
user1@user1-X555UA:~$ 

my target drive is mounted at /media/user1/MyPassport/ , then I have made a folder inside it as backup its also denoted by /dev/sdc1 , the workable file partition, can I replace the mount path with /dev/sdc1 , will it be ok and not be disturbing existing data on that partition ?

Please rectify me

design-bytes commented 6 years ago

Update: I had a dual boot Ubuntu/Windows system. While having the affected drive connected to Ubuntu, I rebooted into Windows by mistake, but took off the drive immediately on the login screen. Looks like Windows did its worst already and the MBR is corrupted now. Any hopes remaining for my data? Earlier Windows recognized this drive while the WD chip was on; now it just shows a CD drive which vanishes away, and I get a message "The USB device connected has malfunctioned" (never got this message earlier). I'm rocked!!

Please help.

MrDecay commented 6 years ago

Should decrypt fine if it was just the mbr that took the hit.


MrDecay commented 6 years ago

Should decrypt fine if it was just the mbr that


themaddoctor commented 6 years ago

The answer to your question is 'no'. Try touching the output file to see where you went wrong:

touch /media/user1/MyPassport/backup/backup.img

design-bytes commented 6 years ago

I think I have given up with ddrescue; sorry; can’t take the shocker of data loss

I just right clicked the affected drive, selected, image partition option and saving it to the 2tb drive , the inbuilt Ubuntu drive option and it’s going to take about 7 hours; I hope this is ok, I’m using Ubuntu 18.04

design-bytes commented 6 years ago

I’m worried that I’ve messed up with the data or the partition , could you clarify me a little what could have happened when I connected the drive in windows boot and just took it off while still on login screen 😐,

what are the possibilities that my data will be safe still ??

Would you be able to help me with the image now I’m making ???

design-bytes commented 6 years ago

@themaddoctor did you mean the data is lost ?? @MrDecay could you please clarify what are my chances now ? I booted while the bare drive was connected to laptop while booting into windows but I hooked it off while login screen just appeared

themaddoctor commented 6 years ago

The answer to your question "can I use /dev/sdc1/user1/..." is NO

design-bytes commented 6 years ago

@themaddoctor and now after windows boot, what are the possibilities with the data ?

themaddoctor commented 6 years ago

I don't know until I see some samples. Send the first and last 2MB of the image.

design-bytes commented 6 years ago

@themaddoctor Just FYI, out of curiosity I plugged in the drive with encryption chip ON to another windows machine and it shows me the WD MyBook partition as is, moreover when trying to unlock the drive using WD SmartWare app I could see the same password hint on the SmartWare login prompt, can I assume MBR and Partition table is intact ?

EDIT PS. I will send you the info you need tomorrow after I image the drive, which will take about 8 hours , meanwhile can you guide me on how to take out those first and last 2MB's ?

design-bytes commented 6 years ago

@themaddoctor can you guide/link me on how to take out those first and last 2MB's ?

design-bytes commented 6 years ago

@themaddoctor hi, can you help me on how can I take out those first and last 2 MB's ?

themaddoctor commented 6 years ago

Use dd. There is a manual page for it at "man dd". Something like: dd if=image.img count=4096 of=start.bin

design-bytes commented 6 years ago

@themaddoctor PFA the 2MB as per your command dd if=image.img count=4096 of=start.bin. Let me know if I need to do something else, eagerly waiting for your reply. PS. It was strange to learn 'if' means input file; 'of' made sense though :)

2MB.zip

themaddoctor commented 6 years ago

I don't see any obvious damage.

design-bytes commented 6 years ago

@themaddoctor so is it good ? What did you see ? Could you see any data ? Please help me further in de-crypting the drive and taking data out. I will continue working on the image file than the actual disk.

themaddoctor commented 6 years ago

I don't see any obvious damage.

themaddoctor commented 6 years ago

Did you tell me which chip it has? How large the disk is? Can you dump the last 2MB by adding skip=... to the dd command?

design-bytes commented 6 years ago

Yes, in this thread itself I posted the details earlier. I even showed you a valid proof of ownership via email, I will post again.

Details : INIC 1607E chip 1 TB WD My Book Essentials

I will try for last 2 MB, can you give me the exact command for skip , is ... ok ?

themaddoctor commented 6 years ago

I have a lot going on, and this thread is now 4 months old, so I forget the details. Sorry. And my head hurts.

For that chip and disk size, try dd if=image.img bs=512 count=1 skip=1953519624 of=keyblock.bin

Then do a hexdump to see if you got the right thing: hexdump -C keyblock.bin

You should see "WD" in the first line of the output. The hex code is 57 44 01 14.

Then send me keyblock.bin and everything you can remember about the password.

design-bytes commented 6 years ago

Hi, I did as per your commands and this is what I get

user@user-X555UA:~$ dd if=/media/user/My Passport/07092018.img bs=512 count=1 skip=1953519624 of=/media/user/My Passport/keyblock.bin
1+0 records in
1+0 records out
512 bytes copied, 0.430474 s, 1.2 kB/s
user@user-X555UA:~$ hexdump -C /media/user/My Passport/keyblock.bin
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000200

*not sure why the github editor is striking off some text above

Can't see WD in the first line, and how do I see the HEX code? It's all 0's as I see. Did I do something wrong? I am working on the 1TB .img file stored on a different hard drive.

BIN file attached

keyblock.zip

themaddoctor commented 6 years ago

remove "count=1" and play with the "skip" number until you get a file 2 or 3MB. Send that file and I will look at it
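An added example, not code from this thread or from reallymine: instead of adjusting `skip` by hand, this read-only scan classifies the expected sector of an image file (for instance, reporting the all-zero result seen in the hexdump above) and lists nearby sectors that begin with the signature 57 44 01 14 quoted earlier. The function names, the window size, and the sample image are assumptions constructed for illustration.

```python
import os
import tempfile

SECTOR = 512
WD_MAGIC = bytes.fromhex("57440114")  # "WD" 01 14, the signature quoted in the thread


def scan_for_keyblock(image_path, expected_sector, window=4096):
    """Classify the expected sector and list nearby sectors that start with WD_MAGIC.

    Works on a regular image file, opened read-only. `window` (sectors searched
    on each side) is an assumption of this example, not a value from the thread.
    """
    total = os.path.getsize(image_path) // SECTOR
    first = max(0, expected_sector - window)
    last = min(total, expected_sector + window + 1)
    status, hits = "outside-image", []
    with open(image_path, "rb") as img:
        img.seek(first * SECTOR)
        for n in range(first, last):
            block = img.read(SECTOR)
            if len(block) < SECTOR:
                break  # truncated image: stop at the last full sector
            has_magic = block.startswith(WD_MAGIC)
            if has_magic:
                hits.append(n)
            if n == expected_sector:
                if has_magic:
                    status = "magic"
                else:
                    status = "all-zero" if not any(block) else "other"
    return status, hits


def build_sample_image(sectors=64, keyblock_at=40):
    """Constructed test image: zero-filled except one sector carrying the signature."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(sectors * SECTOR))
        f.seek(keyblock_at * SECTOR)
        f.write(WD_MAGIC + bytes(SECTOR - len(WD_MAGIC)))
    return path


if __name__ == "__main__":
    sample = build_sample_image()
    try:
        # Sector 50 is zeros in the constructed image; the signature sits at 40.
        print(scan_for_keyblock(sample, expected_sector=50, window=16))
    finally:
        os.remove(sample)
```

An "outside-image" status means the image file is shorter than the sector number being requested, which is worth ruling out before assuming the block was overwritten.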