andlabs / reallymine

WD MyBook encrypted hard drive decryption (still WIP).
https://github.com/andlabs/reallymine/issues/38
GNU General Public License v3.0

WD Notebook 1.5TB encryption card lost/reformatted/need help recovering older data #84

Open inzainia opened 5 years ago

inzainia commented 5 years ago

This is an older 12-15 yr old drive that failed due to the board shorting out a long time ago. I had a ton of pics of my family and kids growing up on it and thought I had lost them all, so I took it apart and stuck it into the PC thinking I could at least get some storage use out of it, and reformatted it. I then wrote NOTHING more to it, as the next week I built a new PC and bought a 4TB HD so didn't need it, so it was stuck in a drawer for 5+ years. I recently saw some info on recovering these drives using Linux etc., so I dug it out.

Here is the drive info if needed: WD Green, 1.5TB, SATA/16MB cache, WD15EACS, SN: WCAZA3727696, mdl# WD15EACS-11BHUB0

The drive spins up, is detectable and originally had 2 partitions on it. It was NOT password protected, I assume; I could use it with my jailbroken Wii to store games, and on the PC for storage freely without ever entering any password. I cannot give the info off the encryption card, as it was partially scorched when I removed it, and it was lost. I just know it was triangular shaped.

Any info getting started would be greatly appreciated. I am very computer literate, I have access to VMware, and another PC if necessary to install Linux on, though I know little about it beyond the older Red Hat that I tinkered on 20 years ago, but I can learn fast if given the info.

Thanks in advance for any info or help to recover these partitions (if possible).

themaddoctor commented 5 years ago

Dump sectors 2930272000 - 2930278000 and post any that are nonzero. After that I can give you an opinion.

inzainia commented 5 years ago

I'll search the net on how to provide the above info, unless you see this and can give me the command to do so. I know very little about Linux, but can get it installed and working to follow along fairly easily with given instructions. Just need some basic info: should I be dumping in Windows or Linux? If Linux, then I just need the commands to accomplish what ya need. If a program is needed, just gimme a name and I'll get it done! Thanks for the fast response, your time is appreciated!

themaddoctor commented 5 years ago

Linux: dd if=/dev/sdX skip=2930272000 count=6000 | hexdump -C where X is replaced with the right thing for the WD disk. Do "ls /dev/" to see what the choices are.

inzainia commented 5 years ago

Sorry it took so long, I am frequently away from the computer for periods, and it took a short bit to figure out how to unlock the drive so I could access it in Linux ("permission denied" etc.). Here is the hex dump:

HEXDUMP.TXT

Thanks again for any help.

themaddoctor commented 5 years ago

Well, you have two keyblocks. One is for a bridge with the JMS538S chip and had disk key 5dcd119a06d4ebb77f6263e93e2125dfa6b0599d1b452e5ebe445090f70c374c. The other is for the SW6316 chip and has key 5863387f3583abb788866a3080464f61557321ede091fa704d758c818da353fe.

The disk must have been used with two different bridge cards. If YOU did that, then your data recovery work has now doubled. If not, then determining which it was will not be entirely easy, because you reformatted. I would need to see some of the encrypted data from an area of the disk that was not affected by the format, and which when decrypted contains data that I could recognize as a known file type. You could try to send me something from the middle of the disk like this:

dd if=/dev/sdX skip=1500000000 count=10000 of=dump.bin

inzainia commented 5 years ago

What I did was buy an identical drive, of which I then put the controller on this drive, and tried to see if it would work. It did not hehe. It was a shot in the dark because I could get the drive for 30 bucks, so I gave it a go. The controller was on it for 5 minutes or so; I stuck it in an external USB/SATA connector and tried to recover the MBR and whatnots. It failed (due to encryption) and I removed it. Didn't mention this as I had no clue it would have done anything to the drive. If it'll help I can pull the second drive apart and get the bridge number from it, and then we know which is the original. Also, still need data from the middle of the drive?

themaddoctor commented 5 years ago

Not needed if you can find the chip number.

inzainia commented 5 years ago

The chip on the replacement bridge (test fix) was the JMS538(S or 5) (it's very tiny), so the original controller was the SW6316 bridge.

inzainia commented 5 years ago

No rush really, I took 2 weeks to even get the rig going lol. But we now have the key, 5863387f3583abb788866a3080464f61557321ede091fa704d758c818da353fe. What do I need to do with it, sir? Again, answer at your leisure, as this has sat for many years, so not trying to rush you. Just the above felt like a "you have the key, get on with it" kinda moment hehe, and I forgot to mention, I had no clue what to get on with! lol

themaddoctor commented 5 years ago

You should use the key with ReallyMine to make a decrypted copy of the disk. Please ask @andlabs how to get that going. After that, you need to do data recovery on the decrypted copy.

inzainia commented 5 years ago

Ty sir, I will follow up here upon success or failure to letcha know how it went.

inzainia commented 5 years ago

Ok, got everything set up, ran the getdek, it found the DEK, came back with: symwave dek: 5863387f3583abb788866a3080464f61557321ede091fa704d758c818da353fe decryption steps: decrypt

I then ran the sudo ./reallymine decrypt /dev/sda wdback.img

and a file was created, and went up to about 104 megs, then after about 10 mins or so it quit out with the following:

error running decrypt: read /dev/sda: input output error

Bad sectors maybe? Did I do something wrong? And if bad sectors, should I attempt to image the drive FIRST with gddrescue or ddrescue? Thanks in advance.

themaddoctor commented 5 years ago

sure. do that.

inzainia commented 5 years ago

I guess when the drive went out, it damaged the internals somehow. Running GNU ddrescue, first pass, rescued 27000MB so far in 11 hours, and 1874 errors so far. :( I would assume this is a LOT of errors and it's still going up ever so slowly. I'm gonna let it finish, but the outlook is not so good. Unless I'm completely wrong and this is not so abnormal for these drives when they short out. Just an update, thanks again for all the help.

MrDecay commented 5 years ago

Could be a bad head... and that zone is having issues.

inzainia commented 5 years ago

Update, we are just over 1TB cloned, with 1600MB in error size, first pass still. I would assume some of this will be recovered on the next few passes as it slims the errors down. This is like 0.1% or less of the drive bad; is this within acceptable range? Does this point at a bad head still? Or just an aged drive? Still got fingers crossed here, lol. For all I know it could be disastrous results!!

MrDecay commented 5 years ago

As long as you get the magic sector cloned over, you're in good shape. It will just decrypt the missing sectors over... that data will be lost... but it's recovery... 10 photos out of 20 is still better than 0 out of 20.

themaddoctor commented 5 years ago

@MrDecay What is the 'magic sector'? Thanks

MrDecay commented 5 years ago

Magic sector is the catch-all term for the default location for the decryption key. Usually at the end of the raw user partition location... and worst case scenario module 25, I think, from the firmware.

themaddoctor commented 5 years ago

Thank you. He already has that, and the key.

MrDecay commented 5 years ago

10-4. @maddoc thanks again for your killer technique on this decryption stuff.

inzainia commented 5 years ago

Ok, we are sitting at scraping failed blocks, after 31 days of total work. Rescued is 1498G, err size is 9.6G with 42k errors.

It is still successfully scraping a block here and there, but it does get up into the hours at times per successful read. Does this program end? Or just do this indefinitely? Is it safe, and should I if so, hit CTRL+C to stop it, and begin decoding it etc. now? Or just let it keep going? It's done several passes now, forward, backward, 2 working on bad blocks etc., so really, is it worth letting it go longer for a few blocks it might scrape out, is what I'm asking. If so I'll let it go; if it's just wasting time I'll get started on the next step hehe. Thanks in advance for the info.

themaddoctor commented 5 years ago

I'm no expert on that, but I would have quit after a few days. Try decrypting--let's see what you get.

inzainia commented 5 years ago

Ok, we are finally done and ready to decrypt. Unfortunately, after 30 mins of trying I cannot figure out the command arguments. I've tried the decryptfile, can't seem to get it to work, any help here? Here is the info:

sdb1 has the image wdback.dd on it (that we got with ddrescue) and sda1 is the brand new 3TB HD to dump it to.

I tried sudo ./reallymine decrypt /dev/sdb1/wdback.dd /dev/sda1/backup.img and of course get an error because that argument is looking for a drive, not a file, so I tried decryptfile instead and it just pops up the help file. So I tried a few other things. Thanks in advance for any help. We are almost home guys, your patience has been appreciated!

themaddoctor commented 5 years ago

/dev/sdb1/wdback.dd is not a thing. Did sdb1 have a filesystem? Did you write to a file on that file system and call it wdback.dd? Then you have to mount sdb1 and decrypt the file that you created.

On the other hand, if you wrote directly to /dev/sdb1, then /dev/sdb1 is your backup, and you need to decrypt it.

I really don't know what the scenario is, without seeing the exact command that you used to make the backup.

inzainia commented 5 years ago

Oops, yeah you are right, sorry. The webpage I got the command off of used that as an example so I assumed it was the typical ext. I copied the drive to an image file on a drive, not directly to the actual drive, and named it wdback.dd, so I will have to mount the file and decrypt that.

So with that in mind, I'm wanting to decrypt the saved file image of the recovered drive to a newly installed and mounted drive on the system. I'm sure I can figure out how to mount the image as a drive, and then I what, use the standard sudo ./reallymine decrypt /dev/sdx /dev/sda1/backup.img where sdx is whatever identifier is assigned to the image when mounted?

Had to work, sorry so late in replying, and sorry about the confusion!

themaddoctor commented 5 years ago

I think so. But I don't use ReallyMine. I do know that you do not need to add any permutation of the data like "reverseblocks" to the command, because you have the SW chip.

You could also decrypt it with openssl, if you know how. You have the key, and the mode is aes-256-ecb.

inzainia commented 5 years ago

And, another update: got the image mounted as /dev/loop0. For any who find this thread (kinda why I keep updating what I've done), I had to go into the little file explorer, right click on the rescued image, and select load with mounting tool; this mounted it as the above name.

Then the command that seems to be working was: sudo ./reallymine decrypt /dev/loop0 /media/zain/storage/decbackup.img

where /media/zain/storage is the location the system gave the new 3TB storage drive I installed for this, and decbackup.img is the new output file for reallymine.

It worked and was running and then the power flickered off LOL, so I had to just restart, and thought I'd update here for future reference in case it does it again.

After 1.5 days though, the file on the recovery drive was almost 900G, so something is happening :) fingers still crossed! Next I get to find and figure out how to use some partition recovery software, to recover the 2 original partitions on the image, and then maybe get some of the files back. If you've any recommendations, toss 'em my way, as starting with those will be as easy as starting with something I scrounge up that may or may not work! Thanks again for all the help and patience of everyone who has been helping me with this.

themaddoctor commented 5 years ago

If the partition table is intact, there is no need for "partition recovery software". Something like "sudo kpartx -a /media/zain/storage/decbackup.img" would add entries in /dev/mapper for the partitions.

inzainia commented 5 years ago

Oh, I was under the impression it was lost, 'cause I took it out of the case and put it into a Windows machine, and when it couldn't access anything on the drive it asked to "set up the drive", which repartitioned it. The recovered image (ddrescue copy) shows up in Linux as a drive with the typical Windows boot system files etc. on it, and nothing of the old (2 partitions of storage), but maybe I have to wait till it's decrypted to actually see the partitions that were there before I took it out of the case. It's somewhat confusing lol.

But I hope yer right, it would be great to just run that command, and boom, be able to try and grab what was there.

themaddoctor commented 5 years ago

Oh. Then you have broken the first partition's headers as well. You really will need recovery software.

MrDecay commented 5 years ago

When you're done recovering, you can try 2 things... one, run testdisk to see if it can identify the partition... or... try mounting the file system at the mount point... for example, sector offset 63 or 2048 (@maddoctor correct me if I'm wrong), bypassing the master boot record... I did it on an old Initio WDC that the guy before me initialized before he passed it on to me...

themaddoctor commented 5 years ago

It depends. Sometimes Windows "initializes" the new partition by overwriting its first sector with zeroes. IF it did not, then you are correct.

themaddoctor commented 5 years ago

@inzainia You don't have to wait for decryption to finish. In a separate terminal, you can ask the decbackup.img what its partition table looks like with "sudo fdisk -l /path/to/decbackup.img". And you can look at the first sector of its partition with "sudo dd if=/path/to/decbackup.img skip=2048 count=1 | hexdump -Cv " (or, less likely, 63). If you see all zeroes, then you are boned, probably.

inzainia commented 5 years ago

Ran the command, here is the dump:

zain@zain-virtual-machine ~/rmine $ sudo fdisk -l /media/zain/storage/backup.img
Disk /media/zain/storage/backup.img: 1.4 TiB, 1500301910016 bytes, 2930277168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

dump.txt

There was all kinda stuff in it, so I did both the 2048 and 63 dumps. Hopeful or boned? lol

themaddoctor commented 5 years ago

You were supposed to run the command on the DECRYPTED backup. Anyway, it is clear that the block at 2048 is NOT all zeroes. That's a good sign.

inzainia commented 5 years ago

Oh whoops, that was actually the decrypted version. When the power failed the other day and I had to restart, it got changed to just backup.img, as it was and still is the only file on the 3TB drive.

Ran the kpartx command, and it did something, working now to figure out what (as I'm learning everything as I go from a lil ways back, through now and beyond). So I'm assuming I need to mount this new image, like I did the other, then try and see if anything is accessible. Holler if I'm screwing anything up lol. And thanks again for helping to get me this far!

EDIT** after checking, it's already in Disks under loop, but I don't actually see the drive in the filesystem, or the Linux file manager app. Hmmm, still tinkering.

inzainia commented 5 years ago

Hmmm, after several hours of tinkering, I'm stuck at: the image shows as a loop in Disks, nothing referencing it in Files (Linux file explorer). If I fdisk the loop it shows up that it's a 1.5TB drive etc. If I run testdisk, it does not show in the list, only the host drive (that the image is on) and the main drive. I'm lost, any info on what to try or do from here would be appreciated. Thanks.

themaddoctor commented 5 years ago

Read the section on mounting by a loop device in my PDF on the linux-mybook-tools project here on GitHub.

inzainia commented 5 years ago

Got it. The only thing I should need now is: what if for 2 partitions? This drive had 2. Wish I'd found this earlier lol. The example you gave shows everything to do for a single partition; is anything initially different when there are 2?

themaddoctor commented 5 years ago

Do you know at which sector the 2nd partition starts? You destroyed the partition table.

Maybe testdisk can find it.
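As an added example (not code from the reallymine project or from anyone in this thread), a Python script that does offline what the last few comments discuss: parse the MBR of the decrypted image, test whether a partition's first sector is all zeroes, and scan 2048/63-aligned candidate sectors for an NTFS boot record to locate a volume whose partition-table entry was overwritten. The sample image it builds is constructed, not a real dump; the 1 MiB alignment step and the NTFS boot-sector field offsets are standard.

```python
import struct

SECTOR = 512


def parse_mbr(sector0):
    """Return [(start_lba, sector_count, type_byte)] for the non-empty entries
    of a classic MBR partition table; [] if the 0x55AA signature is missing."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        return []
    entries = []
    for i in range(4):
        off = 446 + 16 * i                      # 16-byte entry, 4 entries
        ptype = sector0[off + 4]
        start, count = struct.unpack_from("<II", sector0, off + 8)
        if ptype != 0 and count != 0:
            entries.append((start, count, ptype))
    return entries


def sector_is_zero(image, lba):
    """The check from the thread: an all-zero first sector means the boot
    record of the volume was wiped when Windows "set up" the drive."""
    sec = image[lba * SECTOR:(lba + 1) * SECTOR]
    return len(sec) == SECTOR and not any(sec)


def is_ntfs_boot_sector(sec):
    """NTFS volume boot record: OEM ID "NTFS    " at offset 3, 0x55AA at 510."""
    return (len(sec) == SECTOR and sec[3:11] == b"NTFS    "
            and sec[510:512] == b"\x55\xaa")


def find_ntfs_volumes(image, step=2048, extra=(63,)):
    """Scan sector-aligned candidates for NTFS boot records whose MBR entry is
    gone, returning [(start_lba, total_sectors)] from the BPB's u64 sector
    count at offset 0x28. step=2048 is the 1 MiB alignment modern tools use;
    63 is the legacy CHS offset mentioned above."""
    n = len(image) // SECTOR
    candidates = sorted(set(range(0, n, step)) | {c for c in extra if c < n})
    found = []
    for lba in candidates:
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if is_ntfs_boot_sector(sec):
            found.append((lba, struct.unpack_from("<Q", sec, 0x28)[0]))
    return found


def _ntfs_boot_sector(total_sectors):
    """Minimal constructed NTFS boot sector (only the fields the scanner reads)."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x52\x90"                        # jump instruction
    sec[3:11] = b"NTFS    "                           # OEM ID
    struct.pack_into("<HB", sec, 0x0B, 512, 8)        # bytes/sector, sectors/cluster
    struct.pack_into("<Q", sec, 0x28, total_sectors)  # total sectors in volume
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


def build_sample_image():
    """Constructed 4 MiB image (not a real dump): an MBR with one NTFS entry at
    LBA 2048, plus a second NTFS volume at LBA 6144 whose table entry is lost,
    mirroring the two original partitions discussed in this issue."""
    img = bytearray(8192 * SECTOR)
    # entry 0: bootable, type 0x07 (NTFS), start LBA 2048, 2048 sectors
    struct.pack_into("<B3sB3sII", img, 446, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 2048)
    img[510:512] = b"\x55\xaa"
    img[2048 * SECTOR:2049 * SECTOR] = _ntfs_boot_sector(2047)
    img[6144 * SECTOR:6145 * SECTOR] = _ntfs_boot_sector(2047)   # orphaned volume
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print("MBR entries:", parse_mbr(image[:SECTOR]))
    print("NTFS boot records found at:", find_ntfs_volumes(image))
```

On a real decrypted image, read the sectors with a file object instead of loading the whole file into memory; the scan logic is unchanged.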

MrDecay commented 5 years ago

For testdisk, you can load it up by going to the folder where the decrypted image is and typing testdisk image.dd

inzainia commented 5 years ago

Thanks, got the testdisk to run, did a full analyze and a deeper scan. It found a solitary NTFS partition (I'm assuming the one Windows made when I removed it from the case); nothing else was found. Any ideas on what to try from here? Thanks.

inzainia commented 5 years ago

Ok! Found foremost... used it, I am finding stuff, tons of files, pics I had on the drive etc. It's amazing, a lot of stuff was saved! Thanks so much @themaddoctor and @MrDecay for all the help and patience! And also @andlabs for making this program in the first place! Now that I know the drive was successfully decrypted/copied etc., is there software out there I can use to rebuild the MBR/header/whatever it's called to restore the file structure that was originally there prior to the repartition? foremost is just scraping the drive, giving me about a billion images and archive files, but many of the archives had particular names, and were stored in particular folders based on what they were lol. As we see, a lil info leads me in the right direction and I find my way, so just a pointer will help tremendously!

Regardless though, we have already managed to recover stuff I had honestly thought was just lost forever, so thank you guys again!

MrDecay commented 5 years ago

You could try, and these are not free solutions... GetDataBack Classic. Or R-Studio data recovery. I've also played around with MiniTool Partition Wizard. Check with these tools to see if the structures can be recognized... then you can proceed knowing that the file system is still intact and only lost the partition entry...

inzainia commented 5 years ago

GetDataBack worked like a charm. I was able to recover not only some, but ALL of the lost images and documents I was after... Thanks ever so much to all who helped! I never would have gotten them without it!