themaddoctor / linux-mybook-tools

tools for opening some encrypted WD My Book drives in linux
GNU General Public License v3.0

3TB JMS538S WD - KB3 output does not show DEK1 #100

Open HX-Notts opened 3 months ago

HX-Notts commented 3 months ago

Hi there, I have a faulty WD My Book Studio and hope you can help me.

I have followed all your instructions in the PDF but am not able to get the DEK1 result on the seventeenth line.

I could not remember whether or not I set the password when I first activated my WD warranty back in 2015, and I am stuck.

Here is my kb.bin output:


And the output of my kb3 file is below:


The 17th line (00000100) does not show DEK1. I have tried other passwords using your script (in Appendix A); unfortunately, I still get no DEK1 on that line.

Are you able to help?

I can send you proof of my registration showing that I own the product, if you would like to see it?

Thanks.

themaddoctor commented 3 months ago

Looks like you did set a password. Dump sector 0 and let me see it. Also, tell me the date of manufacture on the label of the disk (not on the enclosure).

HX-Notts commented 2 months ago

Hi, here is the info: dump0 8 16 2930266584 sdb

date of manufacture: 11 Jan 2015

themaddoctor commented 2 months ago

Sorry. I need a hexdump of the first 512 bytes on the drive.

HX-Notts commented 2 months ago

Hi, I just want to confirm the command in Linux. Can I use the one below to locate the first 512?

sudo dd if=/dev/sdb bs=512 count=1 of=dump.bin

themaddoctor commented 2 months ago

yes

HX-Notts commented 2 months ago

Hi, see below:

hexdump -C dump0.bin
00000000 03 af 64 e5 01 b2 97 ef 41 e3 14 b1 37 57 2b 28 |..d.....A...7W+(|
000001b0 25 b8 0e 47 41 5e 44 28 8a cc bb c1 1d fc 32 d1 |%..GA^D(......2.|
000001c0 bc 9b 94 36 cd f6 5b 76 79 41 4a 35 11 97 90 9b |...6..[vyAJ5....|
000001d0 03 af 64 e5 01 b2 97 ef 41 e3 14 b1 37 57 2b 28 |..d.....A...7W+(|
000001f0 6c e8 a5 ed 95 b5 06 ce 7b 53 92 27 48 5c a8 43 |l.......{S.'H.C|
00000200

themaddoctor commented 2 months ago

OK. I have your DEK. I just need to see your proof of ownership.

HX-Notts commented 2 months ago

See this image of the email registration from when I first bought the drive. image

themaddoctor commented 2 months ago

Alright. Here's your DEK: 38838ee3d623f0373824110a88079a86dfb026a4e69af86d1f3085f1736a0d38 I used it to successfully decrypt sector 0. Let me know if you need anything else.

HX-Notts commented 2 months ago

Hi, I believe the drive has been decrypted, as I got the result below:

/dev/mapper/wd: x86 boot sector

But it was not automatically mounted, so I followed your guide for mounting using kpartx. On the last command,

sudo mount /dev/mapper/wd /mnt/wd

I got this error:

mount: you must specify the filesystem type

And I continued on to mount the loop device, because I believe the MBR is corrupted, since the second command shows "data".

But it still shows the same error when trying to mount.

Has the hard drive partition gone?

themaddoctor commented 2 months ago

The MBR that you sent me looks like a 1TB drive:

Device                                      Boot Start        End     Blocks  Id System
HX-Notts_3TB_JMS538S_sector0_decrypted.bin1          1 4294967288 2147483644  ee GPT

Send me a hexdump of sector 1024 and I will see if there is a file system there. Do you have the NTFS driver? It might be in a package called ntfs-3g or it might be built into the kernel. For the kernel, look at /proc/filesystems

Also try

sudo mount -t ntfs /dev/mapper/wd /mnt/wd

or

sudo mount -t ntfs-3g /dev/mapper/wd /mnt/wd

themaddoctor commented 2 months ago

Sorry, I meant sector 2048.

HX-Notts commented 2 months ago

The result of the mounting command - ntfs-3g:

sudo mount -t ntfs-3g /dev/mapper/wd /mnt/wd
NTFS signature is missing.
Failed to mount '/dev/mapper/wd': Invalid argument
The device '/dev/mapper/wd' doesn't seem to have a valid NTFS.
Maybe the wrong device is used? Or the whole disk instead of a
partition (e.g. /dev/sda, not /dev/sda1)? Or the other way around?

For sector 2048, I used this command - sudo dd if=/dev/sdb bs=512 count=3 of=sector2.bin - the count 3 should copy up to 2048

hexdump -C sector2.bin

HX-Notts commented 2 months ago

Just realised I copied the drive, not the decrypted mapper; see below for the /dev/mapper/wd hex:

hexdump -C sector-test.bin

themaddoctor commented 2 months ago

dd if=/dev/mapper/wd skip=2048 count=1 | hexdump -C

HX-Notts commented 2 months ago

00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

HX-Notts commented 2 months ago

FYI - I did read it with a Windows machine before using Linux, so maybe all the data is corrupted?

themaddoctor commented 2 months ago

Maybe. Try fdisk -l /dev/mapper/wd and see where it thinks your partition is.

HX-Notts commented 2 months ago

I just ran the command and it shows:

cannot open /dev/mapper/wd

themaddoctor commented 2 months ago

Use sudo. sudo fdisk -l /dev/mapper/wd

Also dump sector 2049 (the next one after 2048). Did you "initialize" the disk in Windows? Doing so overwrites the first sector of the data partition with zeroes. Looking at the second sector in the partition will tell.

HX-Notts commented 2 months ago

Note: sector size is 4096 (not 512)

Disk /dev/mapper/wd: 3000.6 GB, 3000592982016 bytes
255 heads, 63 sectors/track, 45600 cylinders, total 732566646 sectors
Units = sectors of 1 * 4096 = 4096 bytes
Sector size (logical/physical): 4096 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disk identifier: 0x00000000

Device           Boot Start        End     Blocks  Id System
/dev/mapper/wd1          1 4294967288 4294967264  ee GPT

HX-Notts commented 2 months ago

I did initialize the disk, but then it prompted me to redo the GPT and I cancelled it.

HX-Notts commented 2 months ago

About dump 2049: sorry, I am not sure about this, but I thought running this command you mentioned - dd if=/dev/mapper/wd skip=2048 count=1 | hexdump -C - would dump the next sector after 2048?

themaddoctor commented 2 months ago

No. Counting starts with zero, so use skip=2049.

HX-Notts commented 2 months ago

sudo dd if=/dev/mapper/wd skip=2049 count=1 | hexdump -C
1+0 records in
1+0 records out
512 bytes (512 B) copied, 5.0766e-05 s, 10.1 MB/s
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000200

themaddoctor commented 2 months ago

That's bad news. Let's hope the partition is somewhere else.

Try querying the GPT partition table: sudo gdisk -l /dev/mapper/wd

That is "gdisk", not "fdisk".

The GPT table is in sectors 1, 2, 3, ..., which you have not sent me.

HX-Notts commented 2 months ago

GPT fdisk (gdisk) version 0.8.8

Partition table scan:
  MBR: protective
  BSD: not present
  APM: not present
  GPT: not present

Creating new GPT entries.
Disk /dev/mapper/wd: 732566646 sectors, 2.7 TiB
Logical sector size: 4096 bytes
Disk identifier (GUID): 088ABD48-2004-45C9-AE21-D801B8FB7A40
Partition table holds up to 128 entries
First usable sector is 6, last usable sector is 732566640
Partitions will be aligned on 256-sector boundaries
Total free space is 732566635 sectors (2.7 TiB)

Number  Start (sector)    End (sector)  Size       Code  Name

HX-Notts commented 2 months ago

The command result did not show any sector for the table.

themaddoctor commented 2 months ago

I see.

Well, I found another 3TB WD drive with an NTFS filesystem (actually, I only have the first two megabytes). I was hoping to be able to copy over the missing pieces of the NTFS headers, but there might be too much damage, and we still don't know the extent of it. So can you dump the first 2MB and let me look at it myself?

sudo dd if=/dev/mapper/wd count=4096 of=dump.bin

Then put dump.bin into a zip file and upload it.

HX-Notts commented 2 months ago

dump4096-1.zip

themaddoctor commented 2 months ago

Did you repartition or reformat this disk before you used it? See below for what I get from gdisk. Other than the partition tables, everything else in the dump is zeroes. You can try looking for a filesystem at sector 411648.

gdisk -l dump4096-1.bin
GPT fdisk (gdisk) version 0.8.10

Warning! Disk size is smaller than the main header indicates! Loading
secondary header from the last sector of the disk! You should use 'v' to
verify disk integrity, and perhaps options on the experts' menu to repair
the disk.
Caution: invalid backup GPT header, but valid main header; regenerating
backup header from main header.

Warning! One or more CRCs don't match. You should repair the disk!

Partition table scan:
  MBR: protective
  BSD: not present
  APM: not present
  GPT: damaged

****************************************************************************
Caution: Found protective or hybrid MBR and corrupt GPT. Using GPT, but disk
verification and recovery are STRONGLY recommended.
****************************************************************************
Disk dump4096-1.bin: 4096 sectors, 2.0 MiB
Logical sector size: 512 bytes
Disk identifier (GUID): C8E0C1F0-BE05-4FB4-A1DB-A244B11A0874
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 5860466654
Partitions will be aligned on 8-sector boundaries
Total free space is 4029 sectors (2.0 MiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1              40          409639   200.0 MiB   EF00  EFI System Partition
   2          411648      5860464639   2.7 TiB     0700  Basic data partition

themaddoctor commented 2 months ago

The warnings are probably because the dump is smaller than the disk.

HX-Notts commented 2 months ago

Hi, I have not repartitioned or reformatted. When I inserted the disk via another USB enclosure to read the disk that time, Windows offered to repartition or rewrite the GPT and I cancelled it and removed the disk, and then I found your post on GitHub and so on...

Does this mean all the data on the disk is gone?

themaddoctor commented 2 months ago

I don't know. If that is the original GPT table, it does not look familiar. But let's see what is at sectors 411648 and 411649.

HX-Notts commented 2 months ago

Hi, I'm not familiar with the dd command, can you please help?

themaddoctor commented 2 months ago

sudo dd if=/dev/mapper/wd skip=411648 count=2 status=none | hexdump -C

HX-Notts commented 2 months ago

sudo dd if=/dev/mapper/wd skip=411648 count=2 | hexdump -C
2+0 records in
2+0 records out
1024 bytes (1.0 kB) copied, 6.795 s, 0.2 kB/s

themaddoctor commented 2 months ago

That looks like the beginning of an NTFS file system. Try this:

sudo losetup -o 210763776 -f /dev/mapper/wd

Then ask it which loop device it uses:

sudo losetup -j /dev/mapper/wd

If the answer is loop1, then

sudo mount /dev/loop1 /mnt/wd

Change the number depending on what the previous command says.
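
Where the losetup offset in the comment above comes from, as an added example that is not part of the original thread or of linux-mybook-tools: the script reads a primary GPT the way gdisk read the 2 MB dump (512-byte sectors), converts each start LBA to a byte offset, and shows that looking for the header with 4096-byte sectors, as reported for /dev/mapper/wd, finds nothing. All function names are hypothetical and the image and boot sector are constructed samples that reuse the partition numbers from the gdisk listing.

```python
import struct

GPT_SIG = b"EFI PART"


def parse_gpt(image: bytes, sector_size: int = 512):
    """Return [(first_lba, last_lba, name)] from the primary GPT in `image`.

    Returns [] when no GPT header sits at LBA 1 for the given sector size.
    """
    hdr = image[sector_size:sector_size + 92]
    if len(hdr) < 92 or hdr[:8] != GPT_SIG:
        return []
    (entries_lba,) = struct.unpack_from("<Q", hdr, 72)      # start of entry array
    count, entry_size = struct.unpack_from("<II", hdr, 80)  # slots, bytes per slot
    parts = []
    for i in range(count):
        off = entries_lba * sector_size + i * entry_size
        entry = image[off:off + entry_size]
        if len(entry) < 128 or entry[:16] == bytes(16):     # unused slot
            continue
        first, last = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le").rstrip("\x00")
        parts.append((first, last, name))
    return parts


def losetup_offset(first_lba: int, sector_size: int = 512) -> int:
    """Byte offset for `losetup -o`, given the partition's first LBA."""
    return first_lba * sector_size


def ntfs_boot_info(sector: bytes):
    """Return (bytes_per_sector, hidden_sectors) for an NTFS boot sector, else None."""
    if len(sector) < 512 or sector[3:11] != b"NTFS    " or sector[510:512] != b"\x55\xaa":
        return None
    (bytes_per_sector,) = struct.unpack_from("<H", sector, 0x0B)
    (hidden,) = struct.unpack_from("<I", sector, 0x1C)  # normally the partition's start LBA
    return bytes_per_sector, hidden


# --- constructed sample data (not taken from the user's disk) ---
def _entry(first: int, last: int, name: str) -> bytes:
    e = bytearray(128)
    e[0:16] = b"\x01" * 16                      # placeholder, non-zero type GUID
    struct.pack_into("<QQ", e, 32, first, last)
    raw = name.encode("utf-16-le")
    e[56:56 + len(raw)] = raw
    return bytes(e)


def build_sample_image() -> bytes:
    """GPT header at byte 512, 128 entry slots of 128 bytes starting at byte 1024."""
    img = bytearray(1024 + 128 * 128)
    img[512:520] = GPT_SIG
    struct.pack_into("<Q", img, 512 + 72, 2)
    struct.pack_into("<II", img, 512 + 80, 128, 128)
    img[1024:1152] = _entry(40, 409639, "EFI System Partition")
    img[1152:1280] = _entry(411648, 5860464639, "Basic data partition")
    return bytes(img)


def build_sample_ntfs_sector(first_lba: int) -> bytes:
    s = bytearray(512)
    s[0:3] = b"\xeb\x52\x90"
    s[3:11] = b"NTFS    "
    struct.pack_into("<H", s, 0x0B, 512)
    struct.pack_into("<I", s, 0x1C, first_lba)
    s[510:512] = b"\x55\xaa"
    return bytes(s)


if __name__ == "__main__":
    img = build_sample_image()
    for first, last, name in parse_gpt(img, 512):
        print(f"{name}: LBA {first}-{last} -> losetup -o {losetup_offset(first)}")
    print("header search with 4096-byte sectors:", parse_gpt(img, 4096))
    print("boot sector check:", ntfs_boot_info(build_sample_ntfs_sector(411648)))
```
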

HX-Notts commented 2 months ago

Wow, I can access the files now, thanks so much!! You are a star!

themaddoctor commented 2 months ago

You're welcome. If you are feeling generous, you might buy me a book. https://www.amazon.com/hz/wishlist/ls/1M9FEQ1ZPGMIE

themaddoctor commented 2 months ago

Thanks/cheers either way.

HX-Notts commented 1 month ago

Hi, I just bought you 2 books, hope you enjoy them. Thanks again for all your help!