themaddoctor / linux-mybook-tools

tools for opening some encrypted WD My Book drives in linux
GNU General Public License v3.0

MBR Error When Determining Device Location #37

Open swingerfunky opened 5 years ago

swingerfunky commented 5 years ago

Hello Everyone,

I am just now trying to recover my data from a WD MyBook Essentials 2TB (WDBAAF0020HBK) that fell off my desk a few years ago and snapped the USB jack off the USB-SATA bridge board. At the time I had no idea about the encryption and simply removed the drive from the enclosure and threw the enclosure out. Needless to say, when I used another enclosure and attempted to mount the drive to my Windows PC, I was unable to read the data and I likely corrupted the MBR. This is when I started researching the issue and learned about the encryption. Fast forward four years and I have finally gotten around to building a Linux machine (Ubuntu 18.04.3 LTS) in an effort to retrieve the priceless photos of my children (I know, I know, back up your data...).

Here is the issue I am running into. First, because I threw away the original enclosure, I have no way of knowing what chip was used, so I am just going to try every way listed in the PDF until it works. Second, when I use Terminal to verify the location of the drive, I get the following message when running the "sudo file -s /dev/sdb" command (mine is located at sdb).

MBR Error

My first question is: am I getting this error because the MBR is corrupt? I tried to use the loop device but it does not return "data" for the second and third commands (see below).

Loop Device Results

Here's the WD location:

WD Mybook Device Location

My next question is: There is another WD with my exact model number on eBay right now. If my MBR is corrupt, will I be able to recover the data if I put it in an identical enclosure?

Any help with this would be amazing! I am trying to recover the family pictures as a surprise for my wife's upcoming birthday in November.

themaddoctor commented 5 years ago

number 1 is not an error. It is merely telling you what is written in the MBR, which happens to include error messages. All Windows MBRs look like that.

number 1.5: it's "file -s" that you need, not "fdisk" (my mistake). It will only work after the decryption filter is in place; i.e., you have to do all the "cryptsetup" commands first.

number 2: Maybe. Better dump your keysector first and keep a copy of it, in case the new enclosure overwrites it with a new one. Also, the chips on the bridge card have to be the same. BTW, if it works, I think it will only work in linux, because Windows will just overwrite the MBR again, and if you "initialize" the disk it will also destroy the filesystem headers in the partition.

swingerfunky commented 5 years ago

Hi Thomas, thanks for the quick response and clarification. It is really exceptional how you take the time to help people recover their priceless data!!! One more thing, in regards to the standard KEK (I did not set a password initially), when you say copy it into a file, what do you mean? I copied and pasted the line of code but Terminal did not respond with anything, just another command line prompt.

swingerfunky commented 5 years ago

So I am at the step to obtain my keyblock. Here is what was returned.

Keyblock

I am confused on how to use Appendix E. Do I copy and paste all the lines into Terminal? It doesn't seem to do anything when I do that.

themaddoctor commented 5 years ago

NOT your keyblock. All you got were zeroes. Which chip do you have?

themaddoctor commented 5 years ago

And the command is "hexdump -C". Case matters.

swingerfunky commented 5 years ago

Not sure which chip I have since I threw away the case years ago. I plan on going through each possible chip until I find the one that works. Do you know of a quick way to determine which chip was used in the original enclosure?

themaddoctor commented 5 years ago

sudo dd if=/dev/sdb skip=3907024900 | hexdump -C and see what you get
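Added example, not part of the original thread or of linux-mybook-tools: one way to follow the advice above to keep a copy of the key sector before trying another enclosure, and to catch a dump that is only zeroes. It copies exactly one sector, refuses an all-zero dump, and can later check whether the sector on disk still matches the backup; the function names, file names and the 512-byte sector size are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Function and file names are hypothetical.
SECTOR_SIZE=512   # assumption: 512-byte logical sectors

# dump_sector SRC SECTOR OUT: copy exactly one sector of SRC into OUT (SRC is only read).
dump_sector() {
    dd if="$1" of="$3" bs="$SECTOR_SIZE" skip="$2" count=1 2>/dev/null || return 1
    # A short or empty read means the sector lies past the end of the device.
    [ "$(wc -c < "$3")" -eq "$SECTOR_SIZE" ]
}

# sector_is_zero FILE: succeeds when FILE holds nothing but 0x00 bytes.
sector_is_zero() {
    [ "$(LC_ALL=C tr -d '\000' < "$1" | wc -c)" -eq 0 ]
}

# backup_keysector SRC SECTOR OUT: dump, reject an all-zero dump, record a checksum.
# Returns 2 on a short read, 3 when the sector is all zeroes.
backup_keysector() {
    dump_sector "$1" "$2" "$3" || { echo "short read at sector $2" >&2; return 2; }
    if sector_is_zero "$3"; then
        echo "sector $2 is all zeroes, not a keyblock" >&2
        return 3
    fi
    sha256sum "$3" > "$3.sha256"
    chmod a-w "$3" "$3.sha256"      # guard the copy against accidental edits
    echo "saved $3"
}

# verify_keysector SRC SECTOR BACKUP: succeeds while the on-disk sector still equals BACKUP.
verify_keysector() {
    now=$(mktemp) || return 1
    dump_sector "$1" "$2" "$now" && cmp -s "$now" "$3"
    status=$?
    rm -f "$now"
    return "$status"
}

# Stand-alone use, with the device and sector number taken from the thread:
#   sudo sh keysector.sh /dev/sdb 3907024900 keysector.bin
if [ "$#" -eq 3 ]; then backup_keysector "$1" "$2" "$3"; fi
```

Running `verify_keysector` after the disk has been in a different enclosure shows whether that enclosure rewrote the sector.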

swingerfunky commented 5 years ago

Hi again Thomas! Sorry I couldn't get back to you sooner, been busy with work. You are amazing! Your recommendation worked but I am showing multiple "WD" locations; see below and let me know what you think:

hexdump -C

themaddoctor commented 5 years ago

Follow the instructions for the Initio chip.

swingerfunky commented 5 years ago

So I ran the directions for the Initio chip and got the same result from your directions above. I have successfully made it to Appendix C and am unsure how to move forward with my kernel (uname -r results in 5.0.0-27-generic). After cd /usr/src I have these folders listed:

pic

My question is: which folder do I use to help determine how to modify the module listed in Appendix C, or do I even need to do this?

Here's where I am at in the Initio directions, everything seems to be working since I have not received an error after each step.

pic2

swingerfunky commented 5 years ago

So I ran everything per the instructions on a whim (I have nothing else going on right now) and got all the way to this step and returned this error.

pic3

I'm guessing it's because I have a different kernel build so if you can explain what I need to do to overcome the differences, I may be almost ready then!

One other note, I have not yet run the loop machine and I don't even know if I even need to at this point since I was able to successfully locate the key block. Any help would be greatly appreciated Thomas!! Thanks again for helping out so much!!

themaddoctor commented 5 years ago

Your running kernel has to match the linux-headers version. It should do that automatically.

Try doing the "su" command to log in as admin, then "insmod rev4.ko"

swingerfunky commented 5 years ago

keep getting "Authentication failure" after running "su" command. I tried 4 times with my password.

swingerfunky commented 5 years ago

Here's the screen grab:

pic4

"sudo su" got me to root but still nothing.

swingerfunky commented 5 years ago

I reset my root (linux) password (don't remember setting this to begin with but whatever...) just to see what happens and still get this:

pic5

themaddoctor commented 5 years ago

Do this and tell me the output: "ls -ld . *"

swingerfunky commented 5 years ago

Hi again!

I think I am almost there (hopefully)!! I restarted and reran everything just in case I made a mistake. Here is the screen grab of where I am as of now. I saved your script in a gnome text editor and changed it to direct to "/dev/sdb".

pic1

Here is the "ls -ld . *" return:

pic2

Finally, here is the error I get when trying to run the script in Appendix E (top portion is not included since I just copied and pasted directly from the pdf).

pic3

I went to build the file using "nano /dev/sdb" but I'm not sure if this is the correct name to call the script file and it's trying to save the file over my WD drive directory (/dev/sdb in this case). If I know what to save the bash script as (file name wise) at this point I think I can finish the decryption! Let me know what you think.

themaddoctor commented 5 years ago

You ignored all the error messages. You can't edit a device ("nano /dev/sdb"). I asked you to do "ls -ld . *" to troubleshoot the kernel module, which you have now erased by starting over. I already told you which chip you have, and the instructions tell you which sector is the keyblock, so you don't need to run a script to find it.

Please find someone locally to do it for you, or try github.com/andlabs/reallymine. I don't have the time to do everything that you are going to need.

swingerfunky commented 5 years ago

Hi Thomas,

Thanks for taking the time to assist me. I will try reallymine.