themaddoctor / linux-mybook-tools

tools for opening some encrypted WD My Book drives in linux
GNU General Public License v3.0

Help with decrypting 4TB Mybook WDBFJK0040HBK #43

Open coolwenwen opened 4 years ago

coolwenwen commented 4 years ago

Hi,

I have a WD Mybook 4TB with P/N WDBFJK0040HBK-04. A couple of days ago it simply couldn't power up. So I tried a new power adaptor but with no luck. I opened it and found the PCB 4061-705149-001 Rev. AA. The chip on the bridge board is As 1051W. After searching online for a PCB replacement without much luck, I decided to try this tool.

Preparation: purchased a generic enclosure from amazon, put HD in, connected it to mac, didn't do anything (and anything stupid), chose "ignore" when prompted to initialize the HD, ejected HD, reconnected to mac and chose to connect to a linux VM in my MBP.

Step 1:

```
wu@ubuntu:~$ more /proc/partitions
major minor #blocks name

7 0 91264 loop0
7 1 144044 loop1
7 2 55812 loop2
7 3 15100 loop3
7 4 15100 loop4
7 5 43828 loop5
7 6 55812 loop6
7 7 3732 loop7
11 0 1048575 sr0
8 0 20971520 sda
8 1 20969472 sda1
7 8 1008 loop8
7 9 91240 loop9
7 10 956 loop10
7 11 153508 loop11
7 12 4300 loop12
7 13 45240 loop13
7 14 3736 loop14
7 15 144044 loop15
7 16 159780 loop16
7 17 4300 loop17
8 16 3906985816 sdb
8 17 8355839 sdb1
8 18 740640391 sdb2
```

At this step it is showing something different from the pdf. First, I could see sdb1 and sdb2. Second, I was seeing 3906985816 instead of something close to 7814031392. So the following command failed:

sudo dd if=/dev/sdb bs=512 skip=7814031392 count=1 of=kb.bin

The script in Appendix E also failed to find the keyblock.

Outputs for a couple commands that I saw themaddoctor suggested:

```
wu@ubuntu:~$ sudo fdisk -l /dev/sdb
Disk /dev/sdb: 3.7 TiB, 4000753476096 bytes, 7813971633 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: dos
Disk identifier: 0x495ae72d

Device Boot Start End Sectors Size Id Type
/dev/sdb1 1 76805 76805 37.5M ee GPT
/dev/sdb2 76806 244217437 244140632 116.4G af HFS / HFS+
/dev/sdb3 244250368 610461183 366210816 174.6G 7 HPFS/NTFS/exFAT
/dev/sdb4 610461184 976713466 366252283 174.7G af HFS / HFS+

Partition 1 does not start on physical sector boundary.
Partition 2 does not start on physical sector boundary.

wu@ubuntu:~$ sudo fdisk -l /dev/sdb1
Disk /dev/sdb1: 8 GiB, 8556379648 bytes, 16711679 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes

wu@ubuntu:~$ sudo fdisk -l /dev/sdb2
Disk /dev/sdb2: 706.3 GiB, 758415760384 bytes, 1481280782 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes

wu@ubuntu:~$ sudo file -s /dev/sdb1
/dev/sdb1: data
wu@ubuntu:~$ sudo file -s /dev/sdb2
/dev/sdb2: data
wu@ubuntu:~$ sudo file -s /dev/sdb
/dev/sdb: DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 1, 76805 sectors; partition 2 : ID=0xaf, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 76806, 244140632 sectors; partition 3 : ID=0x7, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 244250368, 366210816 sectors; partition 4 : ID=0xaf, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 610461184, 366252283 sectors
```

To the best of my knowledge, there should be three partitions on the disk, probably corresponding to the following:

```
/dev/sdb2 76806 244217437 244140632 116.4G af HFS / HFS+
/dev/sdb3 244250368 610461183 366210816 174.6G 7 HPFS/NTFS/exFAT
/dev/sdb4 610461184 976713466 366252283 174.7G af HFS / HFS+
```

I am relatively sure that the drive is encrypted. I have also done re-partition before. But I have not connected it to Windows after taking out from WD enclosure. I wonder if anyone can provide me suggestion on how to proceed? Thanks.

themaddoctor commented 4 years ago

If I remember correctly, the AS1051W does not encrypt. It might be using a different block size from what your OS is expecting, like when you reported this:

Sector size (logical/physical): 512 bytes / 4096 bytes

You could try doing a loop device aimed at sdb4, if you can calculate the correct offset and use hfsplus instead of ntfs-ng for the filesystem type. Look at the end of the PDF for examples of the commands.

p.s. the PDF instructions do not include the AS1051W and do not really handle Mac partitions and Mac filesystems.

coolwenwen commented 4 years ago

Dear Sir,

Thanks for your kind comments. With that in mind I started to cast doubt on the impression of it being encrypted which was formed as I read through some discussion on the PCB encryption and PCB versions... And so I tried to calculate the correct size based on the information below:

```
wu@ubuntu:~$ sudo file -s /dev/sdb
/dev/sdb: DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 1, 76805 sectors; partition 2 : ID=0xaf, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 76806, 244140632 sectors; partition 3 : ID=0x7, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 244250368, 366210816 sectors; partition 4 : ID=0xaf, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 610461184, 366252283 sectors
```

Multiplying the starting sectors by 4096 and mounting a loop drive using:

"sudo mount /dev/sdb /mnt/wd2 -t ntfs-3g -o loop,offset=1000449507328" for NTFS and "sudo mount /dev/sdb /mnt/wd3 -o loop,offset=2500449009664,size=1500169351168" for hfsplus

AND I SUCCEEDED!

Now as I look back, it is indeed pretty clear that the drive is highly likely to be unencrypted as it has the partition information, at the very least the partition types, for all three partitions... Otherwise we should just see "data" as you indicated in your pdf.

So to summarize, AS1051W does not do encryption. The other thing that I would like to add, although it is not very relevant to this issue, is that to mount hfs+, we need to specify its size besides offset, otherwise there will be an error message and the drive won't be mounted.

--coolwenwen

themaddoctor commented 4 years ago

That's good news. Thanks for the information about adding size to hfsplus.

coolwenwen commented 4 years ago

Sorry for the typo. The command should be:

```
sudo mount /dev/sdb /mnt/wd3 -t hfsplus -o loop,offset=2500449009664,sizelimit=1500169351168
```

Also it turned out that I need to use "sudo rsync" for copying all the files as some seem to have permission issues so it won't allow me to copy without sudo. And forcing to mount the hfsplus in R/W mode and then trying to change the permission using chmod doesn't seem to solve the issue. But at least "sudo rsync" solved most of the problems for me.
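The offset arithmetic used in this thread, as an added example (not code from this repository or from any commenter): it reads the MBR, multiplies each start sector by 512 and by 4096, and keeps the offset at which a filesystem signature is actually found. The function names, the `ro` option and the constructed 16 KiB test image are assumptions of the example.

```python
import io
import struct

# Filesystem magic: label -> (offset inside the volume, bytes expected there).
FS_MAGIC = {"ntfs-3g": (3, b"NTFS    "), "hfsplus": (1024, b"H+"),
            "linux-ext": (1080, b"\x53\xef")}

def read_mbr(dev):
    """Return (type, start_lba, sector_count) for each used MBR entry."""
    dev.seek(0)
    sector = dev.read(512)
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at bytes 510-511")
    parts = []
    for i in range(4):
        # 16-byte entry: status, CHS start, type, CHS end, start LBA, count
        ptype, start, count = struct.unpack_from("<4xB3xII", sector, 446 + 16 * i)
        if ptype and count:
            parts.append((ptype, start, count))
    return parts

def probe(dev, offset):
    """Name the filesystem whose magic sits at this byte offset, if any."""
    for fs, (pos, magic) in FS_MAGIC.items():
        dev.seek(offset + pos)
        if dev.read(len(magic)) == magic:
            return fs
    return None

def loop_options(dev, sector_sizes=(512, 4096)):
    """Try each sector size; report offsets where a filesystem really starts."""
    found = []
    for _ptype, start, count in read_mbr(dev):
        for size in sector_sizes:
            fs = probe(dev, start * size)
            if fs:  # "ro" is added here so the recovery mount cannot write
                opts = f"loop,ro,offset={start * size},sizelimit={count * size}"
                found.append((fs, opts))
    return found

def sample_image():
    """Constructed 16 KiB image: NTFS at LBA 2, table in 4096-byte sectors."""
    img = bytearray(16384)
    img[446:462] = struct.pack("<4xB3xII", 0x07, 2, 2)
    img[510:512] = b"\x55\xaa"
    img[8192 + 3:8192 + 11] = b"NTFS    "
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    print(loop_options(sample_image()))
```

On a real disk, pass `open("/dev/sdX", "rb")` (run as root) instead of the sample image; a partition whose signature matches at neither sector size is simply not listed.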

themaddoctor commented 4 years ago

Yeah, the hfsplus driver doesn't do R/W very well. The documentation says that journaling has to be turned off on the filesystem, but that can only be done by a Mac. Even then, I have had problems with writing to disks. The uid= option might allow you to read the files without sudo. Run "man mount" to see all the options for hfs.

Stuistic commented 4 years ago

Sorry to dredge up an old topic, but I have a drive that has this same problem (ASMedia chip, bridge board is dead, drive shows up as uninitialized when plugged into a different enclosure, sectors are reporting 512 / 4096, drive is formatted HFS+).

When trying: sudo mount /dev/sdc /mnt/wd -t hfsplus -o loop,offset=4096,sizelimit=

The problem I have is that this is a 3TB partition, so the size limit I calculated (732558335×4096=3.00055894×10¹²) goes way beyond what the mount command can handle. "mount" doesn't accept hexadecimal or octal numbers either, so it just throws an error when I try those.

Any ideas?

themaddoctor commented 4 years ago

Try just using the offset, and do not use the sizelimit. The filesystem should know how large it is.

coolwenwen commented 4 years ago

What command have you tried? At least 1.5T works fine for me for a 4T drive. The command I used was:

sudo mount /dev/sdb /mnt/wd3 -t hfsplus -o loop,offset=2500449009664,sizelimit=1500169351168

Stuistic commented 4 years ago

I tried the command without sizelimit specified and it came up with an error. But I've managed to successfully recover from the drive by using TestDisk to change the sector size from 512 to 4096 and then created an image of the drive with the new sector size. So problem solved!

themaddoctor commented 4 years ago

Excellent. Congrats.

snydez commented 4 years ago

hi @coolwenwen @themaddoctor, my disk is the same as @coolwenwen's. unfortunately i didn't understand what to do. i tried to copy the command @coolwenwen gives, with no luck.

could you please advise me, what and how to calculate, or find out what to do with mine.

here's mine:

```
more /proc/partition

major minor #blocks name

7 0 163996 loop0
7 1 78812 loop1
7 2 248236 loop2
7 3 2496 loop3
7 4 956 loop4
7 5 63580 loop5
7 6 56268 loop6
7 7 179736 loop7
8 0 234431064 sda
8 1 541696 sda1
8 2 102400 sda2
8 3 16384 sda3
8 4 86379520 sda4
8 5 15358976 sda5
8 6 25600000 sda6
8 7 106429440 sda7
11 0 1048575 sr0
7 8 96032 loop8
7 9 144044 loop9
7 10 160440 loop10
7 11 2472 loop11
7 12 956 loop12
7 13 56132 loop13
7 14 15104 loop14
7 15 276 loop15
7 16 56264 loop16
7 17 179300 loop17
7 18 96176 loop18
7 19 261700 loop19
7 20 132744 loop20
7 21 368 loop21
7 22 266968 loop22
8 16 3906985816 sdb
8 17 334772992 sdb1
8 18 153600000 sdb2

sudo file -s /dev/sdb
/dev/sdb: DOS/MBR boot sector; partition 1 : ID=0x7, start-CHS (0x0,4,5), end-CHS (0x3ff,254,63), startsector 256, 669545984 sectors; partition 2 : ID=0x83, start-CHS (0x3ff,254,63), end-CHS (0x3ff,254,63), startsector 669546240, 307200000 sectors
```

I really appreciate your help in resolving the problem

themaddoctor commented 4 years ago

Instructions are in the PDF "Mounting encrypted .... "

snydez commented 4 years ago

hi @themaddoctor, since mine is A1051W, it is not listed in your pdf. so i tried to follow @coolwenwen's command, but since i don't understand the command and how to calculate sector(?), it still failed.

themaddoctor commented 4 years ago

coolwenwen has a disk that is formatted for a mac. Do you?

snydez commented 4 years ago

no, as far as i remember, it was formatted under windows, or ubuntu. so I cannot go the same steps as @coolwenwen? because the chip is A1051 and it's not in your list.

could you please advise me whether i should go through with all the steps even though it's not the same chip?

themaddoctor commented 4 years ago

Instead of hfsplus, use ntfs-3g if it is an NTFS filesystem. Use nothing if it is a linux filesystem. Leave out the "sizelimit" part. The offset is also different, if the first partition is at 1MB.

```
sudo mkdir -p /mnt/wd
sudo mount /dev/sdX /mnt/wd -t ntfs-3g -o loop,offset=1048576
```

Change "X" to the right thing for your disk.

snydez commented 4 years ago

wow, thank you very much @themaddoctor. partition 1 is HPFS/NTFS/exFAT, partition 2 is Linux. it is mounted now. only both partitions cannot be mounted simultaneously. but at least i can see my data.

thank you very much sir

themaddoctor commented 4 years ago

you are welcome

SSoft7 commented 3 years ago

@themaddoctor Sorry for bumping an old issue. But I had a similar issue and finding the offset was quite difficult for me, but I was able to find out the offset of all partitions using the windows app disk drill (in case anyone needs just check the disk drill logs).

Now, that I have backed up all the data, I want to reuse it on my windows machine as a normal internal drive (currently it is connected directly via a SATA cable internally). So, can you tell me the appropriate way to re-initialize+format this HDD to use it on windows? I have read several of your comments mentioning that initializing the drive in windows will corrupt/damaged things.

Thanks in advance.

themaddoctor commented 3 years ago

You can initialize and format the disk in Windows, but then all of the data on it will be lost forever. Since you have already backed that up (to a different disk, I suppose), you can go ahead.

neverwd commented 2 years ago

Hi @themaddoctor. Not sure if you're still active here but I'm desperate for help. I have the AS1151W chip which I can't seem to find any helpful info on but I assume doesn't do decryption based on the info in your threads regarding ASM chips in general. However I can't get this drive to be readable no matter what I do. My Reddit post on it is here, which probably answers a bunch of the basic questions. Would you have any other ideas on things I can try? I'm really in need of getting this data off this drive if I can, and I do know the password.

themaddoctor commented 2 years ago

I can only help if you use a linux computer. Once you have that, connect the disk either directly or with a non-WD enclosure and dump the first few sectors, so I can see if you are able to access anything. Use this command:

```
sudo dd if=/dev/sdX count=2 | hexdump -C
```

where you replace "sdX" with the correct label assigned by the OS to your drive. Copy and paste the output into a comment. No screenshots, please.

themaddoctor commented 2 years ago

After I read this:

> Spent the entire day trying to read anything I could on it from a Linux VM, a Linux live USB, and from various drive recovery tools on Windows, all with no luck. For the most part they all just hang when trying to do anything, including the Linux commands (all I can see is that it's /dev/sda), and I don't really hear any drive heads moving except briefly during boot up.

I have doubts that I can help, and you might be better off going to a data-recovery shop in your city.

neverwd commented 2 years ago

Understood, I appreciate your reply anyway. In case it's useful information at all as to what the issue might be, this is my dd output (or lack thereof):

```
sudo dd if=/dev/sda count=2 | hexdump -C
dd: error reading '/dev/sda': Input/output error
0+0 records in
0+0 records out
0 bytes copied, 0.490401 s, 0.0 kB/s
```

I have a new HDD PCB coming in and my last resort is to try changing that out along with swapping the BIOS chip to see if that might get the drive at least back to functioning properly again. I've never even so much as moved it from its spot so no clue what would have done this outside of an electrical issue.