themaddoctor / linux-mybook-tools

tools for opening some encrypted WD My Book drives in linux
GNU General Public License v3.0

Is the disk permanently decrypted? #5

Open reedickulus opened 7 years ago

reedickulus commented 7 years ago

Thank you for this guide. After a lot of troubleshooting from some of the steps, I was able to see the files on my hard drive in ubuntu. I am wondering, now that it is decrypted, can I plug it into a windows machine and access the files? I didn't want to try until I knew this wouldn't corrupt the MBR or cause other issues. Thanks.

reedickulus commented 7 years ago

Also, I was using an ubuntu Live CD. So after I restarted my system, the directory I made "wd" including dek.hex and rev16.ko are gone. Can I re-create this following the same steps in the original directions, or am I out of luck since the drive was already decrypted once?

themaddoctor commented 7 years ago

For the first one: No, definitely not. Back up your files while you are still in Ubuntu. The disk is still encrypted; you merely have a decryption filter running in Ubuntu.

For the second one: Yeah, you have to do it again. The drive is still encrypted.

Can you send me a copy of your keyblock and tell me the size of your drive (to help refine things)?

reedickulus commented 7 years ago

Thanks for the reply. I put everything back away as I don't have a spare HDD at the moment to move the files. When I get the new HDD and make another attempt I will send you the keyblock. It is a 3TB drive.

reedickulus commented 7 years ago

Also, this may be a point of clarification for your guide. I just wanted to put it here in case someone else is google searching and stumbles upon this and is stuck.

If you are trying to decrypt a drive with the JMS538S chip and get stuck on the part:

In order to extract the disk encryption key (DEK), we have to reverse each block of 16 bytes, decrypt
with AES in ECB mode, and then reverse each block again. These three commands will do it:
for i in `seq 0 31`; do
dd if=kb.bin bs=16 count=1 skip=$i status=none | \
xxd -p | grep -o .. | tac | echo "$(tr -d '\n')" | \
xxd -p -r >> kb1.bin
done
openssl enc -d -aes-256-ecb -K `cat kek1.hex` \
-nopad -in kb1.bin -out kb2.bin
for i in `seq 0 31`; do
dd if=kb2.bin bs=16 count=1 skip=$i status=none | \
xxd -p | grep -o .. | tac | echo "$(tr -d '\n')" | \
xxd -p -r >> kb3.bin
done

I couldn't clearly see what the three codes were. I tried putting in different parts in the terminal command, and nothing happened correctly.

Finally I used terminal and typed 'gedit.' This opened up a text browser. I copied the above code (DELETE THE BACKSLASHES AND PUT THEM ON THE SAME LINE) and named it "script.sh." I left this script in the wd folder. Then I used terminal command chmod +x script.sh

I then ran the script by typing ./script.sh while I was in the wd folder.

This worked for me for creating kb3.bin file.

ALSO, when it came time to build the new encryption module and reverse the order of each 16-byte block, there was code and instructions in Appendix D. It was a bit unclear based on the PDF and a help thread here (https://github.com/andlabs/reallymine/issues/47) on where to place the files, but I somehow got things working OK using this code:

/*
 * Cryptographic API.
 *
 * very simple cipher to reverse each block of 16 bytes
 *
 * Thomas Kaeding, 20160120
 *
 * ---------------------------------------------------------------------------
 */

#include <linux/module.h>
#include <linux/init.h>
#include <linux/types.h>
#include <linux/errno.h>
#include <linux/crypto.h>
#include <asm/byteorder.h>

int rev16_setkey(struct crypto_tfm *tfm, const u8 *in_key, unsigned int key_len)
{
        return 0;
}

/* Why must we use a temp array?
 * Without it, only the first 8 bytes are affected. Why?
 * (The crypto API may call this with in == out for in-place operation;
 * reversing directly would overwrite bytes before they are read, so the
 * block has to be copied first.)
 */
static void rev16_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
{
        int i;
        u8 temp[16];
        for (i=0;i<16;i++)
                temp[i] = in[i];
        for (i=0;i<16;i++)
                out[i] = temp[15-i];
        return;
}

static struct crypto_alg rev16_alg = {
        .cra_name               =       "rev16",
        .cra_driver_name        =       "rev16",
        .cra_priority           =       100,
        .cra_flags              =       CRYPTO_ALG_TYPE_CIPHER,
        .cra_blocksize          =       16,
        .cra_ctxsize            =       0,
        .cra_alignmask          =       3,
        .cra_module             =       THIS_MODULE,
        .cra_u                  =       {
                .cipher = {
                        .cia_min_keysize        = 0,
                        .cia_max_keysize        = 32,
                        .cia_setkey             = rev16_setkey,
                        .cia_encrypt            = rev16_encrypt,
                        .cia_decrypt            = rev16_encrypt
                }
        }
};

static int __init rev16_init(void)
{
        return crypto_register_alg(&rev16_alg);
}

static void __exit rev16_fini(void)
{
        crypto_unregister_alg(&rev16_alg);
}

module_init(rev16_init);
module_exit(rev16_fini);

MODULE_DESCRIPTION("reverses the bytes of each 16-byte block");
MODULE_LICENSE("GPL");
MODULE_ALIAS("rev16");

I didn't quite understand the "makefile" command part, but I put the rev16.c file (made with gedit) in the wd folder and then followed the Makefile and Build commands in the PDF. rev16.ko ended up in the /usr/src/**ubunt-or-linux-version/crypto

I had plugged my HDD into a windows system before attempting this rescue operation so I had to mount with a loop device.

Unlike the instructions I only got "data" as a response for the second command.

I felt like I got some error message about a Windows file system, but lo and behold, was able to access my files in /mnt/wd.

Hope this helps someone else out there who may be doing their Google research etc trying to fix this common problem that WD won't address.

Also I don't know how much more of a thank you can be given to Thomas Kaeding. He is clearly a brilliant mind and his selflessness and willingness is admirable and inspirational.
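The reverse / AES-256-ECB decrypt / reverse pipeline quoted from the guide above, together with the rev16 block reversal, as an added Python example (it is not code from the repository or its author; the `cryptography` package is assumed for the AES step, and the constructed inputs below are for testing only):

```python
"""kb.bin -> kb3.bin: byte-reverse each 16-byte block, AES-256-ECB decrypt
with the KEK (no padding), then byte-reverse each block again."""
from typing import Callable

BLOCK = 16
KEYBLOCK_LEN = 32 * BLOCK  # the shell loops run `seq 0 31`: 32 blocks = 512 bytes


def rev16(data: bytes) -> bytes:
    """Reverse the byte order inside every 16-byte block (an involution)."""
    if len(data) % BLOCK:
        raise ValueError(f"length {len(data)} is not a multiple of {BLOCK}")
    # Slicing copies each block before reversing it, so output never aliases
    # input; this is the role of the temp[] array in the rev16 kernel cipher.
    return b"".join(data[i:i + BLOCK][::-1] for i in range(0, len(data), BLOCK))


def aes256_ecb_decrypt(key: bytes, data: bytes) -> bytes:
    """Equivalent of `openssl enc -d -aes-256-ecb -nopad -K <hex>`.
    Imported lazily so the reversal helpers work without the dependency."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    if len(key) != 32:
        raise ValueError("KEK must be 32 bytes (64 hex digits, as in kek.hex)")
    dec = Cipher(algorithms.AES(key), modes.ECB()).decryptor()
    return dec.update(data) + dec.finalize()


def extract_dek(kb: bytes, kek: bytes,
                ecb_decrypt: Callable[[bytes, bytes], bytes] = aes256_ecb_decrypt) -> bytes:
    """The three guide commands as one function; ecb_decrypt is pluggable so
    the plumbing can be exercised offline with a stand-in block function."""
    if len(kb) != KEYBLOCK_LEN:
        raise ValueError(f"keyblock is {len(kb)} bytes, expected {KEYBLOCK_LEN}")
    kb1 = rev16(kb)              # first dd/xxd/tac loop
    kb2 = ecb_decrypt(kek, kb1)  # openssl enc -d -aes-256-ecb -nopad
    return rev16(kb2)            # second dd/xxd/tac loop


def load_hex_key(path: str) -> bytes:
    """Read a key file such as kek1.hex (hex digits, optional trailing newline)."""
    with open(path) as fh:
        return bytes.fromhex(fh.read().strip())


if __name__ == "__main__":
    # Assumed file names from the guide: kb.bin (keyblock), kek1.hex (KEK).
    with open("kb.bin", "rb") as fh:
        keyblock = fh.read()
    with open("kb3.bin", "wb") as out:
        out.write(extract_dek(keyblock, load_hex_key("kek1.hex")))
```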

themaddoctor commented 7 years ago

Thanks for the praise. I deserve only the smallest part of it.

I don't think that the instructions need to be changed, because if you type them exactly as you see them, they work. Plus, I made scripts that extract the keys and you can download them from this github project.

The rev16.c you have is old, and includes some headers that aren't necessary. But it doesn't matter.

Can you send me the keyblock, and the manufacture date (printed on the disk label)? Like this:

hexdump -vC kb.bin

then post the output into a comment. Thanks.

themaddoctor commented 7 years ago

Still interested in a copy of your keyblock, please.

reedickulus commented 7 years ago

Will absolutely send it to you. Sorry for the delay, please give me just a bit more time. I ordered a new HDD on Cyber Monday and I am awaiting its arrival. Once it arrives I will do the file exchange (likely on a weekend or overnight when I don't need my laptop) and will grab the keyblock at that time. Should be fairly soon - thanks!

reedickulus commented 6 years ago

Just got my new HDD. Enclosure with USB 3.0 for the old HDD is on the way. Once I get it and tackle this I will post the keyblock here. Any other specific info you need while I'm working on this project? What's best way to get the keyblock?

themaddoctor commented 6 years ago

Use the script on this repository: findkeyblock.sh

reedickulus commented 6 years ago

3TB HD,

I got this error when trying the script:

"./findkeyblock.sh: line 7: syntax error near unexpected token newline' ./findkeyblock.sh: line 7:<!DOCTYPE html>"

I'll see if I can get it using instructions you gave to another user;
use command: hexdump -C kb.bin

reedickulus commented 6 years ago


Is this correct?

reedickulus commented 6 years ago

Found my error with the script. Now I have the correct script with chmod +x activated. I get this error:

expr: non-integer argument expr: syntax error keyblock not found

I am going to try and put it in a different folder. Maybe the script needs to go in the mounted "wd" folder.

reedickulus commented 6 years ago

Still getting the no keyblock found error despite multiple attempts. I decrypted my drive fine, so not sure what the issue is. I copied the code raw directly from the repository. Ran it with proper permissions from the wd folder (where all .bin and .hex files live).

reedickulus commented 6 years ago

Here is my kek.hex:

061fcbeff23ddd2115ba82c0ae8e617670304c1813101cfadcd7d7373a085606

reedickulus commented 6 years ago

From "hexdump -C kb.bin"


themaddoctor commented 6 years ago

thank you

themaddoctor commented 6 years ago

It seems to be password-protected. Can you share the password with me? And the date of manufacture, please.