themaddoctor / linux-mybook-tools

tools for opening some encrypted WD My Book drives in linux
GNU General Public License v3.0

Decryption MyBook Essential 2tb sw6316 Stuck please help #53

Open ghost opened 4 years ago

ghost commented 4 years ago

I need your help. I am stuck trying to decrypt a WD 2tb HDD with sw6316 chip. This was my backup drive. At the time all of my photos were stored on my laptop as I had a large enough HDD but periodically I would back them up on my external drive. It so happened that the same week my laptop was stolen, my external drive controller stopped working. So now all of my family photos, that I am so desperately trying to recover, are locked on this drive. Photos of my late father and my dogs are gone. In a panic mode I removed the drive and used a different HDD enclosure as well as connecting directly to my desktop. HDD was recognized as RAW/unallocated. I tried assigning a drive letter as well as various recovery programs, but nothing helped. Drive was never formatted nor written on since the incident. Little did I realize that the drive was hardware encrypted. Doing some research I came across your tutorial, but I am stuck. I need your help and I am willing to compensate you for it!

I tried KNOPPIX on a USB stick but I encountered some issues with installing/using python. On an empty drive I installed Ubuntu 20.04 but I am still having issues. I am new to LINUX but I am doing my best.

I am stuck on unwrapping the disk key. When I enter the command:

./unwrap.py `xxd -p -c 40 edek.bin` `cat kek.hex` > dek0.hex

I get this error:

Traceback (most recent call last):
  File "./unwrap.py", line 32, in <module>
    KEK = binascii.unhexlify(sys.argv[2])
TypeError: Odd-length string

I copied appendix B to the letter in unwrap.py. Also, there is a file sw6316 fine with a longer code. Tried that one as well, but with that one I am getting even more errors.

This is the furthest I was able to get without errors. Not sure if it matters, but when I did:

sudo file -s /dev/sda

I get OS/MBR boot sector MS-MBR Windows 7 english at offset 0x163 "Invalid partition table" at offset 0x17b "Error loading operating system" at offset 0x19a "Missing operating system", disk signature 0xf5deeba; partition 1 : ID=0xee, start-CHS (0x0,0,1), end-CHS (0x3ff,254,63), startsector 1, 3907029167 sector

Don't know if that is a problem. I apologize for the lengthy post, any help is appreciated.

themaddoctor commented 4 years ago

If sda is the WD drive, then you corrupted the MBR and partition table by plugging it into your computer while Windows was running. Windows thinks it's smarter than you are, so it destroys data for your own good.

Anyway, if you dump the keyblock with a hexdump -C command, and place the results in a comment on this thread, then I will see if I can extract the key.

ghost commented 4 years ago

Hi themaddoctor, thank you so much for responding and for your help. I cannot tell you how much I appreciate that.

It took me a while to respond because I managed to brick ubuntu. In your manual it states that this only works with python version 2, and I have python 2 and 3 installed. In an attempt to make progress I uninstalled python version 3 and crashed the system. I reinstalled everything and am doing it from the beginning.

Python versions: [image: python version]

Results for the hexdump -C: [image: hexdump]

nem@nem-MS-7B44:~/Desktop/wd$ hexdump -C kb0.bin
00000000 57 4d 59 53 ea f5 01 f8 00 00 00 00 02 00 00 00 |WMYS............|
00000010 36 96 33 9a 8f 6b 88 7b 48 00 eb 13 15 f6 31 5c |6.3..k.{H.....1|
00000020 50 90 46 3d f2 18 cb f4 4e 98 f5 f8 c5 53 7e c7 |P.F=....N....S~.|
00000030 3f 94 20 dd b5 d2 58 d3 15 88 b9 b5 72 b1 03 20 |?. ...X.....r.. |
00000040 f3 65 eb 88 91 70 f9 e7 09 9a ee cb 58 05 ad 97 |.e...p......X...|
00000050 e3 6e b3 6d 5f 78 c9 cd fe cb 85 c0 43 50 06 8d |.n.m_x......CP..|
00000060 0f b6 50 6e 1a 36 30 8c 8e 25 9b fa 32 26 6b 6a |..Pn.60..%..2&kj|
00000070 04 02 72 61 c0 a9 f3 65 a1 b4 b5 55 0c d4 e7 c7 |..ra...e...U....|
00000080 f1 52 3b f2 46 b3 e8 69 00 00 00 00 00 00 00 00 |.R;.F..i........|
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000001c0 00 88 df e8 00 00 00 00 00 02 00 00 00 00 00 00 |................|
000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000200

Again thank you for your help!

themaddoctor commented 4 years ago

Your DEK is 16a736b9c9d6597179047b66463f4c8b8ded43fa4948cb34c3b9c195ec974723

themaddoctor commented 4 years ago

You won't need Python any more.

ghost commented 4 years ago

Thank you for responding so fast, and for that information. What do I do now?

themaddoctor commented 4 years ago

Follow the instructions in the PDF.

ghost commented 4 years ago

I apologize, but I am confused.

I am following the instructions... after hexdump -C I did the 3 line command for reversing the order, then extracted the wrapped disk encryption key. Created unwrap.py from appendix B and when I try to unwrap the disk encryption I get the same error. I get this: [image: unwrap the disk]

Being that you said that I don't need python any longer. I'm not sure what to do next. I believe that Crypto.Cipher is a package under python.

But since you said that my DEK is 16a736b9c9d6597179047b66463f4c8b8ded43fa4948cb34c3b9c195ec974723

Do I need to create dek0.hex and copy that line in there, and then run the next line to fix the endianness of the DEK?

ghost commented 4 years ago

I apologize if I am annoying.

So I created dek0.hex and I copied the DEK that you gave me. Then I entered the line to fix endianness of the DEK, which gave me dek.hex. Then I ran the command to set up the encryption filter and I get this error. [image: gpt permition signature]

Not sure what now? Thank you for your assistance

ghost commented 4 years ago

testdisk is showing the encrypted disk as /dev/sda. [image: test disk] Disks is showing the same disk as /dev/sda1. So I tried that as well and I am still getting the error that the drive is already mapped or mounted. [image: disks]

themaddoctor commented 4 years ago

The DEK I sent you is the final DEK. No fixing is necessary.

ghost commented 4 years ago

I did that as well. Created dek.hex and copied the line that you gave me and tried to set up encrypted filter. Getting " WARNING: Device /dev/sda already contains a 'gpt' partition signature. Cannot use device /dev/sda which is in use (already mapped or mounted). "

ghost commented 4 years ago

[image: final dek]

themaddoctor commented 4 years ago

The last section of the tutorial might help (mounting with loopback device). The problem is that you reinitialized the disk in Windows, and it created a partition table. If you also reformatted, then you are screwed.

ghost commented 4 years ago

I restarted the system. And with only DEK that you gave me in dek.hex file finished the tutorial.

I followed the mounting in the tutorial and I was getting errors along the way. At one point Disks in Ubuntu saw my old partition, and was able to mount it through Disks. I was able to see the old partition and some folder/file systems but I was not able to copy or open anything. I can see inside some folders and see pictures in them but cannot open them or copy them. Some folders were empty and I was getting errors along the way. Soon Ubuntu got errors and closed the screen.

Trying right now to mount the HDD again, but so far no luck.

HDD was reinitialized in Windows. I never formatted the drive! Any suggestions?

themaddoctor commented 4 years ago

The sudo command can be used to copy files when you don't have permission to do so.

sudo cp -var /mnt/wd/whatever /path/to/destination/

ghost commented 4 years ago

Does it make sense to run ddrescue and clone the drive before mounting it with decryption? Or do I need to mount it again, and while mounted run ddrescue?

ghost commented 4 years ago

Is this normal to get this error every time I try to set up the encryption filter? [image: gpt permition signature]

ghost commented 4 years ago

I am no longer able to get past the "cat dek.hex | xxd -p -r | sudo cryptsetup -d - --hash=plain --key-size=256 -c aes-ecb create wd /dev/sda" command.

Every time I try it I get this return:

[image: fail]

from there if I try sudo file -sL /dev/mapper/wd I get "no such file or directory"

I was able only once to mount the drive for a short period of time. And I don't think that I did anything differently.

ghost commented 4 years ago

Restarted and retried. Got this and I'm starting to lose it. [image: stuck]

themaddoctor commented 4 years ago

Try "fdisk -l /dev/sdb" to see what partitions it thinks it has. If there is only one and it starts at 2048, then:

sudo cryptsetup remove wd
cat dek.hex | xxd -p -r | sudo cryptsetup -d - --hash=plain --key-size=256 -c aes-ecb create wd /dev/sdb1

The difference is the "1" at the end, to use the partition instead of the whole disk.

ghost commented 4 years ago

I believe that I have successfully mounted the encrypted drive. But when I tried to copy files through "Files" I am getting this error: [image]

I also tried the sudo command that you gave me, sudo cp -var /mnt/wd/whatever /path/to/destination/, but I am still getting "Input/output error".

How do I proceed? Thank you so much for your time and your help

themaddoctor commented 4 years ago

I/O errors could be anything. Skip that file. See what happens.

ghost commented 4 years ago

I'm getting that error on all of them.

ghost commented 4 years ago

If I do ddrescue and force a copy of a whole partition, would the copy also be encrypted?

themaddoctor commented 4 years ago

Not if you copy /dev/mapper/wd. It is a partition seen through the decryption layer.

ghost commented 4 years ago

If I ddrescue the whole HDD and not only /dev/mapper/wd, everything is copying fine. But when I try to ddrescue the partition past the decryption layer, then ddrescue cannot copy anything. The whole HDD falls under non-scraped. I really appreciate your help and everything that you did. If you can please point me in the direction... Thank you

themaddoctor commented 4 years ago

Did you use sudo?

ghost commented 4 years ago

Yes, I used sudo.

I tried to copy pictures folder only with sudo command that you gave me above. I tried to do sudo ddrescue just the Pictures folder, and tried sudo ddrescue /dev/mapper/wd. None of that worked. When I try to copy anything from the drive I get I/O error on every single file.

While I was waiting for your response, I tried ddrescue of /dev/sdc to an external drive and that was working really fast averaging 115mb/s with no bad reads/sectors. When I tried ddrescue of just /dev/mapper/wd that was returning mostly bad reads and working really slow, less than 1kb/s. I also tried sudo testdisk on /dev/mapper/wd to see if that can fix the situation, but that unmounted the drive and then I stopped trying.

When I was trying to do data recovery in windows, before coming across your tutorial, I did test the disk as well. It had no bad sectors or issues. It was used less than 50h before the sata bridge died. Because of that I am confused as to why I am getting I/O errors and can't access files and some folders. Does it take some time for decryption to do its thing?

I am about to get into a bidding war on ebay trying to buy the same drive and use its PCB for decoding.

themaddoctor commented 4 years ago

Decryption does use some processing. It decrypts each sector when that sector is read. It's a filter, not do-it-once-and-it's-done kind of thing. It does everything in the kernel. Still, I don't know why it would be that slow.

I don't think ddrescue copies individual folders, only devices.

Now that you have the disk key, maybe you would have better luck with the ReallyMine program that decrypts whole disks. It has a project here on github. Or you could read the partition and pipe it through openssl and then onto a new disk. If you do, then the encryption mode is ECB, the algorithm is AES, and there is no padding. Something like

sudo dd if=/dev/sdc1 | openssl enc -d -aes-256-ecb -K yourdiskkeyinhex -nopad | sudo dd of=/dev/newdisk
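A way to check a candidate key on a single sector before committing to a full-disk copy, as an added example that is not part of the thread or of the linux-mybook-tools project. It assumes AES-256-ECB without padding as stated above and that decrypted sector 0 ends in the boot signature 55 aa; the function names, key and test image are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a candidate disk key on one sector before a full copy.
# Assumptions: AES-256-ECB, no padding (as stated in the thread); plaintext
# sector 0 ends in the boot signature 55 aa. All data below is constructed.

# first_sector_sig IMAGE KEYHEX -> prints last two bytes of decrypted sector 0
first_sector_sig() {
    dd if="$1" bs=512 count=1 2>/dev/null |
        openssl enc -d -aes-256-ecb -K "$2" -nopad 2>/dev/null |
        tail -c 2 | od -An -tx1 | tr -d ' \n'
}

# key_looks_right IMAGE KEYHEX -> exit status 0 if the boot signature decrypts
key_looks_right() {
    [ "$(first_sector_sig "$1" "$2")" = "55aa" ]
}

# make_test_image PLAIN ENC KEYHEX: build a constructed 4-sector "disk"
make_test_image() {
    {
        printf '\353\122\220NTFS    '          # jump + OEM id (11 bytes)
        head -c 499 /dev/zero                  # filler up to offset 510
        printf '\125\252'                      # boot signature 55 aa
        head -c 1536 /dev/zero | tr '\0' 'A'   # three more sectors of data
    } > "$1"
    openssl enc -e -aes-256-ecb -K "$3" -nopad -in "$1" -out "$2"
}

# sector_matches PLAIN ENC KEYHEX N: decrypt only sector N and compare.
# ECB has no chaining or IV, so any sector decrypts independently of the rest.
sector_matches() {
    want=$(dd if="$1" bs=512 skip="$4" count=1 2>/dev/null | od -An -tx1)
    got=$(dd if="$2" bs=512 skip="$4" count=1 2>/dev/null |
        openssl enc -d -aes-256-ecb -K "$3" -nopad | od -An -tx1)
    [ "$want" = "$got" ]
}
```

On a real device, key_looks_right would be pointed at the raw disk or partition read-only; a failed check means the key, the byte order or the chosen start offset is wrong, not necessarily that the data is damaged.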

ghost commented 4 years ago

Thank you for that. Not sure what you mean by "yourdiskkeyinhex". Do I point to the dek.hex file or do I put down the actual key? Thank you

themaddoctor commented 4 years ago

the actual key 16a736b9c9d6597179047b66463f4c8b8ded43fa4948cb34c3b9c195ec974723

ghost commented 4 years ago

Again, thank you so much! I just tried this last command that you gave me, and no luck. [image] Tried with /dev/sdc1 and with /dev/sdc.

I don't know if this makes a difference: [image] /dev/sdc1 is 134mb Microsoft Reserved and /dev/sdc is "free space" where my partition should be.

ghost commented 4 years ago

When I mounted the loop8 this last time as /mnt/wd, which works and it gives me My Book ntfs partition, I opened the pictures folder and got into a random subfolder. It took a while but a few of my photos got decrypted, but then it stopped doing it. Those photos I can copy. But I can't get it to open anything else...

themaddoctor commented 4 years ago

Whatever the problem is, it is not with the decryption. Try making a clone of the disk and working from the clone. Good luck.