themaddoctor / linux-mybook-tools

tools for opening some encrypted WD My Book drives in linux
GNU General Public License v3.0

Help with a JMicron JMS538S WD My Book Essential #93

Open rbolser opened 9 months ago

rbolser commented 9 months ago

Hello

First of all, I want to thank you for your great tutorial. I hope you have a minute to look at my steps and output as I am stuck...

A week ago a friend asked if I could look at their dead WD My Book Essential 1TB (JMicron JMS538S chip). As with most of these, the unit was dead. I was told that there was a password. I have the password.

First I attached it to Windows via a dock. Figured it had some type of encryption, moved to Linux.

First step under Linux was to make a copy of the drive using dd.

I followed your steps and the only way I could get the hex files to match yours was to use the default kek.hex (03141592653589793238462643383279fcebea6d9aca7686cdc7b9d9bcc7cd86).

Any help would be most appreciated.

My steps:

sudo file -s /dev/sda

./wd_kdf.sh mypassword > kek.hex
echo 03141592653589793238462643383279fcebea6d9aca7686cdc7b9d9bcc7cd86 > kek.hex

sudo dd if=/dev/sda bs=512 skip=1953519648 count=1 of=kb.bin

hexdump -C kb.bin

00000000  57 44 76 31 14 0e 00 00  00 68 6f 74 00 00 00 00  |WDv1.....hot....|
00000010  00 00 00 00 00 00 f0 00  00 00 00 00 00 00 00 00  |................|
00000020  01 00 00 00 00 00 46 50  00 00 00 00 00 00 00 00  |......FP........|
00000030  00 02 ff 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000050  20 00 2c ac 00 00 00 01  00 00 00 00 57 44 76 31  | .,.........WDv1|
00000060  9f a8 5a 1f 22 96 af 5a  57 56 b2 54 87 08 c5 b6  |..Z."..ZWV.T....|
00000070  cf 1f 09 f0 f8 ed b1 d0  c0 a3 c9 26 b3 13 fc 47  |...........&...G|
00000080  80 e5 54 83 67 78 85 38  e2 57 92 aa 6d a1 3b bb  |..T.gx.8.W..m.;.|
00000090  fb a9 fe 7e 55 ad 91 b3  0b 4f 08 9f 5f ec da cb  |...~U....O.._...|
000000a0  05 06 d6 64 0f 52 a8 5d  fc cc da fa 3e 9e 12 a8  |...d.R.]....>...|
000000b0  6f 94 59 43 62 43 50 b5  9a 92 bc 7a c7 01 5a 42  |o.YCbCP....z..ZB|
000000c0  53 48 6e f6 e7 bb c8 7c  dc 0e 2c d1 bc 77 d1 40  |SHn....|..,..w.@|
000000d0  ce 20 f4 27 9c 24 59 9f  1b d5 29 40 b5 b0 45 7b  |. .'.$Y...)@..E{|
000000e0  96 ab bd 05 4b b7 ca f4  7d 1b 5d 0a 27 f1 7a 1e  |....K...}.].'.z.|
000000f0  85 ee 14 0f 5b 4e 7a 65  a8 17 6c 9c f1 e3 e5 b3  |....[Nze..l.....|
00000100  1d 0c 02 b8 ba 1a 14 d1  d9 85 01 c4 79 a6 1d b3  |............y...|
00000110  4f 3d 06 15 85 c4 3a f0  96 85 57 7a a3 38 2f d5  |O=....:...Wz.8/.|
00000120  cd e6 ad 10 29 83 b1 c4  02 fd b4 6f 47 24 aa 62  |....)......oG$.b|
00000130  0f 57 e5 bc bd 9d 74 16  8f 32 30 07 56 03 9f b5  |.W....t..20.V...|
00000140  b8 79 7a fd 59 ec 3f cd  4f 2e 42 fb af 27 bb 6f  |.yz.Y.?.O.B..'.o|
00000150  24 59 b5 6b ca 52 7a ca  7a 40 62 1b 93 68 bd c0  |$Y.k.Rz.z@b..h..|
00000160  26 93 d0 c5 d9 f8 13 85  b4 ab be b7 a7 b5 b4 77  |&..............w|
00000170  6d bb 6c 42 76 18 c0 85  31 bb 05 53 62 0d 35 fe  |m.lBv...1..Sb.5.|
00000180  e8 8b 67 1b e6 14 37 d1  64 f3 d9 5d e4 b7 4b 6c  |..g...7.d..]..Kl|
00000190  18 d9 11 54 7c 89 c1 3c  c2 3b 9e 6a 4c da b9 39  |...T|..<.;.jL..9|
000001a0  ef fa 2e 33 95 45 0e f7  98 58 fc a0 d4 2e f5 ec  |...3.E...X......|
000001b0  8b f9 fb 98 44 07 9e 68  6d f7 85 14 58 ea ed a8  |....D..hm...X...|
000001c0  9e 4b a2 96 6a 1a 4d 27  4c b1 19 60 41 ee 5c 5b  |.K..j.M'L..`A.\[|
000001d0  e5 15 41 c4 ec fa a5 26  cc 47 9d 91 fd 30 44 33  |..A....&.G...0D3|
000001e0  5f cf f6 c6 2b 3e 7c 80  c3 94 ad b3 f1 4b 5a 07  |_...+>|......KZ.|
000001f0  c9 da b9 cf ea a2 d2 72  69 b0 42 86 0d ae b7 f8  |.......ri.B.....|
00000200
cat kek.hex | grep -o .. | tac | tr -d '\n' > kek1.hex

for i in `seq 0 31`; do
dd if=kb.bin bs=16 count=1 skip=$i status=none | \
xxd -p | grep -o .. | tac | tr -d '\n' | \
xxd -p -r >> kb1.bin
done
openssl enc -d -aes-256-ecb -K `cat kek1.hex` \
-nopad -in kb1.bin -out kb2.bin
for i in `seq 0 31`; do
dd if=kb2.bin bs=16 count=1 skip=$i status=none | \
xxd -p | grep -o .. | tac | tr -d '\n' | \
xxd -p -r >> kb3.bin
done
hexdump -C kb3.bin
OUTPUT:
00000000  06 88 a4 fb 66 4a cd f5  e4 21 be 8c 26 e6 3c c9  |....fJ...!..&.<.|
00000010  0f ef 48 20 45 eb 9e eb  dd 15 4a 0c 5f a8 93 cc  |..H E.....J._...|
00000020  15 d2 c8 40 d8 e5 c3 68  35 d4 f6 ff c7 36 59 88  |...@...h5....6Y.|
00000030  10 cf 7a 85 ea fa a1 60  5c 0f e9 a9 3d 6d de f3  |..z....`\...=m..|
00000040  d0 62 f2 36 84 01 37 aa  75 67 2b 93 c1 1f 4f f2  |.b.6..7.ug+...O.|
00000050  55 01 d3 86 c2 b6 8a b2  32 65 af b9 cc ee 07 c4  |U.......2e......|
00000060  54 00 00 00 dd 00 00 00  74 00 00 00 bc 00 00 00  |T.......t.......|
00000070  b8 00 00 00 19 00 00 00  8e 00 00 00 b9 00 00 00  |................|
00000080  76 00 00 00 62 00 00 00  7d 00 00 00 8c 00 00 00  |v...b...}.......|
00000090  67 00 00 00 b3 00 00 00  f7 00 00 00 94 00 00 00  |g...............|
000000a0  86 00 00 00 e6 00 00 00  45 00 00 00 0c 00 00 00  |........E.......|
000000b0  fe 00 00 00 a4 00 00 00  59 00 00 00 4c 00 00 00  |........Y...L...|
000000c0  3c 00 00 00 21 00 00 00  0e 00 00 00 20 00 00 00  |<...!....... ...|
000000d0  61 00 00 00 cc 00 00 00  a5 00 00 00 36 00 00 00  |a...........6...|
000000e0  a0 00 00 00 f8 00 00 00  db 00 00 00 0b 00 00 00  |................|
000000f0  ee 00 00 00 1a 00 00 00  3f 00 00 00 90 00 00 00  |........?.......|
00000100  44 45 4b 31 81 52 00 00  02 36 b0 eb 5e ec 6e 39  |DEK1.R...6..^.n9|
00000110  4a 50 3d 7f cb cf f9 24  d6 c1 05 fb ba 05 77 25  |JP=....$......w%|
00000120  55 e2 ec e3 0b 3d f3 69  16 23 b4 e3 29 5e f8 da  |U....=.i.#..)^..|
00000130  1f 34 86 5b 00 00 00 00  00 00 00 00 00 00 00 00  |.4.[............|
00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000150  00 00 00 00 e5 bf 72 52  20 00 00 00 00 00 00 00  |......rR .......|
00000160  8a 00 00 00 18 00 00 00  e1 00 00 00 55 00 00 00  |............U...|
00000170  b2 00 00 00 98 00 00 00  78 00 00 00 42 00 00 00  |........x...B...|
00000180  1c 00 00 00 40 00 00 00  c2 00 00 00 85 00 00 00  |....@...........|
00000190  57 00 00 00 6c 00 00 00  5d 00 00 00 ed 00 00 00  |W...l...].......|
000001a0  ab 00 00 00 16 00 00 00  c1 00 00 00 34 00 00 00  |............4...|
000001b0  7e 00 00 00 3d 00 00 00  4e 00 00 00 e2 00 00 00  |~...=...N.......|
000001c0  e4 00 00 00 9b 00 00 00  c9 00 00 00 6b 00 00 00  |............k...|
000001d0  4d 00 00 00 53 00 00 00  cd 00 00 00 ca 00 00 00  |M...S...........|
000001e0  da 00 00 00 64 00 00 00  02 00 00 00 de 00 00 00  |....d...........|
000001f0  c5 00 00 00 95 00 00 00  e9 00 00 00 0a 00 00 51  |...............Q|
00000200

dd if=kb3.bin bs=1 skip=268 count=16 of=dek0.bin status=none
dd if=kb3.bin bs=1 skip=288 count=16 status=none >> dek0.bin

xxd -p -c 32 dek0.bin | grep -o .. | tac | tr -d '\n' > dek.hex

echo | sudo cryptsetup -d - -c rev16-ecb \
create wd-layer1 /dev/sda
cat dek.hex | xxd -p -r | sudo cryptsetup -d - --hash=plain \
--key-size=256 -c aes-ecb create wd-layer2 /dev/mapper/wd-layer1
echo | sudo cryptsetup -d - -c rev16-ecb \
create wd /dev/mapper/wd-layer2
sudo file -sL /dev/mapper/wd

OUTPUT: 
/dev/mapper/wd: DOS/MBR boot sector MS-MBR XP english at offset 0x12c "Invalid partition table" at offset 0x144 "Error loading operating system" at offset 0x163 "Missing operating system", disk signature 0x2de38; partition 1 : ID=0x7, start-CHS (0x0,32,33), end-CHS (0x3ff,254,63), startsector 2048, 1953456128 sectors
sudo file -s /dev/sda
OUTPUT:
/dev/sda: data
sudo dd if=/dev/sda skip=2048 count=16 | file -
OUTPUT:
16+0 records in
16+0 records out
8192 bytes (8.2 kB, 8.0 KiB) copied, 7.479e-05 s, 110 MB/s
/dev/stdin: data
sudo file -s /dev/mapper/wd
OUTPUT:
/dev/mapper/wd: symbolic link to ../dm-2
sudo dd if=/dev/mapper/wd skip=2048 count=16 | file -
OUTPUT:
16+0 records in
16+0 records out
8192 bytes (8.2 kB, 8.0 KiB) copied, 0.000778024 s, 10.5 MB/s
/dev/stdin: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "-FVE-FS-", sectors/cluster 8, reserved sectors 0, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 2048, FAT (32 bit), sectors/FAT 8160, serial number 0x0, unlabeled; NTFS, sectors/track 63, physical drive 0x1fe0, $MFT start cluster 393217, serial number 02020454d414e204f, checksum 0x41462020
sudo kpartx -a /dev/mapper/wd
sudo mkdir -p /mnt/wd
sudo mount /dev/mapper/wd1 /mnt/wd
OUTPUT: 
mount: /mnt/wd: unknown filesystem type 'BitLocker'.

Thanks

Randy
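The kb.bin -> kb3.bin -> dek.hex steps above, rewritten as an added Python example (not code from the linux-mybook-tools project) so that each byte-order step is explicit and can be checked. It assumes the `cryptography` or pycryptodome library for AES-256-ECB, uses the thread's own offsets, and round-trips a constructed key block rather than the real one from the drive:

```python
# Added example (not linux-mybook-tools code): the key-block unwrap above done in
# Python. Offsets are the thread's own (WDv1 at 0, DEK1 at 0x100, DEK halves at
# 268 and 288); AES-256-ECB comes from `cryptography` or pycryptodome.
DEFAULT_KEK_HEX = "03141592653589793238462643383279fcebea6d9aca7686cdc7b9d9bcc7cd86"

def aes_ecb(key: bytes, data: bytes, decrypt: bool) -> bytes:
    """Raw AES-ECB with no padding (the `openssl enc -aes-256-ecb -nopad` step)."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        ctx = Cipher(algorithms.AES(key), modes.ECB())
        ctx = ctx.decryptor() if decrypt else ctx.encryptor()
        return ctx.update(data) + ctx.finalize()
    except ImportError:
        from Crypto.Cipher import AES
        c = AES.new(key, AES.MODE_ECB)
        return c.decrypt(data) if decrypt else c.encrypt(data)

def reverse_blocks(data: bytes, size: int = 16) -> bytes:
    """Byte-reverse every `size`-byte block (the `grep -o .. | tac` loops)."""
    return b"".join(data[i:i + size][::-1] for i in range(0, len(data), size))

def unwrap_keyblock(kb: bytes, kek_hex: str) -> bytes:
    """kb.bin -> kb3.bin; the 0x60-byte plaintext header decrypts to junk, as in the thread."""
    if len(kb) != 512 or kb[:4] != b"WDv1":
        raise ValueError("expected a 512-byte key block starting with WDv1")
    kek = bytes.fromhex(kek_hex)[::-1]          # kek1.hex: the KEK byte-reversed
    return reverse_blocks(aes_ecb(kek, reverse_blocks(kb), decrypt=True))

def extract_dek(kb3: bytes) -> bytes:
    """dek.hex: 16 bytes at 268 and 16 at 288, concatenated and byte-reversed."""
    if kb3[0x100:0x104] != b"DEK1":
        raise ValueError("no DEK1 marker at 0x100: wrong KEK or wrong sector")
    return (kb3[268:284] + kb3[288:304])[::-1]

def build_test_keyblock(dek: bytes, kek_hex: str) -> bytes:
    """Constructed kb.bin: plaintext header plus the DEK fields wrapped under kek_hex."""
    plain = bytearray(512)
    plain[:4], plain[0x100:0x104] = b"WDv1", b"DEK1"
    plain[268:284], plain[288:304] = dek[::-1][:16], dek[::-1][16:]
    kek = bytes.fromhex(kek_hex)[::-1]
    body = reverse_blocks(aes_ecb(kek, reverse_blocks(bytes(plain[0x60:])), decrypt=False))
    return bytes(plain[:0x60]) + body

def demo() -> bytes:
    """Round trip on a constructed block; returns the recovered 32-byte DEK."""
    dek = bytes(range(0xA0, 0xC0))              # constructed sample DEK, not a real one
    kb = build_test_keyblock(dek, DEFAULT_KEK_HEX)
    return extract_dek(unwrap_keyblock(kb, DEFAULT_KEK_HEX))
```

The `DEK1` check in `extract_dek` is the quick sanity test for the KEK: with the wrong password-derived key the block at 0x100 decrypts to noise instead of the marker.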

themaddoctor commented 9 months ago

It looks like you have an NTFS partition at sector 2048. Try the loopback method instead of kpartx.

rbolser commented 9 months ago

> It looks like you have an NTFS partition at sector 2048. Try the loopback method instead of kpartx.

Did the loopback and here is the output. I must be missing something. Thanks for the help.

randy@randylinux:~/Downloads/wd$ sudo losetup -o 1048576 -f /dev/mapper/wd
randy@randylinux:~/Downloads/wd$ sudo losetup -j /dev/mapper/wd
/dev/loop11: [0005]:644 (/dev/dm-2), offset 1048576
randy@randylinux:~/Downloads/wd$ sudo mkdir -p /mnt/wd
randy@randylinux:~/Downloads/wd$ sudo mount /dev/loop11 /mnt/wd
mount: /mnt/wd: unknown filesystem type 'BitLocker'.
themaddoctor commented 9 months ago

Well, if that is accurate, then your friend set up an encrypted partition with a piece of software called BitLocker that comes with Windows. That must be the thing for which he gave you the password.

I can't help you with BitLocker. I suggest you dd (or ddrescue or dd_rescue) the drive from /dev/mapper/wd to another 1-TB disk, and then give the new disk to your friend. That way, it won't be encrypted by WD, only by BitLocker.

https://en.wikipedia.org/wiki/BitLocker

rbolser commented 9 months ago

Just wanted to thank you again. Recovered the drive completely. Bitlocker was a treat.