reallymine
Decrypting My Book Essential 2TB after connecting it to Windows
The board on my 2TB My Book was failing, so I took the drive out of the case and put it into my PC running Windows. I had no clue about the encryption at the time, so I opened it in Disk Manager and it asked me to switch to MBR, so I did. I did not format the disk. The board has the JMS538S chip. I've tried running reallymine, but it's been 5 hours and the decrypted image is still only 7GB. I followed the instructions by @themaddoctor for DEK extraction and this should be it: 956c6e39a0e479b0c9dd1442ba658a30f96df590bffe06234a4672b98a5b10b8
Can I still recover my data? How long can I expect the decryption to take? I'm currently running Mint from a USB stick, but I need Windows for work, so if it's expected to take days I should figure out a different setup.
I would think that for 2TB it would take at least 48 hours. That's how long it takes me to fill a 2TB disk in a USB enclosure with random numbers. It sounds like it's going to take you even more time, probably due to the overhead of decrypting.
It might be faster to use the cryptsetup method in the instructions you mentioned, but only if you are comfortable working with Linux and compiling stuff. In this case the kernel will be handling the decryption. Or, if you are certain that you did not format, and Windows did not zero out the first sector of the new partition, then the data partition should still be at sector 2048, and you can mount using the last section of the instructions (about using a loop device). You can find out if Windows corrupted the data partition with this command (replace X with the right thing):
sudo dd if=/dev/sdX skip=2048 count=1 status=none | hexdump
If the output is
0000000 0000 0000 0000 0000 0000 0000 0000 0000
*
0000200
then you have been corrupted.
Unfortunately I have close to zero Linux experience, so while following your instructions I got stuck at Appendix D. I tried to use the unedited module from the instructions, but it did not work; it does not create the rev16.ko file.
mint@mint:~$ make -C /lib/modules/`uname -r`/build M=$PWD
make: Entering directory '/usr/src/linux-headers-5.4.0-26-generic'
CC [M] /home/mint/rev16.o
/home/mint/rev16.c: In function ‘rev16_fini’:
/home/mint/rev16.c:71:1: error: expected declaration or statement at end of input
71 | crypto_unregister_alg(&rev16_alg);
| ^~~~~~~~~~~~~~~~~~~~~
At top level:
/home/mint/rev16.c:69:20: warning: ‘rev16_fini’ defined but not used [-Wunused-function]
69 | static void __exit rev16_fini(void)
| ^~~~~~~~~~
/home/mint/rev16.c:65:19: warning: ‘rev16_init’ defined but not used [-Wunused-function]
65 | static int __init rev16_init(void)
| ^~~~~~~~~~
make[1]: *** [scripts/Makefile.build:275: /home/mint/rev16.o] Error 1
make: *** [Makefile:1719: /home/mint] Error 2
make: Leaving directory '/usr/src/linux-headers-5.4.0-26-generic'
mint@mint:~$ sudo insmod rev16.ko
insmod: ERROR: could not load module rev16.ko: No such file or directory
Dunno if I missed something somewhere. I'm running Linux Mint 5.4.0-26-generic, if you'd be willing to help with that.
Output from the command you wrote is as follows:
mint@mint:~$ sudo dd if=/dev/sdd skip=2048 count=1 status=none | hexdump
0000000 c629 50b9 8853 dc5f 4e35 9b6d f9dd e777
0000010 64a6 f03c 10cb 92c5 f7af c197 d001 59fd
0000020 76e1 cee6 f297 1dd2 a159 648f 5c71 6b05
0000030 d84a 8b42 5736 a4b4 c76c de79 50c1 ec06
0000040 471e dbad a7df 77cb f4a2 876f d571 c800
0000050 4a85 6897 80f3 89d4 3516 fd4d ad9d 386a
0000060 64a3 0b04 96f7 793d c8c5 d67c bd97 5b78
0000070 d496 c433 71f9 da05 5fdb 1534 3727 6fbf
0000080 90c9 859c ab24 df4b cc42 c450 3c4c d177
0000090 5c96 b016 ea80 990b e033 a035 8e32 e4c9
00000a0 1b51 f78b df5b 65d5 2c1a 250f dd47 c2ed
00000b0 7777 44a7 e6b8 c6de b590 e961 dd82 e5eb
00000c0 d9ec ebc7 3290 3a87 379f 54d3 1ca3 2e57
00000d0 7382 4794 0c6e 84c8 39f6 05cb 55b8 94b6
00000e0 da9b 48e4 4fe4 0fa3 9683 af6b f122 3c1a
00000f0 e201 7ed6 06aa bb10 73a5 77cf 60ff 2baf
0000100 5c93 482b c088 2ac5 3efc 79e4 1caf efb5
0000110 493d a24c 24f9 5d2b c55e 26de b73c 784f
0000120 8d30 8677 e3fc e780 b43b 8c83 1f88 6aac
0000130 cc57 4062 d284 5230 18dc 6860 38a9 69ed
0000140 a796 6c58 12bc 5bcf 714a a6c9 8942 a147
0000150 44d4 aceb 3ab5 b10f 2ddf 4e1b 1124 07b4
0000160 988d 3987 1473 cbe4 13a3 46a9 1c42 46a0
0000170 e34a e0ce c98d ea5c 3dbc 3688 7d3f 9c18
0000180 6ce7 543b 742d 2a9f dcfe af8a 2dc6 3ddd
0000190 2716 8ece ecd3 41b1 da34 3a55 2aeb 9cd9
00001a0 a9c2 3270 5ed7 9c0e dd64 7dc4 c2ff 966c
00001b0 d95e dc6e 97b6 76cc 757b f794 8de5 857e
00001c0 9a99 00ae 480f f5c6 91e5 76c5 cde4 0fa3
00001d0 f000 4459 a2e6 c8c9 36e5 7560 25f8 2761
00001e0 5d7e 6091 eb54 8e08 bc5d 7979 82a9 4a7a
00001f0 3933 333f dd6e cafc 1079 9644 89c5 4c0d
0000200
I assume that means I'm good to proceed. I suppose I'll have to run Linux virtually so I can keep working on Windows in the meantime?
Also, sorry, I'm a bit confused about this bit:
Or, if you are certain that you did not format, and Windows did not zero out the first sector of the new partition, then the data partition should still be at sector 2048, and you can mount using the last section of the instructions (about using a loop device).
I understood from your instructions that the mounting procedure comes only after doing the whole cryptsetup method?
Appendix D has two pages. The second page starts with a curly brace.
"I understood from your instructions that the mounting procedure comes only after doing the whole cryptsetup method?" yes
Good news: your sector 2048 decrypts to the first sector of an NTFS partition:
cat electromistress-sector2048.bin | permute 16 fedcba9876543210 | openssl enc -d -K 956c6e39a0e479b0c9dd1442ba658a30f96df590bffe06234a4672b98a5b10b8 -aes-256-ecb -nopad | permute 16 fedcba9876543210 | hexdump -C
00000000 eb 52 90 4e 54 46 53 20 20 20 20 00 02 08 00 00 |.R.NTFS .....|
00000010 00 00 00 00 00 f8 00 00 3f 00 ff 00 00 08 00 00 |........?.......|
00000020 00 00 00 00 80 00 80 00 ff 7f df e8 00 00 00 00 |................|
00000030 00 00 0c 00 00 00 00 00 02 00 00 00 00 00 00 00 |................|
00000040 f6 00 00 00 01 00 00 00 3f 8a 42 b0 93 42 b0 c6 |........?.B..B..|
00000050 00 00 00 00 fa 33 c0 8e d0 bc 00 7c fb 68 c0 07 |.....3.....|.h..|
00000060 1f 1e 68 66 00 cb 88 16 0e 00 66 81 3e 03 00 4e |..hf......f.>..N|
00000070 54 46 53 75 15 b4 41 bb aa 55 cd 13 72 0c 81 fb |TFSu..A..U..r...|
00000080 55 aa 75 06 f7 c1 01 00 75 03 e9 dd 00 1e 83 ec |U.u.....u.......|
00000090 18 68 1a 00 b4 48 8a 16 0e 00 8b f4 16 1f cd 13 |.h...H..........|
000000a0 9f 83 c4 18 9e 58 1f 72 e1 3b 06 0b 00 75 db a3 |.....X.r.;...u..|
000000b0 0f 00 c1 2e 0f 00 04 1e 5a 33 db b9 00 20 2b c8 |........Z3... +.|
000000c0 66 ff 06 11 00 03 16 0f 00 8e c2 ff 06 16 00 e8 |f...............|
000000d0 4b 00 2b c8 77 ef b8 00 bb cd 1a 66 23 c0 75 2d |K.+.w......f#.u-|
000000e0 66 81 fb 54 43 50 41 75 24 81 f9 02 01 72 1e 16 |f..TCPAu$....r..|
000000f0 68 07 bb 16 68 70 0e 16 68 09 00 66 53 66 53 66 |h...hp..h..fSfSf|
00000100 55 16 16 16 68 b8 01 66 61 0e 07 cd 1a 33 c0 bf |U...h..fa....3..|
00000110 28 10 b9 d8 0f fc f3 aa e9 5f 01 90 90 66 60 1e |(........_...f`.|
00000120 06 66 a1 11 00 66 03 06 1c 00 1e 66 68 00 00 00 |.f...f.....fh...|
00000130 00 66 50 06 53 68 01 00 68 10 00 b4 42 8a 16 0e |.fP.Sh..h...B...|
00000140 00 16 1f 8b f4 cd 13 66 59 5b 5a 66 59 66 59 1f |.......fY[ZfYfY.|
00000150 0f 82 16 00 66 ff 06 11 00 03 16 0f 00 8e c2 ff |....f...........|
00000160 0e 16 00 75 bc 07 1f 66 61 c3 a0 f8 01 e8 09 00 |...u...fa.......|
00000170 a0 fb 01 e8 03 00 f4 eb fd b4 01 8b f0 ac 3c 00 |..............<.|
00000180 74 09 b4 0e bb 07 00 cd 10 eb f2 c3 0d 0a 41 20 |t.............A |
00000190 64 69 73 6b 20 72 65 61 64 20 65 72 72 6f 72 20 |disk read error |
000001a0 6f 63 63 75 72 72 65 64 00 0d 0a 42 4f 4f 54 4d |occurred...BOOTM|
000001b0 47 52 20 69 73 20 6d 69 73 73 69 6e 67 00 0d 0a |GR is missing...|
000001c0 42 4f 4f 54 4d 47 52 20 69 73 20 63 6f 6d 70 72 |BOOTMGR is compr|
000001d0 65 73 73 65 64 00 0d 0a 50 72 65 73 73 20 43 74 |essed...Press Ct|
000001e0 72 6c 2b 41 6c 74 2b 44 65 6c 20 74 6f 20 72 65 |rl+Alt+Del to re|
000001f0 73 74 61 72 74 0d 0a 00 8c a9 be d6 00 00 55 aa |start.........U.|
00000200
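The two checks this thread turns on, as an added example that is not part of reallymine or of anyone's post here: whether sector 2048 was zeroed (the dd | hexdump test earlier in the thread) and whether it decrypts to an NTFS boot sector under the permute / AES-256-ECB / permute pipeline shown just above. It assumes the JMS538S scheme is exactly what that openssl command does (reverse each 16-byte block, decrypt it with the DEK, reverse again), implements AES-256 decryption in pure Python so it needs no packages, and embeds as constructed sample input the DEK from the thread and the first 16 bytes of the posted sector 2048 (plain hexdump prints 16-bit little-endian words, so "c629" is the bytes 29 c6). All function names are mine, not the project's.

```python
import sys

# --- GF(2^8) arithmetic and the AES S-box, pure Python so nothing needs installing ---
def _mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)   # xtime, reduced mod x^8+x^4+x^3+x+1
        b >>= 1
    return r

def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xff

def _make_sbox():
    sbox = []
    for a in range(256):
        inv, base, e = 1, a, 254            # a^254 == a^-1 in GF(2^8); 0 maps to 0
        while e:
            if e & 1:
                inv = _mul(inv, base)
            base = _mul(base, base)
            e >>= 1
        sbox.append(inv ^ _rotl8(inv, 1) ^ _rotl8(inv, 2) ^ _rotl8(inv, 3) ^ _rotl8(inv, 4) ^ 0x63)
    return sbox

SBOX = _make_sbox()
INV_SBOX = [0] * 256
for _i, _v in enumerate(SBOX):
    INV_SBOX[_v] = _i

def expand_key(key):
    """AES-256 key schedule: 32-byte key -> 15 round keys of 16 bytes (FIPS-197 5.2)."""
    assert len(key) == 32
    w = [list(key[i:i + 4]) for i in range(0, 32, 4)]
    rcon = 1
    for i in range(8, 60):
        t = list(w[i - 1])
        if i % 8 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]      # SubWord(RotWord(t))
            t[0] ^= rcon
            rcon = _mul(rcon, 2)
        elif i % 8 == 4:
            t = [SBOX[b] for b in t]                  # SubWord(t), Nk > 6 only
        w.append([x ^ y for x, y in zip(w[i - 8], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(15)]

def decrypt_block(block, round_keys):
    """One AES-256 block decryption (FIPS-197 InvCipher); state index = 4*col + row."""
    s = [b ^ k for b, k in zip(block, round_keys[14])]
    for rnd in range(13, -1, -1):
        s = [s[4 * ((c - r) % 4) + r] for c in range(4) for r in range(4)]   # InvShiftRows
        s = [INV_SBOX[b] for b in s]                                         # InvSubBytes
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                      # AddRoundKey
        if rnd:                                                              # InvMixColumns
            s = [_mul(s[4 * c + r], 14) ^ _mul(s[4 * c + (r + 1) % 4], 11)
                 ^ _mul(s[4 * c + (r + 2) % 4], 13) ^ _mul(s[4 * c + (r + 3) % 4], 9)
                 for c in range(4) for r in range(4)]
    return bytes(s)

# --- the two checks from the thread ---
def is_zeroed(sector):
    """All-zero sector 2048 means Windows overwrote the start of the data partition."""
    return not any(sector)

def decrypt_sector(sector, dek):
    """permute 16 fedcba9876543210 | openssl enc -d -aes-256-ecb -K DEK -nopad | permute 16 fedcba9876543210"""
    rk = expand_key(dek)
    out = bytearray()
    for i in range(0, len(sector), 16):
        out += decrypt_block(sector[i:i + 16][::-1], rk)[::-1]
    return bytes(out)

def looks_like_ntfs(data):
    """NTFS boot sector: OEM ID 'NTFS    ' at offset 3 and, if we have all 512 bytes, 55 AA at 510."""
    ok = data[3:11] == b"NTFS    "
    if len(data) >= 512:
        ok = ok and data[510:512] == b"\x55\xaa"
    return ok

# Constructed sample input taken from the thread: the reporter's DEK and the first 16 bytes
# of their sector 2048, byte-swapped out of hexdump's 16-bit little-endian words.
DEK = bytes.fromhex("956c6e39a0e479b0c9dd1442ba658a30f96df590bffe06234a4672b98a5b10b8")
SECTOR_2048_HEAD = bytes.fromhex("29c6b95053885fdc354e6d9bddf977e7")

def check_drive(path, dek_hex, sector=2048):
    """Read one sector of a device or image and report which case the thread describes."""
    with open(path, "rb") as f:
        f.seek(sector * 512)
        raw = f.read(512)
    if is_zeroed(raw):
        return "sector %d is all zeros: the partition start was overwritten" % sector
    plain = decrypt_sector(raw, bytes.fromhex(dek_hex))
    return "NTFS boot sector found" if looks_like_ntfs(plain) else "decrypts to garbage: wrong DEK or sector"

if __name__ == "__main__":
    if len(sys.argv) == 3:                      # e.g. sudo python3 check.py /dev/sdX <64-hex-char DEK>
        print(check_drive(sys.argv[1], sys.argv[2]))
    else:
        print(decrypt_sector(SECTOR_2048_HEAD, DEK).hex())
```

Run against the thread's own data it prints eb52904e544653202020200002080000, the "NTFS    " OEM block from the hexdump -C output above; pointed at the raw device with the DEK it tells you which of the two situations the thread distinguishes you are in before you commit to a multi-day full decrypt.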
Urgh, I dunno how I missed copying that! It's been a long day.
I got it decrypted and am copying files now, thanks so much!
yw