
bridge type PLX (Oxford Semiconductor)

Open cangeles opened this issue 3 years ago • 63 comments

I have a WD Duo with two 2TB drives that I configured as RAID 1, naively believing that if something happened to one of the drives I would be able to recover my data. Well, the device died and I have two mirrored drives that I can't access. I found your tool and found that I have the PLX controller. Would you be able to assist with a decryptor? I ran the dumpkeysector option and saved it to a file. I also ran the dumplast option and have that output saved to a file. Both are included in the attached zip file.

What other information would you need to develop something?

sda.zip

cangeles avatar Jan 06 '22 20:01 cangeles

I saw in another post that you requested the person to run dumpfirst so I included it in the attached zip file.

Also, here is the output of dumpkeysector if you need it for any reason.

$ sudo ./reallymine dumpkeysector /dev/sda sda-dumpkeysector.bin
sector at 0x105ED363400
bridge type PLX (Oxford Semiconductor)

sda-dumpfirst.zip

cangeles avatar Jan 06 '22 21:01 cangeles

I wonder if something is wrong with your keyblock. It looks suspicious. Can you dump these two sectors? 3907029888 and 3907029896

themaddoctor avatar Jan 06 '22 21:01 themaddoctor

sudo dd if=/dev/sda count=1 skip=3907029888 of=3907029888.bin
sudo dd if=/dev/sda count=1 skip=3907029896 of=3907029896.bin

themaddoctor avatar Jan 06 '22 21:01 themaddoctor

Both report zero bytes

I have the drive connected as a physical drive to a Linux guest in VMware. fdisk -l lists the /dev/sda but dd gives this message:

dd: /dev/sda: cannot skip: Invalid argument

cangeles avatar Jan 06 '22 21:01 cangeles

$ sudo fdisk -l
Disk /dev/sda: 1.84 TiB, 2000398934016 bytes, 3907029168 sectors
Disk model: VMware Virtual S
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

cangeles avatar Jan 06 '22 21:01 cangeles

Can you attach it to a true linux machine?

themaddoctor avatar Jan 06 '22 21:01 themaddoctor

Or dump more of the end of the disk? Adjust the numbers until your dump is about 4MB.

themaddoctor avatar Jan 06 '22 21:01 themaddoctor

BTW, using the keyblock that you posted does not give the correct key needed to decrypt the start-of-disk sample you also posted.

themaddoctor avatar Jan 06 '22 21:01 themaddoctor

Alright. I'm setting up a physical Linux system. I may try the dumpkeysector again on the physical system. Does this look correct to dump the last 4MB? 4MB is 8000 sectors so I subtracted that from the fdisk sector count.

sudo dd if=/dev/sda skip=3907021896 of=last4MB.bin

cangeles avatar Jan 06 '22 23:01 cangeles

Are you still using the WD enclosure or bridge card? You need to use SATA or a generic enclosure.

themaddoctor avatar Jan 06 '22 23:01 themaddoctor

The WD enclosure died so I've been putting one of the hard drives in a Startech dock and connecting it via USB.

cangeles avatar Jan 06 '22 23:01 cangeles

I was going to use a spare Intel NUC that I have that way. I'll open it up and connect it with the spare SATA port it has.

cangeles avatar Jan 06 '22 23:01 cangeles

The dock should work fine. Yes on sudo dd if=/dev/sda skip=3907021896 of=last4MB.bin

themaddoctor avatar Jan 06 '22 23:01 themaddoctor

Here's the last 4MB of the drive, well, 8K sectors. I'm running dumpkeysector on this physical Linux system again, just in case. It took a few days on the Linux VM though.

Also, I noticed that the two sectors you asked me to dump go beyond the sector count of the drive. Are there two other sectors you would like me to dump?

last4MB.zip

cangeles avatar Jan 07 '22 00:01 cangeles

The last 4MB contains only zeroes.

It took so long because it kept looking, even when it should have stopped.

Please look at the bridge card and verify the chip number.

themaddoctor avatar Jan 07 '22 00:01 themaddoctor

Alright, I'll take a look at it tonight. I'll post again tomorrow. Thanks!

cangeles avatar Jan 07 '22 00:01 cangeles

I have the Duo taken apart but I'm not sure which chip has the information you need? I've attached the pictures of the front and back.

PXL_20220110_204349964 PXL_20220110_203354766

cangeles avatar Jan 10 '22 21:01 cangeles

That's what I was afraid of. You have the JMS561 chip, which we do not yet understand. It might be that the key is stored on one of the EPROM chips. If you have the ability to remove and read a chip, then you should start with U1, which seems to be directly connected to the JMS561. Another option is that the key is stored in a service-area module on the disk itself. Then you would use a tool called HDDSupertool (http://www.hddsuperclone.com/sitev1/). If you can read the chip or dump the modules, I would be happy to look at them.

themaddoctor avatar Jan 10 '22 21:01 themaddoctor

BTW, the reason the program ran so long and told you that you had a PLX chip is that it kept going until it found a 4-character string ("SinE") that it recognized. That string was present in your data only by accident.

themaddoctor avatar Jan 10 '22 21:01 themaddoctor

Is the free version enough or should I purchase the temporary license of the Pro version?

cangeles avatar Jan 10 '22 21:01 cangeles

I've only ever used the free one.

themaddoctor avatar Jan 10 '22 21:01 themaddoctor

I'm looking through the user manual but I'm not sure what command to run? I see the various scripts and hddmenu. Use hddmenu, VSC, 6) WD royl (Marvel) dump all modules? Also, I see a few warnings that commands may not work on USB drives so I should connect the drive to the open SATA port on the NUC?

cangeles avatar Jan 10 '22 23:01 cangeles

Yes.

themaddoctor avatar Jan 11 '22 00:01 themaddoctor

I received an error dumping all modules VSC, option 6. The output is below as well as the output for Identify device and Smart info.

Thank you!

VSC menu
q) Quit
p) Previous menu
h) Toggle script help
1) WD dump mod 42 (older Caviar drives)
2) WD royl (Marvel) dump mod 02
3) WD royl (Marvel) dump mod 32
4) WD royl (Marvel) patch mod 02 (slow fix)
5) WD royl (Marvel) patch mod 32 (slow fix additional)
6) WD royl (Marvel) dump all modules
7) WD royl (Marvel) dump selected module
8) WD royl (Marvel) read rom
9) WD royl (Marvel) check rom file
10) WD royl (Marvel) write rom (dangerous)
11) WD royl (Marvel) write module (dangerous)
Enter your choice:
> 6
6
identify
Model: WDC WD20EFRX-68EUZN0
Serial: WD-WCC4M6TDKL93
enable vsc
Command failed!
sense_key=0x5 asc=0x24 ascq=0x0
error=0x0 count=0x0 lba=0x0 device=0x0 status=0x0 altstatus=0x0
command_status= 0x0
data_transferred= 0x0


Device information menu
q) Quit
p) Previous menu
h) Toggle script help
1) Identify device
2) Smart info
Enter your choice:
> 1
1
Model= WDC WD20EFRX-68EUZN0                    
Serial=      WD-WCC4M6TDKL93
Firmware revision= 82.00A82
supports 48 bit commands = 1
total addressable sectors= 3907029168
words per logical sector= 0
Size in bytes= 2000398934016
Size in MiB= 1907729
logical sectors per physical sector(2^x)= 3
enhanced_security_erase_supported= 1
security_count_expired= 0
security_frozen= 0
security_locked= 0
security_enabled= 0
security_supported= 1
error_recovery_control= 1
long_sector_access =0
drive look ahead supported= 1
drive look ahead status= 1
write_uncorrectable supported= 1
 
Device information menu
q) Quit
p) Previous menu
h) Toggle script help
1) Identify device
2) Smart info
Enter your choice:
> 2
2
Smart structure version= 16
ID#   FLAG  VALUE WORST THRESH   RAW DATA          ATTRIBUTE NAME
  1  0x002f  200   200    51   0x00000000000000   Read Error Rate
  3  0x0027  173   172    21   0x000000000010e5   Spin-Up Time
  4  0x0032   36    36     0   0x0000000000fdab   Start/Stop Count
  5  0x0033  200   200   140   0x00000000000000   Reallocated Sectors Count
  7  0x002e  200   200     0   0x00000000000000   Seek Error Rate
  9  0x0032   95    95     0   0x00000000000fd4   Power-On Hours Count
 10  0x0032  100   100     0   0x00000000000000   Spin Retry Count
 11  0x0032  100   100     0   0x00000000000000   Calibration Retries
 12  0x0032   36    36     0   0x0000000000fda9   Power Cycle Count
192  0x0032  183   183     0   0x00000000003374   Power-Off Retract Cycles
193  0x0032  182   182     0   0x0000000000d516   Load/Unload Cycles
194  0x0022  117    89     0   0x0000000000001e   Temperature
196  0x0032  200   200     0   0x00000000000000   Reallocation Events
197  0x0032  200   200     0   0x00000000000000   Current Pending Sectors
198  0x0030  100   253     0   0x00000000000000   Off-line Uncorrectable
199  0x0032  200   200     0   0x00000000000000   UDMA CRC Error Rate
200  0x0008  200   200     0   0x00000000000000   Write Error Rate

cangeles avatar Jan 11 '22 01:01 cangeles

Sorry. I don't know.

themaddoctor avatar Jan 11 '22 01:01 themaddoctor

This page suggests that if you replace the bridge card with an identical one, then the disks are decrypted like they were with the original card. That could mean that the key is stored in the modules somewhere. It could also mean that you could get your data back if you can buy a replacement card.

https://forum.hddguru.com/viewtopic.php?f=1&t=36609&sid=086cee23d2cfee3a654ec5b9eeb638be&start=20

themaddoctor avatar Jan 11 '22 01:01 themaddoctor

Can you try talking to the creator of HDDSupertool about the error? I am very curious to know where that key is kept. Not only will that information help you, but someone comes along with a WD Duo every few months with the same problem.

themaddoctor avatar Jan 11 '22 01:01 themaddoctor

I have the same issue and also a board with the JMS561.

Connecting the drive directly to my native Linux gives me

$ lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
sda           8:0    0   5.5T  0 disk  
nvme0n1     259:0    0 238.5G  0 disk  
├─nvme0n1p1 259:1    0   512M  0 part  /efi
├─nvme0n1p2 259:2    0    50G  0 part  /
└─nvme0n1p3 259:3    0   188G  0 part  
  └─home    254:0    0   188G  0 crypt /home

which surprises me, because I know there should be multiple partitions.

The output of hddsupertools looks disheartening as well

VSC menu
q) Quit
p) Previous menu
h) Toggle script help
1) WD dump mod 42 (older Caviar drives)
2) WD royl (Marvel) dump mod 02
3) WD royl (Marvel) dump mod 32
4) WD royl (Marvel) patch mod 02 (slow fix)
5) WD royl (Marvel) patch mod 32 (slow fix additional)
6) WD royl (Marvel) dump all modules
7) WD royl (Marvel) dump selected module
8) WD royl (Marvel) read rom
9) WD royl (Marvel) check rom file
10) WD royl (Marvel) write rom (dangerous)
11) WD royl (Marvel) write module (dangerous)
Enter your choice:
> 6
6
identify
Command failed!
sense_key=0x5 asc=0x24 ascq=0x0
error=0x0 count=0x0 lba=0x0 device=0x0 status=0x0 altstatus=0x0
command_status= 0x0
data_transferred= 0x200

Device information menu
q) Quit
p) Previous menu
h) Toggle script help
1) Identify device
2) Smart info
Enter your choice:
> 1
1
Command failed!
sense_key=0x5 asc=0x24 ascq=0x0
error=0x0 count=0x0 lba=0x0 device=0x0 status=0x0 altstatus=0x0
command_status= 0x0
data_transferred= 0x200

Device information menu
q) Quit
p) Previous menu
h) Toggle script help
1) Identify device
2) Smart info
Enter your choice:
> 2
2
Command failed!
sense_key=0x5 asc=0x24 ascq=0x0
error=0x0 count=0x0 lba=0x0 device=0x0 status=0x0 altstatus=0x0
command_status= 0x0
data_transferred= 0x200

I am able to retrieve data like so

sudo dd if=/dev/sda of=wdtest.dmp bs=128M count=1

but it appears to just be a huge blob of nonsensical data.

pillepalle1 avatar Jan 18 '22 06:01 pillepalle1

I'm afraid I can't be of much help at this point. Your only hope is if the disk was partitioned with a nonstandard block size (some are this way). If you dump sector 0 and post it, that will tell me if it is really encrypted etc.

sudo dd if=/dev/sda count=1 | hexdump -C

themaddoctor avatar Jan 18 '22 15:01 themaddoctor

benj@benj-xps13:~# sudo dd if=/dev/sda count=1 | hexdump -C
00000000  0c b2 8e 0f 0b e2 bc ea  78 93 1d d7 72 bd e5 21  |........x...r..
*
000001c0  56 e3 b7 4d 15 60 5e 64  32 87 9d 4a a1 fc 44 31  |V..M.`^d2..J..D
000001d0  0c b2 8e 0f 0b e2 bc ea  78 93 1d d7 72 bd e5 21  |........x...r..
*
000001f0  e9 7d 67 fc 77 a1 0d 61  c3 f0 44 15 00 dd b6 f7  |.}g.w..a..D....
1+0 records in
1+0 records out
512 bytes copied, 0.000576027 s, 889 kB/s
00000200

Seems to me like there is some part missing?

pillepalle1 avatar Jan 18 '22 15:01 pillepalle1
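
An added example, not part of the thread or of reallymine: a small Python triage of the sector 0 dump posted above. In `hexdump -C` output a `*` line stands for rows identical to the previous one, so the script expands those rows, then counts repeated 16-byte blocks and checks for the `55 aa` boot signature; the function names and the "ecb_like" heuristic are assumptions made for this illustration.

```python
import re
from collections import Counter

# Pasted from the post above with the dd status lines dropped (example input).
SAMPLE = """\
00000000  0c b2 8e 0f 0b e2 bc ea  78 93 1d d7 72 bd e5 21  |........x...r..
*
000001c0  56 e3 b7 4d 15 60 5e 64  32 87 9d 4a a1 fc 44 31  |V..M.`^d2..J..D
000001d0  0c b2 8e 0f 0b e2 bc ea  78 93 1d d7 72 bd e5 21  |........x...r..
*
000001f0  e9 7d 67 fc 77 a1 0d 61  c3 f0 44 15 00 dd b6 f7  |.}g.w..a..D....
00000200
"""

ROW = re.compile(r"^([0-9a-f]{8})((?:\s+[0-9a-f]{2}){1,16})?")

def parse_hexdump(text):
    """Rebuild bytes from `hexdump -C` text, expanding '*' (repeated rows)."""
    data, last_row, elided = bytearray(), b"", False
    for line in map(str.strip, text.splitlines()):
        if line == "*":
            elided = True
            continue
        m = ROW.match(line)
        if not m:
            continue  # not a dump row, e.g. dd's status output
        offset = int(m.group(1), 16)
        while elided and len(data) < offset:
            data += last_row  # '*' = previous row repeated up to this offset
        elided = False
        if m.group(2):
            last_row = bytes.fromhex(m.group(2))
            data += last_row
    return bytes(data)

def triage_sector(sector, block=16):
    """Summarise block repetition and the MBR boot signature of one sector."""
    blocks = [sector[i:i + block] for i in range(0, len(sector), block)]
    top_block, top_n = Counter(blocks).most_common(1)[0]
    return {
        "mbr_signature": sector[510:512] == b"\x55\xaa",
        "distinct_blocks": len(set(blocks)),
        "top_block_repeats": top_n,
        # Assumption: one non-zero block dominating = unchained cipher output.
        "ecb_like": top_n > len(blocks) // 2 and any(top_block),
    }

if __name__ == "__main__":
    print(triage_sector(parse_hexdump(SAMPLE)))
```

On this dump the sector expands to a full 512 bytes, with one non-zero block repeated 30 times out of 32 and no plaintext boot signature, which is consistent with an encrypted, mostly zero-filled sector rather than a truncated read.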