reallymine

I am curious if anyone has an idea...

Open Zibri opened this issue 2 years ago • 6 comments

I have a 14 TB My Book in its enclosure. I reverse engineered all WD apps and got my personal list of commands for the drive (which does not differ much from the known one). I have noticed this: if you do an ERASE (rekey) and then try to read the raw drive (still in the enclosure) you will find "apparently random" data all over the drive, BUT only in the blocks that have been written at least once. In any other block, you will find ZEROES.

Also: I wrote a TB of zeroes and then issued the erase. Now, obviously in that terabyte of data I have "random" bytes. BUT... I was expecting to find repetitions in those bytes, but there are not any!

What is happening is that the drive encryption key changes when you issue the erase command, so when you read back the data you read data encrypted with key "A" and decrypted with key "B".

I also found out that the HANDY STORE stays the same, and while WD uses only one block, 16 blocks of 512 are available.

Do you have any idea how to retrieve the encryption key? After an erase the default is gone. (Not talking about the password.)

Zibri, Jan 20 '23 21:01
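The repetition check described in the post above, as an added example that is not part of the original thread: in a block mode with no per-sector tweak (ECB), identical ciphertext blocks stay identical after decryption with any key, so a zero-filled region would still show repeated 16-byte blocks after a rekey. The 16-byte block size, the function names and the sample image are assumptions constructed for the example.

```python
import hashlib
from collections import Counter

SECTOR = 512  # sector size, as in the thread's "blocks of 512"
BLOCK = 16    # assumption: a 128-bit block cipher such as AES

def blocks(sector):
    return [sector[i:i + BLOCK] for i in range(0, len(sector), BLOCK)]

def classify_sector(sector):
    """'zero' = all zero bytes, 'repeating' = some 16-byte block occurs
    twice inside the sector, 'unique' = every block differs."""
    if not any(sector):
        return "zero"
    b = blocks(sector)
    return "repeating" if len(set(b)) < len(b) else "unique"

def survey(image):
    """Count sector classes and distinct block values seen more than once
    anywhere in the non-zero sectors (repeats across sectors included)."""
    labels, seen = Counter(), Counter()
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        sector = image[off:off + SECTOR]
        label = classify_sector(sector)
        labels[label] += 1
        if label != "zero":
            seen.update(blocks(sector))
    repeated = sum(1 for n in seen.values() if n > 1)
    return dict(labels), repeated

def _stream(seed, n):
    """Deterministic filler bytes for the constructed sample (not a cipher)."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                   for i in range(n // 32 + 1))
    return out[:n]

def sample_image():
    """Constructed 6-sector image: 2 never-written sectors, 2 sectors that
    repeat one block (ECB-like), 2 sectors with no repeats."""
    ecb_like = _stream(b"blk", BLOCK) * (2 * SECTOR // BLOCK)
    return bytes(2 * SECTOR) + ecb_like + _stream(b"sec", 2 * SECTOR)

if __name__ == "__main__":
    print(survey(sample_image()))
```

On a real dump, a repeated count of zero across a region known to have held identical plaintext is what a mode with a per-sector tweak or IV would produce.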

"I was expecting to find repetitions in those bytes, but there are not any!" This is unexpected.

I can recover the destroyed key after an erase only for the JMS538S chip.

themaddoctor, Jan 20 '23 22:01

For the OXUF943SE chip, there is a backup keyblock. I don't know if it is overwritten in a quick erase.

themaddoctor, Jan 20 '23 22:01

I don't know what controller this is. I haven't opened it yet. Inside there is this drive: WDC WD140EDGZ-11B1PA0 (7200 rpm). You can get it with this command:

```sh
# Find the SCSI generic device of the My Book enclosure
dev=$(sg_scan |grep "My Book"|cut -d' ' -f 1)

# ATA PASS-THROUGH (16) carrying IDENTIFY DEVICE (0xEC): dump the 512-byte
# response as hex, cut out the model string and swap each byte pair
sg_raw 2>/dev/null "$dev" -r 512 85 08 0e 00 00 00 01 00 00 00 00 00 00 00 ec 00 -o -|xxd -c 0 -ps|cut -c 109-165|while read -N2 a;do read -N2 b;echo -n $b$a;done|xxd -r -p
```

Zibri, Jan 20 '23 23:01

I also was trying to disable drive encryption so that the USB bridge becomes transparent, but I didn't find a way.

Zibri, Jan 20 '23 23:01

I use the cryptsetup program and the AES module built into my kernel to use my drive after I took it out of the case and installed it into my desktop.

themaddoctor, Jan 20 '23 23:01

Also, it seems that it is the drive that has encryption and not the bridge. These are the specifications of the WDC WD140EDGZ-11B1PA0: https://documents.westerndigital.com/content/dam/doc-library/en_us/assets/public/western-digital/product/data-center-drives/ultrastar-dc-hc500-series/product-manual-ultrastar-dc-hc530-sata-oem-spec.pdf

Zibri, Jan 21 '23 00:01