Recovery - My Passport Ultra Metal

Open ellamarvin opened this issue 2 years ago • 2 comments

Hi guys. Hope u can help me :) Specs:

  • VID/PID = 1058:082a
  • Chip P/N = JMS569 - Controller: 2060-771961-001 REV A
  • Product Name = 1 TB My Passport Ultra Metal production date: 11. Oct 2014
  • FW Version: v1.012

My password is missing. I lost it some years ago and can't remember... it's WD-Locked - Full Disk Encryption

Some info about the chip...

JMS569

The JMS569 is another USB-to-SATA bridge from JMicron based on the 8051 architecture. This bridge is used in newer MP devices compared to the JMS538S and does not support HW accelerated AES encryption like most of the MP bridges. The only possible "AES Mode" supported is 0x30, which refers to the FDE option. The host can not supply any host generated key material for the AES key if calling the erase VSC. Everything is generated and set within the HDD. Analyzing this is future work. Nevertheless did we encounter encrypted data on the HDD when accessing the HDD directly with a user set password, as the AES encryption is now done by the HDD directly.

Facing a protected HDD is not a new problem for HDD forensics. As there are already existing commercial solutions (e.g. PC-3000), we analyzed the HDD directly with those tools. Their approach seems to follow a straight pattern, which allows SA access by overwriting the RAM/ROM and bypass security features like ATA passwords and optionally AES keys. By forcing SA access and manipulating the SA area 0x124 and 0x127 we were able to unlock the HDD and disable the SATA AES encryption. Note that this works always, independent of the chosen user password and bridge status.

We did not look further into the details of AES-key generation and validation as this solution is enough to get full user-data access. This has only been tested on a single available device with VID:PID, 1058:0820. As our focus was mainly USB bridges supporting HW AES, this chip has not received much attention and should go into future work. Furthermore, most of this attack is based on commercial tools, so we don't provide a detailed attack to evade conflicts with the vendors and to comply with the responsible disclosure model [11]. A list of different VID:PIDs that might be using the JMS569 chip, are listed in Table 6.

Does it make sense to try it with reallymine? Or is it anyway in "read" mode only?!

Is the only way to change the controller to SATA - to gain full access via PC-3000?! Any ideas to start with?

best regards, marv

ellamarvin avatar Jun 14 '23 10:06 ellamarvin

The info you posted appears to be from Alendal's paper. I suggest you contact the authors, since I would not be able to help.

themaddoctor avatar Jun 14 '23 20:06 themaddoctor

> The info you posted appears to be from Alendal's paper. I suggest you contact the authors, since I would not be able to help.

Thanks buddy. I'll try

ellamarvin avatar Jun 21 '23 10:06 ellamarvin