reallymine
Decrypt without WD password?
My friend's father seems to have set a password on his WD Live Essentials 1TB disk (he isn't sure, but I guess there's a password set if reallymine asks for it?).
I removed the USB case and connected it directly using SATA, because it gave read errors otherwise. Is there a way to tell if there's really a password set or if the USB case has an issue?
It's a WD10EARS (MF: 29 NOV 2009), controller is an INIC-1607B.
Keysector:
Thank you very much.
I tried the steps listed in themaddoctor's PDF using the default KEK, `sudo file -sL /dev/mapper/wd` returns `/dev/mapper/wd: data` - I guess there's really a password set using the WD software?
If you have a list of possible passwords, you could try them each until you can decrypt the DEK. Or you might try contacting the authors of this paper: https://eprint.iacr.org/2015/1002.pdf
From my understanding there is... I know mad doctor has more info, but I believe when the user password is set, that adds another layer... it has been a while since I looked into this.
On Mon, Aug 28, 2023, 8:16 AM Martin Karer @.***> wrote:
> I tried the steps listed in themaddoctor's PDF using the default KEK, sudo file -sL /dev/mapper/wd returns /dev/mapper/wd: data - I guess there's really a password set using the WD software?
> If you have a list of possible passwords, you could try them each until you can decrypt the DEK. Or you might try contacting the authors of this paper: https://eprint.iacr.org/2015/1002.pdf
Thanks, interesting read, sounds like it is quite easy to bypass the protection if you have the right skills (which I don't).
I'll ask him for a list of possible passwords and how important the data on the disk is for him.
I just called him and tried his passwords without success. He also told me that the disk only started asking for a password on his new computer and it was working fine when he used it on his old computer (which got replaced).
I assume he might have set a password many years ago and checked "remember password" on the old computer, or the firmware of his drive might be affected by the bug reported here: https://superuser.com/a/1615217 (sadly, I can't find anything else related to that bug).
Short update: He brought me his old nonworking notebook that recognized the disk before, so I cloned the Windows disk, applied the oldest restoration point I've found, and it still asks for the password.
@themaddoctor Sorry for bothering you with this, I just talked to my friend (his daughter) and the data on the disk is important for him. Do you still help out directly occasionally? I can ask him to register here and provide proof of ownership and whatever is needed to not break any laws.
The only thing I could do is try a list of passwords. Ask your friend for all of the passwords that he could ever have used.
If the problem is the bug you mentioned, then the key is lost forever.
> The only thing I could do is try a list of passwords. Ask your friend for all of the passwords that he could ever have used.

Do you have different tools to test the passwords, or is it the same if I just test them using reallymine (that's what I tried before, but none of the passwords he told me worked)?
I can automate it and try some variations, but essentially it's the same.