reallymine
decrypt files and not image file?
Hi there,
I finally got all fixed and reallymine is now decrypting my drive !!! thank you so much !
One question remains, is there any way to just put all the files just like they were on another hard drive ? I prefer to "simply" copy the folders and files without creating an .img file. Is that possible ?
thanks !!
Decrypting under windows?
Afaik it has to output to an image.
But I think somebody did something with a program called cryptab. It was mentioned in early issues.
On Nov 10, 2016 9:22 AM, "silkyclouds" wrote:
— You are receiving this because you are subscribed to this thread. Reply to this email directly, or view it on GitHub https://github.com/andlabs/reallymine/issues/20
No, reallymine does not know anything about partitions or filesystems, so it cannot extract files. Sorry.
It can be done on Linux, using cryptsetup with the key that reallymine extracts. Feel free to contact me at thomas dot a dot kaeding at gmail dot com if you want to try it.
Cool. That would be interesting to be able to mount an encrypted image. Do you have a PDF or a blog about it?
On Feb 4, 2017 10:23 AM, "themaddoctor" wrote:
— You are receiving this because you commented. Reply to this email directly, or view it on GitHub https://github.com/andlabs/reallymine/issues/20#issuecomment-277456956
No. So far I have succeeded with the JMicron and Symwave chips.
There is a PDF mentioned in notes/story.md in the reallymine code that is very helpful, but it doesn't include anything about the Linux part.
Something like this works for the Symwave chip:

    echo 2850018b293e7af277eb8b6d7aabb7060ccddf0392a312e600eb76cc5560af3b | xxd -p -r | \
        sudo cryptsetup -c aes-ecb --key-size=256 -d - --hash=plain create wd /dev/sdb

But for the JMicron chip, I needed to handle the reversal of each block of 16 bytes by creating a new encryption module.
After 'cryptsetup', you can use 'kpartx' to detect the partitions, and 'mount' to mount them.
If you are willing to run Linux (even if only temporarily) and email me the first 2MB and the last 2MB of your drive image, I may be able to send you commands specific to your situation. (I say "may" because I'm about 80% sure.)
And what is this cryptsetup?
cryptsetup is specific to Linux. It allows you to set up an en/decryption layer with another program called device mapper. It creates a new device that can be mounted, formatted, etc. just like a normal hard drive. I'm attaching a PDF that I wrote just now. The JMicron and Symwave parts are there, but the Initio and PLX parts are waiting for data to test. Mounting encrypted WD disks in linux.pdf
If I might make a suggestion, it might be good to include hexadecimal equivalents in your key location tables. While not everyone might need them, I feel they do help reveal the logic or pattern by which those locations are determined. I'm all but certain there IS some logic going on, there, though I don't have the resources to pursue it myself.
In the next revision. Do you have any Initio or PLX samples that I can play with?
I'm afraid I don't. All I've got is the one drive I was recovering. I don't expect to run into any others, but if I do, I'll see what I can do about that.
I noticed the PDF here has instructions for the JMS528S but my board was a JMS538S. Will the same instructions apply?
They should; see if reallymine gets a DEK out with getdek to confirm.
Sorry, that was a typo. The PDF should have said "JMS538S"
Looks pretty good! I take it from all those strikeouts that the PLX version still needs a lot of work?
Thanks. I'm still waiting for samples to try for INIC and PLX. But not a lot of work left; mostly just checking. I was able to extract the same key from their keyblock as Alendal et al. in "got HW encryption?", but can't test the decryption without a keyblock and start block from the same disk, as you know.
Is it true that you could skip collecting the DEK by using reallymine getdek?
I don't see why not.
getdek is for collecting the DEK. The DEK is necessary for retrieving the encryption key (except on some chips where the security is bad).
so I was able to get the module to build and the DEK into dek.hex (which I assume should just be the hex value that getdek dumps out as a string in the file).
I run the commands to create the new device (/dev/sdc is the correct hardware device):

    cat dek.hex | xxd -p -r | sudo cryptsetup -d - --hash=plain \
        --key-size=256 -c aes-ecb create wd2 /dev/mapper/wd1
    echo "" | sudo cryptsetup -c rev16-ecb -d - create wd /dev/mapper/wd2

Then if I do file -s /dev/mapper/wd it says it is a symbolic link to /dev/dm-2. If I do a file -s /dev/dm-2 it correctly shows me it is an MSDOS device with 1 partition.
However, if I try to use kpartx to stat the partition I get a message about it trying to read past the end of the disk and then if I try to stat it again, I get a kernel panic and have to reboot the machine.
Any ideas what to check for or do at this point?
Yes. Firstly, use /dev/dm-2. You're the second person to tell me that they get a symbolic link. "file -sL /dev/mapper/wd" will work, though.
Next, dump the partition table to the console, so that you can get details about your partition:

    fdisk -l /dev/dm-2

Use losetup to create a device that maps to the partition, instead of kpartx. Something like

    losetup -o 2048 /dev/dm-2

I'm guessing that partition 1 starts at sector 2048. Adjust this number to fit your case. There is also a --sizelimit option to losetup, to tell it to limit the new device to a certain size, but you probably don't need it, because the file system knows how big it is. You might need to use sudo for this.
If that succeeded, you can try to mount /dev/loop0 (or whatever number was created; losetup -j /dev/dm-2 might help you find out).
Could you do me the favor of sending me a copy of rev16.ko, as well as the name of your Linux distribution, and the output of "uname -a" ? I want to collect copies in order to help those with less technical acumen. Thank you.
Running fdisk:

    # fdisk -l /dev/dm-2
    Disk /dev/dm-2: 1.4 TiB, 1500301910016 bytes, 2930277168 sectors
    Units: sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disklabel type: dos
    Disk identifier: 0x0003ccdf

    Device               Boot Start        End    Sectors Size Id Type
    /dev/mapper/wd-part1      2048 2930210815 2930208768 1.4T  7 HPFS/NTFS/exFAT

Running losetup:

    losetup: /dev/dm-2: failed to use device: Success

That is a very helpful error message? At this point, losetup -j /dev/dm-2 does not return anything. I am running all of this as root to be clear.
Also, I can provide my files. I built this on the latest Ubuntu 16.04.2 server with kernel 4.4.0-64-generic. I'll get that to you sometime today. Do you want them here? Email?
Try this:

    losetup -o 1048576 -f /dev/dm-2

I did not know (or maybe forgot) that the offset is in bytes, not sectors. And I did some experimenting and for reasons I don't understand, the "-f" is needed.
Files can be zipped and uploaded here. Github doesn't like zip files that I create, and you might have the same problem. So my email is thomas dot a dot kaeding at gmail dot com.
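The two losetup attempts in this thread differ only in the unit of the offset: fdisk reports the partition start in sectors (2048), while losetup's -o and --sizelimit take bytes (2048 * 512 = 1048576). The script below is an added example, not code from the thread or from the reallymine project. It parses the fdisk -l output posted above (embedded here as a constructed sample so it runs without a real device), reads the logical sector size, and derives the byte offset and size limit that losetup expects. The function names, the losetup_cmd helper and the use of losetup's --show flag (which prints the loop device it picked) are this example's own choices.

```shell
#!/bin/sh
# Added example: derive losetup byte offsets from `fdisk -l` output.
# fdisk prints sector numbers; losetup -o and --sizelimit want bytes.

# Constructed sample: the fdisk output posted in the thread, embedded so
# the functions can be exercised without a decrypted mapper device.
SAMPLE_FDISK='Disk /dev/dm-2: 1.4 TiB, 1500301910016 bytes, 2930277168 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x0003ccdf

Device Boot Start End Sectors Size Id Type
/dev/mapper/wd-part1 2048 2930210815 2930208768 1.4T 7 HPFS/NTFS/exFAT'

# sector_size FDISK_OUTPUT: logical sector size in bytes (4th field of
# the "Sector size (logical/physical): 512 bytes / 512 bytes" line).
sector_size() {
    printf '%s\n' "$1" | awk '/^Sector size/ { print $4; exit }'
}

# part_field FDISK_OUTPUT N start|sectors: the Start or Sectors column of
# the N-th partition line. A bootable partition carries "*" in the Boot
# column, which shifts every later column by one; handled via `off`.
part_field() {
    printf '%s\n' "$1" | awk -v n="$2" -v f="$3" '
        /^\/dev\// {
            i++
            if (i != n) next
            off = ($2 == "*") ? 1 : 0
            if (f == "start")   print $(2 + off)
            if (f == "sectors") print $(4 + off)
            exit
        }'
}

# loop_offset_bytes FDISK_OUTPUT N: byte offset of partition N (losetup -o).
loop_offset_bytes() {
    ss=$(sector_size "$1")
    start=$(part_field "$1" "$2" start)
    if [ -z "$start" ] || [ -z "$ss" ]; then
        echo "partition $2 not found in fdisk output" >&2
        return 1
    fi
    echo $((start * ss))
}

# loop_size_bytes FDISK_OUTPUT N: partition length in bytes
# (losetup --sizelimit), so the loop device cannot read past the end.
loop_size_bytes() {
    ss=$(sector_size "$1")
    count=$(part_field "$1" "$2" sectors)
    if [ -z "$count" ] || [ -z "$ss" ]; then
        echo "partition $2 not found in fdisk output" >&2
        return 1
    fi
    echo $((count * ss))
}

# losetup_cmd DEVICE N FDISK_OUTPUT: the losetup invocation to run as root.
# -f picks the first free loop device; --show prints which one was used.
losetup_cmd() {
    off=$(loop_offset_bytes "$3" "$2") || return 1
    size=$(loop_size_bytes "$3" "$2") || return 1
    echo "losetup -f --show -o $off --sizelimit $size $1"
}

# Against the embedded sample (on a real system, pass "$(fdisk -l /dev/dm-2)"):
loop_offset_bytes "$SAMPLE_FDISK" 1
losetup_cmd /dev/dm-2 1 "$SAMPLE_FDISK"
```

The printed command is the one to run (as root) before mounting /dev/loopN; computing the offset from the sector size rather than assuming 512 also keeps it correct on 4K-sector disks, where fdisk's "Sector size" line reports 4096.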
Sweet! That worked. I now have access to this dumb drive. You are a gentleman and a scholar.
I also can't get Github to take this dumb zip file. Watch for an email.
Yay! Success!
Yesssss. Great job by all; props to the doc.
On Mar 1, 2017 3:23 PM, "themaddoctor" wrote:
— You are receiving this because you commented. Reply to this email directly, or view it on GitHub https://github.com/andlabs/reallymine/issues/20#issuecomment-283474659
Reviewing the man file for losetup (https://linux.die.net/man/8/losetup), I think the -f option tells the computer to find the first loopback device available, or use the device indicated if you supply one. I think the tool actually wants two filespecs: one for the loop device, and one for the file the device is supposed to use. I think -f in this case is telling losetup either to find the first available one to access /dev/dm-2, or perhaps to use that path AS the loop device.
Not sure that helps...
There was a problem in the instructions: a conflict between names used by cryptsetup and kpartx. Here's an updated version. Mounting encrypted WD disks in linux.pdf
Still need PLX samples? I have 4TB PLX/Oxford encrypted drive here. :)
Yes, I do.
Can you dump sectors 7814036350 through 7814036365 and zip it for me?

    sudo dd if=/dev/sdX skip=7814036350 count=16 of=4tbplx.bin

(replace X with the right thing)