reallymine icon indicating copy to clipboard operation
reallymine copied to clipboard

Published 20 hours ago verified publisher icon andlabs

Can't dump on mac os x

Open thomasbrunstrom opened this issue 7 years ago • 5 comments
trafficstars

Hello, I have a WD My Passport Air which I'm trying to decrypt (lost password) but all i get from the command line is the following:

$ reallymine dumpkeysector /dev/disk3 outfile.bin 
error running dumplast: non-empty sector not found

$ reallymine decrypt /dev/disk3 test2.img
error running decrypt: key sector not found

So my question is: Am I doing something wrong or is there anything else I can try?

I'm running on mac os x sierra if that's any importance. The WD Security program finds the hard drive and asking me for the password (which i can't remember). And I'm using the right path to the drive. /dev/disk3.

The model on the case says 3214B R/n: D98, CBADDA. Let me know if you need any more information like P/N or S/N. (Don't know if that's something i should keep secret?)

thomasbrunstrom avatar Dec 28 '17 01:12 thomasbrunstrom

Won't work for passports unless you bypass the encryption chip. Some older models had the chip on a separate board, but for the newer ones, it is integrated into the disk controller board.

To use decryption software, the bare drive has to be connected to the computer with a nonWD enclosure or directly by SATA. With MyBook models, you can take the drive out of the case and remove the USB bridge card. For the new Passports, you can't.

There are ways to bypass the encryption chip. If you google it, you might find something. Someone once shared this link with me: http://blog.acelaboratory.com/pc-3000-hdd-how-to-solder-a-sata-adapter-to-the-usb-western-digital-drive.html Follow it at your own risk.

Even if you do bypass the encryption chip and get to the bare (encrypted) data, recovering a lost password might require more than ReallyMine. (it depends on which chip was used on your drive)

themaddoctor avatar Dec 28 '17 02:12 themaddoctor

Does dumplast work? If not, you may need to use sudo.

andlabs avatar Dec 28 '17 21:12 andlabs

I had the same "sector not found" issue with dumpkeysector, decrypt, and dumplast on MacOS Sierra.

# reallymine dumplast /dev/disk5 dumplast0627.out
error running dumplast: non-empty sector not found

I believe I have been able to work around the issues by using decryptfile after manually extracting the sectors and DEK based on @themaddoctor's instructions, but it has been very slow (more than 24 hours each to make disk image and run decryption on that image).

I can post the steps I used if there is interest and after I confirm that it worked.

One small concern, I got lots of errors like this while the decrypt was running:

fatal error: systemstack called from unexpected goroutine

gribbg avatar Jun 27 '18 13:06 gribbg

For that fatal error, I probably need to rebuild with a newer Go.

Yes, it's slow. #38 is the relevant issue, but I'm getting people telling me it doesn't actually work... and I don't know why.

andlabs avatar Jun 27 '18 14:06 andlabs

If you have the JMS538S chip, could you please post your keyblock? (hexdump -C kb.bin) Thanks.

themaddoctor avatar Jun 27 '18 18:06 themaddoctor