themaddoctor/linux-mybook-tools

Could it work to extract data from a WD My Book disk with a forgotten password?

Opened this issue · 37 comments

I have a WD My Book 3TB external disk that works properly inside its USB enclosure.
Using the software "WD SmartWare", I set a password choosing the option "Remember in this computer" when I first connected the disk to my PC several years ago.
But now, I have formatted my PC to install the latest version of W10 and I forgot to remove the password protection of the disk.
When I have reconnected the external disk, obviously, it's still password locked and I have a big problem because I can't remember the password.
I have tried more than 30 passwords that I could have used but none of them is correct.
Could I use your tools to get the password, or reset it, or extract all the data from the disk to another drive?

Thank you very much for your help.

Um, if you know what you are doing.

After you remove the hard drive from the enclosure, look at the chip on the USB-SATA bridge card. The square one near the middle of the card. What part number do you see?

This is what I see:

(attached photo: IMG_20210129_211400)

If you follow the PDF instructions to extract the keyblock, and send me the first few MB from the drive, and send some sort of proof of ownership, there is a 95% chance that I can get the encryption key for you.

It would also help to have the manufacture date from the disk label (on the hard drive, not on the enclosure).

DO NOT CONNECT THE BARE DRIVE TO A WINDOWS COMPUTER

Manufacture date from disk label = 31 DEC 2012
Fortunately, I still have the purchase invoice. I can send it to you by email (please give me your address). Would this serve as proof of ownership?
One question: could I run the procedure on a virtual machine with Ubuntu 18.04?
Thanks!

This is valid for 10 minutes: vavoc91971@boldhut.com
Yes on Ubuntu.

I have just sent you

Done

Sorry, temp mail isn't working. When I click on your message, it disappears and reassigns me a different address.

Post your address.

Secure Connection Failed

An error occurred during a connection to drive.google.com. PR_CONNECT_RESET_ERROR

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

It looks like my ISP is blocking google drive. It must be because google is a hotbed of white supremacists and insurrectionists.

Got it. I had to use a VPN. I have received your proof of ownership.

Good. Ok. I'm going to start the procedure in Ubuntu, but after reading the PDF, I think that some steps are not valid in my case.
E.g.: when you say "Did you set a password for the drive when it was in the original enclosure? If so, you need to generate the key encryption key (KEK) from it." In my case I don't remember the password.

And when I have completed "First Steps", how do I know which chip I have?

Furthermore, I have more general doubts:
If I complete the procedure successfully, will I be able to get all the decrypted files and move them to another unit? And then, will I be able to erase the drive using the software "WD SmartWare" and use it normally again with the original USB enclosure?

Thank you very much, and sorry for the inconveniences and doubts. You are being very helpful to me.

You have a JMS538S chip.

You only need to extract the keyblock and some raw material for me to work on. Use these commands, where you replace X with the appropriate letter for your drive:

sudo dd if=/dev/sdX skip=5860528160 count=1 status=none | gzip -c > keyblock.gz

sudo dd if=/dev/sdX count=4096 status=none | gzip -c > 2mb.gz

If I can recover the key (DEK), then you can recover your files. If you want the password, it will require additional work.

When I execute the commands, the results are:
(screenshot attached)

I don't know. Did you remove the drive from the enclosure and connect it with either a generic enclosure or an SATA cable? If not, then you cannot access the hidden sectors.

No. I connected the drive in its original enclosure.
You said "DO NOT CONNECT THE BARE DRIVE TO A WINDOWS COMPUTER".
I'm using a Linux virtual machine running in a Windows host with VMWare, so if I connect the drive with SATA cable, it will be connected to Windows host first. Is it dangerous for the drive?

Probably. Can you boot from a Ubuntu USB drive or DVD?

Hi!
I have booted Ubuntu from a bootable USB and with the drive in its original enclosure. The results of commands are the same :-(
Do you consider it dangerous for the drive to boot Ubuntu from USB with the drive connected via SATA?

I said: "Did you remove the drive from the enclosure and connect it with either a generic enclosure or an SATA cable? If not, then you cannot access the hidden sectors."

You said: "Do you consider it dangerous for the drive to boot Ubuntu from USB with the drive connected via SATA?"

No.

Ok. It worked!
The files:
keyblock.gz
2mb.gz

Here is your DEK (disk encryption key) in hexadecimal:
87e4013d5618751fa38a2464ac206c5078ebbe173543b4a088d14eaa0a8ad260

You can continue with the PDF instructions to read your files. To save on typing, here is a copy of rev16.c:
https://github.com/themaddoctor/linux-mybook-tools/blob/master/drivers/rev16.c
When you turn off the computer, the disk is still encrypted. If you want to access it again, you need to do so in Ubuntu.

If you want the actual password, it takes more time, and I would need a list of probable passwords.

Hi!
I have put DEK in the file "dek.hex" with echo command.
I have followed all the steps in Appendix D by placing the permanent module on my system in the directory /lib/modules/5.4.0-42-generic/kernel/crypto.
All commands worked until here.

echo | sudo cryptsetup -d - -c rev16-ecb create wd-layer1 /dev/sdc has worked fine.

cat dek.hex | xxd -p -r | sudo cryptsetup -d - --hash=plain --key-size=256 -c aes-ecb create wd-layer2 /dev/mapper/wd-layer1 resulted in: WARNING: Device /dev/mapper/wd-layer1 already contains a 'atari' partition signature.

echo | sudo cryptsetup -d - -c rev16-ecb create wd /dev/mapper/wd-layer2 has worked fine.

sudo file -sL /dev/mapper/wd resulted in: /dev/mapper/wd: DOS/MBR boot sector …

sudo kpartx -a /dev/mapper/wd worked fine. I have control, wd, wd1, wd-layer1 and wd-layer2 in /dev/mapper folder.

sudo mkdir -p /mnt/wd worked fine.

sudo mount /dev/mapper/wd1 /mnt/wd resulted in: mount: /mnt/wd: wrong fs type, bad option, bad superblock on /dev/mapper/wd1, missing codepage or helper program, or other error.

/mnt/wd is obviously empty.

I have also tried the commands in the "Mounting with a loop device" section, and the response is not only "data" in commands 2 and 3, so I guess the MBR isn't corrupted.

Do you know what might be going on?

You need to install the NTFS driver for your filesystem. The one you want is ntfs-3g.
Then do this again:
sudo mount /dev/mapper/wd1 /mnt/wd

Hi!
ntfs-3g was already installed.
sudo mount /dev/mapper/wd1 /mnt/wd still fails.

I have also tried with commands:
sudo ntfs-3g -o ro /dev/mapper/wd1 /mnt/wd
sudo mount -t ntfs-3g -o ro /dev/mapper/wd1 /mnt/wd
and both fail with the message: The device '/dev/mapper/wd1' doesn't seem to have a valid NTFS. Maybe the wrong device is used? Or the whole disk instead of a partition? Or the other way around?

Thx.

This is what I get when I decrypt your sectors 2048-2049. It is obviously an NTFS filesystem.
What do you see at the beginning of /dev/mapper/wd1?

00000000  eb 52 90 4e 54 46 53 20  20 20 20 00 10 01 00 00  |.R.NTFS    .....|
00000010  00 00 00 00 00 f8 00 00  3f 00 ff 00 00 01 00 00  |........?.......|
00000020  00 00 00 00 80 00 80 00  ff f2 a9 2b 00 00 00 00  |...........+....|
00000030  00 00 0c 00 00 00 00 00  7f f9 d4 15 00 00 00 00  |................|
00000040  01 00 00 00 01 00 00 00  be 4a d9 d8 6a d9 d8 54  |.........J..j..T|
00000050  00 00 00 00 fa 33 c0 8e  d0 bc 00 7c fb b8 c0 07  |.....3.....|....|
00000060  8e d8 e8 16 00 b8 00 0d  8e c0 33 db c6 06 0e 00  |..........3.....|
00000070  10 e8 53 00 68 00 0d 68  6a 02 cb 8a 16 24 00 b4  |..S.h..hj....$..|
00000080  08 cd 13 73 05 b9 ff ff  8a f1 66 0f b6 c6 40 66  |...s......f...@f|
00000090  0f b6 d1 80 e2 3f f7 e2  86 cd c0 ed 06 41 66 0f  |.....?.......Af.|
000000a0  b7 c9 66 f7 e1 66 a3 20  00 c3 b4 41 bb aa 55 8a  |..f..f. ...A..U.|
000000b0  16 24 00 cd 13 72 0f 81  fb 55 aa 75 09 f6 c1 01  |.$...r...U.u....|
000000c0  74 04 fe 06 14 00 c3 66  60 1e 06 66 a1 10 00 66  |t......f`..f...f|
000000d0  03 06 1c 00 66 3b 06 20  00 0f 82 3a 00 1e 66 6a  |....f;. ...:..fj|
000000e0  00 66 50 06 53 66 68 10  00 01 00 80 3e 14 00 00  |.fP.Sfh.....>...|
000000f0  0f 85 0c 00 e8 b3 ff 80  3e 14 00 00 0f 84 61 00  |........>.....a.|
00000100  b4 42 8a 16 24 00 16 1f  8b f4 cd 13 66 58 5b 07  |.B..$.......fX[.|
00000110  66 58 66 58 1f eb 2d 66  33 d2 66 0f b7 0e 18 00  |fXfX..-f3.f.....|
00000120  66 f7 f1 fe c2 8a ca 66  8b d0 66 c1 ea 10 f7 36  |f......f..f....6|
00000130  1a 00 86 d6 8a 16 24 00  8a e8 c0 e4 06 0a cc b8  |......$.........|
00000140  01 02 cd 13 0f 82 19 00  8c c0 05 20 00 8e c0 66  |........... ...f|
00000150  ff 06 10 00 ff 0e 0e 00  0f 85 6f ff 07 1f 66 61  |..........o...fa|
00000160  c3 a0 f8 01 e8 09 00 a0  fb 01 e8 03 00 fb eb fe  |................|
00000170  b4 01 8b f0 ac 3c 00 74  09 b4 0e bb 07 00 cd 10  |.....<.t........|
00000180  eb f2 c3 0d 0a 41 20 64  69 73 6b 20 72 65 61 64  |.....A disk read|
00000190  20 65 72 72 6f 72 20 6f  63 63 75 72 72 65 64 00  | error occurred.|
000001a0  0d 0a 4e 54 4c 44 52 20  69 73 20 6d 69 73 73 69  |..NTLDR is missi|
000001b0  6e 67 00 0d 0a 4e 54 4c  44 52 20 69 73 20 63 6f  |ng...NTLDR is co|
000001c0  6d 70 72 65 73 73 65 64  00 0d 0a 50 72 65 73 73  |mpressed...Press|
000001d0  20 43 74 72 6c 2b 41 6c  74 2b 44 65 6c 20 74 6f  | Ctrl+Alt+Del to|
000001e0  20 72 65 73 74 61 72 74  0d 0a 00 00 00 00 00 00  | restart........|
000001f0  00 00 00 00 00 00 00 00  83 a0 b3 c9 00 00 55 aa  |..............U.|
00000200  05 00 4e 00 54 00 4c 00  44 00 52 00 04 00 24 00  |..N.T.L.D.R...$.|
00000210  49 00 33 00 30 00 00 e0  00 00 00 30 00 00 00 00  |I.3.0......0....|
00000220  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

If the filesystem is corrupted, there are tools like ntfsfix, but I can't really say anything about how to use them.

What command can I use to see the beginning of /dev/mapper/wd1?

Here is a problem:
Device Boot     Start        End     Blocks  Id System
x1                256  732558335  366279040   7 HPFS/NTFS/exFAT

Your partition table uses blocks of a different size. You need to use the loopback method.

hexdump -C /dev/mapper/wd1

(screenshot attached: 2021-02-02 20-26-45)

When you said "You need to use the loopback method" do you mean section "Mounting with a loop device" on your manual?

From your output, you can see that there are some blocks of trash before your NTFS header. This is because kpartx used your partition table (which has the wrong block size).

Use kpartx -d /dev/mapper/wd to remove the wd1 entry.

Use the commands on the second half of page 13 to set up the loopback device instead of using kpartx.
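As an added illustration of the point above (example code, not from linux-mybook-tools or this thread): the MBR on this drive records its start LBA in the enclosure's 4096-byte blocks, so kpartx, which assumes 512-byte sectors, mapped wd1 to the wrong offset. The script parses the partition entry, probes both block sizes for the NTFS boot-sector signature, and prints the read-only losetup command; the device path /dev/mapper/wd and the fdisk values come from the thread, while the disk image it reads is constructed.

```python
"""Added example (not part of linux-mybook-tools): find the right byte offset for a
partition whose MBR was written with a different logical block size than the kernel
assumes. The My Book bridge exposes 4096-byte blocks, so an MBR start LBA of 256
means byte 256*4096 (512-byte sector 2048), while kpartx reads it as 256*512."""
import struct

NTFS_OEM = b"NTFS    "  # OEM id at bytes 3..11 of an NTFS boot sector
BOOT_SIG = b"\x55\xaa"  # bytes 510..512 of both the MBR and the NTFS boot sector

def mbr_entries(mbr):
    """Yield (type, lba_start, lba_count) for every used primary MBR slot."""
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("no MBR signature")
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4]:  # partition type byte; 0 means empty slot
            yield entry[4], start, count

def probe_block_size(read_at, lba_start, candidates=(512, 4096)):
    """Return the block size for which lba_start lands on an NTFS boot sector."""
    for bs in candidates:
        sector = read_at(lba_start * bs, 512)
        if sector[3:11] == NTFS_OEM and sector[510:512] == BOOT_SIG:
            return bs
    return None

def losetup_command(device, image):
    """Return (block_size, read-only losetup command) for the first MBR entry.
    `image` stands in for the decrypted device; `device` is only echoed."""
    _ptype, start, count = next(mbr_entries(image[:512]))
    bs = probe_block_size(lambda off, n: image[off:off + n], start)
    if bs is None:
        raise ValueError("no NTFS boot sector at start LBA for 512 or 4096")
    return bs, (f"sudo losetup -f --show -r -o {start * bs} "
                f"--sizelimit {count * bs} {device}")

def build_sample_image(block_size):
    """Constructed sample: one NTFS (type 7) entry, start LBA 256, count 366279040
    (the fdisk values from the thread); boot sector placed at 256*block_size."""
    img = bytearray(256 * block_size + 512)
    img[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 256, 366279040)
    img[510:512] = BOOT_SIG
    boot = bytearray(512)
    boot[0:11] = b"\xeb\x52\x90" + NTFS_OEM
    boot[510:512] = BOOT_SIG
    img[256 * block_size:256 * block_size + 512] = boot
    return bytes(img)

if __name__ == "__main__":
    print(losetup_command("/dev/mapper/wd", build_sample_image(4096))[1])
```

Against the real decrypted device, replace the constructed image with reads from /dev/mapper/wd and mount the resulting loop device read-only, which is what the "Mounting with a loop device" section does by hand.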

Unbelievable!!! We got it!
You're a machine! I don't know how I can thank you for all the help you've given me.

You're welcome.