themaddoctor/linux-mybook-tools

Help with a disk image of a WD My Passport with no password set

Opened this issue · 23 comments

Please excuse me for any inappropriateness, as I am pretty new here.
Here is how it happened.
I had a WD My Passport 1TB, of which I am not sure of the chips, as the physical drive is not with me at the moment.
This WD Passport was purchased around 2009 (10?), and was used to contain all my work of photos from 2009 to 2012. From whatever I remember, I had never set a password on it.
It worked fine until 2013, when I plugged the drive into a Smart TV USB port to show the photos to my wife (at this time the photos in the drive showed up perfectly). At first there was no problem. However, after two or three days a clicking sound was heard. Then it failed.
After taking it to a WD designated data recovery centre, I was told that the hardware had failed permanently, and when I asked them about the files, I learned for the first time that WD automatically encrypted files. But the service area could be bad, unless I could obtain the same hardware HD. Otherwise they cannot get the files at all.
So I asked them to make a disk image, and I have kept the disk image for the past ten years.

Here is the info about the image:

[image: iso info]

I tried other disk recovery software on this image.
In fact, one program gave me several files that can be rescued: some WD exes, docs, html, and two big files.
[image: wdmypassport+issue1147]
I guess these must be the encrypted data. Of course I couldn’t possibly open these archives.

Then I came across the Reallymine and linux-mybook-tools projects. You could never imagine how excited I was when finding these projects!
So I started to use reallymine decrypt to decrypt the image. I was asked to “Enter WD password”, which I believe I never set.
I used the default Pi password, but it said “Wrong Password”.

Output from the command “reallymine dumpkeysector”:
[image: wdmypassport+issue1573]

Output from “reallymine dumpfirst”:

[image: wdmypassport+issue1613]

Output from “reallymine dumplast”:
[image: wdmypassport+issue1650]

Then I tried to use @themaddoctor’s Linux Mybook Tools.

1. In Ubuntu 22.04, the 1TB image is in a NAS location and mounted as /dev/loop8, as we can see from the picture here.
[image: wdmypassport+issue1829]

2. Running the command
$ sudo bash findkeyblock.sh /dev/loop8

[image: wdmypassport+issue1888]

So here is the question:
How do I proceed from here? Is there any hope that these files can be recovered at all?

Any suggestions, help and tutorials are greatly appreciated.
Thanks in advance to everyone and in particular to the wonderful @andlabs and @themaddoctor for creating wonderful programs.

Instead of sending me a screenshot of the keysector, send me the actual keysector.

@themaddoctor thanks for answering me. Here is a zip of the first sector, last sector and keysector.
sectors.zip

Also, from the keysector dump it looks like a JMicron JMS538S chip, so I first followed the instructions as in the PDF, but when coming to hexdump, it didn't come with keyblock. So I tried findkeyblock.sh, but to no avail. Again, great thanks.

When was the disk manufactured? The date should be on the label.

> When was the disk manufactured? The date should be on the label.

The physical drive is not with me, but the exe files that I recovered from the image say 2010/09/09, as can be seen from the attached unlock.exe.
Unlock.zip

It appears that the chip was not JMS538S, so there is nothing I can do.
If you can recover the physical chip and determine that I am incorrect, then I will take another look.

@themaddoctor thank you anyway.
It seems that if I search the whole image with a hex editor, I do find many WMYS blobs. I will try to find the physical drive when going back home in two or three months.
Again, great thanks. :)

Why don't you see if any of the WMYS blocks are the keyblock?

> Why don't you see if any of the WMYS blocks are the keyblock?

Can I do this by following the instructions about Symwave SW6316?
I tried
$ sudo dd if=/dev/loop8 bs=512 skip=1953521027 count=1 of=kb0.bin

but when I hexdump it, it doesn't show the WMYS blob.

Just now I ran reallymine again and the same keysector was dumped.
[image: Screenshot 2024-03-31 160600]

Does this mean that I should modify the "skip" parameter to 1,731,355,296 instead of the standard 1953519648?
$ sudo dd if=/dev/loop8 bs=512 skip=1731355296 count=1 of=kb.bin

This resulted in kb.bin with a WDV1 blob. Then I ran jms538s-extract-DEK-from-keyblock.sh and got the message:
"decryption of keyblock failed"

Attached are the kb.bin and kek.hex.

resultbyskipping parameter change.zip

> When was the disk manufactured? The date should be on the label.

Finally I got hold of the physical disk. It was manufactured in March of 2011, and the chip was Symwave 6316 3VB14. When I dumped the service area, the dump was empty or the word "Bad", which may be why the WD service said the disk has a corrupted Service Area.
Is there any other possibility of recovering data from it?

Dump everything starting with sector 1900000000 and zip it. I will look at it to see if I can find the keyblock.
If it's not there, then you need to find someone to dump the ROM chips next to the Symwave chip.

> Dump everything starting with sector 1900000000 and zip it. I will look at it to see if I can find the keyblock.
> If it's not there, then you need to find someone to dump the ROM chips next to the Symwave chip.

Thanks a lot for the information.
I was wondering if the command I am using is correct.
$ sudo dd if=/dev/loop18 bs=512 skip=1900000000 count=53525168 of=kb.bin
This command produced a file greater than 25GB and stopped growing due to limited space.
[image: Screenshot 2024-08-17 053706]

The exact model is My Passport WD10TMVW-11ZSMS1, manufactured in March 2011

Use 1953521000.

> Use 1953521000.

Thank you @themaddoctor for your quick response.

kb1.zip
This is the resulting bin file with 1953521000.

It seems the DR company had not accessed the service area, as from the successfully completed command the total number of blocks is not enough.
The total number of blocks should be 1953525168, but in the disk image the number of blocks is 1953523055.
[image]
Is that correct?

I don't know how many blocks your drive has. Zip up kb1.bin and let me look at it.

> I don't know how many blocks your drive has. Zip up kb1.bin and let me look at it.

In the last post the zipped kb1.bin is attached.
I got this number from the disk, which says "Drive Parameters LBA 1953525168 1.0TB".
kb1.zip

Here are all the blocks with WMYS blobs starting from 1900000000:
WMSYBlob-block.zip
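
The search discussed in the comments above (listing every sector from a given starting sector that contains the WMYS string), as an added example that is not part of the thread or of linux-mybook-tools. The function names, the chunk size and the small in-memory image are assumptions made for illustration; a match only marks a candidate sector and does not show that it is a keyblock.

```python
import io
import sys

SECTOR = 512
MAGIC = b"WMYS"  # the signature string searched for in the thread


def find_signature_sectors(stream, start_lba, magic=MAGIC, chunk_sectors=2048):
    """Return [(lba, offset_in_sector), ...] for each occurrence of magic
    at or after start_lba. Reads to end of stream, so no dd-style count
    (which can overshoot the image size) is needed."""
    hits = []
    stream.seek(start_lba * SECTOR)
    lba = start_lba
    while True:
        chunk = stream.read(chunk_sectors * SECTOR)
        if not chunk:
            break
        # Chunks are sector-aligned; a match straddling two chunks is
        # missed, which is fine for a header that sits inside one sector.
        pos = chunk.find(magic)
        while pos != -1:
            hits.append((lba + pos // SECTOR, pos % SECTOR))
            pos = chunk.find(magic, pos + 1)
        lba += len(chunk) // SECTOR
    return hits


def read_sector(stream, lba):
    """Return the 512 bytes of one sector, e.g. to save a candidate."""
    stream.seek(lba * SECTOR)
    return stream.read(SECTOR)


def demo():
    # Constructed 16-sector image, not data from the thread.
    img = bytearray(16 * SECTOR)
    img[2 * SECTOR:2 * SECTOR + 4] = MAGIC            # before start: skipped
    img[5 * SECTOR:5 * SECTOR + 4] = MAGIC            # at sector start
    img[9 * SECTOR + 0x20:9 * SECTOR + 0x24] = MAGIC  # inside a sector
    return find_signature_sectors(io.BytesIO(img), 4, chunk_sectors=4)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # arguments: IMAGE START_LBA
        with open(sys.argv[1], "rb") as f:
            for lba, off in find_signature_sectors(f, int(sys.argv[2])):
                print(f"LBA {lba} offset {off:#x}")
    else:
        print(demo())
```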

None of those look like key blocks.

That is bad news. Maybe I need to dump the U8 chip? Is there any how-to for dumping the chip?

I dunno. Ask someone local to you.

Thanks a lot anyway.