Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Forgot password of WD My Passport Ultra #4

Open
dx486 opened this issue Jul 31, 2016 · 34 comments

Comments

Projects
None yet
5 participants
@dx486
Copy link

commented Jul 31, 2016

Hello,

I have forgotten my password. I have an idea about the password but I can't find it.

This is the forum page where I heard about you. You can find more information about my problem there.

Can you please help me? If you would like I can pay for your time and expertise if you can help me access my files.

@andlabs

This comment has been minimized.

Copy link
Owner

commented Jul 31, 2016

Can you run reallymine briefly (until it either asks for a password or starts the decryption) to see if the type of encryption used can be detected?

(Note to self: make a standalone program for this.)

@dx486

This comment has been minimized.

Copy link
Author

commented Jul 31, 2016

Thank you for your reply. I get following error message when I run

$ go build
symwave.go:9:2: cannot find package "github.com/mendsley/gojwe" in any of:
    /usr/lib/go/src/pkg/github.com/mendsley/gojwe (from $GOROOT)
    ($GOPATH not set)

This is a debian system.

@dx486

This comment has been minimized.

Copy link
Author

commented Jul 31, 2016

Okay, I installed those files in that directory and build command worked. Now I get following error:

$ sudo ./reallymine-master /dev/sdb ~/wd.img
Finding key sector...
[BUG] error reading sector in FindKeySectorAndBridge(): read /dev/sdb: input/output error
Please report to andlabs on github.com/andlabs/reallymine.
@andlabs

This comment has been minimized.

Copy link
Owner

commented Aug 1, 2016

Is the hard drive damaged in any way?

@dx486

This comment has been minimized.

Copy link
Author

commented Aug 1, 2016

No it is not damaged. It always worked perfectly.

@andlabs

This comment has been minimized.

Copy link
Owner

commented Aug 1, 2016

Ugh, it'd be great if Unix systems were more descriptive than "input/output error"... Actually, are you connecting the hard drive directly to the computer, or is it still in the WD case?

@dx486

This comment has been minimized.

Copy link
Author

commented Aug 2, 2016

It is still in its original case & form. I connect it to my computer via USB port, using a USB 3.0 cable.

@dx486

This comment has been minimized.

Copy link
Author

commented Aug 3, 2016

Should I try to remove the case and connect it in another way?

@andlabs

This comment has been minimized.

Copy link
Owner

commented Aug 3, 2016

Yeah; reallymine won't work if the drive is still in the chasis, as it's the USB bridge that controls access to the drive when you have the wrong password. I'm not sure if there's a way to write a password recovery tool with the drive still in the chasis...

How many guesses have you made so far?

@MrDecay

This comment has been minimized.

Copy link

commented Aug 3, 2016

No. If its a smartware password I'm not sure if reallymine is the tool for
this situtation. Since the drive is working. ..

On Aug 3, 2016 9:25 AM, "dx486" notifications@github.com wrote:

Should I try to remove the case and connect it in another way?


You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
#4 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AQE6xfAhsFpsNuoxswANh24sMf4gN6Xgks5qcJwygaJpZM4JZFLG
.

@dx486

This comment has been minimized.

Copy link
Author

commented Aug 3, 2016

I removed the case. Now how should/can I connect this drive to the computer to let reallymine work?

@dx486

This comment has been minimized.

Copy link
Author

commented Aug 3, 2016

I made around 50 guesses and I can't find it. :(

@dx486

This comment has been minimized.

Copy link
Author

commented Aug 3, 2016

I probably remember the letters/words in the password. I think there are some numbers at the end of it and I can't remember them.

@athomic1

This comment has been minimized.

Copy link

commented Aug 4, 2016

You'll need to use either an external SATA case or connector, or connect the drive to an internal SATA port and power connector, if any are available. You'll need cables for these, too, if you don't have them already. Once you have that set up, the drive should show up somewhere among your devices. Just where will depend on what system you're running. You might have to monitor system logs to see it.

Assuming the drive is working, and nothing critical has been overwritten, ReallyMine MIGHT be able to recover your data without the password. If I remember correctly, all it needs is the encryption keys/data stored on the disk itself. The password is just used to generate and match the key. I might be wrong on that, though. It's been awhile since I read that paper...

I'd say, just get the drive connected as described, and try to run ReallyMine against it. It should tell you whether it finds the key, and can decrypt it.

Good luck!

@MrDecay

This comment has been minimized.

Copy link

commented Aug 4, 2016

So its possible to decrypt smartware passwords? Or does the smartware just
blocks access to the file system?

On Aug 3, 2016 9:38 PM, "athomic1" notifications@github.com wrote:

You'll need to use either an external SATA case or connector, or connect
the drive to an internal SATA port and power connector, if any are
available. You'll need cables for these, too, if you don't have them
already. Once you have that set up, the drive should show up somewhere
among your devices. Just where will depend on what system you're running.
You might have to monitor system logs to see it.

Assuming the drive is working, and nothing critical has been overwritten,
ReallyMine MIGHT be able to recover your data without the password. If I
remember correctly, all it needs is the encryption keys/data stored on the
disk itself. The password is just used to generate and match the key. I
might be wrong on that, though. It's been awhile since I read that paper...

I'd say, just get the drive connected as described, and try to run
ReallyMine against it. It should tell you whether it finds the key, and can
decrypt it.

Good luck!


You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#4 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AQE6xRD5d06q6qd3QXExEF0kHPVh0jYPks5qcVC4gaJpZM4JZFLG
.

@andlabs

This comment has been minimized.

Copy link
Owner

commented Aug 4, 2016

Symwave bridge chips do not store the encryption key in a secure way, allowing them to be decrypted without a password. With other bridge chips, you're out of luck.*

Technical details: for all these firmwares, the mechanism is the same: the password is used to generate a special encryption key (the "KEK") that encrypts the real encryption key (the "DEK"). The correct way to deal with the KEK is to not store it on the drive, instead having the unlocking program that you run on your computer generate it each time you enter the password. The same password will produce the same KEK. This way, you need the password to decrypt the data. However, Symwave stores the KEK on the drive, encrypting it with a fixed master key stored on the firmware. Oops. (Symwave also thinks RFC 3394 key wrapping saves them. It doesn't.)

*Note that the other bridge chip firmwares get some very subtle things about random number generation for producing DEKs wrong, so in theory I could write a program to brute-force the DEK out. This will take more time and require more resources than I have available right now. The paper that discusses the bridge chips has details.

@dx486

This comment has been minimized.

Copy link
Author

commented Aug 10, 2016

I have arranged a desktop computer to try this. I have opened the case and I realized that SATA connector cable and power cables do not seem like to fit anywhere.

There are [12 pins] - [USB port] - [2 pins] on the drive. Here is a close picture of the pins.

Here is another picture of the drive and its case.

Could you please tell me how exactly can I make this connection? I have found this article but I am not sure if it is relevant or if there is any easier method... This method seems almost impossible for me to apply.

@MrDecay

This comment has been minimized.

Copy link

commented Aug 10, 2016

This is a tough one. Take a picture from the back . so I can see the
circuit board number

On Aug 10, 2016 7:21 AM, "dx486" notifications@github.com wrote:

I have arranged a desktop computer to try this. I have opened the case and
I realized that SATA connector cable and power cables do not seem like to
fit anywhere.

There are [12 pins] - [USB port] - [2 pins] on the drive. Here
https://dl.dropboxusercontent.com/u/38580782/Pictures/WD%20My%20Passport%20Ultra%20bare.png
is a picture.

Could you please tell me how exactly can I make this connection? I have
found this article
http://www.datarecoverytools.co.uk/2010/05/05/how-to-connect-and-recover-usb-only-western-digital-drives-with-hd-doctor-suite/
but I am not sure if it is relevant or if there is any easier method...
This method seems almost impossible for me to apply.


You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#4 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AQE6xaFdnCELSNUey4AMf8I4M1GO74oDks5qecIygaJpZM4JZFLG
.

@dx486

This comment has been minimized.

Copy link
Author

commented Aug 10, 2016

Here is the circuit photo. Thank you!

@andlabs

This comment has been minimized.

Copy link
Owner

commented Aug 10, 2016

Can you take a picture of a view from the side you're trying to plug into a SATA cable?

@andlabs

This comment has been minimized.

Copy link
Owner

commented Aug 10, 2016

Right; the USB bridge circuit is still attached to the drive. On the 3.5" MyBook towers, it's a separate board that can be detached easily (I forget if by pulling or unscrewing) to expose the normal SATA connectors; not sure about yours, though...

@MrDecay

This comment has been minimized.

Copy link

commented Aug 10, 2016

Total different creature. In this case 2 options from a physical point.
And this is all hoping you can decrypt the drive. Option 1 like the
article states. Remove 4 coupling capacitors and bypass the usb bridge
chip(encryption chip) ×extremely difficult soldering from a novice point×.
Option 2 locate a compatible sata version of the circuit board and move the
u12 serial eprom from the USB board. Not ad difficult. But just as hard if
you have limited solder skills....but this all just in case you can decrypt
the sectors

On Aug 10, 2016 3:20 PM, "Pietro Gagliardi" notifications@github.com
wrote:

Right; the USB bridge circuit is still attached to the drive. On the
MyBook towers, it's a separate board that can be detached easily (I forget
if by pulling or unscrewing); not sure about that one, though...


You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#4 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AQE6xSHy_KKAUlVwsVXPxu0o3Aeru59Wks5qejKPgaJpZM4JZFLG
.

@dx486

This comment has been minimized.

Copy link
Author

commented Aug 10, 2016

@MrDecay I have no solder skills. I guess I am locked at this point. I may ask for professional help for SATA connection, if I can find. My other desperate options: 1. brute force the password using a Windows app/script (if I remember the words correctly) (if I can find a coder to program it), 2. manually enter passwords (I already tried more than 200 times, no avail), 3. pay to people who claim to be able to decrypt these drives. (I need to trust them first to post my drive, not easy).

@MrDecay

This comment has been minimized.

Copy link

commented Aug 10, 2016

Yes at this point. I would say be patient. Give me some time to get out of
work. And I can look for some ideas.

We can all agree that the symptom here is "smartware" security and not the
USB bridge encryption system.

@pietro ,could you clarify if reallymine can decrypt this drive if we could
dump the encrypted sectors?

On Aug 10, 2016 4:00 PM, "dx486" notifications@github.com wrote:

@MrDecay https://github.com/MrDecay I have no solder skills. I guess I
am locked at this point. I may ask for professional help for SATA
connection, if I can find. My other desperate options: 1. brute force the
password using a Windows app/script (if I remember the words correctly) (if
I can find a coder to program it), 2. manually enter passwords (I already
tried more than 200 times, no avail), 3. pay to people who claim to be able
to decrypt these drives. (I need to trust them first to post my drive, not
easy).


You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#4 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AQE6xUPnCzsWoHN8bTWHiNAMNM-8Q3XDks5qejvwgaJpZM4JZFLG
.

@andlabs

This comment has been minimized.

Copy link
Owner

commented Aug 10, 2016

Not in its current state. Because the password is used to protect the encryption key, I'd need to brute-force the encryption key somehow, as I described above, and I don't have the time to implement those algorithms right now (nor do I have a reliable way of testing them, apart from looking for things that "look like" a MBR, GPT, or APM partition map)

@dx486

This comment has been minimized.

Copy link
Author

commented Aug 11, 2016

@andlabs Do you think it would be a good idea to have that missing part of the job done by hiring a freelance programmer? How many hours of work would be needed for that job approximately? Would you write the job description and check the job if we would do that? I may consider finance that project as an open source software support.

@dx486

This comment has been minimized.

Copy link
Author

commented Aug 11, 2016

@MrDecay I would be very happy if you would be able to come with some ideas. Thank you.

@dx486

This comment has been minimized.

Copy link
Author

commented Aug 11, 2016

Just to note here:

"AIUI, the drive is a SED (VID/PID = 1058/0810):

http://www.hddoracle.com/viewtopic.php? ... 9069#p9069

This means that encryption is handled by the drive rather than the bridge. Therefore I don't think that reallymine would be applicable in your case. You could always ask the author, though.

Note that your drive will have a locked SA which means that you will need special techniques to gain access:

viewtopic.php?f=1&t=33822&p=236436

You could wait for WDMarvel (US$15) to add this feature (if it doesn't have it already?)."

Source.

@MrDecay

This comment has been minimized.

Copy link

commented Aug 11, 2016

The only person I knew about smartware bypass was Einstein on hddguru but
last I heard it was a closed off project

On Aug 11, 2016 6:20 AM, "dx486" notifications@github.com wrote:

Just to note here:

"AIUI, the drive is a SED (VID/PID = 1058/0810):

http://www.hddoracle.com/viewtopic.php? ... 9069#p9069

This means that encryption is handled by the drive rather than the bridge.
Therefore I don't think that reallymine would be applicable in your case.
You could always ask the author, though.

Note that your drive will have a locked SA which means that you will need
special techniques to gain access:

viewtopic.php?f=1&t=33822&p=236436

You could wait for WDMarvel (US$15) to add this feature (if it doesn't
have it already?)."

Source http://forum.hddguru.com/viewtopic.php?p=236910#p236910.


You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#4 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AQE6xSw3gt9n7hPb0gOSSnBsWV0FXPGGks5qewWBgaJpZM4JZFLG
.

@AbhilashMS

This comment has been minimized.

Copy link

commented May 10, 2017

@dx486 Any success in unlocking
I have the same problem with my HD.
My passport ultra which is still in case working properly.
Don't remember the password.

@dx486

This comment has been minimized.

Copy link
Author

commented May 10, 2017

@AbhilashMS Unfortunately not. My plan is to program a tool to crack the password using brute force as I probably remember most of it. However I haven't had enough time for that yet.

@andlabs

This comment has been minimized.

Copy link
Owner

commented May 11, 2017

FWIW there are some weaknesses in the way encryption keys are created that I could theoretically use to add a key brute-forcing system in for some of the chips, but the people who did that research either had to take the chips apart (which I don't have the resources or know-how to do) or wound up with several terabytes worth of data (which is obviously not going to work). Probably a distant-future thing though... And this wouldn't help you get your password out (it'd bypass the password entirely), so it won't help if you just want to continue using your drive as is (which wasn't the goal of reallymine to begin with, as I couldn't continue using my drives as is when I started working on it).

I could be misremembering things, though. Refer to the original paper for the real story.

@AbhilashMS

This comment has been minimized.

Copy link

commented May 11, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.