ATA security lock removal for seagate [Solved] ;)

After spending a few hours working on this and finding it very interesting, I now write this little article to maybe help or guide people having the same problem as me, because in my opinion this really simple matter isn't covered enough on the internet.
Don't get me wrong, it is extensively covered, but most of the coverage repeats and rehashes the same thing over and over again.
There is no new knowledge and no community (that I found) that works on this. I found the hddguru forum helpful, but exchanging real information isn't common in there. Most times I found a question that was askable, the second or third post would be like "We can't verify it's your hd so we can't help". This seems to be purely because of the lack of knowledge, because they didn't seem to have a problem with the thread itself.

But let me start at the beginning:
One week ago my uncle gave me a laptop hdd of a colleague. This guy had a friend help him set up his pc and lock his laptop's hd with a password. After a few months of not using or needing the laptop both of these guys forgot the password and tried guessing it (guess how that went). My uncle is the PC expert of their choice and so they let him work on it. Because he had no luck unlocking it he asked me to take a look at it.
This was the first time I had ever seen someone use this feature. If someone gave me this without telling me that it was locked I would probably just insert it into my usb sata reader, see input/output errors and forget it, and even if I had inserted it into my desktop pc I probably wouldn't have checked hdparm for the locked status. Now if I get a hd like this, this will be one of the first things I'll check.

Now how did I go about it?
After a short search I found a few sites and links I thought could be helpful. Especially this seemed interesting. I even found additional info on hddguru. The people didn't seem that interested in it, even though it helps you recover your hdd password.
So I downloaded the image and booted it; the third PC I tested it on even recognized my sata controller and successfully identified my hard disks.

Sidenote: I haven't written on the article for 2 months now, so the whole thing isn't as fresh in my memory as it could be.

Sadly it didn’t work all too well.
I was using a Seagate hd and this only seems to work for WD hds. Some commands just didn't get executed.
Anyway, after a while I found this. Now I could play around with a serial console, for which I had no documentation.
After I played with it for a bit I started to see that this actually might lead to something. A quick google helped and I actually found a pdf that documented the diagnostic functions.
Another 5 minutes later I saw the first few lines of memory and buffer (Dxx and Bxx).
I still didn't know what to expect of this output, but I had a new angle I could work on.
I don't want to go into too much detail for now, but I quickly realised that I could easily write a script that dumps the buffer and the memory for me and hopefully that would lead to something. I had already read somewhere that you could unlock the hd by writing something to its memory and I thought to myself that I would have to find out how to do this if I couldn't find the password in one of the dumps. I can tell you I didn't have high hopes for this; I already planned on writing an entry for the Hackaday "Fail of the Week" series.

2 hours and 2 python scripts later I had my first working PoC. For aesthetics I also hacked together a wget style status and watched the memory dump crawl :)
Another half an hour later I had the complete dump.
In the progress of my research many people suggested possible master passwords. It seems that every hd type has specific default passwords (who would have thought?) and the Seagate passwords are mostly variations of "Seagate" and spaces. I had already tried every possibility I found online, so I was sure that the default didn't apply here, and after aimlessly looking through the dump my prediction of failure seemed all too true, but I wouldn't go down without a fight! I still had a few Seagate hard disks in storage and it sure as hell wouldn't hurt locking them and creating a dump. And again, half an hour and one dump later I once again grepped through a dump with hexedit and sure enough / found me my password! Sadly, jumping to this address in the old dump didn't bring me the result I was looking for.

Another 30 minutes and another hd dump later (again a different hd) showed me that between different models the addresses vary as well. But now that I knew that the layout itself didn't change, nothing could stop me. I searched for common features, created a small regex and tried it on the new dumps I had, and what do you know? I had a sure method that found me the user and the master password contained in the dump.
Sadly the passwords for the hd I wanted to crack seemed to be garbage (because they didn't form ascii text I could enter). Again expecting failure, I tried entering the now found password with hdparm

hdparm --security-unlock "$(printf '\x0b\x0b\x0b\x0b')" /dev/sdb

and my heart skipped a beat. HELL YEAH! IT WORKS!!!!
The owner of the HD had used the bios integrated functions! I had tried brute forcing the pw before, but I could have waited forever because my dictionary attack would never have worked: the bios stores the keyboard scancodes of the typed characters, not the characters themselves, so I had to convert my password to the scancodes of its characters to unlock this hd. And sure enough, the user had used 0000 as the password.
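As an added example (not the post's own script), here is a small Python helper that encodes a password the way the BIOS did here, as PC/AT scan code set 1 make codes (so "0000" becomes the \x0b\x0b\x0b\x0b from the hdparm line above), builds the hdparm argv without the shell printf trick, and checks whether a known password shows up in a memory dump as ASCII or as scancodes. The table covering only digits and letters is an assumption made for illustration.

```python
# Added example, not code from the post. Encodes a password as PC/AT scan
# code set 1 make codes (what a BIOS-set ATA password turned out to be here)
# and checks a drive memory dump for a known password in either form.
# Assumption: only digits and lowercase letters are needed; that is the
# standard set 1 table, not something read from a drive.
_SET1 = {}
for i, ch in enumerate("1234567890"):          # '1' -> 0x02 ... '0' -> 0x0b
    _SET1[ch] = 0x02 + i
for row, base in (("qwertyuiop", 0x10), ("asdfghjkl", 0x1e), ("zxcvbnm", 0x2c)):
    for i, ch in enumerate(row):
        _SET1[ch] = base + i

def scancodes_for(password: str) -> bytes:
    """Return the set 1 make-code bytes for a digits/letters password."""
    try:
        return bytes(_SET1[ch.lower()] for ch in password)
    except KeyError as exc:
        raise ValueError(f"no scan code in table for {exc.args[0]!r}") from None

def hdparm_unlock_argv(password: str, device: str, as_scancodes: bool) -> list:
    """argv for `hdparm --security-unlock PWD DEVICE`: the password as typed
    (an hdparm-set password) or its scancode form (a BIOS-set password)."""
    pwd = scancodes_for(password) if as_scancodes else password.encode()
    # subprocess.run accepts bytes arguments, so no printf trick is needed
    return [b"hdparm", b"--security-unlock", pwd, device.encode()]

def encodings_in_dump(dump: bytes, password: str) -> list:
    """Report which representations of a known password occur in a dump:
    'ascii' and/or 'scancode'. Lets you verify on your own drive whether the
    password sits in drive RAM in clear, as the post found for Seagate."""
    found = []
    if password.encode() in dump:
        found.append("ascii")
    if scancodes_for(password) in dump:
        found.append("scancode")
    return found

if __name__ == "__main__":
    # Constructed dump fragment: padding around the scancodes for "0000".
    sample = b"\xff" * 16 + scancodes_for("0000") + b"\x00" * 28
    print(encodings_in_dump(sample, "0000"))        # ['scancode']
    print(hdparm_unlock_argv("0000", "/dev/sdb", True))
```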

I haven't worked on the script I used in a long time, but I don't want anyone who got stuck in the same situation as me to have to rewrite the script I just described and duplicate work, so I will put my work in progress code onto github for everyone to see. It's true that now no Seagate hd is "secure" through this "encryption", but to be fair, they never were! For 50-100$ everybody could unlock a hd without any real proof, and the losers on the forums that tell you "We need to see proof that this is your HD or we can't/won't help you" simply can't help you, because they don't know how! And how should they know? Nobody has documented this shit yet. And why trust a firm with your precious data when you can save it yourself in half an hour with parts that you either have at home (I had a cable I could use and an arduino) or get online for ~5$.
The code is located here; don't expect too much ;) this is only my quick hack, but it works rather well and you can even fine tune it a bit.
Neither the tool nor this article is finished yet; to be exact they both are far from finished, but before this becomes yet another draft of mine that doesn't get posted I will open up and share my findings. Have a nice day and keep on hacking.

25 thoughts on "ATA security lock removal for seagate [Solved] ;)"

  1. Excellent work, I have a question: What were the drives (part numbers) that you used? because I have a Seagate Momentus 5400.6 that I need to unlock and knowing the address of the password could help me a lot.

    Regards ;)

• Like I said, I wrote this for someone else. I gave him the hd back after I unlocked it, so no part numbers for you.
      But it doesn't matter because I tested it with 3 disks that all had different offsets.
      That's why I made the little script called extract-pw.
      Right now I'm rewriting this whole mess I call code ;)
      But if you've got your hd, simply hook it up to your pc like described in the hackaday article I linked to (the one to fix the seagate bug), run one of the dump scripts (I think is the newest right now…) and then you can extract the pw using the script linked above. The address changes but not the "frame" around it.
      Hope I could help

      • Thanks for your fast reply, I have yet to build the serial adapter but with your help I think I can bring back to life this HD. Many thanks!

      • If you have an arduino you don’t have to build anything (just saying because many people own one) :)
Like stated in the article I will rewrite not only the tool, but the article as well. So if you have problems/questions/suggestions you are welcome to ask; it would probably help me write a better article/code.

2. This looks very similar to something we used to do for the original Xbox hard drives, as they were locked and paired to each machine. Some you could just flash the latest firmware onto the hard drive and it would clear the pw, and others needed a MAX232 COM1 hardware and a few commands through HyperTerminal and done. Good days.

  3. Dear BlackLotus89,
I have a Seagate 250GB 540rpm, SN 5SW2Y61D, and I locked it from BIOS. Now I can't do anything with it. From your post, I think that you have solved the same problem.
    But my problem is that I don't know what exactly I should do. I set up Python 3.3, and downloaded argparse-1.2.1.tar and pyserial-2.7.tar. I copied your command line from this
    Can you show me what I should do? The data on this disk is very important for me.
    I’m waiting for your help.
My email is (I'm Vietnamese).
    Wish you happy and lucky.
    Thanks for your help!

  4. Hey,

I wanted to give this a try for my Samsung HDD (I know this most probably wouldn't work from scratch, but for now I would be happy even with a dump of the HDD memory).

    Unfortunately, an exception gets thrown quite early on line 64 in init:

ser = serial.Serial(port=device, baudrate=baud, bytesize=8, parity='N', stopbits=1, timeout=timeout)

    Exception is:

serial.serialutil.SerialException: Could not configure port: (22, 'Invalid argument')

I tried some custom code where I try just to open the device without any other arguments; no luck. Then I changed the device's permissions to rwxrwxrwx, but yet the same exception gets thrown.
    Any ideas on that one?

  5. Hey blacklotus89,

    I just connected the HDD by an external case via USB 3.0.
Thought this might work till I saw your response to Thanh Tran; reading the article I hadn't even realized you built a custom serial adapter for the drive.
    Do you have any idea if the setup described on could work for other drives like Samsung?

    Thanks for your fast response

  6. It’s telling me I’m already on 11500 baudrate and it can’t find the modus. Changing timeout to 1 doesn’t help, neither does setting debug to 2.
    I’m using an Arduino as a USB-TTL bridge as shown at that Arvydas website. Thinking I might have made it wrong or connected it up badly, as the Arduino’s tx and rx LEDs clearly come on when I run your script.
    Any other reason why it would be showing this error?

      • Just used the in-built serial monitor in Arduino (I’m on Windows :S) and can’t see a thing when I plug and unplug the drive’s power.
        And putting a multimeter across the resistors shows 2.3V across one and 2.6V across the other (which is bloody weird, since they’re supposed to be working as a voltage divider and one’s 10K while the other’s 22K)
        I think I can pin the blame on my God awful TTL bridge. Time to scrap everything and start again!

• Oh, thought that you were on Linux, forgot for a moment that windows existed. BTW which script are you using? The old one or the one that is wip? I haven't worked on them in some time now, but if you encounter any problems please post them. I'm looking forward to making it less error prone.

• Just using the latest version of Didn't know what the append bit was. Will be sure to point out any errors, but I doubt there'll be any.

7. I have a Seagate Momentus 7200.4 in a Thinkpad W500. Two months ago, I changed the ATA User and Master passwords through the W500's bios. Unfortunately, I forgot the master password, but luckily wrote down the user password. Last night I managed to dump the hard disk's memory using your python code. However, the two password strings looked like sha256sum hash results, not hex scancodes. Each one contains 64 hex characters, and won't produce meaningful results (because I remember the user password). This reminds me that before I could never clear an ATA password set through bios using hdparm. I believe Thinkpad stores the one-way hashing result on the drive, which can only be unlocked using their bios.

• Thank you! A week ago someone came to me with exactly the same problem. But at that time I didn't know about this. If you can set the user password, could you please set it to something like AAAAA… and send me the dump?
