After spending a few hours working on this and finding it very interesting I now write this little article to maybe help or guide people having the same problem as me, because in my opinion this really simple matter isn’t covered enough on the internet.
Don’t get me wrong it is extensively covered, but most of the coverage repeats and rehashes the same thing over and over again.
There is no new knowledge and no community (that I found) that works on this.I found the hddguru forum helpful, but exchanging real information isn’t common in there.Most times I found a question that was askable the second or third post would be like “We can’t verify it’s your hd so we can’t help”.This seems to be purely because of the lack of knowledge because they didn’t seem to have a problem with the thread itself.
But let me start at the beginning:
One week ago my uncle gave me a laptop hdd of a colleague.This guy had a friend help him setup his pc and lock his laptops hd with a password.After a few months of not using or needing the laptop both of these guys forgot the password and tried guessing it (guess how that went).My uncle is the PC expert of their choice and so they let him work on it.Because he had no luck unlocking he asked me to take a look at it.
This was the first time I had ever seen someone use this feature.If someone gave me this without telling me that it was locked I would probably just insert it into my usb sata reader see input output errors and forget it and even if I would have inserted it into my desktop pc I probably wouldn’t have checked hdparm for the locked status.Now if I get a hd like this,this will be one of the first things I’ll check.
Now how did I go about it?
After a short search I found a few sites and links I thought could be helpful.Especially this seemed interesting.I even found additional infos on hddguru.The people didn’t seem that interested in it, even thought it helps you recover your hdd password.
So I downloaded the image and booted it, the third PC I tested it on even recognized my sata controller and succesfully identified my hard disks.
Sidenote: I didn’t write on the article for 2 month now so the whole thing isn’t as fresh in my memory as it could be
Sadly it didn’t work all too well.
I was using a Seagate hd and this only seems to work for WD hds.Some commands just didn’t get executed.
Anyway after a while I found this.Now I could play around with a serial console,for which I had no documentation.
After I played with it for a bit I started to see that this actually might lead to something.A quick google helped and I actually found a pdf that documented the diagnostic functions.
Another 5 minutes later I saw the first few lines of memory and buffer (Dxx and Bxx).
I still didn’t know what to expect of this output, but I had a new angle I could work on.
I don’t want to go into to much detail for now, but I quickly realised that I could easily write a script that dumps the buffer and the memory for me and hopefully that would lead to something.I already read somewhere that you could unlock the hd by writing something to the memory of it and I thought to myself that I would have to find out how to do this if I couldn’t find the password in one of the dumps.I can tell you I didn’t had high hopes for this,I already planned on writing an entry for the Hackaday “Fail of the Week” series.
2 hours and 2 python scripts later I had my first working POC.For aesthetics I also hacked together a wget style status and watched the memory dump crawl :)
Another half an hour later I had the complete dump.
In the progress of my research many people suggested possible master passwords.It seems that every hd type has specific default passwords (who would have thought?) and the SeaGate passwords are mostly variations of Seagate and spaces.I already tried every possibility I found online so I was sure that the default didn’t apply here and after aimlessly looking through the dump my prediction of failure seemed all too true,but I wouldn’t go down without a fight!I still got a few Seagate hard disks in storage and it sure as hell wouldn’t hurt locking them and creating a dump.And again half an hour and one dump later I once again grepped through a dump with hexedit and sure enough / found me my password!Sadly jumping to this address in the old dump didn’t bring me the result I was looking for.Another 30 minutes and another hd dump later (again a different hd) showed me that between different models the addresses vary as well.But now that I knew that the layout itself didn’t change nothing could stop me.I searched for common features,created a small regex and tried it on the new dumps I had and what do you know?I got a sure method that found me the user and the master password contained in the dump.
Sadly the passwords for the hd I wanted to crack seemed to be garbage (because they didn’t form ascii text I could enter).Again expecting failure I tried entering the now found password with hdparm
hdparm –security-unlock $(printf ‘\x0b\x0b\x0b\x0b’) /dev/sdb
and my heart skipped a beat.HELL YEAH!IT WORKS!!!!
The owner of the HD used the bios integrated functions!I tried brute forcing the pw before,but I could have waited forever because my dictionary attack would have never worked.I had to convert my password with the scancodes of the characters to unlock this hd.And sure enough the user used 0000 as the password.
I haven’t worked on the script I used in a long time,but I don’t want that got stuck in the same situation as me to have to rewrite the script I just described and duplicate work so I will put my work in progress code onto github for everyone to see.It’s true that now no seagate hd is “secure” through this “encryption” but to be fair, they never were!For 50-100$ everybody could unlock a hd without any real proof and the loosers on the forums that tell you “Wee need to see proof that this is your HD or we can/won’t help you” simply can’t help you, because they don’t know how!And how should they know?Nobody documented this shit yet.And why trust a firm with your precious data when you can save it yourself in half an hour with parts that you got either at home (I had a cable I could use and an arduino) or get online for ~5$.
The code is located here don’t expect to much ;) this is only my quick hack, but it works rather well and you even can fine tune a bit.
Neither the tool nor this article is finished yet, to be exact they both are far from finished but before this gets yet another Draft of mine that doesn’t get posted I will open up and share my findings.Have a nice day and keep on hacking.