How do I unlock a hard drive (SSD)?

DingbatCA · Guru Joined: 07 Jul 2004 Posts: 384 Location: Portland Or

I am kinda stumped on this one. I have an SSD that is password locked. At 512GB, it is still a rather useful drive. Dont care about any of the data on the drive, just want to get it functional. I know the basics like using "hdparm --user-master u --security-erase password /dev/X" to unlock a drive. Or using the "--user-master m" with a password of 32 spaces, but none of that has worked. I now need something deeper.

I already contacted Toshiba and they were not able to help.

Any thoughts/ideas?

Here are the specs on the drive according to hdparm:

frostschutz · Advocate Joined: 22 Feb 2005 Posts: 2977 Location: Germany

you can try NULL (sic, capitalized) for empty password

otherwise you have to use the password you set

the risk of "bricking" your drives with those drive passwords is the reason why I never use this feature

DingbatCA · Guru Joined: 07 Jul 2004 Posts: 384 Location: Portland Or

I got the drive for free because it is locked. So if I break it, I loose nothing. If I manage to unlock it, I get a free drive.

Cyker · Veteran Joined: 15 Jun 2006 Posts: 1746

If it's just a bios lock type password and the drive isn't actually encrypted, you can get special diagnostic/forensic interface cards which can access the low level bits to change/disable the drive password. I'm not sure if you can just do this with software alone tho' but I would think not because it would defeat the point of it if it was so easily disabled.

If it's one of the encrypted types then you've basically got a slightly inept doorstop...

Hu · Moderator Joined: 06 Mar 2007 Posts: 21602

Have you read / tested how to unlock a ssd disk with hdparm??

DingbatCA · Guru Joined: 07 Jul 2004 Posts: 384 Location: Portland Or

Any other ideas/links?

frostschutz · Advocate Joined: 22 Feb 2005 Posts: 2977 Location: Germany

Do you know how it came to be locked in the first place?

Maybe there is a place that collects common passwords, by vendor, by erase tool, by malware, ...

I haven't found any authorative list, though. Apparently there is a tool that sets "idrive". There is a wiki page here that sets "Eins": https://www.thomas-krenn.com/en/wiki/SSD_Secure_Erase (and also) https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

Of course if someone set a random password none of these will work. And if the drive gives you only five tries per power cycle, brute forcing it will take quite a while. Maybe you could automate that process with an USB enclosure (that supports the ATA erase commands, verify with another drive I guess) and a USB controller that has power saving options so you can flip it off and on in software. And then hope someone set a very short password rather than a long one...

Jaglover · Posted: Sat Mar 10, 2018 6:13 pm Post subject:

If I remember correctly I read somewhere some laptops actually 'mate' with drive and to unlock it has to be put back into the very same laptop.
_________________
My Gentoo installation notes.
Please learn how to denote units correctly!

DingbatCA · Guru Joined: 07 Jul 2004 Posts: 384 Location: Portland Or

I bought 4 of these drives, and 4 work just fine. This 5th one was a freebie because the electronics dealer could not unlock it.

It looks like the master password has been changed. I cant find a firmware update in hopes of re-flashing it. I have tried a few of the old dos tools like victoria, zu, atapwd, but nothing has worked.

Is all hope lost?

frostschutz · Advocate Joined: 22 Feb 2005 Posts: 2977 Location: Germany

Well, it says "Master password revision code = 65534" which usually means the master password has NOT been changed. As doing so would also change the revision.

Only problem is, that doesn't mean you know whatever the vendor chooses as the master password. This could be completely random (a salted hash based on serial number and you don't know the salt). It's vendor-specific.

In theory the vendor should be able to tell you the master password if you tell them everything there is to tell about your drive (model, serial, etc.) - whether they would be willing to do so is another question...

You could contact a data recovery company and ask them if they are able to unlock, and erase such a locked drive and how much it would cost and whether it would be worth it to you. (Assuming a data recovery company would be able to either obtain this info from the vendor directly under some kind of non-disclosure deal, or made the effort to reverse engineer it). I'd really hate supporting this business model though (same with that unlock software that costs 50 bucks).

There should always be a way to unbrick a drive (at the cost of erasing data) unfortunately this has always been a problematic side of the ata password.

Never use this feature.

keet · Guru Joined: 09 Sep 2008 Posts: 568

Hashcat might work for bruteforcing it.

DingbatCA · Guru Joined: 07 Jul 2004 Posts: 384 Location: Portland Or

Thought about hashcat. After 3 tries the drive locks it's self. Needs to be power cycled to unlock it. No way that I can think of to acquire the encrypted password...

I emailed Toshiba, again, asking specifically for the unlock/master password. We will see.

DingbatCA · Guru Joined: 07 Jul 2004 Posts: 384 Location: Portland Or

From Toshiba "Toshiba does not have unlock your drive . We do not have unlock code / master password that can unlock your drive."

I have a brick!

NeddySeagoon · Posted: Mon Mar 12, 2018 3:41 pm Post subject:

DingbatCA,

Well, that leaves the JTAG interface but it will be a lot of work because it won't be documented.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

DingbatCA · Guru Joined: 07 Jul 2004 Posts: 384 Location: Portland Or

I am not against going in through JTAG/Serial. ;-)

There are some exposed pads on the bottom...
https://www.tweaktown.com/image.php?image=imagescdn.tweaktown.com/content/6/6/6684_04_toshiba_hg6_thnsnj512gcsu_enterprise_ssd_review_full.jpg

If, and it's a big if, I can acquire a console type connection, what would a I do from there? I am guessing/hoping there is some kind of simple command line where I can directly interface with the drive using ata commands?

NeddySeagoon · Posted: Mon Mar 12, 2018 4:32 pm Post subject:

DingbatCA,

JTAG is a test interface.
It is serial but it won't give you a console.

During manufacture, it the way the device is tested and firmware uploaded.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

frostschutz · Advocate Joined: 22 Feb 2005 Posts: 2977 Location: Germany

Last time I tried to do something with JTAG/Serial (recovering a bricked ereader) it was a complete failure so I certainly will be unable to help.

If you find out anything, please keep us updated too.

DingbatCA · Guru Joined: 07 Jul 2004 Posts: 384 Location: Portland Or

Pure JTAG is out of my skill set. I think this is where I throw in the towel. :-(

frostschutz · Advocate Joined: 22 Feb 2005 Posts: 2977 Location: Germany

I guess this won't work for an already locked drive either?

https://github.com/Drive-Trust-Alliance/sedutil/blob/master/linux/PSIDRevert_LINUX.txt

https://github.com/Drive-Trust-Alliance/sedutil/wiki/PSID-Revert

Sounds hopeful actually - see if your drive supports it.

DingbatCA · Guru Joined: 07 Jul 2004 Posts: 384 Location: Portland Or

All hope is lost, or at least for my skill set. After a ton of googling I found that the extra 4 pins along side the SATA connection are a debug port. I ordered in a serial TTL adapter and was able to test it out on an old Toshiba laptop drive. I got a VERY simplistic console. Then I jacked into the SSD and go nothing. I also tried a known good SSD, same model, nothing. I would guess the debug port has changed it's protocol in the last 15 years. ;-)

End of this adventure... Locked SSD has been placed on my scrap pile. :-(