View previous topic :: View next topic |
Author |
Message |
DingbatCA Guru
Joined: 07 Jul 2004 Posts: 384 Location: Portland Or
|
Posted: Sat Mar 10, 2018 5:39 am Post subject: How do I unlock a hard drive (SSD)? |
|
|
I am kinda stumped on this one. I have an SSD that is password locked. At 512GB, it is still a rather useful drive. Dont care about any of the data on the drive, just want to get it functional. I know the basics like using "hdparm --user-master u --security-erase password /dev/X" to unlock a drive. Or using the "--user-master m" with a password of 32 spaces, but none of that has worked. I now need something deeper.
I already contacted Toshiba and they were not able to help.
Any thoughts/ideas?
Here are the specs on the drive according to hdparm: Code: | /dev/sdj:
ATA device, with non-removable media
Model Number: TOSHIBA THNSNJ512GCSU
Serial Number: XXXXXXXXXXXX
Firmware Revision: JUPS0102
Transport: Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6, SATA Rev 3.0
Standards:
Supported: 9 8 7 6 5
Likely used: 9
Configuration:
Logical max current
cylinders 16383 16383
heads 16 16
sectors/track 63 63
--
CHS current addressable sectors: 16514064
LBA user addressable sectors: 268435455
LBA48 user addressable sectors: 1000215216
Logical Sector size: 512 bytes
Physical Sector size: 512 bytes
Logical Sector-0 offset: 0 bytes
device size with M = 1024*1024: 488386 MBytes
device size with M = 1000*1000: 512110 MBytes (512 GB)
cache/buffer size = unknown
Form Factor: 2.5 inch
Nominal Media Rotation Rate: Solid State Device
Capabilities:
LBA, IORDY(can be disabled)
Queue depth: 32
Standby timer values: spec'd by Standard, no device specific minimum
R/W multiple sector transfer: Max = 16 Current = 16
Advanced power management level: 254
DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 *udma5
Cycle time: min=120ns recommended=120ns
PIO: pio0 pio1 pio2 pio3 pio4
Cycle time: no flow control=120ns IORDY flow control=120ns
Commands/features:
Enabled Supported:
* SMART feature set
* Security Mode feature set
* Power Management feature set
* Write cache
* Look-ahead
* Host Protected Area feature set
* WRITE_BUFFER command
* READ_BUFFER command
* NOP cmd
* DOWNLOAD_MICROCODE
* Advanced Power Management feature set
SET_MAX security extension
* 48-bit Address feature set
* Device Configuration Overlay feature set
* Mandatory FLUSH_CACHE
* FLUSH_CACHE_EXT
* SMART error logging
* SMART self-test
* General Purpose Logging feature set
* WRITE_{DMA|MULTIPLE}_FUA_EXT
* 64-bit World wide name
* WRITE_UNCORRECTABLE_EXT command
* {READ,WRITE}_DMA_EXT_GPL commands
* Segmented DOWNLOAD_MICROCODE
* Gen1 signaling speed (1.5Gb/s)
* Gen2 signaling speed (3.0Gb/s)
* Gen3 signaling speed (6.0Gb/s)
* Native Command Queueing (NCQ)
* Host-initiated interface power management
* Phy event counters
* Host automatic Partial to Slumber transitions
* Device automatic Partial to Slumber transitions
* READ_LOG_DMA_EXT equivalent to READ_LOG_EXT
DMA Setup Auto-Activate optimization
Device-initiated interface power management
* Software settings preservation
Device Sleep (DEVSLP)
* SMART Command Transport (SCT) feature set
* SCT Write Same (AC2)
* SCT Error Recovery Control (AC3)
* SCT Features Control (AC4)
* SCT Data Tables (AC5)
* SANITIZE feature set
* BLOCK_ERASE_EXT command
* DOWNLOAD MICROCODE DMA command
* SET MAX SETPASSWORD/UNLOCK DMA commands
* WRITE BUFFER DMA command
* READ BUFFER DMA command
* DEVICE CONFIGURATION SET/IDENTIFY DMA commands
* Data Set Management TRIM supported (limit 8 blocks)
* Deterministic read ZEROs after TRIM
Security:
Master password revision code = 65534
supported
enabled
locked
not frozen
not expired: security count
supported: enhanced erase
Security level maximum
2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 500080d910247d1f
NAA : 5
IEEE OUI : 00080d
Unique ID : 910247e1f
Device Sleep:
DEVSLP Exit Timeout (DETO): 70 ms (drive)
Minimum DEVSLP Assertion Time (MDAT): 10 ms (drive)
Checksum: correct |
|
|
Back to top |
|
|
frostschutz Advocate
Joined: 22 Feb 2005 Posts: 2977 Location: Germany
|
Posted: Sat Mar 10, 2018 11:03 am Post subject: |
|
|
you can try NULL (sic, capitalized) for empty password
otherwise you have to use the password you set
the risk of "bricking" your drives with those drive passwords is the reason why I never use this feature |
|
Back to top |
|
|
DingbatCA Guru
Joined: 07 Jul 2004 Posts: 384 Location: Portland Or
|
Posted: Sat Mar 10, 2018 3:14 pm Post subject: |
|
|
I got the drive for free because it is locked. So if I break it, I loose nothing. If I manage to unlock it, I get a free drive. |
|
Back to top |
|
|
Cyker Veteran
Joined: 15 Jun 2006 Posts: 1746
|
Posted: Sat Mar 10, 2018 3:51 pm Post subject: |
|
|
If it's just a bios lock type password and the drive isn't actually encrypted, you can get special diagnostic/forensic interface cards which can access the low level bits to change/disable the drive password. I'm not sure if you can just do this with software alone tho' but I would think not because it would defeat the point of it if it was so easily disabled.
If it's one of the encrypted types then you've basically got a slightly inept doorstop... |
|
Back to top |
|
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21602
|
|
Back to top |
|
|
DingbatCA Guru
Joined: 07 Jul 2004 Posts: 384 Location: Portland Or
|
Posted: Sat Mar 10, 2018 5:18 pm Post subject: |
|
|
Any other ideas/links?
Code: | #The master password for Toshiba drives is 32 spaces, but I have not confirmed this on SSDs.
hdparm --user-master m --security-unlock " " /dev/sdj
security_password: " "
/dev/sdj:
Issuing SECURITY_UNLOCK command, password=" ", user=master
SECURITY_UNLOCK: Input/output error
# hdparm --user-master m --security-unlock NULL /dev/sdj
security_password: ""
/dev/sdj:
Issuing SECURITY_UNLOCK command, password="", user=master
SECURITY_UNLOCK: Input/output error
# hdparm --user-master u --security-unlock NULL /dev/sdj
security_password: ""
/dev/sdj:
Issuing SECURITY_UNLOCK command, password="", user=user
SECURITY_UNLOCK: Input/output error |
|
|
Back to top |
|
|
frostschutz Advocate
Joined: 22 Feb 2005 Posts: 2977 Location: Germany
|
Posted: Sat Mar 10, 2018 6:10 pm Post subject: |
|
|
Do you know how it came to be locked in the first place?
Maybe there is a place that collects common passwords, by vendor, by erase tool, by malware, ...
I haven't found any authorative list, though. Apparently there is a tool that sets "idrive". There is a wiki page here that sets "Eins": https://www.thomas-krenn.com/en/wiki/SSD_Secure_Erase (and also) https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase
Of course if someone set a random password none of these will work. And if the drive gives you only five tries per power cycle, brute forcing it will take quite a while. Maybe you could automate that process with an USB enclosure (that supports the ATA erase commands, verify with another drive I guess) and a USB controller that has power saving options so you can flip it off and on in software. And then hope someone set a very short password rather than a long one... |
|
Back to top |
|
|
Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana
|
|
Back to top |
|
|
DingbatCA Guru
Joined: 07 Jul 2004 Posts: 384 Location: Portland Or
|
Posted: Sat Mar 10, 2018 6:28 pm Post subject: |
|
|
I bought 4 of these drives, and 4 work just fine. This 5th one was a freebie because the electronics dealer could not unlock it.
It looks like the master password has been changed. I cant find a firmware update in hopes of re-flashing it. I have tried a few of the old dos tools like victoria, zu, atapwd, but nothing has worked.
Is all hope lost? |
|
Back to top |
|
|
frostschutz Advocate
Joined: 22 Feb 2005 Posts: 2977 Location: Germany
|
Posted: Sat Mar 10, 2018 6:53 pm Post subject: |
|
|
Well, it says "Master password revision code = 65534" which usually means the master password has NOT been changed. As doing so would also change the revision.
Only problem is, that doesn't mean you know whatever the vendor chooses as the master password. This could be completely random (a salted hash based on serial number and you don't know the salt). It's vendor-specific.
In theory the vendor should be able to tell you the master password if you tell them everything there is to tell about your drive (model, serial, etc.) - whether they would be willing to do so is another question...
You could contact a data recovery company and ask them if they are able to unlock, and erase such a locked drive and how much it would cost and whether it would be worth it to you. (Assuming a data recovery company would be able to either obtain this info from the vendor directly under some kind of non-disclosure deal, or made the effort to reverse engineer it). I'd really hate supporting this business model though (same with that unlock software that costs 50 bucks).
There should always be a way to unbrick a drive (at the cost of erasing data) unfortunately this has always been a problematic side of the ata password.
Never use this feature. |
|
Back to top |
|
|
keet Guru
Joined: 09 Sep 2008 Posts: 568
|
Posted: Sun Mar 11, 2018 4:23 pm Post subject: |
|
|
Hashcat might work for bruteforcing it. |
|
Back to top |
|
|
DingbatCA Guru
Joined: 07 Jul 2004 Posts: 384 Location: Portland Or
|
Posted: Mon Mar 12, 2018 1:59 pm Post subject: |
|
|
Thought about hashcat. After 3 tries the drive locks it's self. Needs to be power cycled to unlock it. No way that I can think of to acquire the encrypted password...
I emailed Toshiba, again, asking specifically for the unlock/master password. We will see. |
|
Back to top |
|
|
DingbatCA Guru
Joined: 07 Jul 2004 Posts: 384 Location: Portland Or
|
Posted: Mon Mar 12, 2018 3:27 pm Post subject: |
|
|
From Toshiba "Toshiba does not have unlock your drive . We do not have unlock code / master password that can unlock your drive."
I have a brick! |
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54216 Location: 56N 3W
|
Posted: Mon Mar 12, 2018 3:41 pm Post subject: |
|
|
DingbatCA,
Well, that leaves the JTAG interface but it will be a lot of work because it won't be documented. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
DingbatCA Guru
Joined: 07 Jul 2004 Posts: 384 Location: Portland Or
|
|
Back to top |
|
|
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54216 Location: 56N 3W
|
Posted: Mon Mar 12, 2018 4:32 pm Post subject: |
|
|
DingbatCA,
JTAG is a test interface.
It is serial but it won't give you a console.
During manufacture, it the way the device is tested and firmware uploaded. _________________ Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail. |
|
Back to top |
|
|
frostschutz Advocate
Joined: 22 Feb 2005 Posts: 2977 Location: Germany
|
Posted: Mon Mar 12, 2018 4:32 pm Post subject: |
|
|
Last time I tried to do something with JTAG/Serial (recovering a bricked ereader) it was a complete failure so I certainly will be unable to help.
If you find out anything, please keep us updated too. |
|
Back to top |
|
|
DingbatCA Guru
Joined: 07 Jul 2004 Posts: 384 Location: Portland Or
|
Posted: Mon Mar 12, 2018 4:38 pm Post subject: |
|
|
Pure JTAG is out of my skill set. I think this is where I throw in the towel. :-( |
|
Back to top |
|
|
frostschutz Advocate
Joined: 22 Feb 2005 Posts: 2977 Location: Germany
|
|
Back to top |
|
|
DingbatCA Guru
Joined: 07 Jul 2004 Posts: 384 Location: Portland Or
|
Posted: Thu Mar 22, 2018 9:15 pm Post subject: |
|
|
All hope is lost, or at least for my skill set. After a ton of googling I found that the extra 4 pins along side the SATA connection are a debug port. I ordered in a serial TTL adapter and was able to test it out on an old Toshiba laptop drive. I got a VERY simplistic console. Then I jacked into the SSD and go nothing. I also tried a known good SSD, same model, nothing. I would guess the debug port has changed it's protocol in the last 15 years. ;-)
End of this adventure... Locked SSD has been placed on my scrap pile. :-( |
|
Back to top |
|
|
|