how is ide security implemented?



sweh
04-27-2003, 04:39 PM
OK, I understand that when the drive is first initialised in the uTV (eg after an upgrade) a password is sent to the disk. Whenever the machine is rebooted it sends the IDE "unlock" command with this password and the drive is unlocked.

But how does the drive implement this? Is the data actually encrypted on the disk, or is it merely locked? Is the password stored on the firmware, or is it stored on a magic sector on the disk itself?

I was just thinking that a possible way of accessing hard disk data without doing the hotswap method might be to change the drive electronics with an identical (unlocked) drive. If the data isn't encrypted and the password is on the board (rather than the disk) then this should effectively make the disk readable.

GodKilla
04-27-2003, 11:17 PM
Just do a search with his username to find all of your questions answered....

Here you go.. this thread should have all the info in it you are looking for. :)

http://www.dealdatabase.com/forum/showthread.php?threadid=19337


Here's some more goodness...


http://www.avsforum.com/avs-vb/showthread.php?s=&threadid=113022

sweh
04-28-2003, 10:12 PM
Originally posted by GodKilla
Just do a search with his username to find all of your questions answered....


Unless I'm blind, actually not. The existing threads talk about either using the UTV to unlock the current drive and then hot-plugging it into the PC for access, or to use the drive-swap procedure to unlock the drive (and reformat).

What I'm talking about is potentially a different way (hardware hacking) of getting an older (replaced) drive unlocked and the stored data accessible. For example, someone with an older 40Gb drive that's already been replaced with a 120Gb and so can't do the hot-swap unlock.

BlueCop
04-29-2003, 12:09 AM
sweh: there is another method for accessing the drive

look here
http://www.dealdatabase.com/forum/showthread.php?s=&threadid=18883

sweh
04-29-2003, 02:00 PM
Originally posted by BlueCop
sweh: there is another method for accessing the drive

look here
http://www.dealdatabase.com/forum/showthread.php?s=&threadid=18883

That's interesting. I'll give that a go.

Does this leave the data structures on-disk (ie it doesn't do an erase)? If so that implies the drive is just set using "high security" mode and so the master password will provide data access. I'm surprised; I would have thought Microsoft would have used "maximum security" mode which means the master password can only do security erase functions.

I'll have to check the IDENTIFY output to see if bit8 in word128 of the IDENTIFY response is set.

Most of what I know of ATA security comes from: http://rockbox.haxx.se/lock.html

Thanks! This gives me something to play with in my spare time :-)

sweh
05-01-2003, 08:34 PM
Originally posted by BlueCop
sweh: there is another method for accessing the drive

look here
http://www.dealdatabase.com/forum/showthread.php?s=&threadid=18883

OK, so I sat down and tried this procedure... and the disk I rescued from the machine was a Seagate and not a WD. So, of course, the WD DLDIAG doesn't work. I downloaded the Seagate equivalent tool, but it doesn't seem to unlock the drive in the same way. ATAPWD always says the drive is locked. Yuck :-(

aLfer
05-08-2003, 05:03 PM
sweh, the drive does have a maximum security level set. This means if the user password is forgotten, the drive can only be low level formatted and only using the master password. If the master password is lost, all access to the drive is lost indefinitely. The master password is stored in the drive electronics along with the user password, and the master password is the same for all drives. This is programmed into the boot rom of the UTV. The user password, which is what we really need to be able to unlock the drive and edit it easily, is unique to each unit, and is generated as a combination of serial/model/ssid numbers run through an algo. At this time, it isn't possible to figure out the password, except on an individual basis using a logic analyzer. A friend of mine actually used one to determine the master password the utv sets, so we do know that. Unfortunately, he does not want this information disclosed at this time. I think the user password is generated/set the same way it is on the xbox. If anyone is into xbox, there are a hell of a lot more people messin around with those than there are utv hackers, so they are our best bet at defeating the security of the drive.
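As an added example (not code from this thread or from any of its posters), here is a small Python decoder for IDENTIFY DEVICE word 128, the status word sweh mentions above: bit 8 selects the security level, which decides whether the master password can unlock the drive ("high") or only erase it ("maximum"), as aLfer's post describes. The 512-byte IDENTIFY block is constructed inline; on a real system it would come from the drive's IDENTIFY DEVICE response.

```python
# Added example: decode ATA IDENTIFY DEVICE word 128 (security status).
import struct

# Bit positions in IDENTIFY DEVICE word 128 (ATA security feature set).
SEC_SUPPORTED = 1 << 0
SEC_ENABLED = 1 << 1
SEC_LOCKED = 1 << 2
SEC_FROZEN = 1 << 3
SEC_COUNT_EXPIRED = 1 << 4
SEC_ENH_ERASE = 1 << 5
SEC_LEVEL_MAX = 1 << 8  # 0 = high security level, 1 = maximum


def word(identify: bytes, index: int) -> int:
    """Return 16-bit little-endian word `index` of a 512-byte IDENTIFY block."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    return struct.unpack_from("<H", identify, 2 * index)[0]


def security_status(identify: bytes) -> dict:
    """Summarise the drive's security state and what the master password may do."""
    w = word(identify, 128)
    enabled = bool(w & SEC_ENABLED)
    maximum = bool(w & SEC_LEVEL_MAX)
    return {
        "supported": bool(w & SEC_SUPPORTED),
        "enabled": enabled,
        "locked": bool(w & SEC_LOCKED),
        "frozen": bool(w & SEC_FROZEN),
        "count_expired": bool(w & SEC_COUNT_EXPIRED),
        "enhanced_erase": bool(w & SEC_ENH_ERASE),
        "level": "maximum" if maximum else "high",
        # High level: the master password may SECURITY UNLOCK the drive.
        # Maximum level: the master password may only SECURITY ERASE UNIT.
        "master_can_unlock": enabled and not maximum,
        "master_can_erase": enabled,
    }


def fake_identify(word128: int) -> bytes:
    """Constructed 512-byte IDENTIFY block with only word 128 populated."""
    buf = bytearray(512)
    struct.pack_into("<H", buf, 2 * 128, word128)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample: supported, enabled, locked, maximum level (UTV-like).
    sample = fake_identify(SEC_SUPPORTED | SEC_ENABLED | SEC_LOCKED | SEC_LEVEL_MAX)
    print(security_status(sample))
```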

sweh
05-08-2003, 11:37 PM
Originally posted by aLfer
The master password is stored in the drive electronics along with the user password, and the master password is the same for all drive

Right, so this comes back to my original question... where exactly is the password stored and is the data on the physical media encrypted? If the password is merely on the interface circuitry and not stored on the physical media, then we have the potential to do a hardware swap on the drive itself. However if the data is encrypted on the platters then this is pointless.

As to master passwords... since all that can be done is a "format and reset" using this, and since both WD and Seagate provide tools to do that, drives flagged with maximum security (ie UTV drives) can't be exposed to anything new. Only drives on "high" security can be accessed using the master password. I know of no application that uses this, so why is your friend worried about releasing the password? It's pretty useless...

aLfer
05-09-2003, 02:38 AM
sweh, I am glad you are interested in this. I wish more were. If we got the security down many many more coders would be looking at the drive right now, sorting through the data to try to come up with a nozkt hack. Yes, both passwords are stored in the drive electronics, the data on the platters is not encrypted. The drive electronics basically say access to the platters is unauthorized without the user password. I don't know how you would perform a hardware swap, are you talking about removing the pcb from the bottom of the drive and replacing with one of the same model? If that's possible, then yes I would think you could access the data on those platters, although it seems like a lot more work than the simple swap trick while the utv is running. As for the master password, no utility that I know of will low level format a maximum level security set drive without the master password, that's the whole point of the security feature (atapwd.exe will do this, assuming you provide the master password). What it means is that since we know this password we can at least reuse the drive in a PC after it's been in the UTV without performing the whole hot swap trick, which can save a couple of hours. What we need to get at is the user password, since this provides full access to the drive. I've never gotten the atapwd trick to work with my WD 120GB drive after hours of trying and using the methods described in another thread on this forum at http://www.dealdatabase.com/forum/showthread.php?s=&threadid=18883. I have, however, heard of a utility xbox users have used to generate the user password based on the specific inputs it needs (serial number, model, ssid, etc.) but the site I saw it referenced on (sorry I haven't got the url handy) says that they are fearful of releasing it due to possible legal action.
This is the same reason I won't release the master password, as my colleague is worried about possible legal trouble, as well he should be (it's basically reverse engineering, which is illegal). Anyway, if anyone knows about this xbox utility, please let us know or pm me. I'd be very interested in testing it.

PS: more info on the ATA complete spec including commands used is available at www.t13.org , the group that sets the standards for ATA.

sweh
05-09-2003, 08:26 AM
Originally posted by aLfer
sweh, I am glad you are interested in this. I wish more were. If we got the security down many many more coders would be looking at the drive right now, sorting through the data to try to come up with a nozkt hack.

Well, I doubt the path I'm looking at will be of long term benefit to most people; it'd be a pain and most people may not have the spare parts or expertise. Hell, I'm not even sure *I* have the ability to do what I'm thinking of; I could easily end up with two broken drives :-)


Yes, both passwords are stored in the drive electronics, the data on the platters is not encrypted.

Great, that makes it as least feasible!


are you talking about removing the pcb from the bottom of the drive and replacing with one of the same model? If that's possible, then yes I would think you could access the data on those platters, although it seems like a lot more work than the simple swap trick while the utv is running.

Yes, this is what I'm thinking of doing. I know some people have been able to recover data from "fried" drives before now by doing this (the drive electronics went up in smoke when the power supply blew up, but the drive platters and heads were OK). I'll have to undo the torx screws and see how the pcb is attached. But this hassle is why I doubt this will be a popular method of accessing the drive! It may, however, make it possible to access a drive which is no longer married to a UTV (and thus no user password is available).


As for the master password, no utility that I know of will low level format a maximum level security set drive without the master password, that's the whole point of the security feature (atapwd.exe will do this, assuming you provide the master password).


Don't dlgdiag and the Seagate equivalent program have the ability to do this? They appear to have the password coded into them since they can do diagnostic tests even on a locked drive.


What we need to get at is the user password

Yes, that'd be nice, but I don't know enough to even start decoding the ROMs BlueCop has provided, so don't stand much chance of reverse engineering the password algorithm UTV uses!


(it's basically reverse engineering, which is illegal).
Not in Europe... although that didn't help DVD Jon :-(

alldeadhomiez
05-27-2003, 12:47 PM
Sorry for the late reply. (bump?)

I tried swapping the drive electronics on the 40GB (stock) seagate UTV drives once after unlocking one of them. It did not seem to make a difference, so I assume the security info is stored on the platter and not on the board.

It is interesting to note that the newer versions of DLGDIAG don't seem to want anything to do with a locked drive. They will not even initiate a low-level format, choosing instead to return the "drive locked" error code. This makes sense though if the master password needs to be supplied to wipe a locked drive.

The hot swap is kind of a hassle but it does work. I have not had any trouble at all pulling the drive during the "acquiring guide data" phase and connecting it to my PC to boot linux to read it.

sweh
05-27-2003, 01:15 PM
Originally posted by alldeadhomiez
I tried swapping the drive electronics on the 40GB (stock) seagate UTV drives once after unlocking one of them. It did not seem to make a difference, so I assume the security info is stored on the platter and not on the board.

It is interesting to note that the newer versions of DLGDIAG don't seem to want anything to do with a locked drive. They will not even initiate a low-level format, choosing instead to return the "drive locked" error code. This makes sense though if the master password needs to be supplied to wipe a locked drive.


I tripped over my old disk last night and it reminded me that I need to do this controller swap test as well. Hopefully my girlfriend will give me enough spare time that I'll be able to do it :-)

As for dlgdiag, isn't that just for WD disks? Seagate have their own equivalent programs called SeaTools at http://www.seagate.com/support/seatools/

alldeadhomiez
05-27-2003, 01:44 PM
Originally posted by sweh
As for dlgdiag, isn't that just for WD disks? Seagate have their own equivalent programs called SeaTools at http://www.seagate.com/support/seatools/

You are correct. I tried it on a WD drive that my UTV had locked during testing. FWIW it was a newer drive - probably a 160 or 180 gig. I suspect that only the older WD drives had the firmware hole that let you start a "verify" op and use that to read the data off a locked drive.

I have not tried seatools.

Flagg
07-04-2003, 04:33 PM
I can confirm that the security hole in Western Digital drives that let you remove the password with DLGDIAG has been closed in the newer drives.

I was unable to use the trick in a 160GB Western Digital drive, although the same trick does work in the older 40GB drives in the UTV.

Flagg