Transcript

1. Set up harddisk password

2. Set up fingerprint reader to unlock HDD

3. Regularly change passwords

...except the harddisk password

4. Let time pass

I can use my notebook, but I shouldn't lose my finger.

If the notebook dies or forgets the password, my data is gone.

Schrödinger's Data, sort of.

This is not a desirable situation.

1. Get BIOS to unlock HDD and remove password

Only works if I type it in, not with a fingerprint

Possible, but not supported by the BIOS

2. Hack BIOS to remove password on fingerprint

Involves reverse-engineering your BIOS:

Been there, done that, big waste of time

..and you don't want to know the nasty details.

3. Listen on IDE bus when BIOS sends password to HDD

Too much effort, too little knowledge

Involves expensive hardware:

  • Custom-made FPGA stuff or
  • Logic Analyzer

Waaaaay too expensive!

...or is it?

USB connection

16 buffered inputs

16 unbuffered inputs

  • Easily fast enough for IDE
  • Only $50 incl. shipping

Read Sector

Write Sector

Seek

Security Unlock

Security Disable

etc.

Ready

Seek Done

Error

etc.

1. Write "UNLOCK" command (F2) to Command Reg

2. Read Status Reg until HDD signals "Data Request"

3. Write a full sector (2 bytes header, 32 bytes password, padded to 512 bytes with zeros) to Data Reg

We also tried linking two OLSes via their Clock Out / Clock In pins for 32 buffered inputs, but that didn't work out well; probably needs work on the OLS developers' side.

Includes finding latest non-buggy firmware ;)

  • More than 2x signal frequency, else you get bad traces
  • Only as fast as necessary, else the trace is too short

Let's hope it still works!

Idea: Put extra pin header on HDD pins, clamp wires between HDD pins and header.

Getting 16 loose wires into the header without one of them falling out again, then plugging the HDD into that: impossible!

  • Trace size is limited
  • I need to find the right moment to start tracing
  • Triggers to the rescue!
  • "Security Unlock" command is F2 hex, 11110010 binary
  • So trigger on 11110010

That didn't work at first...

...until I realized I had reversed the bus pins!

So here's what I found:

Open Sesame

How I recovered my harddisk password

Joachim Fenkes / @dop3j0e

shack e.V. / http://shackspace.de/

Bus Protocol

Execution

Bus pins

I don't know my harddisk password

Register Write

...but my Notebook knows!

Data 0..7

Each HDD has a bunch of registers

PC controls HDD by reading/writing these registers

Register Read

Houston, we have a Problem


Example: Reading a sector

Step 1: Practice

Four Steps to Disaster

  • Command
  • Data
  • Status
  • and several more


Step 2: Wire up harddisk

1. Write sector address to Address Reg(s)

2. Write "Read Sector" command to Command Reg

3. Read Status Reg until HDD signals "Data Request"

4. Read 16-bit Data Reg 256 times --> one sector / 512 bytes

Register Select

  • Buffered inputs accept 5V signals
  • Unbuffered inputs accept 3.3V signals
  • IDE is a 5V bus
  • --> Only use buffered inputs
  • --> Only 16 signals can be traced

...and your password fade into oblivion

or

All data pins, no control

Some control, only partial data

Data 8..15

Sniffer

Host

HDD

Normal IDE cable with two taps:

Bus likes this

Both our OLSes in the background

  • Learn OLS Basics
  • Bring OLS Firmware up to date
  • Hook data signals of old PC's CD-ROM
  • Experiment until you see some data

Sniffer

Host

HDD

Direct Host-HDD connection with long T-style tap:

Bus does not like this

  • Decided to only trace data bus for starters.
  • My mission: Hook notebook's Mainboard-Harddisk connection
  • No IDE cable, so I had to build a T connection:
  • How to fix wires to HDD pins - reversibly?

  • Put HDD back into Notebook, hook up wires.

Traced all 16 data signals

Solution: Break header apart, plug individual header pins onto HDD!

Divide, Conquer, Wait until hands stop trembling.

Lessons learned:

Theory

Introduction

  • Trace speed is critical
  • Big trace buffer is nice
  • RLE mode doesn't work reliably
  • Triggers are awesome!

Now for some IDE

Run Length Encoding: Record trace entry only when something changes; i.e. trace compression.

Only start tracing when something predefined happens

  • Like a certain set of signal values
  • Or a certain string of serial data
  • Or a certain sequence of signal values

"ATA Security" commands

And it's completely

Step 3: Find crucial moment

Enter the Open Logic Sniffer

I had to dismantle most of my notebook to be able to fit the HDD with the extra wires in there!

Source, too.

(HDD Password is 32 bytes)

Buy new HDD

What on Earth can I do?

This is where I want to end up

Security disabled

DISABLE PASSWORD

SET PASSWORD

Holy Cow!

Security enabled

HDD unlocked

My HDD only moves through these states right now

This is what the BIOS sends to the HDD when I use the fingerprint reader

UNLOCK

Power off, power on

There it is! This is what I want to see in my trace!

Two bytes header

(01 means User Password)

Password starts here!

Trigger hit here

HDD status: Seek Success, Ready, Data Request

HDD status: Seek Success, Ready, Busy

... rest zeros.

... 04 0B ...

... 06 02 ...

... 22 26 ...

... 1E 13 ...

Data bytes: 01 00 ...

Here's the F2 command

http://twitter.com/dop3j0e/status/18182607274

# unlock harddisk (needed before next step!)
hdparm --user-master u --security-unlock \
    $(echo -ne "\036\023\042\046\006\002\004\013") /dev/sdX

# disable harddisk password forever!
hdparm --user-master u --security-disable \
    $(echo -ne "\036\023\042\046\006\002\004\013") /dev/sdX
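The following is an added example, not code from the talk: a small register-level model of the SECURITY UNLOCK exchange (the three steps listed under "Execution": write F2 to the Command Reg, poll Status until Data Request, write the 512-byte sector), together with the sniffer-side decoder that pulls the 2-byte header and 32-byte password back out of a capture and renders it as the octal-escape string used in the hdparm commands above. It assumes a capture is a list of (register, direction, value) tuples, i.e. that the control lines were recorded too (the talk traced only the 16 data lines and found the sector by triggering on F2), that the 16-bit data words carry their low byte on D0..7, and that the status values are constructed; the register names and `Transaction` type are hypothetical labels for the example.

```python
"""Added example (not the talk's code): model of the ATA SECURITY UNLOCK
exchange and a decoder that recovers the password from a bus capture.

Assumptions (mine, not the talk's):
- A capture is a list of (register, direction, value) tuples, as if the
  control lines had been traced alongside the data lines.
- Data-register words carry the low byte on D0..7; the talk's listing
  (01 00, 1E 13, ...) prints that low byte first.
- Status values below are constructed from the ATA status bits.
"""
from typing import List, Tuple

# Hypothetical register / direction labels for the example.
CMD, STATUS, DATA = "command", "status", "data"
WRITE, READ = "write", "read"

SECURITY_UNLOCK = 0xF2      # command code: binary 11110010, the trigger value
PASSWORD_LEN = 32           # ATA password field is 32 bytes
SECTOR_WORDS = 256          # one 512-byte sector as 16-bit words

# ATA status register bits (Busy, Drive Ready, Seek Complete, Data Request)
BSY, DRDY, DSC, DRQ = 0x80, 0x40, 0x10, 0x08

Transaction = Tuple[str, str, int]


def build_unlock_sector(password: bytes, header=(0x01, 0x00)) -> bytes:
    """Lay out the 512-byte payload: 2-byte header, 32-byte password,
    zero padding. The header bytes 01 00 are what the talk reports the
    BIOS sending for the user password."""
    if len(password) > PASSWORD_LEN:
        raise ValueError("ATA passwords are at most 32 bytes")
    body = bytes(header) + password.ljust(PASSWORD_LEN, b"\x00")
    return body.ljust(2 * SECTOR_WORDS, b"\x00")


def words_le(data: bytes) -> List[int]:
    """Split bytes into 16-bit words, first byte on D0..7 (low byte)."""
    return [data[i] | (data[i + 1] << 8) for i in range(0, len(data), 2)]


def host_unlock_transactions(password: bytes) -> List[Transaction]:
    """Host side of the exchange as seen on the bus: command write,
    status polls until DRQ, then 256 data-register writes."""
    txns: List[Transaction] = [(CMD, WRITE, SECURITY_UNLOCK)]
    txns.append((STATUS, READ, BSY | DRDY | DSC))        # drive busy
    txns.append((STATUS, READ, DRDY | DSC | DRQ))        # drive wants data
    txns += [(DATA, WRITE, w) for w in words_le(build_unlock_sector(password))]
    txns.append((STATUS, READ, DRDY | DSC))              # done, no error bit
    return txns


def extract_password(capture: List[Transaction]) -> bytes:
    """Sniffer side: locate the F2 command write, collect the 256 data
    words that follow it, and return the password with its zero padding
    stripped (a password that really ends in zero bytes would lose them)."""
    for i, (reg, direction, value) in enumerate(capture):
        if reg == CMD and direction == WRITE and value == SECURITY_UNLOCK:
            data_words = [v for r, d, v in capture[i + 1:]
                          if r == DATA and d == WRITE][:SECTOR_WORDS]
            if len(data_words) < SECTOR_WORDS:
                raise ValueError("capture ends before the sector is complete")
            sector = b"".join(bytes((w & 0xFF, w >> 8)) for w in data_words)
            # sector[:2] is the header (01 00 in the talk's trace)
            return sector[2:2 + PASSWORD_LEN].rstrip(b"\x00")
    raise ValueError("no SECURITY UNLOCK command in capture")


def hdparm_escape(password: bytes) -> str:
    """Render the password as the octal-escape string the talk feeds to
    `echo -ne` for hdparm, e.g. \\036\\023... for 1E 13 ..."""
    return "".join(f"\\{b:03o}" for b in password)


if __name__ == "__main__":
    # Constructed sample: the eight bytes shown in the talk's trace.
    secret = bytes.fromhex("1E1322260602040B")
    capture = host_unlock_transactions(secret)
    recovered = extract_password(capture)
    print("recovered:", recovered.hex(" ").upper())
    print('echo -ne "%s"' % hdparm_escape(recovered))
```

Running the block rebuilds the bus exchange for the trace bytes from the talk and prints the same `\036\023\042\046\006\002\004\013` string that appears in the hdparm commands, which is a quick way to check a decoded trace before typing anything at a drive.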

Security enabled

HDD locked

Should you have any questions,

now would be a good time to ask ;)

References:

http://www.pjrc.com/tech/8051/ide/wesley.html

http://de.wikipedia.org/wiki/ATA/ATAPI

http://dangerousprototypes.com/open-logic-sniffer/

Thanks and greetings:

@hdznrrd - partner in crime

@momorientes - moral support

@shackspace - awesome place, awesome people!

That's All Folks!
