Open Sesame

How I recovered my harddisk password
Joachim Fenkes

Four Steps to Disaster
1. Set up harddisk password
2. Set up fingerprint reader to unlock HDD
3. Regularly change passwords
   ...except the harddisk password
4. Let time pass
   ...and your password fade into oblivion
Houston, we have a Problem
I don't know my harddisk password
...but my Notebook knows!
I can use my notebook, but I shouldn't lose my finger.
This is not a desirable situation.
If the notebook dies or forgets the password, my data is gone.
Schrödinger's Data, sort of.
What on Earth can I do?
1. Get BIOS to unlock HDD and remove password
   Only works if I type it in, not with a fingerprint
   (possible, but not supported by the BIOS)
2. Hack BIOS to remove password on fingerprint
   Involves reverse-engineering your BIOS:
   Been there, done that, big waste of time
   ...and you don't want to know the nasty details.
3. Listen on IDE bus when BIOS sends password to HDD
   Involves expensive hardware: custom-made FPGA stuff or Logic Analyzer
   Too much effort, too little knowledge
   Waaaaay too expensive!
   ...or is it?
Enter the Open Logic Sniffer
16 buffered inputs
16 unbuffered inputs
USB connection
Easily fast enough for IDE
Only $50 incl. shipping
Holy Cow!
Introduction
Theory
Execution
Bus pins: Data 0..7, Data 8..15, Register Read, Register Write, Register Select
Bus Protocol
Each HDD has a bunch of registers: Command, Data, Status, and several more
PC controls HDD by reading/writing these registers
Command register: Read Sector, Write Sector, Seek, Security Unlock, Security Disable, etc.
Status register: Ready, Seek Done, Error, etc.
Example: Reading a sector
1. Write sector address to Address Reg(s)
2. Write "Read Sector" command to Command Reg
3. Read Status Reg until HDD signals "Data Request"
4. Read 16bit Data Reg 256 times --> one sector / 512 bytes
"ATA Security" commands (HDD Password is 32 bytes)
Security disabled --SET PASSWORD--> Security enabled, HDD unlocked
Security enabled, HDD unlocked --Power off, power on--> Security enabled, HDD locked
Security enabled, HDD locked --UNLOCK--> Security enabled, HDD unlocked
Security enabled, HDD unlocked --DISABLE PASSWORD--> Security disabled
Security enabled, HDD locked, otherwise: Buy new HDD
UNLOCK is what the BIOS sends to the HDD when I use the fingerprint reader
Security disabled is where I want to end up
My HDD only moves between "Security enabled, HDD locked" and "Security enabled, HDD unlocked" right now
And it's completely Open Source, too.
Now for some IDE
1. Write "UNLOCK" command (F2) to Command Reg
2. Read Status Reg until HDD signals "Data Request"
3. Write a full sector (2 bytes header, 32 bytes password, padded to 512 bytes with zeros) to Data Reg
There it is! This is what I want to see in my trace!
Step 1: Practice
Step 2: Wire up harddisk
Step 3: Find crucial moment
Step 1: Practice
Learn OLS Basics
Bring OLS Firmware up to date (includes finding latest non-buggy firmware ;)
Hook data signals of old PC's CD-ROM
Experiment until you see some data
Buffered inputs accept 5V signals; unbuffered inputs accept 3.3V signals
IDE is a 5V bus --> only use buffered inputs --> only 16 signals can be traced:
either all data pins, no control, or some control, only partial data
We also tried linking two OLSes via their Clock Out / Clock In pins for 32 buffered inputs, but that didn't work out well; probably needs work on the OLS developers' side.
Traced all 16 data signals
Both our OLSes in the background
Lessons learned:
Trace speed is critical: more than 2x signal frequency, else you get bad traces; only as fast as necessary, else the trace is too short
Big trace buffer is nice
RLE mode doesn't work reliably (Run Length Encoding: record a trace entry only when something changes, i.e. trace compression)
Triggers are awesome! Only start tracing when something predefined happens, like a certain set of signal values, a certain sequence of signal values, or a certain string of serial data
Decided to only trace data bus for starters.
My mission: Hook notebook's Mainboard-Harddisk connection
No IDE cable, so I had to build a T connection:
Normal IDE cable with two taps: Host -- HDD -- Sniffer all on the cable; bus likes this
Direct Host-HDD connection with long T-style tap: Host -- HDD, Sniffer on a long stub; bus does not like this
Let's hope it still works!
How to fix wires to HDD pins - reversibly?
Idea: Put extra pin header on HDD pins, clamp wires between HDD pins and header.
Getting 16 loose wires into the header without one of them falling out again, then plugging the HDD into that: impossible!
Solution: Break header apart, plug individual header pins onto HDD!
Divide, Conquer, Wait until hands stop trembling.
Put HDD back into Notebook, hook up wires.
I had to dismantle most of my notebook to be able to fit the HDD with the extra wires in there!
Trace size is limited, so I need to find the right moment to start tracing
Triggers to the rescue!
"Security Unlock" command is F2 hex, 11110010 binary, so trigger on 11110010
That didn't work at first... until I realized I had reversed the bus pins!
So here's what I found:
Trigger hit here: here's the F2 command
HDD status: Seek Success, Ready, Busy
HDD status: Seek Success, Ready, Data Request
Data bytes: 01 00 1E 13 22 26 06 02 04 0B ... rest zeros.
Two bytes header: 01 00 (01 means User Password)
Password starts here: 1E 13 22 26 06 02 04 0B
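The Data Reg sector from the IDE unlock sequence ("2 bytes header, 32 bytes password, padded to 512 bytes with zeros"), decoded from the byte listing this trace shows, as an added example that is not part of the slides. It assumes the listing is in bus order (D0..7 byte first, then D8..15) and that word 0 is the ATA Identifier control word; `words_from_trace`, `decode_unlock_sector`, `UnlockSector` and the sample `TRACE` are names chosen here.

```python
# Added example (not from the slides): decode the SECURITY UNLOCK data sector
# that the BIOS writes to the Data Reg after the F2 command, straight from a
# captured byte listing. Assumed: the listing is in bus order (D0..7 byte first,
# then D8..15), and word 0 is the ATA "Identifier" control word (user/master bit).
from dataclasses import dataclass

SECTOR_WORDS = 256      # one transfer = 256 x 16-bit words = 512 bytes
PASSWORD_BYTES = 32     # ATA security passwords are 32 bytes, zero padded


@dataclass
class UnlockSector:
    control_word: int   # the "2 bytes header"; the slides read 01 00 as User Password
    password: bytes     # the raw 32-byte password field (words 1..16)
    padding_ok: bool    # words 17..255 were all zero, as they should be

    @property
    def password_trimmed(self) -> bytes:
        """Password with the zero padding removed, i.e. what was really typed."""
        return self.password.rstrip(b"\x00")

    def hdparm_escape(self) -> str:
        """Render the password the way the slides feed it to hdparm:
        one three-digit octal escape per byte, suitable for `echo -ne`."""
        return "".join("\\%03o" % b for b in self.password_trimmed)


def words_from_trace(hexdump: str) -> list[int]:
    """Space-separated hex bus bytes -> data-register words, zero-filled to a sector."""
    raw = bytes.fromhex(hexdump).ljust(SECTOR_WORDS * 2, b"\x00")
    return [int.from_bytes(raw[i:i + 2], "little") for i in range(0, len(raw), 2)]


def decode_unlock_sector(words: list[int]) -> UnlockSector:
    """Split one sector of data words into control word, password and padding check."""
    if len(words) != SECTOR_WORDS:
        raise ValueError(f"expected {SECTOR_WORDS} words, got {len(words)}")
    raw = b"".join(w.to_bytes(2, "little") for w in words)
    return UnlockSector(
        control_word=words[0],
        password=raw[2:2 + PASSWORD_BYTES],
        padding_ok=not any(raw[2 + PASSWORD_BYTES:]),
    )


# Constructed sample input: the bytes the trace above shows after the F2 command.
TRACE = "01 00 1E 13 22 26 06 02 04 0B"
SECTOR = decode_unlock_sector(words_from_trace(TRACE))
```

A listing longer than one sector makes `decode_unlock_sector` raise, which is the check you want before trusting a trigger that fired on the wrong F2.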
Thanks and greetings:
@hdznrrd - partner in crime
@momorientes - moral support
@shackspace - awesome place, awesome people!
References:
http://dangerousprototypes.com/open-logic-sniffer/
http://www.pjrc.com/tech/8051/ide/wesley.html
http://de.wikipedia.org/wiki/ATA/ATAPI
Should you have any questions, now would be a good time to ask ;)
# unlock harddisk (needed before next step!)
# the argument is the recovered password bytes 1E 13 22 26 06 02 04 0B as octal escapes;
# quote the substitution so the shell hands them to hdparm as one argument
hdparm --user-master u --security-unlock \
    "$(echo -ne "\036\023\042\046\006\002\004\013")" /dev/sdX

# disable harddisk password forever!
hdparm --user-master u --security-disable \
    "$(echo -ne "\036\023\042\046\006\002\004\013")" /dev/sdX
http://twitter.com/dop3j0e/status/18182607274
That's All Folks!
Joachim Fenkes / @dop3j0e
shack e.V. / http://shackspace.de/
