Loading presentation...

Present Remotely

Send the link below via email or IM


Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.


Open Sesame

How I recovered my harddisk password

Joachim Fenkes

on 9 October 2010

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of Open Sesame

Four Steps to Disaster 1. Set up harddisk password 3. Regularly change passwords ...except the harddisk password 2. Set up fingerprint reader to unlock HDD 4. Let time pass ...and your password fade into oblivion Houston, we have a Problem I don't know my harddisk password ...but my Notebook knows! I can use my notebook,
but I shouldn't lose my finger. This is not a
desirable situation. If the notebook dies or forgets the
password, my data is gone. Schrödinger's Data, sort of. What on Earth can I do? 1. Get BIOS to unlock HDD and remove password Only works if I type it in,
not with a fingerprint possible, but not supported by the BIOS 2. Hack BIOS to remove
password on fingerprint Involves reverse-engineering your BIOS:
Been there, done that, big waste of time ..and you don't want to know the nasty details. 3. Listen on IDE bus when
BIOS sends password to HDD Involves expensive hardware:
Custom-made FPGA stuff or
Logic Analyzer Too much effort, too little knowledge Waaaaay too expensive! ...or is it? Enter the Open Logic Sniffer 16 buffered inputs 16 unbuffered inputs USB connection Easily fast enough for IDE
Only $50 incl. shipping Holy Cow! Introduction Theory Execution { { Data 0..7 Data 8..15 Register Read Register Write Register Select Bus pins Bus Protocol Command
and several more Read Sector
Write Sector
Security Unlock
Security Disable
etc. Ready
Seek Done
etc. Each HDD has a bunch of registers 1. Write sector address to Address Reg(s)
2. Write "Read Sector" command to Command Reg
3. Read Status Reg until HDD signals "Data Request"
4. Read 16bit Data Reg 256 times --> one sector / 512 bytes PC controls HDD by reading/ writing these registers Example: Reading a sector "ATA Security" commands (HDD Password is 32 bytes) SET PASSWORD Security disabled Security enabled
HDD unlocked Power off, power on Security enabled
HDD locked UNLOCK DISABLE PASSWORD Buy new HDD This is what the BIOS sends to the HDD when I use the fingerprint reader This is where I want to end up My HDD only moves through these states right now And it's completely Source, too. Now for some IDE 1. Write "UNLOCK" command (F2) to Command Reg
2. Read Status Reg until HDD signals "Data Request"
3. Write a full sector (2 bytes header, 32 bytes
password, padded to 512 bytes with zeros) to Data Reg There it is! This is what I want to see in my trace! Step 1: Practice Step 2: Wire up harddisk Step 3: Find crucial moment Learn OLS Basics
Bring OLS Firmware up to date
Hook data signals of old PC's CD-ROM
Experiment until you see some data Buffered inputs accept 5V signals
Unbuffered inputs accept 3.3V signals
IDE is a 5V bus Only use buffered inputs Only 16 signals can be traced We also tried linking two OLSes via their Clock Out / Clock In pins for 32 buffered inputs, but that didn't work out well; probably needs work on the OLS developers' side. All data pins, no control Some control, only partial data or Includes finding latest non-buggy firmware ;) Traced all 16 data signals Both our OLSes in the background Trace speed is critical
Big trace buffer is nice
RLE mode doesn't work reliably
Triggers are awesome! More than 2x signal frequency, else you get bad traces
Only as fast as necessary, else the trace is too short Run Length Encoding: Record trace entry only when something changes; i.e. trace compression. Only start tracing when something predefined happens
Like a certain set of signal values
Or a certain string of serial data
Or a certain sequence of signal values Lessons learned: Decided to only trace data bus for starters.
My mission: Hook notebook's Mainboard-Harddisk connection
No IDE cable, so I had to build a T connection:
How to fix wires to HDD pins - reversibly?

Put HDD back into Notebook, hook up wires. Host HDD HDD Host Sniffer Sniffer Normal IDE cable with two taps:
Bus likes this Direct Host-HDD connection with long T-style tap:
Bus does not like this Let's hope it still works! Idea: Put extra pin header on HDD pins, clamp wires between HDD pins and header. Getting 16 loose wires into the header without one of them falling out again, then plugging the HDD into that: impossible! Solution: Break header apart, plug individual header pins onto HDD! Divide, Conquer, Wait until hands stop trembling. I had to dismantle most of my notebook to be able to fit the HDD with the extra wires in there! Trace size is limited
I need to find the right moment to start tracing
Triggers to the rescue!
"Security Unlock" command is F2 hex, 11110010 binary
So trigger on 11110010 That didn't work at first... ...until I realized I had reversed the bus pins! So here's what I found: Trigger hit here Here's the F2 command HDD status: Seek Success, Ready, Busy Data bytes: 01 00 ... ... 1E 13 ... ... 22 26 ... ... 06 02 ... ... 04 0B ... ... rest zeros. HDD status: Seek Success, Ready, Data Request Two bytes header
(01 means User Password) Password starts here! Thanks and greetings: References: @hdznrrd - partner in crime
@momorientes - moral support
@shackspace - awesome place, awesome people! Should you have any questions,
now would be a good time to ask ;) http://dangerousprototypes.com/open-logic-sniffer/ http://www.pjrc.com/tech/8051/ide/wesley.html http://de.wikipedia.org/wiki/ATA/ATAPI # unlock harddisk (needed before next step!)
hdparm --user-master u --security-unlock \
$(echo -ne "\036\023\042\046\006\002\004\013") /dev/sdX

# disable harddisk password forever!
hdparm --user-master u --security-disable \
$(echo -ne "\036\023\042\046\006\002\004\013") /dev/sdX http://twitter.com/dop3j0e/status/18182607274 That's All Folks! Open Sesame How I recovered my harddisk password Joachim Fenkes / @dop3j0e
shack e.V. / http://shackspace.de/
Full transcript