Open Sesame: Hard Drive Password Hacking with an OpenBench Logic Sniffer

shackspace’s @dop3j0e had a big problem. A password problem. Quite a while ago he set up a password for his Thinkpad’s hard drive and chose to unlock the drive with the built-in fingerprint scanner. Years passed, thumbs were drawn over the scanner countless times, and passwords were changed frequently. But not all passwords were changed: the one for the hard drive never did, and over time he simply forgot what it was.

The fingerprint scanner kept working. However, to change or disable the password you have to type it into the BIOS, which in this case does not accept the fingerprint scanner as input.
This poses a real problem. How do you access the disk if the fingerprint scanner dies? Or what if the laptop dies and you have to unlock the drive from a different machine, one that does not have the password stored in its fingerprint scanner?

There are various ways to approach this issue.
One idea was to reverse engineer the BIOS to find out where the password is actually stored. This turned out to be especially nasty business, and while a lot of insight was gained into how (ugly) a BIOS looks from the inside, no password was recovered.
Another idea, which does not work, was swapping the hard drive’s controller board for that of a similar model. It turns out the hard drive password is stored on the platters, not on the controller.
You could of course use a logic sniffer (costing several thousand Euros) and sniff the IDE bus for the password being transmitted. Not really an option either… or is it?

Open Source Hardware to the Rescue

Thanks to the open source hardware movement, you can have a logic sniffer for just $50! The OpenBench Logic Sniffer is exactly what you want and @hdznrrd at shackspace just happened to receive his first batch pre-order at the exact time @dop3j0e was about to fall into despair.

The OBLS comes with 16 buffered (3.3 or 5V) pins and another 16 unbuffered (3.3V only) pins. The IDE bus happens to be a 5V bus, ruling out half of the capture pins, and to sniff everything you’d need 40 pins.

It turns out it’s good enough to sniff just the data pins and nothing else (details below). And yes, the IDE bus has exactly 16 data pins :)

Sniffing the IDE bus for the Password Transfer

Next it was time to hook up the hard drive to the sniffer. What makes this slightly complicated is that you have to sniff the bus while the hard drive is mounted inside the laptop.
To do this, individual wires were connected to each of the 16 data pins. Since the drive bay was not large enough to accommodate the wiring, the laptop had to be partially disassembled.

The OBLS is compatible with the SUMP Logic Analyzer GUI which was used to control the analyzer and set up triggering.

The sniffer was set up to start logging data as soon as the 0xF2 (ATA SECURITY UNLOCK) command is seen on the data bus; the command is followed by the plaintext password, which is exactly what you need to unlock the drive yourself. A from-memory reconstruction of the trigger settings can be found here.

The screenshot below shows the SUMP GUI displaying the results of a successful password-sniffing run (note the ‘f2’ command). Note: the Prezi presentation linked below contains an annotated full-length screen capture of the sniffed password.

Unlocking the Drive

Now the drive can be unlocked using the handy hdparm tool. The commands below assume a bash root shell, where echo -ne turns the octal escapes into the raw password bytes; note that the password is passed on the command line, so it also ends up in the shell history.

# hdparm --user-master u --security-unlock \
  $(echo -ne "\036\023\042\046\006\002\004\013")

Once unlocked, the password can be disabled entirely:

# hdparm --user-master u --security-disable \
  $(echo -ne "\036\023\042\046\006\002\004\013")
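
As an added illustration that is not part of the original post, the Python model below shows why the 16 data lines are enough to recover the password: SECURITY UNLOCK sends it in cleartext inside a fixed 512-byte block whose layout is defined by the ATA spec, so anything with access to the bus can read it. The capture words are constructed, and `to_octal_escapes` renders the bytes in the `echo -ne` form the hdparm commands above use.

```python
# Constructed model of the ATA SECURITY UNLOCK (0xF2) exchange as seen on the
# 16 IDE data lines. The command byte is followed by a fixed 512-byte block:
#   word 0       bit 0 = identifier (0 = user password, 1 = master password)
#   words 1-16   password, 32 bytes, NUL-padded, low byte of each word first
#   words 17-255 reserved
UNLOCK_CMD = 0xF2
BLOCK_WORDS = 256


def find_command(words, cmd=UNLOCK_CMD):
    """Index of the first word whose low byte is the opcode (register writes are 8 bits wide)."""
    for i, w in enumerate(words):
        if w & 0xFF == cmd:
            return i
    raise ValueError("command 0x%02X not found in capture" % cmd)


def decode_password_block(words, start):
    """Return (identifier, password) from the 256 data words at `start`; NUL padding stripped."""
    block = words[start:start + BLOCK_WORDS]
    if len(block) != BLOCK_WORDS:
        raise ValueError("truncated data block: %d of %d words" % (len(block), BLOCK_WORDS))
    identifier = "master" if block[0] & 1 else "user"
    raw = bytearray()
    for w in block[1:17]:
        raw += bytes((w & 0xFF, w >> 8))   # low byte is transferred first
    password = bytes(raw).rstrip(b"\x00")
    if not password:
        raise ValueError("empty password field")
    return identifier, password


def decode_capture(words):
    """Locate the 0xF2 command in a capture and decode the block that follows it."""
    return decode_password_block(words, find_command(words) + 1)


def to_octal_escapes(password):
    r"""Render raw bytes in the \ooo form that `echo -ne` understands."""
    return "".join("\\%03o" % b for b in password)


def make_sample_capture(password, master=False):
    """Constructed capture: unrelated traffic, the command write, then the data block."""
    padded = password.ljust(32, b"\x00")
    words = [0x1234, 0x00EC, 0xFF00 | UNLOCK_CMD, 1 if master else 0]
    words += [padded[i] | (padded[i + 1] << 8) for i in range(0, 32, 2)]
    return words + [0] * (BLOCK_WORDS - 17)
```

Running `decode_capture(make_sample_capture(b"s3cr3t!"))` returns `("user", b"s3cr3t!")`, and a capture cut short of the full 256 data words is rejected rather than silently decoded.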

Metafoo