shackspace’s @dop3j0e had a big problem.  A password problem.  Quite a while ago he set up a password for his Thinkpad’s harddrive and chose to unlock his drive using the built-in fingerprint scanner.  Years passed, thumbs were drawn over the scanner countless times, passwords were changed frequently.  But not all passwords were changed.  That one password for his harddrive never did change and over time he simply forgot what the actual password was.

The thumb print scanner kept working.  However, to change or disable the password you have to enter it by keyboard in the BIOS since in this case it does not accept the thumb print scanner as input.
This poses a real problem.  How do you access the disk if your fingerprint scanner dies?  Or what if the laptop dies and you have to unlock the drive from a different machine that doesn’t have the password stored in the fingerprint scanner?

There’s various approaches to go about this issue.
One idea was  to reverse engineer the BIOS to find out where the actual password is stored.  This turned out to be especially nasty business and while a lot of insight was gained into how (ugly) a BIOS looks from the inside, no password was recovered.
Another idea which does not work was exchanging the control board of the harddrive with that of a similar model. Turns out the harddrive password is stored on the platter, not the controller.
You could of course use a logic sniffer (costs multiple kilo-Euros) and sniff the IDE bus for the password being transmitted.  Not really an option either… or is it?

Open Source Hardware to the Rescue

Thanks to the open source hardware movement, you can have a logic sniffer for just $50!  The OpenBench Logic Sniffer is exactly what you want and @hdznrrd at shackspace just happened to receive his first batch pre-order at the exact time @dop3j0e was about to fall into despair.

The OBLS comes with 16 buffered (3.3 or 5V) pins and another 16 unbuffered (3.3V only) pins.  The IDE bus happens to be a 5V bus, ruling out half of the capture pins, and to sniff everything you’d need 40 pins.

It turns out it’s good enough to just sniff the data pins and nothing else (details below).  And yes, the IDE bus has exactly 16 data pins :)

Sniffing the IDE bus for the Password Transfer

Next it was time to hook up the harddrive to the sniffer.  What makes this slightly complicated is that you have to sniff the bus while the harddrive is mounted inside the laptop.
To do this individual wires were connected to each of the 16 data pins.  Since the drive bay wasn’t large enough to accommodate the wiring, the laptop had to be partially disassembled.

The OBLS is compatible with the SUMP Logic Analyzer GUI which was used to control the analyzer and set up triggering.

The sniffer was set up to start logging data as soon as the 0xF2 unlock command is seen on the data bus which is then followed by the plain text password, which is exactly what you need to unlock the drive yourself. A from-memory reconstruction of the trigger settings can be found here.

Below screenshot shows the SUMP GUI displaying the results of a successful password sniffing run (note the ‘f2′ command).  Note: the Prezi presentation linked below contains an annotated full length  screen capture of the sniffed password.

Unlocking the Drive

Now the drive can be unlocked using the handy hdparm tool:

# hdparm --user-master u --security-unlock \
  $(echo -ne "\036\023\042\046\006\002\004\013")

Once unlocked, the password can be disabled entirely:

# hdparm --user-master u --security-disable \
  $(echo -ne "\036\023\042\046\006\002\004\013")

Metafoo

Update #1: Exchanged the SUMP screenshot with one that actually shows the 0xf2 command.
Update #2
: Added more info why sniffing of the password was necessary.
Update #3
: Added link to the trigger settings.

http://www.shackspace.de/gallery/index.php/Projekte/Festplattenpasswort-sniffen

flattr this!



Urspünglich gepostet: April 27th, 2011
Tags: Allgemein, Projekte

Reader's Comments

  1. Adam | April 28th, 2011 at 17:04

    Nice and very interesting work.

    Do you think you can possibly annotate the SUMP screen shot? I’m having trouble seeing the 0xF2 (0b1111 0010) command come across. I’m assuming its somewhere near the 0x1E/0×22, but I’m having a hard time seeing it because I don’t know how the bus is ordered on the display.

  2. jocki | April 28th, 2011 at 17:57

    @Adam — The screenshot only shows a very small section of the trace. Check out the prezi, it’s got the full annotated trace near the very end.

  3. hadez | April 28th, 2011 at 17:57

    I’ve replaced the screenshot with the one used in the Prezi. It should now show the 0xf2 command as advertised

  4. JVas | April 28th, 2011 at 18:31

    great trick. actually have a few drives that i need to unlock that i have had sitting in my office for the past year or so. on another note i have just one question. the multi-colored alligator clip looking things. what exactly are those and where do you get them because i see them used in various projects debugging before final wiring

  5. hadez | April 28th, 2011 at 19:18

    You can find them at Seeedstudio as well:
    http://www.seeedstudio.com/depot/open-logic-sniffer-probe-cable-p-619.html?cPath=178_180

  6. Adam | April 28th, 2011 at 20:33

    @joki and hadez – Thanks, I was feeling very stupid for not seeing it :) its nice to know there was nothing to see. Good work, and thanks again.

  7. Chris | April 28th, 2011 at 20:55

    What I don’t get, and can’t make up from the article is why the password is sent.

    I’d expect the hard disk is only unlocked after presenting a correct fingerprint. Since you can sniff the unlock command, why isn’t the hard disk unlocked by this command?

    Interesting article nonetheless.

  8. hadez | April 28th, 2011 at 21:38

    the issue here is that you actually have to enter the password via the keyboard to disable or change it in the BIOS.
    if you forgot it, you can still use the thumb print scanner to unlock it, but you can never change or disable it.
    I’ll update the article to make this clearer. Thanks for the feedback.

  9. IraqiGeek | April 29th, 2011 at 02:06

    Seeing as this is for IDE drives, would it be possible to use two IDE-SATA bridges to accomplish the same with SATA drives?

    That is, SATA from the motherboard/chipset goes to the frist IDE-SATA bridge to get an IDE interface that we can tap, then this IDE interface is fed to the second IDE-SATA bridge to get SATA again which goes to a SATA disk.

    I don’t know if that would work, but if it does, that would still be an under $100 solution that can recover passwords for SATA drives.

    Just a thought…

  10. hadez | April 29th, 2011 at 02:12

    if your IDE bridge setup works, you should be able to sniff the bus.
    if you can manage the rates at which SATA transmits data, you can employ the same approach by sniffing SATA directly, it should be even easier since it’s a serial bus with way less pins. problem is, the data rate is usually a lot higher, possibly out of range of your sniffer (might try lower speed legacy modes).

    also note, that this approach only works in the specific case where you can still unlock the drive using (in this case) the password stored $somewhere but still accessible via the thumb print scanner, even if you forgot the actual password (as in this case). if you have no means of replaying the password in some way or other, you cannot use this method to unlock the drive.

  11. Gloria | Mai 19th, 2011 at 21:47

    Hi guys,

    i’m trying to understand how to use trigger option to activate logging when it “catch” a particular char.

    How did you set/instruct OLS to activate logging when it “catch” 0xF2 ?!

    Thank you for attention

    Cheers

    Gloria

  12. jocki | Mai 20th, 2011 at 21:32

    Hey, Gloria,

    I reconstructed the trigger settings from memory and took a screenshot — please have a look at http://shackspace.de/gallery/index.php/Projekte/Festplattenpasswort-sniffen/sump-trigger-settings

    Actual trigger settings depend very much on which wire went where, but the screenshot should help you get an idea of what I did.

    Cheers
    dop3j0e

  13. Gloria | Mai 23rd, 2011 at 13:40

    Hi Jocki,

    Now i understand how you did that.

    Thank you for the answer.

    :)

    Cheers
    Gloria

  14. JC | Februar 18th, 2012 at 15:45

    Hello,
    Nice work!
    I reviewed the extended presentation…
    One question for clarification if I may…. Did the pinout match one for one to the OBLS? (I.e. the data pin #14 on the IDE cable go to the labeled pin 14 on the OBLS) OR did it match the the Data transmission pins one for one from the HDD? If you could elaborate that would be awesome!
    Thanks!

  15. jocki | Februar 21st, 2012 at 13:04

    Hi, JC,

    I connected the wires such that IDE data bit 0 (pin 17) went to OBLS pin 0, IDE data bit 1 (pin 15) went to OBLS pin 1, and so on until IDE data bit 15 (pin 18) went to OBLS pin 15.

    I used the pinout described in http://de.wikipedia.org/wiki/ATA/ATAPI#Steckerbelegung — it’s German, but I find it easier to digest than the pin listing in its English counterpart.

    Hope that answers your question.
    Jocki

  16. Problemhund | September 28th, 2013 at 17:20

    Hallo, Ich finde den Aufbau der Seite klasse. Macht bitte weiter
    so.

  17. Pete | Mai 21st, 2014 at 17:24

    Nice job!!!
    Where did you get that header connected to the HDD?

  18. Jocki | Mai 21st, 2014 at 18:53

    Hey, Pete,

    the HDD uses a 2mm pin pitch, so I used a standard 2×20 2mm header with machined pins. It’s important that the pins be machined, because those still work if you break the header apart and use the individual pins.

    As for the “where”, any well-equipped distributor should have these.

    Hope that helps,
    Jocki

Leave a Comment