{"id":2233,"date":"2011-04-30T11:39:43","date_gmt":"2011-04-30T17:39:43","guid":{"rendered":"http:\/\/www.seeedstudio.com\/blog\/?p=2233"},"modified":"2011-04-30T11:39:43","modified_gmt":"2011-04-30T17:39:43","slug":"harddrive-password-hacking-with-a-openbench-logic-sniffer","status":"publish","type":"post","link":"https:\/\/www.seeedstudio.com\/blog\/2011\/04\/30\/harddrive-password-hacking-with-a-openbench-logic-sniffer\/","title":{"rendered":"Harddrive Password Hacking with a OpenBench Logic Sniffer"},"content":{"rendered":"

\"\"<\/a><\/p>\n

shackspace\u2019s @dop3j0e<\/a> had a big problem.\u00a0 A password problem.\u00a0 Quite a while ago he set up a password for his Thinkpad\u2019s harddrive and chose to unlock his drive using the built-in fingerprint scanner.\u00a0 Years passed, thumbs were drawn over the scanner countless times, passwords were changed frequently.\u00a0 But not all passwords were changed.\u00a0 That one password for his harddrive never did change and over time he simply forgot what the actual password was.<\/p>\n

The thumb print scanner kept working.\u00a0 However, to change or disable the password you have to enter it by keyboard in the BIOS since in this case it does not accept the thumb print scanner as input.
\nThis poses a real problem.\u00a0 How do you access the disk if your fingerprint scanner dies?\u00a0 Or what if the laptop dies and you have to unlock the drive from a different machine that doesn\u2019t have the password stored in the fingerprint scanner?<\/p>\n

There\u2019s various approaches to go about this issue.
\nOne idea was\u00a0 to reverse engineer the BIOS to find out where the actual password is stored.\u00a0 This turned out to be especially nasty business and while a lot of insight was gained into how (ugly) a BIOS looks from the inside, no password was recovered.
\nAnother idea which does not work was exchanging the control board of the harddrive with that of a similar model. Turns out the harddrive password is stored on the platter, not the controller.
\nYou could of course use a logic sniffer (costs multiple kilo-Euros) and sniff the IDE bus for the password being transmitted.\u00a0 Not really an option either\u2026 or is it?<\/p>\n

<\/p>\n

Open Source Hardware to the Rescue<\/h3>\n

\"\"<\/a>Thanks to the open source hardware movement, you can have a logic sniffer for just $50!\u00a0 The\u00a0OpenBench Logic Sniffer<\/a> is exactly what you want and @hdznrrd<\/a> at shackspace just happened to receive his first batch pre-order at the exact time @dop3j0e was about to fall into despair.<\/p>\n

The OBLS comes with 16 buffered (3.3 or 5V) pins and another 16 unbuffered (3.3V only) pins.\u00a0 The\u00a0IDE bus<\/a> happens to be a 5V bus, ruling out half of the capture pins, and to sniff everything you\u2019d need 40 pins.<\/p>\n

It turns out it\u2019s good enough to just sniff the data pins and nothing else (details below).\u00a0 And yes, the IDE bus has exactly 16 data pins\u00a0\":)\"<\/p>\n

Sniffing the IDE bus for the Password Transfer<\/h3>\n

\"\"<\/a>Next it was time to hook up the harddrive to the sniffer.\u00a0 What makes this slightly complicated is that you have to sniff the bus while the harddrive is mounted inside the laptop.
\nTo do this individual wires were connected to each of the 16 data pins.\u00a0 Since the drive bay wasn\u2019t large enough to accommodate the wiring, the laptop had to be partially disassembled.<\/p>\n

The OBLS is compatible with the\u00a0SUMP Logic Analyzer GUI<\/a> which was used to control the analyzer and set up triggering.<\/p>\n

The sniffer was set up to start logging data as soon as the 0xF2 unlock command is seen on the data bus which is then followed by the plain text password, which is exactly what you need to unlock the drive yourself.<\/p>\n

Below screenshot shows the SUMP GUI displaying the results of a successful password sniffing run (note the \u2018f2\u2032 command).\u00a0\u00a0Note: the Prezi presentation linked below contains an <\/em>annotated<\/em> full length\u00a0 screen capture of the sniffed password.<\/em><\/p>\n

\"\"<\/a><\/p>\n

Unlocking the Drive<\/h3>\n

Now the drive can be unlocked using the handy hdparm tool:<\/p>\n

# hdparm --user-master u --security-unlock \\\r\n  $(echo -ne \"\\036\\023\\042\\046\\006\\002\\004\\013\")<\/pre>\n
Once unlocked, the password can be disabled entirely:<\/p>\n
# hdparm --user-master u --security-disable \\\r\n  $(echo -ne \"\\036\\023\\042\\046\\006\\002\\004\\013\")<\/pre>\n
Metafoo<\/h3>\n