  1. #46

    Re: Hard drive locked - an experiment

    Instead of finding someone or something to shoot at I tried to test the locking mechanism.

    I have experimented with 3 hard disks, locked them and then unlocked them about a dozen times.

    Haven't found a solution yet but can report the behaviour of it.

    (1) To show both hard disks available

    First, as an example, I started with two disks: sda for working and sdb to be locked. I first became the root user (as Windows Admin) and showed the existence of the two disks by a Linux command "fdisk -l". I have colored the Linux commands in blue inside the boxes. The uncolored text is the response from the Linux kernel, to assist reading.
    Code:
    saikee@linux:~> su
    Password:
    linux:/home/saikee # fdisk -l
    
    Disk /dev/sda: 500.1 GB, 500107862016 bytes
    255 heads, 63 sectors/track, 60801 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes
    Disk identifier: 0xbe153241
    
       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1               1       12158    97659103+  17  Hidden HPFS/NTFS
    /dev/sda2   *       12159       24316    97659135    7  HPFS/NTFS
    /dev/sda3           24317       36598    98655165    5  Extended
    /dev/sda4           36599       60801   194410597+  83  Linux
    /dev/sda5           24317       24438      979933+  82  Linux swap / Solaris
    /dev/sda6           24439       25654     9767488+  83  Linux
    /dev/sda7           25655       26870     9767488+  83  Linux
    /dev/sda8           26871       28086     9767488+  83  Linux
    /dev/sda9           28087       29302     9767488+  83  Linux
    /dev/sda10          29303       30518     9767488+  83  Linux
    /dev/sda11          30519       31734     9767488+  83  Linux
    /dev/sda12          31735       32950     9767488+  83  Linux
    /dev/sda13          32951       34166     9767488+  83  Linux
    /dev/sda14          34167       35382     9767488+  83  Linux
    /dev/sda15          35383       36598     9767488+  83  Linux
    
    Disk /dev/sdb: 61.4 GB, 61492838400 bytes
    255 heads, 63 sectors/track, 7476 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes
    Disk identifier: 0xba91ba91
    
       Device Boot      Start         End      Blocks   Id  System
    /dev/sdb1   *           1        7476    60050938+   c  W95 FAT32 (LBA)
    Secondly I confirmed the sdb status by the command hdparm with the -I option. hdparm is the only command to lock and unlock the disk.
    Code:
    linux:/home/saikee # hdparm -I /dev/sdb
    Security:
            Master password revision code = 65297
                    supported 
            not     enabled
            not     locked
            not     frozen
            not     expired: security count
            not     supported: enhanced erase
            36min for SECURITY ERASE UNIT.
    
    Checksum: correct
    (note: the display of "hdparm -I" has been truncated except showing the last relevant section)
    At this stage the disk is not locked.

    (2) To show how one disk is locked


    I then locked the disk device sdb twice, first as the master (m) using a password "somebody" and then as the user (u) by password "anybody".
    Code:
    linux:/home/saikee # hdparm --user-master m --security-mode h --security-set-pass somebody /dev/sdb
    security_password="somebody"
    
    /dev/sdb:
     Issuing SECURITY_SET_PASS command, password="somebody", user=master, mode=high
    linux:/home/saikee # hdparm --user-master u --security-mode h --security-set-pass anybody /dev/sdb
    security_password="anybody"
    
    /dev/sdb:
     Issuing SECURITY_SET_PASS command, password="anybody", user=user, mode=high
    linux:/home/saikee # reboot
    The above commands were accepted by Linux and so the disk has a record of both master and user passwords. The locking by the master does not lock the disk at all. The disk can only be locked if a password is set when the "user" switch is used. I then rebooted the PC.

    (3) To show the results after a disk has been locked

    After reboot the PC took longer to boot because an operating system found it hard to understand what is going on with a hard disk that cannot be read. I found a Linux kernel, Ubuntu 8.04, hung but others just spent time displaying the error trying to read the disk.

    The following 3 items of information confirmed the disk is indeed locked

    (1) If an attempt is made to boot the locked disk the BIOS would report
    Code:
    DISK BOOT FAILURE, INSERT SYSTEM DISK AND PRESS RETURN
    (2) If the disk is booted by Grub, which is a Linux boot loader capable of booting any installed PC system, it reported
    Code:
    Error 22 Disk read error
    If the disk does not exist the normal error in Grub is "Error 21 : Selected disk does not exist". Here the disk was not displayed, but I knew it was there and could ask Grub to show its geometry by the command "geometry (hd0)", hence the error reported.

    (3) In an operational operating system the disk is simply not reported.

    I now booted a Linux (Open Suse) in sda disk (which has XP, Vista and 10 Linux distros) and the response of command "fdisk -l" confirmed the disk sdb wasn't there.
    Code:
    linux:/home/saikee # fdisk -l
    
    Disk /dev/sda: 500.1 GB, 500107862016 bytes
    255 heads, 63 sectors/track, 60801 cylinders
    Units = cylinders of 16065 * 512 = 8225280 bytes
    Disk identifier: 0xbe153241
    
       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1               1       12158    97659103+  17  Hidden HPFS/NTFS
    /dev/sda2   *       12159       24316    97659135    7  HPFS/NTFS
    /dev/sda3           24317       36598    98655165    5  Extended
    /dev/sda4           36599       60801   194410597+  83  Linux
    /dev/sda5           24317       24438      979933+  82  Linux swap / Solaris
    /dev/sda6           24439       25654     9767488+  83  Linux
    /dev/sda7           25655       26870     9767488+  83  Linux
    /dev/sda8           26871       28086     9767488+  83  Linux
    /dev/sda9           28087       29302     9767488+  83  Linux
    /dev/sda10          29303       30518     9767488+  83  Linux
    /dev/sda11          30519       31734     9767488+  83  Linux
    /dev/sda12          31735       32950     9767488+  83  Linux
    /dev/sda13          32951       34166     9767488+  83  Linux
    /dev/sda14          34167       35382     9767488+  83  Linux
    /dev/sda15          35383       36598     9767488+  83  Linux
    linux:/home/saikee # hdparm -I /dev/sdb
    Security:
            Master password revision code = 65297
                    supported
                    enabled
                    locked
            not     frozen
            not     expired: security count
            not     supported: enhanced erase
            Security level high
            36min for SECURITY ERASE UNIT.
    
    Checksum: correct
    It is noteworthy that although the device sdb was not reported, the Linux kernel knew it was there, and the command hdparm could find the relevant disk information and reported that it was indeed locked, as shown by the last section of the display above.

    The locked disk is not available at the software level but there seems to be a limited access from the hardware level. It did not respond to the dd command with which I could possibly copy its MBR or any sector out to have a look. To the operating system itself the disk simply does not exist.

    Since a raw disk, directly off a new purchase, would still respond to the command "fdisk -l", the evidence would suggest the locking mechanism could possibly be part of the controller physically attached to the hard disk, by a function inhibiting the disk from being read sensibly, judging from the amount of errors a Linux kernel reports when detecting the locked disk.

    (4) To show how a hard disk is unlocked (requiring the knowledge of the password)

    To unlock it I just use the hdparm command again with the "--security-disable" switch and the master-password "somebody"
    Code:
    linux:/home/saikee # hdparm --user-master m --security-disable somebody /dev/sdb
    security_password="somebody"
    
    /dev/sdb:
     Issuing SECURITY_DISABLE command, password="somebody", user=master
    Linux then immediately reported that the disk was no longer locked when "hdparm -I /dev/sdb" was issued
    Code:
    linux:/home/saikee # hdparm -I /dev/sdb
    Security:
            Master password revision code = 65297
                    supported
            not     enabled
            not     locked
            not     frozen
            not     expired: security count
            not     supported: enhanced erase
            36min for SECURITY ERASE UNIT.
    
    Checksum: correct
    Naturally it showed up in "fdisk -l". (output not shown due to limitation of the post length)

    The disk at this stage is not yet available from the BIOS but will be operational after a reboot.

    I have tried all the security switches of the hdparm command but did not find a way to overcome a locked hard disk unless I have a prior knowledge of either the user or master password.

    However, as I could unlock the disk with an operating system, this means I could possibly ask the same operating system to display the reserved password location of the hard disk and obtain the knowledge of the previous password, say just for the purpose of unlocking it. Unfortunately I am not experienced enough to do this yet and as a security measure there is almost nothing written on the subject.
    Last edited by saikee; 06-12-2008 at 12:19 PM.

  2. #47

    Re: Hard drive locked

    For completeness I also post the help section relating to the --security switch of the hdparm command from Linux kernel. All the locking and unlocking activities involve the use of just one command hdparm and nothing else.

    Code:
    linux:/home/saikee # hdparm --security-help
    
    ATA Security Commands:
     Most of these are VERY DANGEROUS and can KILL your drive!
     Due to bugs in most Linux kernels, use of these commands may even
     trigger kernel segfaults or worse.  EXPERIMENT AT YOUR OWN RISK!
    
     --security-freeze           Freeze security settings until reset.
    
     --security-set-pass PASSWD  Lock drive, using password PASSWD:
                                      Use 'NULL' to set empty password.
                                      Drive gets locked if user-passwd is selected.
     --security-unlock   PASSWD  Unlock drive.
     --security-disable  PASSWD  Disable drive locking.
     --security-erase    PASSWD  Erase a (locked) drive.
     --security-erase-enhanced PASSWD   Enhanced-erase a (locked) drive.
    
     The above four commands may optionally be preceeded by these options:
     --security-mode  LEVEL      Use LEVEL to select security level:
                                      h   high security (default).
                                      m   maximum security.
     --user-master    WHICH      Use WHICH to choose password type:
                                      u   user-password.
                                      m   master-password (default).
    linux:/home/saikee #
    Explanation of the commands

    The locking command

    linux:/home/saikee # hdparm --user-master u --security-mode h --security-set-pass anybody /dev/sdb

    The --user-master switch is to select u for user and m for master. The disk can only be locked if "u" is selected for this switch. Type "m" doesn't lock the disk at all, it only sets up a password inside the hard disk.
    The --security-mode switch is to select h for high and m for maximum. If m is selected the disk can only be re-used after being completely erased.
    The --security-set-pass switch, followed by the password, is to lock the disk, making it unavailable for use.
    The password used is type "u" anybody while the device to be locked is /dev/sdb.

    The unlocking command


    linux:/home/saikee # hdparm --user-master m --security-disable somebody /dev/sdb

    Only the --security-disable with the appropriate password can unlock the disk. I purposely use a different password, previously established as the master password, to unlock the disk. The --security-unlock switch seems only to inhibit the disk from being locked in the first place. The feature disappears if the PC is booted.
    Last edited by saikee; 06-12-2008 at 08:43 AM.
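
Added example, not part of saikee's posts: a shell function that parses the Security section of raw `hdparm -I` output, in the layout shown in post #46, and reports whether the drive is locked. The function names are made up for this example, and the sample input is abridged from the post's output after the reboot.

```shell
# Added example (not from the thread): summarise the "Security:" section of
# raw `hdparm -I` output read on stdin. Function names are made up here.
ata_security_state() {
    awk '
        BEGIN { sup = "no"; en = "no"; lk = "no"; fz = "no"; lvl = "none" }
        /^Security:/        { in_sec = 1; next }
        in_sec && /^[^ \t]/ { in_sec = 0 }   # next unindented header ends it
        in_sec {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            val = "yes"
            if (line ~ /^not[ \t]+/) { val = "no"; sub(/^not[ \t]+/, "", line) }
            # Exact matches, so "supported: enhanced erase" is not the flag.
            if (line == "supported") sup = val
            if (line == "enabled")   en  = val
            if (line == "locked")    lk  = val
            if (line == "frozen")    fz  = val
            if (line ~ /^Security level /) lvl = $NF
        }
        END { printf "supported=%s enabled=%s locked=%s frozen=%s level=%s\n",
                     sup, en, lk, fz, lvl }
    '
}

# Map the summary onto the states seen in the post.
ata_security_verdict() {
    case "$(ata_security_state)" in
        *supported=no*)           echo unsupported ;;
        *enabled=yes*locked=yes*) echo locked ;;
        *enabled=yes*)            echo enabled-unlocked ;;
        *)                        echo disabled ;;
    esac
}

# Sample input: the Security section from the post after the reboot (abridged).
sample_locked() { cat <<'EOF'
Security:
        Master password revision code = 65297
                supported
                enabled
                locked
        not     frozen
        not     supported: enhanced erase
        Security level high
Checksum: correct
EOF
}

sample_locked | ata_security_state
```

On a live system the input would come from `hdparm -I /dev/sdX | ata_security_verdict`, run as root.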
