Unlocking a Travelstar 2.5" HDD? 55
Rogerborg writes "So, I buy a used 6.5Gb IBM Travelstar on eBay, only to find that I didn't caveat emptor enough, and it's password protected. No problem, I'll just, uh... uh... what will I do? According to this discussion at geek.com, the password is stored on the platter, not the controller, so swapping controllers won't help. If the controller finds a password, it refuses all access to the disk. Mounting the drive as a slave in an IDE converter, I can't fdisk, format or otherwise access it under Linux. DOS won't even recognize that the drive is there. I've even tried it in a freaky system running VxWorks. The drive mounts, but can't be accessed or formatted." How rude! Are there any utils out there that can be used to unlock the device so it can be used?
"The IBM tech sheet for a similar drive notes that there is a "security erase unit" command... but it's also password protected! I can't find any further info on the IBM site, but apparently their recommendation is to use password locked Travelstars as paperweights.
"Nortek can remove the password from Travelstars using black magic and chicken sacrifices (or a custom controller?) but will charge more than the price of the drive for even for a basic unlock that destroys the data.
I have to admit that I'm impressed by this security, but it renders the drive useless far too easily. Can Slashdot suggest any way to remove the password (the data can go too), short of degaussing the platters or building a custom controller?"
youre fucked. (Score:5, Informative)
on the other hand, if you want to struggle and you have plenty of free time :
Look for an eeprom which is located on the underside of the planar near the main power connector. The chip is typically marked C46C1 - ST 39AD. It is an 8 pin package and holds the security supervisor data and the code required to unlock the embedded code on the hard drive. Replace this chip with a clean one from an unlocked laptop drive (you can burn it with a serial eeprom writer) and you should be able to format the drive. Note that you need to disassemble the housing of the drive and maybe 30% of the drive itself to get at the chip.
Re:youre fucked. (Score:2)
This chip is on the board itself, right? I've only got the drive. :-(
Thanks for the reply though. In response to your first point, I'm really just pursuing this as a personal project, because I feel that hardware should be discarded when the magic smoke gets out and not before. ;-)
hearsay: "ZAP" (Score:3, Informative)
It's response number 16.
Enjoy,
Re:hearsay: "ZAP" (Score:2, Informative)
Re:hearsay: "ZAP" (Score:2, Informative)
In the booklet for the 755C and similar models, there appears to be a "power on password" jumper next to the cmos battery sockets.
Then.. later on, someone mentioned this (could be a troll, all caps.. but then again, could be foreign or something..)
YOU MUST SUPPLY POWER TO THE HDD THEN SHORT OUT J11 J15 SHUT DOWN AND FDISK THEN FORMAT AND YOUR READFY TO GO
Can't vouge for how true any of that is.. but it's worth a shot.
-Scott
Re:hearsay: "ZAP" (Score:2)
Got that, thanks. Only thing is, there are no J11 and J15 on the controller. Perhaps he means pins 11 and 15, but as these are well defined I/O (HD03 and HD01) and not reserved, I'm highly dubious about following this advice.
Still, I don't really have much to lose...
Re:hearsay: "ZAP" (Score:3, Informative)
Thanks for the response, but the poster hasn't tried this on a Travelstar. Until you unlock the drive, you can't do anything to it. I've tried this in 2 DOS laptops, a Linux desktop and a custom system running a PPC and VxWorks. One laptop won't boot at all unless the password is entered (even from floppy or CD-ROM), the other systems booted but then couldn't see the drive. Actually, the VxWorks system saw and mounted the drive, but then couldn't access it at all.
One Question (Score:2, Insightful)
Re:One Question (Score:1)
Re:One Question (Score:1)
Because it's stolen? (Score:1)
It sounds very suspicious to me. I've had friends who have had their car windows smashed so their company laptops could be 'appropriated'. Stereo, CD collection, etc. were left untouched.
My personal paranoia and suspicions aside, who would sell their HD to a stranger *without* first wiping the disk?
Re:Because it's stolen? (Score:2, Interesting)
Well, a local dot-com went out of business recently, and auctioned off almost all of their corporate and development servers (including the Visual SourceSafe repository) without wiping the drives. I've also bought an un-wiped computer from a consignment shop. So I wouldn't automatically assume that the laptop in question was stolen.
Re:One Question (Score:2)
The drive was "sold as seen", and priced to reflect that. The seller shifts dozens of Travelstars, probably IBM rejects. Many of them work OK, because it's not worth anyone's (commercial) time to check an obsolete returned drive, they'll just shovel it out the back door.
I actually expected the drive to be dead, the fact that it's "only" password locked is a bonus, because it gives me something fun to play with. ;-)
last resort (Score:1)
Re:last resort (Score:4, Informative)
Degauss? (Score:1)
Re:Degauss? (Score:5, Informative)
This is why many people used to think that you could perminately damage IDE hard disks with a low level format. You can't becuase 1. a low level format is really executed by the drive hardware, and is just initiated from software and 2. these drives have an electronic "interlock," which is to say they will "fail" on writing to the servo areas.
It is also important to understand that in modern drives the controller is the board on the drive. IDE isn't a controller, it is a simple data bus. (In fact, the original IDE ports were nothing more than stripped down ISA ports.) So the servo areas aren't externally addressable.
Bottom line, if you degauss, you'd better have a "factory" controller to re-write the servo areas if you ever want to store data on the disk again.
-Peter
Re:Degauss? (Score:1)
firmware (Score:2)
Re:firmware (Score:2)
I've stripped an identical (but dead and already grinding) Travelstar down to the bones, but can't see any EEPROM or flash on it anywhere, neither on the controller, nor inside the body. This agrees with the information that the password is on the platter itself in a Travelstar.
Heck, if it comes to it, if I have to open the body, I'll go ahead and swap the damn platters over from the dead drive; it's not as though I've got much to lose. ;-)
publically available (Score:2)
Re:publically available (Score:2)
Seriously, that's where this one came from, and last I heard IBM would rather sell stuff than have it gather dust in the warehouse, and their sales department is bound to have an 800 number.
Re:publically available (Score:2)
The only thing I am uncertain about is if this will let you access the security information.
_____________________________________________
For every complex problem there exists a simple, inexpensive solution that is wrong.
Re:publically available (Score:2)
Don't bother. I've never seen a desktop BIOS that supports drive passwords. When mounted in a desktop, the controller doesn't respond and the BIOS doesn't see it at all if it's got a password set, and the BIOS has no option to set, change or remove the password.
OTOH, you could try finding some source that handles ATAPI commands, and (perhaps) write a custom app to do this. That would be neat.
Re:publically available (Score:1)
For Linux: Unless your family can use a root disk, just make sure your files aren't world readable. You could also use encryped loopbacks if you are really worried.
Re:publically available (Score:1, Informative)
Re:publically available (Score:1)
Who needs hardware? (Score:2)
For this kind of thing, I use PGPdisk [pgpi.org]. Let's you allocate space into an encrypted pseudodrive. Much more secure than a simple password-protected drive. As long as your software is uncomprimised, it's totally non-hackable. But don't lose your pass phrase!!!
Already Available (Score:1)
Kind of a moot point, as most bios's have no support for this type of thing.
Perhaps IBM commercial sales have some systems that support these levels of desktop HD passwords.
IBM Deskstar Supports Passwords (Score:1)
http://www.storage.ibm.com/hdd/support/dtla/dtlac
I'm sure there's a PDF floating around on their site, but i can't find it right now. Have a gander at the Security set password and Security unlock fields.
Perhaps someone will be able to write a utility to lock a desktop HD when users go on vacation or something. (not sure how the BIOS would handle a locked drive though.)
There's some food for thought.
Re:IBM Deskstar Supports Passwords (Score:2)
Or if they're storing politically sensitive material, perhaps in a suppressive regime. Or really hard core porn. ;-)
It doesn't see the drive. The controller won't respond to any ATAPI commands except the password ones.
Actually, if you really want the data, an informed poster on another forum reckons that if you whip the controller off a non-locked drive (without powering it off, so it never gets an ATAPI power down or sleep from the BIOS), you can drop it onto a locked drive and read the data (once, until you power it down). I'm dubious about that, as I can't see any non-volatile storage on the controller to hold that state, but hey, it might be worth a try.
If you have a lot of time.... (Score:1)
It's a $12 drive. Throw it away. (Score:3, Informative)
http://www.googlegear.com/ggweb/jsp/ProductDetail
-nb
Re:It's a $12 drive. Throw it away. (Score:2, Funny)
Tsk tsk. If the Magic Smoke hasn't got out, it's usable or at least a fun project. Not everyone is ready to embrace the culture of disposability so readily.
Recycling is better than disposal. Re-use is better than recycling. Recovery of an otherwise defunct drive is best of all. C'mere, and give me a hug. C'mon, it won't hurt.
Re:It's a $12 drive. Throw it away. (Score:1)
IBM Travelstar info (Score:1, Informative)
Think caps on people... let's hear some intelligent replies.
Do like every other ebayer.. (Score:2)
Or better yet : sell the drive on ebay
Re:Do like every other ebayer.. (Score:2)
Tsk tsk, the drive was sold (along with dozens of others) explicitely as seen. The seller was quite up front that it might not work, and the price I paid reflected this. I'm not at all bothered, and am actually having fun playing with it. ;-)
Ooh, cruel! No, I wouldn't do that, unless I could find someone who wanted to take a swing at fixing it.
Buying the drive wasn't a commercial decision, I can easily afford a new one. I just believe that hardware should be binned when the Magic Smoke billows out, and not before. ;-)
Amazon.com offers excellent tools (Score:4, Funny)
Basic [amazon.com] and industrial strength [amazon.com] versions!
A complicated solution (Score:1)
Alternatively, it's possible that IBM just included a default, fallback password. I read somewhere that nearly every BIOS has a "cheat" password. Of course, motherboards aren't used to store your company's most valuable data....
Re:Duhh! (Score:2)
Bzzt, thanks for playing. Identical drives function as slaves just fine. Try before you post, please.
Try this... (Score:1)
YOU MUST SUPPLY POWER TO THE HDD THEN SHORT OUT J11 J15 SHUT DOWN AND FDISK THEN FORMAT AND YOUR READFY TO GO [computing.net]
Final follow up (Score:2)
For the benefit of the archives, a last post from the article submitter:
I found a solution. The solution came in the form of a very nice man that I met on another discussion forum who, free and gratis, removed the password after I posted the drive to him. He also managed to tell me that what the password had been set to, and what kind of laptop the drive was in when it was locked.
How did he do it? He won't say. I think that he works for a shop that does this commercially, so I'll respect that and not mention his name or the shop that I think he works for. All I can say is that from our conversations, I suspect that with access to a custom drive controller, this is a thirty second operation, but that it does absolutely require modified hardware, and that there is, and never will be a software solution.
Thanks to all who contributed, and good luck with your own hacking and hardware reuse. ;-)