Thursday, 11 November 2010

256-Bit Based Hardware Encryption on WD MyBook Essential

Western Digital’s refreshed My Book Essential external hard drive provides a simple, secure, and inexpensive home backup solution. With an enormous 2TB capacity, built-in WD SmartWare software, 256-bit built-in encryption with user password protection, there is very little not to like here. But, imagine what would happen if the hardware of the device is broken? For example, the PCB board of the hard drive is damaged by a power surge. Can data recovery engineer retrieve any user data by any conventional techniques? A test is being carried out on two 320GB WD MyBook Essential external hard drives for research purpose.

Two drives are initialized by factory default setting and there are no user password being used. Use a hex editor to view the sector 0 and sector 1 from these two drives (as shown in the figure below respectively). Sector 0 is a Master Boot Record. Sector 1 contains a patterning data where it should be zero in a conventional hard drive. The patterning data are unique and different on two drives (as shown in the table below).

Drive A 0x E6 89 D2 0F D3 62 4C F8 3A 2E 7B B7 6A 7A FC BF
Drive B 0x 3A 73 9F 10 1A 47 97 F2 9A 31 BB E5 CC 8F 97 50

Assume that both PCB boards are now damaged by users and the drives are not spinning up anymore.

A compatible PCB is borrowed from a donor drive (as shown in the figure below).

Direct replacement of WD PCB is not going to work. The adaptive ROM content on the donor PCB needs to be recreated by ROM overlay modules on the platter. This can be achieved by firmware manipulation tool, which is not introduced here. The reason of using a SATA interface PCB instead of USB interface on a donor drive, it is because the firmware repair utilities don’t support USB interface for firmware manipulation. Once the ROM is regenerated and the PCB is attached to the failed hard drives, both hard drives are spinning up again and recognized by computer correctly.

Use a hex editor to view the same sectors again after replacing the PCB, sector 0 contains some data, which look like have been encrypted, and sector 1 contains zeros. Obviously, the contents are totally different to what they were seen before the PCB was swapped.

Based on the test above, the original PCB utilizes an encryption feature where the decryption key is unique to a hard drive. Even the sectors are become accessible through a donor PCB, the user files are still not recoverable without the original PCB being fixed. The patterning data stored at sector 1 and some following sectors where they should contain zeros are the key parameter to the decryption process. But there is only the WD knows the decryption algorithm until someone else is able to disclose it by reverse engineering. Bear in mind that, the patterning data will be unknown without the original PCB is working. So, to find out the key parameter, the controller chip and/or the firmware modules have to be looked at.

Written by: Zijian Xie (R&D Manager, MSc,BEng)