Thursday, 11 November 2010

256-Bit Based Hardware Encryption on WD MyBook Essential

Western Digital’s refreshed My Book Essential external hard drive provides a simple, secure, and inexpensive home backup solution. With an enormous 2TB capacity, built-in WD SmartWare software, 256-bit built-in encryption with user password protection, there is very little not to like here. But, imagine what would happen if the hardware of the device is broken? For example, the PCB board of the hard drive is damaged by a power surge. Can data recovery engineer retrieve any user data by any conventional techniques? A test is being carried out on two 320GB WD MyBook Essential external hard drives for research purpose.

Two drives are initialized by factory default setting and there are no user password being used. Use a hex editor to view the sector 0 and sector 1 from these two drives (as shown in the figure below respectively). Sector 0 is a Master Boot Record. Sector 1 contains a patterning data where it should be zero in a conventional hard drive. The patterning data are unique and different on two drives (as shown in the table below).

Drive A 0x E6 89 D2 0F D3 62 4C F8 3A 2E 7B B7 6A 7A FC BF
Drive B 0x 3A 73 9F 10 1A 47 97 F2 9A 31 BB E5 CC 8F 97 50

Assume that both PCB boards are now damaged by users and the drives are not spinning up anymore.

A compatible PCB is borrowed from a donor drive (as shown in the figure below).

Direct replacement of WD PCB is not going to work. The adaptive ROM content on the donor PCB needs to be recreated by ROM overlay modules on the platter. This can be achieved by firmware manipulation tool, which is not introduced here. The reason of using a SATA interface PCB instead of USB interface on a donor drive, it is because the firmware repair utilities don’t support USB interface for firmware manipulation. Once the ROM is regenerated and the PCB is attached to the failed hard drives, both hard drives are spinning up again and recognized by computer correctly.

Use a hex editor to view the same sectors again after replacing the PCB, sector 0 contains some data, which look like have been encrypted, and sector 1 contains zeros. Obviously, the contents are totally different to what they were seen before the PCB was swapped.

Based on the test above, the original PCB utilizes an encryption feature where the decryption key is unique to a hard drive. Even the sectors are become accessible through a donor PCB, the user files are still not recoverable without the original PCB being fixed. The patterning data stored at sector 1 and some following sectors where they should contain zeros are the key parameter to the decryption process. But there is only the WD knows the decryption algorithm until someone else is able to disclose it by reverse engineering. Bear in mind that, the patterning data will be unknown without the original PCB is working. So, to find out the key parameter, the controller chip and/or the firmware modules have to be looked at.

Written by: Zijian Xie (R&D Manager, MSc,BEng)


  1. Halo Admin,

    I finding your website by Gogo and I think this is really informative site and I can get the information that I'm looking for here, oh yeah hope you can check also the website about Ilmu Komputer.

    Thank u

  2. Now that's some nice info and i'll absoltely come back to see the latest news. Be sure to also check my website

  3. I don’t usually read much but after looking at your work, I think I will continue watching out for what you have ready for us. Your ideas are quite moving and not like any that I have seen. Waiting for your next creation.

    Thanks and Regards,
    Virtual assistant India

  4. i have harddisk and my harddisk get bad sector .. how can i do for repair that problem

  5. its good too read your website again, I am weighting for next creation, thanks

  6. thanks for excellent post...please add more..

    Thanks for sharing.


  7. Good Article! I have a little knowledge about that but its more info that i expect
    i will waiting for new article..

  8. the patterning data you see is actually an output of AES-ECB decryption hardware, feed with zeros instead of ciphertext - zeros is the state the platters are initialized in factory.

    the AES is done by the bridge chip and key is
    unique for each drive - this is why the patterning data differs between the drives.

    replacing the board by a generic SATA one you skip the AES decryption step, hence the now encrypted sector 0 contents, followed by sectors of plain zeros - this is what the data looks like on the platters.

  9. Actually Wd uses AES128 not 256 . Check WD tech documentation not advertising booklets.
    Second, data could be retrievable ( we did many cases).
    Some need part of hash key stored dirrectly on the drive , and it is not encrypted. With this part of key you could decrypt data . Check hddguru forum , there were told about many times.

    1. V@G, I had a WD MyBook LX 2TB stop working. It quit mounting to my Mac. I removed the hard drive from the enclosure and connected it to a USB hard drive reader. While it didn't mount, my Mac at least acknowledged the drive. I got the following message: "This drive is not readable by this computer. Initialize or Eject" (something like that at least). Meanwhile, I tried to run Data Rescue 3 on it, and it ran for abou 1.5 days and seemed to be pulling a bunch of files, but when it came time to recover the data turned out to be nothing. The only thing recoverable was the original WD content on the drive.
      I then sent the drive to a data recovery place, and they're saying that they cannot recover the data without the original enclosure. However, I no longer have the original enclosure.

      Based on your comment above, it seems that you're saying there's a way to recover the data without the original enclosure. Can you please offer me any insight and/ or suggestions.

      Thank you!

  10. Really Good Blog of hard disk data recovery. It good to see an honest account and you talking real sense too. Great!

  11. I'm very happy to read this helpful blog.
    Data files loss situation is usually a headache for the end user.
    However for the simplicity of individuals, Specialists developed a solution for situations.
    Consumer should be knowledgeable of the available computer data restoration methods to make certain that they can deal the data failure condition in the proper way.

    data recovery utah

  12. I've confirmed the larger 2TB WD MyBook Essentials contain a similar pattern - a standard MBR with sectors 1-2047 having a unique 128 bit key (16 bytes, as you show in your image, is 128 bit, not 256). On the 2TB 3.5" drive (which is SATA naitive), the key is repeated across these sectors. The key to recovery has to be the Initio Controller - but it's true, if you approach it after the drive or controller has failed, likely without having that key, you'll probably never get the data back..

    1. Drives with the Initio chip store the key in a block near the end of the drive. It is very possible to decrypt the drives. So far, I have done so with the JMicron chip and the Symwave chip, and I have all the information necessary to also do the Initio chip.

      I'm at thomas dot a dot kaeding at gmail dot com.

  13. This comment has been removed by the author.

  14. I Agree with your Article. If Want to PCB swap, you must swap u4 or u12 too.
    Data Recovery Indonesia

  15. I am overwhelmed by reading this helpful blog.I am searching out for the solution that how should i recover my datas. It will be really helpful for me.Click Here

  16. Yes it's true that the recovering the encrypted data is really a difficult task but about the hard drive data recovery company that I know is having good experts and they can easily recover the encrypted data.

  17. RAID Data Recovery New Zealand services for hard disk drives, SSD, RAID, NAS, USB flash drives, memory cards and mobile phones in New Zealand. Lab based in Auckland

  18. Oppure, per il recupero dati da WD My Passport, WD Essential e WD My Book, potete inviare il disco a RecuperoDati299 che esguirà tutte le operazioni descritte sopra compreso il decriptaggio dei dati.

  19. This is some nice view on how to do it yourself. I have tried that, and messed it up. Fortunately it was with test drive with some dispatchable data. However, even after my attempts and further messing up the hdd, i went to check some services for data recovery. Contacted a few, but only Recupero Dati offered a free diagnosis and recovered all the lost data on my hard drive. And what had me blow my mind, is that they offered some consulting on how to prevent data loss in the future. They have that sentence they said to me: We hope you will recommend our services nad will never have to use our services again :)

  20. It is possible to recover data from these drives. The key is stored in an unencrypted block near the end of the disk. I have myself been able to extract the key and decrypt two disks, one with the JMS528S chip, and one with the Symwave chip. I have instructions on how to do the same for drives with the Initio and Oxford chips as well. I do this on a linux machine. If you want my help, feel free to email me at thomas dot a dot kaeding at gmail dot com.