OSX, error running getdek: key sector not found[SOLVED]

[BoBMrTD]

Hi everybody
I'm running reallymine on OSX 10.13.5, the version posted here:
#38
Also mine WD enclosure have the usb connector detached, so I've attached it to my NB.
The enclosure was based on the JMicron JMS538S chip and the disk was a 2.0TB.
The result of the operation
sudo dd if=/dev/disk2 bs=512 skip=3907024928 count=1 of=kb.bin
is
hexdump -C kb.bin
00000000 57 44 76 31 cd f8 00 00 00 88 df e8 00 00 00 00 |WDv1............|
00000010 00 00 00 00 00 00 f0 00 00 00 00 00 00 00 00 00 |................|
00000020 01 00 00 00 00 00 46 50 00 00 00 00 00 00 00 00 |......FP........|
00000030 00 02 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
so I think I've find the keyblock.

But when I run
sudo ./reallymine getdek /dev/disk2
the result is the following message
error running getdek: key sector not found

Can someone help me?
I've tryed also to perform the operation illustrated in
https://github.com/themaddoctor/linux-mybook-tools
but at the end of the operation I was unable to obtain a DEK.

Thank's in advance and sorry for my bad english.

[andlabs]

What happens if you run getdek on that kb.bin file?

[BoBMrTD]

Thank's again for the answer.
the result is:
sudo ./reallymine getdek kb.bin
bridge type JMicron
DEK: 5C5471290A7F1CCC06212E8FC31566DE41B0C5C7209A27F802353E20E99FE6A5
decryption steps: reverse decrypt reverse

[andlabs]

That is strange... Probably a bug in reallymine? What happens if you run getdek with --disk-size 3907025440?

[BoBMrTD]

The result is:
sudo ./reallymine --disk-size 3907025440 getdek /dev/disk2
error running getdek: requested disk size larger than actual disk size
if i run
diskutil list
the result is
.[snip].
/dev/disk2 (external, physical):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *2.0 TB disk2
1: Microsoft Reserved 16.8 MB disk2s1
and
diskutil info /dev/disk2
Device Identifier: disk2
Device Node: /dev/disk2
Whole: Yes
Part of Whole: disk2
Device / Media Name: EARX-32PASB0

Volume Name: Not applicable (no file system)
Mounted: Not applicable (no file system)
File System: None

Content (IOContent): GUID_partition_scheme
OS Can Be Installed: No
Media Type: Generic
Protocol: USB
SMART Status: Not Supported

Disk Size: 2.0 TB (2000398934016 Bytes) (exactly 3907029168 512-Byte-Units)
Device Block Size: 512 Bytes

Read-Only Media: No
Read-Only Volume: Not applicable (no file system)

Device Location: External
Removable Media: Fixed

Virtual: No

Thank's again andlabs

[themaddoctor]

Can you post the complete kb.bin, please?

[andlabs]

That looks like your drive is fully working? Are you not able to mount that Windows partition?

[themaddoctor]

Doesn't "1: Microsoft Reserved 16.8 MB disk2s1" mean that partition 1 is a placeholder and that there is also an Apple partition scheme on the drive? So it's HFS+?

[themaddoctor]

And if "diskutil /dev/disk2" finds a partition table, doesn't that mean it's not encrypted?

[BoBMrTD]

Hi to all,
i really appreciate your effort.

@andlabs
the command
sudo dd if=/dev/disk2 bs=512 skip=3907024928 count=1 of=kb.bin
is workin so I think the disk is functional, I don't know if there are bad block.
When I've mounted the disk in windows 7 the OS don't recognize the disk and ask to format it.

@themaddoctor
I've uploaded the kd.bin
kb.bin.zip
When I try to mount the disk in OSX the system don't recognize it and ask to format, I chose ignore and the I can operate on it using dd and diskutil.

[themaddoctor]

I checked and I get the same key from your kb.bin.

By plugging the disk into Windows 7 you may have corrupted the MBR and first sector of the partition. Can you send sectors 0, 2048, and 2049?

Are you sure it was an NTFS filesystem even though you have a mac?

[BoBMrTD]

Hi themaddoctor,
I've run the following command:
sudo dd if=/dev/disk2 bs=512 skip=0 count=1 of=block_0.bin
sudo dd if=/dev/disk2 bs=512 skip=2047 count=1 of=block_2048.bin
sudo dd if=/dev/disk2 bs=512 skip=2048 count=1 of=block_2049.bin
the result is:
block_0_2048_2049.zip
The drive was used on windows (from XP and later), OSX, Sony TV and Linux, we normally use NTFS as filesystem, so I'm confident to exclude the drive was in HFS+

Best regards and again thank's a lot for the effort.

[BoBMrTD]

Hi all,
actually my mac is decrypting !!!!
I've used this command:
sudo ./reallymine decryptfile /dev/disk2 /Volumes/GoogleDrive/Il\ mio\ Drive/Lavoro/decrypt.img "5C5471290A7F1CCC06212E8FC31566DE41B0C5C7209A27F802353E20E99FE6A5" "reverse decrypt reverse" as explained in issue #38
Seems to be a little slow but using a google drive as target don't help....

[BoBMrTD]

I'll leave the mac working for the week end, monday I hope to be able to access to the data.
Best regard to all

[themaddoctor]

Bad news, dude. Your block 0 is NOT encrypted. So the disk was repartitioned after you took it out of the case.

You used the wrong "skip" numbers. Block "2049" is really 2048, and decrypts to be the start of an NTFS partition. So you will have to deal with the bad partition table after you finish decrypting.

[BoBMrTD]

@themaddoctor
Thank's again.
I've to fight again a problem related to the use of google drive as target.
Now I can use a empty disk as target for the .img file.
Tonight I try again.
Best regards

[BoBMrTD]

Hi,
no way, the set up I'm using is too slow: after 20 hour of work only 230 GB of data.
Some ideas?

[BoBMrTD]

Done!!!
I've used the dek.hex key obtained using reallymine in the procedure from
https://github.com/themaddoctor/linux-mybook-tools

Thank's to @andlabs and @themaddoctor

[MrDecay]

Great job👍

…

On Fri, Jul 13, 2018, 9:32 AM BoBMrTD ***@***.***> wrote: Done!!! I've used the dek.hex key obtained using reallymine in the procedure from https://github.com/themaddoctor/linux-mybook-tools Thank's to @andlabs <https://github.com/andlabs> and @themaddoctor <https://github.com/themaddoctor> — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#71 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AQE6xTJCp6JF5PQR181REazbCeAGsrsTks5uGK-FgaJpZM4VDwB6> .

[klturi421]

@BoBMrTD - I'm curious, after running reallymine from #38, were you able to recover your files? I'm curious if it works any differently on MacOS vs Linux. I'm currently attempting to decrypt a 3tb using Ubuntu 18.04, I have had it running for about a week now and have only decrypted roughly 200 GB. When I attempted using reallymine from #38 it "decrypted" way faster, but when I attempted to access the files through a file recovery program the files were not recoverable.

Just looking for some ideas to hopefully help my situation a little quicker.

[BoBMrTD]

@klturi421
Hi, I've read only today the message, I'm sorry.
Yes, I've found the right sector and the key on the hdd using the step as in #38.
Afther I've tryed to decode the whole disk using the binary from @andlabs for the MAC but the speed was very very slow.
My set-up in linux was: themaddoctor/linux-mybook-tools#19
I've mounted the un-clear un-mounted decrypted partition using loop device in linux to be able to access to the coontents.
I've used an old ubuntu distro to be able to build the filter for the data, I've mess around a bit to be capable to install all the SW needed.
Best regards