Slashdot Mirror


Unlocking a Travelstar 2.5" HDD?

Rogerborg writes "So, I buy a used 6.5Gb IBM Travelstar on eBay, only to find that I didn't caveat emptor enough, and it's password protected. No problem, I'll just, uh... uh... what will I do? According to this discussion at geek.com, the password is stored on the platter, not the controller, so swapping controllers won't help. If the controller finds a password, it refuses all access to the disk. Mounting the drive as a slave in an IDE converter, I can't fdisk, format or otherwise access it under Linux. DOS won't even recognize that the drive is there. I've even tried it in a freaky system running VxWorks. The drive mounts, but can't be accessed or formatted." How rude! Are there any utils out there that can be used to unlock the device so it can be used?

"The IBM tech sheet for a similar drive notes that there is a "security erase unit" command... but it's also password protected! I can't find any further info on the IBM site, but apparently their recommendation is to use password locked Travelstars as paperweights.

"Nortek can remove the password from Travelstars using black magic and chicken sacrifices (or a custom controller?) but will charge more than the price of the drive even for a basic unlock that destroys the data.

"I have to admit that I'm impressed by this security, but it renders the drive useless far too easily. Can Slashdot suggest any way to remove the password (the data can go too), short of degaussing the platters or building a custom controller?"

55 comments

  1. youre fucked. by Zurk · · Score: 5, Informative

    bottom line is -- you're really fucked. it's too cheap of a disk to be worth the hassle. just go get another.
    on the other hand, if you want to struggle and you have plenty of free time :
    Look for an eeprom which is located on the underside of the planar near the main power connector. The chip is typically marked C46C1 - ST 39AD. It is an 8 pin package and holds the security supervisor data and the code required to unlock the embedded code on the hard drive. Replace this chip with a clean one from an unlocked laptop drive (you can burn it with a serial eeprom writer) and you should be able to format the drive. Note that you need to disassemble the housing of the drive and maybe 30% of the drive itself to get at the chip.

    1. Re:youre fucked. by Rogerborg · · Score: 2

      This chip is on the board itself, right? I've only got the drive. :-(

      Thanks for the reply though. In response to your first point, I'm really just pursuing this as a personal project, because I feel that hardware should be discarded when the magic smoke gets out and not before. ;-)

      --
      If you were blocking sigs, you wouldn't have to read this.
  2. hearsay: "ZAP" by b-side.org · · Score: 3, Informative

    Someone claims that a program called 'zap' from IBM will do it.

    It's response number 16.

    Enjoy,

    --
    Indie rock lives! b-side!
    1. Re:hearsay: "ZAP" by hdurdle · · Score: 2, Informative

      There's a whole host of tools on the IBM site. All Zap does is write zeros to the first 128 sectors of the disc... if, as a previous poster stated, the password is on a chip on the drive, you're probably screwed.

    2. Re:hearsay: "ZAP" by FrozedSolid · · Score: 2, Informative

      Someone else on that same board mentioned...
      In the booklet for the 755C and similar models, there appears to be a "power on password" jumper next to the cmos battery sockets.
      Then.. later on, someone mentioned this (could be a troll, all caps.. but then again, could be foreign or something..)
      YOU MUST SUPPLY POWER TO THE HDD THEN SHORT OUT J11 J15 SHUT DOWN AND FDISK THEN FORMAT AND YOUR READFY TO GO
      Can't vouch for how true any of that is.. but it's worth a shot.

      -Scott

      --
      When all freedom is outlawed only the outlaws have freedom
    3. Re:hearsay: "ZAP" by Rogerborg · · Score: 3, Informative

      Thanks for the response, but the poster hasn't tried this on a Travelstar. Until you unlock the drive, you can't do anything to it. I've tried this in 2 DOS laptops, a Linux desktop and a custom system running a PPC and VxWorks. One laptop won't boot at all unless the password is entered (even from floppy or CD-ROM), the other systems booted but then couldn't see the drive. Actually, the VxWorks system saw and mounted the drive, but then couldn't access it at all.

      --
      If you were blocking sigs, you wouldn't have to read this.
    4. Re:hearsay: "ZAP" by Rogerborg · · Score: 2
      • SUPPLY POWER TO THE HDD THEN SHORT OUT J11 J15

      Got that, thanks. Only thing is, there are no J11 and J15 on the controller. Perhaps he means pins 11 and 15, but as these are well defined I/O (HD03 and HD01) and not reserved, I'm highly dubious about following this advice.

      Still, I don't really have much to lose...

      --
      If you were blocking sigs, you wouldn't have to read this.
  3. One Question by DAldredge · · Score: 2, Insightful

    Why don't you ask the seller what the password is?

    1. Re:One Question by 42forty-two42 · · Score: 1

      What if they were getting rid of it after buying it from someone else who was getting rid of it after buying it from someone else ad infinitum... eventually coming to someone who was getting rid of it after 'forgetting' the password...

    2. Re:One Question by Anonymous Coward · · Score: 0

      Or -- perish the thought -- it came from a stolen laptop whose owner wisely activated the password..

    3. Re:One Question by Yottabyte84 · · Score: 1

      I personally have a laptop with a lockable HD, and I do have it locked, not because I have anything worth reading on it, but in case it's stolen to give the thief a headache, and possibly increase the likelihood of getting it back if I should lose it (my bios displays my name and phone # at boot time and is password protected, but someone could erase the CMOS.)

    4. Re:One Question by Rogerborg · · Score: 2

      The drive was "sold as seen", and priced to reflect that. The seller shifts dozens of Travelstars, probably IBM rejects. Many of them work OK, because it's not worth anyone's (commercial) time to check an obsolete returned drive, they'll just shovel it out the back door.

      I actually expected the drive to be dead, the fact that it's "only" password locked is a bonus, because it gives me something fun to play with. ;-)

      --
      If you were blocking sigs, you wouldn't have to read this.
    5. Re:One Question by Anonymous Coward · · Score: 0
      My e-mail address is totally spamproof! Just delete every other character, ROT13, and write backwards to decode.
      What you mean like locando@imane.com?
    6. Re:One Question by Anonymous Coward · · Score: 0

      gahahahah that's great. EAT SPAM you fucking security freak.

  4. last resort by whydna · · Score: 1

    Personally, if you've already contacted the seller on ebay to see if they know and that failed, you could ask for a refund or give negative feedback for selling a bum drive (if you can't use it with compatible equipment, it's dead in my book). But as a last resort, you could always try a big hefty magnet to zap it. I don't know how that would affect any eeprom or anything of that sort, but it's a good last resort.

    1. Re:last resort by kju · · Score: 4, Informative

      NEVER USE A MAGNET! Besides the data, tracking information is written on most hard disks. You will destroy this essential data with a magnet and render the hard drive unusable!

  5. Degauss? by Beowulf_Boy · · Score: 1

    Nice big bar magnet oughta take care of that problem. But, would it affect the chips or anything?

    1. Re:Degauss? by Anonymous Coward · · Score: 0

      a radioshack tape degausser will take care of it but will produce a large number of bad sectors if it doesn't kill the drive completely.

    2. Re:Degauss? by pete-classic · · Score: 5, Informative

      Modern HDDs use "imbedded servo data" which basically means that there are magnetic "guide posts" or "mile markers" on the disk. This is a huge improvement. The sort of capacities that HDDs have today would be impossible without it. It has also cured the so-called "Monday morning blues." (For PCs anyway :-)

      This is why many people used to think that you could permanently damage IDE hard disks with a low level format. You can't because 1. a low level format is really executed by the drive hardware, and is just initiated from software and 2. these drives have an electronic "interlock," which is to say they will "fail" on writing to the servo areas.

      It is also important to understand that in modern drives the controller is the board on the drive. IDE isn't a controller, it is a simple data bus. (In fact, the original IDE ports were nothing more than stripped down ISA ports.) So the servo areas aren't externally addressable.

      Bottom line, if you degauss, you'd better have a "factory" controller to re-write the servo areas if you ever want to store data on the disk again.

      -Peter

    3. Re:Degauss? by ers81239 · · Score: 1

      I'd say it's worth a shot at this point. And I want to know how it turns out!!

      --
      there are 2 kinds of people. those who divide people into 2 kinds, and those who don't.
  6. firmware by man_ls · · Score: 2

    Several HDDs I have taken apart have a small flash ROM or EEPROM or some other such small memory-storing chip, located in the same container as the physical drive platters. There's the EEPROM, some resistors, and the drive servo. I don't know about IBM drives; but it probably is stored in one of those chips. Per the geek.com discussion, it seems IBM won't be terribly helpful with it, but I'm sure somebody, somewhere, has written a reflasher for the drive. The question is finding that person...

    1. Re:firmware by Rogerborg · · Score: 2
      • Several HDDs I have taken apart have a small flash ROM or EEPROM

      I've stripped an identical (but dead and already grinding) Travelstar down to the bones, but can't see any EEPROM or flash on it anywhere, neither on the controller, nor inside the body. This agrees with the information that the password is on the platter itself in a Travelstar.

      Heck, if it comes to it, if I have to open the body, I'll go ahead and swap the damn platters over from the dead drive; it's not as though I've got much to lose. ;-)

      --
      If you were blocking sigs, you wouldn't have to read this.
    2. Re:firmware by Anonymous Coward · · Score: 0

      If you swap platters (and are really that daring) - build a custom clean "tank" - otherwise you won't be able to trust the drive at all...

  7. publically available by man_ls · · Score: 2

    Anyone know of a place I could purchase hard-drives with this type of hardware-level password protection for a desktop system? I'd put one of those onto my documents drive and keep it safe from prying family members while I was out.

    1. Re:publically available by unitron · · Score: 2
      Here's a wild guess. Call IBM.

      Seriously, that's where this one came from, and last I heard IBM would rather sell stuff than have it gather dust in the warehouse, and their sales department is bound to have an 800 number.

      --

      I see even classic Slashdot is now pretty much unusable on dial up anymore.

    2. Re:publically available by Kefaa · · Score: 2

      Go to a host of sites and look for the internal hdd converter. It will allow you to mount a laptop hdd into a desktop system. The intent is to allow you to more easily access the data (i.e. upgrade the drive, etc.). Then buy one of these drives.

      The only thing I am uncertain about is if this will let you access the security information.
      _____________________________________________
      For every complex problem there exists a simple, inexpensive solution that is wrong.

    3. Re:publically available by Yottabyte84 · · Score: 1

      For Windows: Get scramdisk.
      For Linux: Unless your family can use a root disk, just make sure your files aren't world readable. You could also use encrypted loopbacks if you are really worried.

    4. Re:publically available by Anonymous Coward · · Score: 1, Informative

      In the 9x series just rename (from dos) a directory to contain the character 254 (ALT-254). Windows find will bypass it and windows explorer can't enter it. Set up some batch files to hide and reveal the directory. It's enough for idiot families, anyway.

    5. Re:publically available by Rogerborg · · Score: 2
      • [an] hdd converter [..] will allow you to mount a laptop hdd into a desktop system

      Don't bother. I've never seen a desktop BIOS that supports drive passwords. When mounted in a desktop, the controller doesn't respond and the BIOS doesn't see it at all if it's got a password set, and the BIOS has no option to set, change or remove the password.

      OTOH, you could try finding some source that handles ATAPI commands, and (perhaps) write a custom app to do this. That would be neat.

      --
      If you were blocking sigs, you wouldn't have to read this.
    6. Re:publically available by Yottabyte84 · · Score: 1

      Yeah, but it's alt-0255 (donno if the leading 0 is required or not.)

  8. If you have a lot of time.... by Yottabyte84 · · Score: 1

    You could try brute forcing the password somehow and hope that the luser that locked it didn't know anything about security and had a password = 6 chars.

  9. Because it's stolen? by t0mmyb · · Score: 1

    ...or from some other shady source. I doubt if the seller ever got this thing to work, other than powering it up and seeing that it was locked.

    It sounds very suspicious to me. I've had friends who have had their car windows smashed so their company laptops could be 'appropriated'. Stereo, CD collection, etc. were left untouched.

    My personal paranoia and suspicions aside, who would sell their HD to a stranger *without* first wiping the disk?

    1. Re:Because it's stolen? by mmontour · · Score: 2, Interesting

      My personal paranoia and suspicions aside, who would sell their HD to a stranger *without* first wiping the disk?

      Well, a local dot-com went out of business recently, and auctioned off almost all of their corporate and development servers (including the Visual SourceSafe repository) without wiping the drives. I've also bought an un-wiped computer from a consignment shop. So I wouldn't automatically assume that the laptop in question was stolen.

  10. It's a $12 drive. Throw it away. by nukebuddy · · Score: 3, Informative

    Why do people purchase junk like this? The best thing to do with a used HD is throw it in the garbage. If you want a cheap HD, you can buy a brand new 10GB Travelstar for $81 shipped:
    http://www.googlegear.com/ggweb/jsp/ProductDetail.jsp?ProductCode=712553-017

    -nb

    1. Re:It's a $12 drive. Throw it away. by Rogerborg · · Score: 2, Funny
      • The best thing to do with a used HD is throw it in the garbage

      Tsk tsk. If the Magic Smoke hasn't got out, it's usable or at least a fun project. Not everyone is ready to embrace the culture of disposability so readily.

      Recycling is better than disposal. Re-use is better than recycling. Recovery of an otherwise defunct drive is best of all. C'mere, and give me a hug. C'mon, it won't hurt.

      --
      If you were blocking sigs, you wouldn't have to read this.
    2. Re:It's a $12 drive. Throw it away. by Wakko+Warner · · Score: 1

      This is slashdot. $12 to some people here is a month's pay!!

      --
      "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  11. IBM Travelstar info by Anonymous Coward · · Score: 1, Informative

    The IBM Travelstar series has ATAPI commands which can protect the drive. If you don't supply the password to a locked drive you won't even see the drive. The firmware on the drive has a 5 counts and you're out system to slow down brute forcers. If you get it wrong 5 times you need to power down to reset the drive. There are no jumpers to short out and no utilities to bypass the mechanism. If you can't see the drive how are you supposed to use a utility to speak to it ?
    Think caps on people... let's hear some intelligent replies.

  12. Do like every other ebayer.. by billcopc · · Score: 2

    and harass the bejiznitz out of the seller. Heck, I'm up to my 3rd account because of idiot buyers who ruined my name (and got me banned) on false claims just because they were from overseas. At least you'd have an honest reason to slam the guy/gal/thing and maybe get enough insurance money to get the thing unlocked (or buy a much larger drive and toss the locked one)

    Or better yet : sell the drive on ebay :)

    --
    -Billco, Fnarg.com
    1. Re:Do like every other ebayer.. by Rogerborg · · Score: 2
      • harass the bejiznitz out of the seller

      Tsk tsk, the drive was sold (along with dozens of others) explicitly as seen. The seller was quite up front that it might not work, and the price I paid reflected this. I'm not at all bothered, and am actually having fun playing with it. ;-)

      • Or better yet : sell the drive on ebay

      Ooh, cruel! No, I wouldn't do that, unless I could find someone who wanted to take a swing at fixing it.

      Buying the drive wasn't a commercial decision, I can easily afford a new one. I just believe that hardware should be binned when the Magic Smoke billows out, and not before. ;-)

      --
      If you were blocking sigs, you wouldn't have to read this.
  13. Who needs hardware? by fm6 · · Score: 2
    Documents? Never mind.

    For this kind of thing, I use PGPdisk. Lets you allocate space into an encrypted pseudodrive. Much more secure than a simple password-protected drive. As long as your software is uncompromised, it's totally non-hackable. But don't lose your pass phrase!!!

  14. Already Available by guru_steve · · Score: 1

    A while back I was looking through IBM's specs for their deskstar drives, and it appears that they all support the same levels of password protection as their travelstar line of HD's. That is to say they all support a user and supervisor password, with multiple levels of security. (both user and supervisor passwords could be set to allow access to data, or it could be set such that only the user password could access the data, with the supervisor password needed to re-initialize the drive.)

    Kind of a moot point, as most bios's have no support for this type of thing.

    Perhaps IBM commercial sales have some systems that support these levels of desktop HD passwords.
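
Added example, not part of any poster's comment and not IBM's code: a small Python model of the ATA Security feature set that comments 11 and 14 describe (user and master, i.e. "supervisor", password, High/Maximum level, five-attempt counter cleared by a power cycle), together with a decoder for the security status word (word 128) of IDENTIFY DEVICE data. The class, passwords and sample data are constructed for illustration, and the model's choice not to count a rejected master unlock against the counter is an assumption.

```python
import struct

# IDENTIFY DEVICE word 128 (security status) bits, per the ATA Security feature set
BITS = {"supported": 0, "enabled": 1, "locked": 2, "frozen": 3,
        "count_expired": 4, "enhanced_erase": 5}
LEVEL_BIT = 8  # 0 = High, 1 = Maximum


def decode_security_word(identify: bytes) -> dict:
    """Decode word 128 of a 512-byte IDENTIFY DEVICE block (little-endian words)."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data is 256 words (512 bytes)")
    (word,) = struct.unpack_from("<H", identify, 128 * 2)
    status = {name: bool(word >> bit & 1) for name, bit in BITS.items()}
    status["level"] = "maximum" if word >> LEVEL_BIT & 1 else "high"
    return status


class ModelDrive:
    """Hypothetical model of a drive with a user password set (not firmware)."""
    MAX_ATTEMPTS = 5  # the "5 counts and you're out" counter

    def __init__(self, user_pw: str, master_pw: str, level: str = "high"):
        self.user_pw, self.master_pw, self.level = user_pw, master_pw, level
        self.data = "constructed sample sectors"
        self.power_cycle()

    def power_cycle(self) -> None:
        # Power-on state: locked again, attempt counter reloaded.
        self.locked = True
        self.attempts_left = self.MAX_ATTEMPTS

    def unlock(self, password: str, master: bool = False) -> str:
        if self.attempts_left == 0:
            return "aborted: attempt counter expired, power cycle required"
        if master and self.level == "maximum":
            # Maximum level: the master password can only erase, never unlock.
            # Assumption of this model: the rejection does not use up an attempt.
            return "aborted: master unlock not allowed at maximum level"
        if password == (self.master_pw if master else self.user_pw):
            self.locked = False
            return "unlocked"
        self.attempts_left -= 1
        return "aborted: wrong password"

    def read(self) -> str:
        return "aborted: drive locked" if self.locked else self.data

    def identify(self) -> bytes:
        # Build IDENTIFY data carrying only word 128; all other words stay zero.
        word = 0b11  # supported + enabled
        word |= self.locked << 2
        word |= (self.attempts_left == 0) << 4
        word |= (self.level == "maximum") << LEVEL_BIT
        block = bytearray(512)
        struct.pack_into("<H", block, 128 * 2, word)
        return bytes(block)


def demo() -> list:
    """Six wrong guesses, then the right password before and after a power cycle."""
    drive = ModelDrive("constructed-user-pw", "constructed-master-pw")
    log = [drive.unlock(f"guess{i}") for i in range(6)]
    log.append(drive.unlock("constructed-user-pw"))  # refused: counter expired
    log.append(decode_security_word(drive.identify())["count_expired"])
    drive.power_cycle()
    log.append(drive.unlock("constructed-user-pw"))
    log.append(drive.read())
    return log
```

On Linux, `hdparm -I` prints the same status bits for a real drive.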

  15. IBM Deskstar Supports Passwords by guru_steve · · Score: 1

    Here's a page from IBM listing the control commands for their Deskstar line of drives:

    http://www.storage.ibm.com/hdd/support/dtla/dtlacom.htm

    I'm sure there's a PDF floating around on their site, but I can't find it right now. Have a gander at the Security set password and Security unlock fields.

    Perhaps someone will be able to write a utility to lock a desktop HD when users go on vacation or something. (not sure how the BIOS would handle a locked drive though.)

    There's some food for thought.

    1. Re:IBM Deskstar Supports Passwords by Rogerborg · · Score: 2
      • Perhaps someone will be able to write a utility to lock a desktop HD when users go on vacation or something.

      Or if they're storing politically sensitive material, perhaps in a suppressive regime. Or really hard core porn. ;-)

      • (not sure how the BIOS would handle a locked drive though

      It doesn't see the drive. The controller won't respond to any ATAPI commands except the password ones.

      Actually, if you really want the data, an informed poster on another forum reckons that if you whip the controller off a non-locked drive (without powering it off, so it never gets an ATAPI power down or sleep from the BIOS), you can drop it onto a locked drive and read the data (once, until you power it down). I'm dubious about that, as I can't see any non-volatile storage on the controller to hold that state, but hey, it might be worth a try.

      --
      If you were blocking sigs, you wouldn't have to read this.
  16. Amazon.com offers excellent tools by sulli · · Score: 4, Funny
    for this problem.

    Basic and industrial strength versions!

    --

    sulli
    RTFJ.
  17. A complicated solution by scriptkiddie · · Score: 1
    It sounds like Nortek developed some special software to unlock these drives. Here's how I'd do it:
    • Write a Linux driver that can unlock a drive given a password. This would require modifying the IDE code in the kernel. Yuck.
    • Crack the password. It's only 8*256 possibilities, which shouldn't take more than a few minutes since the drive is inside the machine.

    Alternatively, it's possible that IBM just included a default, fallback password. I read somewhere that nearly every BIOS has a "cheat" password. Of course, motherboards aren't used to store your company's most valuable data....

    1. Re:A complicated solution by Anonymous Coward · · Score: 0

      8*256 umm I don't think so. try 256^8 (assuming 256 letter alphabet and 8 positions.)

  18. Duhh! by Anonymous Coward · · Score: 0

    Laptop drives do not function as slaves. That is why it didn't get detected. Stick it as a master on your second IDE bus and..
    dd if=/dev/null of=/dev/hdb1

    1. Re:Duhh! by Rogerborg · · Score: 2
      • Laptop drives do not function as slaves

      Bzzt, thanks for playing. Identical drives function as slaves just fine. Try before you post, please.

      --
      If you were blocking sigs, you wouldn't have to read this.
  19. Try this... by xiox · · Score: 1
    1. Re:Try this... by Anonymous Coward · · Score: 0

      yes, pay $85 for a utility to unlock a $12 hard drive.

  20. Final follow up by Rogerborg · · Score: 2

    For the benefit of the archives, a last post from the article submitter:

    I found a solution. The solution came in the form of a very nice man that I met on another discussion forum who, free and gratis, removed the password after I posted the drive to him. He also managed to tell me what the password had been set to, and what kind of laptop the drive was in when it was locked.

    How did he do it? He won't say. I think that he works for a shop that does this commercially, so I'll respect that and not mention his name or the shop that I think he works for. All I can say is that from our conversations, I suspect that with access to a custom drive controller, this is a thirty second operation, but that it does absolutely require modified hardware, and that there is, and never will be a software solution.

    Thanks to all who contributed, and good luck with your own hacking and hardware reuse. ;-)

    --
    If you were blocking sigs, you wouldn't have to read this.