Unlocking a Travelstar 2.5" HDD?

← Back to Stories (view on slashdot.org)

Unlocking a Travelstar 2.5" HDD?

Posted by Cliff on Sunday November 4, 2001 @09:03AM from the unsecuring-the-wrongfully-secured dept.

Rogerborg writes "So, I buy a used 6.5Gb IBM Travelstar on eBay, only to find that I didn't caveat emptor enough, and it's password protected. No problem, I'll just, uh... uh... what will I do? According to this discussion at geek.com, the password is stored on the platter, not the controller, so swapping controllers won't help. If the controller finds a password, it refuses all access to the disk. Mounting the drive as a slave in an IDE converter, I can't fdisk, format or otherwise access it under Linux. DOS won't even recognize that the drive is there. I've even tried it in a freaky system running VxWorks. The drive mounts, but can't be accessed or formatted." How rude! Are there any utils out there that can be used to unlock the device so it can be used?

"The IBM tech sheet for a similar drive notes that there is a "security erase unit" command... but it's also password protected! I can't find any further info on the IBM site, but apparently their recommendation is to use password locked Travelstars as paperweights.

"Nortek can remove the password from Travelstars using black magic and chicken sacrifices (or a custom controller?) but will charge more than the price of the drive for even for a basic unlock that destroys the data.

I have to admit that I'm impressed by this security, but it renders the drive useless far too easily. Can Slashdot suggest any way to remove the password (the data can go too), short of degaussing the platters or building a custom controller?"

27 of 55 comments (clear)

Min score:

Reason:

Sort:

youre fucked. by Zurk · 2001-11-04 09:21 · Score: 5, Informative

bottom line is -- youre really fucked. its too cheap of a disk to be worth the hassle. just go get another.
on the other hand, if you want to struggle and you have plenty of free time :
Look for an eeprom which is located on the underside of the planar near the main power connector. The chip is typically marked C46C1 - ST 39AD. It is an 8 pin package and holds the security supervisor data and the code required to unlock the embedded code on the hard drive. Replace this chip with a clean one from an unlocked laptop drive (you can burn it with a serial eeprom writer) and you should be able to format the drive. Note that you need to disassemble the housing of the drive and maybe 30% of the drive itself to get at the chip.
1. Re:youre fucked. by Rogerborg · 2001-11-05 01:18 · Score: 2
  
  This chip is on the board itself, right? I've only got the drive. :-(
  
  Thanks for the reply though. In response to your first point, I'm really just pursuing this as a personal project, because I feel that hardware should be discarded when the magic smoke gets out and not before. ;-)
  
  --
  If you were blocking sigs, you wouldn't have to read this.
hearsay: "ZAP" by b-side.org · 2001-11-04 09:24 · Score: 3, Informative

Someone claims that a program called 'zap' from IBM will do it.

It's response number 16.

Enjoy,

--
Indie rock lives! b-side!
1. Re:hearsay: "ZAP" by hdurdle · 2001-11-04 09:37 · Score: 2, Informative
  
  There's a whole host of tools on the IBM site all Zap does is write zeros to the first 128 sectors of the disc... if, as a previous poster stated, the password is on a chip on the drive, you're probably screwed.
2. Re:hearsay: "ZAP" by FrozedSolid · 2001-11-04 14:57 · Score: 2, Informative
  
  Someone else on that same board mentioned...
  In the booklet for the 755C and similar models, there appears to be a "power on password" jumper next to the cmos battery sockets.
  Then.. later on, someone mentioned this (could be a troll, all caps.. but then again, could be foreign or something..)
  YOU MUST SUPPLY POWER TO THE HDD THEN SHORT OUT J11 J15 SHUT DOWN AND FDISK THEN FORMAT AND YOUR READFY TO GO
  Can't vouge for how true any of that is.. but it's worth a shot.
  
  -Scott
  
  --
  When all freedom is outlawed only the outlaws have freedom
3. Re:hearsay: "ZAP" by Rogerborg · 2001-11-05 01:23 · Score: 3, Informative
  
  Thanks for the response, but the poster hasn't tried this on a Travelstar. Until you unlock the drive, you can't do anything to it. I've tried this in 2 DOS laptops, a Linux desktop and a custom system running a PPC and VxWorks. One laptop won't boot at all unless the password is entered (even from floppy or CD-ROM), the other systems booted but then couldn't see the drive. Actually, the VxWorks system saw and mounted the drive, but then couldn't access it at all.
  
  --
  If you were blocking sigs, you wouldn't have to read this.
4. Re:hearsay: "ZAP" by Rogerborg · 2001-11-05 03:53 · Score: 2
  SUPPLY POWER TO THE HDD THEN SHORT OUT J11 J15
  
  Got that, thanks. Only thing is, there are no J11 and J15 on the controller. Perhaps he means pins 11 and 15, but as these are well defined I/O (HD03 and HD01) and not reserved, I'm highly dubious about following this advice.
  
  Still, I don't really have much to lose...
  --
  If you were blocking sigs, you wouldn't have to read this.
One Question by DAldredge · 2001-11-04 09:30 · Score: 2, Insightful

Why don't you ask the seller what the password is?
1. Re:One Question by Rogerborg · 2001-11-05 01:26 · Score: 2
  
  The drive was "sold as seen", and priced to reflect that. The seller shifts dozens of Travelstars, probably IBM rejects. Many of them work OK, because it's not worth anyone's (commercial) time to check an obsolete returned drive, they'll just shovel it out the back door.
  
  I actually expected the drive to be dead, the fact that it's "only" password locked is a bonus, because it gives me something fun to play with. ;-)
  
  --
  If you were blocking sigs, you wouldn't have to read this.
Re:Degauss? by pete-classic · 2001-11-04 12:11 · Score: 5, Informative

Modern HDDs use "imbedded servo data" which basically means that there are magnetic "guide posts" or "mile markers" on the disk. This is a huge improvement. The sort of capacities that HDDs have today would be impossible without it. It has also cured the so-called "Monday morning blues." (For PCs anyway :-)

This is why many people used to think that you could perminately damage IDE hard disks with a low level format. You can't becuase 1. a low level format is really executed by the drive hardware, and is just initiated from software and 2. these drives have an electronic "interlock," which is to say they will "fail" on writing to the servo areas.

It is also important to understand that in modern drives the controller is the board on the drive. IDE isn't a controller, it is a simple data bus. (In fact, the original IDE ports were nothing more than stripped down ISA ports.) So the servo areas aren't externally addressable.

Bottom line, if you degauss, you'd better have a "factory" controller to re-write the servo areas if you ever want to store data on the disk again.

-Peter
firmware by man_ls · 2001-11-04 12:47 · Score: 2

Several HDDs I have taken apart have a small flash ROM or EEPROM or some other such small memory-storing chip, located in the same container as the physical drive platters. There's the EEPROM, some resistors, and the drive servo. I don't know about IBM drives; but it probably is stored in one of those chips. Per the geek.com discussion, it seems IBM won't be terribly helpful with it, but I'm sure somebody, somewhere, has written a reflasher for the drive. The question is finding that person...
1. Re:firmware by Rogerborg · 2001-11-05 01:30 · Score: 2
  Several HDDs I have taken apart have a small flash ROM or EEPROM
  
  I've stripped an identical (but dead and already grinding) Travelstar down to the bones, but can't see any EEPROM or flash on it anywhere, neither on the controller, nor inside the body. This agrees with the information that the password is on the platter itself in a Travelstar.
  
  Heck, if it comes to it, if I have to open the body, I'll go ahead and swap the damn platters over from the dead drive; it's not as though I've got much to lose. ;-)
  --
  If you were blocking sigs, you wouldn't have to read this.
publically available by man_ls · 2001-11-04 12:51 · Score: 2

Anyone know of a place I could purchase hard-drives with this type of hardware-level password protection for a desktop system? I'd put one of those onto my documents drive and keep it safe from prying family members while I was out.
1. Re:publically available by unitron · 2001-11-04 13:00 · Score: 2
  
  Here's a wild guess. Call IBM.
  Seriously, that's where this one came from, and last I heard IBM would rather sell stuff than have it gather dust in the warehouse, and their sales department is bound to have an 800 number.
  
  --
  I see even classic Slashdot is now pretty much unusable on dial up anymore.
2. Re:publically available by Kefaa · 2001-11-04 13:29 · Score: 2
  
  Go to a host of sites and look for the internal hdd converter. It will allow you to mount a laptop hdd into a desktop system. The intent is to allow you to more easily access the data (i.e. upgrade the drive, etc.). Then buy one of these drives.
  
  The only thing I am uncertain about is if this will let you access the security information.
  _____________________________________________
  For every complex problem there exists a simple, inexpensive solution that is wrong.
3. Re:publically available by Rogerborg · 2001-11-05 01:33 · Score: 2
  [an] hdd converter [..] will allow you to mount a laptop hdd into a desktop system
  
  Don't bother. I've never seen a desktop BIOS that supports drive passwords. When mounted in a desktop, the controller doesn't respond and the BIOS doesn't see it at all if it's got a password set, and the BIOS has no option to set, change or remove the password.
  
  OTOH, you could try finding some source that handles ATAPI commands, and (perhaps) write a custom app to do this. That would be neat.
  --
  If you were blocking sigs, you wouldn't have to read this.
It's a $12 drive. Throw it away. by nukebuddy · 2001-11-04 15:36 · Score: 3, Informative

Why do people purchase junk like this? The best thing to do with a used HD is throw it in the garbage. If you want a cheap HD, you can buy a brand new 10GB Travelstar for $81 shipped:
http://www.googlegear.com/ggweb/jsp/ProductDetail. jsp?ProductCode=712553-017

-nb
1. Re:It's a $12 drive. Throw it away. by Rogerborg · 2001-11-05 03:58 · Score: 2, Funny
  The best thing to do with a used HD is throw it in the garbage
  
  Tsk tsk. If the Magic Smoke hasn't got out, it's usable or at least a fun project. Not everyone is ready to embrace the culture of disposability so readily.
  
  Recycling is better than disposal. Re-use is better than recycling. Recovery of an otherwise defunct drive is best of all. C'mere, and give me a hug. C'mon, it won't hurt.
  --
  If you were blocking sigs, you wouldn't have to read this.
Re:Because it's stolen? by mmontour · 2001-11-04 18:08 · Score: 2, Interesting

My personal paranoia and suspicions aside, who would sell their HD to a stranger *without* first wiping the disk?

Well, a local dot-com went out of business recently, and auctioned off almost all of their corporate and development servers (including the Visual SourceSafe repository) without wiping the drives. I've also bought an un-wiped computer from a consignment shop. So I wouldn't automatically assume that the laptop in question was stolen.
Re:last resort by kju · 2001-11-04 20:56 · Score: 4, Informative

NEVER USE A MAGNET! Besides the data tracking informations are written on most hard disks. You will destroy this essential data with a magnet and render the harddrive unusable!
Do like every other ebayer.. by billcopc · 2001-11-05 01:04 · Score: 2

and harass the bejiznitz out of the seller. Heck, I'm up to my 3rd account because of idiot buyers who ruined my name (and got me banned) on false claims just because they were from overseas. At least you'd have an honest reason to slam the guy/gal/thing and maybe get enough insurance money to get the thing unlocked (or buy a much larger drive and toss the locked one)

Or better yet : sell the drive on ebay :)

--
-Billco, Fnarg.com
1. Re:Do like every other ebayer.. by Rogerborg · 2001-11-05 01:37 · Score: 2
  harass the bejiznitz out of the seller
  
  Tsk tsk, the drive was sold (along with dozens of others) explicitely as seen. The seller was quite up front that it might not work, and the price I paid reflected this. I'm not at all bothered, and am actually having fun playing with it. ;-)
  
  Or better yet : sell the drive on ebay
  
  Ooh, cruel! No, I wouldn't do that, unless I could find someone who wanted to take a swing at fixing it.
  
  Buying the drive wasn't a commercial decision, I can easily afford a new one. I just believe that hardware should be binned when the Magic Smoke billows out, and not before. ;-)
  --
  If you were blocking sigs, you wouldn't have to read this.
Who needs hardware? by fm6 · 2001-11-05 03:59 · Score: 2

Documents? Never mind.
For this kind of thing, I use PGPdisk. Let's you allocate space into an encrypted pseudodrive. Much more secure than a simple password-protected drive. As long as your software is uncomprimised, it's totally non-hackable. But don't lose your pass phrase!!!
Amazon.com offers excellent tools by sulli · 2001-11-05 07:45 · Score: 4, Funny

for this problem.
Basic and industrial strength versions!

--

sulli
RTFJ.
Re:IBM Deskstar Supports Passwords by Rogerborg · 2001-11-06 05:18 · Score: 2
- Perhaps someone will be able to write a utility to lock a desktop HD when users go on vacation or something.
Or if they're storing politically sensitive material, perhaps in a suppressive regime. Or really hard core porn. ;-)
- (not sure how the BIOS would handle a locked drive though
It doesn't see the drive. The controller won't respond to any ATAPI commands except the password ones.

Actually, if you really want the data, an informed poster on another forum reckons that if you whip the controller off a non-locked drive (without powering it off, so it never gets an ATAPI power down or sleep from the BIOS), you can drop it onto a locked drive and read the data (once, until you power it down). I'm dubious about that, as I can't see any non-volatile storage on the controller to hold that state, but hey, it might be worth a try.
--
If you were blocking sigs, you wouldn't have to read this.
Re:Duhh! by Rogerborg · 2001-11-06 05:22 · Score: 2
- Laptop drives do not function as slaves
Bzzt, thanks for playing. Identical drives function as slaves just fine. Try before you post, please.
--
If you were blocking sigs, you wouldn't have to read this.
Final follow up by Rogerborg · 2001-11-16 02:28 · Score: 2

For the benefit of the archives, a last post from the article submitter:

I found a solution. The solution came in the form of a very nice man that I met on another discussion forum who, free and gratis, removed the password after I posted the drive to him. He also managed to tell me that what the password had been set to, and what kind of laptop the drive was in when it was locked.

How did he do it? He won't say. I think that he works for a shop that does this commercially, so I'll respect that and not mention his name or the shop that I think he works for. All I can say is that from our conversations, I suspect that with access to a custom drive controller, this is a thirty second operation, but that it does absolutely require modified hardware, and that there is, and never will be a software solution.

Thanks to all who contributed, and good luck with your own hacking and hardware reuse. ;-)

--
If you were blocking sigs, you wouldn't have to read this.