Bypassing the password protection from a WD My Passport with hardware encryption – August 2020

Portable USB hard drives are very useful devices. As laptops and computers move towards SSD as the primary means of onboard storage, the ability to store data diminishes as the capacity of an SSD is significantly less compared to a HDD in the same price range. As good as SSDs are in terms of speed, they just can’t compare in terms of storage space. An easy way to get around this problem is to introduce an external hard drive into the equation. Cheap and with loads of space available, they are the go-to for storage. Due to the value we place on our data it’s important that we keep it secure, and one way of doing so is to encrypt it by means of password protection. Western Digital, or WD, offers a series of drives that use hardware encryption and are branded as the My Passport range. They have a dedicated chip on the PCB (printed circuit board) of the drive to handle the encryption so that any data that is passed from your computer to the external hard drive is encrypted and kept private. As useful as this is, things can go wrong…

Whether our client had forgotten their password, or the encryption side of the drive had a wobble, the result was the same. Entering the password and hitting enter wasn’t working, instead of getting access to the data they were instead shown a message saying that the password was incorrect.

Considering the value of the data on the hard drive, the client contacted us for help. On paper, without the password there should be no access to the data considering the hardware encryption on this hard drive. But let’s take a look at how it all works. Inside the plastic enclosure we have a standard 2.5″ hard drive, but with a USB connector on the PCB, no native SATA connection. That’s the first challenge, as we can’t work with the drive at all without SATA commands. Here you can see the original USB PCB on the left (with hardware encryption chip highlighted in red) and compatible SATA PCB on the right.

Step one is to convert the drive to SATA by finding a compatible SATA PCB. These come in 256kb and 512kb ROM versions, so we needed to check the size of the USB ROM first, which we found to be 256kb. We read the ROM from the USB PCB and programmed the SATA PCB with its contents.

Once this has been done we can connect the hard drive to our Ace Laboratory PC-3000 Express hardware and software combination and work with the drive on a manufacturer level. Now that we’ve converted the drive to SATA we can work with it like a regular hard drive. Upon opening the WD utility we can see that the drive initialises well, but if we look at the contents of the first sector on the drive it’s encrypted and is just a jumble of characters.

This is as we expected as we know the data is encrypted by the Symwave chip, the one highlighted earlier in this article. However, the encryption is not based on the password that was set. It is instead based purely on the, now known, algorithm that the Symwave 6316 chip uses. Let’s search the firmware of the hard drive and confirm that this is the encryption that’s been used.

Now that we’ve confirmed the method used to encrypt the data, we can tell the PC-3000 WD utility to instead read sectors based on this algorithm. When we enable this method of reading and reread the same sector, we get usable data returned. About a third of the way through the sector you can see the text ‘Invalid partition table. Error loading operating system.’

Now that we can read data that’s decrypted, we can go ahead and access and extract the user’s data. This is good news for us and the client, but not such good news if you trust this system to keep your data safe from prying eyes as we didn’t need to know any passwords to get to the data.

In summary, hardware based encryption in this example is not secure. If you are looking to protect your data by means of password based encryption, rather use Bitlocker if using Windows, or FileVault if you’re using an Apple Macbook or iMac, as they are known to be secure. Feel free to contact us at our Cape Town data recovery lab if you have any queries related to hard drives or data recovery.