# How do I unlock a hard drive (SSD)?

## DingbatCA

I am kinda stumped on this one.  I have an SSD that is password locked.  At 512GB, it is still a rather useful drive. Dont care about any of the data on the drive, just want to get it functional. I know the basics like using "hdparm --user-master u --security-erase password /dev/X" to unlock a drive.  Or using the "--user-master m" with a password of 32 spaces, but none of that has worked.  I now need something deeper.

I already contacted Toshiba and they were not able to help.

Any thoughts/ideas?

Here are the specs on the drive according to hdparm:

```
/dev/sdj:

ATA device, with non-removable media

        Model Number:       TOSHIBA THNSNJ512GCSU

        Serial Number:      XXXXXXXXXXXX

        Firmware Revision:  JUPS0102

        Transport:          Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6, SATA Rev 3.0

Standards:

        Supported: 9 8 7 6 5

        Likely used: 9

Configuration:

        Logical         max     current

        cylinders       16383   16383

        heads           16      16

        sectors/track   63      63

        --

        CHS current addressable sectors:    16514064

        LBA    user addressable sectors:   268435455

        LBA48  user addressable sectors:  1000215216

        Logical  Sector size:                   512 bytes

        Physical Sector size:                   512 bytes

        Logical Sector-0 offset:                  0 bytes

        device size with M = 1024*1024:      488386 MBytes

        device size with M = 1000*1000:      512110 MBytes (512 GB)

        cache/buffer size  = unknown

        Form Factor: 2.5 inch

        Nominal Media Rotation Rate: Solid State Device

Capabilities:

        LBA, IORDY(can be disabled)

        Queue depth: 32

        Standby timer values: spec'd by Standard, no device specific minimum

        R/W multiple sector transfer: Max = 16  Current = 16

        Advanced power management level: 254

        DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 *udma5

             Cycle time: min=120ns recommended=120ns

        PIO: pio0 pio1 pio2 pio3 pio4

             Cycle time: no flow control=120ns  IORDY flow control=120ns

Commands/features:

        Enabled Supported:

           *    SMART feature set

           *    Security Mode feature set

           *    Power Management feature set

           *    Write cache

           *    Look-ahead

           *    Host Protected Area feature set

           *    WRITE_BUFFER command

           *    READ_BUFFER command

           *    NOP cmd

           *    DOWNLOAD_MICROCODE

           *    Advanced Power Management feature set

                SET_MAX security extension

           *    48-bit Address feature set

           *    Device Configuration Overlay feature set

           *    Mandatory FLUSH_CACHE

           *    FLUSH_CACHE_EXT

           *    SMART error logging

           *    SMART self-test

           *    General Purpose Logging feature set

           *    WRITE_{DMA|MULTIPLE}_FUA_EXT

           *    64-bit World wide name

           *    WRITE_UNCORRECTABLE_EXT command

           *    {READ,WRITE}_DMA_EXT_GPL commands

           *    Segmented DOWNLOAD_MICROCODE

           *    Gen1 signaling speed (1.5Gb/s)

           *    Gen2 signaling speed (3.0Gb/s)

           *    Gen3 signaling speed (6.0Gb/s)

           *    Native Command Queueing (NCQ)

           *    Host-initiated interface power management

           *    Phy event counters

           *    Host automatic Partial to Slumber transitions

           *    Device automatic Partial to Slumber transitions

           *    READ_LOG_DMA_EXT equivalent to READ_LOG_EXT

                DMA Setup Auto-Activate optimization

                Device-initiated interface power management

           *    Software settings preservation

                Device Sleep (DEVSLP)

           *    SMART Command Transport (SCT) feature set

           *    SCT Write Same (AC2)

           *    SCT Error Recovery Control (AC3)

           *    SCT Features Control (AC4)

           *    SCT Data Tables (AC5)

           *    SANITIZE feature set

           *    BLOCK_ERASE_EXT command

           *    DOWNLOAD MICROCODE DMA command

           *    SET MAX SETPASSWORD/UNLOCK DMA commands

           *    WRITE BUFFER DMA command

           *    READ BUFFER DMA command

           *    DEVICE CONFIGURATION SET/IDENTIFY DMA commands

           *    Data Set Management TRIM supported (limit 8 blocks)

           *    Deterministic read ZEROs after TRIM

Security:

        Master password revision code = 65534

                supported

                enabled

                locked

        not     frozen

        not     expired: security count

                supported: enhanced erase

        Security level maximum

        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.

Logical Unit WWN Device Identifier: 500080d910247d1f

        NAA             : 5

        IEEE OUI        : 00080d

        Unique ID       : 910247e1f

Device Sleep:

        DEVSLP Exit Timeout (DETO): 70 ms (drive)

        Minimum DEVSLP Assertion Time (MDAT): 10 ms (drive)

Checksum: correct
```

----------

## frostschutz

you can try NULL (sic, capitalized) for empty password

otherwise you have to use the password you set

the risk of "bricking" your drives with those drive passwords is the reason why I never use this feature

----------

## DingbatCA

I got the drive for free because it is locked.  So if I break it, I loose nothing.  If I manage to unlock it, I get a free drive.

----------

## Cyker

If it's just a bios lock type password and the drive isn't actually encrypted, you can get special diagnostic/forensic interface cards which can access the low level bits to change/disable the drive password. I'm not sure if you can just do this with software alone tho' but I would think not because it would defeat the point of it if it was so easily disabled.

If it's one of the encrypted types then you've basically got a slightly inept doorstop...

----------

## Hu

Have you read / tested how to unlock a ssd disk with hdparm??

----------

## DingbatCA

Any other ideas/links?

```
#The master password for Toshiba drives is 32 spaces, but I have not confirmed this on SSDs.

hdparm --user-master m --security-unlock "                                " /dev/sdj

security_password: "                                "

/dev/sdj:

 Issuing SECURITY_UNLOCK command, password="                                ", user=master

SECURITY_UNLOCK: Input/output error

# hdparm --user-master m --security-unlock NULL /dev/sdj

security_password: ""

/dev/sdj:

 Issuing SECURITY_UNLOCK command, password="", user=master

SECURITY_UNLOCK: Input/output error

# hdparm --user-master u --security-unlock NULL /dev/sdj

security_password: ""

/dev/sdj:

 Issuing SECURITY_UNLOCK command, password="", user=user

SECURITY_UNLOCK: Input/output error
```

----------

## frostschutz

Do you know how it came to be locked in the first place?

Maybe there is a place that collects common passwords, by vendor, by erase tool, by malware, ...

I haven't found any authorative list, though. Apparently there is a tool that sets "idrive". There is a wiki page here that sets "Eins": https://www.thomas-krenn.com/en/wiki/SSD_Secure_Erase (and also) https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

Of course if someone set a random password none of these will work. And if the drive gives you only five tries per power cycle, brute forcing it will take quite a while. Maybe you could automate that process with an USB enclosure (that supports the ATA erase commands, verify with another drive I guess) and a USB controller that has power saving options so you can flip it off and on in software.  And then hope someone set a very short password rather than a long one...

----------

## Jaglover

If I remember correctly I read somewhere some laptops actually 'mate' with drive and to unlock it has to be put back into the very same laptop.

----------

## DingbatCA

I bought 4 of these drives, and 4 work just fine.  This 5th one was a freebie because the electronics dealer could not unlock it.

It looks like the master password has been changed. I cant find a firmware update in hopes of re-flashing it.  I have tried a few of the old dos tools like victoria, zu, atapwd, but nothing has worked.

Is all hope lost?

----------

## frostschutz

Well, it says "Master password revision code = 65534" which usually means the master password has NOT been changed. As doing so would also change the revision.

Only problem is, that doesn't mean you know whatever the vendor chooses as the master password. This could be completely random (a salted hash based on serial number and you don't know the salt). It's vendor-specific.

In theory the vendor should be able to tell you the master password if you tell them everything there is to tell about your drive (model, serial, etc.) - whether they would be willing to do so is another question...

You could contact a data recovery company and ask them if they are able to unlock, and erase such a locked drive and how much it would cost and whether it would be worth it to you. (Assuming a data recovery company would be able to either obtain this info from the vendor directly under some kind of non-disclosure deal, or made the effort to reverse engineer it). I'd really hate supporting this business model though (same with that unlock software that costs 50 bucks).

There should always be a way to unbrick a drive (at the cost of erasing data) unfortunately this has always been a problematic side of the ata password.

Never use this feature.  :Wink: 

----------

## keet

Hashcat might work for bruteforcing it.

----------

## DingbatCA

Thought about hashcat.  After 3 tries the drive locks it's self.  Needs to be power cycled to unlock it.  No way that I can think of to acquire the encrypted password...

I emailed Toshiba, again, asking specifically for the unlock/master password. We will see.

----------

## DingbatCA

From Toshiba "Toshiba does not have unlock your drive . We do not have unlock code / master password that can unlock your drive."

I have a brick!

----------

## NeddySeagoon

DingbatCA,

Well, that leaves the JTAG interface but it will be a lot of work because it won't be documented.

----------

## DingbatCA

I am not against going in through JTAG/Serial. ;-)

There are some exposed pads on the bottom...

https://www.tweaktown.com/image.php?image=imagescdn.tweaktown.com/content/6/6/6684_04_toshiba_hg6_thnsnj512gcsu_enterprise_ssd_review_full.jpg

If, and it's a big if, I can acquire a console type connection, what would a I do from there? I am guessing/hoping there is some kind of simple command line where I can directly interface with the drive using ata commands?

----------

## NeddySeagoon

DingbatCA,

JTAG is a test interface.

It is serial but it won't give you a console.  

During manufacture, it the way the device is tested and firmware uploaded.

----------

## frostschutz

Last time I tried to do something with JTAG/Serial (recovering a bricked ereader) it was a complete failure so I certainly will be unable to help.

If you find out anything, please keep us updated too.   :Smile: 

----------

## DingbatCA

Pure JTAG is out of my skill set.  I think this is where I throw in the towel.  :-(

----------

## frostschutz

I guess this won't work for an already locked drive either?

https://github.com/Drive-Trust-Alliance/sedutil/blob/master/linux/PSIDRevert_LINUX.txt

https://github.com/Drive-Trust-Alliance/sedutil/wiki/PSID-Revert

Sounds hopeful actually - see if your drive supports it.

----------

## DingbatCA

All hope is lost, or at least for my skill set.  After a ton of googling I found that the extra 4 pins along side the SATA connection are a debug port.  I ordered in a serial TTL adapter and was able to test it out on an old Toshiba laptop drive.  I got a VERY simplistic console.  Then I jacked into the SSD and go nothing.  I also tried a known good SSD, same model, nothing.  I would guess the debug port has changed it's protocol in the last 15 years. ;-)  

End of this adventure...  Locked SSD has been placed on my scrap pile. :-(

----------

