Unlocking a password-protected hard disk

TL;DR: Recovering data from a password-protected SATA hard disk that was locked by a Thinkpad

I wish this post were as generally valid as the title suggests; at this hour I’m just unspeakably glad to have unlocked a hard disk I didn’t even know I had locked, and I can finally go to bed.

What happened?

I enabled password protection in the Thinkpad BIOS, believing that it’s “just” a UI thing. If the laptop ever broke down, I’d be able to salvage the disk, install it in a new computer, worst case re-enter the password, and all would be good. Until said Thinkpad broke down.

I removed the hard disk from the dead Thinkpad and connected it via USB to a different computer, which couldn’t read it. Weirdly enough, none of the recovery tools I tried would find even a trace of data on the disk, not even a partition table. At that point it dawned on me that the BIOS password must have activated the SATA protection feature of the disk.

Trying out stuff

These two [1] posts [2] helped unlock the hard disk after a few tries. I don’t think any of this will work over USB because of the low-level SATA interactions. I installed the hard disk (/dev/sdb) in a Linux NAS where I had root access.

First let’s see if the drive is indeed locked:

hdparm -I /dev/sdb
...
 supported
 enabled
 not locked
 not frozen
 not expired: security count

A naive

hdparm --security-disable mypassword /dev/sdb

of course didn’t work. The reason is that Thinkpads transform the password so it’s not stored in clear text. Jethro Beekman wrote a Ruby programme [3] which encodes the password.

I cloned his repository:

git clone https://github.com/jethrogb/lenovo-password.git
cd lenovo-password

(alternatively download the ZIP, extract)

Next I installed Ruby:

sudo apt install ruby

Then I followed the instructions, not really knowing what I was doing:

sudo hdparm --Istdout /dev/sdb > sdb.ata_identify
P="$(ruby pw.rb sdb.ata_identify)"
sudo hdparm --security-unlock "$P" /dev/sdb
sudo hdparm --security-disable "$P" /dev/sdb
sudo partprobe /dev/sdb

After that, the hard disk was visible again and could be mounted over a USB cable.
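
A pre-flight check for the hdparm -I step above, as an added example that is not from the original post or from lenovo-password: it parses the Security section and only reports an unlock attempt as sensible when the drive is enabled, locked, not frozen and the attempt counter has not expired (a frozen or expired drive rejects security commands until it is power-cycled). The function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example. Real use: sudo hdparm -I /dev/sdb | ata_security_state

# Read `hdparm -I` output on stdin and print the security flags on one line.
# Lines are whitespace-normalised first, so "not<TAB>locked" is never
# mistaken for "locked" the way a plain `grep locked` would be.
ata_security_state() {
    awk '
        /^Security:/ { insec = 1; next }
        # The section ends at the next non-indented line.
        insec && /^[^ \t]/ { insec = 0 }
        insec {
            line = $0
            gsub(/[ \t]+/, " ", line); sub(/^ /, "", line); sub(/ $/, "", line)
            if (line == "supported")    sup = 1
            else if (line == "enabled") en = 1
            else if (line == "locked")  lk = 1
            else if (line == "frozen")  fr = 1
            else if (line ~ /^expired: security count/) ex = 1
        }
        END {
            printf "supported=%d enabled=%d locked=%d frozen=%d expired=%d\n",
                   sup, en, lk, fr, ex
        }'
}

# Exit status 0 only when sending --security-unlock can succeed at all.
unlock_is_sensible() {
    state=$(ata_security_state)
    case "$state" in
        *"enabled=1 locked=1 frozen=0 expired=0") return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample shaped like the Security section of a locked drive.
sample_locked() {
    printf 'Security: \n\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n\t\tenabled\n\t\tlocked\n'
    printf '\tnot\tfrozen\n\tnot\texpired: security count\n'
    printf 'Checksum: correct\n'
}

sample_locked | ata_security_state
```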

Thanks go to users MegaBrutal and jethrogb.

Resources

[1] Disable HDD password when master password is unknown
https://forum.hddguru.com/viewtopic.php?f=1&t=32046

[2] Lenovo ThinkPad HDD Password
https://jbeekman.nl/blog/2015/03/lenovo-thinkpad-hdd-password/

[3] lenovo-password
https://github.com/jethrogb/lenovo-password

2 thoughts on “Unlocking a password-protected hard disk”

  1. Thank you.

    In my case I issued a master password via hdparm. After reboot, the Thinkpad wanted the password (fine). But as you write, ThinkPad adds “salt”. Although I typed the correct password, access was denied.

    So the solution for me (worked via USB!) was

    hdparm --security-unlock MYPASS /dev/sdb
    hdparm --security-disable MYPASS /dev/sdb

    Fun fact: Windows managed to see the disk. They know the master passwords from manufacturers? I wanted the data, so I didn’t format. Something to test in future.
