Remove OPAL (--revertnoerase) Fails #304

Open
mabachel opened this issue Oct 4, 2019 · 2 comments
mabachel commented Oct 4, 2019

Hi,

I use a Samsung SSD 850 EVO 500GB (EMT02B6Q) as my only system drive and have it encrypted with sedutil 1.15.1 since a few years now. Today I wanted to remove OPAL in order to switch to a more recent version (https://github.com/ladar/sedutil or https://github.com/ChubbyAnt/sedutil) of sedutil. Looking at the wiki I found the "Remove OPAL" section which instructs you to run sedutil-cli --revertnoerase {Admin1Password} {drive}.

Thus I booted the RESCUE64.img and ran the command, which FAILED:

sedutil-cli --revertnoerase MySIDPassword /dev/sdb
method status code FAIL
Command failed

In order to track the issue down I ran the command again with the highest verbosity:

sedutil-cli -vvvvv --revertnoerase MySIDPassword /dev/sdb
method status code FAIL
Command failed

And I did a query of the drive afterwards:

sedutil-cli --query /dev/sdb
/dev/sdb ATA Samsung SSD 850 EVO 500GB                EMT02B6Q MySerialNumber     
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = Y, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = Y, MediaEncrypt = Y
Geometry function (0x0003)
    Align = N, Alignment Granularity = 1 (512), Logical Block size = 512, Lowest Aligned LBA = 0
Opal V1.0 function (0x0200)
Base comID = 0x1004, comIDs = 1
SingleUser function (0x0201)
    ALL = N, ANY = N, Policy = Y, Locking Objects = 9
DataStore function (0x0202)
    Max Tables = 9, Max Size Tables = 10485760, Table size alignment = 1
OPAL 2.0 function (0x0203)
    Base comID = 0x1004, Initial PIN = 0x0\00, Reverted PIN = 0x0\00, comIDs = 1
    Locking Admins = 4, Locking Users = 9, Range Crossing = N

TPer Properties: 
  MaxComPacketSize = 66048  MaxResponseComPacketSize = 66048
  MaxPacketSize = 66028  MaxIndTokenSize = 65540  MaxPackets = 1
  MaxSubpackets = 1  MaxMethods = 1  MaxAuthentications = 5
  MaxSessions = 1  MaxTransactionLimit = 1  DefSessionTimeout = 0

Host Properties: 
  MaxComPacketSize = 2048  MaxResponseComPacketSize = 2048
  MaxPacketSize = 2028  MaxIndTokenSize = 1992  MaxPackets = 1
  MaxSubpackets = 1  MaxMethods = 1

Please help me out if I do something wrong or update the source if it's a real BUG.
Thanks and let me know if further testing is needed.

oom-is commented Oct 7, 2019

I'm definitely not capable of gleaning much from the verbose debug output but I'll make some suggestions based on what I've seen in testing with some other drives. (The only SED Samsung drive I have is an M.2 NVME 970 EVO, and I've not yet spent any time testing sedutil against it as it's the main drive in my primary Win10 PC. There's support for windows_nvme in the @lukefor and @ChubbyAnt forks that I'm building into my working codebase but I haven't tested it beyond --scan/--query).

When you say that you "have it encrypted with sedutil 1.15.1 since a few years now" - are you 100% sure that you encrypted it with the stock sedutil 1.15.1 which you downloaded in pre-compiled form from this site? Or is there any chance you used an older binary or one that came as part of a Linux distro? Not saying that's the problem, just verifying that we're troubleshooting the same understood and bounded problem.

Second: If you can't unlock the drive to be able to write to it, then I'm not surprised that you can't do the --revertnoerase. Your --query output shows the drive as Locked: Y. Could you please try to use the same sedutil-cli binary on the RESCUE64 image to perform the command
sedutil-cli --setlockingrange 0 rw <yourpassword> /dev/sdb
and help confirm that you actually are using the correct passphrase and a compatible keyboard mapping? (That command, if run successfully, will unlock your /dev/sdb SED. If that command fails too, then there is very likely a keyboard mismatch or the wrong passphrase.)

Third: If you really really want to change NOW to a newer "more better" version of sedutil, I would suggest that you back up the contents of that drive to something else, and then use the PSID unlock function. Sedutil-cli has one, and the Samsung Magician software has an equivalent implementation (as do SeaTools for Seagate SEDs, and Micron Storage Executive for Micron/Crucial drives). NOTE that the PSID unlock is also known as "crypto erase" as it WILL wipe out 100% of the data on the disk. This is a Feature Not A Bug but please back up your data first. The good news is that the PSID is designed that way because it should always be possible to get a drive usable again, if there is no other way to decrypt/unlock/recover. While testing some things I've been using PSID unlock 3-4 times per day lately....

Good Luck Have Fun.
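
The check suggested in the comment above (look at the Locked flag in the --query output before trying --revertnoerase), written as a shell pre-flight. This is an added example, not part of the original thread or of sedutil; the function names locking_field and revert_preflight are hypothetical, and the sample text is copied from the query output posted in this issue.

```shell
#!/bin/sh
# Added example: read `sedutil-cli --query` text and report whether the drive
# is still locked before a --revertnoerase attempt is made.

# Sample input: two sections copied from the query output posted in this issue.
SAMPLE_QUERY='Locking function (0x0002)
    Locked = Y, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = Y, MediaEncrypt = Y
Geometry function (0x0003)
    Align = N, Alignment Granularity = 1 (512), Logical Block size = 512, Lowest Aligned LBA = 0'

# locking_field NAME: read query text on stdin and print the Y/N value of NAME
# from the line after the "Locking function" header (nothing if not found).
locking_field() {
    awk -v want="$1" '
        /^Locking function/ { in_sec = 1; next }
        in_sec {
            n = split($0, pairs, ",")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
                if (kv[1] == want) print kv[2]
            }
            exit
        }'
}

# revert_preflight: read query text on stdin, print a verdict, and return
#   0 = drive reports Locked = N
#   1 = drive reports Locked = Y (confirm the password by unlocking first)
#   2 = LockingEnabled is not Y, or the output was not recognised
revert_preflight() {
    _q=$(cat)
    _locked=$(printf '%s\n' "$_q" | locking_field Locked)
    _enabled=$(printf '%s\n' "$_q" | locking_field LockingEnabled)
    if [ "$_enabled" != "Y" ]; then
        echo "LockingEnabled is not Y, or the query output was not recognised"
        return 2
    fi
    if [ "$_locked" = "Y" ]; then
        echo "Locked = Y: try --setlockingrange 0 rw first to confirm the password"
        return 1
    fi
    echo "Locked = N: the drive is unlocked"
    return 0
}

# Real use: sedutil-cli --query /dev/sdb | revert_preflight
printf '%s\n' "$SAMPLE_QUERY" | revert_preflight || true
```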

mabachel commented Oct 8, 2019

Thanks @oom-is for your time.

  1. I used the precompiled version from here.
  2. I was / am unable to unlock the drive. There are no uncertainties with keyboard layouts.

The solution can be found here: ChubbyAnt#4 (comment)

Issue can be closed if the Documentation / Wiki is updated.
