decrypted.img remains zero bytes in size. #134
Comments
I don't know much about the program, but if you are willing to start from the beginning, maybe I can be useful. First, what chip is on the burned out bridge card? The square one in the middle. |
Hi Themaddoctor, and thanks for your reply. I'm happy to start from the beginning if required. I kept a copy of the first image I made that only ended up being around 300GB in size. I believe the drive itself is perfectly fine, as I have tested the SMART attributes, and have also tested sector access with Victoria, and the drive seems to be fine. |
Can you dump sectors 0, 2048, and 5860529539?
dd if=/dev/sda skip=0 count=1 | hexdump -C
Copy the output over. Do not post a screenshot. |
Sure.
00000000 33 ed a1 2f 35 91 fd 61 10 6b 0a d7 9a 70 ef 5b |3../5..a.k...p.[|
00000080 0f 68 0c 3f df 88 32 c8 4f dd 68 95 68 2f d6 14 |.h.?..2.O.h.h/..| |
sector 2048: |
and sector 5860529539: |
I have compared these to the original encrypted 3TB drive. Apologies for the formatting or otherwise, as I'm not as familiar using ubuntu, so I copied the data from terminal, then pasted the data into a text file using libre office writer... I haven't learnt the command to pipe terminal data to a file. :) |
To direct output to a file, just put
At first glance, nothing looks unusual. But it's midnight here, so I will take a closer look tomorrow afternoon |
GitHub mangled that. I should say to add the greater than symbol followed by the name of the file you want to write.
I went ahead and decrypted sector 0 and found
Disk JoshAust-3TB-SW6316-0-decrypted.bin: 512 B, 512 bytes, 1 sectors
Device Boot Start End Blocks Id System
There is a discrepancy there, because sector 2048 decrypted to the header of an NTFS filesystem. So really, the partition table uses blocks of size 4096, if my math is right.
Your key is 84f52e69f30dd2c3413c66aba92e3701623af526dec257e65f4b204580d1b266.
Tomorrow we'll talk about trying to mount the disk using a decryption routine built into ubuntu's kernel. |
Ah, thanks for that.
I'll put it all here as well for a neater version.
Sector 0:
00000000 33 ed a1 2f 35 91 fd 61 10 6b 0a d7 9a 70 ef 5b |3../5..a.k...p.[|
Sector 2048:
Sector 5860529539: |
Sorry, missed your most recent post. Re the discrepancy.... |
OK, the first thing you should do is put the original disk in a safe place. We will mess around with the copy that you made. Connect the encrypted copy to the ubuntu machine and tell me what its designation is. /dev/sda or /dev/sdb or ... |
Hi again themaddoctor. |
OK. |
If you don't have it, install with
My info is somewhat old, and ubuntu might have changed its package manager, so maybe you need to figure it out. |
"which cryptsetup" did nothing at all, just returned to the terminal line. |
Now feed your key to cryptsetup. This is all one command and should all be on one line.
echo 84f52e69f30dd2c3413c66aba92e3701623af526dec257e65f4b204580d1b266 | xxd -p -r | sudo cryptsetup -d - --hash=plain --key-size=256 -c aes-ecb create wd /dev/sdb
Check for success by doing
If you get "DOS/MBR boot sector..." then it worked. |
OK, I just tried that, by copying the line and pasting it into terminal... |
however, I re ran it and it returned: running lsblk now shows a partition? named wd under sdb. |
sudo file -s /dev/mapper/wd |
"sudo file -s /dev/mapper/wd" |
sudo file -s -L /dev/mapper/wd |
that returns: /dev/mapper/wd: DOS/MBR boot sector MS-MBR XP english at offset 0x12c "Invalid partition table" at offset 0x144 "Error loading operating system" at offset 0x163 "Missing operating system", disk signature 0x2dcc8; partition 1 : ID=0x7, start-CHS (0x0,4,5), end-CHS (0x3ff,254,63), startsector 256, 732558080 sectors |
OK. It worked. Now you need to change the partition table so that it uses 512-byte blocks, which is the standard size. Run
Fdisk is an interactive program. Use m to get help. Use d to delete the existing partition. Use n to recreate it. Use a starting block of 2048 and end block that is as large as possible. |
Use p to display the partition table. Check to see if it says sector size is 512. |
I ran it, and it threw a possible error, then a different command prompt: Then it has another different command prompt that reads: Should I continue? |
p to print the table |
I did "d" and deleted it |
default is primary. |
That explains a lot. WD used a larger block size so that block numbers would not overflow. They used a DOS partition table, but you are going to replace it with a GPT table. Use command g |
red text reports "Partition #1 contains a ntfs signature" Then prompts to remove the signature yes/no? |
NO |
OK I said no. |
g to create new GPT table |
that returns: |
n to create new partition in the new table |
when I do that, selecting the default start, 2048 and the default end 7814037134. It then asks: |
I guess so. I've never had it ask me that before. |
SORRY!!! let me rewrite that: when I do that, selecting the default start, 2048 and the default end 7814037134. It then again prompts to remove the signature... I think I've stuffed something up here... |
Use q to exit without actually writing to disk. |
done... |
We are going to try something else.
sudo losetup -o 1048576 -f /dev/dm-0
sudo losetup -j /dev/dm-0 |
first returned nothing. |
OK. Good. Try to mount it with these two commands:
sudo mkdir -p /mnt/wd
sudo mount /dev/loop12 /mnt/wd |
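The losetup offset used above (1048576) follows from the partition table's start sector 256 being counted in 4096-byte sectors, which is the same byte position as 512-byte sector 2048. The following is an added example, not code from the thread or from reallymine: it parses an MBR and tests which sector size locates the NTFS boot sector. The image is constructed in memory from the values in the `file -s` output, and the function names are hypothetical.

```python
import io
import struct

NTFS_OEM_ID = b"NTFS    "  # bytes 3..10 of an NTFS boot sector

def parse_mbr(sector0: bytes):
    """Return (type, start_lba, sector_count) for each used MBR slot."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not a (decrypted) MBR")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            parts.append((ptype, start, count))
    return parts

def find_table_sector_size(dev, start_lba, candidates=(512, 4096)):
    """Return (sector_size, byte_offset) where an NTFS boot sector is found."""
    for size in candidates:
        offset = start_lba * size
        dev.seek(offset + 3)
        if dev.read(8) == NTFS_OEM_ID:
            return size, offset
    return None

def build_sample_image():
    """Constructed stand-in for the decrypted /dev/mapper/wd device."""
    mbr = bytearray(512)
    # One entry: type 0x07, start LBA 256, 732558080 sectors (from file -s)
    struct.pack_into("<B3sB3sII", mbr, 446,
                     0, b"\0\0\0", 0x07, b"\0\0\0", 256, 732558080)
    mbr[510:512] = b"\x55\xaa"
    image = bytearray(256 * 4096 + 512)
    image[0:512] = mbr
    # NTFS boot sector sits where a 4096-byte-sector table says it should
    image[256 * 4096 + 3: 256 * 4096 + 11] = NTFS_OEM_ID
    return bytes(image)

if __name__ == "__main__":
    image = build_sample_image()
    for ptype, start, count in parse_mbr(image[:512]):
        size, offset = find_table_sector_size(io.BytesIO(image), start)
        print(f"type=0x{ptype:02x} start_lba={start} sector_size={size}")
        print(f"losetup offset={offset} (512-byte sector {offset // 512})")
        print(f"partition length={count * size} bytes")
```
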
Wow! |
No. You are ready to copy your data to the blank drive. |
Fantastic! |
You're welcome. Back up your data. Have a good night. |
I really am grateful for your help. |
That book isn't relevant to modern cryptography. But thanks. |
I have been following, and vaguely attempting to decipher the Kryptos sculpture, that is at the CIA headquarters in Langley Virginia. |
So that book, while yes, outdated for modern methods, is still very interesting. |
I have looked at it, but not for a long time. The ciphertext is very short, so that makes it very difficult. |
Yes, that seems to be the major stumbling block. Hey, do you have a paypal address? |
If you like classical crypto, you might enjoy cipherchallenge.org
I do not have paypal, but thanks anyway. |
Thank you. |
Hi.
First, thanks for this great program.
I have a 3TB Western Digital Essentials drive whose USB board has died.
I cannot seem to source one online with the same firmware, hence why I am trying reallymine instead.
I connected the drive to a PC directly via the SATA port.
The drive has zero bad sectors, pending bad sectors or reallocation events.
I ran reallymine via ubuntu and it successfully made an image of the drive overnight.
However, the image size was only a bit over 300GB in size.
I did some research, and it appears that when the drive is connected via the USB-SATA bridge, the drive appears as 4096 bytes per sector, however when directly connected to the SATA port, it appears as 512 bytes per sector (1/8 of the size).
So I assume that is why the image is approximately 1/8 of the drive's size.
So, I instead imaged the 3TB drive onto a brand new blank 4TB drive using ddrescue.
That ran overnight and came to 3TB in size, so I assume it imaged OK, as no errors were reported.
HOWEVER, when I re ran reallymine on that 4TB drive, it creates the decrypt.img file, however it remains as zero bytes, and never grows in size.
reallymine still appears to be running.
I've tried rebooting it, and re-running it, with no change.
The command I'm running is:
sudo ./reallymine decrypt /dev/sdb decrypted.img
Any help, suggestions etc greatly appreciated.