Brute force password cracking of ATA security locked harddrives

Recently I found a x41 thinkpad in good condition, but with a locked 1.8″ drive. I google a bit and found that there is almost no chance of buying a new 1.8″ drive. So now what? I could mod the machine with SSD like this guy has done. Or I could try to crack the password of the 1.8″ drive. I’ll try the latter before I give in an mod the machine.

So how do I crack the password of a 1.8″ drive. You can buy all kinds of stuff of the internet. And lo and behold. Someone claims to be able to give you the master password if you give them some stash.

Instead of handing out my money to strangers on the internet, I read the ATA specs and tried to do it like this:

  • Realize that the drive is in maximum security mode. So you have to cycle the drive power for every X failed tries with the user password. Go for a security erase of the drive with the master password instead. Might be a harder password, but atleast I can try unlimited amount of times without the drive demanding a power cycle.

So I ended up like this

  • Download ubuntu 10.04. Create bootable usb pen.
  • pull out the drive of the x41
  • Boot the x41 of the usb pen
  • put the drive back into the x41 while ubuntu boots.
  • issue ‘echo “- – -”  >  /sys/class/scsi_host/host0/scan
  • download john the ripper from openwall together with a dictionary.
  • compile john the ripper.
  • Figure out details of the drive with hdparm -I /dev/sda
  • Execute this command: ./john –wordlist=./all –stdout | while read pass ; do hdparm –security-erase “$pass”  /dev/sda ; if [ $? -ne 5 ]; then exit 1; fi ; done > /dev/null 2>&1

Presently I brute force attack the drive with 1000 words pr. second. Might not yield anything. But atleast I tried ;-)


2 Responses to “Brute force password cracking of ATA security locked harddrives”

  1. Woland says:

    Dear Thomas,

    Thank you very much for sharing your experence. It is very interesting to me but few moments are not very clear.. I will be very appreciated for your answers.

    1. What for do you use command below and how could I deteremine that my SSD was scsnned and added?
    issue ‘echo “- – -” > /sys/class/scsi_host/host0/scan
    2. download john the ripper from openwall together with a dictionary. – What dictionary you were speaking about? There are lots of them…
    3. Looks like your step below has some errors… e.g. what is “all” and how is this command working?
    Execute this command: ./john –wordlist=./all –stdout | while read pass ; do hdparm –security-erase “$pass” /dev/sda ; if [ $? -ne 5 ]; then exit 1; fi ; done > /dev/null 2>&1

    Kind regards,

    • admin says:


      Sorry for the late reply. Busy doing other stuff.

      1. The echo statement scans the scsi bus for new devices. I could not boot the machine (IBM) with the drive attached, so I had to ‘hotplug’. This requires getting the kernel to recognize the device. Mine was attached on the scsi bus, so I scanned the first host controller, host0, to get the drive online.

      2. openwall has an all.gz wordlist that contains a list of frequently used passwords. You can use others. Some places on the net sell bigger wordlists.

      3. john is john the ripper executable. -wordlist tells john to try all the passwords in the wordlist (under the assumption that the password you are trying to crack is keyed in by a human, which normally selects one of the few million most frequently used passwords; we humans are not as creative as we think). The rest of the program basically get john to try the passwords one by one and then feed them (with -stdout) one by one to the loop, which then tries them one-by-one against the hdd using hdparm. It will exit when hdparm returns something different (-not-equal -ne) than 5.

Leave a Reply

You must be logged in to post a comment.