Hacking A Code-protected Hard Disk

Our friend [Sprite_TM] took a look at the security of a code-protected hard disk. The iStorage diskGenie is an encrypted USB hard drive that has a keypad for passcode entry. After cracking it open he found that the chip handling the keypad is a PIC 16F883 microcontroller. He poked and prodded at the internals and found some interesting stuff. Like the fact that there is an onboard LED that blinks differently based on the code entered; one way for the right code, another for the wrong code of the right number of digits, and a third for a wrong code with the wrong number of digits. This signal could be patched into for a brute force attacking but there’s a faster way. The microcontroller checks for the correct code one digit at a time. So by measuring the response time of the chip an attacker can determine when the leading digit is correct, and reduce the time needed to crack the code. There is brute force protection that watches for multiple incorrect passwords but [Sprite_TM] even found a way around that. He attached an AVR chip to monitor the PIC response time. If it was taking longer than it should for a correct password the AVR resets the PIC before it can write incorrect attempt data to its EEPROM. This can be a slow process, but he concluded it should work. We had fun watching the Flash_Destroyer hammer away and we’d like to see a setup working to acquire the the code from this device.

26 thoughts on “Hacking A Code-protected Hard Disk

  1. Hm… I really wonder how it actually locks the data. If it doesn’t transparently encrypt that – it’s useless. You can:
    1. Replace a controller board with the one from the same, but unprotected drive
    2. Are we able to dump the firmware/eeprom?
    3. Is there a signal from pic that actually tells the other circuitry that a correct password has been entered? If so the crack will be ‘solder a wire from Vcc to pass_ok_pad’

  2. Hmm If i remember correctly, there is a way to reset the internal code protection fuses and just read back the code. Involves etching away the packaging and using an UV light at the correct angle to hit the fuses. Any one remember the article that went over this?

  3. “When you want to unlock the disk, you get 50 tries. After that, you have to enter a special code (described in the manual) and then you can try for another 50 times. After that, the disk locks up and you can only reset it, erasing all the data on the disk.”

    So, after 99 tries just swap the disk to something not-so-important and then the device erases it. You get 100 new tries?

  4. @Just me

    He doesn’t go into details about the reset when you reach the max tries (100), but I would bet that it just erases the key from the PIC rather than actually doing anything to the HDD.

    So swapping HDDs wouldn’t do anything.

  5. Awesome, this is very similar to the “timing attack” which was used a while back on older Xbox 360’s (before the JTAG exploit) to downgrade the console to the base 1888 kernel. It worked by attaching a microcontroller to the 360’s motherboard to monitor the POST codes, and bruteforcing one of the bootloader’s authorization keys (which the 360 checked one byte at a time) by measuring the time it took to get a “fail” code. MS soon fixed that with an update of course

  6. Hi, I was going to purchase one of these. I admit I do not know what most of you are talking about, have you hacked into this unit or are you saying it is possible? There is a difference.

  7. @JustMe, it was explained in the article. The Pic generates a lockkey based on a new password/hd. It sends that lockkey to the encryption micro, which generates a encryption key based on that to encrypt everything on the HD. Once a password has be rendered useless by the 100 tries, the pic and encryption micro generate new lock keys.

    Switching the harddrive out when the 100 tries are up and putting it back in, even with the new, correct password, the key the encryption micro is trying to decode the harddrive data with would be different.

    TL;DR version, it won’t work, Sprite TM has tried it.

  8. @hans PICs are just another tool, not all problems are nails, and not all tools are hammers; so yeah, like if your problem calls for a legacy microcontroller that only executes an instruction every fourth clock cycle (or less), and has less features than all of it’s competitors… or maybe you just need to pound in a few nails… PIC is definitely your tool.

  9. @Atomic Dirt Bike
    “has less features than all of it’s competitors…”
    now give some examples in details…
    It just funny to watch how people reference to something they haven’t touch and information is so outdated, stop comparing oldest chip family to modern ones, why don’t you compare 18f instead of 16f. Its PIC’s strong advantage that they so diverse and yes there is very low level devices variations also Microchip usually don’t discontinue its oldest chips

  10. Nice article, i have exactly this disk and jep i lost my key… only know the last few digits.
    Is there any way to get the rest without the method above? I have no idea what exactly he did :)

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.