Ring ATA passwords

Bottersnike 2023-05-26 07:42:16 +01:00
parent 75926b268a
commit 9fd61d1453
Signed by: Bottersnike
SSH Key Fingerprint: SHA256:3g0ghwd4dNX1k1RX8qazbiT+3RIYn/daeBevHZVCiU0
2 changed files with 32 additions and 0 deletions

@ -32,6 +32,8 @@
<p>This can be bypassed either by extracting the password used, or by first powering on the Ring* system with the drive
connected, then hotplugging the SATA data cable on the drive while keeping the drive powered.</p>
{% markdown %}{% include relative("~ata.md") %}{% endmarkdown %}
<details>
<summary>Why does this work?</summary>
<p>The following is the sequence of possible security modes for an ATA drive:</p>
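Review bot: the `{% include relative("~ata.md") %}` line drops the derivation text in with no heading or lead-in, directly between the hotplug sentence and the "Why does this work?" details block, which reads as if that block explains the derivation instead of the hotplug bypass. Consider giving the included section a short heading or introductory sentence. The paragraph above also still says the bypass is done by "extracting the password used", while the included text shows the password can be computed from the drive's model number, so the wording there could say "deriving" or mention both routes.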

@ -0,0 +1,30 @@
The ATA key is derived in the BIOS during boot, based on the 40-byte model number of the drive provided by the ATA identify device data command (0xEC). The 32-byte password is then calculated based on the following algorithm. This algorithm is consistent between RingWide, RingEdge and RingEdge2 (thanks to Darksoft for some info here). Happy unlocking!
```py
CHARSET = bytearray(b'/-AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789')
def charset_index(x: int) -> int:
if x in CHARSET:
return CHARSET.index(x)
return 0x55
def prepare_password(model: bytes) -> bytes:
assert len(model) == 40
password = bytearray(32)
for i in range(32):
a = charset_index(model[i])
b = charset_index(model[39 - i])
if i % 2 == 0:
password[i] = (((i ^ a) & 0x1f) << 3) ^ ((b & 0x2e) >> 1)
else:
password[i] = (((i ^ b) & 0x3b) << 2) ^ ((a & 0x66) >> 1)
return password
```
Some common disks:
- `GBDriver RS2`: `7242525aba526a5aea726278ca42da4a2a223a2a0a221a2a6a027a0a5cce4a0a`
- `GBDriver RS3`: `7242525aba526a5aea726278ca42da4a2a223a2a0a221a2a6a027a0a5cce4a0a`
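Review bot: `prepare_password` asserts `len(model) == 40`, but neither the text nor the "Some common disks" list says how a 12-character name such as `GBDriver RS2` is padded to 40 bytes, and the result depends on it because padding bytes outside CHARSET fall through to `return 0x55` in `charset_index`. The listed values are consistent with right-padding using ASCII spaces (the first byte, 0x72, comes out that way), so state that next to the algorithm. The RS2 and RS3 entries are also byte-for-byte identical, which looks like a copy-paste slip; it appears to be genuine, since '2' and '3' sit at charset indices 56 and 57 and both masks applied to that position (0x66 and 0x2e) clear bit 0, but a one-line remark would save readers from second-guessing it. It would also help to say whether the model bytes are taken as the raw identify data or after the usual ATA string byte swap.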