Software to wipe a systemdrive from Windows?


164 replies to this topic

#126 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7,763 posts

Posted 20 January 2011 - 07:37 PM

"frozen" is not really a "technical" term,

You might want to consult your crystal ball on that again.

#127 Sadeghi85

Sadeghi85

    Newbie

  • Members
  • 15 posts
  •  
    Iran

Posted 20 January 2011 - 07:39 PM

So OS freezes drive and without knowing pwd we cannot unfreeze it???


"frozen" means you can't set a password and without setting a password first, you can't issue the Secure Erase command.
"locked" means a password has been set and you need to know the password to unlock the drive.


A possible solution for SATA drives is hot-(re)plug the data cable (this might crash your kernel). If hot-(re)plugging the SATA data cable crashes the kernel try letting the operating system fully boot up, then quickly hot-(re)plug both the SATA power and data cables.

It has been reported that hooking up the drive to an eSATA SIIG ExpressCard/54 with an eSATA enclosure will leave the drive security state to "not frozen".

Placing my system into "sleep" (Clevo M865TU notebook) worked too---and this may reset other drives to "not frozen" as well.


https://ata.wiki.ker...t_frozen.22.29:


I've tried removing the power cable while the data cable was connected and it worked. (I've only tried hdparm in Linux)


Edit: MedEvil beat me to it!

Edited by Sadeghi85, 20 January 2011 - 07:45 PM.


#128 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 10,600 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 20 January 2011 - 07:59 PM

@Medevil
I see that my attempts at humour are not much appreciated (or maybe understood :dubbio:). :(

From the same page :whistling::

I shut down the system, reconnected the drive to the SATA controller, and found that the drive was bricked - BIOS couldn't recognize it. I will update this warning if I find a way to un-brick the drive.


I simply love the term "bricked" as exemplified by this nice image:
http://www.mapleleaf...agatebrick.html

Now, seriously this time, there are at least THREE "bad" conditions:
  • locked
  • frozen
  • bricked ;) (which basically means "something else from the above two" but still completely UNLIKE functional)
Since the procedure to unfreeze a frozen drive is given still on that same page, and I hold steve6375 in the highest esteem, presuming that he already tried to unfreeze the drive with the given procedures, I tried to cheer him up a bit with the "bricked" term.... :ph34r:

:cheers:
Wonko

#129 cdob

cdob

    Silver Member

  • Expert
  • 974 posts

Posted 20 January 2011 - 08:13 PM

When I type this in (under Win7 32Bit) I get: Permission denied
Any idea, who denied the permission?

Hdparm.exe does run at Windows 7 32Bit.
Hard disk is accessible, admin permissions are required.
Remember an admin may not have admin permissions.


"frozen" is not really a "technical" term

It's a "technical" term relating to ATA security settings.
A BIOS may freeze ATA security: an application can't set a password.

Some BIOSes offer an "ATA Vulnerability Protection" setting.
This allows the end user to freeze or not freeze the hard disk.
http://uk.ts.fujitsu...D2030/D2030.htm

Other BIOS freeze hard disk without user setting.

#130 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7,763 posts

Posted 20 January 2011 - 08:36 PM

Hdparm.exe does run at Windows 7 32Bit.
Hard disk is accessible, admin permissions are required.
Remember an admin may not have admin permissions.

I can install drivers without problems.
If there is some special voodoo to do, to get Win7 to grant the special admin rights hdparm needs, I'm all ears.

:dubbio:

#131 steve6375

steve6375

    Platinum Member

  • Developer
  • 5,270 posts
  • Location:UK
  • Interests:computers (!), programming (masm,vb6,C,vbs), OSes, photography,TV,films,guitars
  •  
    United Kingdom

Posted 20 January 2011 - 08:45 PM

Spec says...

4.18.4 Frozen Mode
The SECURITY FREEZE LOCK command prevents changes to all Security states until a following power-on reset or hardware reset. The purpose of the SECURITY FREEZE LOCK command is to prevent password setting attacks on the security system.

So just removing SATA data cable will do no good. It must be power cable. My guess is that winpe v2 sends freeze command when it mounts a physical unit. So Vista/Win7 will do the same. Secure Erase cannot be issued if drive is in frozen state.

Disconnecting power under DOS clears the frozen state but not under WinPE v2.

Switching off and then booting from USB to DOS seems to unfreeze - so maybe my BIOS does not send freeze command after all (I was in Windows 7 before and did a warm reset to boot from UFD to DOS).

#132 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 10,600 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 20 January 2011 - 08:53 PM

May I ask which version of hdparm has been tested? :whistling:

Coming from where? :dubbio:

:ph34r:
Wonko

#133 steve6375

steve6375

    Platinum Member

  • Developer
  • 5,270 posts
  • Location:UK
  • Interests:computers (!), programming (masm,vb6,C,vbs), OSes, photography,TV,films,guitars
  •  
    United Kingdom

Posted 20 January 2011 - 09:13 PM

I used the windows version installed by hdparm-6.9-20070516.win32-setup.exe
http://hdparm-win32.dyndns.org/hdparm/

Here is output (attached file) which I got under WinPE using -I (capital I)

Here is output under Win 7 32-bit (different system) using lower case -i

> hdparm -i /dev/sda

/dev/sda:

 Model=TOSHIBA MK3265GSX, FwRev=GJ002J, SerialNo=           209DF02DS
 Config={ Fixed }
 RawCHS=16383/16/63, TrkSize=0, SectSize=0, ECCbytes=0
 BuffType=unknown, BuffSize=8192kB, MaxMultSect=16, MultSect=off
 CurCHS=16383/16/63, CurSects=16514064, LBA=yes, LBAsects=268435455
 IORDY=on/off, tPIO={min:120,w/IORDY:120}, tDMA={min:120,rec:120}
 PIO modes:  pio0 pio1 pio2 pio3 pio4
 DMA modes:  sdma0 sdma1 sdma2 mdma0 mdma1 mdma2
 UDMA modes: udma0 udma1 udma2 udma3 udma4 *udma5
 AdvancedPM=yes: unknown setting WriteCache=enabled
 Drive conforms to: Unspecified:  ATA/ATAPI-3 ATA/ATAPI-4 ATA/ATAPI-5 ATA/ATAPI-6 ATA/ATAPI-7

 * signifies the current active mode

I get similar output using -I under Win 7 - end of output is:

Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
        96min for SECURITY ERASE UNIT. 96min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct


#134 cdob

cdob

    Silver Member

  • Expert
  • 974 posts

Posted 20 January 2011 - 10:58 PM

If there is some special voodoo to do, to get Win7 to grant the special admin rights hdparm needs

I right click cmd.exe and select run as admin.


Given an Intel D845PESV and a Win PE 3 boot.wim loaded from internal hard disk to RAM.

E:\hdparm\bin>hdparm -I /dev/hda

Security:
Master password revision code = 65534
supported
not enabled
not locked
frozen
not expired: security count
not supported: enhanced erase

BIOS and / or OS freeze ATA security setting.
BIOS doesn't offer a setting to set ATA security.

Power cable disconnected and reconnected:

Security:
Master password revision code = 65534
supported
not enabled
not locked
not frozen
not expired: security count
not supported: enhanced erase

Hard disk is not frozen anymore.


BartPE XP SP2 booted: frozen
Power cable disconnected and reconnected: not frozen

Brute force:
Windows 7 booted from hard disk.
This hard disk power cable disconnected and reconnected.
Keyboard and mouse don't respond anymore.
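
An added example, not part of the original posts: a Python pre-flight check that parses the "Security:" section of `hdparm -I` output like the listings quoted above and reports what would block a Secure Erase. The sample text is constructed from the thread's output, and the function names are hypothetical.

```python
import re

# Constructed samples modelled on the hdparm -I "Security:" sections quoted in
# the thread; indentation varies because forum software strips it.
SAMPLE_FROZEN = """Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
Checksum: correct
"""
SAMPLE_THAWED = """Security:
Master password revision code = 65534
supported
not enabled
not locked
not frozen
not expired: security count
not supported: enhanced erase
"""

# A flag line is an optional "not", one flag word, and optionally the
# ": enhanced erase" suffix; anything else in the section is ignored.
FLAG_LINE = re.compile(
    r"^\s*(not\s+)?(supported|enabled|locked|frozen)(:\s*enhanced erase)?\s*$")


def parse_security(hdparm_output):
    """Map each ATA Security flag in `hdparm -I` text to True/False."""
    state, in_section = {}, False
    for line in hdparm_output.splitlines():
        if line.strip() == "Security:":
            in_section = True
        elif in_section and line.startswith("Checksum"):
            break
        elif in_section:
            m = FLAG_LINE.match(line)
            if m:
                key = "enhanced_erase" if m.group(3) else m.group(2)
                state[key] = m.group(1) is None
    if not in_section:
        raise ValueError("no 'Security:' section in input")
    return state


def erase_blockers(state):
    """List reasons a Secure Erase cannot be started; empty list means none."""
    blockers = []
    # Fail closed: a flag that was not reported counts as a blocker.
    if not state.get("supported", False):
        blockers.append("ATA Security not reported as supported")
    if state.get("locked", True):
        blockers.append("locked: the existing password is needed to unlock")
    if state.get("frozen", True):
        blockers.append("frozen: needs a power-on or hardware reset")
    return blockers


if __name__ == "__main__":
    for name, text in (("frozen", SAMPLE_FROZEN), ("thawed", SAMPLE_THAWED)):
        print(name, erase_blockers(parse_security(text)))
```
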

#135 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7,763 posts

Posted 21 January 2011 - 03:01 PM

I right click cmd.exe and select run as admin.

Hey that worked. Thanks cdob!
Still can't believe, how stupid Win7 works. I'm logged in as admin, but still cmd is not started with admin rights. :cheers:

Anyway, security is frozen too.
So at least your worries about someone exploiting those HDD features seem to be without substance, as it seems the ss are frozen for everyone.

One would think, that if the BIOS freezes the security settings, it would only be logical, that a secure wipe can be initiated from it too. But there is no such setting, nor is there one, to tell to not freeze the ss.

:cheers:

#136 steve6375

steve6375

    Platinum Member

  • Developer
  • 5,270 posts
  • Location:UK
  • Interests:computers (!), programming (masm,vb6,C,vbs), OSes, photography,TV,films,guitars
  •  
    United Kingdom

Posted 21 January 2011 - 08:19 PM

as the drive was not frozen when I cold booted to DOS (booting to USB from OFF), maybe BIOS (or at least my DQ45CB Intel BIOS) does not send freeze command, just windows + winpe v2 and v3?

#137 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 10,600 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 22 January 2011 - 09:04 AM

Brute force:
Windows 7 booted from hard disk.
This hard disk power cable disconnected and reconnected.
Keyboard and mouse don't respond anymore.


..and anyway, since the general idea was that it was more handy for less experienced peeps, it wouldn't be practical.

Semi-random idea #1 :diablo::
What really happens when hibernating?

Like Hibernate->HD power cable disconnected and reconnected->Resume?

Semi-random idea #2 :):
What would happen with a scheduled task (schtasks or the like)?
Like set the task to 2 minutes in the future->HD power cable disconnected and reconnected->Wait?

Still no tests with PE v 1.x/2K/XP? :)

Addition:
XP Embedded HORM:
http://msdn.microsof...ibrary/Dd143253
(@Medevil: an idea for "InstantOn Os"?)
A .ppt with a few interesting points:
http://mcuol.com/dow..._Mode_setup.ppt

:cheers:
Wonko

#138 cdob

cdob

    Silver Member

  • Expert
  • 974 posts

Posted 24 January 2011 - 11:01 PM

Let's investigate:

Hard disk: ST360015A

BartPE XP SP2
D845 PEVS / BIOS with ATA security
ICH4 / PCI\VEN_8086&DEV_24CB&CC_0101
pciide.sys 5.1.2600.0
frozen

BartPE XP SP3
D845 PEVS / BIOS with ATA security
pciide.sys 5.1.2600.0
frozen

BartPE XP SP2
D845 PEVS / BIOS with ATA security
Ultra100 TX2 / ultra.sys 1.43
not frozen

BartPE XP SP3
D845 PEVS / BIOS with ATA security
Ultra100 TX2 / ultra.sys 1.43
not frozen

BartPE XP SP2
K6XV3+ / BIOS from 2001
PCI\VEN_1106&DEV_0571&CC_0101
viaide.sys 5.00.1636.1
not frozen

BartPE XP SP3
K6XV3+ / BIOS from 2001
viaide.sys 5.00.1636.1
frozen

BartPE XP SP2
TXP4-X / BIOS http://web.inter.nl....rink/k6plus.htm
TX chipset / K6-III / 128MB single sided SDRAM 16Mx8
atapi.sys 5.1.2600.2180
intelide.sys 5.1.2600.2180
not frozen

BartPE XP SP3
TXP4-X
atapi.sys 5.1.2600.5512
intelide.sys 5.1.2600.5512
frozen

BartPE XP SP3 / SP2 atapi.sys
TXP4-X
atapi.sys 5.1.2600.2180
intelide.sys 5.1.2600.5512
not frozen


Summary:
A BIOS may freeze ATA security.
Or a driver freezes ATA security: e.g. XP SP3 atapi.sys
This refers to an IDE (emulation) mass storage controller.

Unknown:
Which Longhorn, Vista or 7 driver sets ATA Security freeze?
What about an additional (not attached to motherboard) mass storage controller?

Because of BIOS and OS:
almost all hard disks are security frozen at running XP and later.
Wiping a systemdrive is a challenge from Windows.

#139 steve6375

steve6375

    Platinum Member

  • Developer
  • 5,270 posts
  • Location:UK
  • Interests:computers (!), programming (masm,vb6,C,vbs), OSes, photography,TV,films,guitars
  •  
    United Kingdom

Posted 24 January 2011 - 11:49 PM

Good work :happy_dance:
But it may be the Windows driver that freezes the drive rather than the BIOS. Could you test one or two using DOS (switch off - switch on - boot to DOS from USB - run HDDErase which will report status before it will ask last Q to wipe the drive), e.g. K6XV3+ / BIOS from 2001

A BIOS may freeze ATA security.

If the BIOS freezes the drive then that drive should always be frozen regardless of what OS is booted - but your results show each system boots as unfrozen to at least one OS - therefore it does not look like the BIOS is freezing the drive ever (at least on the systems you tested)???

#140 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 10,600 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 25 January 2011 - 10:22 AM

Maybe a test with UNIATA would be advisable?

http://alter.org.ua/soft/win/uni_ata/

(at least in it we have the source and removing the whatever freezes the disk should be possible)

:rofl:
Wonko

#141 cdob

cdob

    Silver Member

  • Expert
  • 974 posts

Posted 25 January 2011 - 03:26 PM

But it may be the Windows driver that freezes the drive rather than the BIOS.

Yes, that's true and has been proved already:
XP SP3 atapi.sys freezes hard disk security.

Ultra.sys and iastor.sys (refers to Post #93 example) don't freeze hard disk security.
I expect no hardware manufacturer driver freezes ATA security.

Link again from #93 http://social.techne...1c-8693be591caf

You have described a functioning feature of Windows Vista that was backported to Windows XP SP3 and pulled into Windows 7.

This is working as designed with the MS stack.


Assumption 1: Vista and 7 atapi.sys (MS stack) freeze hard disk security.
Assumption 2: Longhorn atapi.sys doesn't freeze hard disk security.

There is another hint: IDENTIFY_DEVICE_DATA Structure refers "SecurityLocked"
http://msdn.microsof...6(v=vs.85).aspx

Maybe a test with UNIATA would be advisable?

Or use XP SP2 atapi.sys at XP SP3.
Or try Longhorn atapi.sys at Windows 7.

#142 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7,763 posts

Posted 25 January 2011 - 11:28 PM

So the only way to have an easy to use tool for noobs would be, to have an installer, which:
- lets the user make all selections in a GUI.
- writes a ramloading DOS, which can also start from a NTFS partition, to the HDD with previously chosen settings
- Enter it into the bootmanager (exchange the bootmanager?)
- Reboot and does the wipe

Any other or better ideas?

:)

#143 Peterm

Peterm
  • Members
  • 4 posts
  •  
    Australia

Posted 26 January 2011 - 01:20 AM

Sorry if this topic is old
Since there is a floppy drive why not write a batch file that runs fdisk and fills in all the prompts.
Insert floppy disk turn on computer and it will do it all for you.
Cheers
peterm

#144 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 10,600 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 26 January 2011 - 07:40 AM

Sorry if this topic is old
Since there is a floppy drive why not write a batch file that runs fdisk and fills in all the prompts.
Insert floppy disk turn on computer and it will do it all for you.
Cheers
peterm

And you pretend to use fdisk to wipe a drive in a secure manner? :w00t: :)
...and no, the general idea is without a "real" floppy drive.

:)
Wonko

#145 steve6375

steve6375

    Platinum Member

  • Developer
  • 5,270 posts
  • Location:UK
  • Interests:computers (!), programming (masm,vb6,C,vbs), OSes, photography,TV,films,guitars
  •  
    United Kingdom

Posted 26 January 2011 - 08:06 AM

So the only way to have an easy to use tool for noobs would be, to have an installer, which:
- lets the user make all selections in a GUI.
- writes a ramloading DOS, which can also start from a NTFS partition, to the HDD with previously chosen settings
- Enter it into the bootmanager (exchange the bootmanager?)
- Reboot and does the wipe


:)

by 'reboot' you mean 'cold reboot' (switch off and on again). pretty much what my kludge of grub4dos and HDDErase does then...

#146 cdob

cdob

    Silver Member

  • Expert
  • 974 posts

Posted 26 January 2011 - 06:40 PM

to have an easy to use tool for noobs

Can a noob open a machine, boot an OS, disconnect running hard disk cable and reconnect again?
This can include hot plug without manufacturer support.

#147 steve6375

steve6375

    Platinum Member

  • Developer
  • 5,270 posts
  • Location:UK
  • Interests:computers (!), programming (masm,vb6,C,vbs), OSes, photography,TV,films,guitars
  •  
    United Kingdom

Posted 26 January 2011 - 10:00 PM

No need to disconnect??? Have we found a BIOS yet that you have to disconnect the drive - i.e. that freezes the drive before it boots to MSDOS?

  • Switch off system - switch on system
  • Boot to DOS
  • Run HDDErase


#148 cdob

cdob

    Silver Member

  • Expert
  • 974 posts

Posted 26 January 2011 - 10:51 PM

Have we found a BIOS yet that you have to disconnect the drive - i.e. that freezes the drive before it boots to MSDOS?

I don't know.

Manufacturer opinion http://cmrr.ucsd.edu...EraseReadMe.txt

- If the system BIOS executes a "security freeze lock" command upon drive
detection HDDerase attempts to bypass this. A hard reboot is required if the
attempt is successful. Afterwards HDDerase should be run once more and the
drive should not be in a frozen state. HDDerase will not attempt to bypass if
a HPA is set.
NOTE: This internal method may not work on all drives (MAXTOR drives for sure)
and the FAQ should be checked for other methods to bypass the BIOS freeze lock.


What about hard disks at RAID configuration?
Does HDDerase find single hard disks?

#149 steve6375

steve6375

    Platinum Member

  • Developer
  • 5,270 posts
  • Location:UK
  • Interests:computers (!), programming (masm,vb6,C,vbs), OSes, photography,TV,films,guitars
  •  
    United Kingdom

Posted 22 February 2011 - 03:31 PM

Can you really sanitize an SSD or UFD?

Interesting paper here http://www.usenix.or..._papers/Wei.pdf

Maybe encrypting data is the answer after all :D

#150 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 10,600 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 22 February 2011 - 05:08 PM

Interesting. :smiling9:

I'll have to think about the actual meaning of this :D:

We also evaluated degaussing as a method for erasing SSDs. Degaussing is a fast, effective means of destroying hard drives, since it removes the disk's low-level formatting (along with all the data) and damages the drive motor. The mechanism flash memories use to store data is not magnetism-based, so we did not expect the degausser to erase the flash cells directly. However, the strong alternating magnetic fields that the degausser produces will induce powerful eddy currents in chip’s metal layers. These currents may damage the chips, leaving them unreadable.
....
In all cases, the data remained intact.

means:
  • we have no idea of what we are doing and threw at a chip a strong magnetic field since we happened to have a degausser around, just for the fun of it.
    or
  • we know for sure that by applying a strong magnetic field powerful eddy currents will be generated, actually so powerful as to damage the chips metal layers, and since this did not happen, the chips have a protection against such eddy currents or we completely missed the point and produced a not strong enough magnetic field and/or no eddy current (or not powerful enough eddy current) was generated.

I may add (my little experience ;)) that immersing chips in mildly hot water with some soap and scrubbing them really hard with a brush never worked for me as a way to sanitize the data in them, but further research should be done in this field.

:)
Wonko



