Possible to reuse TCG Enterprise encrypted drive?

simpleman310

I recently was able to get a HGST SS200 SAS SSD, and it was most likely encrypted when in Production. Is it possible to just wipe the drive and the encryption? I can't seem to get the drive to accept any commands. When I put it in a Windows machine, Disk management says "Access Denied" to anything I try and do to it.

Not sure that this is worth my time to try and figure out.
 

blueether

low level format in freenas?
sg_format or camcontrol

 

simpleman310

This almost sounds like a SED drive, where the drive itself is providing encryption. See https://www.ixsystems.com/documentation/freenas/11.3-RC1/system.html#self-encrypting-drives for more information.
Try to reset the SED password before doing anything with camcontrol or formatting, I'm not sure the drives would even accept commands if it's not unlocked anyways.

This is an SED drive, and when doing a sedutil-cli --scan, it comes back with "E" for TCG Enterprise. I have the PSID and MSID, but PSID Revert doesn't work. It won't accept any commands, as I'm pretty sure it is completely locked, as you stated.
 

Tsaukpaetra

The drive may be frozen (speaking from Googling and not personal experience). Try cold power cycling the drive between unlock attempts. What does a very verbose output of sedutil-cli output? (put -vvv into the command)
 

simpleman310

How do I cold power cycle it? Just pull it and push it back in?

What command should I be using to unlock it? I was using "sedutil-cli --setLockingRange 0 rw MSIDHERE /dev/da7".

Here is what a query on the drive looks like:

Code:
/dev/da7 SAS HGST    SDLL1DLR960GCDA1 X150 A046ACDA
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = Y, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MBRAbsent = N, MediaEncrypt = Y
Enterprise function (0x0100)
    Range crossing = Y, Base comID = 0x07fe, comIDs = 2
root@freenas[~]#


It does show locked.
 

Tsaukpaetra

If my research is to be believed:

Code:
sedutil-cli -vvv --yesIreallywanttoERASEALLmydatausingthePSID (DrivePSID) /dev/da7

Replacing (DrivePSID) as appropriate.
 

simpleman310

I did try that as well. As that is what my research told me too.
Here are the results (PSID omitted):
Code:
root@freenas[~]# sedutil-cli -vvv --yesIreallywanttoERASEALLmydatausingthePSID PSID /dev/da7
Log level set to DBG2
sedutil version :
Creating  DtaResponse()
Creating  DtaResponse()
DtaDevOS::init /dev/da7
Creating DtaDevFreeBSDCAM::DtaDev() /dev/da7
Entering DtaDev::discovery0()
Entering DtaDevFreeBSDCAM::sendCmd
Entering DtaDev::isPresent() 1
Entering DtaDev::isAnySSC 1
Entering DtaDev::isOpal2 0
Entering DtaDev::isOpalite 0
Entering DtaDev::isPyrite1 0
Entering DtaDev::isPyrite2 0
Entering DtaDev::isOpal1() 0
Entering DtaDev::isEprise 1
Creating  DtaResponse()
Creating  DtaResponse()
DtaDevOS::init /dev/da7
Creating DtaDevFreeBSDCAM::DtaDev() /dev/da7
Entering DtaDev::discovery0()
Entering DtaDevFreeBSDCAM::sendCmd
Entering DtaDev::isEprise 1
Entering DtaDevEnterprise::properties()
Creating DtaSsession()
Creating DtaCommand(ID, InvokingUid, method)
Entering DtaCommand::reset(OPAL_UID, OPAL_METHOD)
Entering DtaCommand::reset()
Entering DtaCommand::addToken(OPAL_UID)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(const char * )
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(const char * )
Entering DtaCommand::addToken(uint64_t)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(const char * )
Entering DtaCommand::addToken(uint64_t)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(const char * )
Entering DtaCommand::addToken(uint64_t)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(const char * )
Entering DtaCommand::addToken(uint64_t)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(const char * )
Entering DtaCommand::addToken(uint64_t)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(const char * )
Entering DtaCommand::addToken(uint64_t)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::complete(uint8_t EOD)
Entering DtaSession::sendCommand()
Entering DtaCommand::setHSN()
Entering DtaCommand::setTSN()
Entering DtaDevEnterprise::comID()
Entering DtaCommand::setcomID()
<< IF_SEND >>
ComPacket.extendedComID    07FE0000
ComPacket.outstandingData  00000000
ComPacket.minTransfer      00000000
ComPacket.length           000000C0
Packet.TSN                 00000000
Packet.HSN                 00000000
Packet.seqNumber           00000000
Packet.ackType             00000000
Packet.acknowledgement     00000000
Packet.length              000000A8
DataSubPacket.kind         00000000
DataSubPacket.length       0000009A
Entering DtaToken::parse 154
1       ( F8 ) Call
Entering DtaToken::parse 153
9       ( A8 ) 00 00 00 00 00 00 00 FF ("Session Manager UID")
Entering DtaToken::parse 144
9       ( A8 ) 00 00 00 00 00 00 FF 01 ("Session Properties Method UID")
Entering DtaToken::parse 135
1       ( F0 ) Start_List
Entering DtaToken::parse 134
1       ( F2 ) Start_Name
Entering DtaToken::parse 133
15      ( AE ) 48 6F 73 74 50 72 6F 70 65 72 74 69 65 73 ("HostProperties")
Entering DtaToken::parse 118
1       ( F0 ) Start_List
Entering DtaToken::parse 117
1       ( F2 ) Start_Name
Entering DtaToken::parse 116
18      ( D0 10 ) 4D 61 78 43 6F 6D 50 61 63 6B 65 74 53 69 7A 65 ("MaxComPacketSize")
Entering DtaToken::parse 98
3       ( 82 ) 2048 (800h)
Entering DtaToken::parse 95
1       ( F3 ) End_Name
Entering DtaToken::parse 94
1       ( F2 ) Start_Name
Entering DtaToken::parse 93
14      ( AD ) 4D 61 78 50 61 63 6B 65 74 53 69 7A 65 ("MaxPacketSize")
Entering DtaToken::parse 79
3       ( 82 ) 2028 (7ECh)
Entering DtaToken::parse 76
1       ( F3 ) End_Name
Entering DtaToken::parse 75
1       ( F2 ) Start_Name
Entering DtaToken::parse 74
16      ( AF ) 4D 61 78 49 6E 64 54 6F 6B 65 6E 53 69 7A 65 ("MaxIndTokenSize")
Entering DtaToken::parse 58
3       ( 82 ) 1992 (7C8h)
Entering DtaToken::parse 55
1       ( F3 ) End_Name
Entering DtaToken::parse 54
1       ( F2 ) Start_Name
Entering DtaToken::parse 53
11      ( AA ) 4D 61 78 50 61 63 6B 65 74 73 ("MaxPackets")
Entering DtaToken::parse 42
1       ( 01 ) 1 (1h)
Entering DtaToken::parse 41
1       ( F3 ) End_Name
Entering DtaToken::parse 40
1       ( F2 ) Start_Name
Entering DtaToken::parse 39
14      ( AD ) 4D 61 78 53 75 62 70 61 63 6B 65 74 73 ("MaxSubpackets")
Entering DtaToken::parse 25
1       ( 01 ) 1 (1h)
Entering DtaToken::parse 24
1       ( F3 ) End_Name
Entering DtaToken::parse 23
1       ( F2 ) Start_Name
Entering DtaToken::parse 22
11      ( AA ) 4D 61 78 4D 65 74 68 6F 64 73 ("MaxMethods")
Entering DtaToken::parse 11
1       ( 01 ) 1 (1h)
Entering DtaToken::parse 10
1       ( F3 ) End_Name
Entering DtaToken::parse 9
1       ( F1 ) End_List
Entering DtaToken::parse 8
1       ( F3 ) End_Name
Entering DtaToken::parse 7
1       ( F1 ) End_List
Entering DtaToken::parse 6
1       ( F9 ) End_of_Data
Entering DtaToken::parse 5
1       ( F0 ) Start_List
Entering DtaToken::parse 4
1       ( 00 ) 0 (0h)
Entering DtaToken::parse 3
1       ( 00 ) 0 (0h)
Entering DtaToken::parse 2
1       ( 00 ) 0 (0h)
Entering DtaToken::parse 1
1       ( F1 ) End_List
Entering DtaDevEnterprise::comID()
Entering DtaDevFreeBSDCAM::sendCmd
Command failed on send 255
Command failed on exec 255
Destroying DtaCommand
Properties exchange failed
Destroying DtaDevOS
Destroying DtaDevFreeBSDCAM
Destroying DtaResponse
Destroying DtaResponse
Performing a PSID Revert on /dev/da7 with password PSID
Entering DtaDevEnterprise::revertTPer()
Creating DtaCommand()
Creating DtaSsession()
Entering DtaSession::dontHashPwd
Entering DtaSession::startSession
Entering DtaSession::startSession
Entering DtaDev::isEprise 1
Creating DtaCommand()
Creating  DtaResponse()
Entering DtaCommand::reset(OPAL_UID, OPAL_METHOD)
Entering DtaCommand::reset()
Entering DtaCommand::addToken(OPAL_UID)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(uint64_t)
Entering DtaCommand::addToken(OPAL_UID)
Entering DtaCommand::addToken(OPAL_TINY_ATOM)
Entering DtaDev::isEprise 1
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(const char * )
Entering DtaCommand::addToken(uint64_t)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::complete(uint8_t EOD)
Entering DtaSession::sendCommand()
Entering DtaCommand::setHSN()
Entering DtaCommand::setTSN()
Entering DtaDevEnterprise::comID()
Entering DtaCommand::setcomID()
<< IF_SEND >>
ComPacket.extendedComID    07FE0000
ComPacket.outstandingData  00000000
ComPacket.minTransfer      00000000
ComPacket.length           00000060
Packet.TSN                 00000000
Packet.HSN                 00000000
Packet.seqNumber           00000000
Packet.ackType             00000000
Packet.acknowledgement     00000000
Packet.length              00000048
DataSubPacket.kind         00000000
DataSubPacket.length       0000003B
Entering DtaToken::parse 59
1       ( F8 ) Call
Entering DtaToken::parse 58
9       ( A8 ) 00 00 00 00 00 00 00 FF ("Session Manager UID")
Entering DtaToken::parse 49
9       ( A8 ) 00 00 00 00 00 00 FF 02 ("StartSessionMethod")
Entering DtaToken::parse 40
1       ( F0 ) Start_List
Entering DtaToken::parse 39
2       ( 81 ) 105 (69h)
Entering DtaToken::parse 37
9       ( A8 ) 00 00 02 05 00 00 00 01 ("SP Admin")
Entering DtaToken::parse 28
1       ( 01 ) 1 (1h)
Entering DtaToken::parse 27
1       ( F2 ) Start_Name
Entering DtaToken::parse 26
15      ( AE ) 53 65 73 73 69 6F 6E 54 69 6D 65 6F 75 74 ("SessionTimeout")
Entering DtaToken::parse 11
3       ( 82 ) 60000 (EA60h)
Entering DtaToken::parse 8
1       ( F3 ) End_Name
Entering DtaToken::parse 7
1       ( F1 ) End_List
Entering DtaToken::parse 6
1       ( F9 ) End_of_Data
Entering DtaToken::parse 5
1       ( F0 ) Start_List
Entering DtaToken::parse 4
1       ( 00 ) 0 (0h)
Entering DtaToken::parse 3
1       ( 00 ) 0 (0h)
Entering DtaToken::parse 2
1       ( 00 ) 0 (0h)
Entering DtaToken::parse 1
1       ( F1 ) End_List
Entering DtaDevEnterprise::comID()
Entering DtaDevFreeBSDCAM::sendCmd
Command failed on send 255
Command failed on exec 255
Destroying DtaCommand
Session start with timeout failed rc = 255
Destroying DtaResponse
Creating DtaCommand()
Creating  DtaResponse()
Entering DtaCommand::reset(OPAL_UID, OPAL_METHOD)
Entering DtaCommand::reset()
Entering DtaCommand::addToken(OPAL_UID)
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::addToken(uint64_t)
Entering DtaCommand::addToken(OPAL_UID)
Entering DtaCommand::addToken(OPAL_TINY_ATOM)
Entering DtaDev::isEprise 1
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::complete(uint8_t EOD)
Entering DtaSession::sendCommand()
Entering DtaCommand::setHSN()
Entering DtaCommand::setTSN()
Entering DtaDevEnterprise::comID()
Entering DtaCommand::setcomID()
<< IF_SEND >>
ComPacket.extendedComID    07FE0000
ComPacket.outstandingData  00000000
ComPacket.minTransfer      00000000
ComPacket.length           0000004C
Packet.TSN                 00000000
Packet.HSN                 00000000
Packet.seqNumber           00000000
Packet.ackType             00000000
Packet.acknowledgement     00000000
Packet.length              00000034
DataSubPacket.kind         00000000
DataSubPacket.length       00000027
Entering DtaToken::parse 39
1       ( F8 ) Call
Entering DtaToken::parse 38
9       ( A8 ) 00 00 00 00 00 00 00 FF ("Session Manager UID")
Entering DtaToken::parse 29
9       ( A8 ) 00 00 00 00 00 00 FF 02 ("StartSessionMethod")
Entering DtaToken::parse 20
1       ( F0 ) Start_List
Entering DtaToken::parse 19
2       ( 81 ) 105 (69h)
Entering DtaToken::parse 17
9       ( A8 ) 00 00 02 05 00 00 00 01 ("SP Admin")
Entering DtaToken::parse 8
1       ( 01 ) 1 (1h)
Entering DtaToken::parse 7
1       ( F1 ) End_List
Entering DtaToken::parse 6
1       ( F9 ) End_of_Data
Entering DtaToken::parse 5
1       ( F0 ) Start_List
Entering DtaToken::parse 4
1       ( 00 ) 0 (0h)
Entering DtaToken::parse 3
1       ( 00 ) 0 (0h)
Entering DtaToken::parse 2
1       ( 00 ) 0 (0h)
Entering DtaToken::parse 1
1       ( F1 ) End_List
Entering DtaDevEnterprise::comID()
Entering DtaDevFreeBSDCAM::sendCmd
Command failed on send 255
Command failed on exec 255
Destroying DtaCommand
Session start failed rc = 255
Destroying DtaResponse
Destroying DtaCommand
Destroying DtaSession
Creating  DtaResponse()
Creating DtaCommand()
Entering DtaCommand::reset()
Entering DtaCommand::addToken(OPAL_TOKEN)
Entering DtaCommand::complete(uint8_t EOD)
Entering DtaSession::sendCommand()
Entering DtaCommand::setHSN()
Entering DtaCommand::setTSN()
Entering DtaDevEnterprise::comID()
Entering DtaCommand::setcomID()
<< IF_SEND >>
ComPacket.extendedComID    07FE0000
ComPacket.outstandingData  00000000
ComPacket.minTransfer      00000000
ComPacket.length           00000028
Packet.TSN                 00000000
Packet.HSN                 00000000
Packet.seqNumber           00000000
Packet.ackType             00000000
Packet.acknowledgement     00000000
Packet.length              00000010
DataSubPacket.kind         00000000
DataSubPacket.length       00000001
Entering DtaToken::parse 1
1       ( FA ) End_of_Session
Entering DtaDevEnterprise::comID()
Entering DtaDevFreeBSDCAM::sendCmd
Command failed on send 255
Command failed on exec 255
EndSession Failed
Destroying DtaCommand
Destroying DtaResponse
root@freenas[~]#


It seems I cannot send any command to it until it is not locked
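
For readers following the debug output above, this is an added example (not part of the original post and not sedutil's own code) that decodes the token stream sedutil-cli prints after each `<< IF_SEND >>` header, using the tiny/short/medium/long atom and control-token byte encodings visible in the log. The names `decode_tokens` and `START_SESSION` are chosen here; the sample payload is retyped from the second StartSession dump.

```python
# Added example: decode a TCG data-subpacket token stream like the ones dumped above.
CONTROL = {0xF0: "Start_List", 0xF1: "End_List", 0xF2: "Start_Name",
           0xF3: "End_Name", 0xF8: "Call", 0xF9: "End_of_Data",
           0xFA: "End_of_Session", 0xFB: "Start_Transaction",
           0xFC: "End_Transaction", 0xFF: "Empty"}

def decode_tokens(buf):
    """Return [(kind, value)] where kind is 'ctl', 'int' or 'bytes'."""
    out, i = [], 0
    while i < len(buf):
        b = buf[i]
        if b < 0x80:                      # tiny atom: 0 S dddddd
            v = b & 0x3F
            if b & 0x40 and v & 0x20:     # signed 6-bit two's complement
                v -= 0x40
            out.append(("int", v))
            i += 1
            continue
        if b in CONTROL:                  # single-byte control token
            out.append(("ctl", CONTROL[b]))
            i += 1
            continue
        if b < 0xC0:                      # short atom: 10 B S nnnn
            hdr, is_bytes, signed, n = 1, b & 0x20, b & 0x10, b & 0x0F
        elif b < 0xE0:                    # medium atom: 110 B S nnn + 1 length byte
            hdr, is_bytes, signed = 2, b & 0x10, b & 0x08
            n = ((b & 0x07) << 8) | int.from_bytes(buf[i + 1:i + 2], "big")
        elif b < 0xE4:                    # long atom: 111000 B S + 3 length bytes
            hdr, is_bytes, signed = 4, b & 0x02, b & 0x01
            n = int.from_bytes(buf[i + 1:i + 4], "big")
        else:
            raise ValueError(f"reserved token 0x{b:02X} at offset {i}")
        if i + hdr + n > len(buf):        # header or body runs past the buffer
            raise ValueError(f"truncated atom at offset {i}")
        body = bytes(buf[i + hdr:i + hdr + n])
        if is_bytes:
            out.append(("bytes", body))
        else:
            out.append(("int", int.from_bytes(body, "big", signed=bool(signed))))
        i += hdr + n
    return out

# StartSession payload retyped from the second IF_SEND dump (DataSubPacket.length 0x27).
START_SESSION = bytes.fromhex(
    "F8 A800000000000000FF A8000000000000FF02 F0 8169"
    " A80000020500000001 01 F1 F9 F0 000000 F1")

if __name__ == "__main__":
    for kind, val in decode_tokens(START_SESSION):
        print(kind, val.hex(" ").upper() if kind == "bytes" else val)
```

The decoded call matches the log line for line, which shows the request itself is well-formed; the `Command failed on send 255` lines are reported after the packet has been built.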
 

Tsaukpaetra

Oh, yes, to answer your earlier question, a cold power cycle would be literally disconnecting it from power and waiting ten (or more) seconds, and then plugging it back in. Assuming the port you connected the drive to is hot-plug enabled, that would be simpler and faster than powering off the whole system.

I think that since you're getting that Command failed on send 255 error, the drive is completely frozen for this session and a power cycle is the only way to get out of that.
 

simpleman310

I tried pulling it out for 10 seconds, and it still showed Locked. I tried pulling it out for 20 seconds. Same thing.

Not sure if it matters, but it is plugged into a Dell R620 with H310 Mini flashed to IT mode. I don't think that would matter.
 

Tsaukpaetra

No, it will always show locked, the question is if it's frozen (two different things). Once you've power cycled it, try the yesIreallywanttoERASEALLmydatausingthePSID command again.
 

simpleman310

Still no luck.

Code:
Command failed on send 255
Command failed on exec 255
Properties exchange failed
Command failed on send 255
Command failed on exec 255
Command failed on send 255
Command failed on exec 255
Session start failed rc = 255
Command failed on send 255
Command failed on exec 255
EndSession Failed


I'm contemplating opening a support ticket with HGST and see if they have a program that they use to do a PSID Revert.

I downloaded the HGST Device Manager, but there doesn't seem to be anything about PSID Reverts with it.
 

simpleman310

Yeah, not sure at this point. You've surpassed my personal ability to Google and translate the found results. :(

No worries at all! I appreciate your help. I opened up a ticket with HGST/Western Digital. I will keep you updated if I hear anything.
 

olodar

Hello! Did you find any solution? I have a used HITACHI HUC109060CSS601 drive and it is locked. I tried everything, but nothing helps...
My drive has an MSID key, but no PSID, and sg_format requires PSID.
 

automattic3

Did anyone find a solution for this? I have 72 of these HGST drives that also only have the MSID and no PSID. I have tried everything I can think of.
sedutil-cli --scan shows no for Opal compliant.

HUSMM9040ASS201 is the model.

Oddly enough, the only thing I can do is write zeros with Parted Magic, but they still don't work afterwards.
 

Davvo


automattic3

I have ordered a Dell 730p RAID controller and am going to try it in my Cisco server to see if I can force erase them. Will update here if I have any success.
 