• Hdparm issue with Samsung EVO 870 drive

    From Markus Robert Kessler@2:250/1 to All on Sat Sep 3 19:45:20 2022
    Hi all,

    I just tried to prepare an external harddisk by setting a password to
    make it safe for travelling.

    All other harddisks like (older) Samsung, Western Digital, Hitachi etc.
    accept locking / unlocking via password through hdparm commands via USB (kernel 5.10.46 / x64), but Samsung EVO 870 refuses to do so:

    $ hdparm --user-master u --security-set-pass 'newpass' /dev/sdb
    security_password: "newpass"

    /dev/sdb:
    Issuing SECURITY_SET_PASS command, password="newpass", user=user, mode=high
    The running kernel lacks CONFIG_IDE_TASK_IOCTL support for this device.
    SECURITY_SET_PASS: Invalid argument

    B.t.w., I cannot even remove or overwrite the manufacturer's secret
    master password. So, this is a severe security risk since someone could
    know it and unlock those drives.

    Has anyone already managed to lock / unlock such a drive?

    Any idea how to proceed?

    Thanks a lot!

    Best regards,

    Markus


    --
    Please reply to group only.
    For private email please use http://www.dipl-ing-kessler.de/email.htm

    --- MBSE BBS v1.0.8 (Linux-x86_64)
    * Origin: A noiseless patient Spider (2:250/1@fidonet)
  • From Marco Moock@2:250/1 to All on Sat Sep 3 20:04:45 2022
    On Saturday, 03 September 2022, at 18:45:20, Markus Robert
    Kessler wrote:

    I just tried to prepare an external harddisk by setting a password to
    make it safe for travelling.

    I can't help you with your problem, but setting this password won't
    protect people from accessing it if they know how to remove it. The
    data is still unencrypted. I recommend setting up LUKS to encrypt the
    data, so you don't need to care about such a password anymore.


  • From David W. Hodgins@2:250/1 to All on Sat Sep 3 20:05:39 2022
    On Sat, 03 Sep 2022 14:45:20 -0400, Markus Robert Kessler <no_reply@dipl-ing-kessler.de> wrote:

    Hi all,

    I just tried to prepare an external harddisk by setting a password to
    make it safe for travelling.

    All other harddisks like (older) Samsung, Western Digital, Hitachi etc. accept locking / unlocking via password through hdparm commands via USB (kernel 5.10.46 / x64), but Samsung EVO 870 refuses to do so:

    $ hdparm --user-master u --security-set-pass 'newpass' /dev/sdb
    security_password: "newpass"

    /dev/sdb:
    Issuing SECURITY_SET_PASS command, password="newpass", user=user, mode=high
    The running kernel lacks CONFIG_IDE_TASK_IOCTL support for this device.
    SECURITY_SET_PASS: Invalid argument

    B.t.w., I cannot even remove or overwrite the manufacturer's secret
    master password. So, this is a severe security risk since someone could
    know it and unlock those drives.

    Has anyone already managed to lock / unlock such a drive?

    Any idea how to proceed?

    Are you using a usb connection? https://sourceforge.net/p/hdparm/support-requests/7/

    Regards, Dave Hodgins

  • From Markus Robert Kessler@2:250/1 to All on Sat Sep 3 23:20:08 2022
    On Sat, 03 Sep 2022 15:05:39 -0400 David W. Hodgins wrote:

    On Sat, 03 Sep 2022 14:45:20 -0400, Markus Robert Kessler <no_reply@dipl-ing-kessler.de> wrote:

    Hi all,

    I just tried to prepare an external harddisk by setting a password to
    make it safe for travelling.

    All other harddisks like (older) Samsung, Western Digital, Hitachi etc.
    accept locking / unlocking via password through hdparm commands via USB
    (kernel 5.10.46 / x64), but Samsung EVO 870 refuses to do so:

    $ hdparm --user-master u --security-set-pass 'newpass' /dev/sdb
    security_password: "newpass"

    /dev/sdb:
    Issuing SECURITY_SET_PASS command, password="newpass", user=user, mode=high
    The running kernel lacks CONFIG_IDE_TASK_IOCTL support for this device.
    SECURITY_SET_PASS: Invalid argument

    B.t.w., I cannot even remove or overwrite the manufacturer's secret
    master password. So, this is a severe security risk since someone could
    know it and unlock those drives.

    Has anyone already managed to lock / unlock such a drive?

    Any idea how to proceed?

    Are you using a usb connection? https://sourceforge.net/p/hdparm/support-requests/7/

    Yes and no. First, I tried to connect via USB, since this worked for
    every other disk I have, but accessing EVO 870 failed.

    In the BIOS I could set the user password, but not the factory-set master-password. So, everyone knowing the master-pw can gain access to the data.
    This is unacceptable.

    So, I then put it into one of my notebooks and booted from a live dvd
    (Mageia 8 / x64).

    I could see the drive, but, unfortunately, when the live-dvd is up, there
    is no way to set/unset user/master password with hdparm, since prior to booting, the BIOS has "frozen" the settings of the disk.
    There is no "do not freeze the disk" checkbox in my BIOS.

    So, currently, I am stuck here. But, anyway, Samsung did not integrate
    such an evil backdoor in the former models like EVO 840..860.
    Just now, into EVO 870. -- Anyone can tell me why?

    Best regards,

    Markus


    --
    Please reply to group only.
    For private email please use http://www.dipl-ing-kessler.de/email.htm

  • From Sjouke Burry@2:250/1 to All on Sat Sep 3 23:34:52 2022
    On 04.09.22 0:20, Markus Robert Kessler wrote:
    On Sat, 03 Sep 2022 15:05:39 -0400 David W. Hodgins wrote:

    On Sat, 03 Sep 2022 14:45:20 -0400, Markus Robert Kessler
    <no_reply@dipl-ing-kessler.de> wrote:

    Hi all,

    I just tried to prepare an external harddisk by setting a password to
    make it safe for travelling.

    All other harddisks like (older) Samsung, Western Digital, Hitachi etc.
    accept locking / unlocking via password through hdparm commands via USB
    (kernel 5.10.46 / x64), but Samsung EVO 870 refuses to do so:

    $ hdparm --user-master u --security-set-pass 'newpass' /dev/sdb
    security_password: "newpass"

    /dev/sdb:
    Issuing SECURITY_SET_PASS command, password="newpass", user=user, mode=high
    The running kernel lacks CONFIG_IDE_TASK_IOCTL support for this device.
    SECURITY_SET_PASS: Invalid argument

    B.t.w., I cannot even remove or overwrite the manufacturer's secret
    master password. So, this is a severe security risk since someone could
    know it and unlock those drives.

    Has anyone already managed to lock / unlock such a drive?

    Any idea how to proceed?

    Are you using a usb connection?
    https://sourceforge.net/p/hdparm/support-requests/7/

    Yes and no. First, I tried to connect via USB, since this worked for
    every other disk I have, but accessing EVO 870 failed.

    In the BIOS I could set the user password, but not the factory-set master-password. So, everyone knowing the master-pw can gain access to the data. This is unacceptable.

    So, I then put it into one of my notebooks and booted from a live dvd
    (Mageia 8 / x64).

    I could see the drive, but, unfortunately, when the live-dvd is up, there
    is no way to set/unset user/master password with hdparm, since prior to booting, the BIOS has "frozen" the settings of the disk.
    There is no "do not freeze the disk" checkbox in my BIOS.

    So, currently, I am stuck here. But, anyway, Samsung did not integrate
    such an evil backdoor in the former models like EVO 840..860.
    Just now, into EVO 870. -- Anyone can tell me why?

    Best regards,

    Markus


    Why not put your data in a password protected
    zipfile on the HD?
    That way you don't need to block the drive.

    --- MBSE BBS v1.0.8 (Linux-x86_64)
    * Origin: KPN B.V. (2:250/1@fidonet)
  • From Paul@2:250/1 to All on Sun Sep 4 01:27:16 2022
    On 9/3/2022 6:20 PM, Markus Robert Kessler wrote:
    On Sat, 03 Sep 2022 15:05:39 -0400 David W. Hodgins wrote:

    On Sat, 03 Sep 2022 14:45:20 -0400, Markus Robert Kessler
    <no_reply@dipl-ing-kessler.de> wrote:

    Hi all,

    I just tried to prepare an external harddisk by setting a password to
    make it safe for travelling.

    All other harddisks like (older) Samsung, Western Digital, Hitachi etc.
    accept locking / unlocking via password through hdparm commands via USB
    (kernel 5.10.46 / x64), but Samsung EVO 870 refuses to do so:

    $ hdparm --user-master u --security-set-pass 'newpass' /dev/sdb
    security_password: "newpass"

    /dev/sdb:
    Issuing SECURITY_SET_PASS command, password="newpass", user=user, mode=high
    The running kernel lacks CONFIG_IDE_TASK_IOCTL support for this device.
    SECURITY_SET_PASS: Invalid argument

    B.t.w., I cannot even remove or overwrite the manufacturer's secret
    master password. So, this is a severe security risk since someone could
    know it and unlock those drives.

    Has anyone already managed to lock / unlock such a drive?

    Any idea how to proceed?

    Are you using a usb connection?
    https://sourceforge.net/p/hdparm/support-requests/7/

    Yes and no. First, I tried to connect via USB, since this worked for
    every other disk I have, but accessing EVO 870 failed.

    In the BIOS I could set the user password, but not the factory-set master-password. So, everyone knowing the master-pw can gain access to the data. This is unacceptable.

    So, I then put it into one of my notebooks and booted from a live dvd
    (Mageia 8 / x64).

    I could see the drive, but, unfortunately, when the live-dvd is up, there
    is no way to set/unset user/master password with hdparm, since prior to booting, the BIOS has "frozen" the settings of the disk.
    There is no "do not freeze the disk" checkbox in my BIOS.

    Sometimes an add-on card is "unfrozen".

    https://commons.wikimedia.org/wiki/File:Noname_JMB363-based_P-_%26_SATA_controller_card.png

    I could set an HPA (Host Protected Area) using the
    JMB363 on my previous motherboard, whereas
    the motherboard BIOS module for the ICH10
    SATA ports was "frozen". I've never tried
    any password procedures, so cannot even tell
    you whether setting a password makes sense.

    The Flash memory on that card can be re-flashed.
    It can be flashed with RAID or non-RAID code.

    What happens when UEFI boots up is unknown.

    The various manufacturers have either good or bad
    BIOS module designers. Perhaps JMicron or ITE might
    make unfrozen stuff. I don't know what VIA products
    are like (you'd want an 8237-S for it to work anyway).
    Asmedia is probably frozen (they tend to be technically
    proficient so BIOS code won't leave with holes in it).
    Intel is definitely frozen. No reason for AMD
    to be any different.

    The ability to set an HPA or use one of those
    passwords will not appear in any product documentation.
    Intel will not tell you that their SATA ports
    are frozen. You have to test it yourself to find out.
    On my motherboard (the motherboard that is dead now),
    the ICH10 was frozen and useless, whereas the JMB363 allowed
    some experiments.

    It is a murky topic, poorly documented, and for
    people with lots of time and money (for controller cards)
    to waste.

    The manual page for HDParm, in many cases, is the only
    educational material :-)

    Paul

  • From Markus Robert Kessler@2:250/1 to All on Sun Sep 4 11:12:19 2022
    On Sun, 04 Sep 2022 00:34:52 +0200 Sjouke Burry wrote:

    On 04.09.22 0:20, Markus Robert Kessler wrote:
    On Sat, 03 Sep 2022 15:05:39 -0400 David W. Hodgins wrote:

    On Sat, 03 Sep 2022 14:45:20 -0400, Markus Robert Kessler
    <no_reply@dipl-ing-kessler.de> wrote:

    Hi all,

    I just tried to prepare an external harddisk by setting a password to
    make it safe for travelling.

    All other harddisks like (older) Samsung, Western Digital, Hitachi
    etc.
    accept locking / unlocking via password through hdparm commands via
    USB (kernel 5.10.46 / x64), but Samsung EVO 870 refuses to do so:

    $ hdparm --user-master u --security-set-pass 'newpass' /dev/sdb
    security_password: "newpass"

    /dev/sdb:
    Issuing SECURITY_SET_PASS command, password="newpass", user=user, mode=high
    The running kernel lacks CONFIG_IDE_TASK_IOCTL support for this device.
    SECURITY_SET_PASS: Invalid argument

    B.t.w., I cannot even remove or overwrite the manufacturer's secret
    master password. So, this is a severe security risk since someone
    could know it and unlock those drives.

    Has anyone already managed to lock / unlock such a drive?

    Any idea how to proceed?

    Are you using a usb connection?
    https://sourceforge.net/p/hdparm/support-requests/7/

    Yes and no. First, I tried to connect via USB, since this worked for
    every other disk I have, but accessing EVO 870 failed.

    In the BIOS I could set the user password, but not the factory-set
    master-password. So, everyone knowing the master-pw can gain access to the
    data. This is unacceptable.

    So, I then put it into one of my notebooks and booted from a live dvd
    (Mageia 8 / x64).

    I could see the drive, but, unfortunately, when the live-dvd is up,
    there is no way to set/unset user/master password with hdparm, since
    prior to booting, the BIOS has "frozen" the settings of the disk.
    There is no "do not freeze the disk" checkbox in my BIOS.

    So, currently, I am stuck here. But, anyway, Samsung did not integrate
    such an evil backdoor in the former models like EVO 840..860.
    Just now, into EVO 870. -- Anyone can tell me why?

    Best regards,

    Markus


    Why not put your data in a password protected zipfile on the HD?
    That way you don't need to block the drive.

    Hi,

    this was one of my favorite options in the beginning, yes.
    But in this case, someone can install trojans, keyloggers etc. to, sooner
    or later, get access.

    Besides this, the archive can be stolen and be decrypted via cloud
    services, no matter, how long it takes. He will get access.

    Best regards,

    Markus


    --
    Please reply to group only.
    For private email please use http://www.dipl-ing-kessler.de/email.htm

  • From Markus Robert Kessler@2:250/1 to All on Sun Sep 4 11:20:39 2022
    On Sat, 03 Sep 2022 21:04:45 +0200 Marco Moock wrote:

    On Saturday, 03 September 2022, at 18:45:20, Markus Robert Kessler wrote:

    I just tried to prepare an external harddisk by setting a password to
    make it safe for travelling.

    I can't help you with your problem, but setting this password won't
    protect people from accessing it if they know how to remove it. The data
    is still unencrypted. I recommend setting up LUKS to encrypt the data,
    so you don't need to care about such a password anymore.

    Some years ago, I had to prepare for a business trip and therefore I
    tried to do a harddisk encryption.

    Well, yes, this did work. But, whenever something went wrong and I had to simply switch the notebook off, instead of shutting down, the whole thing crashed and I had to reinstall all.

    This happened 2 or 3 times and finally I gave up. I switched to SATA
    password and everything was fine :-)

    Best regards,

    Markus


    --
    Please reply to group only.
    For private email please use http://www.dipl-ing-kessler.de/email.htm

  • From Markus Robert Kessler@2:250/1 to All on Sun Sep 4 11:55:18 2022
    On Sat, 03 Sep 2022 18:45:20 +0000 Markus Robert Kessler wrote:

    Hi all,

    I just tried to prepare an external harddisk by setting a password to
    make it safe for travelling.

    All other harddisks like (older) Samsung, Western Digital, Hitachi etc. accept locking / unlocking via password through hdparm commands via USB (kernel 5.10.46 / x64), but Samsung EVO 870 refuses to do so:

    $ hdparm --user-master u --security-set-pass 'newpass' /dev/sdb
    security_password: "newpass"

    /dev/sdb:
    Issuing SECURITY_SET_PASS command, password="newpass", user=user, mode=high
    The running kernel lacks CONFIG_IDE_TASK_IOCTL support for this device.
    SECURITY_SET_PASS: Invalid argument

    B.t.w., I cannot even remove or overwrite the manufacturer's secret
    master password. So, this is a severe security risk since someone could
    know it and unlock those drives.

    Has anyone already managed to lock / unlock such a drive?

    Any idea how to proceed?

    Thanks a lot!

    Best regards,

    Markus

    Hi all,
    many thanks for all your hints!

    In the meantime I found more adapters here and accomplished some more
    tests.

    Just to summarize -- I found the following:

    - both, Samsung EVO 840 and 870 can be fully accessed by hdparm through
    USB

    - both, Samsung EVO 840 and 870 do have a built-in master password (which should be overwritten prior to use)

    - USB-to-SATA adapters from "Logilink" do or do not work. At least, this
    one does not support HPA and other hdparm features: SN 39993001701

    - Renkforce "SATA Docking Station Cloner" is fully supporting hdparm
    command set. So, whenever a machine has to be equipped with a new SSD
    that has a master password, and the machine does not allow to disable it
    in the BIOS, the password can be set this way.

    So, once again, thanks for all your ideas!

    Best regards,

    Markus


    --
    Please reply to group only.
    For private email please use http://www.dipl-ing-kessler.de/email.htm
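
Added example, not part of the thread: the posts above turn on two things `hdparm -I` reports in its Security section, whether the BIOS has frozen the drive and whether the master password is still the factory one. The sketch below parses that section; the function names and the sample output are constructed for illustration, and it assumes a master password revision code of 65534 (0xFFFE, the ATA factory-default identifier) means the master password was never changed.

```shell
#!/bin/sh
# Classify the ATA security state from `hdparm -I` output read on stdin.
# Real use (as root):  hdparm -I /dev/sdX | ata_security_advice

# Emit the Security-section flags as one line of key=value pairs.
ata_security_state() {
    awk '
        /^Security:/        { insec = 1; next }
        insec && /^[^ \t]/  { insec = 0 }   # next unindented header ends the section
        !insec              { next }
        /Master password revision code/ { rev = $NF; next }
        {
            neg  = ($1 == "not")
            word = neg ? $2 : $1
            # exact match skips "supported: enhanced erase" and "expired: ..."
            if (word ~ /^(supported|enabled|locked|frozen)$/ && !(word in st))
                st[word] = neg ? "no" : "yes"
        }
        END {
            n = split("supported enabled locked frozen", k, " ")
            for (i = 1; i <= n; i++)
                printf "%s=%s ", k[i], ((k[i] in st) ? st[k[i]] : "unknown")
            printf "master_rev=%s\n", (rev != "" ? rev : "unknown")
        }'
}

# Reduce the state to the one thing to deal with next.
ata_security_advice() {
    state=$(ata_security_state)
    case "$state" in
        supported=yes*) ;;
        *) echo "unsupported"; return 0 ;;  # no Security section was reported
    esac
    case "$state" in
        *" frozen=yes "*)     echo "frozen" ;;            # security commands are rejected while frozen
        *" locked=yes "*)     echo "locked" ;;            # unlock with the user password first
        *" master_rev=65534") echo "set-master-first" ;;  # assumed: 0xFFFE = factory master password
        *)                    echo "ready" ;;
    esac
}

# Constructed sample of the relevant part of `hdparm -I` output;
# $1 is the (indented) frozen line, so both states can be shown.
sample_identify() {
    cat <<EOF
Commands/features:
            Security Mode feature set
Security:
    Master password revision code = 65534
            supported
    not     enabled
    not     locked
$1
    not     expired: security count
            supported: enhanced erase
    2min for SECURITY ERASE UNIT. 8min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
EOF
}

sample_identify "            frozen" | ata_security_advice
sample_identify "    not     frozen" | ata_security_advice
```

A result of `unsupported` behind a USB adapter may simply mean the bridge does not pass the ATA identify data through, which is worth ruling out before blaming the drive.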

  • From William Unruh@2:250/1 to All on Sun Sep 4 15:28:28 2022
    Hi,

    this was one of my favorite options in the beginning, yes.
    But in this case, someone can install trojans, keyloggers etc. to, sooner
    or later, get access.

    Besides this, the archive can be stolen and be decrypted via cloud
    services, no matter, how long it takes. He will get access.

    Nuts. With modern encryption this is just wrong. He will not get access.
    The earth will get fried in a supernova or red giant before it is
    decrypted, assuming you do not use idiotically weak passwords.

    And why would anyone spend that kind of time and effort and money on
    your data?


    Best regards,

    Markus



  • From David W. Hodgins@2:250/1 to All on Sun Sep 4 19:38:43 2022
    On Sun, 04 Sep 2022 06:55:18 -0400, Markus Robert Kessler <no_reply@dipl-ing-kessler.de> wrote:
    So, once again, thanks for all your ideas!

    Glad you got it working. One thing I'd like to clarify. Using "hardware" based encryption does not provide any extra security over using software based encryption.

    The "hardware" based encryption is just using software that is stored in the firmware of the device, which you may or may not be able to update when problems are found. The only benefit of using it is that an attacker has to have a similar drive, and the tools/skill needed to switch parts from one drive to another to access the encrypted data.

    Once they have access to the encrypted data, the software used in the firmware is more likely to have un-patched flaws that can be exploited, than up-to-date file system encryption software such as luks.

    A major drawback of hardware based encryption is that it can make it much more difficult to move storage from one computer to a new one if the old computer fails.

    Regards, Dave Hodgins

  • From Daniel65@2:250/1 to All on Mon Sep 5 11:52:20 2022
    William Unruh wrote on 5/9/22 12:28 am:
    Hi,

    this was one of my favorite options in the beginning, yes.
    But in this case, someone can install trojans, keyloggers etc. to, sooner
    or later, get access.

    Besides this, the archive can be stolen and be decrypted via cloud
    services, no matter, how long it takes. He will get access.

    Nuts. With modern encryption this is just wrong. He will not get access.
    The earth will get fried in a supernova or red giant before it is
    decrypted, assuming you do not use idiotically weak passwords.

    And why would anyone spend that kind of time and effort and money on
    your data?

    EXACTLY!! Back in the 80's/90's, I was in the Australian Army, dealing with
    Radio and Crypto equipment.

    At one stage, I was told that the daily crypto-keys (64 or 128 bit, I
    think) they were using then were rated as good for 25-28 hours because
    it would take the bad guys that long to break the code!!

    Sure, the code-breaker equipment has gotten better/faster, but so too
    then has the Crypto-Equipment.

    And all just to find out that someone was being posted somewhere else!! ;-P
    --
    Daniel
