
I have a bunch of RDX backup cartridges and, given that they contain standard 2.5" SATA drives, I recently wanted to open them in order to be able to use the drives outside of the proprietary drive bay.

However, after connecting the drives directly via SATA to my PC, they did not show any content. It took me quite a long time, but I managed to find out that the drives reported as locked when checked with hdparm.

My assumption is that the proprietary drive bay controller simply protects them with a password, and that, after obtaining this password I should be able to use them normally. I have the proprietary drive bay at hand and won't shy away from opening it, soldering on it or diving *a little* into microcontrolling, reverse engineering or whatever might be applicable here. The drive bay has a USB 3 connection and inside sits a Texas Instruments TUSB9261 USB-to-SATA controller. I believe the corresponding SPI chip would be the one labeled 2SPE20VP.

I would be grateful for any advice on where to appropriately ask this question, what to do and how.

Currently, I see the following options but don't know about their practicability or how to actually implement any of them:

  1. Build something that poses to the bay as a regular drive, but instead records any attempts to unlock it with the secret passcode.
  2. Attach a few wires on the SATA plug and sniff on the connection while the bay unlocks one of the drives with the right passcode.
  3. Dump the USB controller firmware and reverse engineer it to find the passcode / how it is generated if it isn't the same for each drive. Of course, this would likely be one hell of a lot of work, but if not, it may even add the chance to modify the firmware so that in the future the bay could operate my disks without locking them?
Brian
  • 21

1 Answer

RDX (RD1000) drives seem to use HIGH security, not MAX security, and there are reports their master password is blank.

So, provided you are ready to lose all data on those drives (it can't hurt to say it again), you can wipe the drives to unlocked status:

hdparm --user-master m --security-erase '' /dev/sda # SLOWLY WIPE CLEAN /dev/sda

I cannot assure you that your disks' master password is actually blank. It makes good sense (the disk remains useable, the data remain secure) but it's not God's law that the manufacturer ever believed in good sense. They might have gone for paranoid between those reports and your drives' manufacture date. I believe it's worth a shot, though.

There is also this tool which attempts to do the same. I haven't tested it, nor have I verified it's not, say, malware. Use appropriate caution.

Finally, on some drives there is a "recover a disk as a blank disk even if you lost the password" feature that uses a special PSID master password printed on the disk label. Here, it is all zeroes, at the bottom of the label:

[image: disk label]

LSerni
  • 8,620
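
A pre-check for the erase command in the answer above, as an added example that is not part of the original answer: it reads the "Security:" section of `hdparm -I` output and reports whether the drive is enabled, locked or frozen, and whether its security level is high or maximum. The function names and the sample input are constructed for illustration; `/dev/sdX` is a placeholder.

```shell
#!/bin/sh
# Usage on a real drive (sdX is a placeholder): hdparm -I /dev/sdX | precheck

# Prints: enabled=<yes|no> locked=<yes|no> frozen=<yes|no> level=<high|maximum|n/a>
ata_security_state() {
    awk '
        /^Security:/       { insec = 1; seen = 1; next }
        insec && /^[^ \t]/ { insec = 0 }      # next unindented heading ends the section
        !insec             { next }
        $1 == "Security" && $2 == "level" { level = $3; next }
        {
            val = "yes"; name = $1
            if ($1 == "not") { val = "no"; name = $2 }   # a leading "not" negates the flag
            if (name == "enabled" || name == "locked" || name == "frozen") st[name] = val
        }
        END {
            if (!seen) { print "no-security-section"; exit }
            if (level == "") level = "n/a"    # hdparm prints the level only when enabled
            printf "enabled=%s locked=%s frozen=%s level=%s\n", st["enabled"], st["locked"], st["frozen"], level
        }'
}

# Turns the state into a one-line verdict to read before any --security-erase.
precheck() {
    state=$(ata_security_state)
    case "$state" in
        no-security-section)        echo "unknown: no Security section in input" ;;
        *frozen=yes*)               echo "frozen: security commands are rejected until a power cycle" ;;
        *enabled=no*)               echo "open: no ATA password is set" ;;
        *locked=yes*level=high*)    echo "locked-high: matches the HIGH level described in the answer" ;;
        *locked=yes*level=maximum*) echo "locked-maximum: differs from the HIGH level described in the answer" ;;
        *)                          echo "other: $state" ;;
    esac
}

# Constructed sample of a locked, HIGH-level drive (not captured from a real cartridge).
sample_rdx() {
    printf 'Security:\n\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n\t\tenabled\n\t\tlocked\n\tnot\tfrozen\n'
    printf '\tSecurity level high\nChecksum: correct\n'
}

sample_rdx | precheck
```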