Blancco Tcg Password


Stella Kreuter

Aug 3, 2024, 3:14:57 PM
to nidlirawal

After a failed attempt at erasing certain drives, the drive may contain a password when you next try to boot it. Because of this, it may also no longer be visible within the Drive Eraser software!

This issue usually occurs on drives that have DCO or HPA areas that need to be erased or removed. It occurs because Drive Eraser needs to set a password on the drive in order to run firmware-based erasure commands; if errors occur during this phase, the software may leave the drive locked. This issue can also occur with erasure standards which otherwise utilize firmware-based erasure commands during the erasure process, such as Blancco SSD Method or NIST 800-88 Purge.

In the normal process the password is removed later on. Typically we use the password "blancco" if the software needs to set a password on the drive. If the password stays on the drive after a failed erasure due to some error, rebooting the software should unlock the drive again and remove the password.

Even though the software locks the disk with the password "blancco", in some instances the password may not work when typed into the prompt asking for the disk password, even though the correct password has been entered.

Sometimes a user forgets the Blancco Mobile Device Diagnostic and Erasure user account password, and the password must be reset to allow the user to log in to Blancco Mobile Device Diagnostic and Erasure.

Note that password-locked drives can only be erased with erasure standards containing traditional overwriting rounds (such as Aperiodic random overwrite). The password protection prevents executing any firmware-based commands on the drive. If a purge-level erasure result is required, the password protection must be removed from the BIOS/UEFI settings.

I already tried to unlock it with hdparm on Linux with the default master password for the disk which I found online (32 times 't'). I also tried various tools like Blancco to erase it, without success. The SSD is a Samsung PM871 which was torn out of a laptop.

I got a replacement for my Samsung MZVLW256HEHP-000L7 NVMe 256GB M.2 PCI Express x4 SSD, also known simply as Samsung PM961. It is an OEM part. After replacing it with the new one, a Samsung 980 1TB, I put the old one on sale. This was my daily driver, so I did not want any meaningful data to be recoverable from it. So I connected it to the computer with the USB to NVMe M.2 converter (AXAGON EEM2-SG2), which by the way I can now recommend (no affiliate link, sorry), and started the old, magnetic HDD type of secure data erase, using the shred utility:

This command, on the other hand, should not decrease the lifespan of the SSD as drastically as shred does, but it looks like data are still quite recoverable afterwards (depending on the threat model). It did not work for me, however:

However, this got me on the track, as I had no idea about this whole "encryption password" rabbit hole. Searching further led me to another answer explaining the same process, but for NVMe drives using the nvme-cli utility. Exactly what I needed. A quick glance at the options:

Running NVMe sanitize would probably be an even better option, as it appears to also clear any caches, not just the data in the namespace, but I would definitely need more time studying both. Also, I could not even run it properly, getting complaints about a bad sanitize argument. Consider doing your own research.

The nvme tool, however, failed right at step 1, listing the devices using nvme list. The reason is that the USB to NVMe M.2 converter probably does not implement all the required commands, as hinted in this comment.

So I put the old NVMe back into the laptop and booted a live Linux image from USB. Now, with the NVMe connected over native PCIe lanes without any USB converter in the way, the nvme list command properly recognized the drive, outputting detailed information about Node, Generic, SN, Model, Namespace, Usage, Format and FW Revision of the PM961 drive.

Ouch. It is noted here and here that it is a known bug for the Samsung PM951 and PM961 and that a simple suspend should resolve the issue. I was happy for a brief moment. Sadly, somehow this did not work for me, yet again. There was no change in the behavior. From here on, the ride was a steep downhill.

Other suggestions in the above two GitHub threads were to use a Lenovo EFI application, which is a bootable image that works on ThinkPads (I still rock the trusty T470 at the time of writing) and is meant to erase a cryptographic key on the SSD. I was not able to boot this piece of software by any means, not in UEFI mode, nor in Legacy BIOS mode, nor in any other combination that came to my mind (there is a note about it being supported only in UEFI only or UEFI First boot mode).

Another option is to use the Lenovo NVMe Firmware Utility, which is for Windows (but I can dual-boot from an mSATA PCIe x1 Transcend 430S 512GB internal SSD drive), but following these instructions it appears the updater utility could even be run on Arch or another Linux distribution (again, not tested yet). Trying this on Windows, it correctly identified both the Transcend 430S and the Samsung PM961 as present, but it did not offer a firmware update for either. So no luck here.

As a last resort, I tried the easier firmware upgrade option, fwupdmgr, which is part of the fwupd package but, as I expected, it did not pick the Samsung PM961 SSD for an update. It did however update my Intel Management Engine and also System Firmware, which I assume was the BIOS, as the next reboot updated the BIOS with a new version containing breaking changes to EFI (that were mentioned during the install process), which in turn required me to reinstall GRUB from live Arch. Living on the edge.

This is the end. In the beginning I thought it would be a simple device formatting and here I am in the middle of the night with a drive that is still not prepared to be handed to some stranger. Will probably go for the shred and hope for the best. Wish me luck!

I have received an email from Tim Small t...@seoss.co.uk adding a few bits to this topic. They also agreed for me to post this update here along with the author's name and email, which is always nice, so I did. Here's a verbatim source of the contribution:

"This issue concerns Samsung PM951 NVMe (256/512gb) drives and Blancco Drive Eraser 6.x version(s)." ... "erasure fails with the following message: "FORMAT UNIT command failed. Device is NVMe, see manual for more information". In this case the drive does not respond to the 'format unit' nvme firmware erasure command properly.

Since I had a Dell Optiplex 7070 at hand (and I was under time pressure), I opted to use the "Data wipe" option of that machine's firmware instead, since I'd guessed that it would include whatever secret commands were necessary to carry out a security erase on these drives.

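For the SATA case described in the post (a drive left with an ATA password after a failed firmware-based erasure), the drive's state can be read from the Security block of `hdparm -I` before an erasure standard is chosen. The following is an added example, not part of the original post or of Blancco's software; the sample output is constructed, the function names and state labels are hypothetical, and it does not apply to NVMe drives.

```python
# Constructed sample: the "Security:" block of `hdparm -I /dev/sdX` for a
# drive left locked by an interrupted firmware erase (not real output).
SAMPLE_LOCKED = """\
Security:
\tMaster password revision code = 65534
\t\tsupported
\t\tenabled
\t\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\tSecurity level high
"""

FLAGS = ("supported", "enabled", "locked", "frozen", "expired: security count")

def parse_security(text):
    """Return {flag: bool} for the ATA security flags hdparm -I reports."""
    state, in_section = {}, False
    for line in text.splitlines():
        if line.strip() == "Security:":
            in_section = True
        elif in_section and line and not line[0].isspace():
            break  # next top-level section of the identify output
        elif in_section:
            words = line.split()
            negated = words[:1] == ["not"]
            label = " ".join(words[1:] if negated else words)
            if label in FLAGS:
                state[label] = not negated
    return state

def triage(state):
    """Classify the drive before choosing an erasure standard."""
    if not state.get("supported"):
        return "no-ata-security"             # no ATA security feature set
    if state.get("locked"):
        if state.get("expired: security count"):
            return "locked-counter-expired"  # power-cycle before retrying
        return "locked"                      # password left behind and active
    if state.get("enabled"):
        return "password-set"                # unlocked now, locks at next power-on
    if state.get("frozen"):
        return "frozen"                      # security commands frozen until power cycle
    return "clear"                           # firmware-based erase can proceed

if __name__ == "__main__":
    print(triage(parse_security(SAMPLE_LOCKED)))
```

Any result other than `clear` means a firmware-based (purge-level) erasure will be rejected by the drive until the condition is resolved.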