Crucial MX100 "lost" the security features?

Elixer

Lifer
May 7, 2002
10,371
762
126
This is really odd, had an MX100 that I tucked away for about 8 months (unpowered, just to test data retention), and today, I needed it to install a new OS.
Well, I go to secure erase it and... it is not an option anymore.

I *know* this SSD had it before, since I do recall doing a secure erase on it (in fact, multiple times), but now, hdparm shows no security section at all. Can't set a password, or do anything of the sort.

I then downloaded and installed Crucial's own tool, and tried to "sanitize" the drive (their words for secure erasing) and it says the SSD doesn't support it.

No, this drive was never locked via BIOS settings.

What am I missing here, fails in linux, fails in Crucial's own utility, so... ???
 

Elixer

Looking into this some more, neither TPM nor OPAL was enabled (nor does my hardware have those features).
However, I read that to get the ATA Security mode back, I need to perform a PSID reset?

Makes no sense that I would have to perform a PSID reset, unless it goes to this "mode" after being unpowered for 8 months? If so, wouldn't that suggest a firmware bug?

Code:
hdparm -I /dev/sdb

/dev/sdb:

ATA device, with non-removable media
	Model Number:       Crucial_CT256MX100SSD1                  
	Serial Number:      *********
	Firmware Revision:  MU02    
	Transport:          Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6, SATA Rev 3.0
Standards:
	Used: unknown (minor revision code 0x0028) 
	Supported: 9 8 7 6 5 
	Likely used: 9
Configuration:
	Logical		max	current
	cylinders	16383	16383
	heads		16	16
	sectors/track	63	63
	--
	CHS current addressable sectors:   16514064
	LBA    user addressable sectors:  268435455
	LBA48  user addressable sectors:  500118192
	Logical  Sector size:                   512 bytes
	Physical Sector size:                  4096 bytes
	Logical Sector-0 offset:                  0 bytes
	device size with M = 1024*1024:      244198 MBytes
	device size with M = 1000*1000:      256060 MBytes (256 GB)
	cache/buffer size  = unknown
	Form Factor: 2.5 inch
	Nominal Media Rotation Rate: Solid State Device
Capabilities:
	LBA, IORDY(can be disabled)
	Queue depth: 32
	Standby timer values: spec'd by Standard, with device specific minimum
	R/W multiple sector transfer: Max = 16	Current = 16
	Advanced power management level: 254
	DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6 
	     Cycle time: min=120ns recommended=120ns
	PIO: pio0 pio1 pio2 pio3 pio4 
	     Cycle time: no flow control=120ns  IORDY flow control=120ns
Commands/features:
	Enabled	Supported:
	   *	SMART feature set
	   *	Power Management feature set
	   *	Write cache
	   *	Look-ahead
	   *	Host Protected Area feature set
	   *	WRITE_BUFFER command
	   *	READ_BUFFER command
	   *	NOP cmd
	   *	DOWNLOAD_MICROCODE
	   *	Advanced Power Management feature set
	    	SET_MAX security extension
	   *	48-bit Address feature set
	   *	Device Configuration Overlay feature set
	   *	Mandatory FLUSH_CACHE
	   *	FLUSH_CACHE_EXT
	   *	SMART error logging
	   *	SMART self-test
	   *	General Purpose Logging feature set
	   *	WRITE_{DMA|MULTIPLE}_FUA_EXT
	   *	64-bit World wide name
	   *	IDLE_IMMEDIATE with UNLOAD
	    	Write-Read-Verify feature set
	   *	WRITE_UNCORRECTABLE_EXT command
	   *	{READ,WRITE}_DMA_EXT_GPL commands
	   *	Segmented DOWNLOAD_MICROCODE
	   *	Gen1 signaling speed (1.5Gb/s)
	   *	Gen2 signaling speed (3.0Gb/s)
	   *	Gen3 signaling speed (6.0Gb/s)
	   *	Native Command Queueing (NCQ)
	   *	Phy event counters
	   *	NCQ priority information
	   *	READ_LOG_DMA_EXT equivalent to READ_LOG_EXT
	   *	DMA Setup Auto-Activate optimization
	    	Device-initiated interface power management
	    	Asynchronous notification (eg. media change)
	   *	Software settings preservation
	    	Device Sleep (DEVSLP)
	   *	SMART Command Transport (SCT) feature set
	   *	SCT Write Same (AC2)
	   *	SCT Features Control (AC4)
	   *	SCT Data Tables (AC5)
	   *	reserved 69[4]
	   *	reserved 69[7]
	   *	Data Set Management TRIM supported (limit 8 blocks)
	   *	Deterministic read ZEROs after TRIM
Logical Unit WWN Device Identifier: 500a07510c1d7e41
	NAA		: 5
	IEEE OUI	: 00a075
	Unique ID	: 10c1d7e41
Checksum: correct
Device Sleep:
	DEVSLP Exit Timeout (DETO): 50 ms (drive)
	Minimum DEVSLP Assertion Time (MDAT): 10 ms (drive)

Their tool responds with:
Code:
No Drives Found Supporting Sanitize

No drives were discovered that currently support being Sanitized.

Sanitize operation is not available due to the following reason(s):
/dev/sda: Command is not supported.
/dev/sdb: Command is not supported.

Sanitize operation will be available when the drive meets all of the following conditions:
Drive supports sanitize operation.
Encryption on drive is not active.
Drive is not connected behind a RAID controller.
System is in AHCI mode.
Drive has no mounted partitions.
and funny enough...
Code:
No Drives Found Supporting PSID Revert Operation

No drives were discovered that currently support PSID Revert operation.

PSID Revert operation is not available due to the following reason(s):
/dev/sda: Command is not supported.
/dev/sdb: Encryption is not supported.

PSID Revert operation will be available when the drive meets all of the following conditions:
Encryption is active on the drive.
Drive has no mounted partitions.
Drive is not behind RAID.
Drive is not boot drive.
 

Elixer

From their manual of their software:
TCGalways_Enabled.png

But, again, how was this enabled "automatically" when the system does NOT have TCG enabled OR a TPM module!

Sure enough, in Windows I see:
TCGon_HUHwin.png
 

Elixer

On Windows:
Capture2.png

So, it can't do a secure erase since it is TCG locked?

At least PSID works on Windows...
Capture3.png

Though, no, I haven't done it yet... I am waiting to see if anyone can answer why this went on.
 

Elixer

Crucial support told me to just do a PSID reset, and that Windows 8 enabled eDrive.
Never mind that I said I don't have a TPM module, or a BIOS that supports that.
Also, even if the SSD itself thinks it is locked, it still can be read on other machines, so just what type of lock is TCG? It is just blocking the ATA secure erase command it seems?
 

Elixer

After talking with Crucial some more, they could care less on how or why it happened.
They just said PSID reset it and if it doesn't work contact them again. :rolleyes:
Anyway, after the PSID reset, the ATA security section is back, I was able to secure erase it again.

Code:
hdparm -I /dev/sdb

/dev/sdb:

ATA device, with non-removable media
	Model Number:       Crucial_CT256MX100SSD1                  
	Serial Number:      *********
	Firmware Revision:  MU02    
	Transport:          Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6, SATA Rev 3.0
Standards:
	Used: unknown (minor revision code 0x0028) 
	Supported: 9 8 7 6 5 
	Likely used: 9
Configuration:
	Logical		max	current
	cylinders	16383	16383
	heads		16	16
	sectors/track	63	63
	--
	CHS current addressable sectors:   16514064
	LBA    user addressable sectors:  268435455
	LBA48  user addressable sectors:  500118192
	Logical  Sector size:                   512 bytes
	Physical Sector size:                  4096 bytes
	Logical Sector-0 offset:                  0 bytes
	device size with M = 1024*1024:      244198 MBytes
	device size with M = 1000*1000:      256060 MBytes (256 GB)
	cache/buffer size  = unknown
	Form Factor: 2.5 inch
	Nominal Media Rotation Rate: Solid State Device
Capabilities:
	LBA, IORDY(can be disabled)
	Queue depth: 32
	Standby timer values: spec'd by Standard, with device specific minimum
	R/W multiple sector transfer: Max = 16	Current = 16
	Advanced power management level: 254
	DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6 
	     Cycle time: min=120ns recommended=120ns
	PIO: pio0 pio1 pio2 pio3 pio4 
	     Cycle time: no flow control=120ns  IORDY flow control=120ns
Commands/features:
	Enabled	Supported:
	   *	SMART feature set
	    	Security Mode feature set
	   *	Power Management feature set
	   *	Write cache
	   *	Look-ahead
	   *	Host Protected Area feature set
	   *	WRITE_BUFFER command
	   *	READ_BUFFER command
	   *	NOP cmd
	   *	DOWNLOAD_MICROCODE
	   *	Advanced Power Management feature set
	    	SET_MAX security extension
	   *	48-bit Address feature set
	   *	Device Configuration Overlay feature set
	   *	Mandatory FLUSH_CACHE
	   *	FLUSH_CACHE_EXT
	   *	SMART error logging
	   *	SMART self-test
	   *	General Purpose Logging feature set
	   *	WRITE_{DMA|MULTIPLE}_FUA_EXT
	   *	64-bit World wide name
	   *	IDLE_IMMEDIATE with UNLOAD
	    	Write-Read-Verify feature set
	   *	WRITE_UNCORRECTABLE_EXT command
	   *	{READ,WRITE}_DMA_EXT_GPL commands
	   *	Segmented DOWNLOAD_MICROCODE
	   *	Gen1 signaling speed (1.5Gb/s)
	   *	Gen2 signaling speed (3.0Gb/s)
	   *	Gen3 signaling speed (6.0Gb/s)
	   *	Native Command Queueing (NCQ)
	   *	Phy event counters
	   *	NCQ priority information
	   *	READ_LOG_DMA_EXT equivalent to READ_LOG_EXT
	   *	DMA Setup Auto-Activate optimization
	    	Device-initiated interface power management
	    	Asynchronous notification (eg. media change)
	   *	Software settings preservation
	    	Device Sleep (DEVSLP)
	   *	SMART Command Transport (SCT) feature set
	   *	SCT Write Same (AC2)
	   *	SCT Features Control (AC4)
	   *	SCT Data Tables (AC5)
	   *	reserved 69[4]
	   *	reserved 69[7]
	   *	Data Set Management TRIM supported (limit 8 blocks)
	   *	Deterministic read ZEROs after TRIM
Security: 
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT. 
Logical Unit WWN Device Identifier: 500a07510c1d7e41
	NAA		: 5
	IEEE OUI	: 00a075
	Unique ID	: 10c1d7e41
Checksum: correct
Device Sleep:
	DEVSLP Exit Timeout (DETO): 50 ms (drive)
	Minimum DEVSLP Assertion Time (MDAT): 10 ms (drive)
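
The check this thread came down to (does `hdparm -I` show a Security section at all, and in what state), as an added example that is not part of any post here: a shell function that classifies the output before a secure erase is attempted. The function names and the sample excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the ATA Security state from `hdparm -I` text on stdin.
# Prints one of: absent | frozen | locked | enabled | ready
ata_security_state() {
    awk '
        /^Security:/        { seen = 1; insec = 1; next }
        insec && /^[^ \t]/  { insec = 0 }   # next top-level section ends it
        insec {
            # Flags look like "not<TAB>enabled" (clear) or "<TAB>enabled" (set).
            neg = ($1 == "not")
            key = neg ? $2 : $1
            if (key == "enabled" || key == "locked" || key == "frozen")
                st[key] = !neg
        }
        END {
            if (!seen)              print "absent"
            else if (st["frozen"])  print "frozen"
            else if (st["locked"])  print "locked"
            else if (st["enabled"]) print "enabled"
            else                    print "ready"
        }'
}

# Map the state to what it means for an ATA secure erase.
erase_precheck() {
    case "$(ata_security_state)" in
        ready)   echo "ATA Security idle: a user password can be set, then erase" ;;
        enabled) echo "user password already set: erase needs that password" ;;
        locked)  echo "drive locked: unlock before erasing" ;;
        frozen)  echo "frozen: security commands rejected until the drive is power-cycled" ;;
        absent)  echo "no ATA Security section (in this thread: TCG/eDrive active, restored by PSID revert)" ;;
    esac
}

# Constructed excerpts modelled on the two hdparm outputs posted in the thread.
sample_before() { printf 'Commands/features:\n\t   *\tSMART feature set\nChecksum: correct\n'; }
sample_after() {
    printf 'Security: \n\tMaster password revision code = 65534\n\t\tsupported\n'
    printf '\tnot\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n\tnot\texpired: security count\n'
    printf 'Checksum: correct\n'
}

# Real use (needs root): hdparm -I /dev/sdX | erase_precheck
sample_before | erase_precheck
sample_after  | erase_precheck
```

A missing Security section can also mean the drive never implemented the feature set, so compare against an earlier capture of the same drive where one exists.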
 

aviator79

Member
Aug 4, 2012
70
1
66
eDrive set to "enabled" does not mean you are actively using it.
You have to enable it before an OS install and after that use BitLocker to really use it and set a key/password.
And it does not matter if you have a TPM (not TPM Module, the M stands for Module) or if you have a BIOS option for it. You can use eDrive Security with BitLocker even without a TPM.
And yes, if TCG is enabled you can not secure erase, since you need to set a password for secure erase. But you can not set a password if eDrive was already enabled before... it's quite a bit complicated ^^
 

Elixer

Well, I have never used BitLocker on this drive, so why did the drive just lock itself up like that?
I think it has to do with lack of power to the drive, and that flipped a bit so to speak for TCG.
 

Jovec

Senior member
Feb 24, 2008
579
2
81
Happened to my MX200. I just had to do a PSID revert to fix it. I did mine from a bootable Linux USB stick since the drive was a Windows boot drive and I would have to move drives around to make it a non-OS drive and do it from Windows.
 

Elixer

I wonder how common this is, smells like a firmware bug that is in most of their lines.
 

leexgx

Member
Nov 4, 2004
57
1
71
I am aware this is an old topic, but it's an important note about Crucial and eDrive.

Unfortunately Crucial have their SSDs set to an eDrive-ready state from the get-go, so if your system meets the requirements for eDrive, Windows will enable it when you install Windows even if you don't enable BitLocker (TPM should be a requirement, but that does not mean it still won't lock the drive to eDrive).

On Samsung (and I assume other SSDs) you have to open Samsung Magician and press enable eDrive and then reload Windows for it to use it (Crucial's way is annoying as it can potentially make data retrieval impossible after a broken Windows update). Other SSDs usually have to use a command line tool to enable eDrive or TCG mode.

Also eDrive (which is just the SSD securing the drive to Windows) seems to be now insecure, and it seems using software BitLocker mode or VeraCrypt is the better option (if you have a Samsung drive and you have not done anything apart from firmware updates, you will be using software BitLocker if you enabled it).