Secure Erasing 840 Evo E-Drive - can it be done?

Discussion in 'Memory and Storage' started by Jovec, Jan 31, 2014.

  1. Jovec

    Jovec Senior member

    Joined:
    Feb 24, 2008
    Messages:
    567
    Likes Received:
    0
    Replaced a 840 Evo in a system that was using Bitlocker encryption. I want to re-purpose the 840 Evo but it seems I can no longer use the Secure Erase function from Magician, DOS, or ROG bios.

    Any ideas?

    Solved

    Summary: Samsung's Evo SSDs with EXT0BB6Q firmware added support for TCG Opal and eDrive encryption. Enabling this is done through the Samsung Magician software. The default state looks like this:

    [​IMG]

    Step 1: Set the drive state to "Ready to Enable"

    [​IMG]

    Step 2: Install Windows 8. eDrive mode cannot be activated on an existing OS install. After a successful install, eDrive should be activated and look like this:

    [​IMG]

    At this point, Bitlocker is not activated and the SSD is not user encrypted, however the drive no longer accepts standard security commands and as such, can no longer be Secure Erased. Should you wish to use Bitlocker with eDrive, this is the point to enable it in Windows.

    [​IMG]

    The drive cannot be Secure Erased via Magician as a non-OS drive, via a Magician created USB boot stick, or via my Asus ROG BIOS.

    Bitlocker can be turned on and off and used successfully with the Evo as an eDrive, but there a few things to point out here. It's best to think of Edrive mode and Bitlocker as two separate things even though they are meant to work together. One can enable eDrive without using Bitlocker (results in no encryption). One can use Bitlocker without enabling eDrive (results in software encryption). One can still create and delete partitions with eDrive mode Enabled and otherwise use the drive as normal.

    In my case, I was specifically testing eDrive and Bitlocker and it took a user action to enable eDrive. If the user's Evo was unknowing in an "Ready to enable" eDrive state, then a Win8 install will change that state to Enabled automatically and silently (by default - you can change the registry during the install process to avoid this). Also, there can come a time when the Evo is no longer needed as an eDrive, and a Secure Erase is desired to restore performance prior to use in a different environment or even being sold.

    Samsung's initial response was to have me contact Microsoft. Their second response wanted me to do a warranty replacement. I don't agree with either option. The Samsung Evo is a consumer level SSD using a feature on a consumer level OS. Samsung should provide a consumer level PSID revert utility.

    It turns out they have one, but they don't make it public. Here is link to Samsung's PSID revert utility, with much thanks to Micrornd! Standard disclaimers apply. Use at your own risk. Note that using this tool will destroy any data on the Evo, so back up first.

    https://dl.dropboxusercontent.com/u/62276273/Samsung PSID Revert.zip

    I am not sure why they won't release it. A PSID revert does not allow one to access the encrypted data. A PSID revert also assumes physical access to the drive. Using the tool linked here, I was able to do a successful PSID revert. I didn't screen cap it, but the process can be seen in the PDF manual in the zip file. To my mind, the instructions are incomplete. The PSID revert will leave the eDrive state in "Ready to enable."

    [​IMG]

    This will allow the Evo to automatically enable eDrive mode on the next Win8 install. If this is not what is desired, press the Disable button (reboot first required) so it looks like:

    [​IMG]
     
    #1 Jovec, Jan 31, 2014
    Last edited: Aug 20, 2014
  2. Loading...

    Similar Threads - Secure Erasing Drive Forum Date
    Secure erase flash drives Memory and Storage Jul 10, 2012
    Secure Erase data off spindle/flash drives? Memory and Storage Oct 21, 2010
    How does secure erase 3.3 work on an intel G2 Drive? Memory and Storage Aug 3, 2010
    How to securely erase an external hard drive Memory and Storage Jul 25, 2009
    How to securely erase external USB drive Memory and Storage Mar 29, 2009

  3. MoInSTL

    MoInSTL Senior member

    Joined:
    Jan 2, 2012
    Messages:
    392
    Likes Received:
    0
    Did you make a bootable flash drive with secure erase and make the change in the BIOS to boot from it? What happens? What OS?

    Try disconnecting all other drives and then try it.
     
  4. VirtualLarry

    VirtualLarry Lifer

    Joined:
    Aug 25, 2001
    Messages:
    38,225
    Likes Received:
    1,933
    Is the disk ATA-password locked in some way?
     
  5. john3850

    john3850 Golden Member

    Joined:
    Oct 19, 2002
    Messages:
    1,319
    Likes Received:
    5
    I have only done it with the 830 and 840 only.
    To run Secure Erase via Windows, the Samsung SSD must be installed as a secondary disk in your system and use Samsung Magician which will put the needed files on a usb flash drive for you.
    Next you unlock the drive and follow the directions.
    Be sure which number drive your going to se.
     
  6. MoInSTL

    MoInSTL Senior member

    Joined:
    Jan 2, 2012
    Messages:
    392
    Likes Received:
    0
    What do you mean that it must be installed as a secondary disk? I have used it on 830, 840 Pro and 840 EVO. In all cases, it was my C:/boot drive only attached to MB.
     
  7. john3850

    john3850 Golden Member

    Joined:
    Oct 19, 2002
    Messages:
    1,319
    Likes Received:
    5
    Sometimes it takes a few times to unlock the drive.
     
  8. john3850

    john3850 Golden Member

    Joined:
    Oct 19, 2002
    Messages:
    1,319
    Likes Received:
    5
    Your using a usb flash with installed Samsung files as your 1rst boot so you c: is your secondary.
    That came from the Samsung help file and I always had a few SSDs when I did one a single se.
     
    #7 john3850, Jan 31, 2014
    Last edited: Jan 31, 2014
  9. MoInSTL

    MoInSTL Senior member

    Joined:
    Jan 2, 2012
    Messages:
    392
    Likes Received:
    0
    Do you have a link to that? It seems kind of odd to me. (Edit: Just read your updated post. You are correct, the USB drive is the first drive. But the way I read it was it was installed as a secondary drive. My other SSD is my second drive).

    OP: Make sure you are typing SEGUI0 (That's zero, not an O).

    I have never had to try it a few times. I found out early on, it can take a minute or two when it's unplugged and then plug it back in and then enter the command
     
    #8 MoInSTL, Jan 31, 2014
    Last edited: Jan 31, 2014
  10. john3850

    john3850 Golden Member

    Joined:
    Oct 19, 2002
    Messages:
    1,319
    Likes Received:
    5
    OP: Make sure you are typing SEGUI0 (That's zero, not an O).
    I wasted 2 hours on that the 1rst time I tried.
     
  11. schmuckley

    schmuckley Platinum Member

    Joined:
    Aug 18, 2011
    Messages:
    2,335
    Likes Received:
    1
    Parted Magic
    Dowload,burn ISO to USB or disc.
     
    catilley1092 likes this.
  12. Jovec

    Jovec Senior member

    Joined:
    Feb 24, 2008
    Messages:
    567
    Likes Received:
    0
    I appreciate the comments. I have used Samsung's Secure Erase from the Magician software and from a USB boot stick before.

    The issue is due to enabling E-drive on the Evo, as referenced here: http://www.anandtech.com/show/7572/...vo-msata-rapid-for-840-pro-edrive-for-840-evo

    It appears that enabling this is irreversible. You can no longer change any of the drive's security options.

    [​IMG]

    You can no longer secure erase.

    [​IMG]

    There are two partitions I cannot erase via Disk Management (the 300MB and 100MB on Disk 1).

    [​IMG]

    The drive still works however. Bitlocker is not enabled.

    I'm debating trying to nuke the partitions from orbit (Linux), but I don't want to hose the drive.
     
    #11 Jovec, Jan 31, 2014
    Last edited: Jan 31, 2014
  13. MoInSTL

    MoInSTL Senior member

    Joined:
    Jan 2, 2012
    Messages:
    392
    Likes Received:
    0
    #12 MoInSTL, Jan 31, 2014
    Last edited: Jan 31, 2014
  14. Jovec

    Jovec Senior member

    Joined:
    Feb 24, 2008
    Messages:
    567
    Likes Received:
    0
    I went ahead and deleted the EFI partitions but the result is the same.

    To be clear this is an issue with the eDrive standard and/or how Samsung implements it. From Magician help:

    I don't recall this warning during the process, though it's possible I missed it. If anything then this thread is a warning that you cannot revert from TCP Opal and eDrive modes on Samsung SSDs.
     
    #13 Jovec, Feb 1, 2014
    Last edited: Feb 1, 2014
  15. Ig

    Ig Senior member

    Joined:
    Mar 29, 2001
    Messages:
    236
    Likes Received:
    0
  16. Jovec

    Jovec Senior member

    Joined:
    Feb 24, 2008
    Messages:
    567
    Likes Received:
    0
  17. Hellhammer

    Hellhammer AnandTech Emeritus

    Joined:
    Apr 25, 2011
    Messages:
    701
    Likes Received:
    4
    Have you tried disabling encryption through Windows 8's BitLocker? There should be an option to disable BitLocker.
     
  18. Jovec

    Jovec Senior member

    Joined:
    Feb 24, 2008
    Messages:
    567
    Likes Received:
    0
    Yes, Bitlocker was disabled. In fact, I don't think Bitlocker was ever enabled on this drive (it was on another). eDrive mode on the drive gets enabled before the actual bitlocker encryption takes place. The rough process is as follows:

    1) Use Magician to set Encrypted Drive mode to "Ready to Enable"
    2) Install fresh Win8. At this point Encrypted Drive mode is set to Enable (see SS above) and cannot be reverted and secure erase no longer works.
    3) Enable Bitlocker encryption.
     
    #17 Jovec, Feb 1, 2014
    Last edited: Feb 1, 2014
  19. MoInSTL

    MoInSTL Senior member

    Joined:
    Jan 2, 2012
    Messages:
    392
    Likes Received:
    0
  20. PliotronX

    PliotronX Diamond Member

    Joined:
    Oct 17, 1999
    Messages:
    8,602
    Likes Received:
    51
    +1 As soon as BitLocker is in the mix, headaches happen. You need to activate the SE function independently of the OS and Parted Magic will do it.
     
  21. Jovec

    Jovec Senior member

    Joined:
    Feb 24, 2008
    Messages:
    567
    Likes Received:
    0
    The drive works (and always did). I deleted the EFI partitions, but before that I could still manage the rest of the disk.

    The issue is that enabling eDrive appears to be irreversible. Think of eDrive and Bitlocker as two separate things. eDrive mode on the SSD can be enabled whether or not you use Bitlocker, and of course Bitlocker can be used with or without eDrive. If I flipped the "switch" on an Evo, gave it to you, and you installed Win8 Pro, eDrive mode will be enabled even if you never planned to use Bitlocker. At that point, you can no longer SE the drive.

    Or maybe you used the drive as a Bitlocker eDrive for a year or two, then replace it. You could disable Bitlocker and use the drive elsewhere, but you couldn't SE the drive anymore.

    A PSID reset seems to be what's needed. You'd think it would be a utility built into Magician or a boot disc it could create, but no such luck. I'm trying to contact Samsung for a PSID tool. I'm assuming that PSID reset utilities are manufacturer specific.

    I'll look into Parted Magic, but I strongly suspect that when eDrive is enabled the drive itself prevents access to whatever is needed to SE (presumably the keys). Recall that I cannot SE from Windows (as a non-OS drive), boot the Samsung boot disc, or even from my Asus Rog BIOS.
     
    #20 Jovec, Feb 1, 2014
    Last edited: Feb 1, 2014
  22. Ig

    Ig Senior member

    Joined:
    Mar 29, 2001
    Messages:
    236
    Likes Received:
    0
    You should contact some major tech sites (ones that review ssds and such; looking at you Hellhammer :p) and see if you can get them to try and replicate the issue. Seems like this could be a problem when buying a used SSD off ebay or craigslist, get a locked drive and can't do a SE.

    Seems to also prevent the use of all ATA security commands (Secure Erase/bios disk password). And Lenovo shipping out Win7 laptops with it already enabled.
    https://forums.lenovo.com/t5/T400-T...k-Password-cannot-be-set-in-Bios/td-p/1354729

    Apparently there are 3rd party tools, but from the looks of it they are all selling it as part of their security packages.
     
  23. Jovec

    Jovec Senior member

    Joined:
    Feb 24, 2008
    Messages:
    567
    Likes Received:
    0
    Samsung's response:

     
  24. Jovec

    Jovec Senior member

    Joined:
    Feb 24, 2008
    Messages:
    567
    Likes Received:
    0
    Since it's been 3 months, I hit up Samsung again, and got this response:

    Still not what I am looking for, but in comes Micrornd to the rescue with a (unofficial) link to Samsung's PSID revert utility!

    I will update and summarize in the first post.
     
  25. Ig

    Ig Senior member

    Joined:
    Mar 29, 2001
    Messages:
    236
    Likes Received:
    0
    Wow, I'm suprised Lenovo support put out a public link to it considering how everyone seems to be trying to keep it a secret.
     
  26. souldjer777

    souldjer777 Junior Member

    Joined:
    Jul 16, 2014
    Messages:
    1
    Likes Received:
    0
    I would like to personally thank you for fixing my issue 100%... This would have been the second Samsung SSD EVO that I bricked but you saved me with the Samsung TCG_Revert_Release.exe utility from the dropbox link above. I can now access my drive again... TCG Opal was locked - couldn't disable. Secure Erase was not even an available option in Samsung Magician. I tried everything from Active Data Studio, to Windows 7 Windows 8 format / delete partition / checkdisk / you name it... this was the ONLY thing that worked!

    NOTE: You will need this utility to restore to factory settings and all data will be lost. But it's better than a paperweight!

    First I downloaded the zip from the dropbox link above and extracted to my C: \temp\

    Then I typed out the PSID of my Samsung SSD in notepad - the PSID label is on the ssd hard drive itself - PSID is extremely LONG - make sure you type it out correctly!

    Next I connected my Samsung using BlacX by Termaltake via usb or esata connection and powered it up.

    Finally - I ran the revert utility "tcg_revert_release.exe" :)

    C: \Windows\system32>cd C: \

    C: \>cd temp

    C: \TEMP>tcg_revert_release.exe

    Drive 0 - Primary Controller - - Master drive

    Drive Model Number________________: [OCZ-AGILITY3]
    Drive Serial Number_______________: [asdfasdfasdf]
    Drive Firmware Revision Number____: [2.25]
    Drive Type________________________: Fixed
    Drive Size________________________: 90028302336 bytes
    Drive 1 ID error

    Drive 2 - Secondary Controller - - Master drive

    Drive Model Number________________: [Samsung SSD 840 EVO 120GB]
    Drive Serial Number_______________: [asdfasdfasdf]
    Drive Firmware Revision Number____: [EXT0BB6Q]
    Drive Type________________________: Fixed
    Drive Size________________________: 120034123776 bytes
    Drive 2 is TCG activated device.

    Select a device you want to revert.(If you want to quit program, typing q.) : 2
    TCG activate confirmed. And device is locked.
    Please input a PSID : "YOUR PSID WILL GO HERE!!!"
    Drive 2 : Revert success!

    Drive 0 - Primary Controller - - Master drive

    Drive Model Number________________: [OCZ-AGILITY3]
    Drive Serial Number_______________: [asdfasdfasdf]
    Drive Firmware Revision Number____: [2.25]
    Drive Type________________________: Fixed
    Drive Size________________________: 90028302336 bytes
    Drive 1 ID error

    Drive 2 - Secondary Controller - - Master drive

    Drive Model Number________________: [Samsung SSD 840 EVO 120GB]
    Drive Serial Number_______________: [asdfasdfasdf]
    Drive Firmware Revision Number____: [EXT0BB6Q]
    Drive Type________________________: Fixed
    Drive Size________________________: 120034123776 bytes
    Select a device you want to revert.(If you want to quit program, typing q.) : q

    Now restart the Samsung Magician and you should see your SSD is now accessible!