1 2 Previous Next 12 Replies Latest reply on Jan 14, 2011 5:55 PM by SafeBoot

    SafeBoot 4.2.7 - Error 5b050006

    crackerjak

      I received a HP dc7800 from our helpdesk that had received the error 5b050006 on Safeboot 4.2.7. Error 5b050006 is listed as "Bad check value in SafeBoot file-system". After completing an emergency boot I received the message "Error loading operating system". I used the safetech disk decrypted the hard drive and still receive the error message "Error loading operating system". The data on the hard disk is not visible via NTFSPRO \ WinTech \ Knoppix. I have viewed sector 63 on a workspace and I do not see any visible messages.  What are my options so that I can recover the user's data from the computer?

        • 1. Re: SafeBoot 4.2.7 - Error 5b050006

          can you document EXACTLY what you did - or attach the .trk file from the SafeTech disk you used?

           

          most likely you used the wrong key, or did not decrypt enough of the disk...

           

          Actually, eBoot was probably one of the worst things to do - that deleted all the saftey information that we now really need to work out how to get the user data back.

          • 2. Re: SafeBoot 4.2.7 - Error 5b050006
            crackerjak

            Here is the file you requested.

            • 3. Re: SafeBoot 4.2.7 - Error 5b050006

              looking at the log, I have no idea what you (or someone) was doing - when did you start working on the machine?

               

              There's a bunch of sections of decryption:

               

               

              12/1/2011 15:20:33] MENU      Decrypt sectors

              [12/1/2011 15:20:35] QUESTION  Enter range to decrypt

              [12/1/2011 15:20:44] REPONSE   0-256

              [12/1/2011 15:20:46] CONFIRM   Decrypt 256 sectors starting at logical sector 0 on hard disk 0?

              [12/1/2011 15:20:46] CHOICE    Decrypt 256 sectors starting at logical sector 0 on hard disk 0?

              [12/1/2011 15:20:51] RESPONSE  Continue

              [12/1/2011 15:20:53] STATUS    Disk decrypting completed

              [12/1/2011 15:21:10] MENU      Decrypt sectors

              [12/1/2011 15:21:11] QUESTION  Enter range to decrypt

              [12/1/2011 15:21:33] REPONSE   256-1024

              [12/1/2011 15:21:35] CONFIRM   Decrypt 768 sectors starting at logical sector 256 on hard disk 0?

              [12/1/2011 15:21:35] CHOICE    Decrypt 768 sectors starting at logical sector 256 on hard disk 0?

              [12/1/2011 15:21:39] RESPONSE  Continue

              [12/1/2011 15:21:40] STATUS    Disk decrypting completed

              [12/1/2011 15:25:55] MENU      Decrypt sectors

              [12/1/2011 15:25:56] QUESTION  Enter range to decrypt

              [12/1/2011 15:26:10] REPONSE   1025-2048

              [12/1/2011 15:26:11] CONFIRM   Decrypt 1023 sectors starting at logical sector 1025 on hard disk 0?

              [12/1/2011 15:26:12] CHOICE    Decrypt 1023 sectors starting at logical sector 1025 on hard disk 0?

              [12/1/2011 15:26:18] RESPONSE  Continue

               

               

              But there's no indication you checked the key was right first, plus these don't correspond to any partitions (no partition starts at 0 for example).

               

              Later on you seem to have decrypted the same sectors a second time?

               

              [12/1/2011 16:14:31] QUESTION  Enter range to decrypt

              [12/1/2011 16:14:56] REPONSE   0-8000000

              [12/1/2011 16:14:58] CONFIRM   Decrypt 8000000 sectors starting at logical sector 0 on hard disk 0?

              [12/1/2011 16:14:58] CHOICE    Decrypt 8000000 sectors starting at logical sector 0 on hard disk 0?

              [12/1/2011 16:15:01] RESPONSE  Continue

               

              So they are now double decrypted..

               

              This may be a difeferent machine though?

               

              Later on, again more decryption..

               

               

              [12/1/2011 17:03:32] QUESTION  Enter range to decrypt

              [12/1/2011 17:03:53] REPONSE   63-156296384

              [12/1/2011 17:03:54] CONFIRM   Decrypt 156296321 sectors starting at logical sector 63 on hard disk 0?

              [12/1/2011 17:03:55] CHOICE    Decrypt 156296321 sectors starting at logical sector 63 on hard disk 0?

              [12/1/2011 17:04:05] RESPONSE  Continue

               

               

              Today, all I can see is some test decrypt and an e-boot - no indication you tried to remove or decrypt the drive?

               

              So, it all depends on where in this log you started - looking at it,  think you started yesturday at 17:42 with the db export dang.sdb ? If so  you later on switched to db export wsxp2u~1.sdb (which was originally put on the disk on 5th October), did not check the key, and then tried an eboot.

               

              It's too confused without knowing where in this log to start looking from...

               

               

              on 1/13/11 7:08:36 PM EST
              • 4. Re: SafeBoot 4.2.7 - Error 5b050006
                crackerjak

                The log of this machine starts yesterday. The key has to match since it is the only matching computer name. My co-worker was reading previous suggestions from other users within different threads of the EEM managed forums that had the same or similiar issues with "error loading operating system". They decrypted the machine yesterday with the key wsxp2u~1.sdb. After reading several threads on the possibility that the machine did not fully decrypt. We figured this was the case and that the 9kb sdb file was possibly corrupt so we resaved the .sdb file as dang.sdb and decrypted again. 

                • 5. Re: SafeBoot 4.2.7 - Error 5b050006

                  So you've decrypted the same sectors three times, plus sectors which were never encrypted to start with.   In theory it's possible to fix this, we just need to undo all the mistakes and get it back to a good starting point. Practically though is it worth the effort? I guess if you sent it in and bought a few days consultancy we could do it, but otherwise....

                  • 6. Re: SafeBoot 4.2.7 - Error 5b050006
                    crackerjak

                    Is it possible to get the machine to a point where we can use a version of BartPE/WinTech to mount the drive and copy the user's data off?

                    • 7. Re: SafeBoot 4.2.7 - Error 5b050006

                      Yes, it is possible. You have to run all operations that wrote anything to the hard disk, but in opposite order and function (like "encrypt" for "decrypt" operations). Using sdb files exactly the same, as they were active at those times. I think Simon explained it to you.

                      • 8. Re: SafeBoot 4.2.7 - Error 5b050006

                        to be blunt, whoever was working on this machine has really screwed it up.

                         

                        they decrypted sector 0 FOUR times - I think someone does not understand that the "workspace" is a scratch pad, it does not change the disk, but in v4 when you go to disk functions and tell it to decrypt something, that's what it does.

                         

                        There are also other problems, for example they decrypted :

                         

                        [12/1/2011 15:20:46] CHOICE    Decrypt 256 sectors starting at logical sector 0 on hard disk 0?

                        ...

                        [12/1/2011 15:21:35] CHOICE    Decrypt 768 sectors starting at logical sector 256 on hard disk 0?

                         

                        So here they decrypted sector 256 TWICE...

                         

                        Later on they realised the mistake and started making the start range one more sector on from the beginning..

                         

                        [12/1/2011 15:26:12] CHOICE    Decrypt 1023 sectors starting at logical sector 1025 on hard disk 0?

                        ..

                        [12/1/2011 15:26:46] CHOICE    Decrypt 1951 sectors starting at logical sector 2049 on hard disk 0?

                         

                        So by now, Sector 63 was decrypted twice, sectors 0-62 and 64-255 decrypted once, sector 256 twice, 257-20000 decrypted once...

                         

                        Then for some reason we start again by decrypting 0-7000000 (so 63 is now decrypted three times etc..

                         

                        Next, we decrypt 0-8000000 (sector 63 now decrypted 4 times...)

                         

                        and on it goes - you see the state of the problem now?

                         

                        It's not rocket science to unwind this, you just need to start at the end and work back to the beginning and undo all these mistakes. Then you stand a chance of being able to rescue this data.

                        • 9. Re: SafeBoot 4.2.7 - Error 5b050006
                          crackerjak

                          So you are saying that I need to encrypt any sector that was decrypted. The last thing I did was a complete decrypt.

                           

                          So I need to:

                           

                          1. encrypt the entire drive

                          2. decrypt the entire drive

                          3. encrypt 0-8000000

                          4. encrypt sector 0-7000000

                          5. encrypt 2049 to 4000

                          6. encrypt 1025 to 2048

                          7. encrypt 1023 -1025

                          8. encrypt 256-768

                          9. encrypt sector 0-256

                           

                          correct?

                          1 2 Previous Next