Hi Tom,
After an effort I have recovered both my drives and have started decrypting them through the UI. In case it helps anyone here are the technical details of what I did.
Firstly I searched the entire drive for the text "BGFS" and used sector viewer tools to understand the drive state and where the records are stored. I had a copy of the source code and reviewed that to determine how PGP stores its BGFS records. I was able to determine what drive the records were supposed to be for by examining the usrrec and usrrec1 parts of the stage 2 data block which contain the drive name e.g. "WD 5000AAV External USB Device". The drives in their trashed state looked like this:
Drive A
  MBR (Drive B)
  BGFS Backup (Drive B)
    - Pointed to by address at offset 0x41 in the MBR
  BGFS Primary (Drive B)
    - Pointed to by address at offset 0x42 in the MBR
  BGFS Primary (Drive A)
    - Not pointed to by anything anymore
Drive B
  MBR (Drive A)
  BGFS Backup (Drive A)
    - Pointed to by address at offset 0x41 in the MBR
  BGFS Primary (Drive A)
    - Pointed to by address at offset 0x42 in the MBR
  BGFS Primary (Drive B)
    - Not pointed to by anything anymore
At this point I decided to fix Drive A by copying the first ~10 KB of Drive B to Drive A; this gives Drive A the correct MBR and replaces the incorrect BGFS backup records with ones appropriate for Drive A. Drive A now looked like this:
Drive A
  MBR (Drive A)
  BGFS Backup (Drive A)
    - Pointed to by address at offset 0x41 in the MBR
  BGFS Primary (Drive B)
    - Not pointed to by anything anymore
  BGFS Primary (Drive A)
    - Not pointed to by anything anymore
Unfortunately this didn't fix it. In fact, PGP went into a strange state where it would prompt for authentication and seemingly accept any passphrase - but the 'decrypted' data was all completely random and clearly not decrypted. At this point I'm not sure why the backup records weren't working; I think I should also have copied across the lvbitmap data and not just the usrrec file in stage 2, but because I had located the original BGFS records (which had not been overwritten because both drives had their records at different points) I decided to force PGP to use these instead.
I wrote 0x00 to offset 0x41 in the MBR of Drive A to cause PGP to think its BGFS backup records were destroyed. I then altered the stage 2 start sector pointer at offset 0x42 in Drive A's MBR to point to the start of the original Stage 2 [BGFS Primary (Drive A)]. A careful read of stage1.h and stage1.S in the PGP source code gives clear info on the structure of the MBR and the location/format of the stage 2 start sector pointer.
After altering the pointer Drive A looked like this:
Drive A
  MBR (Drive A)
  BGFS Backup (Drive A)
    - Not pointed to by anything anymore (because of overwriting the pointer in the MBR with 0x00)
  BGFS Primary (Drive B)
    - Not pointed to by anything anymore
  BGFS Primary (Drive A)
    - Pointed to by address at offset 0x42 in the MBR
Happily PGP could authenticate and a similar process worked for recovering Drive B. After spending hours deep in source code and hex from the disk sector viewer/editor, I had pretty much had as much fun as I could stand!
Hope it helps. To try reproducing this, hook up 2 PGP WDE encrypted drives to USB and try unplugging and plugging in each one whilst the other is connected. I think I possibly didn't do the safe removal and just unplugged one without safe eject, so maybe that is what screwed PGP up and confused it into writing the wrong records to both drives.
Achelon
[edited to fix typos]
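The diagnosis and repair steps Achelon describes (search the drive for "BGFS", work out which record the MBR still points at, then zero the backup pointer at 0x41 and re-aim the stage 2 pointer at 0x42) as an added Python example against a disk image; this is not Achelon's code nor PGP's. The offsets come from the post, but the field widths (one byte at 0x41, a 4-byte little-endian sector number at 0x42), the 512-byte sector size and the sample image are assumptions constructed for the example, not PGP's real stage1 layout.

```python
import struct

# Added example, not code from the post or PGP. Offsets 0x41/0x42 are from the
# post; the widths (1 byte at 0x41, 4-byte little-endian sector at 0x42) are
# assumptions for this example, not PGP's real stage1 layout.
SECTOR = 512
BGFS_MAGIC = b"BGFS"
BACKUP_PTR_OFF = 0x41   # the post zeroes this with a single 0x00
STAGE2_PTR_OFF = 0x42   # stage 2 start sector pointer

def find_bgfs_records(image: bytes) -> list[int]:
    """Sectors holding the BGFS magic (the post's whole-drive search for 'BGFS')."""
    found, pos = [], image.find(BGFS_MAGIC)
    while pos != -1:
        found.append(pos // SECTOR)
        pos = image.find(BGFS_MAGIC, pos + 1)
    return found

def read_mbr_pointers(image: bytes) -> tuple[int, int]:
    """(backup pointer byte, stage 2 start sector) as stored in the MBR."""
    (stage2,) = struct.unpack_from("<I", image, STAGE2_PTR_OFF)
    return image[BACKUP_PTR_OFF], stage2

def classify_records(image: bytes) -> dict[int, str]:
    """Mark each BGFS record as the one the stage 2 pointer references or orphaned."""
    _, stage2 = read_mbr_pointers(image)
    return {sec: ("stage2 pointer" if sec == stage2 else "not pointed to")
            for sec in find_bgfs_records(image)}

def repoint_stage2(image: bytes, new_sector: int) -> bytes:
    """Patched copy of the image: backup pointer zeroed, stage 2 aimed at new_sector.
    Refuses unless new_sector really holds a BGFS record, so a typo cannot aim the
    loader at random data. Patch an image copy first, then write back deliberately."""
    if new_sector not in find_bgfs_records(image):
        raise ValueError(f"sector {new_sector} carries no BGFS record")
    buf = bytearray(image)
    buf[BACKUP_PTR_OFF] = 0x00
    struct.pack_into("<I", buf, STAGE2_PTR_OFF, new_sector)
    return bytes(buf)

def build_sample_image() -> bytes:
    """Constructed 64-sector image shaped like the post's trashed Drive A: the MBR
    points stage 2 at Drive B's record (sector 8); Drive A's own sits orphaned at 40."""
    img = bytearray(64 * SECTOR)
    img[BACKUP_PTR_OFF] = 0x04
    struct.pack_into("<I", img, STAGE2_PTR_OFF, 8)
    for sec, tag in ((4, b"backup A"), (8, b"primary B"), (40, b"primary A")):
        img[sec * SECTOR:sec * SECTOR + 4 + len(tag)] = BGFS_MAGIC + tag
    return bytes(img)
```

Running classify_records on build_sample_image() shows sector 8 (Drive B's record) as the live one and sector 40 orphaned; repoint_stage2(img, 40) reproduces the fix from the post on the image copy.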