1606 Using Hwemngr to Extract SDOT BitLocker Recovery Pin


Topic:

This internal How-To article provides steps for extracting the SDOT BitLocker Recovery Pin from an SED drive.
 
Product version affected:

All SD versions

Environment:

SED drives
SDOT encryption

Reference Material:

Provided by Tony Kou

Steps to follow:

The new hwemngr utility is hwemngr (InternalOnly)_v3.2.5.exe, located in the S:\SecureDoc Tools\SED Tools folder.


Example usage: hwemngr.exe 0 --rangeFile <Range.dat> -k <User.dbk>

Extract the “RANGE” out of the SDS (either from the EMG disk, from an SDS extraction via SDRecovery, or directly from the user disk via WinHex) and save it as range.dat.
Extract the user KF (either from SES, or extracted from the SDS, which contains the KEK for this user hard disk).

Finally, find the DEK in hwemngr.log:

[2016-02-09 17:02:17.396] [12660:12376]  DBG GetBitLockerRange() enters ...
[2016-02-09 17:02:20.016] [12660:12376]  DBG EHA_BITLOCKER_DEVICE_ID: 0x32 bytes
[2016-02-09 17:02:20.916] [12660:12376]  DBG Dumping address 0x01EEB869, len=50=0x32
                               01EEB869 5C 5C 3F 5C 56 6F 6C 75 6D 65 7B 64 30 35 39 35  \\?\Volume{d0595
                               01EEB879 37 34 32 2D 38 31 39 65 2D 31 31 65 35 2D 39 34  742-819e-11e5-94
                               01EEB889 34 61 2D 38 30 36 65 36 66 36 65 36 39 36 33 7D  4a-806e6f6e6963}
                               01EEB899 5C 00                                            \.
[2016-02-09 17:02:22.026] [12660:12376]  DBG EHA_BITLOCKER_VOLUME_ID: 0x27 bytes
[2016-02-09 17:02:22.280] [12660:12376]  DBG Dumping address 0x01EEB840, len=39=0x27
                               01EEB840 7B 32 30 42 30 42 32 31 32 2D 36 38 46 39 2D 34  {20B0B212-68F9-4
                               01EEB850 46 34 35 2D 42 39 31 32 2D 34 43 36 46 31 31 46  F45-B912-4C6F11F
                               01EEB860 37 43 32 45 30 7D 00                             7C2E0}.
[2016-02-09 17:02:37.824] [12660:12376]  DBG EHA_KEY_ID: CMCD123470 key _0c61cf80989b5c6a_
[2016-02-09 17:02:49.184] [12660:12376]  DBG BitLocker Recovery Pin: 0x38 bytes
[2016-02-09 17:02:50.084] [12660:12376]  DBG Dumping address 0x002BE110, len=56=0x38
                               002BE110 36 33 32 35 36 36 2D 31 39 32 31 30 34 2D 34 30  632566-192104-40
                               002BE120 39 31 38 39 2D 36 30 33 31 38 35 2D 36 30 37 30  9189-603185-6070
                               002BE130 31 33 2D 30 34 33 37 35 38 2D 33 39 33 33 36 30  13-043758-393360
                               002BE140 2D 31 32 39 30 39 36 00                          -129096.
[2016-02-09 17:02:58.195] [12660:12376]  DBG GetBitLockerRange(FVE) return status 0x0
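
Added example, not part of the original article or of the hwemngr tool: a Python script that rebuilds the recovery PIN from the hex bytes of the dump in hwemngr.log instead of retyping the ASCII column, confirms the byte count against the length in the header line, and checks the result against the BitLocker recovery password format. The log lines embedded in it are constructed sample data, and the function names are this example's own.

```python
import re

# Constructed sample in the hwemngr.log layout shown above (not a real recovery PIN).
SAMPLE_LOG = """\
[2016-02-09 17:02:49.184] [12660:12376]  DBG BitLocker Recovery Pin: 0x38 bytes
[2016-02-09 17:02:50.084] [12660:12376]  DBG Dumping address 0x002BE110, len=56=0x38
        002BE110 31 31 31 31 31 31 2D 32 32 32 32 32 32 2D 33 33  111111-222222-33
        002BE120 33 33 33 33 2D 34 34 34 34 34 34 2D 35 35 35 35  3333-444444-5555
        002BE130 35 35 2D 36 36 36 36 36 36 2D 30 30 30 30 31 31  55-666666-000011
        002BE140 2D 30 30 30 30 32 32 00                          -000022.
[2016-02-09 17:02:58.195] [12660:12376]  DBG GetBitLockerRange(FVE) return status 0x0
"""

HEADER = re.compile(r"DBG BitLocker Recovery Pin: 0x([0-9A-Fa-f]+) bytes")
# Dump row: indent, 8-digit address, 1..16 hex bytes; the ASCII column is ignored.
DUMP_ROW = re.compile(r"^\s+[0-9A-Fa-f]{8}((?: [0-9A-Fa-f]{2}){1,16})(?=\s|$)")

def extract_recovery_pin(log_text):
    """Rebuild the recovery PIN from the hex bytes of the dump that follows the header."""
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        header = HEADER.search(line)
        if not header:
            continue
        expected_len = int(header.group(1), 16)
        data = bytearray()
        for row in lines[i + 1:]:
            if "Dumping address" in row:
                continue
            match = DUMP_ROW.match(row)
            if not match:
                break  # the next timestamped record ends the dump
            data += bytes.fromhex(match.group(1))
        if len(data) != expected_len:
            raise ValueError(f"dump has {len(data)} bytes, header says {expected_len}")
        return data.rstrip(b"\x00").decode("ascii")
    raise ValueError("no 'BitLocker Recovery Pin' record in log")

def is_valid_recovery_password(pin):
    """Format check: 8 groups of 6 digits, each a multiple of 11 below 2**16 * 11."""
    groups = pin.split("-")
    return len(groups) == 8 and all(
        re.fullmatch(r"[0-9]{6}", g) and int(g) % 11 == 0 and int(g) // 11 < 2**16
        for g in groups
    )

if __name__ == "__main__":
    pin = extract_recovery_pin(SAMPLE_LOG)
    print(pin, "valid" if is_valid_recovery_password(pin) else "INVALID")
```

A length mismatch or a failed format check points to a truncated or mis-copied log rather than a usable PIN.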