Obtaining a SATA Disk Password from an RDX drive bay

I have a bunch of RDX backup cartridges and, given that they contain standard 2.5″ SATA drives, i recently wanted to open them in order to be able to use the drives outside of the proprietary drive bay.

However, after connecting the drives directly via SATA to my PC, they did not show any content. It took me quite long, but i managed to find out that the drives reported as locked if checked with hdparm.

My assumption is that the proprietary drive bay controller simply protects them with a password, and that, after obtaining this password i should be able to use them normally.
I have the proprietary drive bay at hand and won’t shy away from opening it, soldering on it or diving *a little* into microcontrolling, reverse engineering or whatever might be applicable here. The drive bay has a USB 3 connection and inside sits a Texas Instruments TUSB9261 USB to SATA controller. I believe the corresponding SPI chip would be the one labeled 2SPE20VP.

I would be grateful for any advice on where to appropriately ask this question, what to do and how.

Currently, i see the following options but don’t know about their practicability or how to actually implement any of them:

  1. Build something that poses to the bay as a regular drive, but
    instead records any attempts to unlock it with the secret passcode.
  2. Attach a few wires on the SATA plug and sniff on the connection while the bay unlocks one of the drives with the right passcode.
  3. Dump the USB controller firmware and reverse engineer it to find the passcode / how it is generated if isn’t the same for each drive.
    Of course, this would likely be one hell of work, but if not, it
    maybe even adds the chance to modify the firmware so that in the future the bay could operate my disks without locking them?