Help! All data in mybook live gone and owner password unknown

Added this to the Reddit thread I made earlier.

Western Digital support still asking questions as of a few hours ago, but it’s not looking good right now.

Seeking professional help at this point

That article has absolutely nothing to do with this :confused:

So in terms of help, WD can’t do anything really unless they provide us some software to recover the data, right?

What recourse do we have against them? Surely they can’t just press the factory reset on all our devices and be like “oops finger slipped our bad”?

You have no recourse (other than vote with your wallet) since in the EULA for their device I guarantee there’s a “we’re not liable for data lost or destroyed by (insert huge list of things here)” clause.

I’ve been here before, you only have each other now.

EDIT1
If someone could gain access to the SSH file system or deconstruct the firmware and figure out what the factory reset shell script does that would go a long ways towards figuring out if recovery is even possible.

EDIT2
I found the firmware. I’ll download it and find the scripts and what they do.

1 Like

Please refer to the following thread for more information regarding this issue:

Same here, found this in the logs:

	rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 PARAMETER System_factory_restore POST : erase = none
	rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 OUTPUT System_factory_restore POST SUCCESS

I don’t recognize this IP. Seems to be a Dutch IP (I’m in the Netherlands)

2 Likes
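
One way to triage log entries like the two quoted above, as an added example that is not part of the original posts: it pulls every `System_factory_restore POST` record out of `rest_api.log` lines and marks whether the calling address was on the LAN. The field layout is inferred from those two lines only; the sample log, its addresses and the `Some_other_component` name are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): list factory-restore REST calls found
# in rest_api.log lines and mark whether the caller was on the LAN.

# Constructed sample in the format quoted above. 203.0.113.7 is a
# documentation address, 192.168.1.20 a private one, and
# Some_other_component is a placeholder name.
sample_log() {
cat <<'EOF'
rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 203.0.113.7 PARAMETER System_factory_restore POST : erase = none
rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 203.0.113.7 OUTPUT System_factory_restore POST SUCCESS
rest_api.log:Jun 20 09:12:40 MyBookLiveDuo REST_API[812]: 192.168.1.20 OUTPUT Some_other_component GET SUCCESS
rest_api.log:Jun 21 18:03:02 MyBookLiveDuo REST_API[812]: 192.168.1.20 OUTPUT System_factory_restore POST SUCCESS
EOF
}

# stdin: log lines (with or without a grep "file:" prefix).
# stdout: time <TAB> scope <TAB> client IP <TAB> record type <TAB> detail
restore_calls() {
  awk '
    {
      line = $0
      sub(/^[^ :]+:/, "", line)        # drop a grep "file:" prefix
      n = split(line, f, " ")
      if (n < 9 || f[5] !~ /^REST_API\[/) next
      if (f[8] != "System_factory_restore" || f[9] != "POST") next
      ip = f[6]
      # IPv4 only: RFC 1918, loopback and link-local count as LAN.
      lan = (ip ~ /^(10\.|127\.|192\.168\.|169\.254\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
      detail = ""
      for (i = 10; i <= n; i++) detail = detail (i > 10 ? " " : "") f[i]
      printf "%s %s %s\t%s\t%s\t%s\t%s\n", f[1], f[2], f[3], (lan ? "LAN" : "EXTERNAL"), ip, f[7], detail
    }'
}

# Unique non-LAN addresses whose restore request was logged as SUCCESS.
external_restore_sources() {
  restore_calls |
    awk -F'\t' '$2 == "EXTERNAL" && $4 == "OUTPUT" && $5 == "SUCCESS" { print $3 }' |
    sort -u
}

# Run on the files given as arguments, or on the constructed sample.
if [ "$#" -gt 0 ]; then cat -- "$@" | restore_calls; else sample_log | restore_calls; fi
```

An `EXTERNAL` row with `OUTPUT ... SUCCESS` means the restore request was accepted from an address outside the local network, which is the pattern reported in the post above.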

Thanks for doing that.
Yes, right now it is critical to find out whether what factoryRestore.sh has done is a “quick” or “full” factory reset.
Hoping it is the “quick” one; then our data should be rescued much more easily by data recovery services.

Thanks so much for your assistance @t4thfavor.

So I have the firmware “opened up” and it looks like there may be some light. There are two scripts that reference factory restore.
First is factoryRestore.sh which is what the logs are reporting. Then there is factoryRestoreWithWipe.sh which does a bunch of nonsense and then calls factoryRestore.sh AND THEN does a block format using dd. I think per the logs it only executed factoryRestore.sh which has the lonely contents of (omitting comments and useless stuff):

	CMD=${1:-"ext4"}

	##########################################
	# © 2010 Western Digital Technologies, Inc. All rights reserved.
	#
	# factoryRestore.sh - This script kicks off the factory restore process
	##########################################
	echo "$CMD" > ${reformatDataVolume}

	/usr/bin/touch ${RESTORE_SETTINGS_FROM_DIR_TRIGGER}

Everyone here should keep in mind that this device is running Linux from 2009… (being Debian 5.0.4), meaning literally every bug and exploit for that kernel (and userspace) since 2009 would probably be exploitable unless WD spent tons of time patching and building their own custom kernel (for a 12 year old device).

In the system.conf file I find reference to what should be the source of the format command.

reformatDataVolume=/etc/.reformat_data_volume

The path /etc/.reformat_data_drive does not exist in this firmware, so I’m assuming it’s being created at boot or something. I’ll keep looking.

2 Likes

@t4thfavor Thank you very much. This means so much to many folks.

1 Like

You’re a hero. Any light is good. I am dying here, hating myself for leaving it mapped. It’s been “old faithful” for 7 years or so. I can’t believe this has happened. I am taking the current view that there is no chance WD will provide a speedy magic bullet here and I will need to send the drive to recovery services asap - my client work can’t wait weeks - but hesitating just in case I waste money couriering it to the professionals right now/overnight for £500+VAT.

1 Like

Story time…

in 2012 I accidentally deleted 200GB of home movies and pictures… Basically everything my wife and I had ever done since we got married in 2005. Pictures of my 2 year old son, pictures of our old home. Needless to say I have a sore spot for people in this position.

On the bright side, I was able to recover ALL of my data, so I hope that helps make some of you feel better. It might end up costing you $$ but that will be a small price to pay for the return of your memories and livelihood.

That is heartbreaking, I’m so sorry to hear this. I am so angry with myself for the things I could have done to prevent this and I have learnt many lessons in the last 12 hours. I shouldn’t say it publicly but I am willing to part with my life savings to get my doctoral thesis data, newborn pictures of my children and dead relatives, travel blogs I wrote and never published and all my last 7 months of contract work. I am so scared to even think about what this is going to do for my career having lost all my project data and documentation…

I’ve also found this.

Is anyone savvy enough to be able to SSH into their device and look for their folders? I can walk someone through it if you can figure out how to ssh.

Preferably someone who is in the “Man this ■■■■■, but I’m glad I got a backup” camp.

I managed to pull the drive out of my device, currently have it plugged into an external dock, and I’m running Stellar Data Recovery on it. This will probably take a while due to the size of the drive, but if I’m lucky this may be able to find my data and allow it to be restored.

3 Likes

@t4thfavor

I found this on the link you sent to SSH.
Not sure it makes any sense?

Hold on a second. So… Performing a Full factory restore or a Quick factory restore from the Dashboard UI will wipe /DataVolume but using . . .

/usr/local/sbin/factoryRestore.sh noreformat

. . . will perform a full factory restore BUT will NOT reformat /DataVolume leaving all the user data absolutely and completely 100% intact and in-place?

I was able to decipher a little more about what occurs on factory reset.

There was no “zeroing” of the drive, but there WAS a call to mkfs.(type) which will wipe out the partition table and most certainly cause some data corruption.

The relevant code is here in S15MountDataVolume.sh (which is called during every boot and checks for a “FactoryReset” flag).

	##################################
	# check if factory restore, then format DataVolume
	##################################
	if [ -f ${reformatDataVolume} ]; then
		echo "<=====Start factory default format=====>"
		dvType=`cat ${reformatDataVolume}`
		page_size=`getconf PAGE_SIZE`
		echo "reformat dvType=${dvType} page_size=${page_size}"
	fi
	if [ "$dvType" == "xfs" ]; then
		mkfs.xfs -f -b size=${page_size} -s size=4k ${dataVolumeDevice}
		createDataVolume.sh ${dataVolumeDevice}
	elif [ "$dvType" == "ext3" ]; then
		mkfs.ext3 -b ${page_size} -m 0 ${dataVolumeDevice}
		createDataVolume.sh ${dataVolumeDevice}
	elif [ "$dvType" == "ext4" ]; then
		mkfs.ext4 -b ${page_size} -m 0 ${dataVolumeDevice}
		createDataVolume.sh ${dataVolumeDevice}
	else
		if [ -f /etc/.update_ext4 ]; then
			echo "<=====Convert to ext4=====>"
			tune2fs -O extents,uninit_bg,dir_index ${dataVolumeDevice}
			e2fsck -fDy ${dataVolumeDevice}
			rm /etc/.update_ext4
		fi
		mount -o noatime,nodiratime ${dataVolumeDevice} /DataVolume

The board says I’m out of posts for today, so once Reddit comes back, I can talk to you all again :slight_smile:

@jacyjacy77 This one was called without the noreformat argument so 100% the partition table is gone. Best leave it alone and unplugged until @Grokheim comes back with a report of success/failure.

1 Like

Seems like this or a similar vulnerability has been known for quite a while:

The question is how were so many devices affected worldwide at the same time?

A lot of good that does us after the fact, isn’t it? Come on man. How are you determining which are compromised and how?

What this also says is that I shouldn’t be using my drive at all even if I do/don’t get anything recovered? Because as you say there’s malicious software out there and you aren’t going to secure it since it’s legacy, so might as well bin the thing when this is all done, right?

Fingers crossed the real heroes here find a way to make it recoverable in some way.

1 Like

SSH’d in, cannot see any of my folders on there so far…

1 Like