Help! All data in mybook live gone and owner password unknown

So I have the firmware “opened up” and it looks like there may be some light. There are two scripts that reference factory restore.
First is factoryRestore.sh which is what the logs are reporting. Then there is factoryRestoreWithWipe.sh which does a bunch of nonsense and then calls factoryRestore.sh AND THEN does a block format using dd. I think per the logs it only executed factoryRestore.sh which has the lonely contents of (omitting comments and useless stuff):

CMD=${1:-"ext4"}

##########################################
# © 2010 Western Digital Technologies, Inc. All rights reserved.
#
# factoryRestore.sh - This script kicks off the factory restore process
##########################################
echo "$CMD" > ${reformatDataVolume}

/usr/bin/touch ${RESTORE_SETTINGS_FROM_DIR_TRIGGER}

Everyone here should keep in mind that this device is running linux from 2009… (being Debian 5.0.4) meaning literally every bug and exploit for that Kernel (and userspace) since 2009 would probably be exploitable unless WD spent tons of time patching and building their own custom kernel (for a 12 year old device).

In the system.conf file I find reference to what should be the source of the format command.

reformatDataVolume=/etc/.reformat_data_volume

The path /etc/.reformat_data_drive does not exist in this firmware, so I’m assuming it’s being created at boot or something, I’ll keep looking.

2 Likes

@t4thfavor Thank you very much. This means so much to many folks.

1 Like

You’re a hero. Any light is good I am dying here hating myself for leaving it mapped. It’s been “old faithful” for 7 years or so. I can’t believe this has happened. I am taking the current view that there is no chance WD will provide a speedy magic bullet here and I will need to send the drive to recovery services asap - my client work can’t wait weeks - but hesitating just in case I waste money couriering it to the professionals right now/overnight for £500+VAT.

1 Like

Story time…

in 2012 I accidentally deleted 200GB of home movies and pictures… Basically everything my wife and I had ever done since we got married in 2005. Pictures of my 2 year old son, pictures of our old home. Needless to say I have a sore spot for people in this position.

On the bright side, I was able to recover ALL of my data, so I hope that helps make some of you feel better. It might end up costing you $$ but that will be a small price to pay for the return of your memories and livelihood.

That is heartbreaking, I’m so sorry to hear this. I am so angry with myself for the things I could have done to prevent this and I have learnt many lessons in the last 12 hours. I shouldn’t say it publicly but I am willing to part with my life savings to get my doctoral thesis data, newborn pictures of my children and dead relatives, travel blogs I wrote and never published and all my last 7 months of contract work. I am so scared to even think about what this is going to do for my career having lost all my project data and documentation…

I’ve also found this.

Is anyone savvy enough to be able to SSH into their device and look for their folders? I can walk someone through it if you can figure out how to ssh.

Preferably someone who is in the “Man this ■■■■■, but I’m glad I got a backup” camp.

I managed to pull the drive out of my device, currently have it plugged into an external dock, and I’m running Stellar Data Recovery on it. This will probably take a while due to the size of the drive, but if I’m lucky this may be able to find my data and allow it to be restored.

3 Likes

@14thflavor

I found this on the link you sent to SSH.
Not sure it makes any sense?

Hold on a second. So… Performing a Full factory restore or a Quick factory restore from the Dashboard UI will wipe /DataVolume but using . . .

/usr/local/sbin/factoryRestore.sh noreformat

. . . will perform a full factory restore BUT will NOT reformat /DataVolume leaving all the user data absolutely and completely 100% intact and in-place?

I was able to decipher a little more about what occurs on factory reset.

There was no “zeroing” of the drive, but there WAS a call to mkfs.(type) which will wipe out the partition table and most certainly cause some data corruption.

The relevant code is here in S15MountDataVolume.sh (which is called during every boot and checks for a “FactoryReset” flag).

	##################################
	# check if factory restore, then format DataVolume
	##################################
	if [ -f ${reformatDataVolume} ]; then
		echo "<=====Start factory default format=====>"
		dvType=`cat ${reformatDataVolume}`
		page_size=`getconf PAGE_SIZE`
		echo "reformat dvType=${dvType} page_size=${page_size}"
	fi
	if [ "$dvType" == "xfs" ]; then
		mkfs.xfs -f -b size=${page_size} -s size=4k ${dataVolumeDevice}
		createDataVolume.sh ${dataVolumeDevice}
	elif [ "$dvType" == "ext3" ]; then
		mkfs.ext3 -b ${page_size} -m 0 ${dataVolumeDevice}
		createDataVolume.sh ${dataVolumeDevice}
	elif [ "$dvType" == "ext4" ]; then
		mkfs.ext4 -b ${page_size} -m 0 ${dataVolumeDevice}
		createDataVolume.sh ${dataVolumeDevice}
	else
		if [ -f /etc/.update_ext4 ]; then
			echo "<=====Convert to ext4=====>"
			tune2fs -O extents,uninit_bg,dir_index ${dataVolumeDevice}
			e2fsck -fDy ${dataVolumeDevice}
			rm /etc/.update_ext4
		fi
		mount -o noatime,nodiratime ${dataVolumeDevice} /DataVolume
	fi

The board says I’m out of posts for today, so once Reddit comes back, I can talk to you all again :slight_smile:
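To make the branch logic above concrete without touching a device, here is an added dry-run model of that if/elif/else chain (my own example, not WD’s code). It reads the trigger file from a root directory, which could be an offline-mounted system volume, and reports what the next boot would do, without running anything. The trigger path comes from the system.conf line quoted earlier; the data volume device name and PAGE_SIZE are assumed placeholders, and the fake root it builds is constructed for the demo. Note that, as quoted, the snippet never deletes the trigger after formatting, which is why checking for it before any reboot matters.

```python
import os
import tempfile

# Paths quoted on the page (system.conf: reformatDataVolume=/etc/.reformat_data_volume,
# and the /etc/.update_ext4 check in S15MountDataVolume.sh), relative to a root dir.
REFORMAT_TRIGGER = "etc/.reformat_data_volume"
UPDATE_EXT4_FLAG = "etc/.update_ext4"
# Assumed placeholders: the real dataVolumeDevice is set in system.conf and
# page_size comes from `getconf PAGE_SIZE` on the device itself.
DATA_VOLUME_DEVICE = "/dev/DATA_VOLUME_DEVICE_PLACEHOLDER"
PAGE_SIZE = 4096


def read_trigger(root):
    """Return the trigger contents the way dvType=`cat ...` sees them
    (command substitution strips trailing newlines), or None when absent."""
    path = os.path.join(root, REFORMAT_TRIGGER)
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read().decode("ascii", "replace").rstrip("\n")


def predict_next_boot(root):
    """Model the if/elif/else chain quoted above and return the commands the
    boot script would run for this root. Nothing is executed."""
    dev, ps = DATA_VOLUME_DEVICE, PAGE_SIZE
    dv_type = read_trigger(root)  # $dvType stays unset in the shell if no file
    cmds = []
    if dv_type == "xfs":
        cmds += [f"mkfs.xfs -f -b size={ps} -s size=4k {dev}",
                 f"createDataVolume.sh {dev}"]
    elif dv_type == "ext3":
        cmds += [f"mkfs.ext3 -b {ps} -m 0 {dev}", f"createDataVolume.sh {dev}"]
    elif dv_type == "ext4":
        cmds += [f"mkfs.ext4 -b {ps} -m 0 {dev}", f"createDataVolume.sh {dev}"]
    else:
        # No trigger, or a value naming no filesystem (e.g. "noreformat"):
        # the script only mounts, so the data volume is left as it is.
        if os.path.isfile(os.path.join(root, UPDATE_EXT4_FLAG)):
            cmds += [f"tune2fs -O extents,uninit_bg,dir_index {dev}",
                     f"e2fsck -fDy {dev}", "rm /etc/.update_ext4"]
        cmds.append(f"mount -o noatime,nodiratime {dev} /DataVolume")
    return cmds


def would_reformat(root):
    """True when the next boot would run an mkfs on the data volume."""
    return any(c.startswith("mkfs.") for c in predict_next_boot(root))


def make_fake_root(trigger_contents=None, update_ext4=False):
    """Constructed stand-in for an offline-mounted system volume."""
    root = tempfile.mkdtemp(prefix="mbl-root-")
    os.makedirs(os.path.join(root, "etc"))
    if trigger_contents is not None:
        with open(os.path.join(root, REFORMAT_TRIGGER), "w") as fh:
            fh.write(trigger_contents)
    if update_ext4:
        open(os.path.join(root, UPDATE_EXT4_FLAG), "w").close()
    return root


if __name__ == "__main__":
    for label, contents in [("no trigger", None), ("ext4 trigger", "ext4\n"),
                            ("noreformat", "noreformat\n")]:
        r = make_fake_root(contents)
        print(f"{label}: reformat={would_reformat(r)} -> {predict_next_boot(r)}")
```

Run it as-is to see the three cases; to audit a real system volume mounted read-only at some path, call `predict_next_boot("/that/path")`. The important point the model makes visible: only the literal strings xfs, ext3 and ext4 reach an mkfs, anything else (including noreformat and a missing file) ends in a plain mount.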

@jacyjacy77 This one was called without the noreformat argument so 100% the partition table is gone. Best leave it alone and unplugged until @Grokheim comes back with a report of success/failure.

1 Like

Seems like this or a similar vulnerability has been known for quite a while:

The question is how were so many devices affected worldwide at the same time?

A lot of good that does us after the fact, isn’t it? Come on man. How are you determining which are compromised and how?

What this also says is that I shouldn’t be using my drive at all even if I do/don’t get anything recovered? Because as you say there’s malicious software out there and you aren’t going to secure it since it’s legacy, so might as well bin the thing when this is all done, right?

Fingers crossed the real heroes here find a way to make it recoverable in some way.

1 Like

SSH’d in, cannot see any of my folders on there so far…

1 Like

@t4thfavor - thanks for all of your efforts investigating this. It’s reassuring to know that people who understand this stuff far better than I do are on the case.

@Grokheim - good luck with the data recovery. Fingers crossed…

Another Tech site has picked up on the issue:

3 Likes

I’m taking mine into a local recovery service place tomorrow. I called today and they said they think they can restore the files. They’ll take the drive apart and see what they can do. So incredibly frustrating!

2 Likes

Good luck let us know how you make out.

1 Like

Yeah, same problem here. Had to do a reset because the password didn’t work, and now everything is gone.
I have strong feelings about this.

2 Likes

Same here in Canada.

1 Like

I made calls to 6 professional recovery services - I am fairly technical but I would rather shell out £600+VAT to have an expert in a clean room look at it rather than screw it up worse myself attempting an SSH or running a data recovery programme myself. All of them were “optimistic” as it’s still “working” and there is the WD software on it etc. This really helpful thread has some hope that the data itself is still there under a loss of file tables. I think I’m going to have to bite the bullet and send it off tomorrow, it’s the only hope I have of not telling my clients and catching up work this week. I really doubt WD are going to suddenly send a magic bullet which will allow any faster potential recovery. Let me know how you get on, and good luck.

See Grokheim post above. He will probably know something in the morning.

Good news everyone: I’m currently using PhotoRec on my dismantled hard drive and I see some pictures I know reappear. For the 3 TB it’ll take about 10 hours.
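The two technical threads above, that mkfs rewrote the filesystem metadata but did no zeroing, and that PhotoRec is pulling pictures back out anyway, fit together in one picture. Here is an added simulation of that (my own example, not the page’s code and not PhotoRec). It builds a constructed 1 MiB disk image holding three JPEG-like blobs, overwrites only a handful of constructed “metadata” block ranges the way a fresh mkfs would, then runs a simple signature carver over what is left. The block layout and the metadata regions are toy approximations, not real ext4 geometry, and the JPEG blobs only carry the start and end markers.

```python
import random

BLOCK = 4096            # block size; the mkfs calls on the page use the page size
IMAGE_BLOCKS = 256      # 1 MiB constructed image
JPEG_SOI = b"\xff\xd8\xff\xe0"   # JFIF start-of-image marker
JPEG_EOI = b"\xff\xd9"           # end-of-image marker


def make_jpeg(body_len, seed):
    """Constructed JPEG-like blob: SOI, pseudo-random body, EOI. Marker
    byte pairs are scrubbed from the body so carving boundaries are exact."""
    rng = random.Random(seed)
    body = bytes(rng.getrandbits(8) for _ in range(body_len))
    body = body.replace(b"\xff\xd9", b"\xff\x00").replace(b"\xff\xd8", b"\xff\x01")
    return JPEG_SOI + body + JPEG_EOI


# name -> (first block, contents); a toy layout, not a real allocation
DEMO_FILES = {
    "wedding.jpg": (10, make_jpeg(20000, 1)),
    "baby.jpg": (62, make_jpeg(10000, 2)),    # its tail runs into block 64
    "trip.jpg": (150, make_jpeg(30000, 3)),
}

# Blocks a fresh mkfs rewrites: superblock and group descriptors at the front,
# plus an inode table per group. Constructed approximation, not ext4's layout.
METADATA_REGIONS = [(0, 8), (64, 4), (128, 4), (192, 4)]   # (first block, count)


def build_image(files=DEMO_FILES):
    """Lay the files out block-aligned in a zeroed image."""
    img = bytearray(IMAGE_BLOCKS * BLOCK)
    for first_block, data in files.values():
        off = first_block * BLOCK
        if off + len(data) > len(img):
            raise ValueError("file does not fit in the toy image")
        img[off:off + len(data)] = data
    return img


def simulate_mkfs(img, regions=METADATA_REGIONS):
    """Overwrite only the metadata regions (shown here as zeros); every other
    block keeps its old contents, which is what mkfs without a zeroing pass does."""
    out = bytearray(img)
    for first_block, count in regions:
        start = first_block * BLOCK
        out[start:start + count * BLOCK] = bytes(count * BLOCK)
    return out


def carve_jpegs(img):
    """Signature carving in the style of PhotoRec: cut from each SOI to the next
    EOI. A SOI followed by another SOI before any EOI is a file whose tail was
    overwritten; it is counted as truncated and skipped.
    Returns (complete_files, truncated_count). Filenames are not recoverable
    this way: they lived in the directory metadata that mkfs replaced."""
    complete, truncated, pos = [], 0, 0
    while True:
        start = img.find(JPEG_SOI, pos)
        if start < 0:
            break
        next_soi = img.find(JPEG_SOI, start + len(JPEG_SOI))
        end = img.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0 or 0 <= next_soi < end:
            truncated += 1
            if next_soi < 0:
                break
            pos = next_soi
            continue
        complete.append(bytes(img[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return complete, truncated


if __name__ == "__main__":
    before, _ = carve_jpegs(build_image())
    after, lost = carve_jpegs(simulate_mkfs(build_image()))
    print(f"before mkfs: {len(before)} complete files carved")
    print(f"after mkfs:  {len(after)} complete, {lost} truncated (tail overwritten)")
```

Two of the three files come back byte-for-byte because their data blocks were never touched; the one whose tail sat where the new inode table landed is only a truncated fragment. That matches what the thread describes: directory names and sizes are gone with the old metadata, the bulk of the data blocks are still on the platters until something writes over them, and a carver finds them by signature, which is also why the drive should stay unplugged until it is imaged.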