NSA-Partitions on MyCloud?

MyCloud has a total of 8 Partitions which is very special for a single drive NAS box.

  • sda1 is together with sda2 the raid-1 of the root filesystem
  • sda3 is the swap partition
  • sda4 is the big data partition

But then there are 4 more partitions which look suspicious

Number Start (sector) End (sector) Size Code Name
   1 1032192 5031935 1.9 GiB FD00 primary
   2 5031936 9031679 1.9 GiB FD00 primary
   3 30720 1032191 489.0 MiB 0700 primary
   4 9428992 5860532223 2.7 TiB 0700 primary
   5 9031680 9226239 95.0 MiB 0700 primary
   6 9226240 9422847 96.0 MiB 0700 primary
   7 9422848 9424895 1024.0 KiB 0700 primary
   8 9424896 9428991 2.0 MiB 0700 primary
  •  sda5 & sda6 have 95M/96M
  • sda7 & sda8 have 1M/2M

If you fill any of them with zeros or delete a partition, then MyCloud no longer boots.

Who knows what sda5…sda8 contain?

Thanks!

Should be 5 tmpfs 

tmpfs               23056       6292     16764  28% /run

tmpfs               40960          4     40956   1% /run/lock

tmpfs               10240          0     10240   0% /dev

tmpfs                5120          0      5120   0% /run/shm

tmpfs              102400        292    102108   1% /tmp

are you telling or asking?

Ralphael wrote:

Should be 5 tmpfs 

 

tmpfs               23056       6292     16764  28% /run

tmpfs               40960          4     40956   1% /run/lock

tmpfs               10240          0     10240   0% /dev

tmpfs                5120          0      5120   0% /run/shm

tmpfs              102400        292    102108   1% /tmp

 

are you telling or asking?

What you list in your reply are additional file systems the firmware generates in MyCloud.

They unnecessarily eat a lot of scarce RAM but are otherwise innocent :wink:

Thx anyhow :open_mouth:

Anybody any hints what the purpose of those partitions could be ???

Count_Dooku wrote:

Anybody any hints what the purpose of those partitions could be ???

 

Is it possible that all those experts on board do not know??

Within one week still no answer. That makes me suspicious :flushed:

Look at the scripts.   They’re easy to find.

TonyPh12345 wrote:

Look at the scripts.   They’re easy to find.

You are the true expert, not me :wink:

I did a file search for those partitions and found no script. So would you mind telling what scripts you think do access these partitions?

Any ideas for what purpose?

Thanks for any more detailed information.

Count_Dooku wrote:

I did a file search for those partitions and found no script.

Can’t imagine where you were looking, but the file has a very obvious name…

partitionDisk.sh

TonyPh12345 wrote:


Count_Dooku wrote:

I did a file search for those partitions and found no script.


Can’t imagine where you were looking, but the file has a very obvious name…

 

partitionDisk.sh

Thanks for your information. I was looking everywhere for sda5 … sda8. The file you mention imho is irrelevant, because those variables assigned seem not to be used anywhere.

And of course, if I were to program a NSA backdoor I would call this code Kernel and control :confounded:

The miracle remains: These partitions hold information that is accessed when booting, but nobody here knows how, why and when it is used. It would be a good hiding place :frowning:

Count_Dooku wrote:  And of course, if I were to program a NSA backdoor I would call this code Kernel and control :confounded:

I’ll bet you would.  

But until you actually examine the contents of those partitions and see something unusual, you need to stop spreading conspiracy theories.

I did this for you, because I know your ONLY intent is to stir up conspiracies and fear.

SDA5 and SDA6 contain IDENTICAL data.   And what is that data?   It’s the KERNEL!  Just as the name says.   

Compare the contents of SDA5 to /boot/uImage.   They’re identical until bytes 0038e300.   In fact, the contents of SDA5 and 6 are just smaller uImage files.  The RESIDENT uImage file contains 7K of additional data.  They even begin with a uImage header; bytes 0x00 - 0x03 are 27 05 19 56.

SDA7 and SDA8 contain IDENTICAL data.   What is that data?   It’s a simple script:

## Button initial state
btn_status=0
get_button_status
sata
satapart 0x3008000 5 0x5000
sata stop
# This is customized for each environment variable script
bootargs="console=ttyS0,115200n8, init=/sbin/init"
bootargs="$bootargs root=/dev/md0 raid=autodetect"
bootargs="$bootargs rootfstype=ext3 rw noinitrd debug initcall_debug swapaccount=1 panic=3"
bootargs="$bootargs mac_addr=$eth0.ethaddr"
bootargs="$bootargs model=$model serial=$serial board_test=$board_test btn_status=$btn_status"
bootm /dev/mem.uImage

Yeah, that looks VERY suspicious.  It’s a diagnostics setup to boot the kernel into a hardware console with debugs enabled!

Ooh.  Yeah, that’s the NSA alright…

1 Like
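Added example, not part of the original posts: a parser for the legacy U-Boot uImage header (the 27 05 19 56 magic mentioned above) that verifies both CRCs and compares only header plus payload, so leftover bytes after the image in a partition dump do not count as differences. The dumps here are constructed in memory; `make_uimage` and all sample values are hypothetical test data, not MyCloud content.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956           # bytes 27 05 19 56 at offset 0
HEADER = struct.Struct(">7I4B32s")  # legacy U-Boot image header, 64 bytes


def parse_uimage(blob):
    """Parse a dump that starts with a uImage and check its header/data CRCs."""
    if len(blob) < HEADER.size:
        raise ValueError("dump shorter than a uImage header")
    (magic, hcrc, _time, size, _load, _ep, dcrc,
     _os, _arch, _type, _comp, name) = HEADER.unpack_from(blob)
    if magic != UIMAGE_MAGIC:
        raise ValueError("no uImage magic at offset 0")
    # The header CRC is computed with the hcrc field itself set to zero.
    zeroed = blob[:4] + b"\0\0\0\0" + blob[8:HEADER.size]
    data = blob[HEADER.size:HEADER.size + size]
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "size": size,
        "header_ok": zlib.crc32(zeroed) == hcrc,
        "data_ok": len(data) == size and zlib.crc32(data) == dcrc,
        "image": blob[:HEADER.size + size],  # header + payload, no slack
    }


def first_difference(a, b):
    """Offset of the first differing byte, or None if the inputs are equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def make_uimage(payload, name=b"constructed-kernel"):
    """Build a constructed test image (not a real kernel)."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x8000, 0x8000,
              zlib.crc32(payload), 5, 2, 2, 0, name]
    fields[1] = zlib.crc32(HEADER.pack(*fields))
    return HEADER.pack(*fields) + payload


# Constructed sample: one image stored in two "partitions" with different slack.
IMAGE = make_uimage(b"\x11" * 4096)
DUMP_A = IMAGE + b"\x00" * 512
DUMP_B = IMAGE + b"\xff" * 1024
TAMPERED = bytearray(DUMP_A)
TAMPERED[HEADER.size + 100] ^= 0x01  # flip one payload bit
```

A raw byte comparison of `DUMP_A` and `DUMP_B` reports a difference at the first slack byte, while the parsed images are equal; the single flipped bit in `TAMPERED` fails the data CRC.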

TonyPh12345 wrote:


Count_Dooku wrote:  And of course, if I were to program a NSA backdoor I would call this code Kernel and control :confounded:


I’ll bet you would.  

 

But until you actually examine the contents of those partitions and see something unusual, you need to stop spreading conspiracy theories.

 

I did this for you, because I know your ONLY intent is to stir up conspiracies and fear.

 

SDA5 and SDA6 contain IDENTICAL data.   And what is that data?   It’s the KERNEL!  Just as the name says.   

Compare the contents of SDA5 to /boot/uImage.   They’re identical until bytes 0038e300.   In fact, the contents of SDA5 and 6 are just smaller uImage files.  The RESIDENT uImage file contains 7K of additional data.  They even begin with a uImage header; bytes 0x00 - 0x03 are 27 05 19 56.

 

SDA7 and SDA8 contain IDENTICAL data.   What is that data?   It’s a simple script:

[…]

Yeah, that looks VERY suspicious.  It’s a diagnostics setup to boot the kernel into a hardware console with debugs enabled!

 

Ooh.  Yeah, that’s the NSA alright…

 

I would never have believed that you bet anything …

“because I know your ONLY intent is to stir up conspiracies and fear.”

Plain wrong, but my question got no convincing answer for more than a week!

My comparison of /boot/uImage and content of sda5 and sda6 show some similarities, but comp spits out differences for almost all byte positions. So your disk seems to be different from mine.

“It’s a diagnostics setup to boot the kernel into a hardware console with debugs enabled!”

You must have access to insider know-how :flushed:

Can you tell what must be done to boot into that image?

Thanks for your cooperation.

Count_Dooku wrote:

My comparison of /boot/uImage and content of sda5 and sda6 show some similarities, but comp spits out differences for almost all byte positions. So your disk seems to be different from mine. 

I don’t understand what you’re saying “Show some similarities…but different in almost all byte positions.”  That’s contradictory.   

You’ve already indicated that you’ve been monkeying around with those partitions.  There’s no surprise yours might be corrupt or out of state.

Count_Dooku wrote:

You must have access to insider know-how :flushed:

Another conspiracy?   Just because I did some legwork you were unwilling to do, you now say I’m an insider?  No, I just spent about 30 minutes looking at the obvious.

Count_Dooku wrote:

Can you tell what must be done to boot into that image?

Gee.  Maybe that script has a clue – perhaps a button?   Perhaps there’s a switch or jumper on the motherboard?  At this point, I don’t really care.

I’m just writing this because people searching the net for various things are going to come across this post and need to see level heads explaining away the claptrap.

Oh, and another thing…

Count_Dooku wrote:
Plain wrong, but my question got no convincing answer for more than a week!

Your post STARTED with the conspiracy.  “NSA-Partitions on MyCloud?”

The fact that it went unanswered for a week is irrelevant.

Your existence must be a miserable cloud of paranoia if everything unknown to you has sinister intent…  :laughing:

TonyPH12345, please don’t encourage Count_Dooku by denying the conspiracy. However, it is amazing that this post has survived this long without the mods deleting it as well as the Count himself.

When the Count disappears from this forum; we will know that there must be a conspiracy… although we would most likely see a Count2, Count3_Dooku etc. BTW Whatever happened to Linadmin666?

As has been explained before, WD is not involved in any conspiracies, nor do we have any knowledge of any government agency attempting to use our drives to spy on anyone.

Please keep posts relevant to product topics.  [edit] Moreover, please refrain from making threats towards one another, whether blatant or subtle, it will get you banned immediately.

1 Like