WD My Cloud Mirror Gen2 with Debian 11 and Linux Kernel 5.15 LTS

Intro

Since 2017 I have been using an Western Digital My Cloud Mirror Gen 2 which I bought at Amazons Black Friday (or similar) - because the included 2x 8 TB WD Red were even cheaper with the NAS than standalone. Using the NAS had been quite ok, especially the included Docker Engine and Plex Support were a nice to have, the included Backdoor in older Versions - not so much. Recently WD had their new "My Cloud OS 5" replace the old My Cloud OS 3 - and made things worse for a lot of people. As I don't want any more surprises - and more control over my hardware - I decided to finally go down the road and get Debian 11 with an LTS (5.15) Kernel running on the hardware. This is how it went.

Warning

Warning, these are just my notes on how to convert a My Cloud OS 3 / My Cloud Mirror Gen 2 device to a "real" Debian system. You will need to take your device fully apart, solder wires and lose the warranty. Additionally you will lose all your data and even brick the hardware if something goes wrong, I am taking in no way responsibility, neither can I give support. You're on your own now.

Step 0: Get Serial Console Access

Without a serial console, you will not be able to do anything here. You will need to completely disassembly the NAS and will lose all warranty. The plain motherboard will look like this. On the most right side you will see the pins for the UART interface you will need to solder to.

When you're done with that, connect your 3v3 TTL UART USB device like this:

... and connect to it via 115200 BAUD with Putty, TeraTerm Pro or any other software (Do not connect the 3v3 pin :)). It would be wise starting without the hard drives installed.

Step 1: Flashing U-Boot

The current U-Boot on the NAS is flawed, you need to replace it. I will be CyberPK here which did an awesome job explaining everything:

We have to prepare an usb drive formatted in Fat32, and extract the uboot at link into it and connect to usb port#2.

Connect the device to the serial adapter, poweron the device and start pressing '1' (one) during the boot until you can see the 'Marvell>>' Command Prompt
press ctrl+c
then

We will start here to change stuff and break stuff. But if I could give you one tip before you start: Please execute printenv once. Copy and paste all env variables and everything Uboots spits out. It could save your hardware one day. Thanks, Nico out!

usb start
bubt u-boot-a38x-GrandTeton_2014T3_PQ-nand.bin nand usb
reset

This will reboot the device. Access again the Command prompt and add the following envs, a modified version of the ones provided by bodhi at this post:

setenv set_bootargs_stock 'setenv bootargs root=/dev/ram console=ttyS0,115200'

setenv bootcmd_stock 'echo Booting from stock ... ; run set_bootargs_stock; printenv bootargs; nand read.e 0xa00000 0x500000 0x500000;nand read.e 0xf00000 0xa00000 0x500000;bootm 0xa00000 0xf00000'

setenv bootdev 'usb'

setenv device '0:1'

setenv load_image_addr '0x02000020'

setenv load_initrd_addr '0x2900000'

setenv load_image 'echo loading Image ...; fatload $bootdev $device $load_image_addr /boot/uImage'

setenv load_initrd 'echo loading uInitrd ...; fatload $bootdev $device $load_initrd_addr /boot/uInitrd'

setenv usb_set_bootargs 'setenv bootargs "console=ttyS0,115200 root=LABEL=rootfs rootdelay=10 $mtdparts earlyprintk=serial init=/bin/systemd"'

setenv bootcmd_usb 'echo Booting from USB ...; usb start; run usb_set_bootargs; if run load_image; then if run load_initrd; then bootm $load_image_addr $load_initrd_addr; else bootm $load_image_addr; fi; fi; usb stop'

setenv bootcmd 'setenv fdt_skip_update yes; setenv usbActive 0; run bootcmd_usb; setenv usbActive 1; run bootcmd_usb; setenv fdt_skip_update no; run bootcmd_stock; reset'

saveenv

reset

(This code was also modified by me to use the fatload instead of the ext2load)

With this, our NAS is ready.

Step 2: Build a kernel and rootfs

  • On your current linux machine, get yourself a copy / git clone of Heisaths wdmc2-kernel Repo
  • Get all dependencies installed according to this repo, I installed it on a Debian 11 machine
  • Replace the file content of wdmc2-kernel/dts/armada-375-wdmc-gen2.dts with the content of the real and improved dts for the WDMCMG2 (original from this link, copy available here) - but keep the file name still armada-375-wdmc-gen2.dts
  • Replace the file content of wdmc2-kernel/config/linux-5.15.y.config with the file from here (please know this config ain't perfect, but it will get you running. You can always file a PR and help me out ;))
  • Start the build process in wdmc2-kernel with ./build.sh
  • Mark: Linux Kernel, Clean Kernel sources, Debian Rootfs, Enable ZRAM on rootfs
  • Kernel -> Kernel 5.15 LTS
  • Build initramfs -> Yes
  • Debian -> Bullseye
  • Fstab -> usb
  • Rootpw -> whateverYouWant
  • Hostname -> whateverYouWant
  • Locales -> no changes, accept (or whatever you want)
  • Default locale for system -> en_US.UTF-8 (or whatever you want)
  • Tzdata -> Your region
  • Now your kernel and rootfs will be build

While this is on-going, get yourself a nice USB 2.0 or USB 3.0 stick prepared with

  • partition table: msdos
  • 1st partition: 192 MB, FAT32, label set to boot, boot flag enabled
  • 2nd partition: rest, ext4, label set to rootfs

When the kernel is done compiling and your usb stick is done, copy all the files (sda is the name of my usb stick

  • mkdir /mnt/boot /mnt/root
  • mount /dev/sda1 /mnt/boot
  • mount /dev/sda2 /mnt/root
  • mkdir /mnt/boot/boot
  • cp wdmc2-kernel/output/boot/uImage-5.15.* /mnt/boot/boot/uImage
  • cp wdmc2-kernel/output/boot/uRamdisk /mnt/boot/boot/uInitrd
  • tar -xvzf wdmc2-kernel/output/bullseye-rootfs.tar.gz --directory=/mnt/root/
  • rm -rf /mnt/root/etc/fstab
  • cp /mnt/root/etc/fstab.usb /mnt/root/etc/fstab
    // within /mnt/root/etc/fstab:
    // change all /dev/sdb to /dev/sdc if all two drive slots on the NAS are used <- this!
    // change all /dev/sdb to /dev/sda if no drive slots on the NAS are used
  • umount /mnt/boot /mnt/root

Step 3: First boot and getting things running

Insert the USB stick into the 2 slot of the NAS. Leave the drives still out and boot it up for the first time, watch it via terminal. Login at the end with root and your chosen password.

If it boots, you can shut it down again with shutdown -P now, unplug power, insert the drives and reboot.

First thing after the first boot with drives, your own initramfs / Ramdisk from your current setup:

  • cd /root/
  • ./build_initramfs.sh
  • cp initramfs/uRamdisk /boot/boot/uInitrd

Second, install MDADM for the RAID:

  • apt update
  • apt install mdadm
  • mkdir /mnt/HD
  • edit your /etc/fstab and add a mount point for your md/raid. I used the old drives with my old data on it like this (depending on the fact as which mdX it launches...)
/dev/md0        /mnt/HD         ext4    defaults,noatime,nodiratime,commit=600,errors=remount-ro        0       1
 

A lot of good knowledge about Ramdrives can be found here.

I would advise to do steps: 1. Folder2RAM, 2. Kernel Options, 4. Logrotate - option 3 did not work out for me.

To get the drive to sleep at some point, we need to reconfigure MDADM

dpkg-reconfigure mdadm
// monthly check ok 
// daily degration check ok
// monitoring disable

... and get hdparm working

apt install hdparm hd-idle

# hdparm config
, add in /etc/hdparm.conf 

/dev/sda {
#        apm = 127
#        acoustic_management = 127
        spindown_time = 120
#       spindown_time = 4
        write_cache = on
}

/dev/sdb {
#        apm = 127
#        acoustic_management = 127
        spindown_time = 120
#       spindown_time = 4
        write_cache = on
}

# Spindown Time means: 120 * 5 sec = 600 sec / 60 sec = 10 min
# apply it after saving the file with:
/usr/lib/pm-utils/power.d/95hdparm-apm resume

We can check the status of the drives with smartctl

smartctl -i -n standby /dev/sda
smartctl -i -n standby /dev/sdb

To get fan control working

apt install wget
wget -O mcm-fancontrol-master.tar.gz https://github.com/nmaas87/mcm-fancontrol/archive/refs/heads/master.tar.gz
tar -xvzf mcm-fancontrol-master.tar.gz
cd mcm-fancontrol-master/
cp fan-daemon.py /usr/sbin/
chmod +x /usr/sbin/fan-daemon.py
cp fan-daemon.service /etc/systemd/system/
systemctl enable fan-daemon
systemctl start fan-daemon

(You can change low temp and high temp in the /usr/sbin/fan-daemon.py to get the Fan to kick in later and also set DEBUG = True if you want to see some details in the systemctl status fan-daemon)

MDT Utils can be useful, just mentioning it here

apt install -y mtd-utils
cat /proc/cmdline
cat /proc/mtd

Samba ...

apt install samba --no-install-recommends
# change /etc/samba/smb.conf to your liking and setup your SMB

Plex ...

# Plex 
apt update
apt install apt-transport-https ca-certificates curl gnupg2
curl https://downloads.plex.tv/plex-keys/PlexSign.key | apt-key add -
echo deb https://downloads.plex.tv/repo/deb public main | tee /etc/apt/sources.list.d/plexmediaserver.list
apt update
apt install plexmediaserver
systemctl status plexmediaserver

Well, that's it.

Thanks a lot to all awesome contributors in the net:

Companion repo with files: https://github.com/nmaas87/WDMCMG2

Debian 9 Offline Installation Bug

I had to install a Debian 9.3 without having access to the internet, so I downloaded the full size offline install DVD from https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd. As usual, I inserted the first DVD into the DVD Drive, started the install and everything worked fine - except for the moment where it didn't ;): I needed to switch DVDs for some software - and directly afterwards, Debian came to the "Install Grub" step - and asked politly to insert DVD 1 again - which I tried to do - but could not:

For some reason, the Debian GUI Installer had locked the DVD Drive and I could not remove the DVD - could not open it. I then used the Emergency Eject, inserted DVD 1 and closed the Drive again with very mild force.

However, the Installer did not recognize the new DVD and said, that I needed to insert a DVD. Well...

To cope with that problem, just CTRL+ALT+F1 switch to a different Terminal, enter mount /dev/cdrom /cdrom and switch back to the Installer Terminal with CTRL+ALT+F7 (I think it was ;)) - and hit "Continue" - and from that moment on, it worked again and the installation ended successful after the GRUB installation.

 

SSH Tunneling

One of the most important things by working in "dangerous" Networking Enviroments is protection.

And by that I don't mean the usual (and important!) Anti Virus, Anti Malware and Firewall Software, but Traffic Tunneling, meaning VPN or SSH.

SSH is the secure equivalent to the good old (and Plaintext transmitted) Telnet. And its also more powerful: Its use is not limited to remote Control, but can also provide an secured Datatunnel through which all your Traffic to your Remote Location (i.e. an Mysql Database, Web- or Mailserver or the Web itself) is tunneld - and encrypted. Giving therefore little to no chance to "Wiresharkes" and other Cable Tappers or Span Users.

So lets go:

1. Setting up the SSH Server
Setting up an ssh Server is as simple as:
apt-get install openssh-server
if you're running Debian or Ubuntu.

Optional you can configure that the "root" Account
won't be able to access via ssh and you can configure that
Plaintext Passwords aren't allowed. We will go for an Keybased Setup here,
but I would recommend not shutting down this Plaintext Password Authentification
if you can't access the machine physically easily (as the Certifactes are only valid
for one year...).

2. Configuring the SSH Server
vi /etc/ssh/sshd_config

- change Port to 18000
Port 18000
// Thats an must!

- deactivate root access
PermitRootLogin yes
// Thats optional, it does NOT allow your root Account to login via SSH.
// Only set that if you know what you're doing!

- deactivate password login
PasswordAuthentication no
// Thats optional as well, you can set that after this whole thing,
// as you have working SSH Key Authentification - but beware,
// you won't be able to login via an Password then!
// ( And that will hurt if your Keys are expired and don't work anymore... )

3. Configure Router (NAT and Firewall) to Allow Access to your SSH Server.
Use Dynamic DNS (i.E. DynDNS.org) to get an Dynamic DNS Adress.
( Means that an adress like myserver.dyndns.org will always point to
your dynamically changing IP Adress of your Router. Most Routers have an
DynDNS Client built in, so they update the DynDNS Account on every IP Change -
look it up in the Handbook / Config Menu)

4. Setting up an SSH User with Restricted Shell Access
sudo apt-get install rssh
// Installs the restricted shell
sudo useradd tunnel -m -s /usr/bin/rssh
// Creates an User named tunnel with the Restricted Shell
sudo passwd tunnel
// Enter the Password you want for the User

5. Setting up Squid HTTP Proxy
sudo apt-get install squid

6. Creating the Connection using Putty and Setting up the Clients
Download the Putty installer from
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
and install. Then open Putty:

Session -> Hostname and Port: Enter your DynDNS Adress and the Port you chose for SSH
Connection -> Enable TCP Keepalives
Connection -> SSH -> Don't start a shell or command at all
Connection -> SSH -> Enable compression
Connection -> SSH -> Tunnels: Source Port you can choose i.E. 20000
// Source Port is the Port the Tunnel will end on your "Client PC"
Connection -> SSH -> Tunnels: Destination Port localhost:3128
// Destination Port is in that Case the Server (localhost) and Port 3128
// which is the Squid Proxy. But it could also be something like
// IPofyourRouter:21 to forward the Telnet of your Router to Port 20000 on
// the Remote PC, or IporNameofyourHomePc:3389 to forward the Windows
// Remote Desktop - or anything else. You would then connect with the
// Remote Desktop Tool to "localhost:20000" to Access your PC at Home.
Session -> Press Save and Save the Session
Session -> Press Open and Enter your Login, i.E. tunnel and password

You won't see anything as it stays open and "nothing happens".

Go to your Internet Explorer \ Firefox and enter as Proxy localhost, Port 20000

Internet Explorer:
Extras, Internetoptions, Lan Settings, Choose Proxy Server for Lan
Enter localhost, Port 20000

Firefox:
Extras, Settings, Advanced, Network, Settings
Manual Proxy Configuration, HTTP Proxy: localhost, Port 20000
For all Protocols

And now you'll be able to surf the Web Securely from everywhere through your
secured Tunnel!

WARNING: ONLY the Traffic is secured. Your DNS Lookups STILL go to your local
DNS Server. So i.e. the Local DNS Admin can see that you were surfing on
i.e. Google, Facebook or so - but can't see what you did transmit there.
To change that and to do DNS also tunneled via SSH do this:.

Internet Explorer:
don't know, isn't working

Firefox:
// Enter in the URL Bar:
about:config
// Look for this string and set it to "true"
network.proxy.socks_remote_dns

Only one thing to do left:
Set Keybased Authentification.
Keybased Authentification has two main Advantages:
a) You can use it allow scripts to identify themselfes via the key and use ssh
b) Its more secure as the Key does check its Serverpart and tells you if you're
connection has been redirected or intercepted. Its the way to go.

Creating keys:
su
// Enter password for root Access
ssh-keygen -t rsa -b 2048
Just "enter" through everything

Installing keys:
cd /home/tunnel/
mkdir .ssh
chmod 700 .ssh/
cd .ssh/
touch authorized_keys
cat ~/.ssh/id_rsa.pub > authorized_keys
chmod 600 authorized_keys
cd ..
chmod 700 .ssh/
chown tunnel -R .ssh/
exit

Download the key id_rsa in /root/.ssh/ via WinSCP to your PC
Startup puttygen which you did gain with the Putty installer.
Load the id_rsa in Putty and press on "Save Private Key"

Using key based Authentification with Putty:
Open Putty and load your Preset
Connection -> SSH -> Auth
And use the "Private Key File for Authentification" to point to your previously
set Private Key (wheter encrypted or not isn't important at this Point).
Go again to Session and Save again. Press Open.
You'll be asked to enter your Username and Passphrase (if you got one).
If you want to really automate that, you can even specify your Username in
Putty under SSH -> Connection -> Data "Auto Login Name"