Secure wipe before resale

h9tud52m0cmy · February 16, 2019, 3:55am

I’m looking to wipe my device for resale (i upgraded to a newer model) any thoughts on a good app for busybox (like sfill) that will zero the contents where my wifi password, openvpn configs, etc was stored?

Out of curiosity where where is all the user set information stored outside the rom partition?

root@GL-AR300M:~# uname -a
Linux GL-AR300M 4.4.92 #0 Tue Oct 17 17:46:20 2017 mips GNU/Linux

root@GL-AR300M:~# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/root 8448 8448 0 100% /rom
tmpfs 62428 992 61436 2% /tmp
/dev/ubi0_1 102988 72 98076 0% /overlay
overlayfs:/overlay 102988 72 98076 0% /
tmpfs 512 0 512 0% /dev

kyson-lok · February 16, 2019, 4:13am

Do you want to restore the configuration file? If yes, you can backup the configuration files in Luci.

h9tud52m0cmy · February 16, 2019, 4:14am

nope already setup the new one. just looking for an app that will work with busybox to overwrite those sensitive areas (as well as which areas are sensitive)

kyson-lok · February 16, 2019, 4:17am

What’s the purpose for you? Could you please describe more clear what you want to achieve?

h9tud52m0cmy · February 16, 2019, 4:22am

ok
[1] i want to resell this device because i recently upgraded to a newer model (slate)
[2] i want to factory reset the device to clear out all of my old settings (done)
[3] i want to overwrite all of the areas where sensitive information was stored such as my last known WAN IP, VPN configs + usernames + passwords, logs and traffic details

I’m not incredibly scared that any of this information is valuable to anyone but if someone goes peeking i dont want something to be discovered like credentials that can be used to get onto my current system. i.e. if i reused my router password - i didn’t but say i did. the last known wan address would give some and address to attach and a username and password to login. after that I’m owned.

nopro404 · February 16, 2019, 6:25pm

This is a good question. Would be nice if there was a secure wipe feature like ChromeOS or Windows (bleh!)

Even for times when you are travelling between hostile countries and they may want to copy your devices.

Would be a great feature to be able to do factory reset and wipe all free space with 0’s.

Added bug: GL.iNet - Connecting The World To Secure Wi-Fi

h9tud52m0cmy · February 17, 2019, 4:37am

i’m hoping i can find a binary like ‘wipe’ that works with busybox to overwrite free space with random bits and the locations/partitions on which this sensitive data is stored.

nopro404 · February 17, 2019, 6:09pm

You can manually accomplish this with dd. random is not required and will take a long time, zeroes are fine.

after you ‘revert’ to factory default you can do:

dd if=/dev/zero of=/root/bigfile bs=1M

after its done (it will throw an out of space error):

rm /root/bigfile

and you’re done. This will only work on the current boot flash if you are on a dual boot device.

kyson-lok · February 18, 2019, 1:38am

Just curious, if you do a factory reset, all the sensitive information will be wipe, isn’t it? It won’t store your password.

Johnex · February 18, 2019, 8:32pm

Deleting files from a memory card or a hard drive usually only means that the file is removed from the file allocation table, with the files data still remaining on the memory. The operating system can not see the files anymore, but forensics software can scan each memory location and use patterns to find the files. Images for example have a header and checksum, so they could be recovered pretty easy.

The only way to truly delete the data is to overwrite it. For a magnetic based drive like a harddisk, it requires
overwriting many times, as shadows of the data can still be found using sensitive equipment. For a memory chip i would still recommend to overwrite the data randomly and a few times just to be sure.

sfx2000 · February 18, 2019, 10:32pm

NOR based targets - flashing from uBoot should be good enough, and perhaps so for many using SPI-NAND and eMMC.

For the truly paranoid - clearing out the NAND space might a concern on those targets as it removes the pointers, but doesn’t really clear the bits - this isn’t unique to GL-iNet targets and might be better addressed upstream with OpenWRT so that wheel isn’t repeatedly reinvented…

alzhao · February 19, 2019, 12:52am

This is many people’s business model, recover data from a damaged hard disk.

nopro404 · February 24, 2019, 4:50pm

Yeah that’s what’s happening. When ‘Revert’ or a firmware upgrade is called ‘jffs2reset’ is run.

If anyone is interested – it calls this here:
https://git.openwrt.org/?p=project/fstools.git;a=blob;f=libfstools/overlay.c;hb=af93f4b8dc32cf1320dfe8f4b93bb3a12606fc33#l38

It just removes the directories from the file table, not even the files themselves - so they would be quite easy to recover if all you did was ‘revert’ and sell the device.