
Mounting file system EFS from flash dump


Postby lordmaximus840 » Thu Apr 07, 2016 12:00 pm

Hi everyone,

Here is my problem:
A couple of weeks ago, I dumped flash memories that contain an IFS/EFS file system. It is distributed across two flash memories of 64 MB (GL512).

After some research, I found a topic on the QNX Community (http://community.qnx.com/sf/discussion/ ... .topc26570) that explains how to mount this kind of file system.

Here are the commands I wrote, drawing on that topic:
# devf-ram -vvv -s0,128m,,,256k
# flashctl -p /dev/fs0 -ev
# cp -V /home/flash.bin /dev/fs0 <- this one doesn't work; flash.bin is my flash dump, its size is precisely 128 MB.

Unfortunately, the "cp" command doesn't work and I'm stuck at this point.

I attempted to use the commands described in a page of QNX Developer support (http://www.qnx.com/developers/docs/6.3. ... html#FLASH):

# cat ipl_image flash_image > /dev/fs0
# slay devf-ram
# devf-ram &

But, again, no result.
I know that it is possible, because the commands dumpifs and dumpefs can describe the content of the file system, but it seems I'm not using the right command.

For information, I work with the QNX Neutrino VM downloaded from the QNX site.
Could someone help me mount the file system?

Regards,
Max

******
As a reminder:
I work with the QNX Neutrino VM from the QNX site
lordmaximus840
Active Member
 
Posts: 13
Joined: Thu Feb 11, 2016 4:05 pm

Re: Mounting file system EFS from flash dump

Postby Tim » Wed Apr 13, 2016 3:04 pm

Did you do the steps exactly in the order shown here:
http://www.qnx.com/developers/docs/6.3. ... html#FLASH

# devf-ram &
# flashctl -p /dev/fs0 -ev

# hd /dev/fs0 <--- What does this show (should be all 0xff)?

# cat flash.bin > /dev/fs0
# slay devf-ram
# devf-ram &

# hd /dev/fs0 <--- What does this show now (should not be all 0xff)?

Tim
Tim
Senior Member
 
Posts: 1390
Joined: Wed Mar 10, 2004 12:28 am

Re: Mounting file system EFS from flash dump

Postby lordmaximus840 » Wed Apr 13, 2016 6:32 pm

Hi Tim,

I wrote the commands as shown in the doc, but something is going wrong.

I will run a new test tomorrow morning and give the result. Maybe the commands I wrote before interfered with the proper functioning of the correct commands.

Thanks for your help, I will report the result as soon as I have tested the commands.

Max

Re: Mounting file system EFS from flash dump

Postby lordmaximus840 » Fri Apr 15, 2016 8:34 am

Hi Tim,

I've tested again, and I'm still stuck on mounting the flash file system.

# hd /dev/fs0 <--- What does this show (should be all 0xff)?

There is 0xFF after the flashctl command.

# hd /dev/fs0 <--- What does this show now (should not be all 0xff)?

I have my flash dump in /dev/fs0, no problem.

But again, I'm stuck on mounting the file system.
I've tested the following commands with no results:
# mount /dev/fs0 /fs/flash/
# mount -t F3S /dev/fs0 /fs/flash/
# mount -t ffs3 /dev/fs0 /fs/flash/
# mount -t ETFS /dev/fs0 /fs/flash/

I get the same result every time:
# mount: Can't mount /dev/fs0 (Type xxx)
mount: Possible reason: Resource busy

I had the same kind of result when I tried to mount QNX4/6 partitions without the file system specified in the mount command.
Then, when I used the right parameters, the mount command worked fine.
But in this case, I can't manage to find the right parameter for this file system.

The most infuriating thing is that I can see the content of my dump with the commands dumpifs and dumpefs.

Any idea what I can do?

Max

Re: Mounting file system EFS from flash dump

Postby Tim » Fri Apr 15, 2016 6:41 pm

What does fdisk report about the partitions/filesystem type?

# fdisk /dev/fs0

I assume you do understand that this 'ifs' is a self-contained filesystem that can't be mounted as anything besides /.

http://www.qnx.com/developers/docs/660/ ... Image.html

If you are looking to access specific contents in the ifs you should use the dumpifs tool to extract the files you are interested in.

Tim

Re: Mounting file system EFS from flash dump

Postby lordmaximus840 » Sat Apr 16, 2016 5:31 pm

Hi Tim,

What does fdisk report about the partitions/filesystem type?

# fdisk /dev/fs0

The fdisk command replies: DCMD_CAM_DEVINFO: No error. I haven't found any information on this that corresponds to my case.

I know the layout of the IFS file system: in the first part there is the IFS file system, and after it there are two or three EFS (three in my case).
I'm not interested in the files within the IFS, but in those within the EFS.

Unfortunately, my knowledge of the commands dumpifs and dumpefs isn't sufficient to extract any files.
What's more, I need all the files that are present in the EFS.

In your opinion, could the version of QNX present on the system the flash dump came from and the version of my QNX virtual machine be a source of problems and prevent the IFS from mounting properly in the VM?

For information, I'm not a developer, I'm a forensic IT specialist in a criminal lab, and I don't have the QNX SDK. This is why I am trying to solve this problem this way. I have already analyzed the main memory of the system (an eMMC with QNX6 partitions), but there was nothing interesting for me.

When I took a look inside the body of the analyzed system, I found two more flash memories. I unsoldered them, dumped them and combined the data from the two flash memories (a sort of RAID 0 with a stripe of two bytes). After a long investigation of the data, I found important data for my case, but out of context. With a colleague, we started to reverse engineer the organization of the data (EFS part).

We had good results with this analysis, but some elements have remained mysterious to us, in particular how the files are organized. My colleague finally found that the QNX OS has a special file system for its flash memories, and at this point we discovered almost the entire method to mount it, but we are stuck on the mounting.

All suggestions for extracting the files contained in the EFS are welcome.

Thanks for your help.

Regards,
Max
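
The reassembly described in the post above (two chip dumps combined with a two-byte stripe) and the all-0xFF check Tim asks for with hd, sketched in Python as an added example that is not code from the thread. The function names are hypothetical, the chip order (A first) is an assumption, and the sample bytes are constructed.

```python
STRIPE = 2               # bytes taken from each chip per stripe (from the post)
BLOCK_SIZE = 256 * 1024  # erase-unit size given to devf-ram (-s0,128m,,,256k)


def interleave(chip_a, chip_b, stripe=STRIPE):
    """Merge two equal-size chip dumps: `stripe` bytes from A, then from B."""
    if len(chip_a) != len(chip_b):
        raise ValueError("chip dumps differ in size; one read is incomplete")
    if stripe <= 0 or len(chip_a) % stripe:
        raise ValueError("dump size is not a multiple of the stripe width")
    out = bytearray(2 * len(chip_a))
    for lane in range(stripe):
        # Byte `lane` of every stripe lands at a fixed stride in the output.
        out[lane::2 * stripe] = chip_a[lane::stripe]
        out[stripe + lane::2 * stripe] = chip_b[lane::stripe]
    return bytes(out)


def erased_blocks(image, block_size=BLOCK_SIZE):
    """Indexes of blocks that are entirely 0xFF, i.e. erased flash."""
    result = []
    for off in range(0, len(image), block_size):
        block = image[off:off + block_size]
        if block.count(0xFF) == len(block):
            result.append(off // block_size)
    return result


def summarize(image, block_size=BLOCK_SIZE):
    """Counts to compare against what `hd /dev/fs0` should show."""
    total = -(-len(image) // block_size)  # ceiling division
    erased = len(erased_blocks(image, block_size))
    return {"size": len(image), "blocks": total, "erased": erased,
            "all_erased": total > 0 and erased == total}


if __name__ == "__main__":
    # Constructed sample: two tiny "chips" and 4-byte blocks instead of 256 KiB.
    chip_a = b"AaCc" + b"\xff" * 4
    chip_b = b"BbDd" + b"\xff" * 4
    image = interleave(chip_a, chip_b)
    print(image[:8])              # data half of the rebuilt image
    print(summarize(image, 4))    # two data blocks, two erased blocks
```

For the dumps in this thread the rebuilt image should be exactly 128 MB (two 64 MB chips) and should not be reported as all erased; a freshly erased /dev/fs0 should be.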

Re: Mounting file system EFS from flash dump

Postby Tim » Mon Apr 18, 2016 6:30 pm

Tim

Re: Mounting file system EFS from flash dump

Postby lordmaximus840 » Tue Apr 19, 2016 8:41 am

Hi Tim

I have considered your suggestions.

As for the PDF from Defcon, I found it a while ago, but the script extracts nothing in my case (I know, my problems keep piling up :cry: ).

I tried the Python script too, but again, it's not working. There is a traceback about one of the functions in the script, but I couldn't see what the problem is.
There is no explanation in the readme.md on GitHub except the commands we have to enter. No details about the Python version.

My own Python script is almost complete, and soon I will be able to test it.

Thank you very, very much for your time. All the elements you gave allowed me to go further in my analysis, and that is no small thing for me; it's a huge time saver.

When it's complete, I can report my results here.

Regards,
Max