Analyze filesystem found in Flash
Posted: 23 Jul 2020, 18:24
by Go4IT
Hi, I think I found a filesystem inside the Flash of the FX (NX and MCA should have this also, but for now I look at the FX).
When I browse through the content of the dump I find this:
01681400 49 4E 4F 44 01 00 00 00 68 05 00 00 00 00 00 00 INOD....h.......
repeating every 0x200 (which equals a blocksize of 512 Bytes) up to
01EB8600 49 4E 4F 44 05 00 00 00 00 00 00 00 00 00 00 00 INOD............
There are also some other node types having "MAST", "INDI" and "INDX" as type identifier. For me this looks very much like a filesystem. As we already know, the software running on the OMAP5948 is Nucleus RTOS, developed by Siemens (https://en.wikipedia.org/wiki/Nucleus_RTOS).
It could run without an FS, but there are several drivers, even special ones for flash chips (the S29GL of the FX is a NOR flash). Datalight Inc. has an RTOS which also provides such a driver, named "Reliance Edge". Here are the sources on GitHub, and I point right to a header file where we find the refs for the above strings:
https://github.com/datalightinc/relianc ... ped_q=INOD
#define META_SIG_MASTER (0x5453414DU) /* 'MAST' */
#define META_SIG_METAROOT (0x4154454DU) /* 'META' */
#define META_SIG_IMAP (0x50414D49U) /* 'IMAP' */
#define META_SIG_INODE (0x444F4E49U) /* 'INOD' */
#define META_SIG_DINDIR (0x494C4244U) /* 'DBLI' */
#define META_SIG_INDIR (0x49444E49U) /* 'INDI' */
I'm trying to reverse engineer the FS; maybe there are some good forensic tools for this. Right now I try to understand "by hand" how it's made. My goal is to build a tool to "read" the filesystem and then maybe also write to it.
The reason why we find the inodes only in the upper half of the flash may be that the lower part is used to boot the kernel, and the FS needed for storing data read from SD/CD/DVD, or just temporary and persistent files, must be stored somewhere.
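A first pass at the scan described in this post, as an added example that is not part of the original post and not Datalight's code: it walks a dump in 0x200-byte blocks, reports every block that starts with one of the four-character signatures (the ones seen in the dump plus the ones from the header quoted above), and checks whether the INOD blocks sit at a fixed stride. It assumes only what the dump shows, a signature in the first four bytes of a 512-byte block; the fields after the signature are not decoded, because their layout for the older Reliance release on this unit is not established here. The sample image is constructed for the example, and `SIGNATURES`, `scan_blocks`, `summarize` and `inode_stride` are names chosen here. `sig_value` shows where the `META_SIG_*` constants come from: the little-endian u32 of the ASCII bytes, which is why `INOD` appears in that byte order in the dump.

```python
import struct
from collections import Counter

BLOCK = 0x200  # 512-byte stride observed between INOD blocks in the dump

# Four-character signatures seen in the dump (MAST, INOD, INDI, INDX) plus the
# rest of the list from the Reliance Edge header quoted above. Matching is on
# the raw ASCII only; which header fields follow the signature is not assumed.
SIGNATURES = (b"MAST", b"META", b"IMAP", b"INOD", b"DBLI", b"INDI", b"INDX")


def sig_value(sig: bytes) -> int:
    """Little-endian u32 of a four-byte signature, the form the META_SIG_*
    defines use: b'INOD' -> 0x444F4E49."""
    return struct.unpack("<I", sig)[0]


def scan_blocks(image: bytes, block: int = BLOCK, base: int = 0):
    """Yield (address, signature) for every block-aligned position whose
    first four bytes are a known signature. `base` is the flash address of
    image[0], so a partial dump reports real flash offsets."""
    for off in range(0, len(image) - 3, block):
        head = image[off:off + 4]
        if head in SIGNATURES:
            yield base + off, head


def summarize(image: bytes, block: int = BLOCK, base: int = 0) -> dict:
    """Per signature: number of blocks and the first/last address seen."""
    hits = list(scan_blocks(image, block, base))
    out = {}
    for sig in Counter(s for _, s in hits):
        addrs = [a for a, s in hits if s == sig]
        out[sig.decode()] = {"count": len(addrs), "first": addrs[0], "last": addrs[-1]}
    return out


def inode_stride(image: bytes, block: int = BLOCK) -> list:
    """Distinct distances between consecutive INOD blocks. A single value
    (e.g. [0x200]) means the inodes form one regular table; several values
    mean gaps, which is where to look for other node types or file data."""
    addrs = [a for a, s in scan_blocks(image, block) if s == b"INOD"]
    return sorted({b - a for a, b in zip(addrs, addrs[1:])})


# --- constructed sample image (NOT a real Reliance layout) -------------------
def _fake_block(sig: bytes, n: int) -> bytes:
    return (sig + struct.pack("<I", n)).ljust(BLOCK, b"\x00")

SAMPLE = b"".join([
    _fake_block(b"MAST", 0),                   # block 0: 0x000
    bytes(BLOCK),                              # block 1: unrelated data
    _fake_block(b"INOD", 1),                   # block 2: 0x400
    _fake_block(b"INOD", 2),                   # block 3: 0x600
    _fake_block(b"INOD", 3),                   # block 4: 0x800
    b"\xff" * BLOCK,                           # block 5: erased NOR flash
    _fake_block(b"INDI", 1),                   # block 6: 0xC00
    bytes(100) + b"INOD" + bytes(BLOCK - 104), # block 7: 'INOD' mid-block, must NOT count
])

if __name__ == "__main__":
    # base=0x1681000 labels the sample as if it were the region of the FX dump
    for name, info in summarize(SAMPLE, base=0x1681000).items():
        print(f"{name}: {info['count']:3d} blocks, {info['first']:#010x}..{info['last']:#010x}")
    print("INOD strides:", [hex(s) for s in inode_stride(SAMPLE)])
```

Run it on the real dump with `open("fx_flashdump.bin", "rb").read()` in place of `SAMPLE`; a stride list longer than one entry, or a signature count that does not match what a hex editor shows, is the cue that the block size or alignment guess is wrong.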
Re: Analyze filesystem found in Flash
Posted: 23 Jul 2020, 18:46
by Go4IT
I found an interesting introduction into Flash filesystems here:
https://www.ibm.com/developerworks/linu ... lesystems/
We find many occurrences like this
where "FFS" stands for "Flash File System", or
{RFFS_s32Format} Formatting drive %c: {RFFS_s32Format} where "RFFS" indicates "Reliable Flash File System".
Re: Analyze filesystem found in Flash
Posted: 23 Jul 2020, 20:33
by Go4IT
I recently installed binwalk on one of my Linux boxes (running headless Ubuntu 16LTS) and looked at what it finds in the whole dump. Quite interesting:
root@ubuntu16:~$ binwalk fx_flashdump.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
1310752 0x140020 ELF, 32-bit LSB executable, ARM, version 1 (SYSV)
1311328 0x140260 Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/VERSIONS
1351872 0x14A0C0 Unix path: /dev/registry/LOCAL_MACHINE
1370352 0x14E8F0 Unix path: /dev/ffd/CD_PARAM
1394524 0x15475C Unix path: /dev/ffs/FC_DOWNLOAD_VER.DAT
1400528 0x155ED0 Unix path: /dev/ffd/CD_PARAM
1405992 0x157428 Unix path: /dev/fgs/dim
1437636 0x15EFC4 Unix path: /dev/adc/7
1441568 0x15FF20 Unix path: /dev/ffs2/FC_SPM_ENG.dat
1443820 0x1607EC Unix path: /dev/card/em_trace.bin
1448356 0x1619A4 Unix path: /dev/ffd/TTFIS
1517876 0x172934 Unix path: /dev/ffs/mif/mif01.cfg
1519156 0x172E34 Unix path: /dev/ffs/mif
1520320 0x1732C0 Unix path: /dev/ffs/CRDSHARE.DAT
1634480 0x18F0B0 Copyright string: "Copyright (c) 2003 - 2005 Datalight, Inc."
2095836 0x1FFADC Copyright string: "Copyright (c) 2003 - 2005 Datalight, Inc."
2387584 0x246E80 Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/PROCESS/BASE/DOWNLOAD/CHINASIBD
2418955 0x24E90B Copyright string: "Copyright MGC 2003 - Nucleus PLUS v. 1.14.5 - ARM926T TI OMAP5912 RVCT 2.0.1"
2427712 0x250B40 CRC32 polynomial table, little endian
2444640 0x254D60 Unix path: /dev/adc/0
2481652 0x25DDF4 Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT
2490324 0x25FFD4 Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/VERSIONS
2507828 0x264434 Unix path: /dev/ffs/FC_DOWNLOAD_LMM.DAT
2508672 0x264780 Unix path: /dev/registry/LOCAL_MACHINE
2509996 0x264CAC Unix path: /dev/ffs/FC_DOWNLOAD_FEA.DAT
2513944 0x265C18 Unix path: /dev/registry/LOCAL_MACHINE
2515404 0x2661CC Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/PROCESS/NAVAPP
2520176 0x267470 Unix path: /dev/ffs/cfg/navdreg.reg
2524604 0x2685BC Unix path: /dev/ffs/FC_DOWNLOAD_CRC.DAT
2526836 0x268E74 Unix path: /dev/ffs/DnlSrcUSB.set
2528768 0x269600 Unix path: /dev/registry/LOCAL_MACHINE
2537168 0x26B6D0 Unix path: /dev/ffs/DSDSE.CFG
2541572 0x26C804 Unix path: /dev/ffs/download.off
2543580 0x26CFDC Unix path: /dev/ffs/ffsbat.ena
2547964 0x26E0FC Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/VERSIONS
2565196 0x27244C Unix path: /dev/registry/LOCAL_MACHINE
2568072 0x272F88 Unix path: /dev/ffs/chinasi.cfg
2571508 0x273CF4 Unix path: /dev/ffs/DnlSrcUSB.set
2574892 0x274A2C Unix path: /dev/fgs/download
2579000 0x275A38 Unix path: /dev/rp_if/download
2605532 0x27C1DC Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/PROCESS
2610976 0x27D720 Unix path: /dev/ffs2/FC_SPM_LMM.dat
2640488 0x284A68 Unix path: /dev/ffs2/FC_SPM_ENG.dat
2651532 0x28758C Unix path: /dev/ffs2/FC_SPM_LMM.dat
2661392 0x289C10 Unix path: /dev/rp_if/power
2662772 0x28A174 Unix path: /dev/registry/LOCAL_MACHINE
2677180 0x28D9BC Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/PROCESS/NAVAPP
2678540 0x28DF0C Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/PROCESS/SDS
2683752 0x28F368 Unix path: /dev/ffs2/base.reg
2685612 0x28FAAC Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/PROCESS/SYSTEM
2686832 0x28FF70 Unix path: /dev/ffs2/FC_SPM_LMM.dat
2689460 0x2909B4 Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/PROCESS/BASE
2691804 0x2912DC Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/VERSIONS
2694004 0x291B74 Unix path: /dev/fgs/system
2724700 0x29935C Unix path: /dev/ffs/Bluetoothtest.bin
2725584 0x2996D0 Unix path: /dev/ffs/dabtest.bin
2726844 0x299BBC Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/VERSIONS/
2728156 0x29A0DC Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/PROCESS/NAVAPP/
2728928 0x29A3E0 Unix path: /dev/ffs/FC_DOWNLOAD_VER.DAT
2737984 0x29C740 Unix path: /dev/registry/LOCAL_MACHINE
2768532 0x2A3E94 Unix path: /dev/registry/LOCAL_MACHINE
2789948 0x2A923C Unix path: /dev/registry/LOCAL_MACHINE/software/blaupunkt/process/navapp/data_server/app_config
2792032 0x2A9A60 Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/PROCESS/BASE/SPM/APP_THREAD
2798496 0x2AB3A0 Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/VERSIONS/BASE_SW_VERSION
2799952 0x2AB950 Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/PROCESS/BASE/SPM/APP_THREAD
2800116 0x2AB9F4 Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/PROCESS/BASE/SPM/AIF_CONFIG
3027871 0x2E339F Copyright string: "Copyright (c) 1993-2005 Datalight, Inc."
5503142 0x53F8A6 Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/VERSIONS
5768812 0x58066C Unix path: /dev/cryptcard/RT2/RT3.TXT'
6207992 0x5EB9F8 Unix path: /dev/ffs2/burnin
6260754 0x5F8812 Unix path: /dev/ffs/FC_AUDIOPL_LMM.DAT
6418819 0x61F183 Unix path: /dev/ffs/VD_DIMMING_LMM.DAT
6680854 0x65F116 Unix path: /dev/ffs/UAM_LMM.DAT
6735014 0x66C4A6 Unix path: /dev/ffs2/bHA
7562448 0x7364D0 Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/VERSIONS
8124681 0x7BF909 Unix path: /dev/ffs/PDATA_MNGR_LM.DAT
8277662 0x7E4E9E Unix path: /dev/registry/LOC#`w
8505172 0x81C754 Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/VERSIONS
8641485 0x83DBCD Base64 standard index table
9660287 0x93677F Unix path: /dev/ffs/rcerr_%03d.log
12836002 0xC3DCA2 Unix path: /dev/ramdisk/fcsina2L
13107224 0xC80018 Unix path: /bin/nucleus/arion/release/ -IY:/build/nucleus_core/init/nucleus/arion/startup_r/release/ -IY:/build/nucleus_core/init/nucleus/a
16906438 0x101F8C6 Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/VERSIONS
17172108 0x106068C Unix path: /dev/cryptcard/RT2/RT3.TXT'
17611288 0x10CBA18 Unix path: /dev/ffs2/burnin
17664050 0x10D8832 Unix path: /dev/ffs/FC_AUDIOPL_LMM.DAT
17822115 0x10FF1A3 Unix path: /dev/ffs/VD_DIMMING_LMM.DAT
18084150 0x113F136 Unix path: /dev/ffs/UAM_LMM.DAT
18138310 0x114C4C6 Unix path: /dev/ffs2/bHA
18965744 0x12164F0 Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/VERSIONS
19527977 0x129F929 Unix path: /dev/ffs/PDATA_MNGR_LM.DAT
19680958 0x12C4EBE Unix path: /dev/registry/LOC#`w
19908468 0x12FC774 Unix path: /dev/registry/LOCAL_MACHINE/SOFTWARE/BLAUPUNKT/VERSIONS
20044781 0x131DBED Base64 standard index table
23611146 0x168470A Unix path: /dev/acousticout/speech/0
24419594 0x1749D0A Unix path: /dev/acousticout/speech/0
24703242 0x178F10A Unix path: /dev/acousticout/speech/0
25321738 0x182610A Unix path: /dev/acousticout/speech/0
25753354 0x188F70A Unix path: /dev/acousticout/speech/0
25829130 0x18A1F0A Unix path: /dev/acousticout/speech/0
26294538 0x191390A Unix path: /dev/acousticout/speech/0
26782986 0x198AD0A Unix path: /dev/acousticout/speech/0
28001546 0x1AB450A Unix path: /dev/acousticout/speech/0
29254410 0x1BE630A Unix path: /dev/acousticout/speech/0
29594378 0x1C3930A Unix path: /dev/acousticout/speech/0
29674494 0x1C4CBFE MySQL ISAM index file Version 1
32208138 0x1EB750A Unix path: /dev/acousticout/speech/0
Re: Analyze filesystem found in Flash
Posted: 25 Jul 2020, 08:18
by latigido
Hello,
As you see, at bin offset 0x140020 there is an ELF, 32-bit LSB executable, ARM.
So extract this as 140020.elf, load it into IDA as ELF and use ARM little-endian.
After that you can see, for example, this code (note: the ELF partition is extracted from 8S7T-18K931-AD_7612300524_PIN-8367.bin):
SDRAM_RO:900A35D0 BL sub_900A3242 ; SDcard_Signature_check
SDRAM_RO:900A35D4 CMP R0, #0
SDRAM_RO:900A35D6 BNE loc_900A35EE
SDRAM_RO:900A35D8 ADR R0, aSignatureFileS ; "Signature file successfully verified"
...so here you can simply patch the branch "BNE loc_900A35EE" to "NOP"
(using some hex editor, change the two bytes at 0x900A35D6 from 0A D1 to C0 46; this is the opcode of NOP in little-endian).
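An added example (mine, not latigido's and not the unit's firmware) that makes the patch step above checkable instead of done by hand. The address in the listing is a load address: the bytes live at a file offset that only the ELF's PT_LOAD program headers can give (and inside the full flash dump that offset is further shifted by the 0x140020 where binwalk found the ELF). The script parses the ELF32 program headers, lists the entry point and segments, maps 0x900A35D6 to a file offset, verifies that the halfword there really is the BNE to loc_900A35EE (Thumb encoding 0xD10A, bytes 0A D1) and only then writes the Thumb NOP 0x46C0 (bytes C0 46). The ELF it runs on is a constructed stand-in holding just the CMP/BNE pair at the listing's addresses; all function names are mine.

```python
import struct

# ELF32 header and program header (System V ABI), little-endian like this ARM image.
EHDR = struct.Struct("<16sHHIIIIIHHHHHH")   # 52 bytes
PHDR = struct.Struct("<IIIIIIII")           # 32 bytes
PT_LOAD = 1
PF_X, PF_W, PF_R = 1, 2, 4

# Thumb-1 encodings, valid on an ARM926EJ-S (ARMv5TE) such as the OMAP5912.
COND_NE = 0x1
THUMB_NOP = 0x46C0          # MOV r8, r8; stored little-endian as C0 46


def load_segments(elf: bytes):
    """Return (entry, [(vaddr, file_off, filesz, memsz, flags), ...]) for each
    PT_LOAD program header: where the loader puts each piece and what it may do with it."""
    ident, _type, _mach, _ver, entry, phoff, _shoff, _flags, _ehsz, phentsz, phnum, *_ = EHDR.unpack_from(elf, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 1 or ident[5] != 1:
        raise ValueError("not a little-endian ELF32 file")
    segs = []
    for i in range(phnum):
        p_type, p_off, p_vaddr, _paddr, p_filesz, p_memsz, p_flags, _align = PHDR.unpack_from(elf, phoff + i * phentsz)
        if p_type == PT_LOAD:
            segs.append((p_vaddr, p_off, p_filesz, p_memsz, p_flags))
    return entry, segs


def perms(flags: int) -> str:
    """Render p_flags as r/w/x like readelf does."""
    return "".join(c if flags & f else "-" for c, f in (("r", PF_R), ("w", PF_W), ("x", PF_X)))


def va_to_file_offset(elf: bytes, va: int) -> int:
    """Map a load address to the offset of its bytes inside the ELF file."""
    for vaddr, off, filesz, _memsz, _flags in load_segments(elf)[1]:
        if vaddr <= va < vaddr + filesz:
            return off + (va - vaddr)
    raise ValueError(f"{va:#x} is not backed by file bytes in any PT_LOAD segment")


def encode_bcond(cond: int, pc: int, target: int) -> int:
    """16-bit Thumb 'B<cond> target' at address pc: 1101 cond imm8, where
    imm8 = (target - (pc + 4)) / 2 is a signed 8-bit halfword offset."""
    delta = target - (pc + 4)
    if delta & 1:
        raise ValueError("branch target must be halfword-aligned")
    imm8 = delta >> 1
    if not -128 <= imm8 <= 127:
        raise ValueError("target out of range for a 16-bit conditional branch")
    return 0xD000 | (cond << 8) | (imm8 & 0xFF)


def patch_bne_to_nop(elf: bytes, va: int, expected_target: int):
    """Overwrite the 'BNE expected_target' at load address va with a NOP.
    Refuses to write unless the halfword there is exactly that branch, so a wrong
    address or a different firmware build is caught instead of silently corrupted.
    Returns (patched_image, file_offset_of_the_patch)."""
    off = va_to_file_offset(elf, va)
    (insn,) = struct.unpack_from("<H", elf, off)
    want = encode_bcond(COND_NE, va, expected_target)
    if insn != want:
        raise ValueError(f"halfword at {va:#x} is {insn:#06x}, expected BNE {want:#06x}; not patching")
    out = bytearray(elf)
    struct.pack_into("<H", out, off, THUMB_NOP)
    return bytes(out), off


# --- constructed sample ELF: one PT_LOAD holding the CMP/BNE pair from the listing ----
def build_sample_elf(vaddr: int, code: bytes) -> bytes:
    phoff = EHDR.size
    data_off = phoff + PHDR.size
    ident = b"\x7fELF\x01\x01\x01" + bytes(9)   # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    ehdr = EHDR.pack(ident, 2, 40, 1, vaddr, phoff, 0, 0, EHDR.size, PHDR.size, 1, 0, 0, 0)  # ET_EXEC, EM_ARM
    phdr = PHDR.pack(PT_LOAD, data_off, vaddr, vaddr, len(code), len(code), PF_R | PF_X, 4)
    return ehdr + phdr + code

CODE_VA = 0x900A35D4
SAMPLE_ELF = build_sample_elf(CODE_VA, struct.pack("<HH", 0x2800, 0xD10A))  # CMP R0,#0 ; BNE +0x14

if __name__ == "__main__":
    entry, segs = load_segments(SAMPLE_ELF)
    print(f"entry {entry:#010x}")
    for vaddr, off, filesz, memsz, flags in segs:
        print(f"  LOAD {perms(flags)} vaddr {vaddr:#010x} file+{off:#x} filesz {filesz:#x} memsz {memsz:#x}")
    patched, off = patch_bne_to_nop(SAMPLE_ELF, 0x900A35D6, 0x900A35EE)
    print(f"patched file offset {off:#x}: {SAMPLE_ELF[off:off+2].hex()} -> {patched[off:off+2].hex()}")
```

On the carved 140020.elf the same call gives the offset to hand to the hex editor; add 0x140020 to it to land on the same bytes in the full dump. The pre-check is the part worth keeping when touching a real unit: another build of the firmware puts other bytes at that offset, and the patch should fail loudly rather than NOP an unrelated instruction.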
Re: Analyze filesystem found in Flash
Posted: 25 Jul 2020, 09:26
by Go4IT
OK, please let me recap this: how to extract the ELF? Using "binwalk -d 'elf' dump.bin" or just by removing everything prior to 0x140020 from the hex file, yes?
Next, load this into IDA Pro; by default it will ask for ARM Thumb little-endian, which looks good to me.
1.) IDA then scans through the whole image and determines a lot of subs and segments. Could you tell more about it?
IDLE_ENTRY
POWER_MODE
SDRAM_INIT
SDRAM_RO
DOE_SDRAM_RO
TESTCODE_RO
Where did the descriptors come from? The developers?
2.) The "start" seems to be the entry point of the software at 0x9000 0000 (so this is a relative offset in the address range of the OMAP, right?)
3.) SDRAM_RO:90000178 ADR R2, aStartFordHsrns ; "** Start FORD HSRNS System "
Sounds pretty cool. So there may be some debug output facility somewhere, right? How to find out where this is going? Maybe a serial output...
Oh, I've got so many questions! I find this all exciting and want to learn more from you!
Re: Analyze filesystem found in Flash
Posted: 25 Jul 2020, 09:28
by Go4IT
latigido wrote: ↑25 Jul 2020, 08:18
...so here you can simply patch the branch "BNE loc_900A35EE" to "NOP"
(using some hex editor, change the two bytes at 0x900A35D6 from 0A D1 to C0 46; this is the opcode of NOP in little-endian).
Mate, you are such a genius! Could it be that easy?!
Let's find this damned PIN algo...
Re: Analyze filesystem found in Flash
Posted: 25 Jul 2020, 09:31
by latigido
OK, I will search for it.
Re: Analyze filesystem found in Flash
Posted: 26 Jul 2020, 06:20
by DGAlexandru
We already have this patch for the NX SD version (NX NCA) available on the Internet for at least 3 years... but finding more things like this maybe will let us get more out of these audio units.
Great job!
Re: Analyze filesystem found in Flash
Posted: 26 Jul 2020, 09:52
by Go4IT
With binwalk we again learn a lot about the internals of the firmware and how it is made. An ELF is something like an executable image (correct me if I'm wrong!). It contains some regions (segments) and tells the OS which loads and executes it where to put them in memory, what to call to start it up and which parts of the image may only be read, read/written or executed. It could also contain statically bound (included) libraries.
In the above case the target location of the image (0x9000 0000) points into the external SDRAM (EMIFF) area of the OMAP system, which starts at 0x8000 0000 in our configuration of the FX (see Memory Map). So it means that the ELF will be transferred into SDRAM and gets executed there.
So for me, the ELF is the main software running on top of the operating system (RTOS). I wonder how it gets loaded and executed? This must be part of some boot process. I also wonder if the ELF itself is stored as part of a filesystem or if the bootloader knows it by its address in Flash? As the RTOS does not need a filesystem, but we know it has support for one, it could be either way.
So what do we have right now?
a) 0x0000 0000: The boot/reset vector table
b) The secondary bootloader code (called by the primary bootloader, which sits in the ROM of the OMAP chip)
c) An RTOS kernel image in Flash
d) An ELF application image in Flash
e) Some stack in RAM
f) Some variable data area in RAM
g) A filesystem of some kind in Flash
h) A memory-mapped IO region to address external and internal peripherals
Let's see if we get this together in a big picture.