Hi Ron,

On Thu, 3 Jan 2019 at 20:52, Ron Bowes <ron@xxxxxxxxxxxxxxxxx> wrote:
>
> Hey Linux-mtd folks,
>
> I'm a security consultant that does a variety of different consulting
> work for our customers. In my current project, I'm trying to read a
> UBI filesystem from a flash-chip dump, but I'm having a lot of
> trouble. I've tried to use both the MTD userland tools (from you
> folks) and ubi-reader (from https://github.com/jrspruitt/ubi_reader).
>
> I'm struggling to understand the filesystem, and it seems to be - at
> least initially - because the VID header is offset by 0x40 bytes from
> where I think it should be. I was wondering if anybody recognizes
> what's going on here, and can help point me in the right direction?
>
> I've been working directly on the file dump in a hex editor right now,
> and I see why the tools are struggling, but I don't understand why.
>
> In the image, the block sizes are 0x21000 bytes, the VID header is at
> offset 0x800, and the data offset is 0x1000. The first block is empty,
> but here's the second EB block header:
>
> ```
>           ---magic--- ver - - - --------- EC --------------
> 00021000: 55 42 49 23 01 00 00 00 00 00 00 00 00 00 10 0d  UBI#............
>           vid_hdr_off data_offset -image_seq- --padding--
> 00021010: 00 00 08 00 00 00 10 00 8b 19 3b a0 00 00 00 00  ..........;.....
>           --------------------------padding--------------------------
> 00021020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>           -----------------padding------------------- ----crc----
> 00021030: 00 00 00 00 00 00 00 00 00 00 00 00 c4 b3 6f 75  ..............ou
>
> 00021040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> ...empty...
> 000217f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> ```
>
> That all looks legit. It lists the vid_hdr_offset as 0x800, and the
> data_offset at 0x1000. Looks good so far!
>
> If I fast forward to 0x800 bytes into the block, where I'd expect to
> see the VID header, I see:
>
> ```
> 00021800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
> 00021810: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
> 00021820: 12 2e e1 ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
> 00021830: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
> ```
>
> It appears that the checksum is set, but nothing else at all,
> including the 'magic'. However, if I go an additional 0x40 bytes to
> 0x840 from the start of the block, I see what appears to be a UBI VID
> header (starts with 'UBI!'):
>
> ```
>                         type  compat
>           ---magic--- ver   copy  --vol_id--- ---lnum----
> 00021840: 55 42 49 21 01 01 00 00 00 00 00 00 00 00 01 18  UBI!............
>
>           ----pad---- -data_size- -used_ebs-- data_padding
> 00021850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>
>           data_crc padding ----------seq_num----------
> 00021860: 00 00 00 00 00 00 00 00 00 00 00 00 00 7e 0c ad  .............~..
>
>           ------------------padding------------------ ----crc----
> 00021870: 00 00 00 00 00 00 00 00 00 00 00 00 bc b0 9f 45  ...............E
>
> 00021880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> ...empty...
> 00021ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> ```
>
> It doesn't look 100% perfect, but it does start with the "UBI!" magic
> and apparently has a CRC32 at the end.
>
> If I go to 0x1000 offset from the start, it looks like it could be a
> data block, but I haven't gotten far enough to know what that's
> supposed to look like yet. I'm still working through the headers.
>
> I haven't dug super deep into the RFC or docs just yet, just the list
> of headers. But I thought maybe somebody here with a deeper knowledge
> might tell me if I'm on the right track.
>
> Can anybody help me understand what I'm looking at? And how I can
> either mount or extract this?
>
> Thanks!

What are the flash parameters? Is it NAND or NOR? What's your page size,
oob size etc.?

Assuming you have a NAND flash, a first guess would be that your flash
chip dump also contains the pages' OOB data after every page. If your
page size is 2048 (0x800) bytes and OOB size is 64 bytes (0x40), that
would explain why the VID header is 0x40 bytes offset, since those extra
0x40 bytes are filled with OOB data.

/Emil

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
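
The layout suggested in the reply can be checked against the header bytes quoted in the thread: 0x21000 is exactly 64 pages of 0x800 + 0x40 bytes. The script below is an added example, not code from the thread, mtd-utils or ubi_reader. It assumes 2048-byte pages each followed by 64 bytes of OOB (the reply's guess); the helper names and the sample block built around the quoted header bytes are constructed for illustration.

```python
import struct

PAGE, OOB = 0x800, 0x40   # assumed geometry from the reply: 2048-byte page, 64-byte OOB
RAW_PEB = 0x21000         # block size observed in the raw dump

# First bytes of the EC and VID headers as quoted in the post.
EC_HDR = bytes.fromhex("5542492301000000000000000000100d00000800000010008b193ba0")
VID_HDR = bytes.fromhex("55424921010100000000000000000118")

def strip_oob(raw, page=PAGE, oob=OOB):
    """Drop the OOB bytes that follow every page in a raw NAND dump."""
    stride = page + oob
    if len(raw) % stride:
        raise ValueError("dump length is not a multiple of page+OOB")
    return b"".join(raw[i:i + page] for i in range(0, len(raw), stride))

def parse_ec_header(peb):
    """Return (vid_hdr_offset, data_offset) from a big-endian UBI EC header."""
    magic, _ver, _ec, vid_off, data_off, _seq = struct.unpack_from(">4sB3xQIII", peb)
    if magic != b"UBI#":
        raise ValueError("no EC header magic at start of block")
    return vid_off, data_off

def vid_magic_ok(peb):
    """True if the VID magic sits where the EC header says it should."""
    vid_off, _ = parse_ec_header(peb)
    return peb[vid_off:vid_off + 4] == b"UBI!"

def build_sample_raw_peb():
    """Constructed sample: one erase block with OOB interleaved after each page."""
    pages = [EC_HDR.ljust(PAGE, b"\x00"), VID_HDR.ljust(PAGE, b"\x00")]
    pages += [b"\xff" * PAGE] * (RAW_PEB // (PAGE + OOB) - 2)
    return b"".join(p + b"\xff" * OOB for p in pages)

if __name__ == "__main__":
    raw = build_sample_raw_peb()
    print("raw block   :", hex(len(raw)), "VID magic at 0x800:", vid_magic_ok(raw))
    clean = strip_oob(raw)
    print("without OOB :", hex(len(clean)), "VID magic at 0x800:", vid_magic_ok(clean))
    print("offsets from EC header:", [hex(x) for x in parse_ec_header(clean)])
```

If the length check in `strip_oob` fails on a real dump, the page and OOB sizes are not the assumed ones and should be taken from the flash chip's datasheet.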