Dangerous Prototypes

General Category => General discussion => Topic started by: Ramazuri on January 08, 2020, 11:49:03 am

Title: Getting access to the content of a SquashFS filesystem
Post by: Ramazuri on January 08, 2020, 11:49:03 am
Hello everyone,

I bought myself a while ago a BusPirate to retrieve the content of a NAND Flash via SPI.
After some inicial trouble I managed to dump the entire flash. Unfortunately I am having a big issue with analyzing the filesystem that is part of it. I was hoping that someone has an idea what I can do.

First of all let me tell you what I already did. I gave the dump binwalk as input and extracted the content with the
Code: [Select]
binwalk -Me
So far so good. I knew that I was dealing with a squashfs filesystem, so I installed sasquatch just in case that some weird modification was used that unsquashfs couldn't handle.
Unfortunately sasquatch couldn't handle it either. The whole thing seemed pretty suspicious to me so I took a look at the binary and I found something weird.
The binary started with a squashfs header obviously but afterwards there is a pretty big area before the actual content of the filesystem starts that consists of a periodically repeating Byte structure (16 * 0xff followed by a 0x01 Byte). Also there are UBI signatures appearing throughout the entire binary.
I think the squashfs was running on top of a UBI device and that is why sasquatch couldn't extract it. Does anyone had to deal with a similar situation before and knows what I can do to mount it or to extract the files that it contains?