Mounting file system EFS from flash dump

Hi everyone,

Here is my problem:
A couple of weeks ago, I dumped flash memories that contain an IFS/EFS file system. It is distributed across two flash memories of 64 MB (GL512).

After some research, I found a topic on QNX Community (community.qnx.com/sf/discussion/ … .topc26570) that explains how to mount this kind of file system.

Here are the commands I wrote, drawing on the topic:

devf-ram -vvv -s0,128m,256k

flashctl -p /dev/fs0 -ev

#cp -V /home/flash.bin /dev/fs0 ← this one doesn’t work; flash.bin is my flash dump, and its size is precisely 128 MB.

Unfortunately, the “cp” command doesn’t work and I’m stuck at this point.

I attempted to use the commands described on a page of QNX Developer support (qnx.com/developers/docs/6.3. … html#FLASH):

cat ipl_image flash_image > /dev/fs0

slay devf-ram

devf-ram &

But, again, no result.
I know that it is possible, because the commands dumpifs and dumpefs can describe the content of the file system, but it seems I’m not using the right command.

For information, I work with the QNX Neutrino VM downloaded from the QNX site.
Could someone help me mount the file system?

Regards,
Max


For the record:
I work with the QNX Neutrino VM from the QNX site

Did you do the steps exactly in the order shown here:
qnx.com/developers/docs/6.3. … html#FLASH

devf-ram &

flashctl -p /dev/fs0 -ev

hd /dev/fs0 <— What does this show (should be all 0xff)?

cat flash.bin > /dev/fs0

slay devf-ram

devf-ram &

hd /dev/fs0 <— What does this show now (should not be all 0xff)?

Tim

Hi Tim,

I wrote the commands like shown in the doc, but something is going wrong.

I will run a new test tomorrow morning and report the result. Maybe the commands I wrote before interfered with the proper functioning of the correct commands.

Thanks for your help, I will report the result as soon as I have tested the commands.

Max

Hi Tim,

I’ve tested again, and I’m still stuck with mounting the flash file system.

There is 0xFF after the flashctl command.

I have my flash dump in /dev/fs0, no problem.

But again, I’m stuck with mounting the file system.
I’ve tested the following commands with no results:

mount /dev/fs0 /fs/flash/

mount -t F3S /dev/fs0 /fs/flash/

mount -t ffs3 /dev/fs0 /fs/flash/

mount -t ETFS /dev/fs0 /fs/flash/

I get the same result every time:

mount: Can’t mount /dev/fs0 (Type xxx)

mount: Possible reason: Resource busy

I had the same kind of result when I tried to mount QNX4/6 partitions without the file system type given in the mount command.
Then, when I used the right parameters, the mount command worked fine.
But in this case, I can’t manage to find the right parameter for this file system.

The most infuriating thing is that I can see the content of my dump with the commands dumpifs and dumpefs.

Any idea of what I can do?

Max

What does fdisk report about the partitions/filesystem type?

#fdisk /dev/fs0

I assume you do understand that this ‘ifs’ is a self contained filesystem that can’t be mounted as anything besides /

qnx.com/developers/docs/660/ … Image.html

If you are looking to access specific contents in the ifs you should use the dumpifs tool to extract the files you are interested in.

Tim

Hi Tim,

The fdisk command replies: DCMD_CAM_DEVINFO: No error. I haven’t found any information on this that corresponds to my case.

I know the layout of the IFS file system: in the first part there is the IFS itself, and after it there are two or three EFS (three in my case).
I’m not interested in the files within the IFS, but in those within the EFS.

Unfortunately, my knowledge of the commands dumpifs and dumpefs isn’t sufficient to achieve any file extraction.
What’s more, I need all the files that are present in the EFS.

In your opinion, could the version of QNX on the system from which I made the flash dump and the version of my QNX virtual machine be a source of the problem and prevent the IFS from mounting properly in the VM?

For information, I’m not a developer, I work in forensic IT at a criminal lab, and I don’t have the QNX SDK. This is why I’m trying to solve this problem this way. I have already analyzed the main memory of the system (an eMMC with QNX6 partitions), but there was nothing interesting for me there.

When I took a look inside the body of the analyzed system, I found two more flash memories. I unsoldered them, dumped them and merged the data from the two flash memories (a sort of RAID 0 with a stripe of two bytes). After a long investigation of the data, I found important data for my case, but out of context. With a colleague, we started to reverse engineer the organization of the data (EFS part).

We had good results with this analysis, but some elements remained mysterious to us, in particular how the files are organized. My colleague finally found that the QNX OS has a special file system for its flash memories, and at this point we had discovered almost the entire method to mount it, but we are stuck at the mounting step.

All suggestions are welcome for extracting the files that are contained in the EFS.

Thanks for your help.

Regards,
Max
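The reassembly described in the post above (two equal chip dumps merged with a two-byte stripe) together with the all-0xFF check from the earlier reply, as an added Python example that is not part of the original thread. The function names are hypothetical, the chip order (chip A first) is an assumption, the block size passed to `erased_units` must be supplied by the examiner, and the sample bytes are constructed.

```python
import hashlib

STRIPE = 2  # bytes taken from each chip in turn, as described in the post


def interleave(chip_a: bytes, chip_b: bytes, stripe: int = STRIPE) -> bytes:
    """Rebuild the logical image: `stripe` bytes from A, then `stripe` from B."""
    if len(chip_a) != len(chip_b):
        raise ValueError("chip dumps differ in size; one read may be truncated")
    if len(chip_a) % stripe:
        raise ValueError("dump size is not a multiple of the stripe width")
    out = bytearray(2 * len(chip_a))
    for k in range(stripe):
        out[k::2 * stripe] = chip_a[k::stripe]
        out[stripe + k::2 * stripe] = chip_b[k::stripe]
    return bytes(out)


def deinterleave(image: bytes, stripe: int = STRIPE) -> tuple[bytes, bytes]:
    """Inverse of interleave(); proves the merge lost or moved nothing."""
    if len(image) % (2 * stripe):
        raise ValueError("image size is not a multiple of two stripes")
    half = len(image) // 2
    a, b = bytearray(half), bytearray(half)
    for k in range(stripe):
        a[k::stripe] = image[k::2 * stripe]
        b[k::stripe] = image[stripe + k::2 * stripe]
    return bytes(a), bytes(b)


def erased_units(image: bytes, unit: int) -> int:
    """Count `unit`-sized blocks that are entirely 0xFF (erased flash)."""
    blocks = (image[off:off + unit] for off in range(0, len(image), unit))
    return sum(block.count(0xFF) == len(block) for block in blocks)


def sha256_hex(data: bytes) -> str:
    """Digest to record for each chip dump and for the merged image."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two 8-byte "chips"; chip B ends in erased bytes.
    chip_a = bytes.fromhex("a0a1a2a3a4a5ffff")
    chip_b = bytes.fromhex("b0b1b2b3ffffffff")
    image = interleave(chip_a, chip_b)
    assert deinterleave(image) == (chip_a, chip_b)
    print(image.hex(), erased_units(image, 4), sha256_hex(image))
```

Recording the digests of both chip dumps and of the merged image before anything is written to /dev/fs0 lets the copy on the emulated flash be compared against the evidence afterwards.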

Why don’t you try this:

defcon.org/images/defcon-22 … rmware.pdf

And here is the python program used to dump the efs filesystem files.

github.com/unbe/dumpefs-parser
github.com/unbe/dumpefs-parser/ … /efsasm.py

Tim

Hi Tim

I have considered your suggestions.

As for the PDF from Defcon, I had already found it a while ago, but the script extracts nothing in my case (I know, I keep accumulating problems :cry: ).

I tried the Python script too, but again, it’s not working. There is a traceback about one of the functions in the script, but I couldn’t see what the problem is.
There is no explanation in the readme.md on GitHub except the commands we have to enter. Nothing specific about the Python version.

My own Python script is almost complete, and soon I will be able to test it.

Thank you very, very much for your time. All the elements you gave allowed me to go further in my analysis, and that is no small thing for me; it’s an awesome time saver.

When it’s complete, I will report my results here.

Regards,
Max