nlitsme / eimgfs

Tool for editing Windows CE/Mobile firmware images.
MIT License

Windows Embedded Automotive 7 - Filesystem? #10

Closed Wh1terat closed 11 months ago

Wh1terat commented 1 year ago

Just want to say thank you for all of your work over the years; it's been ~15 years (Wizard era!) since I last delved into WinCE/WM. Having recently returned due to a project, I see the community (what's left of it) is still heavily reliant upon your hard work!

I'm working on a car radio running Windows Embedded Automotive 7 - a very limited environment to start with.

I managed to get serial access and then get to one of the test modes in the bootloader for memory read/write/test and from there slowly dump over serial.

eimgfs finds the 2 bootloaders (XIPs with a single nk in each) and the traditional XIP, which extracted perfectly (thank you!). However, there's some kind of filesystem I can't identify; looking at the dump, the strings marry up with a series of PEs, but there is no recognisable PE header.

Appreciate this is not an issue/bug, but any help or pointers would be greatly appreciated!

BL 0x00000000, BL2(?) 0x00060000, XIP 0x001c0000

Believed filesystem start is around 0x00AC0000

Dump: https://filebin.net/1fxqva7tx40iths5/0xa0000000.bin

nlitsme commented 11 months ago

I don't yet understand how the XIP section at 0x9b5b80 is structured; it has two copies of the romhdr + toc: 0293ce58-0293f8b8 == 009b6b80-009b95e0

Somehow all the filename pointers seem not to point to strings, so either some part was overwritten, or maybe shifted to a different location.

This is roughly the structure of the file:

00000000-0002560c   ECEC  97c23c60 00023c60  base=0x97c00000  romhdr=00023c60   eimgfs -v -list -info -o 0 0xa0000000.bin

0002560c-00040000   empty: 0x00
00040000-000402c0   'PROD1...'  
000402c0-000442c0   empty: 0xff
000442c0-00044314   ?
00044314-00048000   empty: 0xff
00048000-000482c0   'PROD2...'  
000482c0-0004c2c0   empty: 0xff
0004c2c0-0004c314   ?
0004c314-00060000   empty: 0xff

00060000-00064100   ECEC  a0053e60 00003e60  base=0xa0050000  romhdr=00063e60   eimgfs -v -list -info -o 0x60000 0xa0000000.bin

00064100-00080000   empty: 0x00
00080000-00080080   'PRV1'
00080080-000e0000   empty: 0xff
000e0000-000e23a8   'CONF'
000e23a8-00160000   empty: 0xff   
00160000-00160200   ?
00160200-00170000   empty: 0x00
00170000-00170200   ?
00170200-00180000   empty: 0x00

00180000            ?
00180200-001a0000 == 00000200-00020000   duplicate
001a0000            ?
001a0b00-001c0000 == 00000b00-00020000   duplicate

001c0000-009B5B80   ECEC  8824f0a0 0024f0a0  base=0x88000000  romhdr=0040f0a0   eimgfs -v -list -info -o 0x1c0000 0xa0000000.bin
 001c2ab8-           ECEC  8e10004c 0000004c  base=0x8e100000  romhdr=001c2b04   -- embedded within nk.exe  'ObjSubstance.skn'
009b5b80-           ECEC  8b6b0a58 02e70a58  base=0x88840000  romhdr=0293ce58
009ba904-00abfff0   empty: 0x00
0293ceac-0293f3ec  mod hdrs : 0x12a  == 009b6bd4-009b9114  mod hdrs : 0x12a
0293f3ec-0293f8bc  file hdrs : 0x2c  == 009b9114-009b95e4  file hdrs : 0x2c
0293f8bc-029a0000   empty: 0x00
029a0000-02ae0000   empty: 0xff

...
03d80030-03fa0000   empty: 0x00

...
03fa0308-03fc0000   empty: 0xff
...
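As an added example (not part of nlitsme's comment or of eimgfs itself), the following shows how the columns in the listing above relate: the DWORD after the `ECEC` signature is the physical address of the ROMHDR, `base` is the header's `physfirst`, and the "mod hdrs"/"file hdrs" counts fall out of the 0x20-byte module and 0x1c-byte file entries that follow the 0x54-byte ROMHDR. Field offsets come from the Windows CE `romldr.h`; the assumption that a region is mapped contiguously from its `physfirst` is what lets the pointer be turned into a file offset, and a region where no header agrees with its pointer (like the fourth one above) is reported as inconsistent. The sample image is constructed, not taken from the dump.

```python
import struct

ROM_SIGNATURE_OFFSET = 0x40   # "ECEC" sits 0x40 bytes into an XIP region (romldr.h)
ROMHDR_SIZE = 0x54            # sizeof(ROMHDR): physfirst @+8, physlast @+0xc, nummods @+0x10, numfiles @+0x30
TOCENTRY_SIZE = 0x20          # one module header ("mod hdrs" in the listing above)
FILESENTRY_SIZE = 0x1c        # one file header ("file hdrs")

def find_xips(img):
    """Yield file offsets of candidate XIP regions: every 'ECEC' that could sit at +0x40."""
    pos = img.find(b"ECEC")
    while pos != -1:
        if pos >= ROM_SIGNATURE_OFFSET:
            yield pos - ROM_SIGNATURE_OFFSET
        pos = img.find(b"ECEC", pos + 4)

def parse_xip(img, xip_start, scan_limit=0x400000):
    """Locate and sanity-check the ROMHDR of the XIP at xip_start; None if inconsistent.

    The DWORD after 'ECEC' is the physical address of the ROMHDR.  Assuming the region is
    mapped contiguously from physfirst, the header lies at xip_start + (ptr - physfirst);
    physfirst is itself a ROMHDR field, so scan for the one offset h satisfying that.
    """
    (ptr,) = struct.unpack_from("<I", img, xip_start + ROM_SIGNATURE_OFFSET + 4)
    end = min(len(img) - ROMHDR_SIZE, xip_start + scan_limit)
    for h in range(xip_start + ROM_SIGNATURE_OFFSET + 8, end, 4):
        physfirst, physlast, nummods = struct.unpack_from("<8xIII", img, h)
        if not (physfirst < ptr < physlast and ptr - physfirst == h - xip_start):
            continue
        (numfiles,) = struct.unpack_from("<I", img, h + 0x30)
        toc_end = h + ROMHDR_SIZE + nummods * TOCENTRY_SIZE + numfiles * FILESENTRY_SIZE
        return {"xip_start": xip_start, "base": physfirst, "romhdr": h,
                "nummods": nummods, "numfiles": numfiles, "toc_end": toc_end,
                "toc_ok": toc_end <= xip_start + (physlast - physfirst) <= len(img)}
    return None  # no ROMHDR agrees with the signature pointer: overwritten or shifted

def build_sample_xip(base=0x88000000, romhdr_off=0x100, nummods=2, numfiles=1,
                     size=0x1000, corrupt=False):
    """Constructed test data (not from the dump): a minimal XIP, optionally with a stale pointer."""
    img = bytearray(size)
    img[0x40:0x44] = b"ECEC"
    struct.pack_into("<I", img, 0x44, base + romhdr_off + (0x10000 if corrupt else 0))
    struct.pack_into("<5I", img, romhdr_off, base, base + size, base, base + size, nummods)
    struct.pack_into("<I", img, romhdr_off + 0x30, numfiles)
    return bytes(img)

if __name__ == "__main__":
    image = build_sample_xip() + build_sample_xip(corrupt=True)   # good XIP, then a stale one
    for start in find_xips(image):
        print(hex(start), parse_xip(image, start))
```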
Wh1terat commented 11 months ago

I really appreciate you taking the time to look into this 😃

Glad it's not just me that thinks it's a little odd 😛

There appear to be both a number of sections (that you've noted) such as PROD1 and PROD2 (these contain model number, part number, serial number, etc.) and then a series of "chunks" with some kind of header (searching for "SUM4" highlights these; they seem to be at 0x30 or 0x80 from the start of the chunk).

Unicode strings would indicate that the filesystem is contained. It seems odd to me to not compress strings (especially Unicode) but still strip the PE header.

Unfortunately it's a bit of a catch-22 in that I need the filesystem in order to find a better, higher level method of access 🤦 The flash on this unit is BGA too which exceeds my capabilities (SOP/TSSOP) to remove and read.

nlitsme commented 11 months ago

Could it be that the three intact XIP sections are all there is? The third one contains 112 files, and the first two both contain an nk.exe.

Possibly the fourth, corrupted one is a remnant of various upgrades and overwrites.