nlitsme
commented
4 years ago Can you post a copy of your binary somewhere? So i can have a look at it?
Closed Aztorius closed 4 years ago
nlitsme
commented
4 years ago Can you post a copy of your binary somewhere? So i can have a look at it?
Aztorius
commented
4 years ago I wish i could, but for legal reasons i cannot share that particular firmware. I will try to send you a small part of the file where no personal information are included.
nlitsme
commented
4 years ago Btw, those 'failed to load dll' messages, you can fix them by copying the dlls into the same directory as the 'eimgfs' binary is. It will work on linux too.
Aztorius
commented
4 years ago Ok thanks. I will send you the firmware this week.
Aztorius
commented
4 years ago So, I dig into the firmware image and I extracted the "main" FAT32 partition to be able to mount it and recover files, but it seems that it is not working properly (no files, dosfsck runs forever or just do nearly nothing). Do you know some differences between the FAT32 used in WinCE and the "popular" FAT32 ? For now I am developing a custom script to parse FAT infos and trying to find where is the culprit and eventually extract the files. I think the FAT RootDirectory may be empty thus it may explain why I have no files shown when mounting the filesystem. I have also a lot of small ExFAT partitions but I am not interested in their content for now.
nlitsme
commented
4 years ago Maybe it uses a non standard sectorsize? I have some tools for analyzing / extracting stuff from fat images too: https://github.com/nlitsme/fatutils Also, 7-zip often is able to extract files from fat partitions.
Aztorius
commented
4 years ago Well it seems something is wrong with this partition. It should be a FAT32 of 1GB.
$ ./fatdump.py ~/O2.fat32.all --listfiles
==> /home/xxxxx/O2.fat32.all <==
b'f8fffffffffffff7ffffff0fffffff0f'
fat type from header(FAT32) is different from that of the fat(FAT16)
cluster reader: off=0, c2o=1cf000, cs=800
error decoding date 2107-15-31
error decoding date 2107-15-31
error decoding date 2107-15-31
error decoding date 2107-15-31
error decoding date 2107-15-31
error decoding date 2107-15-31
error decoding date 2107-15-31
[...]If you could show me a sample, i might be able to tell what is wrong. There are many ways to encode filesystems, for instance: maybe this is an image which has chunks interleaved with non-filesystem blocks every so often. Or maybe your image has a flash wearleveling layer that needs to be decoded first.
You may be able to tell, if you look at the hexdump of the image.
Aztorius
commented
4 years ago Ok. I finally found the problem. The flash is in fact partially incorrect. There are blocks of bytes that are 0xFF (megabytes of them). Most important : The end of the FAT and the Root Directory are within a 0xFF block thus no directory or files are found in the entire filesystem. I will manage to analyse the data section to recover files. Thanks a lot for your help ! Your tool was right to crash with these corruptions.
Hi ! Thanks a lot for this tool. I have a 1GB firmware image of a GPS that contains WinCE files and programs. The firmware extracted may be partially corrupted (less than 20 bits over 1GB may be flipped). My goal is to extract all files from the firmware image. eimgfs is detecting an xip filesystem and then crashing on a seg fault (on Linux and on Windows as well).
I believe the first 4 lines are only missing libraries on Linux and does not appear on Windows. On both platform eimgfs crashes. I found the offset by using binwalk on the file :
Any idea ?
Thanks.