Re: [Yaffs] Access to files on a YAFFS2 image

Author: McCash John-GKJN37
Date:  
To: yaffs
Subject: Re: [Yaffs] Access to files on a YAFFS2 image
Hi Folks,

Please CC me on any responses. I'm a forensic analyst, and I'm working on a
process for analyzing YAFFS2 filesystem dumps from Android phones. We've been
able to get onto the phones as root via adb, and extracted raw dumps of all
the ro mtd devices via dd ("dd if=/dev/mtd/mtd2ro of=/sdcard/mtd2ro.dd
bs=4096" for example).

                We were initially expecting to mount these images on a
YAFFS2-enabled Ubuntu Linux system (with YAFFS kernel compile options
configured the same as those in the phone kernel) via the loop device,
as we would with ext2, but this doesn't work. Then we tried using
block2mtd, but that emulates a NOR device, and we can't mount an
emulated NOR device as YAFFS2. Then we tried unyaffs, but it just says
"broken image file" and exits.




                Finally, we tried using nandsim (modprobe nandsim
first_id_byte=0x20 second_id_byte=0xac third_id_byte=0x00
fourth_id_byte=0x15 parts=0x18,0x456,0x6FC,0x2,0x28,0x300,0x4), and
writing our extracted images into one of the emulated nand flash
devices.  When we write the image files in with dd, the operation
appears to succeed, but when we mount the associated block device, we
see an empty lost+found directory, and nothing else. We tried writing
the image back with "nandwrite -a -o", but it complains that our dd
image is not page-aligned. We understand that the -o option is essential
to correctly writing a YAFFS2 image, and the -p option is incompatible
with it. In any case, when we tried using -p, we got the same result as
with dd.




                We've also heard that dd may not capture all data from
an mtd device (Can anybody explain why?), and that we should be using
nanddump. After this we also tried writing one of the test images
(userdata.img) from the Android SDK using "nandwrite -a -o". This
appears to succeed, but when we mount the result, we again get just an
empty lost+found directory, and nothing else, suggesting there's
something wrong with our write methodology.




                Can someone who really understands how mtd devices and
YAFFS2 work look at this, and tell us if we're doing something
fundamentally wrong? Can anyone suggest an alternative methodology for
performing a YAFFS2 filesystem dump and examining its constituent files
offline?




                                Thanks much


                                                John McCash




----------------------------------------------------------

Quis custodiet ipsos custodes?... I do!
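Editor's note on the question above, with an added example that is not part of the original message. YAFFS2 keeps its per-chunk tags (sequence number, object id, chunk id, byte count) in the NAND spare/OOB area, not in the data area. Reading /dev/mtdN with dd returns only the data area, so a dd image contains no tags at all: unyaffs reports a broken image and a mounted nandsim copy shows nothing but lost+found, because there are no objects to find. nanddump with its OOB option preserves the spare area, and that interleaved data+OOB layout is what nandwrite -o expects, which is also why a data-only dd image is rejected as not page-aligned. The script below, written for this note and not taken from the yaffs project, walks such a data+OOB image offline and lists the objects and file contents in it. It assumes 2048-byte pages with a 64-byte spare, packed tags at offset 0 of the spare and the yaffs_obj_hdr field offsets used by mkyaffs2image; the image it parses is constructed inline as sample data, and the geometry check at the top is the first thing to run on a real dump.

```python
import struct

# Geometry assumed for this example: 2048-byte pages with a 64-byte spare
# (OOB) area, the layout used by the Android SDK's mkyaffs2image output.
PAGE = 2048
OOB = 64
CHUNK = PAGE + OOB

# yaffs_packed_tags2, tags-only part: seq_number, obj_id, chunk_id, n_bytes
# as little-endian u32, assumed to sit at offset 0 of the spare area.
TAGS_FMT = "<IIII"
ERASED = 0xFFFFFFFF
EXTRA_HEADER_FLAG = 0x80000000   # chunk_id flag: chunk is an object header
OBJ_ID_MASK = 0x0FFFFFFF         # object type is packed into the top nibble

# yaffs_obj_hdr prefix: type, parent_obj_id, unused checksum, 256-byte name
HDR_FMT = "<IIH256s"
FILE_SIZE_OFF = 292              # yst_mode..yst_ctime occupy bytes 268..291
OBJ_TYPES = {1: "file", 2: "symlink", 3: "dir", 4: "hardlink", 5: "special"}
RESERVED = {1: "", 2: "lost+found", 3: "unlinked", 4: "deleted"}  # fixed ids


def guess_geometry(size):
    """Tell whether a dump looks like data+OOB, data only, or neither."""
    if size % CHUNK == 0:
        return "data+oob"
    if size % PAGE == 0:
        return "data-only"
    return "unaligned"


def parse_image(img):
    """Return (headers, data): newest header per object id and its data chunks."""
    entries = []
    for i in range(len(img) // CHUNK):
        page = img[i * CHUNK:i * CHUNK + PAGE]
        spare = img[i * CHUNK + PAGE:(i + 1) * CHUNK]
        seq, obj_id, chunk_id, n_bytes = struct.unpack_from(TAGS_FMT, spare, 0)
        if seq == ERASED or obj_id in (0, ERASED):
            continue                       # erased or never-written chunk
        if chunk_id & EXTRA_HEADER_FLAG:   # newer yaffs2 packs extras here
            obj_id &= OBJ_ID_MASK
            chunk_id = 0
        entries.append((seq, i, obj_id, chunk_id, n_bytes, page))
    headers, data = {}, {}
    # Replay in sequence order so a later header or chunk overrides an older one
    for seq, i, obj_id, chunk_id, n_bytes, page in sorted(entries, key=lambda e: e[:2]):
        if chunk_id == 0:
            otype, parent, _sum, raw_name = struct.unpack_from(HDR_FMT, page, 0)
            size = struct.unpack_from("<I", page, FILE_SIZE_OFF)[0]
            name = raw_name.split(b"\x00", 1)[0].decode("utf-8", "replace")
            headers[obj_id] = {"type": OBJ_TYPES.get(otype, str(otype)),
                               "parent": parent, "name": name,
                               "size": size, "seq": seq, "chunk": i}
        else:
            data.setdefault(obj_id, {})[chunk_id] = page[:n_bytes]
    return headers, data


def path_of(obj_id, headers, max_depth=64):
    """Walk parent ids up to a reserved directory and build a path string."""
    parts = []
    while obj_id not in RESERVED and max_depth > 0:
        hdr = headers.get(obj_id)
        if hdr is None:
            parts.append("<obj %d>" % obj_id)   # parent header not in dump
            break
        parts.append(hdr["name"])
        obj_id, max_depth = hdr["parent"], max_depth - 1
    else:
        parts.append(RESERVED.get(obj_id, "<obj %d>" % obj_id))
    return "/" + "/".join(p for p in reversed(parts) if p)


def file_content(obj_id, headers, data):
    """Concatenate data chunks in chunk order, truncated to the header size."""
    chunks = data.get(obj_id, {})
    body = b"".join(chunks[c] for c in sorted(chunks))
    return body[:headers[obj_id]["size"]]


# --- constructed sample image (not a real phone dump) ---------------------
def make_chunk(seq, obj_id, chunk_id, n_bytes, payload):
    page = payload.ljust(PAGE, b"\xff")
    spare = struct.pack(TAGS_FMT, seq, obj_id, chunk_id, n_bytes).ljust(OOB, b"\xff")
    return page + spare


def make_header(otype, parent, name, size=0):
    hdr = bytearray(b"\xff" * PAGE)
    struct.pack_into(HDR_FMT, hdr, 0, otype, parent, 0xFFFF, name.encode())
    struct.pack_into("<I", hdr, FILE_SIZE_OFF, size)
    return bytes(hdr)


SECRET = b"imei=000000000000000\npin=1234\n"   # constructed sample content


def build_sample_image():
    """A dir, a file with one data chunk, then a newer header for the same
    file that moves it under the reserved 'deleted' dir, then an erased chunk."""
    return b"".join([
        make_chunk(0x1000, 257, 0, 0, make_header(3, 1, "log")),
        make_chunk(0x1000, 258, 0, 0, make_header(1, 257, "secret.txt", len(SECRET))),
        make_chunk(0x1000, 258, 1, len(SECRET), SECRET),
        make_chunk(0x1001, 258, 0, 0, make_header(1, 4, "secret.txt", len(SECRET))),
        b"\xff" * CHUNK,
    ])


if __name__ == "__main__":
    img = build_sample_image()
    print("geometry:", guess_geometry(len(img)))
    headers, data = parse_image(img)
    for oid, h in sorted(headers.items()):
        print("%6d %-8s %s (%d bytes)" % (oid, h["type"], path_of(oid, headers), h["size"]))
    print(file_content(258, headers, data).decode())
```

On a real image read with nanddump including OOB, replace build_sample_image() with open(path, "rb").read() and check guess_geometry() first: "data-only" means the spare area is missing and nothing below it will find tags. Because the parser replays headers in sequence order, an object whose newest header points at the reserved "deleted" or "unlinked" directory still has its data chunks in the dump, which is exactly what a forensic pass wants to see and what a mount would hide.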