Unpacking a ubi image with an ubifs image inside


I ran into a problem during my research. I have a firmware file that is downloaded off the internet and I'm trying to unpack it to emulate the firmware. Good news is that I did it successfully once, but I reverted my machine and I can't recreate the process now.

First of all, the file can't be extracted by any tools because you will get an error that less than 2 layout blocks are found.

After that I dumped some info of the UBI file:

==> app_ubifs <==
1 named volumes found, 2 physical volumes, blocksize=0x20000
== volume b'bakfs' ==
-rw-r--r--  1 0     0       37879808 2020-04-22 01:27:47 ubifs

So from the time I got this to succeed, I know that in the volume bakfs there is another ubifs image inside that can successfully be extracted by public tools.

I have tested a lot of ways to mount this image but it always fails at mounting.

modprobe ubi 

modprobe nandsim first_id_byte=0x20 second_id_byte=0xaa \
                 third_id_byte=0x00 fourth_id_byte=0x15

I believe this is the right config for blocksize=0x20000.

ubiformat /dev/mtd0 -f app_ubifs   
ubiformat: mtd0 (nand), size 268435456 bytes (256.0 MiB), 2048 eraseblocks of 131072 bytes (128.0 KiB), min. I/O size 2048 bytes
libscan: scanning eraseblock 2047 -- 100 % complete  
ubiformat: 2048 eraseblocks have valid erase counter, mean value is 0
ubiformat: flashing eraseblock 282 -- 100 % complete  
ubiformat: formatting eraseblock 2047 -- 100 % complete    

                 

Also formatting and flashing works fine.

After this, the next part I really don't understand. There are 100 different ways online and I can't seem to get it to work.

I would appreciate it if someone could help me in the process.

As I said, I already have the unpacked version with the filesystem. But I can't recreate the unpacking process now. So I know it's possible.

2

There are 2 answers

0
Nino Osewoudt On BEST ANSWER

---- solution

modprobe nandsim first_id_byte=0x2c second_id_byte=0xac third_id_byte=0x90 fourth_id_byte=0x15

Make the device for blocksize=0x20000.

Check if it is set up.

cat /proc/mtd

Let's clean it.

flash_erase /dev/mtd0 0 0

Now format and flash the image.

ubiformat /dev/mtd0 -f image.ubi -O 2048

Then attach the device.

modprobe ubi 

ubiattach -p /dev/mtd0 -O 2048

And now I can mount it.

mount -t ubifs /dev/ubi0_X /mnt/ubifs

In my case it was ubi0_1; make sure to check this at /dev.
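
The geometry used in this procedure (blocksize=0x20000, -O 2048) can be read from the image's own UBI headers before a nandsim device is created. The following is an added example, not part of either answer: a small Python scanner that infers the PEB size from the spacing of the UBI# headers, reads the VID header offset, and counts the blocks of UBI's internal layout volume, which the "less than 2 layout blocks" message refers to. The names scan_ubi and sample_peb are hypothetical, the sample image is constructed, and header CRCs are not verified.

```python
import struct

EC_MAGIC = b"UBI#"           # erase-counter header, starts every PEB
VID_MAGIC = b"UBI!"          # volume-ID header, at vid_hdr_offset in the PEB
LAYOUT_VOL_ID = 0x7FFFEFFF   # UBI's internal layout volume (volume table)


def scan_ubi(image: bytes) -> dict:
    """Report PEB size, header offsets and per-volume PEB counts of a UBI image."""
    first = image.find(EC_MAGIC)
    if first < 0:
        raise ValueError("no UBI erase-counter header found")
    # PEBs sit back to back, so the gap between two EC magics is the PEB size.
    second = image.find(EC_MAGIC, first + 4)
    peb_size = second - first if second > 0 else len(image) - first
    volumes, bad, vid_off, data_off = {}, 0, None, None
    for off in range(first, len(image) - 63, peb_size):
        peb = image[off:off + peb_size]
        if peb[:4] != EC_MAGIC:
            bad += 1          # wrong PEB size guess, padding or foreign data
            continue
        # struct ubi_ec_hdr, big-endian: magic, version, pad[3], ec,
        # vid_hdr_offset, data_offset
        _, _, _, vid_off, data_off = struct.unpack_from(">4sB3xQII", peb, 0)
        vid = peb[vid_off:vid_off + 16]
        if len(vid) < 16 or vid[:4] != VID_MAGIC:
            continue          # free PEB: nothing mapped to it
        # struct ubi_vid_hdr: vol_id at byte 8, lnum at byte 12
        vol_id, _lnum = struct.unpack_from(">II", vid, 8)
        volumes[vol_id] = volumes.get(vol_id, 0) + 1
    return {"peb_size": peb_size, "vid_hdr_offset": vid_off,
            "data_offset": data_off, "volumes": volumes, "bad_pebs": bad,
            "layout_blocks": volumes.get(LAYOUT_VOL_ID, 0)}


def sample_peb(vol_id=None, lnum=0, peb_size=0x20000, vid_off=2048, data_off=4096):
    """Constructed PEB for the demo; CRC fields are not filled in or checked."""
    peb = bytearray(b"\xff" * peb_size)
    peb[0:24] = struct.pack(">4sB3xQII", EC_MAGIC, 1, 0, vid_off, data_off)
    if vol_id is not None:
        peb[vid_off:vid_off + 16] = struct.pack(">4sB3xII", VID_MAGIC, 1, vol_id, lnum)
    return bytes(peb)


if __name__ == "__main__":
    # Constructed image: 2 layout PEBs, 2 PEBs of volume 0, 1 free PEB.
    img = b"".join([sample_peb(LAYOUT_VOL_ID, 0), sample_peb(LAYOUT_VOL_ID, 1),
                    sample_peb(0, 0), sample_peb(0, 1), sample_peb()])
    for key, value in scan_ubi(img).items():
        print(key, value)
```

On a real image, pass the file's bytes to scan_ubi; a non-zero bad_pebs count or fewer than two layout blocks suggests the file is truncated, padded, or wrapped in another container.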

1
marc On

Another quick alternative to access the files inside the image, in case the nandsim module is not available for the current kernel (in my case a Debian-based OS), install:

apt install liblzo2-dev
pip install python-lzo ubi_reader

Then in the same folder where the ubifs image is located, execute
ubireader_extract_files ubifs.img and there you go:

├── ubifs.img
└── ubifs-root
    └── 705623055
        └── rootfs
            ├── bin
            ├── boot
            ├── dev
            ├── etc
            ├── home
            ├── lib
            ├── linuxrc -> /bin/busybox
            ├── media
            ├── mnt
            ├── opt
            ├── proc
            ├── sbin
            ├── Settings
            ├── srv
            ├── sys
            ├── tmp -> /var/tmp
            ├── usr
            ├── var
            └── www