
Unpacking a ubi image with an ubifs image inside

I ran into a problem during my research. I have a firmware file that is downloaded off the internet and I'm trying to unpack it to emulate the firmware.

Good news is that I did it successfully once but I reverted my machine and I can't recreate the process now.

First of all, the file can't be extracted by any tools because you will get an error that less than 2 layout blocks are found.

After that I dumped some info of the ubi file:

==> app_ubifs <==
1 named volumes found, 2 physical volumes, blocksize=0x20000
== volume b'bakfs' ==
-rw-r--r--  1 0     0       37879808 2020-04-22 01:27:47 ubifs

So from the time I got this to succeed I know that in the volume bakfs there is another ubifs image inside that can successfully be extracted by public tools.

I have tested a lot of ways to mount this image but it always fails at mounting.

modprobe ubi 

modprobe nandsim first_id_byte=0x20 second_id_byte=0xaa \
                 third_id_byte=0x00 fourth_id_byte=0x15

I believe this is the right config for blocksize=0x20000.

ubiformat /dev/mtd0 -f app_ubifs   
ubiformat: mtd0 (nand), size 268435456 bytes (256.0 MiB), 2048 eraseblocks of 131072 bytes (128.0 KiB), min. I/O size 2048 bytes
libscan: scanning eraseblock 2047 -- 100 % complete  
ubiformat: 2048 eraseblocks have valid erase counter, mean value is 0
ubiformat: flashing eraseblock 282 -- 100 % complete  
ubiformat: formatting eraseblock 2047 -- 100 % complete    


Also formatting and flashing works fine.

After this the next part I really don't understand. There are 100 different ways online and I can't seem to get it to work.

I would appreciate it if someone could help me in the process.

As I said I already have the unpacked version with the filesystem. But I can't recreate the unpacking process now. So I know it's possible.


  • ---- solution

    modprobe nandsim first_id_byte=0x2c second_id_byte=0xac third_id_byte=0x90 fourth_id_byte=0x15

    Make the device for blocksize=0x20000.

    Check if it is set up.

    cat /proc/mtd

    Let's clean it.

    flash_erase /dev/mtd0 0 0

    Now format and flash the image.

    ubiformat /dev/mtd0 -f image.ubi -O 2048

    Then attach the device.

    modprobe ubi 
    ubiattach -p /dev/mtd0 -O 2048

    And now I can mount it.

    mount -t ubifs /dev/ubi0_X /mnt/ubifs

    In my case it was ubi0_1; make sure to check this in /dev.
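The eraseblock size (`blocksize=0x20000`) and the VID header offset passed as `-O 2048` above can be read directly from the image's UBI erase-counter headers before any device is set up. The following is an added example, not part of the original post; the function names are hypothetical and it assumes the file is a raw UBI image that starts with an EC header.

```python
import struct
import sys
import zlib

UBI_EC_MAGIC = b"UBI#"
# Big-endian, 64 bytes: magic, version, pad, erase counter, vid_hdr_offset,
# data_offset, image_seq, pad, hdr_crc (layout of struct ubi_ec_hdr).
EC_HDR = struct.Struct(">4sB3xQIII32xI")

def ubi_crc(data):
    # UBI seeds CRC32 with 0xFFFFFFFF and skips the final inversion zlib applies.
    return ~zlib.crc32(data) & 0xFFFFFFFF

def parse_ec_header(buf, off=0):
    """Decode one erase-counter header; None if the magic or CRC is wrong."""
    raw = buf[off:off + EC_HDR.size]
    if len(raw) < EC_HDR.size or raw[:4] != UBI_EC_MAGIC:
        return None
    _, version, ec, vid_off, data_off, seq, crc = EC_HDR.unpack(raw)
    if ubi_crc(raw[:-4]) != crc:
        return None
    return {"version": version, "ec": ec, "vid_hdr_offset": vid_off,
            "data_offset": data_off, "image_seq": seq}

def ubi_geometry(image):
    """Infer eraseblock size and header offsets from a raw UBI image."""
    first = parse_ec_header(image)
    if first is None:
        raise ValueError("no valid UBI EC header at offset 0")
    # The next CRC-valid EC header marks the start of the second eraseblock.
    pos = image.find(UBI_EC_MAGIC, EC_HDR.size)
    while pos != -1 and parse_ec_header(image, pos) is None:
        pos = image.find(UBI_EC_MAGIC, pos + 1)
    peb = pos if pos != -1 else len(image)
    blocks = len(image) // peb
    bad = [i for i in range(blocks) if parse_ec_header(image, i * peb) is None]
    return {"peb_size": peb, "blocks": blocks, "blocks_without_ec": bad,
            "vid_hdr_offset": first["vid_hdr_offset"],
            "data_offset": first["data_offset"]}

def constructed_image(peb=0x20000, count=3, vid_off=2048, data_off=4096):
    """Constructed sample input: empty eraseblocks holding only an EC header."""
    body = EC_HDR.pack(UBI_EC_MAGIC, 1, 0, vid_off, data_off, 0, 0)[:-4]
    hdr = body + struct.pack(">I", ubi_crc(body))
    return b"".join(hdr + b"\xff" * (peb - len(hdr)) for _ in range(count))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_image()
    print(ubi_geometry(data))
```

Run it with the image path as the only argument; `peb_size` should match the eraseblock size that nandsim reports in `/proc/mtd`, and `vid_hdr_offset` is the value for `-O` in `ubiformat` and `ubiattach`.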