I recently extracted the firmware (u-boot system) from an old Sagemcom router and analyzed it using the binwalk utility for a personal reverse engineering project.
Despite identifying a root filesystem (likely JFFS2 based on string analysis), binwalk was unable to recognize or extract it. I know that the filesystem is JFFS by examining the boot info, and performing strings analysis on my dump. (You can check the git repo given further down)
Steps Taken:
- Initial Extraction with Binwalk:
  - Binwalk was used to analyze the firmware, but it failed to identify the root filesystem.
- Manual Binary Segmentation:
  - Based on MTD (Memory Technology Device) partitions, I attempted to segment the binary using the dd command.
  - Encountered overlapping addresses and excessive total pages exceeding 65536 (total memory size of 16MB divided by page size of 2048 bytes).
Challenges:
- Translating MTD addresses to NAND offsets.
- Understanding the relationship between MTD partitions and NAND subsystems.
- Ensuring correct memory dumping and assembly.
- Extracting the JFFS2 rootfs
Additional Information:
- Utilized dd for binary segmentation.
- Cleaned .dmp files to remove Out-Of-Band (OOB) data and other unnecessary lines.
Memory Extraction steps:
- dump from router through UART: 'dump_nand_memory.py'; use 'nand dump offset' to dump nand page
- assure no error in the file: assure_140_lines.py
- clean .dmp file (don't keep oob): clean_dmp.py
- concatenate all .dmp files into .bin: concatenated_all_to_bin.py
- Search for magic number in the binary for JFFS2 filesystem: check_for_JFFS2.py
Questions:
- How do I accurately convert MTD partition addresses into corresponding NAND offsets?
- Is MTD simply an abstraction layer for NAND, or is there more complexity involved?
- Have I extracted the memory correctly? Do I need to correct errors using OOB?
- Where can I find more info about u-boot, embedded systems, ...? (doc is pretty much non-existent)
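
The OOB stripping, MTD-to-raw offset translation and JFFS2 search described in the post, as an added example that is not part of the original post or its repository. It assumes 2048-byte pages each followed by 64 bytes of OOB, and instead of matching the bare 0x1985 magic it validates each candidate node header's CRC; all function names are illustrative.

```python
import binascii
import struct

JFFS2_MAGIC = 0x1985
PAGE, OOB = 2048, 64  # assumption: 2048-byte pages (from the post) with 64 spare bytes each

def jffs2_crc(data: bytes) -> int:
    """CRC32 the way JFFS2 computes it: seed 0, no final inversion."""
    return (binascii.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF) & 0xFFFFFFFF

def strip_oob(raw: bytes, page: int = PAGE, oob: int = OOB) -> bytes:
    """Drop the spare area that follows each page in a data+OOB dump."""
    return b"".join(raw[i:i + page] for i in range(0, len(raw), page + oob))

def mtd_to_raw_offset(mtd_off: int, page: int = PAGE, oob: int = OOB) -> int:
    """Map an MTD (data-only) byte offset to its position in a data+OOB dump."""
    return (mtd_off // page) * (page + oob) + mtd_off % page

def scan_jffs2(image: bytes):
    """Return (offset, endianness, nodetype, totlen) for headers with a valid hdr_crc."""
    hits = []
    for name, order in (("little", "<"), ("big", ">")):
        needle = struct.pack(order + "H", JFFS2_MAGIC)
        pos = image.find(needle)
        while pos != -1 and pos + 12 <= len(image):
            _, nodetype, totlen, crc = struct.unpack_from(order + "HHII", image, pos)
            # Nodes are 4-byte aligned; totlen must fit; hdr_crc covers the first 8 bytes.
            if (pos % 4 == 0 and 12 <= totlen <= len(image) - pos
                    and jffs2_crc(image[pos:pos + 8]) == crc):
                hits.append((pos, name, nodetype, totlen))
            pos = image.find(needle, pos + 1)
    return sorted(hits)

def build_sample() -> bytes:
    """Constructed sample: two erased pages plus OOB, one real node, one decoy magic."""
    data = bytearray(b"\xff" * (2 * PAGE))
    # Standard little-endian JFFS2 cleanmarker node (nodetype 0x2003, totlen 12).
    data[0x800:0x80C] = bytes.fromhex("851903200c000000b1b01ee4")
    data[0x100:0x102] = b"\x85\x19"  # bare magic with no valid header behind it
    return b"".join(bytes(data[i:i + PAGE]) + b"\xff" * OOB
                    for i in range(0, len(data), PAGE))

if __name__ == "__main__":
    raw = build_sample()
    for off, endian, nodetype, totlen in scan_jffs2(strip_oob(raw)):
        print(f"node at 0x{off:x} ({endian}-endian) type=0x{nodetype:04x} totlen={totlen}")
```

If a scan of the cleaned image finds many bare magics but few or no CRC-valid headers, the page/OOB geometry or the dump itself is suspect rather than the filesystem type.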

