Image forensics

From OLPC
Jump to navigation Jump to search

One way to inspect a captured JFFS2 image is to configure a loopback device on top of it, to use the block2mtd module to produce an memory-technology device (mtd) backed by the loopback device, and finally to mount the resulting mtd.

As root, run: 

losetup /dev/loop4 nand.img
modprobe block2mtd block2mtd=/dev/loop4 
cat /proc/mtd    # inspect status
mkdir mtd
modprobe jffs2
mount -t jffs2 mtd0 mtd

If you want to write to the image, you may need to pad it with several blocks of 0xFFFF bytes.

Also, on some kernels, the jffs2 module may fail to load due to incorrect licensing information in the mtdsuper module. In this case, rebuild the mtdsuper module with appropriate licensing information, overwrite the old version, and then load the jffs2 module. On Fedora, these operations consist of: 

# install the appropriate kernel-devel rpm, perhaps downloaded from http://koji.laptop.org/packages/kernel/
mkdir mtdsuper && cd mtdsuper
wget -O mtdsuper.c http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.24.y.git;a=blob_plain;f=drivers/mtd/mtdsuper.c;hb=HEAD
echo 'MODULE_LICENSE("GPL");' >> mtdsuper.c
echo 'obj-m := mtdsuper.o' > Makefile
make -C /lib/modules/`uname -r`/build SUBDIRS=`pwd`
sudo mv mtdsuper.ko /lib/modules/`uname -r`/kernel/drivers/mtd/
Retrieved from "http://wiki.laptop.org/mediawiki/index.php?title=Image_forensics&oldid=112706"