Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Funny QNX6 file system magic

See original GitHub issue

I’ve been looking at an issue why a Samsung FW blob has a QNX6 FS in it.

I am sure this is not true, since the magic doesn’t align while the blob is huge and likely to be a false positive. So I looked into the QNX6 magic as defined in the latest filesystems file:


# QNX6 filesystem
0 string \xEB\x10\x90\x00 QNX6 filesystem

However, after reading this Forensic Focus article and looking at the corresponding QNX6 extractor, it seem that there is a different magic available, namely \68\19\11\22.

class QNX6FS:

	PARTITION_MAGIC	= {'QNX4':0x002f,'QNX6':0x68191122}
	FILE_TYPE 		= {'DIRECTORY':0x01,'DELETED':0x02,'FILE':0x03}

	QNX6_SUPERBLOCK_SIZE 	= 0x200 	#Superblock is fixed (512 bytes)
	QNX6_SUPERBLOCK_AREA 	= 0x1000	#Area reserved for superblock
	QNX6_BOOTBLOCK_SIZE  	= 0x2000	#Boot Block Size
	QNX6_DIR_ENTRY_SIZE  	= 0x20 		#Dir block size (32 bytes)
	QNX6_INODE_SIZE      	= 0x80 		#INode block size (128 bytes)
	QNX6_INODE_SIZE_BITS 	= 0x07 		#INode entry size shift

	QNX6_NO_DIRECT_POINTERS = 16		#Max Direct iNodes
	QNX6_PTR_MAX_LEVELS 	= 5			#Max Indirect iNodes
	QNX6_SHORT_NAME_MAX 	= 27		#Short Name Max Length
	QNX6_LONG_NAME_MAX 		= 510		#Long Name Max Length

	def __init__(self, source):
		self.TARGET_ = source
		
	def GetPartitions(self):
		with open(self.TARGET_, "rb") as handle:
			DataBlock = handle.read(512);

			##Split DataBlock into parts
			BootCode = DataBlock[0:446]
			MasterPartitionTable = DataBlock[446:510]
			BootRecordSignature = DataBlock[510:512]

			##Detect if MBR is valid.
			BootRecordSignature = unpack('H', BootRecordSignature)[0]
			if BootRecordSignature == 0xAA55:
				print "[-] BootRecordSignature Detected."
			else:
				raise IOError('[ERROR] BootRecordSignature Missing; Invalid Disk Image')
				exit()
			return self.parsePartitionMBR(handle,0)
...

I think we need to change this and include it. Also, there are no references in the magic file, as to where this info was obtained.

Any ideas how to proceed?

Issue Analytics

State:
Created 5 years ago
Comments:11 (8 by maintainers)

Top GitHub Comments

1reaction

eacmencommented, Jul 28, 2020

Hey eacmen,

qnx6-0.2d.zip

et voila.

Greetings Gerd

Gerd,

merci!

-peter

1reaction

KuroSarucommented, Oct 18, 2018

Hi,

Yes that is a QNX4 bootblock. 2/3. The added value is for the QNX6 superblock, this is used to find all filess in a QNX file system, a superblock in terms of QNX is same as EXT2/3/4 it is required to parse and process the filesystems. 4: There are no signautres that determine a single file in QNX as they are split up acorss multiple blocks, it requires a iNode structure to process and get a block.

Hope This Helps.

On Wed, Oct 17, 2018 at 7:11 PM E:V:A notifications@github.com wrote:

@KuroSaru https://github.com/KuroSaru Hi! Please let me understand what you are saying.

So are you saying that \xEB\x10\x90\x00, is for a QNX4 boot block?

That we need to add: \x68\x19\x11\x22 for a “super block”.

What is a “super block”? A partition?

What are the signatures for the files contained within, then?

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/ReFirmLabs/binwalk/issues/365#issuecomment-430731668, or mute the thread https://github.com/notifications/unsubscribe-auth/AAXIzPE2GMXLv90mB_MXrZzLp_3qlXRsks5ul3KzgaJpZM4XkT8L .