ubiattach failed with too many bad blocks

0

I was trying to read firmware from a NAND chip, and extract its program and data for analyse.

From online I learned, you must create an UBI device with your image file write to it, then you can mount it to your system.

Description

First I read a bin file from FLASH chip. binwalk I get this.

$ binwalk -Me Flash_data.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
771180        0xBC46C         device tree image (dtb)
772444        0xBC95C         device tree image (dtb)
823236        0xC8FC4         CRC32 polynomial table, little endian
2703360       0x294000        uImage header, header size: 64 bytes, header CRC: 0xF092DEF5, created: 2016-10-04 21:32:58, image size: 2773040 bytes, Data Address: 0x80008000, Entry Point: 0x80008000, data CRC: 0x365DF8B1, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.2.0"
2703424       0x294040        Linux kernel ARM boot executable zImage (little-endian)
2722452       0x298A94        gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
8110080       0x7BC000        UBI erase count header, version: 1, EC: 0x2, VID header offset: 0x800, data offset: 0x1000

From its output files, I foun this ubi image file.

$ binwalk 7BC000.ubi 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             UBI erase count header, version: 1, EC: 0x2, VID header offset: 0x800, data offset: 0x1000
$ file 7BC000.ubi 
7BC000.ubi: UBI image, version 1

Some information about NAND chip:

     PageSize : 2048
    SpareSize : 64
PagesPerBlock : 64
  Blocks Size : 128KB + 4KB
  Total Block : 2048
  Device Size : 256MB + 8192KB8192KB
   Bus Width  : 8

Then I tried to mount it, like this:

$ sudo modprobe mtdblock
$ sudo modprobe nandsim first_id_byte=0x20 second_id_byte=0xac third_id_byte=0x00 fourth_id_byte=0x15
$ mtdinfo /dev/mtd0
mtd0
Name:                           NAND simulator partition 0
Type:                           nand
Eraseblock size:                131072 bytes, 128.0 KiB
Amount of eraseblocks:          4096 (536870912 bytes, 512.0 MiB)
Minimum input/output unit size: 2048 bytes
Sub-page size:                  512 bytes
OOB size:                       64 bytes
Character device major/minor:   90:0
Bad blocks are allowed:         true
Device is writable:             true
$ sudo flash_erase /dev/mtd0 0 0
$ cp 7BC000.ubi test_infile   
$ sudo ubiformat /dev/mtd0 -O 2048 -f test_infile
ubiformat: mtd0 (nand), size 536870912 bytes (512.0 MiB), 4096 eraseblocks of 131072 bytes (128.0 KiB), min. I/O size 2048 bytes
libscan: scanning eraseblock 4095 -- 100 % complete  
ubiformat: 4096 eraseblocks are supposedly empty
ubiformat: error!: file "test_infile" (size 268713984 bytes) is not multiple of eraseblock size (131072 bytes)
           error 0 (Success)

The size of "test_file" is 0x10044000, so I just remove the last 0x4000 bytes, and tried to ubiformat again.

$ dd if=test_infile of=test_infile_dd bs=268697600 count=1
$ sudo ubiformat /dev/mtd0 -O 2048 -f test_infile_dd      
ubiformat: mtd0 (nand), size 536870912 bytes (512.0 MiB), 4096 eraseblocks of 131072 bytes (128.0 KiB), min. I/O size 2048 bytes
libscan: scanning eraseblock 4095 -- 100 % complete  
ubiformat: 4096 eraseblocks are supposedly empty
ubiformat: flashing eraseblock 1 --  0 % complete  ubiformat: error!: bad UBI magic 0xffffffff, should be 0x55424923
ubiformat: error!: bad EC header at eraseblock 1 of "test_infile_dd"

I did some research and found out, in this UBI image, there are many blocks, and every block contains data and OOB.

The reason last command fails because it searchs 0x55424923 at wrong position which is 0x20000, because of OOB, 0x55424923 is actually at 0x21000, so I think perhaps delete all of OOB part from "this_file_dd" might work. The bash command and test as follows.

#!/bin/bash                                                                                
# ./dump.sh
# pagesize 0x20000                                                                         
# oob size 0x01000   

# block 1                                                                                  
dd if=infile of=test_infile_dd_nooob bs=$((0x20000)) count=1

declare -i i=1

# block others                                                                             
while ((i<2048))
  do
    dd if=test_infile of=out bs=$((0x21000)) count=1 skip=$i
    dd if=out of=outfile bs=$((0x20000)) count=1
    cat outfile >> test_infile_dd_nooob
    rm out
    rm outfile
    let i++
done

After remove all OOB, compare 2 file, and noticed that OOB has been remove.

$ xxd test_infile_dd | grep "5542 4923"                                               ⏎
00000000: 5542 4923 0100 0000 0000 0000 0000 0002  UBI#............
00021000: 5542 4923 0100 0000 0000 0000 0000 0002  UBI#............
00042000: 5542 4923 0100 0000 0000 0000 0000 0001  UBI#............
00063000: 5542 4923 0100 0000 0000 0000 0000 0001  UBI#............
00084000: 5542 4923 0100 0000 0000 0000 0000 0001  UBI#............
$ xxd test_infile_dd_nooob | grep "5542 4923" 
00000000: 5542 4923 0100 0000 0000 0000 0000 0002  UBI#............
00020000: 5542 4923 0100 0000 0000 0000 0000 0002  UBI#............
00040000: 5542 4923 0100 0000 0000 0000 0000 0001  UBI#............
00060000: 5542 4923 0100 0000 0000 0000 0000 0001  UBI#............
00080000: 5542 4923 0100 0000 0000 0000 0000 0001  UBI#............

Then ubiformat again, another error about bad UBI magic.

$ sudo ubiformat /dev/mtd0 -O 2048 -f test_infile_dd_nooob 
ubiformat: mtd0 (nand), size 536870912 bytes (512.0 MiB), 4096 eraseblocks of 131072 bytes (128.0 KiB), min. I/O size 2048 bytes
libscan: scanning eraseblock 4095 -- 100 % complete  
ubiformat: 1 eraseblocks have valid erase counter, mean value is 0
ubiformat: 4095 eraseblocks are supposedly empty
ubiformat: warning!: only 1 of 4096 eraseblocks have valid erase counter
ubiformat: erase counter 0 will be used for all eraseblocks
ubiformat: note, arbitrary erase counter value may be specified using -e option
ubiformat: continue? (y/N) y
ubiformat: use erase counter 0 for all eraseblocks
ubiformat: flashing eraseblock 1074 -- 54 % complete  ubiformat: error!: bad UBI magic 00000000, should be 0x55424923
ubiformat: error!: bad EC header at eraseblock 1074 of "test_infile_dd_nooob"

Used ghex to fix wrong EC header in EB-1074, and ubiformat again, same block's CRC is not right.

sudo ubiformat /dev/mtd0 -O 2048 -f test_infile_dd_nooob -e 10
ubiformat: mtd0 (nand), size 536870912 bytes (512.0 MiB), 4096 eraseblocks of 131072 bytes (128.0 KiB), min. I/O size 2048 bytes
libscan: scanning eraseblock 4095 -- 100 % complete  
ubiformat: 1074 eraseblocks have valid erase counter, mean value is 10
ubiformat: 3022 eraseblocks are supposedly empty
ubiformat: use erase counter 10 for all eraseblocks
ubiformat: flashing eraseblock 1074 -- 54 % complete  ubiformat: error!: bad CRC 0x7d72af58, should be 00000000

ubiformat: error!: bad EC header at eraseblock 1074 of "test_infile_dd_nooob"

Fix CRC and ubiformat again, enable ubi and ubiattach to mtd0, but another error occurs.

sudo ubiformat /dev/mtd0 -O 2048 -f test_infile_dd_nooob -e 10                         ⏎
ubiformat: mtd0 (nand), size 536870912 bytes (512.0 MiB), 4096 eraseblocks of 131072 bytes (128.0 KiB), min. I/O size 2048 bytes
libscan: scanning eraseblock 4095 -- 100 % complete  
ubiformat: 1074 eraseblocks have valid erase counter, mean value is 10
ubiformat: 3022 eraseblocks are supposedly empty
ubiformat: use erase counter 10 for all eraseblocks
ubiformat: flashing eraseblock 1987 -- 100 % complete  
ubiformat: formatting eraseblock 4095 -- 100 % complete 
$ sudo modprobe ubi
$ sudo modprobe ubi mtd=0
$ sudo ubiattach -m 0 -O 2048   
ubiattach: error!: cannot attach mtd0
           error 22 (Invalid argument)

Do dmesg I found this message.

$ sudo dmesg
[ 6974.021149] 0001efa0: 00 00 00 00 00 00 00 00 10 0a 00 00 01 00 00 00 00 0a d9 d5 05 f9 20 a1 63 d7 00 00 00 02 fb d2  ...................... .c.......
[ 6974.021150] 0001efc0: ce 15 00 00 00 0d 00 00 02 00 00 00 04 00 20 00 c7 00 00 00 0d 0d 0d 00 00 00 0b 01 b8 00 03 db  .............. .................
[ 6974.021151] 0001efe0: 03 9d 03 5e 03 20 02 fd 02 d8 02 93 02 4e 02 1b 01 f6 01 b8 20 00 7a 14 08 00 32 3b 81 0e 04 17  ...^. .......N...... .z...2;....
[ 6974.023703] ubi0 error: validate_ec_hdr [ubi]: node with incompatible UBI version found: this UBI version is 1, image version is 0                                                 
[ 6974.023707] ubi0 error: validate_ec_hdr [ubi]: bad EC header
[ 6974.023707] Erase counter header dump:
[ 6974.023708]  magic          0x55424923
[ 6974.023708]  version        0
[ 6974.023709]  ec             10
[ 6974.023709]  vid_hdr_offset 2048
[ 6974.023710]  data_offset    4096
[ 6974.023710]  image_seq      144665903
[ 6974.023711]  hdr_crc        0xb574c34c
[ 6974.023711] erase counter header hexdump:
[ 6974.023713] 00000000: 55 42 49 23 00 00 00 00 00 00 00 00 00 00 00 0a 00 00 08 00 00 00 10 00 08 9f 6d 2f 00 00 00 00  UBI#......................m/....
[ 6974.023713] 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b5 74 c3 4c  .............................t.L
[ 6974.023715] CPU: 4 PID: 14955 Comm: ubiattach Tainted: G        W   E     5.7.0-kali1-amd64 #1 Debian 5.7.6-1kali2
[ 6974.023716] Hardware name: Dell Inc. Inspiron 7472/0GHVRJ, BIOS 1.1.6 06/14/2018
[ 6974.023716] Call Trace:
[ 6974.023722]  dump_stack+0x66/0x90
[ 6974.023725]  validate_ec_hdr+0x8a/0xe0 [ubi]
[ 6974.023729]  ubi_io_read_ec_hdr+0x1e9/0x280 [ubi]
[ 6974.023732]  ubi_attach+0x1d3/0x14c0 [ubi]
[ 6974.023736]  ubi_attach_mtd_dev+0x5b3/0xd30 [ubi]
[ 6974.023741]  ? __get_mtd_device+0x2c/0xa0 [mtd]
[ 6974.023743]  ? _cond_resched+0x15/0x30
[ 6974.023746]  ctrl_cdev_ioctl+0xda/0x1c0 [ubi]
[ 6974.023748]  ksys_ioctl+0x87/0xc0
[ 6974.023749]  __x64_sys_ioctl+0x16/0x20
[ 6974.023751]  do_syscall_64+0x52/0x180
[ 6974.023753]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 6974.023754] RIP: 0033:0x7f3f55902c87
[ 6974.023756] Code: 00 00 00 48 8b 05 09 92 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d d9 91 0c 00 f7 d8 64 89 01 48
[ 6974.023756] RSP: 002b:00007ffd4fec6f88 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[ 6974.023757] RAX: ffffffffffffffda RBX: 00007ffd4fec7020 RCX: 00007f3f55902c87
[ 6974.023758] RDX: 00007ffd4fec6fb0 RSI: 0000000040186f40 RDI: 0000000000000003
[ 6974.023758] RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000000
[ 6974.023759] R10: fffffffffffff48e R11: 0000000000000206 R12: 000055c2a393c052
[ 6974.023759] R13: 00007ffd4fec6fb0 R14: 0000000000000000 R15: 0000000000000000
[ 6974.023763] ubi0 error: ubi_io_read_ec_hdr [ubi]: validation failed for PEB 1074
[ 6974.061006] ubi0 error: ubi_attach_mtd_dev [ubi]: failed to attach mtd0, error -22

But I don't know how to solve this, so I just remove block 1074 from file.

$ dd if=test_infile_dd_nooob of=test_infile_dd_nooob_no1074_1 bs=131072 count=1074
$ dd if=test_infile_dd_nooob of=test_infile_dd_nooob_no1074_2 bs=131072 skip=1075
$ cat test_infile_dd_nooob_no1074_1 test_infile_dd_nooob_no1074_2 > test_infile_dd_nooob_no1074

Then ubiformat and attach again, but there was another error.

$ sudo ubiformat /dev/mtd0 -O 2048 -f test_infile_dd_nooob_no1074 -e 10
ubiformat: mtd0 (nand), size 536870912 bytes (512.0 MiB), 4096 eraseblocks of 131072 bytes (128.0 KiB), min. I/O size 2048 bytes
libscan: scanning eraseblock 4095 -- 100 % complete  
ubiformat: 4096 eraseblocks have valid erase counter, mean value is 10
ubiformat: use erase counter 10 for all eraseblocks
ubiformat: flashing eraseblock 1986 -- 100 % complete  
ubiformat: formatting eraseblock 4095 -- 100 % complete 
$ sudo ubiattach -m 0 -O 2048                                                            ⏎
ubiattach: error!: cannot attach mtd0
           error 22 (Invalid argument)

Check dmesg and found this, this is where I don't know how to do, I don't know how I get so many bad blocks.

$ sudo dmesg
ubi0: scanning is finished
[ 7392.005554] ubi0 error: ubi_attach [ubi]: 1205 PEBs are corrupted and preserved
[ 7392.005554] Corrupted PEBs are: 1805 1802 1793 1678 1674 1670 1666 1662 1654 1653 1652 1649 1640 1639 1626 1625 1621 1605 1587 1586 1581 1563 1553 1540 1534 1533 1532 1531 1530 1529 1528 1527 1526 1525 1524 1523 1522 1521 1520 1519 1518 1517 1516 1515 1514 1512 1511 1510 1509 1508 1507 1506 1505 1504 1503 1502 1501 1500 1499 1498 1496 1495 1494 1493 1492 1491 1490 1489 1488 1487 1486 1485 1484 1483 1482 1481 1471 1449 1448 1447 1446 1445 1444 1441 1439 1438 1437 1436 1435 1434 1433 1432 1431 1430 1429 1428 1425 1424 1423 1422 1421 1420 1419 1418 1417 1416 1415 1414 1413 1412 1411 1410 1409 1408 1407 1406 1405 1404 1403 1402 1401 1400 1399 1398 1397 1396 1395 1394 1393 1391 1390 1389 1388 1387 1386 1385 1384 1383 1382 1381 1380 1379 1378 1377 1376 1375 1374 1373 1372 1371 1370 1369 1368 1367 1366 1365 1364 1363 1362 1361 1360 1359 1358 1357 1356 1355 1354 1353 1352 1351 1350 1349 1348 1347 1346 1345 1344 1343 1342 1341 1340 1339 1338 1337 1335 1334 1333 1332 1331 1330 1329 1328 1327 1326                                                                                        
[ 7392.005578]  1325 1324 1323 1322 1321 1294 1275 1274 1273 1264 1230 1223 1221 1219 1214 1211 1210 1207 1204 1203 1202 1201 1200 1199 1198 1197 1196 1195 1194 1193 1192 1191 1190 1189 1188 1187 1186 1185 1184 1183 1182 1181 1180 1179 1178 1177 1176 1175 1174 1173 1172 1165 1164 1163 1157 1147 1144 1143 1142 1141 1140 1139 1138 1137 1136 1134 1133 1132 1131 1130 1129 1128 1127 1126 1125 1124 1123 1122 1121 1120 1119 1118 1117 1116 1115 1114 1112 1111 1110 1109 1108 1106 1105 1098 1085 1053 1052 1044 1016 1003 1002 977 973 972 963 939 938 937 936 935 934 933 932 931 930 929 928 927 926 925 924 923 922 921 920 919 918 917 916 915 914 913 912 911 910 909 908 907 906 905 904 903 902 900 899 898 897 896 895 894 893 892 891 890 889 888 887 886 885 884 883 882 881 880 879 878 877 876 875 874 873 872 871 870 869 868 867 866 865 864 863 862 861 860 859 858 857 856 855 854 853 852 851 850 849 848 847 846 845 844 841 840 839 838 837 836 835 834 833 832 831 830 829 828 827 826 825 824 823 822 821 820
[ 7392.005606]  819 818 817 816 815 814 813 812 811 810 809 808 807 806 805 804 803 802 801 800 799 798 797 796 795 794 793 792 791 790 789 788 787 785 784 782 781 780 779 778 777 776 775 774 773 772 771 770 769 768 767 766 765 764 763 762 761 760 759 758 757 756 755 754 753 752 751 750 749 748 747 746 745 744 743 742 741 740 739 738 737 736 735 734 733 732 731 730 729 727 726 725 724 723 722 721 720 719 718 716 715 714 713 712 711 710 709 708 707 706 705 704 703 702 701 700 699 698 697 696 695 694 693 692 691 690 689 688 687 686 685 684 683 682 681 680 679 678 677 676 675 674 673 672 671 670 668 667 666 665 664 663 662 661 660 659 657 656 655 654 653 652 651 650 649 648 647 646 645 644 643 642 641 640 639 638 637 636 635 634 633 632 631 630 629 628 627 626 625 624 623 622 621 620 619 618 617 616 615 614 613 611 610 609 608 607 606 605 604 602 601 600 599 598 597 596 595 594 593 592 591 589 588 587 586 585 584 583 582 581 580 579 578 577 576 575 574 573 572 571 570 569 568 567 566 565 564 563
[ 7392.005634]  562 561 560 559 558 557 556 554 553 552 551 550 549 548 547 546 545 544 543 541 540 539 538 537 536 535 534 533 532 531 530 529 528 527 526 525 524 523 522 521 520 519 518 517 516 515 514 513 512 511 510 509 508 507 506 505 504 503 502 501 500 498 497 496 495 494 493 492 491 489 488 487 486 485 484 483 482 481 480 479 478 477 476 475 474 473 472 471 470 469 468 467 466 465 464 463 461 460 459 458 457 456 455 454 453 452 451 450 449 448 447 446 445 444 443 441 440 438 437 436 435 434 433 432 431 430 429 428 427 426 425 424 423 422 421 420 419 418 417 416 415 414 413 412 411 410 409 408 407 406 405 404 403 402 401 400 399 398 397 396 395 394 393 392 391 390 389 388 387 386 384 383 382 381 380 379 378 377 376 375 374 373 372 371 370 369 368 367 366 365 364 363 362 361 360 359 358 357 356 355 354 353 352 351 350 349 348 347 346 345 344 343 342 341 340 339 338 337 336 335 333 332 331 330 329 328 327 326 325 324 323 322 321 320 319 318 317 316 315 314 313 312 311 310 309 308 307 306
[ 7392.005661]  305 304 303 302 301 300 295 294 293 292 290 289 288 287 286 285 284 283 282 281 280 279 278 277 276 275 274 273 271 270 269 268 267 266 265 264 263 262 261 260 259 258 257 256 255 254 253 252 251 250 249 248 247 246 245 244 243 242 241 240 239 238 237 236 235 233 231 230 229 228 227 226 225 224 223 222 221 220 219 218 217 216 215 214 213 212 211 210 209 208 207 206 205 204 203 202 201 200 199 198 197 196 195 194 193 192 191 190 189 188 187 186 185 184 183 182 181 180 179 177 176 175 174 172 171 170 169 168 167 166 165 164 163 162 161 160 159 158 157 156 155 154 153 152 151 150 149 148 147 146 145 144 143 142 141 140 139 138 137 136 135 134 133 132 131 130 129 128 127 126 125 124 123 122 121 120 118 117 116 115 114 113 112 111 110 109 108 107 106 105 104 103 102 101 100 99 98 97 96 95 94 93 92 91 90 89 88 87 86 85 84 83 82 81 80 79 78 77 76 75 74 73 72 71 70 69 68 67 66 65 64 63 62 61 60 59 58 57 56 55 54 53 52 51 50 49 48 47 46 45 44 43 42 41 40 39 38 37 36 35 34 33 32 31 30
[ 7392.005690]  29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2
[ 7392.005698] ubi0 error: ubi_attach.cold [ubi]: too many corrupted PEBs, refusing
[ 7392.028819] ubi0 error: ubi_attach_mtd_dev [ubi]: failed to attach mtd0, error -22
[ 7393.182325] systemd-journald[331]: /dev/kmsg buffer overrun, some messages lost.

I read the official documents, it says only in 2 senerios a block will be marked as bad. One is when write opertion to eraseblock fails, UBI will move data from bad EB to a good EB, and do some tests so it can confirm whether bad EB is really bad; or when erase opertion have EIO error, then EB will be marked as bad block immediately. I am not sure which reason caused so much bad block.

My questions

  • In the progess, is my command doing wrong? If not, how to repair this UBI image so I can read its programs and data?
  • Is there other ways that can get programs and data from this UBI image file?

Tools and versions

  • Kali 2020.3
  • mtd-utils 2.1.1
linux-kernel
firmware
ubifs
ubi
asked on Stack Overflow Aug 17, 2020 by aaarrrgghh • edited Aug 17, 2020 by aaarrrgghh

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0