Skip to content

NetherlandsForensicInstitute/qnxmount

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

25 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

QNX Filesystems Mounter

Project Discription

This project contains code to parse and mount (read only) QNX filesystems in non-standard images (HDD / SSD / eMMC).

Existing tools were not able to handle the exotic configurations of some of the filesystems that we encountered in vehicle forensics, for instance on blocksizes greater than 4K on qnx6 filesystems, or non-standard allignment on qnx efs filesystems.

The description of the binary data structure of these filesystems is done with kaitai and this description can be found in the .ksy files in the folders for each respective qnx filesystem (qnx6, etfs, and efs). With Kaitai, a Python based parser was generated. Mounting with these parsers is based on fuse.

This project is only tested on Linux machines.

Getting started

Set up your Python virtual environment and activate the environment:

python3 -m venv venv
source ./venv/bin/activate

Install qnxmount and fuse in the virtual environment:

pip install qnxmount
sudo apt install fuse

Usage

General use of the module is as follows:

python3 -m qnxmount {fs_type} [options] /image /mountpoint

where fs_type is the filesystem type (qnx6, etfs, or efs) and options are the options for that filesystem type.

The options are different for each filesystem type. An overview is given below. For more information use the help option.

python3 -m qnxmount qnx6 [-o OFFSET] /image /mountpoint
python3 -m qnxmount etfs [-o OFFSET] [-s PAGE_SIZE] /image /mountpoint
python3 -m qnxmount efs /image /mountpoint

Note that the offset and page size can be entered in decimal, octal, binary, or hexadecimal format. For example, we can mount an image with a qnx6 filesystem at offset 0x1000 with:

python3 -m qnxmount qnx6 -o 0x1000 /image /mountpoint 

Using the option -o 4096 would give the same result.

If mounting succeeds you will see the log message "Mounting image /image on mount point /mountpoint" appear and the process will hang. Navigate to the given mount point with another terminal session or a file browser to access the file system.

Unmounting can be done from the terminal with:

sudo umount /mountpoint

The logs will show show that the image was successfully unmounted and qnxmount will exit.

Contributing and Testing

If you want develop the tool and run tests, first fork the repository. Contributions can be submitted as a merge request.

To get started clone the forked repository and create a virtual environment. Install the test dependencies and fuse into the environment.

pip install .[test]
sudo apt install fuse

The folder tests contains functional tests to test the different parsers. To run these tests you need a file system image and an accompanying tar archive. The tests run are functional tests that check whether the parsed data from the test image is equal to the data stored in the archive. Default test_images are located in the folders test_data. If you want to test your own image replace the files test_image.bin and test_image.tar.gz with your own.

A test image can be created by running the script make_test_fs.sh inside a QNX Virtual Machine. Update the script with the (edge) cases you want to check and run the command below. This should create an image.bin and image.tar.gz into the specified directory. These can be used as test files.

make_test_fs.sh /path/to/output/directory

To run the tests in this repo navigate to the main directory of the repo and run:

pytest

About

Filesystem parsers to mount non-standard QNX images.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published