├── LICENSE
├── README.md
└── parseMFS.py


/LICENSE:
--------------------------------------------------------------------------------
 1 | Copyright (c) 2017 Positive Technologies
 2 | 
 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
 4 | The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
 5 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 6 | 
 7 | 
 8 | Copyright (c) 2017 Positive Technologies
 9 | 
10 | Данная лицензия разрешает лицам, получившим копию данного программного обеспечения и сопутствующей документации (в дальнейшем именуемыми «Программное Обеспечение»), безвозмездно использовать Программное Обеспечение без ограничений, включая неограниченное право на использование, копирование, изменение, слияние, публикацию, распространение, сублицензирование и/или продажу копий Программного Обеспечения, а также лицам, которым предоставляется данное Программное Обеспечение, при соблюдении следующих условий:
11 | 
12 | Указанное выше уведомление об авторском праве и данные условия должны быть включены во все копии или значимые части данного Программного Обеспечения.
13 | 
14 | ДАННОЕ ПРОГРАММНОЕ ОБЕСПЕЧЕНИЕ ПРЕДОСТАВЛЯЕТСЯ «КАК ЕСТЬ», БЕЗ КАКИХ-ЛИБО ГАРАНТИЙ, ЯВНО ВЫРАЖЕННЫХ ИЛИ ПОДРАЗУМЕВАЕМЫХ, ВКЛЮЧАЯ ГАРАНТИИ ТОВАРНОЙ ПРИГОДНОСТИ, СООТВЕТСТВИЯ ПО ЕГО КОНКРЕТНОМУ НАЗНАЧЕНИЮ И ОТСУТСТВИЯ НАРУШЕНИЙ, НО НЕ ОГРАНИЧИВАЯСЬ ИМИ. НИ В КАКОМ СЛУЧАЕ АВТОРЫ ИЛИ ПРАВООБЛАДАТЕЛИ НЕ НЕСУТ ОТВЕТСТВЕННОСТИ ПО КАКИМ-ЛИБО ИСКАМ, ЗА УЩЕРБ ИЛИ ПО ИНЫМ ТРЕБОВАНИЯМ, В ТОМ ЧИСЛЕ, ПРИ ДЕЙСТВИИ КОНТРАКТА, ДЕЛИКТЕ ИЛИ ИНОЙ СИТУАЦИИ, ВОЗНИКШИМ ИЗ-ЗА ИСПОЛЬЗОВАНИЯ ПРОГРАММНОГО ОБЕСПЕЧЕНИЯ ИЛИ ИНЫХ ДЕЙСТВИЙ С ПРОГРАММНЫМ ОБЕСПЕЧЕНИЕМ.
15 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | Intel ME File System Explorer
 2 | =====
 3 | This repository contains Python 2.7 scripts for parsing MFS/MFSB partition and extracting contained files.
 4 | 
 5 | ## Usage
 6 | 
 7 |   parseMFS.py <MFS_Partition_File_Name.bin>
 8 | 
 9 |   Extracted files would be stored in MFS_Partition_File_Name.bin.zip file
10 | 
11 | ## Limitations
12 | 
13 |   Tested with MFS partitions obtained from ME 11.x firmware images
14 | 
15 | ## Related URLs:
16 | 
17 | [Intel ME: Flash File System Explained][1]
18 | 
19 | [Intel ME: The Way of the Static Analysis][2]
20 | 
21 | [Intel DCI Secrets][3]
22 | 
23 | [How to Hack a Turned-Off Computer or Running Unsigned Code in Intel Management Engine][4]
24 | 
25 | [Intel ME 11.x Firmware Images Unpacker][8]
26 | 
27 | ## Author
28 | 
29 | Dmitry Sklyarov ([@_Dmit][7])
30 | 
31 | ## Research Team
32 | 
33 | Mark Ermolov ([@\_markel___][5])
34 | 
35 | Maxim Goryachy ([@h0t_max][6])
36 | 
37 | Dmitry Sklyarov ([@_Dmit][7])
38 | 
39 | ## License
40 | This software is provided under a custom License. See the accompanying LICENSE file for more information.
41 | 
42 | [1]: https://www.blackhat.com/eu-17/briefings.html#intel-me-flash-file-system-explained
43 | [2]: https://www.troopers.de/troopers17/talks/772-intel-me-the-way-of-the-static-analysis/
44 | [3]: http://conference.hitb.org/hitbsecconf2017ams/sessions/commsec-intel-dci-secrets/
45 | [4]: https://www.blackhat.com/eu-17/briefings.html#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine
46 | [5]: https://twitter.com/_markel___
47 | [6]: https://twitter.com/h0t_max
48 | [7]: https://twitter.com/_Dmit
49 | [8]: https://github.com/ptresearch/unME11
50 | 


--------------------------------------------------------------------------------
/parseMFS.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | import sys, struct, os, hashlib, hmac, zlib
  3 | 
  4 | #***************************************************************************
  5 | #***************************************************************************
  6 | #***************************************************************************
  7 | 
  8 | CRC16tab = [0]*256
  9 | for i in xrange(256):
 10 |   r = i << 8
 11 |   for j in xrange(8): r = (r << 1) ^ (0x1021 if r & 0x8000 else 0)
 12 |   CRC16tab[i] = r & 0xFFFF
 13 | 
 14 | def CrcIdx(w, crc=0x3FFF):
 15 |   for b in bytearray(struct.pack("<H", w)): crc = (CRC16tab[b ^ (crc >> 8)] ^ (crc << 8)) & 0x3FFF
 16 |   return crc
 17 | 
 18 | def Crc16(ab, crc=0xFFFF):
 19 |   for b in bytearray(ab): crc = (CRC16tab[b ^ (crc >> 8)] ^ (crc << 8)) & 0xFFFF
 20 |   return crc
 21 | 
 22 | #***************************************************************************
 23 | #***************************************************************************
 24 | #***************************************************************************
 25 | 
 26 | crcTabLo = bytearray([0, 7, 14, 9, 28, 27, 18, 21, 56, 63, 54, 49, 36, 35, 42, 45])
 27 | crcTabHi = bytearray([0, 112, 224, 144, 199, 183, 39, 87, 137, 249, 105, 25, 78, 62, 174, 222])
 28 | def CSum8(ab):
 29 |   csum = 1
 30 |   for b in bytearray(ab):
 31 |     b ^= csum
 32 |     csum = crcTabLo[b & 0xF] ^ crcTabHi[b >> 4]
 33 |   return csum
 34 | 
 35 | #***************************************************************************
 36 | #***************************************************************************
 37 | #***************************************************************************
 38 | 
 39 | import zipfile, posixpath
 40 | class zipStorage(object):
 41 |   compression = zipfile.ZIP_STORED
 42 |   #compression = zipfile.ZIP_DEFLATED
 43 |   def __init__(self, baseName):
 44 |     self.fn = baseName + ".zip"
 45 |     self.z = zipfile.ZipFile(self.fn, "w", self.compression)
 46 |     self.baseDir = None
 47 | 
 48 |   def setBaseDir(self, baseDir=None):
 49 |     self.baseDir = baseDir
 50 |     return self
 51 | 
 52 |   def add(self, path, data=None):
 53 |     if self.baseDir: path = posixpath.join(self.baseDir, path)
 54 |     if data is None: path += posixpath.sep # Folder
 55 |     zi = zipfile.ZipInfo(path)
 56 |     zi.external_attr = (040755 << 16) | 0x30 if data is None else (0644 << 16) # Assign permissions
 57 |     self.z.writestr(zi, data or "")
 58 |     del zi
 59 | 
 60 |   def __del__(self):
 61 |     self.z.close()
 62 | 
 63 | #***************************************************************************
 64 | #***************************************************************************
 65 | #***************************************************************************
 66 | 
 67 | def sCfgMode(mode):
 68 |   assert 0 == (mode & ~0x1FFF) # Only 13 lowest bits used
 69 |   typ = " d"
 70 |   #      842184218421
 71 |   sfl = "AEIrwxrwxrwx" # A for Anti-Replay, E for Encrypton, I for Integrity
 72 |   r = []
 73 |   for i in xrange(len(sfl)):
 74 |     r.append(sfl[i] if mode & (1<<(len(sfl)-1-i)) else "-")
 75 |   return typ[mode >> 12] + "".join(r)
 76 | 
 77 | def sCfgOpt(mode):
 78 |   assert 0 == mode & ~0x001F, "mode == 0x%X" % mode # Only 5 lowest bits used
 79 |   sfl = "^?!MF" # M for afterManufacture, F for fromFIT
 80 |   r = []
 81 |   for i in xrange(len(sfl)):
 82 |     r.append(sfl[i] if mode & (1<<(len(sfl)-1-i)) else "-")
 83 |   return "".join(r)
 84 | 
 85 | #***************************************************************************
 86 | #***************************************************************************
 87 | #***************************************************************************
 88 | 
 89 | VFS_integrity    = 0x0200
 90 | VFS_encryption   = 0x0400
 91 | VFS_antireplay   = 0x0800
 92 | VFS_nonIntel     = 0x2000
 93 | VFS_directory    = 0x4000
 94 | 
 95 | def sVarMode(mode):
 96 |   typ = " d"
 97 |   #      21842184218421
 98 |   sfl = "N?AEIrwxrwxrwx" # N for Non-intel, A for Anti-Replay, E for Encrypton, I for Integrity
 99 |   r = []
100 |   for i in xrange(len(sfl)):
101 |     r.append(sfl[i] if mode & (1<<(len(sfl)-1-i)) else "-")
102 |   return typ[mode >> 14] + "".join(r)
103 | 
104 | #***************************************************************************
105 | #***************************************************************************
106 | #***************************************************************************
107 | 
108 | class MFS_Var_Folder_Entry(object):
109 |   fmtRec = struct.Struct("<LHHHH12s")
110 |   def __init__(self, ab, iRec):
111 |     self.iRec = iRec
112 |     self.fileno, self.mode, self.uid, self.gid, self.salt, name = self.fmtRec.unpack_from(ab, iRec * self.fmtRec.size)
113 |     self.name = name.split('\0', 1)[0]
114 |     self.iFile = self.fileno & 0xFFF
115 | 
116 |   def __str__(self):
117 |     return "iF=%03X m=%s u=%04X g=%04X s=%08X.%04X %s" % (self.iFile, sVarMode(self.mode), self.uid, self.gid, self.fileno, self.salt, self.name)
118 | 
119 | #***************************************************************************
120 | #***************************************************************************
121 | #***************************************************************************
122 | 
123 | class MFS_Blob_Security(object):
124 |   fmt = struct.Struct("<32sL16s")
125 |   def __init__(self, blob):
126 |     self.blob = blob
127 | 
128 |     blob.ab, self.ab = blob.ab[:-self.fmt.size], blob.ab[-self.fmt.size:] # Separate blob and security data
129 |     self.hmac, self.flags, self.nonce = self.fmt.unpack(self.ab)
130 |     self.tail = struct.pack("<32sL16sLL", '\0'*32, self.flags, self.nonce, blob.fileno, blob.salt)
131 | 
132 |     self.ar  = (self.flags) & 3 # bits 0-1
133 |     self.enc = (self.flags >> 2) & 1 # bit 2
134 |     self.u7  = (self.flags >> 3) & 0x7F # bits 3-9
135 |     self.iAR = (self.flags >> 10) & 0x3FF # bits 10-19
136 |     self.u12 = (self.flags >> 20) # bits 20-31
137 |     if self.ar: self.rnd, self.ctr = struct.unpack_from("<LL", self.nonce)
138 | 
139 |     assert 0x12 == self.u7
140 |     assert self.enc << 1 == self.u12
141 | 
142 |     if 0 == (self.flags & 7):
143 | #      if '\0'*16 != self.nonce: print self.nonce.encode("hex")
144 |       assert '\0'*16 == self.nonce # Empty nonce if no AR/Enc
145 | 
146 |   def __str__(self):
147 | #    return "ar=%d:%03X enc=%d:%s u7=%02X u12=%03X hmac=%s" % (self.ar, self.iAR, self.enc, self.nonce.encode("hex"), self.u7, self.u12, self.hmac.encode("hex"))
148 | 
149 |     sENC = "iv=%s" % (self.nonce.encode("hex"))
150 |     if not self.enc: sENC = ' '*len(sENC)
151 |     sAR = "ar=%d:%03X:%08X:%08X" % (self.ar, self.iAR, self.rnd, self.ctr) if self.ar else ' '*24
152 |     sU7 = "u7=%02X" % self.u7
153 |     if 0x12 == self.u7: sU7 = ' '*len(sU7)
154 |     sU12 = "u12=%02X" % self.u12
155 |     if self.enc << 1 == self.u12: sU12 = ' '*len(sU12)
156 |     return "%s %s %s %s" % (sENC, sAR, sU7, sU12)
157 | 
158 | #***************************************************************************
159 | #***************************************************************************
160 | #***************************************************************************
161 | 
162 | class MFS_Blob(object):
163 |   def __init__(self, mfs, fileno, mode=VFS_integrity|VFS_nonIntel, salt=0):
164 |     self.mfs, self.fileno, self.mode, self.salt = mfs, fileno, mode, salt
165 |     self.ab = mfs.getFileData(self.fileno & 0xFFF) # Read MFS record data
166 |     self.sec = MFS_Blob_Security(self) if self.mode & VFS_integrity else None
167 |     self.typ = 0
168 | 
169 |   def asFolder(self, path):
170 |     self.typ = 1
171 |     self.path = path
172 |     assert 0x90 == self.sec.flags
173 |     nRec, left = divmod(len(self.ab), MFS_Var_Folder_Entry.fmtRec.size)
174 |     assert 0 == left
175 |     self.aE = [MFS_Var_Folder_Entry(self.ab, iRec) for iRec in xrange(nRec)]
176 | 
177 |   def __str__(self):
178 |     r = ["%s/[%d]" % (self.path, len(self.aE))]
179 |     for i, e in enumerate(self.aE): r.append("%3d: %s" % (i, e))
180 |     return "\n".join(r + [""])
181 | 
182 | #***************************************************************************
183 | #***************************************************************************
184 | #***************************************************************************
185 | 
186 | class MFS_Page(object):
187 |   fmtHdr = struct.Struct("<LLLHHBB")
188 |   fmtChunk = struct.Struct("<64sH")
189 |   def __init__(self, ab, iPage):
190 |     o = iPage * MFS.PAGE_SIZE
191 |     self.iPage = iPage
192 |     self.data = ab[o:o+MFS.PAGE_SIZE]
193 |     self.sign, self.USN, self.nErase, self.iNextErase, self.firstChunk, csum, b0 = self.fmtHdr.unpack_from(self.data)
194 |     self.bData = self.firstChunk > 0
195 |     assert 0xAA557887 == self.sign # Page signature
196 |     assert csum == CSum8(self.data[:16]) # Page Header checksum
197 |     assert 0 == b0
198 |     self.oInfo = self.fmtHdr.size
199 | 
200 |     if self.bData:
201 |       self.mFree = bytearray(self.data[self.oInfo:self.oInfo + MFS.nDataPageChunks])
202 |       self.oChunks = MFS.oDataChunks
203 |     else:
204 |       assert 0 == self.firstChunk
205 |       self.axIdx = struct.unpack_from("<%dHH" % MFS.nSysPageChunks, self.data, self.oInfo)
206 |       self.oChunks = MFS.oSysChunks
207 | 
208 |       iChunk, self.aiChunk = 0, []
209 |       for iRec in xrange(MFS.nSysPageChunks): # Enum Sys records
210 |         if self.axIdx[iRec] & 0xC000: break # Stop on first unmaped chunk
211 |         iChunk = CrcIdx(iChunk) ^ self.axIdx[iRec]
212 |         self.aiChunk.append(iChunk)
213 |     return
214 | 
215 |   def getChunk(self, iRec, iChunk):
216 |     chunk, crc = self.fmtChunk.unpack_from(self.data, self.oChunks + iRec * self.fmtChunk.size)
217 |     assert crc == Crc16(chunk + struct.pack("<H", iChunk))
218 |     return chunk
219 | 
220 |   def enumChunks(self):
221 |     if self.bData:
222 |       for iRec, bFree in enumerate(self.mFree): # Enum Data records
223 |         if bFree: continue # Skip unmapped chunks
224 |         iChunk = self.firstChunk + iRec # Calculate chunk number
225 |         yield iChunk, self.getChunk(iRec, iChunk)
226 |     else:
227 |       for iRec, iChunk in enumerate(self.aiChunk): # Enum System records
228 |         yield iChunk, self.getChunk(iRec, iChunk)
229 | 
230 |   def __str__(self):
231 |     if self.bData: data = "".join((" " if free else "*") for free in self.mFree)
232 |     else: data = " ".join("%04X" % x for x in self.aiChunk)
233 |     sChunk = "%04X" % self.firstChunk if self.firstChunk else "----"
234 |     return "%02X: USN=%04X erase=%4X iNext=%4X %s : %s" % (self.iPage, self.USN, self.nErase, self.iNextErase, sChunk, data)
235 | 
236 | #***************************************************************************
237 | #***************************************************************************
238 | #***************************************************************************
239 | 
240 | class MFS_Cfg_Record(object):
241 |   fmtRec = struct.Struct("<12sHHHHHHL")
242 |   def __init__(self, data, iRec):
243 |     self.name, unused, self.mode, self.opt, self.cb, self.uid, self.gid, self.offs = self.fmtRec.unpack_from(data, 4+iRec*self.fmtRec.size)
244 |     assert 0 == unused
245 |     self.name = self.name.rstrip('\0')
246 | 
247 | class MFS_Cfg_Storage(object):
248 |   def __init__(self, data):
249 |     self.data = data
250 |     nRec, = struct.unpack_from("<L", data)
251 |     self.aRec = [MFS_Cfg_Record(self.data, iRec) for iRec in xrange(nRec)]
252 | 
253 |   def dump(self, stg=None):
254 |     msg = "nRec=%d(0x%X), cb=%d(0x%X)" % (len(self.aRec), len(self.aRec), len(self.data), len(self.data))
255 |     rTxt = [msg]
256 |     rLog = [msg]
257 |     aPath = []
258 |     for i,e in enumerate(self.aRec):
259 |       rLog.append("%4X: m=%04X %04X cb=%04X uid=%04X gid=%04X o=%08X %s" % (i, e.mode, e.opt, e.cb, e.uid, e.gid, e.offs, e.name))
260 |       if e.mode & 0x1000: # Dir
261 |         if ".." == e.name: aPath.pop()
262 |         else:
263 |           aPath.append(e.name)
264 |           path = posixpath.join(*aPath)
265 |           if stg: stg.add(path)
266 |           rTxt.append("%4X: %s %s uid=%04X gid=%04X               %s/" % (i, sCfgMode(e.mode), sCfgOpt(e.opt), e.uid, e.gid, path))
267 |       else:
268 |         path = posixpath.join(posixpath.join(*aPath), e.name)
269 |         rTxt.append("%4X: %s %s uid=%04X gid=%04X @%06X[%4X] %s" % (i, sCfgMode(e.mode), sCfgOpt(e.opt), e.uid, e.gid, e.offs, e.cb, path))
270 |         if stg: stg.add(path, self.data[e.offs:e.offs + e.cb])
271 |     if stg:
272 |       name = os.path.split(stg.baseDir)[1] or "storage"
273 |       stg.add("%s.txt" % name, "\n".join(rTxt + [""]))
274 |       stg.add("%s.log" % name, "\n".join(rLog + [""]))
275 |     else:
276 |       print "\n".join(rTxt)
277 | 
278 | #***************************************************************************
279 | #***************************************************************************
280 | #***************************************************************************
281 | 
282 | def packPage(iPage, data="", firstChunk=0):
283 |   hdr = struct.pack("<LLLHH", 0xAA557887, iPage+1, 1, iPage+1, firstChunk)
284 |   return (hdr + chr(CSum8(hdr)) + '\0' + data).ljust(MFS.PAGE_SIZE, '\xFF')
285 | 
286 | def packChunk(iChunk, chunk):
287 |   chunk = chunk.ljust(64, '\0')
288 |   crc = Crc16(chunk + struct.pack("<H", iChunk))
289 |   return chunk + struct.pack("<H", crc)
290 | 
291 | #***************************************************************************
292 | #***************************************************************************
293 | #***************************************************************************
294 | 
295 | def MFSBtoMFS(mfsb):
296 |   fmtHdr = struct.Struct("<4sL24s")
297 |   fmtLen = struct.Struct(">L")
298 |   sign, crc, FFs = fmtHdr.unpack_from(mfsb)
299 |   assert "MFSB" == sign
300 |   o = fmtHdr.size
301 |   assert ~zlib.crc32(mfsb[o:], -1) & 0xFFFFFFFF == crc
302 |   assert '\xFF'*len(FFs) == FFs
303 |   oEnd = mfsb.find('\xFF'*10, o)
304 |   r = []
305 |   while True:
306 |     o1324 = mfsb.find('\1\3\2\4', o, oEnd-8)
307 |     if o1324 < 0: break
308 |     r.append(mfsb[o:o1324])
309 |     r.append('\xFF'*fmtLen.unpack_from(mfsb, o1324+4)[0])
310 |     o = o1324+8
311 |   r.append(mfsb[o:oEnd])
312 |   cb = sum(len(v) for v in r)
313 |   r.append('\xFF'*(-cb % 0x2000))
314 |   return "".join(r)
315 | 
316 | class MFS(object):
317 |   cbHdr = MFS_Page.fmtHdr.size # 18(0x12) bytes
318 |   PAGE_SIZE = 0x2000 # Page size is 8K
319 |   CHUNK_SIZE = 0x40 # Chunk size is 64(0x40) bytes
320 |   nDataPageChunks = (PAGE_SIZE - cbHdr) / (1 + CHUNK_SIZE + 2) # 122(0x7A) chunks per Data page
321 |   oDataChunks = cbHdr + nDataPageChunks # 140(0x8C)
322 |   nSysPageChunks = (PAGE_SIZE - cbHdr - 2) / (2 + CHUNK_SIZE + 2) # 120(0x78) chunks per System page
323 |   oSysChunks = cbHdr + 2*(nSysPageChunks + 1) # 260(0x104)
324 |   fmtVolHdr = struct.Struct("<LLLH")
325 | 
326 |   def getFileData(self, iFile):
327 |     iNode = self.aFAT[iFile]
328 |     if 0x0000 == iNode: return None # No file
329 |     if 0xFFFF == iNode: return "" # Empty file
330 | 
331 |     r = []
332 |     while True:
333 |       assert iNode >= self.nFiles
334 |       chunk = self.dChunks[iNode - self.nFiles + self.nSysChunks]
335 |       iNode = self.aFAT[iNode] # Get next node
336 |       if iNode > 0 and iNode <= self.CHUNK_SIZE: break # Last chunk
337 |       r.append(chunk)
338 |     r.append(chunk[:iNode])
339 |     return "".join(r)
340 | 
341 |   def enumFiles(self):
342 |     for iFile in xrange(self.nFiles):
343 |       if 0x0000 == self.aFAT[iFile]: continue
344 |       yield iFile, self.getFileData(iFile)
345 | 
346 |   def __init__(self, ab):
347 |     self.ab = ab
348 |     self.cbPart = len(self.ab) # Find total size of MFS partition
349 |     assert 0 == self.cbPart % self.PAGE_SIZE
350 |     self.nPages = self.cbPart / self.PAGE_SIZE # Total number of pages
351 |     self.nSysPages = self.nPages/12 # Number of System pages
352 |     self.nDataPages = self.nPages - self.nSysPages - 1 # Number of Data pages
353 |     self.nDataChunks = self.nDataPages * self.nDataPageChunks # Number of Data chunks
354 |     self.cbData = self.nDataChunks * self.CHUNK_SIZE # Data area capacity
355 | 
356 |     self.aSysPages = []
357 |     self.aDataPages = []
358 |     for iPage in xrange(self.nPages): # Process all pages
359 |       if 0 == struct.unpack_from("<L", self.ab, iPage*self.PAGE_SIZE)[0]: continue # Ignore to-be-erased page
360 |       pg = MFS_Page(self.ab, iPage) # Load page
361 |       (self.aDataPages if pg.bData else self.aSysPages).append(pg) # Add to specific list
362 | 
363 |     assert self.nSysPages == len(self.aSysPages)
364 |     assert self.nDataPages == len(self.aDataPages)
365 | 
366 |     self.aSysPages.sort(key=lambda pg: pg.USN) # Sort System pages by USN
367 |     self.aDataPages.sort(key=lambda pg: pg.firstChunk) # Sort Data pages by firstChunk
368 | 
369 |     self.nSysChunks = self.aDataPages[0].firstChunk
370 |     self.dChunks = {}
371 | 
372 |     for pg in self.aSysPages: # Process all System pages
373 |       for iChunk, chunk in pg.enumChunks(): # Enumerate all chunks in System page
374 |         assert iChunk < self.nSysChunks
375 |         self.dChunks[iChunk] = chunk
376 | 
377 |     for i, pg in enumerate(self.aDataPages): # Process all Data pages
378 |       assert self.nSysChunks + i * self.nDataPageChunks == pg.firstChunk
379 |       for iChunk, chunk in pg.enumChunks(): # Enumerate all chunks in Data page
380 |         assert iChunk not in self.dChunks # No duplicats in Data chunks permitted
381 |         self.dChunks[iChunk] = chunk
382 | 
383 |     self.sign, self.ver, self.cbTotal, self.nFiles = self.fmtVolHdr.unpack_from(self.dChunks[0]) # Volume header is in Chunk#0
384 |     assert 0x724F6201 == self.sign # FileSystem signature
385 |     assert 1 == self.ver # FileSystem version
386 |     assert self.nSysChunks == (self.fmtVolHdr.size + 2*self.nDataChunks + 2*self.nFiles + self.CHUNK_SIZE - 1) / self.CHUNK_SIZE
387 |     self.cbSys = self.nSysChunks * self.CHUNK_SIZE
388 |     assert self.cbData + self.cbSys == self.cbTotal
389 | 
390 |     abSys = bytearray(self.cbSys)
391 |     for iChunk in xrange(self.nSysChunks):
392 |       if iChunk in self.dChunks: abSys[iChunk*self.CHUNK_SIZE:(iChunk+1)*self.CHUNK_SIZE] = bytearray(self.dChunks[iChunk])
393 | 
394 |     self.aFAT = struct.unpack_from("<%dH" % (self.nFiles + self.nDataChunks), str(abSys), self.fmtVolHdr.size)
395 |     return
396 | 
397 |     print str(abSys[:self.fmtVolHdr.size]).encode("hex")
398 |     for i, v in enumerate(self.aFAT):
399 |       if i == self.nFiles: print
400 |       if 0 == i % 16: print "\n%04X:" % i,
401 |       print "%4X" % v,
402 |     print
403 | 
404 |   def walkFolder(self, path, fileno, mode=VFS_integrity|VFS_nonIntel, salt=0):
405 |     fld = MFS_Blob(self, fileno, mode, salt)
406 |     fld.asFolder(path)
407 | 
408 |     self.r.append("%s/[%d]" % (path, len(fld.aE)))
409 |     for i,e in enumerate(fld.aE):
410 |       r = ["%3d: %-69s" % (i+1, e)]
411 |       blob = MFS_Blob(self, e.fileno, e.mode, e.salt) if e.fileno else None
412 |       r.append("<dir>" if e.mode & VFS_directory else "%5d" % len(blob.ab))
413 |       if e.mode & VFS_integrity:
414 |         r.append(" %s" % blob.sec) # Integrity enabled -- append Security info
415 |       self.r.append("".join(r).rstrip())
416 |     self.r.append("")
417 | 
418 |     for e in fld.aE:
419 |       if e.name in (".", ".."): continue # Ignore self/parent references
420 |       fn = posixpath.join(path, e.name)
421 |       if e.mode & VFS_directory: # Directory
422 |         self.stg.add(fn)
423 |         self.walkFolder(fn, e.fileno, e.mode, e.salt)
424 |       else:
425 |         blob = MFS_Blob(self, e.fileno, e.mode, e.salt)
426 |         if blob.sec:
427 |           self.stg.add(fn + ".vfsSecurity", blob.sec.ab) # Security data
428 |         if blob.sec and blob.sec.enc: # Encrypted
429 |           self.stg.add(fn + ".vfsEncrypted", blob.ab)
430 |         else: self.stg.add(fn, blob.ab)
431 | 
432 |   def dump(self, baseName=None):
433 |     self.stg = zipStorage(baseName)
434 |     self.stg.setBaseDir("chains")
435 |     for iFile, data in self.enumFiles():
436 |       self.stg.add("%03X.bin" % iFile, data)
437 | 
438 |     for iFile in (6, 7):
439 |       dName = {6:"intel.cfg", 7:"fitc.cfg"}
440 |       data = self.getFileData(iFile)
441 |       if data:
442 |         if False: # Extract intel.cfg / fit.cfg
443 |           h = hashlib.sha256(data).digest()
444 |           fnCfg = "%s_%s" % (h[:8].encode("hex"), dName[iFile])
445 |           if not os.path.exists(fnCfg):
446 |             with open(fnCfg, "wb") as fo: fo.write(data)
447 |         self.stg.setBaseDir(dName[iFile])
448 |         MFS_Cfg_Storage(data).dump(self.stg)
449 | 
450 |     if self.aFAT[8]:
451 |       self.stg.setBaseDir("varFS")
452 |       self.r = []
453 |       self.walkFolder("home", 0x10000008)
454 |       self.stg.add("varFS.log", "\n".join(self.r + [""]))
455 |       del self.r
456 | 
457 |   def __str__(self):
458 |     return "Size:%dK, nPages:%d, nSysPg:%d, nDataPg:%d, nDataChunks:%d, nSysChunks:%d, nFiles:%d/%d, cbData:%d, cbSys:%d, cbTotal:%d" % \
459 |     (self.cbPart/1024, self.nPages, self.nSysPages, self.nDataPages, self.nDataChunks, self.nSysChunks, self.nFiles, (self.cbSys-14)/2 - self.nDataChunks, self.cbData, self.cbSys, self.cbTotal)
460 | 
461 | #***************************************************************************
462 | #***************************************************************************
463 | #***************************************************************************
464 | 
465 | def main(argv):
466 |   if len(argv) <= 1:
467 |     print "Usage: %s MFS.part {MFS.part}" % os.path.split(argv[0])[1]
468 |     return
469 | 
470 |   for fn in argv[1:]:
471 |     with open(fn, "rb") as fi: data = fi.read()
472 | 
473 |     if data.startswith("MFSB"):
474 |       print ". Converting MFSB to MFS for %s" % fn
475 |       data = MFSBtoMFS(data)
476 | 
477 |     mfs = MFS(data)
478 |     print fn, mfs
479 |     mfs.dump(fn)
480 | 
481 | if __name__=="__main__": main(sys.argv)
482 | 


--------------------------------------------------------------------------------