Home
> Computer forensics > Mounting a JFFS2 dd image in Linux
Mounting a JFFS2 dd image in Linux
So there I was, holding a dd image of a JFFS2 filesystem dumped from a drone. Great, good to go! Let’s start our analysis! Not so fast, mounting one of these things is non-trivial. After much trial and error, and some Google-fu, I got the following to work in the SIFT3 forensics VM (Ubuntu).
First, test to see if the image is recognized:
khorog:dot2 kovar$ file root.dd
root.dd: data
Not a recognized filesystem and the most likely issue is big vs little endian. Let’s fix that:
apt-get install mtd-utils jffs2dump -b -c -r -e dest_file.little src_file.big
Note: The ‘-r’ was critical and none of the Google hits I found on this topic included it. This option “recalc name and data crc on endian conversion”.
Now, check the file again:
khorog:dot2 kovar$ file root-swap.dd
root-swap.dd: Linux jffs2 filesystem data little endian
Then install a lot of kernel modules. (Some of these failed in Ubuntu 14 but the mount worked anyhow.)
modprobe mtdcore modprobe jffs2 modprobe mtdram modprobe mtdchar modprobe mtdblock
Now, mount the image:
dd if=root-swap.dd of=/dev/mtdblock0 mount -t jffs2 /dev/mtdblock0 /mnt/jffs2
Et viola.
Categories: Computer forensics
Integriography: A Journal of Broken Locks, Ethics, and Computer Forensics 
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
$file root_cfe_auto.jffs2
root_cfe_auto.jffs2: UBI image, version 1
$modprobe nandsim first_id_byte=0x2c second_id_byte=0xda third_id_byte=0x90 fourth_id_byte=0x95
$flash_erase /dev/mtd0 0 0
$ubiformat /dev/mtd0 -O 2048 -f Documents/vuplus/solo/root_cfe_auto.jffs2
$modprobe ubi
$ubiattach /dev/ubi_ctrl -m 0 -O 2048
$mkdir /media/jffs2
$mount -t ubifs ubi0:rootfs /media/jffs2
Thanks ! Strangely some of the commands indeed dont work but the mounting itself worked on Ubuntu. Just needed to add sudo, but that speaks for itself 😉 Thanks !