02/03/2022 Progress Update

2022-03-02

Following a quick scribble of notes I wrote four months ago how I might go about making an image of the system for offline analysis purposes, I finally found the time (and motivation) get get around working on my thesis again :')

I didn’t want to make an on-board image of the system since

Bad idea to write to the file system of the file system you’re trying to clone…
There’s not enough free space anyway

So I decided to pipe the output of a dd command through SSH.

SSH Access

According to iptables, inbound access to the SSH port (22) is blocked

root@rockrobo:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       udp  --  anywhere             anywhere             udp dpt:6665
DROP       tcp  --  anywhere             anywhere             tcp dpt:6665
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

root@rockrobo:~# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 6665 -j DROP
-A INPUT -p tcp -m tcp --dport 6665 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP

So first we’ll need to enable access, by deleting the drop rule.
(You can find the rules by doing iptables -S, and then replacing -A with -D)

iptables -D INPUT -p tcp -m tcp --dport 22 -j DROP

Note that this rule gets added back by some scripts running on the system, so you’ll need to patch those files

SSH Auth

I added my public key to the OpenSSH server (SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3)

ssh-copy-id -i ~/.ssh/id_rsa root@10.10.10.8

Backup

for partition in `ssh root@10.10.10.8 "ls /dev/mmcblk0?* -1"`
do
    ssh root@10.10.10.8 "sudo dd if=$partition bs=1M" | dd of=$(basename $partition).img
done

This made a backup of each individual partition on the remote eMMC chip, and stored it locally on my computer

Mapping

Later I can correlate the partition backups to their labels and purpose which I had documented in eMMC Layout and fdisk dump

fstab

Also this

root@rockrobo:/# cat /etc/fstab
# UNCONFIGURED FSTAB FOR BASE SYSTEM
tmpfs /tmp tmpfs size=30m 0 0
tmpfs /run/shm tmpfs size=100m 0 0
/dev/mmcblk0p1      /mnt/data/              ext4  defaults 0 0
/dev/mmcblk0p6      /mnt/default/               ext4  ro 0 0
/dev/mmcblk0p10     /mnt/updbuf/                ext4  defaults 0 0
/dev/mmcblk0p11     /mnt/reserve/               ext4  defaults 0 0

TODO

cat /proc/mtd

Previous Commentree

Next fdisk dump

On This Page