Mount / Read the contents of a binary dump from a BIOS eeprom?
I've been researching this topic for about 2 days now, but have not been able to find a solution for my requirement.
Some Background:
I own a cheap Chinese CCTV DVR, which runs a really cut-down version of Linux. Once you configure the admin password on these boxes, it gets written to the BIOS eeprom. If you forget the password, you are very limited; you either try to use a password recovery tool (none of which worked for me) or you try to overwrite the BIOS .bin file with a new one, and hope that you have one which will boot the hardware correctly and recognise all the components on the motherboard. Been there, done that, didn't work (long story!) I've tried 3x different BIOS images that were very similar, but didn't fully recognise all the hardware on my MB.
I need to figure out where within the original BIOS filesystem the password was written, to see if I can recover it.
So....
I have a .bin dump from this BIOS chip. I obtained the .bin dump by using a CH341 USB Programmer. I desoldered the chip from the motherboard, and read its contents. I 'think' (assume?) that it contains an MBR and some other partitions.
I would like to 'mount' this .bin file and be able to read the contents of the filesystem(s).
I have so far attempted the following:
- Read the content of the file with HxD Hex Editor. Which shows me 'some' info, but it is not entirely useful.
- I've used DD to write the .bin file to a USB Key
- I then used 2x different file recovery utilities to read the contents of the USB Key.
- Unfortunately, and whilst I learned stuff in the process, this merely resulted in the file recovery utilities recovering previously deleted photos and videos from the USB key, as opposed to actually reading the files I had written with DD.
- I have tried booting GParted, and reading the content of the USB Key. It didn't recognise any partitions.
So,
How can I take this .bin dump and write it to a disk, or virtual disk file and read the contents? Like mounting a Linux partition?
You can find the .bin file here, if you want to play around with it. There's no sensitive data on it: https://drive.google.com/file/d/19epXpqNXnw5TfAj3lQKDtSYABqXgOM86/view?usp=sharing
Solution 1:
OK, so after further research and consulting with some other experts on filesystems, we've determined that this .bin image contains some compressed cramfs and squashfs partitions.
After yet more digging, and trying various different forensic utilities, I finally found one that worked and allowed me to extract the cramfs and mount them in Ubuntu. The utility is called https://github.com/ReFirmLabs/binwalk
I am now able to read the filesystem, and I believe I have found the file that contains the web interface password. It appears to be the /squashfs-root-0/etc/auth.dat file. Possibly a java json web token, but not 100% on that yet!
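The kind of signature scan that locates cramfs and squashfs images inside a raw flash dump, as an added example (not part of the original answer and not binwalk's own code). It assumes little-endian superblocks and the squashfs 4.x header layout; `scan` and `build_sample` are hypothetical names, and the sample image is constructed for the demonstration.

```python
import struct
import sys

CRAMFS_MAGIC = b"\x45\x3d\xcd\x28"   # 0x28cd3d45 stored little-endian
CRAMFS_SIG = b"Compressed ROMFS"     # fixed string at superblock offset 16
SQUASHFS_MAGIC = b"hsqs"             # little-endian squashfs superblock

def _find_all(blob, needle):
    pos = blob.find(needle)
    while pos != -1:
        yield pos
        pos = blob.find(needle, pos + 1)

def scan(blob):
    """Return sorted (offset, fstype, size) tuples for plausible superblocks."""
    hits = []
    for off in _find_all(blob, CRAMFS_MAGIC):
        # Require the signature string too: the 4-byte magic alone gives false hits.
        if blob[off + 16:off + 32] == CRAMFS_SIG:
            (size,) = struct.unpack_from("<I", blob, off + 4)
            hits.append((off, "cramfs", size))
    for off in _find_all(blob, SQUASHFS_MAGIC):
        if off + 48 > len(blob):
            continue  # truncated superblock
        (major,) = struct.unpack_from("<H", blob, off + 28)
        (used,) = struct.unpack_from("<Q", blob, off + 40)
        # Assumption: squashfs 4.x layout (version at +28, bytes_used at +40).
        if major == 4 and 0 < used <= len(blob) - off:
            hits.append((off, "squashfs", used))
    return sorted(hits)

def build_sample():
    """Constructed 32 KiB test image, not the dump from the question."""
    img = bytearray(b"\xff" * 0x8000)
    struct.pack_into("<II", img, 0x1000, 0x28CD3D45, 0x2000)  # cramfs magic + size
    img[0x1010:0x1020] = CRAMFS_SIG
    img[0x4000:0x4004] = SQUASHFS_MAGIC
    struct.pack_into("<HH", img, 0x401C, 4, 0)                # squashfs version 4.0
    struct.pack_into("<Q", img, 0x4028, 0x1800)               # bytes_used
    img[0x6000:0x6004] = CRAMFS_MAGIC  # bare magic without signature: must be ignored
    return bytes(img)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for off, fstype, size in scan(data):
        print(f"{off:#010x}  {fstype:<8}  {size} bytes")
```

Pass the path of a dump as the first argument to scan it; with no argument the script scans the constructed sample. The reported offset and size are the values needed to carve each filesystem out of the dump before mounting or unpacking it.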