This project contains code to parse and mount (read only) the TFFS filesystem found in certain Automotive systems. Earlier we created a similar tool: qnxmount for other filesystems found in Automotive applications running the QNX OS.
Most of the initial research and reverse engineering of TFFS was done by the Digital Analysis Division of the National Forensic Service (NFS) of the Republic of Korea. This research is documented in their paper published at DFRWS 2023 and their code can be found here.
The information in the paper was augmented with some additional reverse engineering efforts of our own based on executable files found in Automotive systems.
All of this filesystem structure information combined was put in the parser.ksy
file, which is written in the declarative binary structure language: kaitai, enabling the automatic generation of parser code.
The filesystem can then be mounted using FUSE with some python glue code between the FUSE python bindings and the generated parser.
This project is only tested on Linux machines.
Make sure you have fuse installed:
sudo apt install fuse
Set up your Python virtual environment and activate it:
python3 -m venv venv
source ./venv/bin/activate
Install tffsmount:
pip install .
General use of the module is as follows:
~ python -m tffsmount -h
usage: tffsmount [-h] [-o OFFSET] image mount_point
positional arguments:
image Path to image containing tffs file system
mount_point Path to mount point
options:
-h, --help show this help message and exit
-o OFFSET, --offset OFFSET
Offset of tffs partition in image
Note that the offset and page size can be entered in decimal, octal, binary, or hexadecimal format. For example, we can mount an image with a tffs filesystem at offset 0x1000 with:
python3 -m tffsmount -o 0x1000 /image /mountpoint
Using the option -o 4096
would give the same result.
If mounting succeeds you will see the log message "Mounting image /image on mount point /mountpoint"
appear and the process will hang. Navigate to the given mount point with another terminal session or a file browser to access the file system.
Unmounting can be done from the terminal with:
sudo umount /mountpoint
The logs will show show that the image was successfully unmounted and tffsmount will exit.
If you want develop the tool and run tests, first fork the repository. Contributions can be submitted as a merge request.
To get started clone the forked repository and create a virtual environment. Install the test dependencies.
pip install .[test]
The folder tests contains functional tests to test the parser against known input data. To run these tests you need a file system image and an accompanying tar archive. The tests run are functional tests that check whether the parsed data from the test image is equal to the data stored in the archive. Default test_images are located in the folders test_data. If you want to test your own image replace the files test_image.bin and test_image.tar.gz with your own.
A test image can be created by running the script make_test_fs.sh
inside an environment where you have access to mktffs
and the Tuxera kernel module (tffs.ko
) loaded.
The script will create the desired files and directories which you will then need to tar as well as use dd to create a physical image.
To run the tests in this repo navigate to the main directory of the repo and run:
pytest