Posted on 2006-4-29 09:37:00
(The marked parts are grammar/spelling errors)
Hide file/data from nGFFFS or any other NAND flash file system
qiqi/Thread inc.
========================
Notice:
Just for research or study!
*NGFFFS: a type of file system developed for NAND flash by ggv
Below are some ways to hide files/data under gfffs or other NAND flash disks:
1. Hide file from FileList
2. Hide file from FileSystem (using API hook)
3. Hide file from FileSystem (by editing the Inode table)
4. Hide data from FileSystem (by editing the Inode table; doesn't hide the file, but can hide the file data from the file read function)
5. Hide data from Logic NAND flash block list (method 1, depends on ngfffs)
6. Hide data from Physical NAND flash block (method 2, does not depend on ngfffs, but it must edit a common data structure; it may only can (modal verbs can be used any way you like, huh~) run under ngfffs)
7. Hide data from Physical NAND block (can run under any common NAND flash disk (e.g. samsung, toshiba, scandisk, etc.) and any file system (Ngfffs, fat, yaffs, etc.), but may not run under OneNand flash disks (e.g. samsung's OneNand flash))

1. Hide file from FileList
In this method, we only hide the file from the filelist. The file isn't shown in the filelist, but can still be operated on by other file system functions.
The system filelist function can be bypassed easily: you only need to find the file's inode location and edit the inode table (write the Inode table in NOR flash or use the Edit-Inode API function), and set the "FileHide" bit.
Other filelist functions (e.g. lee's filelist function or lendy's filelist function) do not check the "FileHide" bit and list all the files anyway.
To bypass these filelist functions, you can edit the directory structure (the system does not check this structure anyway, so you can edit this structure without caring about any bad effect :>). In this structure, every file or directory entry has an Inode number and a file/directory name. You can overwrite the Inode number with bad data (e.g. 55h, 02h; don't write FFFFh, because some programs will recognise this sign as the end of the directory). If this bad data is not a valid inode number, the filelist function will think it's a bad file (corrupt file) and skip it :p

2. Hide file from filesystem
Hooking the system API (open file, get_file_len, and so on) will hide the file from the file system.
For reference, see the method and source code in my blog:
http://pain.ucblog.com

3. Hide file from File System Method 2
This method edits the file's inode entry. You can erase the file's inode entry, and the file will be "extirpated" from the Inode table, and no file system app layer function can access it. But we don't edit the Block-use-table, so the file data will be kept.
Because the file block information will be erased (maybe you don't erase the file block information and only edit the inode number and inode attribute information; of course this can also hide the file from the file system, but it can be found by using NOR flash edit tools (e.g. wqxhex, wqxdebug, etc.)), if you want to get the file data, record it in another place (e.g. the system core part).
Notice: some file system tools will detect the hidden file data and consider it a logic bad block (e.g. my Logic Bad detecter (already released)), and may clear it to free the flash space (e.g. my Bad block DustMan (not released)).

4. Hide data from file system Method 3
This method edits the file inode table and the file length information. Edit the file length or file block list to make it look like an "empty file", so file edit tools such as ue\Pacmanager can't read the file data, but some file system functions under the logic layer will read the file data as usual.

5. Hide data from Logic NAND flash disk Method 1
This method hides the data by editing the bad block list (not the PHY-LOG exchange table in xram, which will be updated on reset).
step 1: write the data you want to hide to a specific blank block
step 2: edit the Bad block list in the Super block, and mark the specific block as a bad block
step 3: reset
step 4: the block will be hidden, and you can't access it with any logic layer read function (e.g. Brk $0505 on NC2600), and the flash free space will be reduced by 16KB
Even if a NAND flash format is executed, this data will not be cleared, and will never be touched by any system function.
It can be fixed by manual operation with wqxhex or by using my bad block DustMan (it differentiates real bad blocks from those that are not).

6. Hide data from Physical NAND flash disk Method 2
This method conforms with method 6, but it suits some file systems such as ngfffs.
Every NAND flash block contains x32 512B data pages and x32 16B extend pages.
Some file systems like ngfffs use the extend page to check the data page, so you can edit the checksum data in the extend page, and this 512B data page will be marked as a bad block when writing to or reading from this block (in the NGFFFS and FAT16/32 file systems, the whole 32KB data block (x2 block) will be automatically marked as a bad block). If you wrote your data in this area before, this data will be hidden.

7. Hide data from Physical NAND flash disk Method 3
This method also uses the NAND flash's extend page.
In some situations, the 16B extend page is not wholly used, so you can use the remaining data space to store your own data that you want to hide.
If your data is larger than xxB, you must store it distributed over several pages, and record the pages over which you distributed it.
This method doesn't edit any already existing data structure, so it can be used under any NAND flash disk (it must be the common structure), and can hide data as if it almost did not exist.
=============================
My English is so poor, so the article will be covered with bugs :p
Thanks to zhangchu, yuaner, any reader who reads the whole of this article and anyone who ever helped me.
2006-4-27 2:43
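
Added example, not part of the original post and not code from its author: a forensic check over a raw NAND dump that flags the two residues methods 5 and 7 leave behind, namely written data inside a block listed as bad and non-FFh bytes in spare ("extend page") positions the file system does not use. Assumptions: the dump stores each 512B page followed by its 16B extend page, the bad block list has already been parsed into a set of block numbers, and the set of spare offsets the file system uses is supplied by the analyst; the sample dump is constructed.

```python
PAGE, SPARE, PAGES_PER_BLOCK = 512, 16, 32   # geometry stated in the post
RAW_PAGE = PAGE + SPARE                       # assumed layout: page data, then its spare
RAW_BLOCK = RAW_PAGE * PAGES_PER_BLOCK


def audit_dump(dump, bad_blocks, used_spare):
    """Return (block, page, reason) findings for a raw dump.

    bad_blocks: block numbers the file system lists as bad (parsed elsewhere).
    used_spare: spare-byte offsets the file system really uses (assumed layout).
    A genuinely worn block can also hold stale data, so each finding is a
    lead for manual review, not proof of hidden data.
    """
    findings = []
    for blk in range(len(dump) // RAW_BLOCK):
        for pg in range(PAGES_PER_BLOCK):
            off = blk * RAW_BLOCK + pg * RAW_PAGE
            data = dump[off:off + PAGE]
            spare = dump[off + PAGE:off + RAW_PAGE]
            # Method 5 residue: a "bad" block whose pages are not erased (all FFh).
            if blk in bad_blocks and data.count(0xFF) != PAGE:
                findings.append((blk, pg, "data in bad-marked block"))
            # Method 7 residue: bytes written where the file system stores nothing.
            stray = [i for i in range(SPARE)
                     if i not in used_spare and spare[i] != 0xFF]
            if stray:
                findings.append((blk, pg, "unused spare bytes written"))
    return findings


def build_sample():
    """Constructed 3-block dump: one normal page, one of each residue."""
    dump = bytearray(b"\xFF" * (RAW_BLOCK * 3))
    dump[0:PAGE] = b"A" * PAGE                 # block 0, page 0: ordinary file data
    dump[PAGE:PAGE + 6] = bytes(6)             # its spare bytes 0..5, used by the FS
    dump[RAW_BLOCK:RAW_BLOCK + 6] = b"SECRET"  # block 1 is in the bad block list
    off = 2 * RAW_BLOCK + 3 * RAW_PAGE + PAGE  # block 2, page 3, spare area
    dump[off + 8:off + 12] = b"\x01\x02\x03\x04"
    return bytes(dump)


if __name__ == "__main__":
    for finding in audit_dump(build_sample(), {1}, set(range(6))):
        print(finding)
```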