Mount Android emulator images

user1136474 picture user1136474 · Jul 25, 2012 · Viewed 20.4k times · Source

I am trying to analyse Android malware on an emulator with Android 2.1. I want to analyze the files permissions and fingerprints after the execution of the suspicious app. I know, I can use the adb shell to get this information, but I think I can't trust the information after the execution of e.g. a rootkit.

I think the only way to prevent rootkits from hiding is by mounting the images directly or? I have the following files:

ramdisk.img  snapshots.img  userdata-qemu.img  cache.img  system.img  userdata.img  zImage

How can they be mounted/extracted on Ubuntu (read access is enough)?

With unyaffs I can extract the system.img and userdata.img file. simg2img returns "bad magic" for all files.

Thanks Alex

Edit: userdata-qemu.img works unyaffs2

Answer

user1059432 picture user1059432 · Sep 5, 2012

You've already answered your own question but I'll expand a bit. The Android sdk comes with system images, for example:

$ cd android-sdk-linux/system-images/android-15/armeabi-v7a/
$ ls *.img
ramdisk.img  system.img  userdata.img

$ cd ~/.android/avd/<img name>.avd/
$ ls *.img
cache.img  sdcard.img  userdata.img  userdata-qemu.img

Though, not all images are of the same type:

$ file *.img
cache.img:         VMS Alpha executable
sdcard.img:        x86 boot sector, code offset 0x5a, OEM-ID "MSWIN4.1", sectors/cluster 4, Media descriptor 0xf8, sectors 2048000 (volumes > 32 MB) , FAT (32 bit), sectors/FAT 3993, reserved3 0x800000, serial number 0x17de3f04, label: "     SDCARD"
userdata.img:      VMS Alpha executable
userdata-qemu.img: VMS Alpha executable

Since sdcard.img contains no extra partitions, it can be mounted directly without an offset parameter (like -o loop,offset=32256):

$ fdisk -l sdcard.img
You must set cylinders.
You can do this from the extra functions menu.

Disk sdcard.img: 0 MB, 0 bytes
255 heads, 63 sectors/track, 0 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x00000000

     Device Boot      Start         End      Blocks   Id  System

$ sudo mount -o loop sdcard.img /mnt/

The other image files which are described as VMS Alpha executable are in fact yaffs2 files. As far as I'm aware they can't be mounted directly but can be extracted using the two utilities unyaffs or unyaffs2.

$ mkdir extract
$ cd extract
$ unyaffs ../userdata.img

or

$ unyaffs2 --yaffs-ecclayout ../userdata.img .

Note, there's another utility called simg2img which can be found in the android source tree under ./android_src/system/extras/ext4_utils/ which is used on compressed ext4 img files. However, if wrongly applied to yaffs2 images it complains with Bad magic.