See https://zonnigbreda.blogspot.com/2021/05/onkyo-onkyo-tx-nr656-hacking-firmware.html for a better write-up of these steps.
Decrypt the firmware
Simply execute ./onkyo-dec in the firmware folder. It creates an extracted folder with the output.
Get the decoded content and see what's there
$ file *
of0: empty
of1.ONKAVR001F_E70000EAEAEOEO.hdr: data
of2.ONKAVR001F_E70000EAEAEOEO.EA107: data
of2.ONKAVR001F_E70000EAEAEOEO.EA109: data
of2.ONKAVR001F_E70000EAEAEOEO.hdr: data
of3.AM335XEO_010203040506.03296: data
of3.AM335XEO_010203040506.04296: u-boot legacy uImage, Linux-3.19.0, Linux/ARM, OS Kernel Image (Not compressed), 4625424 bytes, Tue Feb 12 03:24:24 2019, Load Address: 0x80008000, Entry Point: 0x80008000, Header CRC: 0x01BD6550, Data CRC: 0x8D747944
of3.AM335XEO_010203040506.05296: Linux Compressed ROM File System data, little endian size 61440 version #2 sorted_dirs CRC 0x61c58604, edition 0, 58 blocks, 8 files
of3.AM335XEO_010203040506.07296: UBI image, version 1
of3.AM335XEO_010203040506.hdr: data
of3.ONKAVR001F_E70000EAEAEOEO.hdr: data
of4.ONKAVR001F_E70000EAEAEOEO.EO211: data
of4.ONKAVR001F_E70000EAEAEOEO.hdr: data
Seems the file system is in of3.AM335XEO_010203040506.07296
$ blkid of3.AM335XEO_010203040506.07296
of3.AM335XEO_010203040506.07296: UUID="152348150" TYPE="ubi"
Now we need to mount this; see also https://www.coresecurity.com/core-labs/articles/next-generation-ubi-and-ubifs
See the structure
$ hexdump of3.AM335XEO_010203040506.07296 -C | head -n 30
00000000 55 42 49 23 01 00 00 00 00 00 00 00 00 00 00 00 |UBI#............|
00000010 00 00 08 00 00 00 10 00 09 14 a5 f6 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 5b 78 84 d4 |............[x..|
00000040 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
00000800 55 42 49 21 01 01 00 05 7f ff ef ff 00 00 00 00 |UBI!............|
00000810 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000830 00 00 00 00 00 00 00 00 00 00 00 00 b8 25 64 a8 |.............%d.|
00000840 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
00001000 00 00 03 95 00 00 00 01 00 00 00 00 01 00 00 06 |................|
00001010 72 6f 6f 74 66 73 00 00 00 00 00 00 00 00 00 00 |rootfs..........|
00001020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001090 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000010a0 00 00 00 00 00 00 00 00 69 d9 4a a6 00 00 00 00 |........i.J.....|
000010b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
Mount the file
$ modprobe nandsim first_id_byte=0x01 second_id_byte=0xf1 third_id_byte=0x80 fourth_id_byte=0x1d
$ ubiformat -O 2048 -f of3.AM335XEO_010203040506.07296 /dev/mtd0
ubiformat: mtd0 (nand), size 134217728 bytes (128.0 MiB), 1024 eraseblocks of 131072 bytes (128.0 KiB), min. I/O size 2048 bytes
libscan: scanning eraseblock 1023 -- 100 % complete
ubiformat: 1024 eraseblocks are supposedly empty
ubiformat: flashing eraseblock 715 -- 100 % complete
ubiformat: formatting eraseblock 1023 -- 100 % complete
$ modprobe ubi
$ ubiattach -O 2048 -p /dev/mtd0
UBI device number 0, total 1024 LEBs (130023424 bytes, 124.0 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
$ ubinfo /dev/ubi0
ubi0
Volumes count: 1
Logical eraseblock size: 126976 bytes, 124.0 KiB
Total amount of logical eraseblocks: 1024 (130023424 bytes, 124.0 MiB)
Amount of available logical eraseblocks: 0 (0 bytes)
Maximum count of volumes 128
Count of bad physical eraseblocks: 0
Count of reserved physical eraseblocks: 20
Current maximum erase counter value: 1
Minimum input/output unit size: 2048 bytes
Character device major/minor: 247:0
Present volumes: 0
$ mkdir onkyofs
$ mount -t ubifs /dev/ubi0_0 ./onkyofs
Now you can browse the file system from ./onkyofs
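The -O 2048 passed to ubiformat and ubiattach above is the VID header offset recorded in the image's first erase-counter header, and the rootfs volume behind /dev/ubi0_0 is named in the volume table of the same eraseblock. The following Python is an added example, not part of the original notes or the onkyo-dec project: it parses those fields from the bytes shown in the hexdump, and the function names and the sample_peb() helper are illustrative.

```python
import struct
import zlib

UBI_LAYOUT_VOLUME_ID = 0x7FFFEFFF  # internal volume that stores the volume table

def ubi_crc(data):
    # UBI header CRC: CRC-32 seeded with 0xFFFFFFFF and without the final inversion
    return ~zlib.crc32(data) & 0xFFFFFFFF

def describe_first_peb(peb):
    """Parse the EC header, VID header and first volume-table record of one PEB."""
    magic, vid_off, data_off, seq, crc = struct.unpack_from(">4s12xIII32xI", peb, 0)
    if magic != b"UBI#":
        raise ValueError("no UBI erase-counter header at offset 0")
    vid_magic, vol_id = struct.unpack_from(">4s4xI", peb, vid_off)
    if vid_magic != b"UBI!":
        raise ValueError("no VID header at the offset the EC header announces")
    info = {"vid_hdr_offset": vid_off, "data_offset": data_off, "image_seq": seq,
            "ec_crc_ok": ubi_crc(peb[:60]) == crc,
            "layout_volume": vol_id == UBI_LAYOUT_VOLUME_ID, "volume": None}
    if info["layout_volume"]:
        # The data area of a layout-volume PEB begins with volume-table record 0
        pebs, name_len, name = struct.unpack_from(">I10xH128s", peb, data_off)
        info["reserved_pebs"] = pebs
        info["volume"] = name[:name_len].decode("ascii")
    return info

def sample_peb():
    """First 0x10ac bytes of the image, rebuilt from the hexdump on this page."""
    h = bytes.fromhex
    peb = bytearray(b"\xff" * 0x10AC)
    peb[0x0000:0x0040] = (h("55424923010000000000000000000000"
                            "00000800000010000914a5f600000000")
                          + bytes(28) + h("5b7884d4"))
    peb[0x0800:0x0840] = (h("55424921010100057fffefff00000000")
                          + bytes(44) + h("b82564a8"))
    peb[0x1000:0x10AC] = (h("00000395000000010000000001000006")
                          + b"rootfs".ljust(128, b"\0") + b"\x01"
                          + bytes(23) + h("69d94aa6"))
    return peb

if __name__ == "__main__":
    print(describe_first_peb(sample_peb()))
```

To check the real file, pass the first eraseblock (131072 bytes, per the ubiformat output) read from of3.AM335XEO_010203040506.07296 to describe_first_peb(); the image_seq it returns is the number blkid prints as UUID.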