Extracting QNX IFS Partitions

FirmwareCar Hacking
Written By Tim
A screenshot showing three QNX IFS files, named 'qnxbase.ifs', 'qnxbasedma.ifs', and 'qnxbasesmp.ifs'

There isn’t a lot of content online discussing how to dump a QNX IFS partition, so I thought I’d write up a few paragraphs here to spread the tips and tricks that I’ve learned.

(If you just want the tl;dr and already know what IFS partitions are, scroll to the bottom!)

IFS Partition…? What’s that?

“IFS” stands for Image FileSystem". IFS partitions are a common type of file/disk image used with the QNX operating system.

To quote the QNX SDP 7.0.0 documentation:

When the IPL has completed its work, it copies a bootable OS image into RAM and jumps to it to continue execution.

An OS image is simply a file that contains the OS, plus any executables, OS modules, and data files that are needed to get the system running properly. This image is presented in an image filesystem (IFS).

This IFS consists of:

  • The startup program (included in the IFS file, but no longer required after the IFS has started execution)

  • The OS kernel

  • The build scripts

  • Any other drivers, applications and binaries that the system initially requires

Somewhat straightforward! So essentially, IFS images that you find within a given QNX system are usually small operating system images that contain all of the essential binaries, start-up scripts, and libraries that are required at boot.

Many automotive embedded systems (and possibly trains? lol) run QNX

Why would I want to dump one?

Generally, to get access to all of the start-up scripts, binaries, and configurations listed above! On top of that, a system can have more than one IFS - this allows for boot optimizations where essential services (such as the rear-facing camera, in an automotive infotainment system) can be started as quickly as possible and does not require waiting for the full system to boot.

Within IFS images, you’ll generally find many interesting configuration files, binaries, and other misc. utilities that deal with the core system services.

As an example, here is the ‘tree’ printout showing the contents of an IFS image present in the BMW HU NBT EVO infotainment system (which runs QNX 6.5.0):

The filesystem extracted from the NBT EVO's IFS file

Pictured: The filesystem extracted from the NBT EVO's IFS file

As you can see, there are a number of interesting files within this IFS - ‘passwd’ and ‘shadow’ files that could be checked for user credentials, binaries for controlling the vehicle interface processor (V850), all sorts of apix and ethernet related configuration files, and more! IFS files can be great starting places when investigating the security of a given QNX system, or trying to figure out how a given function works.

So… How do you dump an IFS file?

The answer is one word: dumpifs

That’s right - ‘dumpifs’ is the tool used to… dump an IFS. Who could have guessed? :)

A bit of background info: ‘dumpifs’ is a utility provided by BlackBerry as part of the QNX Software Development Platform (SDP) and runs on QNX, Linux, Mac, and Windows.

Alternatively, the tool is available on GitHub. I believe it was first open-sourced back when QNX as a whole was made open source back in 2007 - so it’s somewhat amazing that it still works perfectly!

I forked the most popular open source implementation of dumpifs on GitHub (which was unfortunately abandoned), and merged in some of the pending changes to get it up-and-running on modern Linux systems. Plus, I merged some nice-to-have updates I found on GitHub, like the extremely-useful ‘dumpifs-folderized.sh’ script written by the GitHub user ‘sickcodes’. You can check that repo out here!

Once you have the tool and script ready, an IFS file can be dumped with the following command:

./dumpifs-folderized.sh example-ifs.img

This will dump the entire filesystem of the IFS to your current directory - plus, it will make a few useful bits of metadata:

  • dirlist.txt

    • This is a list of all directories within the IFS

  • ifscont.txt

    • This is a list of all files within the IFS

  • ifslinks.txt

    • This is a list of all symbolic links within the IFS

These can be quite helpful for analysis, especially as extracting symbolic links could be questionable (or even broken) depending on the type of filesystem you’re running dumpifs on. Much nicer to sanity check yourself with the list of all links that the tool ran into!

Aaaandd.. that’s it!

Congrats - your IFS has been dumped!

It’s somewhat unfortunate that tools like fdisk aren’t able to detect IFS files, and tools like binwalk aren’t able to intelligently extract them. I have a feeling this is a mix of the proprietary and niche nature of QNX IFS files, but I’m honestly not completely sure… hopefully it’s a capability we’ll see added to common Linux utilities in the future, similar to what happened with the QNX4 and QNX6 filesystems.

If you have any tips or tricks of your own for analyzing or extracting data from IFS files or QNX systems as a whole, I’d love to hear about it - feel free to leave a comment below, or reach out directly!

As always, thanks for reading - catch you in the next one!

Tim
Next

Embedded Firmware Exfiltration - The Easy Way