The description of TIFFS that follows was originally written in the summer ofSE52 (A.D. 2013), before the major TI source discoveries which happened laterthat year. The text following the dividing line below has not been edited incontent since it was written; for a newer write-up based on the current source-enabled understanding and reflecting the current FreeCalypso plans with respectto this FFS, see TIFFS-Overview.-------------------------------------------------------------------------------This is a description, based on reverse engineering, of the flash file system(FFS) implemented in Pirelli's original firmware for the DP-L10 GSM/WiFi dualmode mobile phone, and in the Closedmoko GTA0x modem firmware. Not knowing the"proper" name for this FFS, and needing _some_ identifier to refer to it, Ihave named it Mokopir-FFS, from "Moko" and "Pirelli" - sometimes abbreviatedfurther to MPFFS.(I have previously called the FFS in question MysteryFFS; but now that I've successfully reverse-engineered it, it isn't as much of a mystery any more :-)At a high functional level, Mokopir-FFS presents the following features:* Has a directory tree structure like UNIX file systems;* The file system API that must be implemented inside the proprietary firmware appears to use UNIX-style pathnames; doing strings on firmware images reveals pathname strings like these: /var/dbg/dar /gsm/l3/rr_white_list /gsm/l3/rr_medium_rxlev_thr /gsm/l3/rr_upper_rxlev_thr /gsm/l3/shield Parsing the corresponding FFS image with tools included in the present package has confirmed that the directory structure implied by these pathnames does indeed exist in the FFS.* Absolutely no DOS-ish semantics seen anywhere: no 8.3 filenames and no colon-separated device names (seen in the TSM30 file system source, for example) are visible in the Closedmoko/Pirelli FFS.* File contents are stored uncompressed, but not necessarily contiguous: one could probably store a file in FFS which is bigger than the flash sector size, it which case it can never be contiguous in a writable FFS (see below), and the firmware implementation seems to limit chunk sizes to a fairly small number: on the Pirelli phones all largish files are divided into chunks of 8 KiB each, and on my GTA02 the largest observed chunk size is only 2 KiB. The smaller files, like the IMEI and the firmware ID strings in my GTA02 FFS, are contiguous.* The FFS structure is such that the length of "user" payload data stored in each chunk (and consequently, in each file) can be known exactly in bytes, with the files/chunks able to contain arbitrary binary data. (This property may seem obvious or trivial, as all familiar UNIX and DOS file systems have it, but contrast with RT-11 for example.)* The flash file system is a writable one: the running firmware can create, delete and overwrite files (and possibly directories too) in the live FFS; thus the FFS design is such that allows these operations to be performed within the physical constraints of NOR flash write operations.I have reverse-engineered this Mokopir-FFS on a read-only level. What it meansis that I, or anyone else who can read this document and the accompanyingsource for the listing/extraction utilities, can take a Mokopir-FFS image readout of a device and see/extract its full content: the complete directory treeand the exact binary byte content of all files contained therein.However, the knowledge possessed by the present hacker (and conveyed in thisdocument and the accompanying source code) is NOT sufficient for constructing avalid Mokopir-FFS image "in vitro" given a tree of directories and files, orfor making modifications to the file or directory content of an existing imageand producing a content-modified image that is also valid; valid as in suitablefor the original proprietary firmware to make its normal read and writeoperations without noticing anything amiss.Constructing "de novo" Mokopir-FFS images or modifying existing images in sucha way that they remain 100% valid for all read and write operations of theoriginal proprietary firmware would, at the very minimum, require anunderstanding of the meaning of *all* fields of the on-media FFS format. Someof these fields are still left as "non-understood" for now though: a read-onlyimplementation can get away with simply ignoring them, but a writer/generatorwould have to put *something* in those fields.As you read the "read-only" description of the Mokopir-FFS on-media format inthe remainder of this document, it should become fairly obvious which piecesare missing before our understanding of this FFS can be elevated to a"writable" level.However, when it comes to writing new code to run on the two Calypso phones inquestion (Closedmoko and Pirelli), it seems, at least to the present hacker,that a read-only understanding of Mokopir-FFS should be sufficient:* In the case of Closedmoko GTA0x modems, the FFS is seen to contain the IMEI and the RF calibration data. The format of the former is obvious; the latter not so much - but in any case, the information of interest is clearly of a read-only nature. It's difficult to tell (or rather, I haven't bothered to experiment enough) whether the Closedmoko firmware does any writes to FFS or if the FFS is treated as read-only outside of the production line environment, but in any case, it seems to me that for any 3rd party replacement firmware, the best strategy would be to treat the FFS as a read-only source of IMEI and RF calibration data, and nothing more.* In the case of Pirelli phones, the FFS is used to store user data: sent and received SMS (and MMS/email/whatever), call history, UI settings, pictures taken with the camera, and whatever else. It also stores a ton of files which I can only presume were meant to be immutable except at the time of firmware updates: graphics for the UI, ringtones, i18n UI strings, and even "helper" firmware images for the WiFi and VoIP processors. However, no IMEI or RF calibration data are anywhere to be found in the FFS - instead this information appears to be stored in the "factory block" at the end of the flash (in its own sector) outside of the FFS. Being able to parse FFS images extracted out of Pirelli phones "in vitro" allows us to steal some of these helper files (UI artwork, ringtones, WiFi/VoIP helpers), and some of these might even come useful to firmware replacement projects, but it seems to me that a replacement firmware would be better off using its own FFS design for storing user data, and as to retrieving the original IMEI and RF calibration data, the original FFS isn't of any use for that anyway.=======================Moko/Pirelli FFS format=======================OK, now that I'm done with the introduction, we can get to the actualMokopir-FFS format.* On the GTA0x modem (or at least on my GTA02; my sample size is 1) the FFS occupies 7 flash sectors of 64 KiB each at offsets 0x380000 through 0x3E0000, inclusive.(The 4 MiB NOR flash chip used by Closedmoko has an independent R/W bank division between the first 3 MiB and the last 1 MiB. The first 3 MiB are used to hold the field-flashable closed firmware images distributed as *.m0 files; the independent last megabyte holds the FFS, and thus the FW could be implemented to do FFS writes while running from flash in the main bank. Less than half of that last megabyte appears to be used for the FFS though; the rest appears to be unused - blank flash observed.)* On the Pirelli the FFS occupies 18 sectors of 256 KiB each at offsets 0 through 0x440000 (inclusive) of the 2nd flash chip select, the one wired to nCS3 on the Calypso.Each flash sector allocated to FFS begins with the following signature:00000000: 46 66 73 23 10 02 xx yy zz FF FF FF FF FF FF FF Ffs#............The bytes shown as xx and yy above serve a non-understood purpose; as a guess,they may hold some info for the flash wear leveling algorithm: in a "virgin"FFS image like that found in my GTA02 (which never had a SIM card in it andnever made or received a call) or read out of a "virgin" Pirelli phone thathasn't seen any active use yet, both of these bytes are FFs, but when I look atFFS images read out of the Pirelli which I currently use as my everyday-usecellphone, I see other values in sectors which must have been erased andrewritten. A read-only implementation can ignore these bytes, as mine does.The byte shown as zz is more important though, even to a read-onlyimplementation. The 3 values I've encountered in this byte so far are AB, BDand BF. Per my current understanding, in a "healthy" FFS exactly one sectorwill have AB in its header, exactly one will have BF, and the rest will haveBD. The meanings are (or appear to be):AB: the sector holds a vital data structure which I have called the active index block;BD: the sector holds regular data;BF: the sector is blank except for the header, can be turned into a new AB or BD.(Note that a flash program operation, which can turn 1s into 0s but not the other way around, can turn BF into either AB or BD - but neither AB nor BD can be turned into any other valid value.)In a "virgin" FFS image (as explained above) the first FFS sector is AB, thelast one is BF, and the ones in between are BDs.An FFS read operation (a search for a given pathname, or a listing of allpresent directories and files) needs to start with locating the active indexblock - the FFS sector with AB in the header. Following this header, which istreated as being 16 bytes long (almost everything in Mokopir-FFS is aligned on16-byte boundaries), the active index block contains a linear array of 16-byterecords, each record describing an FFS object: directory, file or filecontinuation chunk.Here is my current understanding of the 16-byte index block record structure:2 bytes: Length of the described chunk in bytes1 byte: Purpose/meaning not understood, ignored by my current code1 byte: Object type2 bytes: Descendant pointer2 bytes: Sibling pointer4 bytes: Data pointer4 bytes: Purpose/meaning not understood, ignored by my current code(On the Calypso phones of interest, all multibyte fields are in the native little-endian byte order of the ARM7TDMI processor.)The active index block gets filled with these records as objects are created;the first record goes right after the 'Ffs#'...AB header (padded to 16 bytes);the last record (at any given moment) is followed by blank flash for theremainder of the sector. Records thus appear in the order in which they arecreated, which bears no direct relation to the directory tree structure.The objects, each described by a record in the index block, are organized intoa tree structure by the descendant and sibling pointers, plus the object typeindicator byte. Let's start with the latter; the following objtype byte valueshave been observed:00: deleted object - a read-only implementation should ignore everything except the descendant and sibling pointers. (A write-capable implementation would need more care - it would need a way of reclaiming dirty flash space taken up by deleted/overwritten files.)E1: a special file - see the description of the /.journal file further downF1: a regular file (head chunk thereof)F2: a directoryF4: file continuation chunk (explained below)Each record in the index block has an associated chunk in one of the datasectors; the index record contains fields giving the address and length of thischunk. The length of a chunk is always a nonzero multiple of 16 bytes, and isstored (as a number in bytes) in the first 16-bit field of the 16-byte indexentry. The address of each chunk is given by the data pointer field of theindex record, and it is reckoned in 16-byte units (thereby 16-byte alignment isrequired) from the beginning of the FFS sector group in the flash address space.For objects of type F1 and F2 (regular files and directories) the just-describedchunk begins with the name of the file or subdirectory as a NUL-terminated ASCIIstring. This name is just for the current level of the directory tree, justlike in UNIX directories, thus one will have chunk names like gsm, l3, eplmnetc, rather than /gsm/l3/eplmn. One practical effect is that one can't readilysee pathnames or any of the directory structure by looking at an FFS image as araw hex dump; the structure is only revealed when one uses a parsing programlike those which accompany this document.In the case of directories, the "chunk" part of the object contains only thename of the directory itself, padded with FFs to a 16-byte boundary. Forexample, an FFS directory named /gsm would be represented by an objectconsisting of two flash writes: a 16-byte entry in the active index block, withthe object type byte set to F2, and a corresponding 16-byte chunk in one of thedata sectors, with the 16 bytes containing "gsm", a terminating NUL byte, and12 FF bytes to pad up to 16. In the case of files, this name may be followedby the first chunk of file data content, as explained further down.In order to parse the FFS directory tree (whether the objective is to dump thewhole thing recursively or to find a specific file given a pathname), one needsto first (well, after finding the active AB block) find the root directory node.The root directory object is similar to other directory objects: it has a typeof F2, and an associated chunk of 16 bytes in one of the data sectors. Thelatter contains the name of the root node: on the Pirelli it is "/", whereas onmy GTA02 it is "/ffs-root".The astute reader should notice that it really makes no sense to store a namefor the root node, and indeed, this name plays no part in the traversal of thedirectory tree given an absolute pathname. But instead this name, or ratherits first character, appears to be used for the purpose of locating the rootnode itself. At first I had assumed that the index record for the root node isalways the first record in the active index block right after the signatureheader - that is how it is in "virgin" FFS images, and also in some quite non-virgin ones I have pulled from my daily-use Pirelli. Naturally my first versionof the Mokopir-FFS (then called MysteryFFS) extraction utility expected the rootnode to always be at index #1. But then I got some additional Pirelli phones,and discovered that in certain cases, index record #1 is a deleted object (theoriginal root node which has been deleted), and the new active root node issomewhere in the middle of the index!Thus it appears that in order to find the active root node, one needs to scanthe active index block linearly from the beginning (disregarding the treestructure pointers in this initial pass), looking for a non-deleted object oftype F2 (a directory) whose corresponding name chunk sports a name beginningwith the '/' character. (Anyone who's been raised in UNIX will immediatelyknow that the path separator character '/' is the only character other than NULthat's absolutely forbidden in the individual filenames - so this special"root node name" is the only case of a '/' character appearing in what wouldotherwise be a regular filename.)[What causes the root node to be somewhere other than at index #1? I assume it has to do with the dirty space reclamation / data movement algorithm. In a "virgin" FFS image the very first sector is the active index block, and the following sector is the first to hold chunks, beginning with the name chunk of the root node. Now what happens if all data in that sector aside from the root node name and some other mostly-static directory names becomes dirty, i.e., belonging to deleted or overwritten files? How would that flash space get reclaimed? I assume that the FFS firmware algorithm moves all still-active chunks to a new flash sector, invalidating the old copies - turning the latter into deleted objects. The root node will be among them. Then at some point the active index block is going to fill up too, and will need to be rewritten into a new sector - at which point the previously-deleted index entries are omitted and the root node becomes #1 again...]Tree structureOnce the root node has been found, the descendant and sibling pointers are usedto traverse the tree structure. For each directory object, including the rootnode, the descendant pointer points to the first child object of this directory:the first file or subdirectory contained therein. (Descendant and siblingpointers take the form of index numbers in the active index block. A "nil"pointer is indicated by all 1s (FFFF) - the usual all-0s NULL pointer conventioncouldn't be used because it's flash, where the blank state is all 1s.) If thedescendant pointer of a directory object is nil, that means an empty directory.The sibling pointer of each file or directory points to its next sibling, i.e.,the next member of the same parent directory. The sibling pointer of the rootnode is nil.Data content of filesObjects of type F1 are the head chunks of files. Each file has a head chunk,and may or may not have continuation chunks. More precisely, the head chunkmay contain only the name (or viewed alternatively, 0 bytes of data), or it maycontain a nonzero number of payload bytes; orthogonally to this variability,there may or may not be continuation chunk(s) present.Continuation chunksThe descendant pointer of each file head object (the object of type F1, the onereached by traversing the directory tree) indicates whether or not there areany continuation chunks present. If this descendant pointer is nil, there areno continuation chunks; otherwise it points to the first continuation chunkobject. File continuation objects have type F4, don't have any siblings (thesibling pointer is nil - but see below regarding relocated chunks), and thedescendant pointer of each continuation object points to the next continuationobject, if there is one - nil otherwise.Payload data delineationEach chunk, whether head or continuation, always has a length that is a nonzeromultiple of 16 bytes. The length of the chunk here means the amount of flashspace it occupies in its data sector - which is NOT equal to the payload datalength.The head chunk of each file begins with the filename, terminated by a NUL byte.If there are any payload data bytes present in this head chunk (I'll explainmomentarily how you would tell), the byte immediately after the NUL thatterminates the filename is the first byte of the payload. In the case of acontinuation chunk, there is no filename and the first byte of the chunk is thefirst byte of that chunk's portion of the user data payload.Each data-containing chunk (head or continuation) has the following terminationafter the last byte of that chunk's payload data: one byte of 00, followed byhowever many bytes are needed ([0,15] range) of FFs to pad to a 16-byteboundary. A file head chunk that has no payload data has the same format as adirectory name chunk: filename followed by its terminating NUL followed by[0,15] bytes of FFs to pad to the next 16-byte boundary.When working with a head chunk, find the beginning of possible payload data (1byte after the filename terminating NUL) and find the end per the standardtermination logic: scanning from the end of the chunk, skip FFs until 00 isfound (encountering anything else is an error). If the head chunk has no data,the effective data length (end_pointer - start_pointer) will be 0 or -1. (Thelatter possibility is the most likely, as there will normally be a "shared" 00byte, serving as both the filename terminator and the 00 before the paddingFF bytes.)Relocated chunksLet's go back to the scenario in which a particular data sector is full (no moreusable free space left) and contains a mixture of active and dirty (deleted orinvalidated) data. How does the dirty flash space get reclaimed, so that theamount of available space (blank flash ready to hold new data) becomes equal tothe total FFS size minus the total size of active files and overhead? It canonly be done by relocating the still-active objects from the full sector to anew one, invalidating the old copies, and once the old sector consists ofnothing but invalidated data, subjecting it to flash erasure.So how do the active FFS objects get relocated from a "condemned" sector to anew one? If the object is a directory, a new index entry is created, pointingto the newly relocated name chunk, but it is then made to fit into the old treestructure without disrupting the latter: the new index entry is added at thetail of the sibling-chain of the parent directory's descendants, the old indexentry for the same directory is invalidated (as if the directory were rmdir'ed),and the descendant pointer of the newly written index entry is set to a copy ofthe descendant pointer from the old index entry for the same directory. Thesame approach is used when the head chunk of a file needs to be relocated; inboth cases a read-only FFS implementation doesn't need to do anything special tosupport reading file and directory objects that have been relocated in thismanner.However, if the relocated object is a file continuation chunk, then the mannerin which such objects get relocated does affect file reading code. What if achunk in the middle of a chain linked by "descend" pointers needs to be moved?What happens in this case is that the old copy of the chunk gets invalidated(the object type byte turned to 00) like in the other object relocating cases,and the sibling pointer of that old index entry (which was originally FFFF ascontinuation objects have no siblings) is set to point to the new index entryfor the same chunk. The "descend" pointer in the new index entry is a copy ofthat pointer from the old index entry.The manner of chunk relocation just described has been observed in the FFSimages read out of my most recent batch of Pirelli phones - the same ones inwhich the root directory object is not at index #1. Thinking about it as Iwrite this, I've realized that the way in which continuation objects getrelocated is exactly the same as for other object types - thus the compactioncode in the firmware doesn't need to examine what object type it is moving.However, the case of continuation chunk relocation deserves special attentionbecause it affects a read-only implementation like ours - the utilities whosesource accompanies this document used to fail on these FFS images until Iimplemented the following additional handling:When following the chunk chain of a file, normally the only object type that'sexpected is F4 - any other object type is an error. However, as a result ofchunk relocation, one can also encounter deleted objects, i.e., type == 00.If such a deleted object is encountered, follow its sibling pointer, which mustbe non-nil.Journal fileEvery Mokopir-FFS image I've seen so far contains a special file named/.journal; this file is special in the following ways:* The object type byte is E1 instead of F1;* Unlike regular files, this special file is internally-writable.What I mean by the above is that regular files are mostly immutable: once afile has been created with some data content in the head chunk, it can only beeither appended to (one or more continuation chunks added), or overwritten bycreating a new file with the same name at the same level in the tree hierarchyand invalidating the old one. But the special /.journal file is different: Ihave never observed it to consist of more than the head chunk, and this headchunk is pre-allocated with some largish and apparently fixed length (4 KiB onmy GTA02, 16 KiB on the Pirelli). This pre-allocated chunk contains what looklike 16-byte records at the beginning (on the first 4-byte boundary after theNUL terminating the ".journal" name), followed by blank flash for the remainderof the pre-allocated chunk - so it surely looks like new flash writes happenwithin this chunk.I do not currently know the purpose of this /.journal file or the meaning of therecords it seems to contain. This understanding would surely be needed if onewanted to create FFS images from scratch or to implement FFS write operations,but I reason that a read-only implementation can get away with simply ignoringthis file. I reason that this file can't be necessary in order to parse an FFSimage for reading because one needs to parse the tree structure first in orderto locate this journal file itself.-------------------------------------------------------------------------------That's all I can think of right now. If anything is unclear, see theaccompanying source code for the listing/extraction utilities: with the generalexplanation given by this document, it should be clear what my code does andwhy. And if a given piece of knowledge is found neither in this document norin my source code, then I don't know it myself either, and my read-onlyMokopir-FFS implementation makes do without it.All knowledge contained herein has been recovered by reverse engineering.Believe it or not, I have figured it out by staring at the hex dump of FFSsectors, reasoning about how one could possibly implement an FFS given therequirement of dynamic writability and the physical constraints of flash memory,and writing listing/extraction test code iteratively until I got something thatappears to correctly parse all FFS images available to me - the result is thecode in this package.I never got as far as attempting to locate the FFS implementation routineswithin the proprietary firmware binary code images, and I haven't found animplementation of this particular FFS in any of the leaked sources yet either.The TSM30 code doesn't seem to be of any use as its FFS appears to be totallydifferent. As to the more recently found LoCosto code leak, I found that one afew days *after* I got the Moko/Pirelli "MysteryFFS" reverse-engineered on myown, and when I did look at the FFS in the LoCosto code later, I saw what seemsto be a different FFS as well.Michael SpacefalconSE 52 Mes 16
