[Q] How to Extract data from .Backup file ? - Created with android system recovery


notamamasboy

Member
Jun 2, 2009
5
0
It appears just to be an .ext4 img. But I can't mount it, should I try fallocating?

---------- Post added at 05:41 PM ---------- Previous post was at 05:08 PM ----------

Huzzah! I was able to mount the img after stringing the backups and fallocating/mount loop. We are in business.
 

AngelDeaD7299

New member
Feb 24, 2016
1
1
mini tut

I had some success.
The phone was not mine, so I can't say whether it was 100% recovered or just some part.

NOTE1: make a copy of the .backup file. After I extracted files from it, it became unusable for me. So do it just in case.
NOTE2: place the .backup file in an empty folder; it will be easier for you.

You need:
live boot CD of Linux (I used Ubuntu). Of course, you can also use a Linux that is installed on your computer
.backup file on hard drive (mine was on an NTFS local disk, by default it was mounted in /media/xx.../ so I did cd to the folder where the .backup file is)

Open a terminal in Linux, use the cd command to move to the folder where you placed the .backup file,
then you simply run the command:
Code:
dd if=userdata_xxxxxxxx_yyyyyy.backup bs=512 skip=1 | gunzip -c | tar xv
Thanks ektoric for this.
And then wait. If you can't wait, then check the folder where you placed the .backup file; there you should see your files from the mobile.

I tried to find the 0x200 offset, but in vain. At least I recovered files from the .backup file.

Now the only thing left to do is choose how to transfer the files back to the phone :D
 

alecxs

Forum Moderator
Staff member
Feb 17, 2016
5,097
8
5,327
gitlab.com
there is a readme.txt file in bckp2cwm.zip with some useful links to guides below (see my previous post)
 

Reezan

Member
Nov 9, 2014
10
0
It appears just to be an .ext4 img. But I can't mount it, should I try fallocating?

---------- Post added at 05:41 PM ---------- Previous post was at 05:08 PM ----------

Huzzah! I was able to mount the img after stringing the backups and fallocating/mount loop. We are in business.

Can you please explain in detail?
 

Reezan

Member
Nov 9, 2014
10
0
guys, just try to open with 7zip.. profit!

It didn't work. Also I have x file in backup, backup1, backup2 format.

---------- Post added at 11:34 AM ---------- Previous post was at 11:27 AM ----------

It's a 512 byte header in front of a "tar.gz"
hexdump -C userdata_xxxxxxxx_yyyyyy.backup | less
showed the magical zip header "1f8b0800 00000000" at offset 0x200
So, skipping 512 bytes, the rest can be gunzip | tar
dd if=userdata_xxxxxxxx_yyyyyy.backup bs=512 skip=1 | gunzip -c | tar xv

My files don't have that magic header. They are more than one, backup, backup1. Can you give any suggestion as another user above mentioned using fallocate?
 

alecxs

Forum Moderator
Staff member
Feb 17, 2016
5,097
8
5,327
gitlab.com
if you prefer automatised linux solution, download the bash script at page 2 - bckp2cwm.sh will do it for you!
 

dewdree

New member
Apr 6, 2016
3
0
This is also my problem, I want to put missing files in my back up to fix the boot loop of my phone :crying:
 

alecxs

Forum Moderator
Staff member
Feb 17, 2016
5,097
8
5,327
gitlab.com
the userdata_*.backup file does not contain full phone backup like boot.img or /system folder for example - it will not help you to fix bootloop, i guess. the file is only for restore /data

you just have to concatenate all files with cat, then mount it with option -o loop.

the script also supports these splitted files, ext4 image files and sparse image files. give feedback if your file format is not supported, i may update the script
 

Reezan

Member
Nov 9, 2014
10
0
the userdata_*.backup file does not contain full phone backup like boot.img or /system folder for example - it will not help you to fix bootloop, i guess. the file is only for restore /data

you just have to concatenate all files with cat, then mount it with option -o loop.

the script also supports these splitted files, ext4 image files and sparse image files. give feedback if your file format is not supported, i may update the script

Code:
unpacking ...

gzip: stdin: not in gzip format
tar: This does not look like a tar archive
tar: Exiting with failure status due to previous errors
xargs: cat: terminated by signal 13

unpacking as tar
...failed.
found a multipart image, merge files:
../userdata_20160406_200034.backup
../userdata_20160406_200034.backup1
../userdata_20160406_200034.backup2
../userdata_20160406_200034.backup3
../userdata_20160406_200034.backup4
../userdata_20160406_200034.backup5
(please wait)
...merged
try to unpack as sparse ext4 image (please wait)
...failed
try to mount as ext4
...failed
try to mount as ext3
...failed
try to mount as ext2
...failed
try to mount as rfs
...failed

exiting script

Failed :(
 

alecxs

Forum Moderator
Staff member
Feb 17, 2016
5,097
8
5,327
gitlab.com
possible reasons:
- file is neither tarball archive nor (sparsed) ext4/3/2/rfs image
- fallocate is needed for some reason? (script does not include fallocate - don't know why it should be necessary??)
- file is incomplete / corrupt
- file is encrypted
- not enough disk space

what you can do:
- try to unyaffs the concatenated file (it's not implemented, yet) or try to mount as other commonly known file systems like JFFS JFFS2 YAFFS YAFFS2 UBIFS F2FS
- repeat creating backup from phone
- restore backup on phone to check if restoring works
- post your phone model / android version and screenshot of recovery mode
- make factory reset and provide a backup file for further analysis
- if phone is encrypted and you know password, try to figure out how to mount encrypted image file: DMCrypt / xmount / eMount
- if phone is encrypted and you don't know password, there is hardly a chance to get data back. just for inspiration tinyurl.com/CoreStorageAttacks
- try to figure out how to combine fallocate with mount loop??
- cat files is always a good idea before try to open with 7zip
Code:
cat file1 file2 file3 > newcombinedfile
 

Reezan

Member
Nov 9, 2014
10
0
TL : DR, some progress, still couldn't extract files.
- Tried unyaffs. It's not recognizing this file.
- Flashed stock recovery and tried to backup again. It is backing up entire internal memory. So my 11GB (although occupied is 600MB) is backed up in external SD card.
- When trying to restore, stock recovery not showing/mounting external sd card. It shows internal memory, can't navigate from there to anywhere. (I don't know what's the point of this restore menu :rolleyes: )
- Coolpad note 3 lite. Android 5.1
Screenshot: http://i.imgur.com/qVlG9nw.jpg
I have uploaded the stock recovery in case someone want to look into : https://mega.nz/#!HRIyHArC!EB7YwFx1ZQ9CAvNP2f9diTnLfquizXXf9mYApayGmyE
- I have made backup. But since it's 12GB it would take some time to upload. But read below, as I can see the .ext file from previous backup.
- Phone is not encrypted.

I have merged file using cat. I couldn't open it using 7zip in Ubuntu. But in Windows, using one particular context menu, I can see the contents of the backup file :good:
ESdqgFu.png

w9zBLmg.png

However when I mount this file in Linux reader it says nothing recoverable here.
xqMl9As.png

Also in Ubuntu after mounting it shows no contents.
x6bWoQY.png
However it shows 3.3 GB used. So I'm confused. :confused:

Again trying to open 2.ext file using 7zip, I can see such files.
sLb2m2E.png


But when I extract one file, again it goes in similar names recursively. Also often, can't extract many files due to errors from CRC or other archive errors.

Now that I have 2.ext file, can I do anything else? Fallocate will do anything here? How to get data from the 3.3 GB used or from 7zip?
 

alecxs

Forum Moderator
Staff member
Feb 17, 2016
5,097
8
5,327
gitlab.com
did you use MTK Droid Tools? what says scatter file for partition type? if its ext4 img lets go deeper in this direction. try to mount file without journal or with offset. you may find offset with parted, fdisk or file.
Code:
fdisk -lu userdata_20160406_200034_new.backup
file -ks userdata_20160406_200034_new.backup
parted userdata_20160406_200034_new.backup
mkdir /media/userdata
sudo mount -t ext4 -o loop,ro,noexec,noload,offset=512 userdata_20160406_200034_new.backup /media/userdata

or give kpartx a try
Code:
losetup /dev/loop0 userdata_20160406_200034_new.backup
kpartx -a /dev/loop0
mount /dev/mapper/loop0p1 /media/userdata
regarding concatenating files: don't do this on a fat32 file system. copy files to a ext4 partition first.
wondering your files start with backup backup1 backup2, but on other phones it is backup, backup2. to avoid concatenating files recursively because of similar file names, give new name for newcombinedfile. also you may try to mount only single parts or try to concatenate without backup or without backup1. repeat several combinations with or without simg2img

in stock recovery normally it will restore user data from sd card, try other sd card / other file systems.
default.prop of your recovery.img says
ro.build.id=LMY47D
ro.build.version.incremental=5.1.015.P0.160113.8298_I00
ro.build.version.sdk=22
ro.build.date=Wed Jan 13 00:31:55 CST 2016
ro.build.fingerprint=Coolpad/CP8298_I00/CP8298_I00:5.1/LMY47D/5.1.007.P0.151216.8298_I00:user/release-keys

fstab.mt6735
/system ext4
/data ext4
/cache ext4
/protect_f ext4
/protect_s ext4
/nvdata ext4

in the /sbin directory there are some binary files. recovery does look like it supports encryption, but does not clearly say if backup is ext4 gzip or f2fs (i was not able to find used version of recovery.cpp and reading a binary file is quite different ;))
/sbin
gzip
mkfs.f2fs
recovery

found some stuff in source code
"This program takes a file on an ext4 filesystem and produces a list of the blocks that file occupies, which enables the file contents to be read directly from the block device without mounting the filesystem.
If the filesystem is using an encrypted block device, it will also read the file and rewrite it to the same blocks of the underlying (unencrypted) block device, so the file contents can be read without the need for the decryption key."

there are more forensic tools, you may try free version of DFF
 

Reezan

Member
Nov 9, 2014
10
0
MTKDroid tools don't show the partitions type.
8mZ02uq.png


file & fdisk result
2fMWylR.png

parted & mount result
wQkYtms.png

losetup & mount result
MdFQfIG.png

N4Pw27m.png


I don't have FAT32. Of course I can't concat file with size 12 GB in fat32. Tried with NTFS system, but in Ubuntu.
My backup file names are, backup, backup1. I take care of the file name issues already.
Let me try DFF and tar

Meanwhile uploading takes long time. I think it would be completed only by this Sunday evening.
 

alecxs

Forum Moderator
Staff member
Feb 17, 2016
5,097
8
5,327
gitlab.com
without successful restoring your backup on stock recovery - there is no proof that this backup contains any data. maybe this is just a corrupt backup? does 'view recovery logs' say anything?
 

Reezan

Member
Nov 9, 2014
10
0
without successful restoring your backup on stock recovery - there is no proof that this backup contains any data. maybe this is just a corrupt backup? does 'view recovery logs' say anything?

To figure it out, I copied only the first file userdataxyz.backup, ignoring backup1 and so on, to my internal SD card. Stock restore reads it and complains after a few seconds that the backup1 file is missing. I agree you may assume the 2.ext content may be corrupted, but you'll see once I'm done with this upload.

External SD card is mounted. When I try to use backup option, it detects free space in SD card and stops if not enough space or continues if enough space (11.5 GB) is present. My problem here is I can't navigate to sd card when I choose restore backup. It opens in internal storage root directory. Clicking parent folder (..) again goes back to recovery menu.

It doesn't have adb access in stock recovery. Can I somehow patch some files in recovery to have adb access and then symlink the sd card using adb while the phone is in recovery mode?

Or Can I find some generic recovery version that would work (with external sd card) and flash them to try?

recovery log files in pm
 

alecxs

Forum Moderator
Staff member
Feb 17, 2016
5,097
8
5,327
gitlab.com
first quick view on this file shows 3 blocks. first block contains some kind of checksum header, second block is detected as ext4 partition, third block is empty. binwalk detected 2159 magics, testdisk detected lots of ext4 superblocks. Hex Editor shows there's a lot of empty space. first step is to cut off first 512 bytes and last 2560 bytes. that's the same as what 7zip does.
Code:
userdata_20141231_184536.backup
         size    block size   blocks
        512 b    512 b             1
12372672512 b    128 kb        94396
       2560 b    512 b             5
now, result is maybe a raw flash image file (containing 1 or more partitions), but we don't know the Flash Translation Layer (FTL). partition size we may find in scatter file, but don't use MTK Droid Tools for memory larger than 4GB; better is to use SP_Flash_Tool, it will show partitions, too. the Sleuth Kit mmls command doesn't show a partition table, which maybe means it is just a 1-partition image, but i am not sure. will try some more forensic tools and come back . . .
 

alecxs

Forum Moderator
Staff member
Feb 17, 2016
5,097
8
5,327
gitlab.com
sorry, but i cannot see anything else than an ext4 image :(

i have merged the tables you provided (see file attached). calculated block size on flash partition is = 1024, sector size on ext4 partition is = 512
it is the same partition size in all 3 tables (mmcblk0p26 = userdata). this matches with what 7zip shows, if you already have concatenated this multipart files to single one.
/proc/partitions
12082688 x 1024 = 12372672512
/proc/emmc
0x0170bc00 = 24165376
24165376 x 512 = 12372672512
/proc/partinfo
0x00000002e1780000 = 12372672512

however, total file size is 12372675584 so there is a diff of 3072 bytes.
this could mean 3 more blocks (or 6 more sectors) left.

guess it is a raw flash file, it must be much bigger with minimum spare 8 bytes per sector (just for example, for real flash layout you have to extract the CID from /sys/block/mmcblk0/device/cid and searching for nand specified datasheet):

partition size: 12082688 (blocks)
block size: 1024 b
spare size: 8 / 512
calculated oob: 16 ( = 1024 / 512 x 8)

that means 16 additional bytes per block 1024 + 16 = 1040 bytes

12082688 * 1040 = 12565995520 bytes / that means in theoretical 184.4 MB more data is needed (in real it is even much more, modern nand chips have up to 4 MB block size).

regarding this, it makes no sense starting with "nandsim" or "mtdram" to simulate MTD device and then try to mount on it. even not if file is bigger (or partition size smaller) unless we don't have the flash layout (maybe there is some stuff in flashinfo partition, but i really dont know). . .

so, guess the first 512 bytes and last 2560 bytes are just some kind of checksum, like in other cases too (it is for security reasons you cannot restore userdata even to a similar phone model).

you can try mount with offset to skip first sector (hopefully the last 5 sectors will be ignored).
if it still contains no data run cgsecurity's "testdisk" to show a list of backup superblocks.
Code:
sudo testdisk userdata_20141231_184536.backup
in testdisk menu navigate to superblock locating. if not showing a list, search for partitions first. maybe this only works with userdata.img (result of dd, see below) because 512 byte offset will confuse testdisk
navigate to
-> [None] Non partitioned media
-> [Advanced] Filesystem Utils
-> [Type] set partition type >ext4
-> [Superblock] locate superblocks
Code:
Disk userdata_20141231_184536.backup - 12 GB / 11 GiB - CHS 1505 255 63

 Partition                 Start           End           Size in sectors
                           C   H  S           C   H  S
 ext4                      0   0  1        1504  57 25          24165376

superblock      0, blocksize=4096 []
superblock  32768, blocksize=4096 []
superblock  98304, blocksize=4096 []
superblock 163840, blocksize=4096 []
superblock 229376, blocksize=4096 []
superblock 294912, blocksize=4096 []

To repair the filesystem using alternate superblock, run
fsck.ext4 -p -b superblock -B blocksize device
you can use mount with option -o sb=<any backup superblock>
Code:
# mount's sb= counts 1 KiB units: with blocksize=4096, testdisk block N is sb=N*4 (the primary superblock is sb=1)
sudo mount -t ext4 -o loop,ro,noexec,noload,offset=512,sb=1       userdata_20141231_184536.backup ./data
sudo mount -t ext4 -o loop,ro,noexec,noload,offset=512,sb=131072  userdata_20141231_184536.backup ./data
sudo mount -t ext4 -o loop,ro,noexec,noload,offset=512,sb=393216  userdata_20141231_184536.backup ./data
sudo mount -t ext4 -o loop,ro,noexec,noload,offset=512,sb=655360  userdata_20141231_184536.backup ./data
sudo mount -t ext4 -o loop,ro,noexec,noload,offset=512,sb=917504  userdata_20141231_184536.backup ./data
sudo mount -t ext4 -o loop,ro,noexec,noload,offset=512,sb=1179648 userdata_20141231_184536.backup ./data
if mount with offset fails, use dd to delete first 512 bytes and last 2560 bytes, then mount with no offset. the noexec,noload option prevents loading/updating the ext4 file journal/last access time (useful in case journal is corrupt)

Code:
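# copy only the 24165376 filesystem sectors, dropping the 512-byte header and the trailing 2560 bytes
dd if=userdata_20141231_184536.backup of=userdata.img bs=512 count=24165376 skip=1
# sb= is in 1 KiB units: backup superblock at 4096-byte block 32768 is sb=131072
sudo mount -t ext4 -o loop,ro,noexec,noload,sb=131072 userdata.img ./data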

in case partition was maybe corrupt before you created backup, of course you can run some forensic tools on already mounted image (that's what Sleuthkit does).

thats all i can say at the moment, sorry.

(table is 17 columns for best view save file to disk)
 

Attachments

  • cp8298_i00.txt
    6.1 KB · Views: 176
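
Added example (not from any post in this thread and not the bckp2cwm script): a read-only check of what sits behind the optional 512-byte header, covering the gzip case at 0x200, the sparse-image case and the ext4 case, plus the header/filesystem/trailer byte accounting done by hand in the post above. Function names are hypothetical, and the size is taken from the primary ext superblock assuming fewer than 2^32 blocks.

```bash
#!/bin/sh
# Added example: read-only triage of a stock-recovery .backup file.
# Function names are hypothetical; nothing here writes to the input file.

# hex_at FILE OFFSET LEN -> LEN bytes at OFFSET as lowercase hex without spaces
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# le32_at FILE OFFSET -> little-endian 32-bit value at OFFSET, as decimal
le32_at() {
    set -- $(dd if="$1" bs=1 skip="$2" count=4 2>/dev/null | od -An -v -tu1)
    [ "$#" -eq 4 ] || return 1
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# detect_payload FILE -> "<kind> <offset>", trying no header, then a 512-byte one
detect_payload() {
    for off in 0 512; do
        # gzip stream (the tar.gz case): magic bytes 1f 8b
        [ "$(hex_at "$1" "$off" 2)" = "1f8b" ] && { echo "gzip $off"; return 0; }
        # Android sparse image (needs simg2img): magic 0xED26FF3A, little-endian
        [ "$(hex_at "$1" "$off" 4)" = "3aff26ed" ] && { echo "sparse $off"; return 0; }
        # ext2/3/4: superblock at byte 1024 of the filesystem, s_magic 0xEF53 at +56
        [ "$(hex_at "$1" $((off + 1080)) 2)" = "53ef" ] && { echo "ext $off"; return 0; }
    done
    echo "unknown -"
    return 1
}

# ext_fs_bytes FILE OFFSET -> filesystem size recorded in the primary superblock
# (assumes fewer than 2^32 blocks: s_blocks_count_hi is ignored)
ext_fs_bytes() {
    sb=$(( $2 + 1024 ))
    blocks=$(le32_at "$1" $((sb + 4))) || return 1    # s_blocks_count_lo
    log=$(le32_at "$1" $((sb + 24))) || return 1      # s_log_block_size
    echo $(( blocks * (1024 << log) ))
}

# carve_plan FILE -> "header=<n> fs=<n> trailer=<n>"
# A negative trailer means the file is shorter than the filesystem it claims to
# hold, e.g. only the first part of a multipart backup.
carve_plan() {
    found=$(detect_payload "$1") || return 1
    [ "${found% *}" = "ext" ] || return 1
    hdr=${found#* }
    fs=$(ext_fs_bytes "$1" "$hdr") || return 1
    size=$(wc -c < "$1")
    echo "header=$hdr fs=$fs trailer=$(( size - hdr - fs ))"
}
```

Source the file and run `carve_plan` on the concatenated backup; the `fs` value divided by 512 is the `count=` for the dd carve, and `header` is the `offset=` for a loop mount.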

Top Liked Posts

  • 3
    It's a 512 byte header in front of a "tar.gz"
    hexdump -C userdata_xxxxxxxx_yyyyyy.backup | less
    showed the magical zip header "1f8b0800 00000000" at offset 0x200
    So, skipping 512 bytes, the rest can be gunzip | tar
    dd if=userdata_xxxxxxxx_yyyyyy.backup bs=512 skip=1 | gunzip -c | tar xv
    2
    Thanks for your effort!

    Although I can't unpack absolutely 100% data, I run foremost in the extracted 2.ext file and got photos. I'm afraid I didn't recovered all of them and videos as well.

    Will keep the backup files until I find a solution. Please shoot if you find any support or update on your script. Many thanks again.

    I had same problem. Android stock recovery (three files: .backup .backup1 and .backup2) and no idea how to extract. I read this thread and tried a little bit with my files. Then I got it. You have to remove the 512 byte header in each part, then merge all files and mount it as ext4.

    Code:
    dd if=userdata*.backup of=part0.img bs=512 skip=1
    dd if=userdata*.backup1 of=part1.img bs=512 skip=1
    dd if=userdata*.backup2 of=part2.img bs=512 skip=1
    cat part*.img > backup.img
    sudo mount -t ext4 backup.img /mnt

    That's it.

    So I recovered all images and videos. Hopefully it works with your backup.
    1
    I Backup-ed my Acer tab b1-A71 using android system recovery - Just like CWM.

    The file name ends with .Backup, and i wanted to extract some files from it..

    How to Extract data from .Backup file ? - Created with android system recovery :)
    1
    looking for the same

    I Backup-ed my Acer tab b1-A71 using android system recovery - Just like CWM.

    The file name ends with .Backup, and i wanted to extract some files from it..

    How to Extract data from .Backup file ? - Created with android system recovery :)

    me too looking for the same thing ..how to extract from or decompile .backup file which we get thru recovery.
    1
    you can create your own scatter file with WwR MTK v2.51 from Ilya Aleksandrovich