Rooting the Cozytouch (aka Kizbox Mini) – Part 3

Analyzing the dump

Now that you have dumped the 128 blocks of 1MB – its time to re assemble it and start analyzing it.

cat *.bin > nand.bin

Favorite tool to start with… binwalk ! The output is not very verbose, but indicates that the NAND flash uses the UBI filesystem – which is common for NAND on embedded devices.

If we want to be able to work with the NAND image – and list and mount partition, one option is to emulate on our linux an MTD device. The various parameter describe flash size, block size, etc.

modprobe nandsim first_id_byte=0xc2 second_id_byte=0xf1 third_id_byte=0x80 fourth_id_byte=0x95

The parameters values are directly taken from the Macronix documentation – to emulate the exact NAND device:

Macronix NAND flash documentation

Emulating a virtual NAND identical to the device

Now that the virtual NAND flash is created, just copy the content of the dump on it:

Flashing the virtual NAND

Enable the UBIFS, indicate that it’s on mtd0, and the block size is 2048:

Enabling UBIFS

And – tadaaaa:

List of UBI volumes

The full filesystem is composed of 11 volumes:

Volume IDSize (bytes)Name
025 197dtb
125 197dtb-spare
24 893 365kboot
34 893 365kboot-spare
48 192security
58 192security-spare
63 174 400persistent
726 411 008root
823 871 488apps
926 284 032rootB
10126 976persistent-spare

The device has some redundancy/failover in place to prevent a corrupted storage/partition and seems to have self-restore facility (-spare volumes).

You can find the filesystem / data type using binwalk on each UBI volume, for example:

DTB (device tree binding) is used by the kernel to describe the hardware, and determine modules/drivers to be loaded. We’ll not be touching at it.

There is next KBOOT – which is the device specific bootloader.

Finally, we are interested in the following volumes (not mentioning the spare one):

– security : SquashFS
– persistent : UbiFS
– root : UbiFS
– apps : UbiFS

UbiFS partitions can be mounted straightforward – whereas the SquashFS needs to be extracted.

Now, mount each filesystem:

Mounting partitions
Extracting the SquashFS image

At this stage, you can start exploring the device file systems, and understand the logic. Looking at /etc/fstab from the root partition indicates that apps and persistent partitions are mounted in /apps and /persistent respectively:


By default, all the ports are closed on the device. What we want to do is be able to connect to the device first. What about enabling SSH ? read it in the next part !

–> Go to Part 4

Leave a Reply

Your email address will not be published. Required fields are marked *