Friday, July 2, 2021

Extract shsq


As a reminder, the standard squashfs magic is 0x73717368, which shows up as "hsqs" in a hex dump because the superblock is little-endian.

Some vendors modified squashfs to support LZMA before upstream did, and changed the magic to 0x71736873 ("shsq") at the same time.

Upstream squashfs supports LZMA now, so instead of hunting for the vendor's patched tools we can patch two superblock fields in the image and let a stock unsquashfs do the work:

  1. Open the image with a hex editor, or write your own tool.
  2. Change the magic "shsq" to "hsqs" at the very beginning of the image (offset 0).
  3. Change compression_id (the u16 at superblock offset 20, image_header[20]) from 1 (GZIP) to 2 (LZMA).
  4. Run unsquashfs as usual. "unsquashfs -s image" prints the parsed superblock first, so you can confirm the compression is now read as lzma. unsquashfs must have been built with LZMA support, and an image whose LZMA streams use vendor-specific parameters may still fail to decompress.
Ref: https://dr-emann.github.io/squashfs/
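The "create your own tool" route, as an added example that is not part of the original post: a small Python script that checks the superblock, rewrites the magic and compression_id as in steps 2 and 3, and writes the result to a new file so the original dump is kept. Offsets follow the spec linked above; the embedded 96-byte superblock is constructed for demonstration and not taken from any real firmware. Images that already carry "hsqs", or that carry an unknown magic or a compression_id other than 1, are left alone rather than rewritten blindly.

```python
#!/usr/bin/env python3
"""Patch a vendor "shsq" squashfs superblock so a stock unsquashfs accepts it.

Usage: python3 fix_shsq.py vendor.squashfs fixed.squashfs
"""
import struct
import sys

MAGIC_STD = b"hsqs"     # 0x73717368 little-endian: upstream squashfs
MAGIC_VENDOR = b"shsq"  # 0x71736873: the vendor LZMA variant
COMP_GZIP = 1
COMP_LZMA = 2
COMP_NAMES = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

# Superblock offsets (little-endian, squashfs 4.x layout) as documented at
# https://dr-emann.github.io/squashfs/
OFF_MAGIC = 0
OFF_COMPRESSION_ID = 20
OFF_VERSION_MAJOR = 28
OFF_VERSION_MINOR = 30
SUPERBLOCK_LEN = 96


def parse_superblock(data):
    """Return (magic, compression_id, version_major, version_minor)."""
    if len(data) < SUPERBLOCK_LEN:
        raise ValueError("image is shorter than a squashfs superblock")
    magic = bytes(data[OFF_MAGIC:OFF_MAGIC + 4])
    (comp,) = struct.unpack_from("<H", data, OFF_COMPRESSION_ID)
    (major,) = struct.unpack_from("<H", data, OFF_VERSION_MAJOR)
    (minor,) = struct.unpack_from("<H", data, OFF_VERSION_MINOR)
    return magic, comp, major, minor


def patch_superblock(data):
    """Rewrite "shsq"+gzip to "hsqs"+lzma and return the patched image bytes.

    An image that already carries the standard magic is returned unchanged.
    Any other magic, or a compression_id that is not 1, is rejected instead
    of being rewritten, since that would only move the failure into the
    decompressor.
    """
    magic, comp, _major, _minor = parse_superblock(data)
    if magic == MAGIC_STD:
        return bytes(data)
    if magic != MAGIC_VENDOR:
        raise ValueError("unknown magic %r: not a known squashfs variant" % magic)
    if comp != COMP_GZIP:
        raise ValueError("unexpected compression_id %d (%s), expected 1 (gzip)"
                         % (comp, COMP_NAMES.get(comp, "?")))
    out = bytearray(data)
    out[OFF_MAGIC:OFF_MAGIC + 4] = MAGIC_STD
    struct.pack_into("<H", out, OFF_COMPRESSION_ID, COMP_LZMA)
    return bytes(out)


# Constructed sample: a zeroed 96-byte superblock carrying the vendor magic,
# compression_id 1 and version 4.0. Not taken from any real firmware.
SAMPLE_SHSQ = bytearray(SUPERBLOCK_LEN)
SAMPLE_SHSQ[OFF_MAGIC:OFF_MAGIC + 4] = MAGIC_VENDOR
struct.pack_into("<H", SAMPLE_SHSQ, OFF_COMPRESSION_ID, COMP_GZIP)
struct.pack_into("<HH", SAMPLE_SHSQ, OFF_VERSION_MAJOR, 4, 0)
SAMPLE_SHSQ = bytes(SAMPLE_SHSQ)


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: %s <vendor.squashfs> <fixed.squashfs>\n" % argv[0])
        return 2
    with open(argv[1], "rb") as f:
        data = f.read()
    magic, comp, major, minor = parse_superblock(data)
    print("before: magic=%r compression=%s version=%d.%d"
          % (magic, COMP_NAMES.get(comp, comp), major, minor))
    patched = patch_superblock(data)
    magic, comp, major, minor = parse_superblock(patched)
    print("after:  magic=%r compression=%s version=%d.%d"
          % (magic, COMP_NAMES.get(comp, comp), major, minor))
    # Write to a new file so the original firmware dump stays untouched.
    with open(argv[2], "wb") as f:
        f.write(patched)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the extracted image and then unsquashfs the output file; only bytes 0..3 and 20..21 differ from the input, which you can confirm with cmp -l before trusting the result.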

Monday, January 25, 2021

Run arm rootfs with QEMU user

Extract or mount your rootfs to a directory, for example ./rootfs.

Install qemu-user-binfmt.

This package registers binfmt_misc handlers so the kernel runs ARM ELF binaries through qemu-user.

sudo apt install qemu-user-binfmt

To see which handlers are registered, and what the ARM one looks like:

ls  /proc/sys/fs/binfmt_misc/

cat /proc/sys/fs/binfmt_misc/qemu-arm

Now the interpreter for ARM ELF binaries is /usr/bin/qemu-arm-static.

The interpreter could also be /usr/bin/qemu-arm, depending on the order in which the QEMU packages were installed. Use whatever path the "interpreter" line above shows.

Once we chroot, the kernel resolves that interpreter path inside the new root, so qemu-arm-static has to exist at that path within ./rootfs. (If the "flags:" line above contains F, the kernel opened the interpreter when the handler was registered and the copy is not needed, but it does no harm.)

If your interpreter is /usr/bin/qemu-arm-static:

cp `which qemu-arm-static` ./rootfs/usr/bin/

If your interpreter is /usr/bin/qemu-arm, still copy the static binary, just under that name: a dynamically linked qemu-arm would need the host's shared libraries, which are not inside the chroot:

cp `which qemu-arm-static` ./rootfs/usr/bin/qemu-arm

OK, we can chroot now (this needs root):

chroot ./rootfs/ /bin/ash

/bin/ash is the BusyBox shell found in most embedded rootfs images; use whatever shell the rootfs actually ships.

Enjoy!
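The whole procedure in one script, as an added example that is not from the original post: it reads the interpreter path out of /proc/sys/fs/binfmt_misc/qemu-arm instead of guessing it, skips the copy when the handler was registered with the F flag, always stages the static binary, and then chroots. It assumes a Debian-style host where the static build is called qemu-arm-static, and it needs root for the copy into a root-owned rootfs and for chroot itself. The embedded binfmt_misc entry is a constructed sample for trying the parsing functions offline.

```sh
#!/bin/sh
# Stage the qemu-user interpreter into an ARM rootfs, then chroot into it.
# Usage: sh qemu-chroot.sh ./rootfs [/bin/ash]
set -eu

# Print the interpreter path from a binfmt_misc entry read on stdin.
binfmt_interpreter() {
    awk '$1 == "interpreter" { print $2; exit }'
}

# Succeed if the entry's flags contain F ("fix binary"): the kernel then
# opened the interpreter at registration time and no copy into the
# chroot is needed.
binfmt_has_fix_binary() {
    awk '$1 == "flags:" && index($2, "F") { found = 1 } END { exit !found }'
}

# Copy the *static* qemu-arm to the interpreter path inside the rootfs.
# A dynamically linked qemu-arm cannot find the host's shared libraries
# once the root has changed, so the static build is used whatever the
# registered path is called.
stage_rootfs() {
    rootfs=$1
    entry=/proc/sys/fs/binfmt_misc/qemu-arm
    if [ ! -f "$entry" ]; then
        echo "no qemu-arm binfmt_misc handler; install qemu-user-binfmt" >&2
        return 1
    fi
    if binfmt_has_fix_binary < "$entry"; then
        echo "handler has the F flag, nothing to copy"
        return 0
    fi
    interp=$(binfmt_interpreter < "$entry")
    static=$(command -v qemu-arm-static) || {
        echo "qemu-arm-static not found on the host" >&2
        return 1
    }
    mkdir -p "$rootfs$(dirname "$interp")"
    cp "$static" "$rootfs$interp"
    echo "staged $static as $rootfs$interp"
}

# Constructed sample of a binfmt_misc entry, for trying the parsers
# offline (the real one is /proc/sys/fs/binfmt_misc/qemu-arm).
SAMPLE_ENTRY='enabled
interpreter /usr/bin/qemu-arm-static
flags: OC
offset 0
magic 7f454c4601010100000000000000000002002800
mask ffffffffffffff00fffffffffffffffffeffffff'

if [ $# -gt 0 ]; then
    stage_rootfs "$1"
    exec chroot "$1" "${2:-/bin/ash}"
fi
```

Run it as "sudo sh qemu-chroot.sh ./rootfs"; with no arguments it only defines the functions, so you can source it and feed SAMPLE_ENTRY (or the real /proc entry) to binfmt_interpreter to see what will be copied where.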