May 11, 2012

FlyVision CarCam Video Files Extraction - Part II

One mystery remained unanswered in my previous post a few days ago. The "SQFS" string in the header of the dump file looks suspicious, but it turned out to have nothing to do with the SquashFS used in Linux images. A search for "S&Q Tech" leads to a CCTV/carcam maker in Taiwan. My guess is that the "SQFS" string is just an ID label.

00000000   EB 3C 90 53  26 51 20 54  45 43 48 00  02 20 04 00  .<.S&Q TECH.. ..
00000010   02 00 02 00  00 F8 1E 00  3F 00 FF 00  00 00 00 00  ........?.......
00000020   00 68 76 00  00 01 29 00  00 00 00 53  51 46 53 46  .hv...)....SQFSF
00000030   41 54 44 49  53 4B 46 41  54 31 36 20  20 20 00 00  ATDISKFAT16   ..
00000040   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................

Searching for the "SQFS" string, we find the next occurrence at offset 0x8000052. The 0xE9 at 0x8000000 and all the zeros above it make the boundary so blatant that this might be the beginning of the 2nd partition, where the video files reside.

07FFFFC0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
07FFFFD0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
07FFFFE0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
07FFFFF0   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
08000000   E9 00 00 00  00 00 00 00  00 00 00 00  02 40 2D 00  .............@-.
08000010   01 00 00 00  00 F8 00 00  3F 00 84 00  00 00 00 00  ........?.......
08000020   6C 54 72 00  93 03 00 00  00 00 00 00  02 00 00 00  lTr.............
08000030   01 00 06 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
08000040   00 00 29 78  56 34 12 4E  4F 20 4E 41  4D 45 00 00  ..)xV4.NO NAME..
08000050   00 00 53 51  46 53 20 20  B2 02 00 00  00 00 00 00  ..SQFS  ........
08000060   00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00  ................
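
To see where the "SQFS" string actually sits, the two boot sectors can be decoded field by field. This is an added example, not code from the original post: it assumes the standard FAT boot-sector (BPB) layout, uses only the bytes shown in the two hex dumps, and the names `parse_bpb` and `locate` are made up here.

```python
import struct

# Bytes transcribed from the post's two hex dumps (dump.dat offsets 0x0 and
# 0x8000000). Only the dumped rows are known, so both sectors are truncated.
PART1 = bytes.fromhex(
    "EB 3C 90 53 26 51 20 54 45 43 48 00 02 20 04 00"
    "02 00 02 00 00 F8 1E 00 3F 00 FF 00 00 00 00 00"
    "00 68 76 00 00 01 29 00 00 00 00 53 51 46 53 46"
    "41 54 44 49 53 4B 46 41 54 31 36 20 20 20 00 00")
PART2 = bytes.fromhex(
    "E9 00 00 00 00 00 00 00 00 00 00 00 02 40 2D 00"
    "01 00 00 00 00 F8 00 00 3F 00 84 00 00 00 00 00"
    "6C 54 72 00 93 03 00 00 00 00 00 00 02 00 00 00"
    "01 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 29 78 56 34 12 4E 4F 20 4E 41 4D 45 00 00"
    "00 00 53 51 46 53 20 20 B2 02 00 00 00 00 00 00")

def parse_bpb(sec):
    """Decode the FAT BIOS Parameter Block at the start of a boot sector."""
    (bps, spc, reserved, _nfats, _root, tot16, _media, fatsz16, _spt, _heads,
     _hidden, tot32) = struct.unpack_from("<HBHBHHBHHHII", sec, 0x0B)
    fat32 = fatsz16 == 0           # FAT32 zeroes this and uses the field at 0x24
    ext = 0x40 if fat32 else 0x24  # extended boot record follows the BPB
    return {
        "fat32": fat32,
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "reserved_sectors": reserved,
        "fat_sectors": struct.unpack_from("<I", sec, 0x24)[0] if fat32 else fatsz16,
        "size_bytes": (tot16 or tot32) * bps,
        "label": (ext + 7, sec[ext + 7:ext + 18]),      # (offset, 11 bytes)
        "fs_type": (ext + 18, sec[ext + 18:ext + 26]),  # (offset, 8 bytes)
    }

def locate(sec, marker=b"SQFS"):
    """Return (offset, field) for the BPB text field holding marker, if any."""
    bpb, pos = parse_bpb(sec), sec.find(marker)
    for field in ("label", "fs_type"):
        start, raw = bpb[field]
        if start <= pos < start + len(raw):
            return pos, field
    return pos, None

if __name__ == "__main__":
    for base, sec in ((0x0, PART1), (0x8000000, PART2)):
        bpb, (pos, field) = parse_bpb(sec), locate(sec)
        print(f"{base:#x}: fat32={bpb['fat32']} size={bpb['size_bytes']} "
              f"'SQFS' at {base + pos:#x} in {field}")
```

In the first sector the string is the start of the 11-byte volume label ("SQFSFATDISK"); in the second it occupies the 8-byte filesystem-type field at 0x52, which is where 0x8000052 comes from.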

Let's mount dump.dat at offset 0x8000000 (134,217,728 in decimal). The result is pretty self-explanatory. Too bad this renders our Bourne/Perl hybrid one-liner obsolete. :(

$ mkdir /tmp/part2
$ sudo mount -o loop,ro,offset=134217728 dump.dat /tmp/part2

$ df -Th /tmp/part2
Filesystem    Type    Size  Used Avail Use% Mounted on
/dev/loop0    vfat    3.6G  3.6G   75M  98% /tmp/part2

$ ls -l /tmp/part2
total 3674564
-rwxr-xr-x  1 root root   4587590 1980-02-05 00:02 C.D
-rwxr-xr-x  1 root root         0 1980-01-01 00:02 g.H
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0001.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0002.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0003.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0004.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0005.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0006.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0007.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0008.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0009.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0010.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0011.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0012.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0013.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0014.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0015.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0016.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0017.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0018.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0019.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0020.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0021.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0022.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0023.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0024.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0025.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0026.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0027.AVI
-rwxr-xr-x  1 root root 134217728 1980-01-01 00:00 PICT0028.AVI
-rwxr-xr-x  1 root root         0 1980-01-01 00:00 SQ

Note: The video files all have the same size (128 MB) regardless of the actual play time, because pre-allocated space results in better I/O performance when the files are rotated.

3 comments:

  1. Hi,

    My "Vehicle blackbox dvr X3000" uses the same layout (msdos filesystem at offset 128MB). It also has a GPS receiver; do you have any idea where GPS data might be stored?

  2. I don't have a GPS receiver; there's not enough information to tell where the data is stored. :(

  3. My carcam is also the X3000 with the Windows "viewer" being called JPlayer.exe.

    I too got sidetracked with the 'SQFS' text and spent a few hours thinking I was working with a squash filesystem :).

    Anyways, thanks for posting your findings. Mine has a GPS and 3-axis g-sensor data which I am trying to extract. I am not too worried about GPS and accel data but I want to be able to timestamp the files so I can find what I am looking for.

    Will post what I figure out.
