I used binwalk to scan firmware image, uncompressed & raw RAM dump. When scan for signatures with -I flag there is reference to Linux EXT filesystem:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
... ...
2148245 0x20C795 Linux EXT filesystem, blocks count: 1048741, image size: 1073910784, invalid state invalid error behavior invalid major revision rev 611745794.9334, ext2 filesystem data (mounted or unclean), UUID=a200288c-6200-14af-a200-2c8c62006200, volume name "¢"
I want extract that filesystem use dd command:
dd if=image.out of=ext2-filesystem bs=1 skip=2148245 count=1048741
On output I got file 1,0 MiB (1 048 741 bytes). I'm not sure that this is correct result, the file is too small. What should be the correct command for this?
EDIT: GNU Coreutils,
$ dd --version
dd (coreutils) 8.32
dd if=/dev/urandom count=2M of=random && binwalk -I randomand also found EXT with "invalid state invalid error behavior invalid major revision". Meaningless. Your file is not random data by itself, but the alleged EXT may be a false positive. (3) "Blocks count" is not "bytes count". The block size seems to be 1024 bytes here.blocksize=1(bs=1) andcount=1048741, that gives a file size of 1MB. As Kamil stated, the blocksize is 1024 (1073910784 / 1024 = 1048731). So you may get the image you desire by simply specifyingbs=1024. Also recalculate theskip=value to fit the beginning of the assumed image in the dump.skip=while usingbs=1024is not really possible. Inddfrom GNU coreutils 9.0 or laterskip=2148245Bshould work regardless ofbs=, I think. Earlier versions could do this withskip=2148245 iflag=skip_bytes. Portably one needs to keepbs=1and to recalculatecount=.dd if=image.out of=ext2-filesystem bs=1024 skip=2148245B count=1048741dd: invalid number: ‘2148245B’Bisn't a valid suffix. Please read the documentationman dd(search forsuffix)