Cerbero Blog

SPIFFS Format Package

We are happy to announce support for the SPIFFS (SPI Flash File System) format. The new SPIFFS Format package lets you browse and extract files from SPIFFS images directly within the application.

SPIFFS is a flat file system designed for SPI NOR flash memory, widely used in ESP8266, ESP32, and other embedded microcontrollers. It provides wear leveling and power-loss resilience with minimal RAM overhead, making it the go-to file system for storing configuration files, web assets, and sensor data on IoT devices. SPIFFS uses a page-based layout with per-block object lookup tables and 16-bit object IDs. Unlike traditional file systems, it has no directory support — files are stored with flat paths (e.g. /config.json). Having native support in Cerbero Suite means analysts can inspect ESP32 firmware dumps, IoT flash images, and embedded device storage encountered during security research, vulnerability assessment, or forensic investigations without needing external tools or knowing the flash geometry parameters.

WASM Format & Decompiler Packages

We are happy to announce two new packages, released together: the WASM Format package and the WASM Decompiler package. Together they bring native WebAssembly analysis to Cerbero Suite: parsing, disassembly, decompilation, data cross-references, and unified navigation between all of them.

Continue reading “WASM Format & Decompiler Packages”

F2FS Format Package

We are happy to announce support for the F2FS (Flash-Friendly File System) format. The new F2FS Format package lets you browse and extract files from F2FS images directly within the application.

F2FS is a log-structured file system designed by Samsung for NAND flash storage, merged into the Linux kernel in version 3.8. It is the default user-data file system on many Android devices and is also used on Chrome OS, Tizen, and other flash-based storage systems. F2FS employs a Node Address Table (NAT) for efficient inode resolution, multi-level hash-based directories, and supports inline data for small files, extended attributes, and transparent compression (LZO, LZ4, ZSTD). Having native support in Cerbero Suite means analysts can inspect Android user-data partitions, IoT firmware, and flash storage images encountered during security research, vulnerability assessment, or forensic investigations without needing external tools.

DotNETBinaryFormatter Format Package

We are happy to announce support for the .NET BinaryFormatter serialization format. The new DotNET BinaryFormatter Format package replaces the old decoder with a full parser, providing reliable parsing and embedded object detection for malware analysis and forensic investigations.

BinaryFormatter (System.Runtime.Serialization.Formatters.Binary.BinaryFormatter) is a .NET binary serialization mechanism that has been widely used since the early days of .NET. It is also notoriously insecure: deserialization of untrusted data can lead to arbitrary code execution, which has made it a favored vector for .NET exploitation payloads. Malware authors frequently embed executables, shellcode, and configuration data inside BinaryFormatter byte arrays. Having native support in Cerbero Suite means analysts can safely inspect these payloads, navigate the serialized object graph, and extract embedded objects without risking code execution.

EROFS Format Package

We are happy to announce support for the EROFS (Enhanced Read-Only File System) format. The new EROFS Format package lets you browse and extract files from EROFS images directly within the application.

EROFS is a high-performance, read-only compressed file system for Linux, merged into the mainline kernel in version 4.19. It was originally developed by Huawei and is now the standard file system for Android system partitions starting from Android 10. EROFS is also used in container images (Docker, Nydus) and embedded systems. Unlike older read-only file systems such as SquashFS and CRAMFS, EROFS uses a pcluster-based compressed data layout that offers efficient random read access without decompressing entire blocks. It supports multiple compression algorithms including LZ4 and DEFLATE. Having native support in Cerbero Suite means analysts can inspect Android system images, container images, and embedded firmware encountered during security research, vulnerability assessment, or forensic investigations without needing external tools.

ROMFS Format Package

We are happy to announce support for the ROMFS (ROM File System) format in Cerbero Suite. The new ROMFS Format package lets you browse and extract files from ROMFS images directly within the application.

ROMFS is a simple, space-efficient, read-only file system designed for Linux. It was introduced in Linux 2.1.21 as a minimal alternative to ext2 for boot media and embedded devices. ROMFS stores data uncompressed with all on-disk structures in big-endian byte order, resulting in very low overhead and fast read access. ROMFS is commonly found in embedded systems, firmware images, initial RAM file systems (initramfs/initrd), and bootloaders. Its simplicity and small kernel footprint make it a popular choice for resource-constrained environments where read-only access is sufficient. Having native support in Cerbero Suite means analysts can inspect firmware dumps and ROM images encountered during security research, vulnerability assessment, or forensic investigations without needing external tools.

CRAMFS Format Package

We are happy to announce support for CRAMFS file system images. The new CRAMFS Format package lets you browse and extract files from CRAMFS images directly within the application.

CRAMFS (Compressed ROM File System) is a simple, read-only compressed file system designed for Linux ROM devices. It compresses file data one page at a time using zlib, keeping the image compact while allowing random read access. CRAMFS is commonly found in embedded systems, firmware images, set-top boxes, and devices with limited flash storage. Having native support in Cerbero Suite means analysts can inspect firmware dumps and ROM images encountered during security research, vulnerability assessment, or forensic investigations without needing external tools.

VBA Beautifier Package

We are happy to announce the beta release for commercial licenses of the VBA Beautifier package. It provides automated beautification and deobfuscation for VBA (Visual Basic for Applications) and VBS (VBScript) code, the most common macro language found in malicious Office documents.

VBA macros remain one of the primary initial access vectors in the threat landscape. Malware authors routinely apply layers of obfuscation. Manually cleaning up these scripts is tedious and error-prone. The VBA Beautifier helps to automate this process, turning obfuscated macro code into clean, readable output.

YAFFS Format Package

We are happy to announce support for YAFFS and YAFFS2 file system images. The new YAFFS Format package lets you browse and extract files from YAFFS flash dumps directly within the application.

YAFFS2 (Yet Another Flash File System 2) is a log-structured file system designed for NAND flash memory. It is widely used in embedded Linux devices such as Android phones, routers, set-top boxes, IoT hardware, and industrial controllers. YAFFS stores data in fixed-size chunks (pages) interleaved with spare (out-of-band) areas that contain metadata tags. Having native support in Cerbero Suite means analysts can inspect firmware dumps and flash images encountered during security research, vulnerability assessment, or forensic investigations without needing external tools or knowing the NAND geometry parameters.

Lua Decompiler Package

We are happy to announce the beta release of the Lua Decompiler package. It reconstructs readable Lua source code from compiled Lua bytecode (.luac) files, covering all major Lua versions from 5.0 through 5.4. This package requires the installation of the LUAC Format package.

Compiled Lua bytecode is common across game engines, embedded firmware, IoT devices, and malware payloads. Disassembly alone is often enough for a rough understanding of a function, but reading dozens of instructions per line does not scale when a script spans thousands of opcodes. A decompiler bridges that gap: it turns register-level bytecode back into control flow a human can read, making review, patch development, and malware triage dramatically faster.

This is a beta release. The core reconstruction pipeline is stable and validated against a broad sample set across all supported Lua versions, but complex control flow patterns and heavily optimized bytecode may still produce suboptimal output. Feedback is welcome.