FDT Format Package

We are happy to announce support for the Flattened Device Tree (FDT / DTB) format. The new FDT Format package lets you parse and explore device tree blobs directly within the application, with an interactive tree navigator and per-node binary view.

FDT is the binary format that bootloaders hand to the Linux kernel (and other operating systems) to describe non-discoverable hardware on ARM, ARM64, RISC-V, PowerPC and similar platforms. A DTB encodes the entire hardware topology of a board: CPUs and their cache hierarchy, physical memory regions, on-chip peripherals like UARTs, I²C and SPI controllers, GPIO banks, USB hosts, MMC/SD, Ethernet MACs and GPUs, interrupt routing, clock and power domains, kernel boot arguments and reserved memory regions. The same blob format is also used for device tree overlays (.dtbo), which patch a base tree at boot for HATs, capes and optional peripherals. DTBs are routinely pulled from boot partitions, firmware images and recovery dumps during security research, IoT analysis and forensic investigations. Having native FDT support in Cerbero Suite means analysts can read out a device’s hardware description (the same information the OS uses to bring the system up) without leaving the analysis environment.
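To make the layout concrete, here is an added example (not Cerbero Suite code) of a bounds-checked walk over a DTB's structure block that recovers each node's properties, such as the kernel boot arguments under /chosen. The function names and the sample blob are constructed for illustration; the header and token layout follow the Devicetree Specification.

```python
import struct

FDT_MAGIC = 0xD00DFEED
BEGIN_NODE, END_NODE, PROP, NOP, END = 1, 2, 3, 4, 9  # structure-block tokens

def align4(n):
    return (n + 3) & ~3

def parse_fdt(blob):
    """Return {node_path: {property: raw bytes}}; ValueError on malformed input."""
    if len(blob) < 40 or struct.unpack_from(">I", blob)[0] != FDT_MAGIC:
        raise ValueError("not an FDT blob")
    (_, total, off_st, off_str, _rsv, _ver, _compat, _cpu,
     sz_str, sz_st) = struct.unpack_from(">10I", blob)
    if total > len(blob) or off_st + sz_st > total or off_str + sz_str > total:
        raise ValueError("header offsets point outside the blob")
    st, strs = blob[off_st:off_st + sz_st], blob[off_str:off_str + sz_str]
    nodes, path, pos = {}, [], 0
    while pos + 4 <= len(st):
        token = struct.unpack_from(">I", st, pos)[0]
        pos += 4
        if token == BEGIN_NODE:
            end = st.index(b"\0", pos)  # raises ValueError if unterminated
            path.append(st[pos:end].decode("ascii", "replace"))
            nodes["/" + "/".join(path[1:])] = {}
            pos = align4(end + 1)
        elif token == PROP and path and pos + 8 <= len(st):
            length, nameoff = struct.unpack_from(">II", st, pos)
            if pos + 8 + length > len(st) or nameoff >= len(strs):
                raise ValueError("property exceeds its block")
            name = strs[nameoff:strs.index(b"\0", nameoff)].decode("ascii", "replace")
            nodes["/" + "/".join(path[1:])][name] = st[pos + 8:pos + 8 + length]
            pos = align4(pos + 8 + length)
        elif token == END_NODE and path:
            path.pop()
        elif token == END:
            return nodes
        elif token != NOP:
            raise ValueError("unexpected or truncated token %#x" % token)
    raise ValueError("structure block has no FDT_END token")

def sample_dtb():  # constructed sample: root node with /chosen { bootargs }
    val, strs = b"console=ttyS0 root=/dev/mmcblk0p2\0", b"bootargs\0"
    st = struct.pack(">I", BEGIN_NODE) + b"\0\0\0\0"  # root node, empty name
    st += struct.pack(">I", BEGIN_NODE) + b"chosen\0\0"
    st += struct.pack(">III", PROP, len(val), 0) + val.ljust(align4(len(val)), b"\0")
    st += struct.pack(">III", END_NODE, END_NODE, END)
    hdr = struct.pack(">10I", FDT_MAGIC, 56 + len(st) + len(strs), 56,
                      56 + len(st), 40, 17, 16, 0, len(strs), len(st))
    return hdr + bytes(16) + st + strs  # 16 zero bytes: empty reservation map
```

Every offset and length is checked against the enclosing block before use, because a DTB carved out of a firmware dump may be truncated or corrupted.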

LittleFS Format Package

We are happy to announce support for LittleFS file system images. The new LittleFS Format package lets you browse and extract files from LittleFS images directly within the application.

LittleFS is a block-based file system designed for microcontrollers, with a focus on power-loss resilience and wear leveling. It is widely used in embedded devices built on platforms such as ESP32, STM32, nRF52, RP2040, and Mbed OS. LittleFS stores metadata in redundant block pairs and organizes file data using either inline storage or a CTZ skip-list structure that provides efficient random access. Having native support in Cerbero Suite means analysts can inspect firmware dumps and flash images from IoT devices, sensor nodes, and consumer electronics without needing external tools.

VDEX Format Package

We are happy to announce support for the Android ART VDEX format. The new VDEX Format package lets you inspect VDEX containers and extract their embedded DEX files directly within the application.

VDEX is the Verified DEX container format produced by the Android ART dex2oat compiler. It ships alongside OAT files in /system/framework/ or /data/dalvik-cache/ and stores the DEX bytecode together with verification metadata that ART uses to skip class verification at class-load time. The format has evolved significantly across Android releases. Having native VDEX support in Cerbero Suite is useful when analyzing Android firmware images, dalvik caches recovered during forensic acquisitions, or APK companion artifacts encountered during malware reverse engineering.

SPIFFS Format Package

We are happy to announce support for the SPIFFS (SPI Flash File System) format. The new SPIFFS Format package lets you browse and extract files from SPIFFS images directly within the application.

SPIFFS is a flat file system designed for SPI NOR flash memory, widely used in ESP8266, ESP32, and other embedded microcontrollers. It provides wear leveling and power-loss resilience with minimal RAM overhead, making it the go-to file system for storing configuration files, web assets, and sensor data on IoT devices. SPIFFS uses a page-based layout with per-block object lookup tables and 16-bit object IDs. Unlike traditional file systems, it has no directory support — files are stored with flat paths (e.g. /config.json). Having native support in Cerbero Suite means analysts can inspect ESP32 firmware dumps, IoT flash images, and embedded device storage encountered during security research, vulnerability assessment, or forensic investigations without needing external tools or knowing the flash geometry parameters.

WASM Format & Decompiler Packages

We are happy to announce two new packages, released together: the WASM Format package and the WASM Decompiler package. Together they bring native WebAssembly analysis to Cerbero Suite: parsing, disassembly, decompilation, data cross-references, and unified navigation between all of them.


F2FS Format Package

We are happy to announce support for the F2FS (Flash-Friendly File System) format. The new F2FS Format package lets you browse and extract files from F2FS images directly within the application.

F2FS is a log-structured file system designed by Samsung for NAND flash storage, merged into the Linux kernel in version 3.8. It is the default user-data file system on many Android devices and is also used on Chrome OS, Tizen, and other flash-based storage systems. F2FS employs a Node Address Table (NAT) for efficient inode resolution, multi-level hash-based directories, and supports inline data for small files, extended attributes, and transparent compression (LZO, LZ4, ZSTD). Having native support in Cerbero Suite means analysts can inspect Android user-data partitions, IoT firmware, and flash storage images encountered during security research, vulnerability assessment, or forensic investigations without needing external tools.

DotNETBinaryFormatter Format Package

We are happy to announce support for the .NET BinaryFormatter serialization format. The new DotNET BinaryFormatter Format package replaces the old decoder with a full parser, providing reliable parsing and embedded object detection for malware analysis and forensic investigations.

BinaryFormatter (System.Runtime.Serialization.Formatters.Binary.BinaryFormatter) is a .NET binary serialization mechanism that has been widely used since the early days of .NET. It is also notoriously insecure: deserialization of untrusted data can lead to arbitrary code execution, which has made it a favored vector for .NET exploitation payloads. Malware authors frequently embed executables, shellcode, and configuration data inside BinaryFormatter byte arrays. Having native support in Cerbero Suite means analysts can safely inspect these payloads, navigate the serialized object graph, and extract embedded objects without risking code execution.

EROFS Format Package

We are happy to announce support for the EROFS (Enhanced Read-Only File System) format. The new EROFS Format package lets you browse and extract files from EROFS images directly within the application.

EROFS is a high-performance, read-only compressed file system for Linux, merged into the mainline kernel in version 4.19. It was originally developed by Huawei and is now the standard file system for Android system partitions starting from Android 10. EROFS is also used in container images (Docker, Nydus) and embedded systems. Unlike older read-only file systems such as SquashFS and CRAMFS, EROFS uses a pcluster-based compressed data layout that offers efficient random read access without decompressing entire blocks. It supports multiple compression algorithms including LZ4 and DEFLATE. Having native support in Cerbero Suite means analysts can inspect Android system images, container images, and embedded firmware encountered during security research, vulnerability assessment, or forensic investigations without needing external tools.

ROMFS Format Package

We are happy to announce support for the ROMFS (ROM File System) format in Cerbero Suite. The new ROMFS Format package lets you browse and extract files from ROMFS images directly within the application.

ROMFS is a simple, space-efficient, read-only file system designed for Linux. It was introduced in Linux 2.1.21 as a minimal alternative to ext2 for boot media and embedded devices. ROMFS stores data uncompressed with all on-disk structures in big-endian byte order, resulting in very low overhead and fast read access. ROMFS is commonly found in embedded systems, firmware images, initial RAM file systems (initramfs/initrd), and bootloaders. Its simplicity and small kernel footprint make it a popular choice for resource-constrained environments where read-only access is sufficient. Having native support in Cerbero Suite means analysts can inspect firmware dumps and ROM images encountered during security research, vulnerability assessment, or forensic investigations without needing external tools.
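The big-endian, uncompressed layout makes a ROMFS image easy to check by hand. The following added example (not Cerbero Suite code) validates the superblock and lists the top-level file headers; the function names and the sample image are constructed for illustration, and the field layout follows the Linux kernel's romfs documentation.

```python
import struct

KINDS = ("hardlink", "dir", "file", "symlink", "blockdev", "chardev", "socket", "fifo")

def pad16(n):
    return (n + 15) & ~15

def cstring(img, off):
    """Read a NUL-terminated name; return it and the 16-byte-aligned end offset."""
    end = img.index(b"\0", off)  # raises ValueError if unterminated
    return img[off:end].decode("latin-1"), pad16(end + 1)

def superblock_checksum_ok(img):
    """The big-endian 32-bit words of the first 512 bytes must sum to zero."""
    n = min(len(img), 512) // 4
    return sum(struct.unpack_from(">%dI" % n, img)) & 0xFFFFFFFF == 0

def list_romfs(img):
    """Return (volume_name, [(name, kind, size, data)]) for the top-level directory."""
    if len(img) < 32 or img[:8] != b"-rom1fs-":
        raise ValueError("not a ROMFS image")
    size = struct.unpack_from(">I", img, 8)[0]
    if size > len(img) or not superblock_checksum_ok(img):
        raise ValueError("bad size or superblock checksum")
    volume, off = cstring(img, 16)
    entries, seen = [], set()
    while off:
        if off in seen or off + 16 > size:
            raise ValueError("file header chain loops or leaves the image")
        seen.add(off)
        nxt, _spec, fsize, _cksum = struct.unpack_from(">4I", img, off)
        name, data = cstring(img, off + 16)
        if data + fsize > size:
            raise ValueError("file data runs past the end of the image")
        entries.append((name, KINDS[nxt & 7], fsize, img[data:data + fsize]))
        off = nxt & ~15  # low 4 bits hold the type and exec flag, not the offset
    return volume, entries

def sample_image():  # constructed sample: volume "demo" holding one regular file
    body = b'{"debug":true}\n'
    hdr = struct.pack(">4I", 2, 0, len(body), 0) + b"boot.cfg".ljust(16, b"\0")
    img = bytearray(b"-rom1fs-" + bytes(8) + b"demo".ljust(16, b"\0") + hdr
                    + body.ljust(pad16(len(body)), b"\0"))
    struct.pack_into(">I", img, 8, len(img))  # full size field
    words = struct.unpack(">%dI" % (len(img) // 4), img)
    struct.pack_into(">I", img, 12, -sum(words) & 0xFFFFFFFF)  # superblock checksum
    return bytes(img)
```

The per-file header checksum is left at zero in the sample and is not verified here; only the superblock checksum is checked.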