Related
want to edit your boot.img?
included files in zip: mkbootimg (i compiled this file from android source), unpack-bootimg.pl, repack-bootimg.pl
i edited the repack script to compile the nexus s img correctly.
Code:
--base 0x30000000 --pagesize 4096
first dump original boot.img:
Code:
cat /dev/mtd/mtd2 > /sdcard/boot.img
then drag/drop to your linux box to edit file.
use unpack script:
Code:
./unpack-bootimg.pl boot.img
you will end up with 2 compressed files and 1 folder.
finished editing and want to repack boot.img, for example:
Code:
./repack-bootimg.pl <kernel> <ramdisk-directory> <outfile>
most info and scripts pulled from here: http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack,_Edit,_and_Re-Pack_Boot_Images, thanks to the original author.
test your new boot.img:
Code:
fastboot boot boot.img
Two things:
1. if you have any bad blocks in your boot partition, this method will fail to extract the boot.img (you need to skip bad blocks, but cat will just get an error)
2. you can replace just the kernel (leaving the ramdisk and parameters intact) using:
Code:
% fastboot flash zimage zImage
The bootloader will read-modify-write the boot partition, replacing the kernel only.
how would you skip bad blocks? i never thought of a phone as having bad blocks.
k0mpresd said:
i never thought of a phone as having bad blocks.
Click to expand...
Click to collapse
All flash devices can have bad blocks. But it usually isn't something the end user would notice, unless there are so many and something is wrong that you're losing drive space.
edit: more info here if your curious http://en.wikipedia.org/wiki/Flash_memory
hmm, very strange thing happening to me. I've only gotten my boot.img to compile and boot successfully once with this method, but now I can't seem to get it to compile? I keep getting errors of the file name or file type. I'm using the correct usage.. If I compile manually with mkbootimg on the cmd line it'll compile but it won't boot. Just bootloops at the Google splash..
Jroid try my Matr1x kernel and see what happens
Sent from my Nexus S using XDA App
The problem seems to be compiling the boot with the perl scripts, not the kernel itself.
Try manually:
Once unpacked do the boot.img-ramdisk.cpio.gz with the following command (moved to the ramdisk folder):
Code:
#sudo find . | cpio -o -H newc | gzip > ../<your boot name>.img-ramdisk.cpio.gz
Then cd ../
And repack:
Code:
#./mkbootimg --kernel <your boot name>.img-kernel.gz --ramdisk <your boot name>.img-ramdisk.cpio.gz --base 0x30000000 --pagesize 4096 -o boot.img
you can replace just the kernel (leaving the ramdisk and parameters intact) using:
Code:
% fastboot flash zimage zImage
The bootloader will read-modify-write the boot partition, replacing the kernel only.
Click to expand...
Click to collapse
It won't work on the Nexus S.
python08 said:
It won't work on the Nexus S.
Click to expand...
Click to collapse
exactly, i'd love to be able to do this for some testing but it doesn't allow me.
EDIT: yes it does. Swetland is right
Chamb' said:
Try manually:
Once unpacked do the boot.img-ramdisk.cpio.gz with the following command (moved to the ramdisk folder):
Code:
#sudo find . | cpio -o -H newc | gzip > ../<your boot name>.img-ramdisk.cpio.gz
Then cd ../
And repack:
Code:
#./mkbootimg --kernel <your boot name>.img-kernel.gz --ramdisk <your boot name>.img-ramdisk.cpio.gz --base 0x30000000 --pagesize 4096 -o boot.img
Click to expand...
Click to collapse
I've tied compiling a boot both manually (with cmdline) and with the perl scripts and have used a simple kernel.gz and ramdisk.cpio.gz for my file names.. doesn't really matter what I name it as long as it has the correct file format in this .gz and .cpio.gz right? the manual compile goes fine with base 0x30000000 and pagesize 4096
however, it does not boot and will bootloop at the Google splash
Used boot.img extracted from (what ROM ?) cat /dev/mtd/mtd2 ?
Is the phone start with this boot.img (unchanged) if you flash it by typing "fastboot flash..." ?
After that, just try to unpack and repack the boot.img without changes on ramdisk or kernel, if it works that means your changes suck (^^).
These commands (or perl scripts) work perfectly for me.
Lol I will try doing that. The boot.img I used is from stock 2.3.4, edited the ramdisk (specifically init.rc & init.herring.rc)
Like I said, first time I used the perl scripts I edited my ramdisk, threw in a netarchy kernel, it compiled fine and booted. Now if I use the perl script to repack with an aosp kernel, it gives me an error about file name and/or extension being wrong. Or complains it can't find mkbootimg when its there and executable. I'll re run it again and post errors
Sent from my Nexus S
he guys where is the boot image located? not the animation, the google logo at the start of the booting!
Sent from my Nexus S using XDA Premium App
ok so when I used the repack-bootimg.pl script, it kept giving me this error:
Code:
boot.img-kernel.gz Not a directory at ./repack-bootimg.pl line 13.
So I ran mkbootimg manually, without a cmdline comment as stated above. It compiled
and booted beautifully all stock with no init.rc or init.herring.rc edits.
however when I compile a boot.img coupled with a stock kernel and a modified ramdisk, I get a non-booting boot.img. One came out at 2.9 mb and the other at 5.6 mb neither boots using the same cmd that compiled the working boot. Must be my edits.. I literally only changed about 1 line in init.rc and another line in init.herring.rc that causing it not to boot.
By the way, I got some info on a stock boot.img using the unpackbootimg binary (not the perl script) and here's what it outputs:
Code:
#BOARD_KERNEL_CMDLINE console=ttyFIQ0 no_console_suspend
BOARD_KERNEL_BASE 30000000
BOARD_PAGE_SIZE 00001000
I enter that pagesize and it says it's not a valid value when I compile boot.img's
Borky_16 said:
he guys where is the boot image located? not the animation, the google logo at the start of the booting!
Sent from my Nexus S using XDA Premium App
Click to expand...
Click to collapse
part of the kernel
to change-https://github.com/morfic/Samsung-logo
ogdobber said:
part of the kernel
to change-https://github.com/morfic/Samsung-logo
Click to expand...
Click to collapse
yeah i know thanks for the link a helping source though!
Sent from my Nexus S using XDA Premium App
Sorry for the Control C Control V of it, but I just found this topic now..
I`m facing this problem when I try to unpack boot.img..
I have done it 2 days ago but dunno why, now I can`t..
Follows what is happening..
Code:
[email protected]:~/NS-bootwork$ ./unpack-bootimg.pl boot.img
Found a secondary file after the ramdisk image.
According to the spec (mkbootimg.h) this file can exist,
but this script is not designed to deal with this scenario.
The Kernel is built, as a zImage and the WLAN as a bmc3429.ko..
Just repeating, I have built this Kernel 2 days ago in the same way, without any problems, but now I`m struggling on the message after inputting ./unpack-bootimg.pl boot.img..
Dunno what else to try, I re-downloaded the unpack-bootimg.pl from 2 different sources, and still the same error..
Any ideas?
Many thanks..
P.S.: Ubuntu 11.04 x64..
EDIT
Well, I already solve it!
That is what I did..
As unpack-bootimg.pl was not working (don`t know why) I used split_bootimg.pl script, splitting the boot.img and created new ramdisk img..
Code:
./split_bootimg.pl boot.img
mkdir ramdisk
cd ramdisk
gzip -dc ../boot.img-ramdisk.gz | cpio -i
find . | cpio -o -H newc | gzip > ../newramdisk.cpio.gz
Then after just compiled the Kernel with
Code:
./mkbootimg --kernel zImage --ramdisk newramdisk.cpio.gz --base 0x30000000 --pagesize 4096 --cmdline _console_suspend=1 console=bull's -o newtestboot.img'no
Witches includes " --cmdline _console_suspend=1 console=bull's" to not break BT functionality, in the case of Nexus S..
I found the tools here work well: http://glandium.org/blog/?p=2214
...if you then use the code originally posted above:
Code:
sudo find . | cpio -o -H newc | gzip > ../<your boot name>.img-ramdisk.cpio.gz
./mkbootimg --kernel <your boot name>.img-kernel.gz --ramdisk <your boot name>.img-ramdisk.cpio.gz --base 0x30000000 --pagesize 4096 -o boot.img
Plagiarism will not be tolerated on XDA-Developers:
http://forum.xda-developers.com/showpost.php?p=35640046&postcount=36
Reserved - Possible Updates Using Cygwin
I'm gonna take this one just in case as well
Thx for the app but i have an empty ramdisk folder...and all of the ramdisk files can't created or newer or same age version exists...cydwin won't let me copy the log...im using huawei not SE phone..if it has something to do!! But i can see the contents at boot.img-ramdisk.gz
Thanks but please mirror to other filehoster because mf is buggy on my phone
Sent from my WT19i using xda premium
$ ./extractboot boot.img
./extractboot: ./split_bootimg.pl: /usr/bin/perl: bad interpreter: Permission denied
./extractboot: line 17: cpio: command not found
gzip: ../../boot.img-ramdisk.gz: No such file or directory
what i missed here?
edit: opps. missed the REQUIRED packages. testing again.
$ ./extractboot boot.img
Android Magice not found in ./boot.img/ Giving up.
gzip: ../../boot.img-ramdisk.gz: unexpected end of file
cpio: premature end of archive
Any help with this error? I am trying to split and edit a custom CM9/ICS boot.img
very useful tool, thanks
This isn't working for me on my htc evo 4g lte. I am unpacking the stock boot.img and then repacking it with NO changes and get bootloops.
your image png should not exceed 20KB and your logo.rle should not exceed 60kb Otherwise you will almost always bootloop
stef67000 said:
your image png should not exceed 20KB and your logo.rle should not exceed 60kb Otherwise you will almost always bootloop
Click to expand...
Click to collapse
I didn't change any pngs, logos, or anything. I simply unpacked, repacked, and flashed.
maxdamage2122 said:
I didn't change any pngs, logos, or anything. I simply unpacked, repacked, and flashed.
Click to expand...
Click to collapse
Check on the way your kernel should be build.. Ours use as base 0x20 but yours may change..
Sent from my LT18i using Tapatalk
jimbo77 said:
Check on the way your kernel should be build.. Ours use as base 0x20 but yours may change..
Sent from my LT18i using Tapatalk
Click to expand...
Click to collapse
Is there a way to check without the source? Source for our kernel isn't released yet.
I've tried to unpack the last boot.img from cm9 RC2 to get the new cwm 6.x but I have an issue
Code:
$ ./extractboot boot.img
Page size: 2048 (0x00000800)
Kernel size: 3229308 (0x0031467c)
Ramdisk size: 1789254 (0x001b4d46)
Second size: 0 (0x00000000)
Board name:
Command line:
Writing boot.img-kernel ... complete.
Writing boot.img-ramdisk.gz ... complete.
./extractboot: line 17: cpio: command not found
I use this way http://forum.xda-developers.com/showthread.php?t=1477845
how to change spash screen http://forum.xda-developers.com/showthread.php?t=1140406
You need to download the cpio package through cygic in order to have it fixed..
Sent from my SGS3... Yes I have it!!!!
jimbo77 said:
You need to download the cpio package through cygic in order to have it fixed..
Sent from my SGS3... Yes I have it!!!!
Click to expand...
Click to collapse
thanks
thomas.raines said:
$ ./extractboot boot.img
Android Magice not found in ./boot.img/ Giving up.
gzip: ../../boot.img-ramdisk.gz: unexpected end of file
cpio: premature end of archive
Any help with this error? I am trying to split and edit a custom CM9/ICS boot.img
Click to expand...
Click to collapse
Hello,I'm having the same error with CM9/10 ICS/JellyBean kernel boot.img,there are chances it comes from the kernel itself as it appears to be or should we better look into our configuration?
helo, i repacket doomlord kernel v22 and when im trying to flash it i got this error :
FAILED (remote: Wrong range:0x10008000-0x103202d7. Ok:0x00200000 - 0x03dfff)
It's somethink about size of kernel and "fake size maker" file, but i dont know how to fix it.
So I pulled a working one apart and replaced the kernel with the compiled one.
Code:
[email protected] ~
$ cd /boot
[email protected] /boot
$ ./extractboot boot.img
Page size: 2048 (0x00000800)
Kernel size: 4463500 (0x00441b8c)
Ramdisk size: 372027 (0x0005ad3b)
Second size: 0 (0x00000000)
Board name:
Command line: console=ttyHSL0,115200,n8 androidboot.hardware=qcom loglevel=0
Writing boot.img-kernel ... complete.
Writing boot.img-ramdisk.gz ... complete.
2881 blocks
[email protected] /boot
$ ./packboot
Using base address 0x40200000
Using command line 'console=ttyHSL0,115200,n8 androidboot.hardware=qcom loglevel=0'
No errors
I then put it back together and I'm getting the boot.img is like half the original size (even tho the kernel files were pretty close to almost deadon the same size) and when I try to send to boot I get this
Code:
>fastboot boot boot_new.img
downloading 'boot.img'...
OKAY [ 1.168s]
booting...
FAILED (remote: incomplete bootimage)
finished. total time: 1.168s
This is for a Pantech Burst (p9070) if that helps at all
Original boot.img
New repacked boot.img
environment: ubuntu 10.04 LTS 64bit
get some package
sudo apt-get install gnupg flex bison gperf build-essential \
zip curl zlib1g-dev libc6-dev lib32ncurses5-dev ia32-libs \
x11proto-core-dev libx11-dev lib32readline5-dev lib32z-dev \
libgl1-mesa-dev g++-multilib mingw32 tofrodos python-markdown \
libxml2-utils xsltproc
install git
first install some packages that git depends on:
sudo apt-get install libcurl4-gnutls-dev libexpat1-dev gettext libz-dev libssl-dev
get the new git source code from http://code.google.com/p/git-core/downloads/list.
download git-1.8.0.tar.gz
tar -xvf git-1.8.0.tar.gz
cd git-1.8.0
./configure
make
sudo make install
this will install git to /usr/local/bin/
get the kernel source code:
mkdir -p ~/android/kernel
cd ~/android/kernel
git clone https://android.googlesource.com/kernel/msm
check which version of kernel to checkout
mkdir ~/work/android/nexus4-kernel
cd ~/work/android/nexus4-kernel
git clone https://android.googlesource.com/device/lge/mako-kernel
cd mako-kernel
git log kernel
get the commit rev, which is e039dcb (nov 25, 2012), this number seems to correspond to the latest commit revision in https://android.googlesource.com/kernel/msm/android-msm-mako-3.4-jb-mr1
check out the kernel
cd ~/android/kernel/kernel_msm
git checkout <commit version>
note: commit version is e039dcb, which is the result of the git log kernel command in the previous step
install google toolchain
mkdir ~/android/toolchain
cd ~/android/toolchain
git clone https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/arm/arm-linux-androideabi-4.6
add “export PATH=$PATH:~/android/toolchain/arm-linux-androideabi-4.6/bin” to ~/.profile and run source ~/.profile
setup environment variables and build
cd ~/android/kernel/kernel_msm
export ARCH=arm
export SUBARCH=arm
export CROSS_COMPILE=arm-linux-androideabi-
make mako_defconfig
make -j4
done
if you wanna thank me. go to google play and try out my app Wishlist :laugh:
https://play.google.com/store/apps/details?id=com.wish.wishlist
So with this I can make my own kernel for the Nexus 4? Hmm... will be nice to make one and get people to test it out for me lol.
I can edit the CPU, GPU, UV settings, etc? Is this only on Ubuntu or can it be done on Windows?
the kernel source is from google, but you can modify it as you wish. this is only for ubuntu. other linux environment will also work. but not windows.
You could change "make -j4" by "make -j$(grep -c ^processor /proc/cpuinfo)" ...
matt73300 said:
You could change "make -j4" by "make -j$(grep -c ^processor /proc/cpuinfo)" ...
Click to expand...
Click to collapse
that's handy to use.
But should the general rule of N in make -jN be twice the number of cpu core? for example, on my computer, I have two cores, so I use -j4.
yduck said:
that's handy to use.
But should the general rule of N in make -jN be twice the number of cpu core? for example, on my computer, I have two cores, so I use -j4.
Click to expand...
Click to collapse
Not really nice for lambda users. I think it's better when it written as I said (no need to know how many cores you have), or j# (and say replace # by 2xnumber_of_cores).
I have 8 cores on my computer, so I use j16 and it's much faster than j4, some people should know it
for some reason, the kernel I built cannot be booted.
when I did:
fastboot boot zImage
the phone stuck at the google logo.
any idea? I have seen other people in the forum built the kernel and booted it. there must be something wrong with the way I compiled the kernel, or the config is incorrect, or do I need to sign the kernel?
yduck said:
for some reason, the kernel I built cannot be booted.
when I did:
fastboot boot zImage
the phone stuck at the google logo.
any idea? I have seen other people in the forum built the kernel and booted it. there must be something wrong with the way I compiled the kernel, or the config is incorrect, or do I need to sign the kernel?
Click to expand...
Click to collapse
Is the zImage file the one found in "arch/arm/boot/zImage"? If so, then you can't use this directly in fastboot. You need to create a boot.img file.
Edit 2: You could possibly try this: " fastboot flash:raw boot <kernel> <ramdisk> ". I personally have not done, this. I created the boot.img file and flashed it.
Edit 3: Note that Edit 2 does perform a flash instead of boot, so be very wary of this. I recommend you create a boot.img file and use "fastboot boot boot.img" for testing --- it's safer that way.
dsana123 said:
Is the zImage file the one found in "arch/arm/boot/zImage"? If so, then you can't use this directly in fastboot. You need to create a boot.img file.
Edit 2: You could possibly try this: " fastboot flash:raw boot <kernel> <ramdisk> ". I personally have not done, this. I created the boot.img file and flashed it.
Edit 3: Note that Edit 2 does perform a flash instead of boot, so be very wary of this. I recommend you create a boot.img file and use "fastboot boot boot.img" for testing --- it's safer that way.
Click to expand...
Click to collapse
great suggestion. I just figured this out yesterday. as you said, fastboot boot does not work with just the zImage. it needs a boot.img.
so I created a newboot.img by packing my zImage and the ramdisk extracted from google's stock boot.img, and the newboot.img boots!
the command "fastboot flash:raw <kernel> <ramdisk>" seems simple to use. does it have an equivalent "fastboot boot: raw <kernel> <ramdisk"? so I don't need to worry about breaking my phone.
yduck said:
the command "fastboot flash:raw <kernel> <ramdisk>" seems simple to use. does it have an equivalent "fastboot boot: raw <kernel> <ramdisk"? so I don't need to worry about breaking my phone.
Click to expand...
Click to collapse
The fasboot.c source file at
https://android.googlesource.com/pl...8d27c72a03d56c1a36068a57f/fastboot/fastboot.c
indicates that there is no equivalent, although if you want to start modifying the fastboot.c code, it is probably easy enough to do so. Below is the relevant flash:raw code in fastboot.c:
} else if(!strcmp(*argv, "flash:raw")) {
char *pname = argv[1];
char *kname = argv[2];
char *rname = 0;
require(3);
if(argc > 3) {
rname = argv[3];
skip(4);
} else {
skip(3);
}
data = load_bootable_image(page_size, kname, rname, &sz, cmdline);
if (data == 0) die("cannot load bootable image");
fb_queue_flash(pname, data, sz);
Click to expand...
Click to collapse
From your post it sounds like you're using mkbootimg to create the boot image so you have what you need anyway (as long as you call mkbootimg with all the parameters corresponding to the boot header info from the boot image you extracted --- base offset, kernel offset, ramdisk offset, page offset, kernel command line , etc).
I've just added this guide to the Nexus 4 Complete Index
Sent from my GT-I9100 using xda premium
KidCarter93 said:
I've just added this guide to the Nexus 4 Complete Index
Sent from my GT-I9100 using xda premium
Click to expand...
Click to collapse
awesome! my post got into the index. I am so excited.:cyclops:
Thanks- although cdesai already made one
cdesai's thread here
yduck said:
great suggestion. I just figured this out yesterday. as you said, fastboot boot does not work with just the zImage. it needs a boot.img.
so I created a newboot.img by packing my zImage and the ramdisk extracted from google's stock boot.img, and the newboot.img boots!
the command "fastboot flash:raw <kernel> <ramdisk>" seems simple to use. does it have an equivalent "fastboot boot: raw <kernel> <ramdisk"? so I don't need to worry about breaking my phone.
Click to expand...
Click to collapse
I wonder if this is the correct way of making boot.img. I heard kernel image and ramdisk are related, if you modify and recompile the kernel and pack it with an old ramdisk, it may not boot. Is it true? what's the standard way of making boot.img? Is there a method to make our own ramdisk, instead of extracting it from google's stock boot.img?
yduck said:
setup environment variables and build
cd ~/android/kernel/kernel_msm
export ARCH=arm
export SUBARCH=arm
export CROSS_COMPILE=arm-linux-androideabi-
make mako_defconfig
make -j4
Click to expand...
Click to collapse
Based in part on this documentation, I have created a HOWTO on building the system.img and boot.img files (for fastboot) with a single "make" call. Checkout: http://nosemaj.org/howto-build-android-nexus-4 .
Hi, I have two strange problems when trying to compile the mako kernel source. My setup:
Ubuntu 10.04, 64-bit (succesfully compiled a GB kernel for another device with this setup, using Google gcc 4.4.3 and Linaro gcc 4.6.2)
Kernel source from https://android.googlesource.com/kernel/msm, HEAD @ 7ce11cd - this is the android-msm-mako-3.4-jb-mr1.1 branch, wich should be identical to the kernel shipped with 4.2.2
Google gcc 4.6.x from https://android.googlesource.com/platform/prebuilts/gcc/linux-x86/arm/arm-linux-androideabi-4.6, also jb-mr1.1-release
No changes to the source, yet
There are two problems when compiling. First, there is this error
Code:
error: the frame size of XXXX bytes is larger than 1024 bytes
which is caused by 'CONFIG_FRAME_WARN=1024'. This value is not set in mako_defconfig, but seems to be the default for gcc 4.6 and is written to the .config when running make mako_defconfig. I am able to bypass this by setting 'CONFIG_FRAME_WARN=2048', but question is: Why do I need to? The stock kernel on my device running 4.2.2 has been compiled with 'CONFIG_FRAME_WARN=1024'.
The second problem are warnings of the type
Code:
warning: unwinding may not work because EXIDX input section XX of arch/arm/.../YYY.o is not in EXIDX output section
These can be suppressed by setting '# CONFIG_ARM_UNWIND is not set' and adding 'CONFIG_FRAME_POINTER=y'. But again, the stock kernel is compiled with 'CONFIG_ARM_UNWIND=y' and obviously, the Google guys didn't have this problem. What's wrong with my setup?
add “export PATH=$PATH:~/android/toolchain/arm-linux-androideabi-4.6/bin” to ~/.profile and run source ~/.profile
I can't figure out why but I keep getting a no command 'add' found
Sent From My Paranoid Nexus
atomilluminati said:
add “export PATH=$PATH:~/android/toolchain/arm-linux-androideabi-4.6/bin” to ~/.profile and run source ~/.profile
I can't figure out why but I keep getting a no command 'add' found
Sent From My Paranoid Nexus
Click to expand...
Click to collapse
Thanks for the response. The path to the compiler is defined in my kernel build script. Do I have to change it in my .profile, too?
XDA_Bam said:
Thanks for the response. The path to the compiler is defined in my kernel build script. Do I have to change it in my .profile, too?
Click to expand...
Click to collapse
Actually this was supposed to be a question...my bad... I keep getting to that line in the OP's instructions and can't get past it
Sent From My Paranoid Nexus
atomilluminati said:
Actually this was supposed to be a question...my bad... I keep getting to that line in the OP's instructions and can't get past it
Sent From My Paranoid Nexus
Click to expand...
Click to collapse
Hehe Okay, the answer is that you have to open the ~/.profile and manually add in a text editor the line given in the OP. The file should be in your profile folder (/home/your_user_name/). After this, save, close and run
Code:
source ~/.profile
in the terminal. That should do it, as far as I understood.
If you interested in extracting the kernel image from the Samsung Galaxy S5 ROM, you should follow the following steps.
This is was tested with the G900VVRU1ANCG_G900VVZW1ANCG_VZW stock ROM firmware.
The first is extracting the files from the ROM firmware file, this is explained in many places and won't be covered here.
Extract the boot.img to some directory, using the Android unpackbootimg utility:
Code:
unpackbootimg -i boot.img -o boot/
After extracting the boot.img file you will usually end up with the following file list:
Code:
boot.img-base
boot.img-cmdline
boot.img-pagesize
boot.img-ramdisk.gz <- this includes the root (/) files, like init*.rc and SELinux policy files
boot.img-zImage <- compressed image of the Android Linux kernel
Next step will be extracting the compressed kernel image from the zImage file. The Android kernel is a self-extracting compressed file, while different devices use different compression methods. While looking at the file contents using hex editor, you can see the decompression code at the beginning, and then at some point the compressed data begins. The compressed image begins where you find the LZO magic header.
Code:
static const unsigned char lzop_magic[9] = {
0x89, 0x4c, 0x5a, 0x4f, 0x00, 0x0d, 0x0a, 0x1a, 0x0a
};
Save the data from the LZO magic header to the end of the file with the zImage.kernel file name.
This firmware and kernel are using LZO compression, and there is an easy to use utility called lzop that is used for the decompression of the file. Just run the following command to decompress the kernel from the zImage.kernel file:
Code:
lzop -d -c zImage.kernel > zImage.kernel.decompressed
And now you have the decompressed kernel for the device ready for exploration, which is also attached to this post.
Note:
I've tried using different scripts that do the job, including galaxys2_kernel_repack and http://forum.xda-developers.com/showthread.php?t=901152 but both failed while extracting the kernel image, although were able to extract the begin position for the LZO compression header.
But it does trip KNOX after flashing, doesn't it?
roman.blachman said:
If you interested in extracting the kernel image from the Samsung Galaxy S5 ROM, you should follow the following steps.
This is was tested with the G900VVRU1ANCG_G900VVZW1ANCG_VZW stock ROM firmware.
The first is extracting the files from the ROM firmware file, this is explained in many places and won't be covered here.
Extract the boot.img to some directory, using the Android unpackbootimg utility:
Code:
unpackbootimg -i boot.img -o boot/
After extracting the boot.img file you will usually end up with the following file list:
Code:
boot.img-base
boot.img-cmdline
boot.img-pagesize
boot.img-ramdisk.gz <- this includes the root (/) files, like init*.rc and SELinux policy files
boot.img-zImage <- compressed image of the Android Linux kernel
Next step will be extracting the compressed kernel image from the zImage file. The Android kernel is a self-extracting compressed file, while different devices use different compression methods. While looking at the file contents using hex editor, you can see the decompression code at the beginning, and then at some point the compressed data begins. The compressed image begins where you find the LZO magic header.
Code:
static const unsigned char lzop_magic[9] = {
0x89, 0x4c, 0x5a, 0x4f, 0x00, 0x0d, 0x0a, 0x1a, 0x0a
};
Save the data from the LZO magic header to the end of the file with the zImage.kernel file name.
This firmware and kernel are using LZO compression, and there is an easy to use utility called lzop that is used for the decompression of the file. Just run the following command to decompress the kernel from the zImage.kernel file:
Code:
lzop -d -c zImage.kernel > zImage.kernel.decompressed
And now you have the decompressed kernel for the device ready for exploration, which is also attached to this post.
Note:
I've tried using different scripts that do the job, including galaxys2_kernel_repack and http://forum.xda-developers.com/showthread.php?t=901152 but both failed while extracting the kernel image, although were able to extract the begin position for the LZO compression header.
Click to expand...
Click to collapse
I tried that and was given a warning of trailing bytes by `lzop`. Later when i do a `file` command on the resulting uncompressed file, it is not a vmlinux ELF image, rather it is a data file. How are we able to repack this image back into zImage? Any advise is appreciated thanks.
What i do if i have boot.img-kernel and boot.img-kernel_offset?
DGKG said:
What i do if i have boot.img-kernel and boot.img-kernel_offset?
Click to expand...
Click to collapse
The boot.img-kernel is your zimage file
What Source you used for Unpack?
Can you share link for you Scripts? or can you provide link to scripts for unpacking and repacking Note 9 Exynos Kernel?
Thanks
Hi all,
I am trying to get an insecure kernel for Nexus 6, marshmallow 6.0, and I stuck at a bootloop.
The AOSP tag android-6.0.0_r1 builds without any errors. Then I flash the produced insecure boot image on a nexus 6, which had the latest 6.0 factory images.
Has anyone managed to do this procedure?
Btw, I am compiling the AOSP sources, and not the kernel sources.
In AOSP, I think, the kernel/zImage is precompiled, and the aosp build system bundles it into a boot image.
So, if someone has managed to build a working insecure boot.img from any marshmallow branch please let me know.
Or has done the same thing from kernels sources, also let me know.
EDIT:
How to compile an insecure kernel:
0. This will use the precompiled kernel found in aosp sources.
So we are not actually compiling. But this title might help some folks googling the topic.
2. modify device/<maker>/<codename>/fstab.<codename>/, and remove verify tag from system
3. make -jN bootimage
Alternatively, you can follow the procedure by ziddey, and removing the verify tag from fstab.shamu, allows the kernel to be booted!
NOTE: insecure kernel is not permissive.
How to compile a permissive kernel:
0. Now we will actually compile the kernel.
1. Download the kernel sources, and checkout the branch you want. Do these modifications.
Finally compile the kernel. (There are many tutorials for kernel compilation online)
2. copy the kernel (arch/arm/boot/zImage-dtb) to your aosp_dir/device/<maker>/<codename>-kernel/
3. Disable verification (as w/ insecure kernel)
4. make -j8 bootimage
How to compile an insecure and permissive kernel:
Not sure about this. I 'd play with configurations in aosp_dir/device/<maker>/<codename>,
or maybe try an eng build. If anyone knows just post it!
I have tried these with the kernel branch "android-msm-shamu-3.10-marshmallow-mr1",
and the aosp tag "android-6.0.1_r21".
I have also tried to unpack and repack the boot.img using unpackbootimg and mkbootimg from https://github.com/osm0sis/mkbootimg.
I have extracted ramdisk, edited the default prob, repacked ramdisk, and packed using:
Code:
mkbootimg --kernel su_boot.img-zImage --ramdisk su_boot.img-ramdisk.gz --cmdline 'console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=shamu msm_rtb.filter=0x37 ehci-hcd.park=3 utags.blkdev=/dev/block/platform/msm_sdcc.1/by-name/utags utags.backup=/dev/block/platform/msm_sdcc.1/by-name/utagsBackup coherent_pool=8M' --base 00000000 --pagesize 2048 --kernel_offset 00008000 --ramdisk_offset 02000000 --tags_offset 01e00000 --board "" -o ins_su_boot.img
Have I missed anything?
*EDIT* also tried w/ 'abootimg'. Still no luck.
Screwing around with random files found on the internet is not going to solve your problem. Use the program from *AOSP*. And make sure your parameters match (I'm not going to verify them for you). Bootloops are always cute, what did you change? Typically running make bootimg should make you a good bootimg from AOSP sources.
Well, turns out that in this case, that assumption is not correct.
The first issue is that the verity keys are not present in a custom built boot.img. At least not ones without also involving an entire system build (not that they would match the system partition that you already have).
So to solve that, edit the fstab file in the shamu device tree to remove the verify parameter from the system partition. Once that is done, it should no longer randomly reboot.
UNFORTUNATELY, that may not be enough to make the whole thing work properly still, since there appears to be some other differences between the AOSP userdebug's boot.img and the google user build. You will be able to adb in, but the android subsystem won't run.
These utilities I have used were the ones that have been successfully used to pack/unpack boot images by others. I have also done this successfully in the past, for another device running earlier versions.
Yeap. That's the problem. A kernel build from AOSP sources does not work out of the box with the rest of the system, if it is a production build. This used to work for Lollipop, but I guess they tighten security up.
Building zImage from kernel sources is still not a solution for me, as I can't properly pack/unpack a Marshmallow boot.img
The problem might be something very stupid, OS specific, and I don't want to waste any more time on this.
For now I will live with SuperSu and adbd insecure.
Maybe at some point I might try to remove the verification to see whether the rest of the stuff play nicely.
Thanks for your time!
[edit]
Answer is root. http://forum.xda-developers.com/showpost.php?p=64110288&postcount=1283
[/edit]
I spent a while tonight trying to figure this out as well. Simply dumping boot.img and recreating it works fine. But something goes wrong when unpacking/repacking the ramdisk. Stripping bootsize from bootimg.cfg so abootimg recalculates it doesn't help.
1. I did find that mkboot "works": https://github.com/ModdingMyMind/mkbootimg_tools
Simply run `mkboot boot.img boot` to dump to dir boot. Make changes to ramdisk, and then run `mkboot boot newboot.img` to create a new image. However, for whatever reason, this causes at least one issue for me. The sbin dir, despite being 755 in the ramdisk is 750 again in Android. Not sure what's going on here since I can redump newboot.img and confirm that sbin is 755.
2. I looked at seSuperuser/super-bootimg and found https://github.com/seSuperuser/super-bootimg/blob/master/scripts/bootimg.sh
The relevant part is in doneBootImgEdit(). Looking at the comments, Husson found that appending the changes to the inflated ramdisk cpio and then deflating it works. I just tested this and indeed it does work.
Husson only appends new/changed files; as a test, I tried appending the entire new ramdisk onto the old one, and sure enough, it bugs out again. Will have to investigate why this happening later, but for now, this is good enough.
As well, abootimg also comes with the tools abootimg-pack-initrd and aboot-unpack-initrd, which takes care of gzip/cpio. Of course, since the packing part doesn't work, we can't use it.
So, here's an example. Say you want to change fstab.shamu (to remove /system verification and/or /data forced encryption):
Code:
# extract boot.img
abootimg -x boot.img
# unpack the extracted initrd.img to ramdisk dir
abootimg-unpack-initrd
cd ramdisk
# make your changes to ramdisk/fstab.shamu here....
echo fstab.shamu | cpio -o -H newc > ../initrd2
cd ..
# inflate initrd.img
cp initrd.img initrd.gz
gunzip initrd.gz
# append and create new initrd.img
cat initrd initrd2 |gzip -9 -c > newinitrd.img
# strip bootsize from bootimg.cfg
sed 1d bootimg.cfg > newbootimg.cfg
# create new boot.img
abootimg --create newboot.img -f newbootimg.cfg -k zImage -r newinitrd.img
newboot.img should be a working boot image. If modifying multiple files, it may be easiest to create a different dir with those files and use find . |cpio -o -H newc > ../initrd2
Hope this helps. And if anyone can explain why this is necessary / how to recreate initrd from scratch, I can continue being lazy.
Thanks @phhusson
[edit]
Damn. I tried applying a different init file and it ate ****.
[/edit]
ziddey said:
I spent a while tonight trying to figure this out as well. Simply dumping boot.img and recreating it works fine. But something goes wrong when unpacking/repacking the ramdisk. Stripping bootsize from bootimg.cfg so abootimg recalculates it doesn't help.
1. I did find that mkboot "works": https://github.com/ModdingMyMind/mkbootimg_tools
Simply run `mkboot boot.img boot` to dump to dir boot. Make changes to ramdisk, and then run `mkboot boot newboot.img` to create a new image. However, for whatever reason, this causes at least one issue for me. The sbin dir, despite being 755 in the ramdisk is 750 again in Android. Not sure what's going on here since I can redump newboot.img and confirm that sbin is 755.
2. I looked at seSuperuser/super-bootimg and found https://github.com/seSuperuser/super-bootimg/blob/master/scripts/bootimg.sh
The relevant part is in doneBootImgEdit(). Looking at the comments, Husson found that appending the changes to the inflated ramdisk cpio and then deflating it works. I just tested this and indeed it does work.
Husson only appends new/changed files; as a test, I tried appending the entire new ramdisk onto the old one, and sure enough, it bugs out again. Will have to investigate why this happening later, but for now, this is good enough.
As well, abootimg also comes with the tools abootimg-pack-initrd and aboot-unpack-initrd, which takes care of gzip/cpio. Of course, since the packing part doesn't work, we can't use it.
So, here's an example. Say you want to change fstab.shamu (to remove /system verification and/or /data forced encryption):
Code:
# extract boot.img
abootimg -x boot.img
# unpack the extracted initrd.img to ramdisk dir
abootimg-unpack-initrd
cd ramdisk
# make your changes to ramdisk/fstab.shamu here....
echo fstab.shamu | cpio -o -H newc > ../initrd2
cd ..
# inflate initrd.img
cp initrd.img initrd.gz
gunzip initrd.gz
# append and create new initrd.img
cat initrd initrd2 |gzip -9 -c > newinitrd.img
# strip bootsize from bootimg.cfg
sed 1d bootimg.cfg > newbootimg.cfg
# create new boot.img
abootimg --create newboot.img -f newbootimg.cfg -k zImage -r newinitrd.img
newboot.img should be a working boot image. If modifying multiple files, it may be easiest to create a different dir with those files and use find . |cpio -o -H newc > ../initrd2
Hope this helps. And if anyone can explain why this is necessary / how to recreate initrd from scratch, I can continue being lazy.
Thanks @phhusson
[edit]
Damn. I tried applying a different init file and it ate ****.
[/edit]
Click to expand...
Click to collapse
My guess, and the reason why I tried appending without further thinking, is that the new initramfs files contains SELinux labels, which standard GNU/Linux cpio tool doesn't support.
One would have to investigate the changes in mkbootfs done recently.
Also, I guess mkboot is using Android's mkbootfs, which forces the permissions by itself I think.
Though the fact that extracting back give the result you expected is weird.
In super-bootimg I chose to change init.rc to chmod /sbin
Wow. http://forum.xda-developers.com/showpost.php?p=64110288&postcount=1283
Just tested and sure enough, everything is working.
Thanks @shoey63
Hopefully a final update:
The difference is in ownership. Unpacking (cpio -i) as a regular user will not preserve the ownership. However, repacking (cpio -o) does.
To repack, add -R 0.0 to cpio (i.e. --owner root.root).
e.g.
Code:
find . |cpio -o -H newc -R 0.0 | gzip -9 > ../newinitrd.img
I just tested and this works just fine without being root.
ziddey said:
Hopefully a final update:
The difference is in ownership. Unpacking (cpio -i) as a regular user will not preserve the ownership. However, repacking (cpio -o) does.
To repack, add -R 0.0 to cpio (i.e. --owner root.root).
e.g.
Code:
find . |cpio -o -H newc -R 0.0 | gzip -9 > ../newinitrd.img
I just tested and this works just fine without being root.
Click to expand...
Click to collapse
Erf that's weird, I'm pretty sure I always ran the script as root...
Anyway, thanks for the info! I'll probably update my scripts with it
I just wanted to post that using root to extract the cpio file fixed the boot failure for me on my Nexus 9 with 6.0.1. You also need to use root to find the files and create the cpio file because some files are only accessible by root of course. I guess that should have been obvious (usually needed for /dev nodes) as @phhusson said, but this time I didn't do that until reading here.
To unpack the boot.img file I used: https://github.com/osm0sis/mkbootimg.git
To pack the boot.img file I used: https://android.googlesource.com/platform/system/core/+/master/mkbootimg
I'm not sure you need the official google packer, but I just happened to use when it worked.
EDIT: I needed to update boot.img and I tried it using the osm0sis packer and it worked.
Hey guys. Thanks for the replies!
I needed a permissive kernel this time, and I have played around with the sources and your recommendations and got it working. :good:
The post by ziddey might be the easiest way to make any kernel bootable, by disabling the verification from fstab.
(and uses just one packing/unpacking tool)
You can do the same thing from sources, again by modifying the fstab on aosp.
You can build an insecure kernel by using the pre-built kernel (is aosp),
or compile and then pack a permissive one.
This procedure wasn't working for me back then when I tried it (hence this thread). I am not sure if it was my fault or the initial marshmallow release had differences from the sources. More info on the first post.