【日常记录】解包android boot.img,vendor_boot.img和vendor_boot-debug.img
查看文件类型:
$ file vendor_boot.img vendor_boot.img: data $ file vendor_boot-debug.img vendor_boot-debug.img: data
unpack_bootimg用法:
$ ./unpack_bootimg -h usage: unpack_bootimg [-h] --boot_img BOOT_IMG [--out OUT] [--format {info,mkbootimg}] [-0] Unpacks boot, recovery or vendor_boot image. options: -h, --help show this help message and exit --boot_img BOOT_IMG path to the boot, recovery or vendor_boot image --out OUT output directory of the unpacked images --format {info,mkbootimg} text output format (default: info) -0, --null output null-terminated argument strings Output format: * info Pretty-printed info-rich text format suitable for human inspection. * mkbootimg Output shell-escaped (quoted) argument strings that can be used to reconstruct the boot image. For example: $ unpack_bootimg --boot_img vendor_boot.img --out out --format=mkbootimg | tee mkbootimg_args $ sh -c "mkbootimg $(cat mkbootimg_args) --vendor_boot repacked.img" vendor_boot.img and repacked.img would be equivalent. If the -0 option is specified, output unescaped null-terminated argument strings that are suitable to be parsed by a shell script (xargs -0 format): $ unpack_bootimg --boot_img vendor_boot.img --out out --format=mkbootimg \ -0 | tee mkbootimg_args $ declare -a MKBOOTIMG_ARGS=() $ while IFS= read -r -d '' ARG; do MKBOOTIMG_ARGS+=("${ARG}") done <mkbootimg_args $ mkbootimg "${MKBOOTIMG_ARGS[@]}" --vendor_boot repacked.img
unpack vendor_boot.img
bin$ ./unpack_bootimg --boot_img ../vendor_boot.img --out ../vendor_boot boot magic: VNDRBOOT vendor boot image header version: 4 page size: 0x00001000 kernel load address: 0x00008000 ramdisk load address: 0x01000000 vendor ramdisk total size: 8479036 vendor command line args: video=vfb:640x400,bpp=32,memsize=3072000 bootconfig buildvariant=userdebug kernel tags load address: 0x00000100 product name: vendor boot image header size: 2128 dtb size: 3046854 dtb address: 0x0000000001f00000 vendor ramdisk table size: 108 vendor ramdisk table: [ vendor_ramdisk00: { size: 8479036 offset: 0 type: 0x1 name: board_id: [ 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, ] } ] vendor bootconfig size: 124
unpack之后vendor_boot目录:
vendor_boot$ ls
bootconfig dtb vendor-ramdisk-by-name vendor_ramdisk vendor_ramdisk00
vendor_boot$ file * bootconfig: ASCII text dtb: Device Tree Blob version 17, size=224217, boot CPU=0, string block size=21729, DT structure block size=202432 vendor-ramdisk-by-name: directory vendor_ramdisk: LZ4 compressed data (v0.1-v0.9) vendor_ramdisk00: LZ4 compressed data (v0.1-v0.9)
vendor_boot$ ll total 19560 drwxr-xr-x 3 4096 Nov 7 09:07 ./ drwxr-xr-x 5 4096 Nov 7 09:07 ../ -rw-r--r-- 1 124 Nov 7 09:07 bootconfig -rw-r--r-- 1 3046854 Nov 7 09:07 dtb drwxr-xr-x 2 4096 Nov 7 09:07 vendor-ramdisk-by-name/ -rw-r--r-- 1 8479036 Nov 7 09:07 vendor_ramdisk -rw-r--r-- 1 8479036 Nov 7 09:07 vendor_ramdisk00
LZ4解压缩vendor_ramdisk(LZ4 compressed data):
lz4解压缩命令:
lz4 -d file.lz4 output_file
实际使用命令:
vendor_boot$ lz4 -d vendor_ramdisk vendor_ramdisk.cpio vendor_ramdisk : decoded 28476928 bytes
vendor_boot$ ll total 47220 drwxr-xr-x 3 4096 Nov 7 09:22 ./ drwxr-xr-x 6 4096 Nov 7 09:18 ../ -rw-r--r-- 1 124 Nov 7 09:07 bootconfig -rw-r--r-- 1 3046854 Nov 7 09:07 dtb drwxr-xr-x 2 4096 Nov 7 09:07 vendor-ramdisk-by-name/ -rw-r--r-- 1 8479036 Nov 7 09:07 vendor_ramdisk -rw-r--r-- 1 28476928 Nov 7 09:07 vendor_ramdisk.cpio -rw-r--r-- 1 8479036 Nov 7 09:07 vendor_ramdisk00
解压vendor_ramdisk.cpio:
vendor_boot$ mkdir vendor_boot_out vendor_boot$ cd vendor_boot_out/ vendor_boot_out$ cpio -idmv < ../vendor_ramdisk.cpio first_stage_ramdisk first_stage_ramdisk/fstab.default first_stage_ramdisk/fstab.emmc lib lib/modules lib/modules/altmode-glink.ko lib/modules/arm_smmu.ko //......... lib/modules/usb_f_ccid.ko lib/modules/usb_f_cdev.ko lib/modules/usb_f_diag.ko lib/modules/usb_f_gsi.ko lib/modules/usb_f_qdss.ko lib/modules/usbpd.ko 55619 blocks
vendor_boot_out$ tree . ├── first_stage_ramdisk │ ├── fstab.default │ └── fstab.emmc └── lib └── modules ├── altmode-glink.ko ├── arm_smmu.ko ├── atomic64_test.ko ├── bam_dma.ko ├── bcl_pmic5.ko ├── bcl_soc.ko ├── boot_stats.ko |//..............................
同样方法unpack vendor_boot-debug.img:
vendor_boot-debug-out$ tree . ├── adb_debug.prop ├── first_stage_ramdisk │ ├── fstab.default │ └── fstab.emmc ├── force_debuggable ├── lib │ └── modules │ ├── altmode-glink.ko │ ├── arm_smmu.ko │ ├── atomic64_test.ko │ ├── bam_dma.ko │ ├── bcl_pmic5.ko │ ├── bcl_soc.ko //......................................... │ ├── usb_f_ccid.ko │ ├── usb_f_cdev.ko │ ├── usb_f_diag.ko │ ├── usb_f_gsi.ko │ ├── usb_f_qdss.ko │ └── usbpd.ko └── userdebug_plat_sepolicy.cil 3 directories, 252 files
其他:
WSL中安装lz4失败及解决:
没有lz4:
vendor_boot$ lz
lzcat lzdiff lzfgrep lzless lzmainfo
lzcmp lzegrep lzgrep lzma lzmore
install error:
vendor_boot$ sudo apt-get install lz4 Reading package lists... Done Building dependency tree Reading state information... Done Package lz4 is not available, but is referred to by another package. This may mean that the package is missing, has been obsoleted, or is only available from another source E: Package 'lz4' has no installation candidate
下载源码并编译安装:
源码地址:https://github.com/lz4/lz4
编译并安装:
lz4-dev$ make compiling static library compiling dynamic library 1.10.0 creating versioned links creating pkgconfig ==> building with multithreading support lz4 build completed
lz4-dev$ sudo make install Installing libraries in /usr/local/lib Installing headers in /usr/local/include lz4 libraries installed Installing binaries in /usr/local/bin Installing man pages in /usr/local/share/man/man1 lz4 installation completed
vendor_boot$ lz
lz4 lz4cat lzcmp lzegrep lzgrep lzma lzmore
lz4c lzcat lzdiff lzfgrep lzless lzmainfo
关于unpack_bootimg:
来自于高通代码的out目录:out/target/product/device_name/obj/PACKAGING/otatools_intermediates/otatools/bin
out/target/product/device_name/obj/PACKAGING/otatools_intermediates/otatools/bin$ ls aapt2 bsdiff debugfs_static generate_gki_certificate make_f2fs_casefold mksquashfsimage.sh signapk verity_signer add_img_to_target_files build_image defrag.f2fs generate_verity_key merge_target_files mkuserimg_mke2fs sign_target_files_apks verity_verifier apex_compression_tool build_super_image delta_generator host_init_verifier merge_zips ota_extractor sign_virt_apex zip2zip apexer build_verity_metadata dump.f2fs img2simg minigzip ota_from_target_files simg2img zipalign apksigner build_verity_tree e2fsck imgdiff mkbootfs repack_bootimg sload_f2fs zucchini append2simg care_map_generator e2fsdroid img_from_target_files mkbootimg resize2fs soong_zip avbtool check_ota_package_signature fc_sort lib mke2fs resize.f2fs toybox blk_alloc_to_base_fs check_target_files_signatures fec lpmake mke2fs.conf secilc tune2fs boot_signer check_target_files_vintf fsck.erofs lpunpack mkf2fsuserimg.sh sefcontext_compile unpack_bootimg brillo_update_payload checkvintf fsck.f2fs lz4 mkfs.erofs sgdisk update_host_simulator brotli deapexer fs_config make_f2fs mksquashfs sign_apex validate_target_files
实际上这里也有:out/host/linux-x86/bin/unpack_bootimg
out/host/linux-x86/bin$ ./unpack_bootimg -h usage: unpack_bootimg [-h] --boot_img BOOT_IMG [--out OUT] [--format {info,mkbootimg}] [-0] Unpacks boot, recovery or vendor_boot image. options: -h, --help show this help message and exit --boot_img BOOT_IMG path to the boot, recovery or vendor_boot image --out OUT output directory of the unpacked images --format {info,mkbootimg} text output format (default: info) -0, --null output null-terminated argument strings Output format: * info Pretty-printed info-rich text format suitable for human inspection. * mkbootimg Output shell-escaped (quoted) argument strings that can be used to reconstruct the boot image. For example: $ unpack_bootimg --boot_img vendor_boot.img --out out --format=mkbootimg | tee mkbootimg_args $ sh -c "mkbootimg $(cat mkbootimg_args) --vendor_boot repacked.img" vendor_boot.img and repacked.img would be equivalent. If the -0 option is specified, output unescaped null-terminated argument strings that are suitable to be parsed by a shell script (xargs -0 format): $ unpack_bootimg --boot_img vendor_boot.img --out out --format=mkbootimg \ -0 | tee mkbootimg_args $ declare -a MKBOOTIMG_ARGS=() $ while IFS= read -r -d '' ARG; do MKBOOTIMG_ARGS+=("${ARG}") done <mkbootimg_args $ mkbootimg "${MKBOOTIMG_ARGS[@]}" --vendor_boot repacked.img
编译log:
行 61608: [ 61% 49653/81155] //system/tools/mkbootimg:unpack_bootimg python library archive [linux_glibc] 行 61639: [ 61% 49684/81155] //system/tools/mkbootimg:unpack_bootimg embedded python archive [linux_glibc] 行 61658: [ 61% 49703/81155] host Prebuilt: unpack_bootimg (out/host/linux-x86/obj/EXECUTABLES/unpack_bootimg_intermediates/unpack_bootimg) 行 61658: [ 61% 49703/81155] host Prebuilt: unpack_bootimg (out/host/linux-x86/obj/EXECUTABLES/unpack_bootimg_intermediates/unpack_bootimg) 行 61658: [ 61% 49703/81155] host Prebuilt: unpack_bootimg (out/host/linux-x86/obj/EXECUTABLES/unpack_bootimg_intermediates/unpack_bootimg) 行 61673: [ 61% 49718/81155] Install out/host/linux-x86/bin/unpack_bootimg
代码看这里:https://cs.android.com/
system/tools/mkbootimg$ python unpack_bootimg.py -h usage: unpack_bootimg.py [-h] --boot_img BOOT_IMG [--out OUT] Unpacks boot.img/recovery.img, extracts the kernel,ramdisk, second bootloader, recovery dtbo and dtb optional arguments: -h, --help show this help message and exit --boot_img BOOT_IMG path to boot image --out OUT path to out binaries
system/tools/mkbootimg$ python unpack_bootimg.py --boot_img ~/xxx/android/out/target/product/xxxx/boot.img --out ~/tmp/android-unpack/ttttt boot_magic: ANDROID! kernel_size: 17925921 ramdisk size: 11010967 os version: 11.0.0 os patch level: 2024-01 boot image header version: 3 command line args:
tmp/android-unpack/ttttt$ file * kernel: gzip compressed data, max compression, from Unix ramdisk: LZ4 compressed data (v0.1-v0.9)
本次实验目录介绍:
unpack$ tree -L 1 . ├── bin //unpack_bootimg所在目录 ├── gki ├── lz4-dev //lz4源码包 ├── lz4-dev.zip ├── lz4-dev.zip:Zone.Identifier ├── vendor_boot //unpack_bootimg vendor_boot.img的out目录,lz4及解包后的cpio以及最终目录都放在此处 ├── vendor_boot-debug //同上,vendor_boot-debug.img的解包中间文件及结果 ├── vendor_boot-debug.img //看名字 └── vendor_boot.img //看名字 5 directories, 4 files
浙公网安备 33010602011771号