Problem unpack kernel pxa1908 (Android Image Kitchen) - General Questions and Answers

Hello,
I own a Samsung Xcover 3 (SM-G388F, Android Lollipop) and out of curiosity I have started to take an interest in the Android system. I downloaded the ROM and got the file boot.img from it; I am trying to get the file Image.gz (kernel) with Android Image Kitchen.
Code:
./unpackimg.sh boot.img
I get:
Code:
Android Image Kitchen - UnpackImg Script
by osm0sis @ xda-developers
Supplied image: boot.img
Setting up work folders...
Image type: AOSP-PXA
Footer with "SEAndroid" type detected.
Splitting image to "split_img/"...
BOARD_KERNEL_CMDLINE
BOARD_KERNEL_BASE 0x10000000
BOARD_NAME
BOARD_PAGE_SIZE 2048
BOARD_KERNEL_OFFSET 0x00008000
BOARD_RAMDISK_OFFSET 0x01000000
BOARD_SECOND_OFFSET 0x00f00000
BOARD_TAGS_OFFSET 0x00000100
BOARD_DT_SIZE 475136
BOARD_UNKNOWN 0x03000000
Unpacking ramdisk (as root) to "ramdisk/"...
Compression used: gzip
4739 blocs
Done!
I get the file boot.img-kernel, and I use dumpimage:
Code:
./dumpimage -i boot.img-kernel -p 0 Image.gz
The return is:
Code:
./dumpimage: invalid option -- 'i'
Usage: ./dumpimage -l image
-l ==> list image header information
./dumpimage [-T type] [-p position] [-o outfile] image
-T ==> declare image type as 'type'
-p ==> 'position' (starting at 0) of the component to extract from image
-o ==> extract component to file 'outfile'
./dumpimage -h ==> print usage information and exit
./dumpimage -V ==> print version information and exit
I try the command:
Code:
./dumpimage -T boot.img-kernel -p 0 Image.gz
I get:
Code:
./dumpimage: Invalid type
I no longer see what to do, here is the boot.img
If anyone has an idea I’m interested
Thanks
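Added example, not part of the original post: a quick check of what a kernel blob such as boot.img-kernel actually contains before choosing an extraction tool, since dumpimage works on U-Boot image formats. The magic values are the standard gzip, U-Boot legacy, ARM zImage and arm64 Image ones; the function names are illustrative and the sample blob is constructed.

```python
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # gzip member using deflate
UIMAGE_MAGIC = 0x27051956      # U-Boot legacy header, big-endian at offset 0
ZIMAGE_MAGIC = 0x016F2818      # ARM zImage, little-endian at offset 0x24
ARM64_MAGIC = b"ARM\x64"       # arm64 Image, at offset 0x38


def identify(blob):
    """Label the container format found at the start of a kernel blob."""
    if blob[:3] == GZIP_MAGIC:
        return "gzip"
    if len(blob) >= 4 and struct.unpack(">I", blob[:4])[0] == UIMAGE_MAGIC:
        return "uimage"
    if len(blob) >= 0x28 and struct.unpack("<I", blob[0x24:0x28])[0] == ZIMAGE_MAGIC:
        return "arm-zimage"
    if blob[0x38:0x3C] == ARM64_MAGIC:
        return "arm64-image"
    return "unknown"


def carve_gzip(blob):
    """Yield (offset, data) for every embedded gzip member that fully inflates."""
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        inflater = zlib.decompressobj(wbits=31)   # 31 = gzip framing
        try:
            data = inflater.decompress(blob[pos:])
            if inflater.eof:                      # complete member, not a stray magic
                yield pos, data
        except zlib.error:
            pass                                  # false positive, keep scanning
        pos = blob.find(GZIP_MAGIC, pos + 1)


# Constructed sample: padding, a decoy magic with invalid flags, a real gzip
# member at offset 64, then trailing padding.
PAYLOAD = b"constructed kernel payload\n" * 64
SAMPLE = (b"\x00" * 16 + GZIP_MAGIC + b"\xff" + b"\x00" * 44
          + gzip.compress(PAYLOAD) + b"\x00" * 32)

if __name__ == "__main__":
    print(identify(SAMPLE))
    for offset, data in carve_gzip(SAMPLE):
        print("gzip member at 0x%x, %d bytes inflated" % (offset, len(data)))
```

To run it on a real file, pass `open("boot.img-kernel", "rb").read()` to both functions and write the first carved result out if one is found.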

Related

[9001] Kernel - Extracting initrd.img from zImage and package again

Disclaimer: Do only use this information if you know what you're doing!
PATH=$PATH:/home/markus/android/sdk/platform-tools
Get kernel from phone:
adb shell
su
dd if=/dev/block/mmcblk0p8 of=/sdcard/external_sd/stockboot.img
Exit adb shell
adb pull /sdcard/external_sd/stockboot.img
Separate the zImage from the ramdisk (see below for abootimg):
abootimg -x stockboot.img
unpacks the archive and copies contents to working directory:
gunzip -c initrd.img | cpio -i
Do your edits, e.g. default.prop, add:
debug.performance.tuning=1
video.accelerate.hw=1
windowsmgr.max_events_per_sec=150
--> move all files to new folder, cd into this folder:
repacks files from working directory into an archive (MAKE SURE NO OTHER FILES ARE IN THE WORKING DIRECTORY!!)
find . | cpio -o -H newc | gzip > ../myinitrd.img
New boot.img:
./mkbootimg --kernel zImage --ramdisk myinitrd.img --cmdline "console=null androidboot.hardware=qcom androidboot.emmc=true hw=6" -o myBuiltBoot.img --base 0x00400000 --pagesize 4096
You can also use abootimg to create your new .img file, it has an easier syntax as it exports the commandline to a .cfg file and you can use that while creating the package.
Push your new kernel.img to the phone:
adb push myBuiltBoot.img /sdcard/external_sd/myBuiltBoot.img
Write kernel to kernel-partition in phone:
adb shell
su
dd if=/sdcard/external_sd/myBuiltBoot.img of=/dev/block/mmcblk0p8
adb reboot
< pray >
Sources:
http://forums.androidcentral.com/lg...ense-back-up-your-phone-without-nandroid.html
http://forum.xda-developers.com/showthread.php?t=1227269
http://forum.xda-developers.com/showthread.php?t=1292557
Also quite handy: http://packages.debian.org/de/sid/abootimg
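Added example, not part of the original post: a small reader for the gzip-compressed newc cpio format that `cpio -o -H newc | gzip` produces, used here to list a repacked ramdisk and flag entries that should not be in it (the "no other files in the working directory" warning above). The function names, the expected-file set and the sample archive are constructed for illustration.

```python
import gzip


def pack_newc(files):
    """Build a minimal newc archive from {name: bytes} (sample construction only)."""
    out = bytearray()
    items = list(files.items()) + [("TRAILER!!!", b"")]
    for ino, (name, data) in enumerate(items, 1):
        n = name.encode() + b"\0"
        fields = [ino, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0]
        out += b"070701" + b"".join(b"%08X" % f for f in fields) + n
        out += b"\0" * (-len(out) % 4) + data     # name padded to 4 bytes
        out += b"\0" * (-len(out) % 4)            # data padded to 4 bytes
    return bytes(out)


def list_newc(archive):
    """Return [(name, mode, size)] for every entry before the trailer."""
    entries, pos = [], 0
    while True:
        hdr = archive[pos:pos + 110]
        if len(hdr) < 110 or hdr[:6] not in (b"070701", b"070702"):
            raise ValueError("bad newc header at offset %d" % pos)
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = archive[pos + 110:pos + 110 + namesize - 1].decode()
        pos += 110 + namesize
        pos += -pos % 4
        if name == "TRAILER!!!":
            return entries
        entries.append((name, mode, size))
        pos += size
        pos += -pos % 4


def stray_entries(ramdisk_gz, expected):
    """Names present in a gzip'd ramdisk that are not in the expected set."""
    names = {n for n, _, _ in list_newc(gzip.decompress(ramdisk_gz))}
    return sorted(names - set(expected))


# Constructed sample: a ramdisk that accidentally picked up the kernel file.
SAMPLE = gzip.compress(pack_newc({
    "default.prop": b"debug.performance.tuning=1\n",
    "init.rc": b"# constructed\n",
    "zImage": b"\x00" * 16,
}))

if __name__ == "__main__":
    print(stray_entries(SAMPLE, {"default.prop", "init.rc"}))
```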
Wouldn't just editing build.prop in /system without touching the kernel do the same job? ^_^
Yep. I just wanted to describe the whole process of extracting and packing the needed files. The edit was just an example. And in fact, I made a typo, it's called default.prop.

[ARM][x86_64]ElfTool - Pack and unpack boot image for sony mobile devices

ElfTool​
This tool will help you to pack and unpack boot image for sony mobile devices.
Usage :
For unpacking
Code:
elftool unpack -i input-path -o output-path
For packing
If you have header file containing address of kernel, ramdisk etc..
Code:
elftool pack -o output-path header=path/to/header kernel-path ramdisk-path,ramdisk ipl-path,ipl rpm-path,rpm [email protected]
Else
Code:
elftool pack -o output-path [email protected] [email protected],ramdisk [email protected],ipl [email protected],rpm [email protected]
The tool was created for injecting twrp recovery ramdisk to fxp cm10 boot images to prevent overwriting of cwm ramdisk over twrp ramdisk. I hope this tool will be useful for other developers also.
Here is how I used it for injecting twrp to fxp cm10 boot images.
During start of twrp run backup.sh. This will extract twrp ramdisk from the boot partition and store it in /cache/backup
Code:
mount /cache
cd /cache
mkdir backup
cd backup
dump_image /dev/block/mmcblk0p3 /cache/backup/oldboot.img
mkdir oldboot
elftool unpack -i /cache/backup/oldboot.img -o /cache/backup/oldboot
cd oldboot
mkdir uramdisk
cd uramdisk
gzip -dc ../ramdisk | cpio -i
mv sbin/ramdisk-recovery.cpio /cache/backup/ramdisk-recovery.cpio
cd /cache/backup
rm -irf oldboot
rm oldboot.img
When a new zip file is installed inject.sh is run. This will extract the newly installed boot image and inject the twrp ramdisk into it and then flash the newly created bootimage.
Code:
#!/sbin/sh
mount /cache
dump_image /dev/block/mmcblk0p3 /cache/newboot.img
mkdir /cache/newboot
elftool unpack -i /cache/newboot.img -o /cache/newboot
rm /cache/newboot.img
cd /cache/newboot
mkdir uramdisk
cd uramdisk
gzip -dc ../ramdisk | cpio -i
rm ../ramdisk
if [ -e "/cache/backup/ramdisk-recovery.cpio" ];then
cp /cache/backup/ramdisk-recovery.cpio sbin/ramdisk-recovery.cpio
cd ..
mkbootfs uramdisk > ramdisk.cpio
cat ramdisk.cpio | gzip > ramdisk
rm -irf uramdisk
rm ramdisk.cpio
elftool pack -o /cache/injectboot.img [email protected] [email protected],ramdisk [email protected]
cd /cache
rm -irf newboot
if [ -e "/cache/injectboot.img" ];then
erase_image /dev/block/mmcblk0p3
flash_image /dev/block/mmcblk0p3 /cache/injectboot.img
rm /cache/injectboot.img
fi
fi
Both arm and x86_64 versions are available.
Thanks to sony for providing boot image format in packelf.py
Source code can be found here
yeah
thanks bro
srl3gx said:
ElfTool​
This tool will help you to pack and unpack boot image for sony mobile devices.
Thanks for this tool. It helped me edit a kernel.
Btw, I've used the source to compile x86 version. I've attached it here.
I'm trying to use it on my ubuntu but it doesn't work. I get error: elftool: command not found
I want to unpack CM10 boot.img
Great. Will try it as soon as possible Thanks

RK3188 - MINIX NEOX7 mini

Hi all folks,
I have some questions about the stock Android system in this specific box and the format of the dumped partition.
Try to explain, I'm using rkflashtool to interact with the memory of the RK3188
This is the output of the command
rkflashtool r 0 1 | head -n 11
-------------------------------------------------------------------------------------------------
CMDLINE:console=ttyFIQ0 androidboot.console=ttyFIQ0
init=/init initrd=0x62000000,0x00800000 mtdparts=rk29xxnand:
[email protected](misc),
[email protected](kernel),
[email protected](boot),
[email protected](recovery),
[email protected](backup),
[email protected](cache),
[email protected](userdata),
[email protected](kpanic),
[email protected](system),
[email protected](user)
-------------------------------------------------------------------------------------------------
I guess the boot partition is something like this:
+-------+ <--- 0x00019fe0
| boot |
+-------+ <----0x00012000
With this command I'm able to dump the entire boot partition on my Linux box to a file named b00t.img:
rkflashtool r 0x12000 0x8000 > b00t.img
Now, I have found out that with the tool rkunpack (or simply with dd) I'm able to unpack this b00t.img. The output is two files:
b00t.img-raw
b00t.img-symbol
The first file is no more than a gzip compressed data file, I'm able to extract the data in a directory with this command:
gunzip < ../b00t.img-raw | sudo cpio -i --make-directories
Now in this dir I have all the files of the / partition. I can modify for example the /init.rc.
I want to repack the entire b00t.img in order to flash it again on the device.
NB:
In this thread these guys work on something like my problem...
http://www.freaktab.com/showthread.p...ull=1#post4055
The difference is that they work on a different partition layout, and rkunpack of the dumped boot.img returns only boot.img-raw for them.
Obviously I've already tried to repack the modified directory in these two ways:
mkcramfs myboot myboot-temp.img
kcrc myboot-temp.img customboot.img
or
find . ! -name "."| sort | cpio -oa -H newc | gzip -n > ../newboot.gz
kcrc newboot.gz customboot.img
Neither of these produces a file large enough to fit the boot partition on the device, which I want to fill with:
rkflashtool w 0x12000 0x8000 < modifiedb00t.img
Has anyone ever worked with rk3188? Any idea?
Thanks in advance.
SOLVED!
Look at http://www.freaktab.com/showthread.php?12200-ANDROID!-boot-img-want-to-modify-only-the-ramdisk.

RK3188 - Minix NEOX7 - unpack and repack boot.img

Hi all folks,
I have some questions about the stock Android system in this specific box and the format of the dumped partition.
Try to explain, I'm using rkflashtool to interact with the memory of the RK3188
This is the output of the command
rkflashtool r 0 1 | head -n 11
-------------------------------------------------------------------------------------------------
CMDLINE:console=ttyFIQ0 androidboot.console=ttyFIQ0
init=/init initrd=0x62000000,0x00800000 mtdparts=rk29xxnand:
[email protected](misc),
[email protected](kernel),
[email protected](boot),
[email protected](recovery),
[email protected](backup),
[email protected](cache),
[email protected](userdata),
[email protected](kpanic),
[email protected](system),
[email protected](user)
-------------------------------------------------------------------------------------------------
I guess the boot partition is something like this:
+-------+ <--- 0x00019fe0
| boot |
+-------+ <----0x00012000
With this command I'm able to dump the entire boot partition on my Linux box to a file named b00t.img:
rkflashtool r 0x12000 0x8000 > b00t.img
Now, I have found out that with the tool rkunpack (or simply with dd) I'm able to unpack this b00t.img. The output is two files:
b00t.img-raw
b00t.img-symbol
The first file is no more than a gzip compressed data file, I'm able to extract the data in a directory with this command:
gunzip < ../b00t.img-raw | sudo cpio -i --make-directories
Now in this dir I have all the files of the / partition. I can modify for example the /init.rc.
I want to repack the entire b00t.img in order to flash it again on the device.
NB:
In this thread these guys work on something like my problem...
http://www.freaktab.com/showthread.p...ull=1#post4055
The difference is that they work on a different partition layout, and rkunpack of the dumped boot.img returns only boot.img-raw for them.
Obviously I've already tried to repack the modified directory in these two ways:
mkcramfs myboot myboot-temp.img
kcrc myboot-temp.img customboot.img
or
find . ! -name "."| sort | cpio -oa -H newc | gzip -n > ../newboot.gz
kcrc newboot.gz customboot.img
None of these produces a file large enough to fit the boot partition on the device, which I want to fill with:
rkflashtool w 0x12000 0x8000 < modifiedb00t.img
Has anyone ever worked with rk3188? Any idea?
Thanks in advance.
Anyone?

mitm on android emulator: a howto

Hello all,
I'd like to braindump how I managed to make android emulator v30 work with mitm, hope that helps someone.
Since it was not possible to either write to the /system partition or make it writable, I decided to roll my own system.img and that actually worked. I'm not going to upload a script because I might not remember 100%, but I'm going to describe the steps in full, even though they exist elsewhere. The commands might not be exact, too, so if there's a typo you'll need to figure it out yourself.
Also, it will be a bit confusing because I shall refer to 2 files named system.img, one is the 2G file that comes with android, the other is a 700M or so file that you will be creating in the process. I'll refer to them as #1 and #2.
1. What is needed: android studio and emulator, linux, xattr, https://github.com/LonelyFool/lpunpack_and_lpmake , https://github.com/tytso/e2fsprogs, mitmproxy, parted. Build these github projects, you'll need their binaries in the process.
also, 'mkdir build' somewhere.
2. Find system.img (#1) in your android studio installation, then extract the system partition:
$ losetup -f system.img
$ losetup -a | grep system.img
/dev/loop5
$ partprobe /dev/loop5
$ ls /dev/loop5p*
/dev/loop5p1 /dev/loop5p2
$ lpunpack_and_lpmake/bin/lpunpack /dev/loop5p2 build
$ ls build
system.img system-ext.img product.img vendor.img
$ losetup -d /dev/loop5
3. Make system.img (#2) writable and usable. This is ext4 crunched with feature shared_blocks, which makes it not really writable even in theory, as it deduplicates identical blocks in the filesystem. You'll need to convert that to a normal ext4, but there's not enough space to do that operation. So you'll need to expand the partition to accommodate this. How much? Empirically, I added 30M to a 700M partition:
$ ls -l system.img
700000000 # for example
$ e2fsprogs/resize/resize2fs system.img 730M
$ ls -l system.img
730000000 # for example
$ e2fsprogs/e2fsck/e2fsck -f system.img
$ e2fsprogs/e2fsck/e2fsck -E unshare_blocks system.img
$ e2fsprogs/e2fsck/e2fsck -f system.img
4. Modify the now writable partition to your heart's content (we're still with system.img #2 here). I needed to add just one file, mitmproxy-ca-cert.cer . According to the mitmproxy docs, the name must be the hash of the certificate:
$ losetup -f system.img
$ losetup -a | grep system.img
/dev/loop6
$ mount /dev/loop6 /mnt
$ hashed_name=`openssl x509 -inform PEM -subject_hash_old -in mitmproxy-ca-cert.cer | head -1`
$ echo $hashed_name
c8750f0d
$ cp mitmproxy-ca-cert.cer /mnt/system/etc/security/cacerts/$hashed_name.0
$ cd /mnt/system/etc/security/cacerts/
$ chmod 644 $hashed_name.0
Now check if your android has extra attributes in these certificate files. Mine does:
$ xattr 00abcde.0 # some random certificate
security.selinux
$ xattr -p security.selinux 00abcde.0
u:object_r:system_security_cacerts_file:s0
if yes, you'll need it on this file too:
$ xattr -w security.selinux u:object_r:system_security_cacerts_file:s0 $hashed_name.0
and be done with the partition
$ umount /mnt
$ losetup -d /dev/loop6
5. Create new super-partition, the one we used as /dev/loop5p2. You'll need the file sizes of your .img partitions, and your command to create a super.img file will look like this:
$ cat repack
#!/bin/sh
P=/android/super/1
~/src/lpunpack_and_lpmake/bin/lpmake --metadata-size 65536 --super-name super --metadata-slots 2 --device super:2496462848 --group main:2647101440 \
--partition system:readonly:786432000:main --image system=$P/system.img \
--partition system_ext:readonly:131952640:main --image system_ext=$P/system_ext.img \
--partition product:readonly:1468575744:main --image product=$P/product.img \
--partition vendor:readonly:102739968:main --image vendor=$P/vendor.img \
--output $P/super2.img
the interesting numbers are the corresponding partition sizes (in --partition), and, for example, if you increased the system.img #2 to 30M in the step 3, the number in --device:super should be the size of /dev/loop5p2 in bytes plus at least these 30M (but also okay if a bit more).
6. Finally, create a new system.img #1 . Create a backup copy of it, and then append some 30M there, and fix the partition
$ dd if=/dev/zero of=system-new.img oflag=append conv=notrunc bs=1M count=30
$ losetup -f system-new.img
$ losetup -a | grep system-new.img
/dev/loop7
$ parted /dev/loop7
GNU Parted 3.3
Using /dev/loop7
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) p
Model: Loopback device (loopback)
Disk /dev/loop7: 2444MB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags:
Number Start End Size File system Name Flags
1 1049kB 2097kB 1049kB vbmeta
2 2097kB 2443MB 2441MB super
you will need to expand partition 2 to the max (plus minus same 30M). If it fails, fix the number and retry:
(parted) resizepart 2 24460MB
Error: The location 24460MB is outside of the device /dev/loop7.
and finally copy data back:
$ partprobe /dev/loop7
$ dd if=super.img of=/dev/loop7p2 bs=1M
$ losetup -d /dev/loop7
and that's it. After that, rename system-new.img to system.img, and hopefully the emulator could run this new image.
Also, to check that the certificate is there and recognized, go to the setting/certificates/trusted certificates, the mitmproxy one should be in the list.
Hopefully this will be helpful.
Cheers!
/dk
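Added example, not part of the original post: a check of the two conditions step 3 works toward, read straight from the ext4 superblock: the shared_blocks feature is cleared and the filesystem fits inside the image file. The superblock offsets and the 0x4000 flag are the standard ext4 ones; the function names and sample values are constructed, and the size is taken from the low 32 bits of the block count only.

```python
import struct

EXT4_MAGIC = 0xEF53                # s_magic, superblock offset 0x38
RO_COMPAT_SHARED_BLOCKS = 0x4000   # EXT4_FEATURE_RO_COMPAT_SHARED_BLOCKS


def inspect_ext4(head):
    """Parse the primary superblock from the first 2048 bytes of an image."""
    sb = head[1024:2048]
    if len(sb) < 0x68 or struct.unpack_from("<H", sb, 0x38)[0] != EXT4_MAGIC:
        raise ValueError("no ext2/3/4 superblock at offset 1024")
    blocks_lo, = struct.unpack_from("<I", sb, 0x04)   # s_blocks_count_lo
    log_bs, = struct.unpack_from("<I", sb, 0x18)      # s_log_block_size
    ro_compat, = struct.unpack_from("<I", sb, 0x64)   # s_feature_ro_compat
    return {
        "fs_bytes": blocks_lo * (1024 << log_bs),
        "shared_blocks": bool(ro_compat & RO_COMPAT_SHARED_BLOCKS),
    }


def ready_to_modify(head, file_size):
    """True when blocks are unshared and the filesystem fits inside the file."""
    info = inspect_ext4(head)
    return not info["shared_blocks"] and info["fs_bytes"] <= file_size


def fake_head(blocks, log_bs, ro_compat):
    """Constructed sample: zeroed image head with four superblock fields set."""
    head = bytearray(2048)
    struct.pack_into("<I", head, 1024 + 0x04, blocks)
    struct.pack_into("<I", head, 1024 + 0x18, log_bs)
    struct.pack_into("<H", head, 1024 + 0x38, EXT4_MAGIC)
    struct.pack_into("<I", head, 1024 + 0x64, ro_compat)
    return bytes(head)


# Constructed values: 4 KiB blocks, 730 MiB filesystem.
MIB = 1024 * 1024
BEFORE = fake_head(186880, 2, 0x4000 | 0x0001)   # shared_blocks still set
AFTER = fake_head(186880, 2, 0x0001)             # after the unshare pass

if __name__ == "__main__":
    print(inspect_ext4(BEFORE), ready_to_modify(BEFORE, 730 * MIB))
    print(inspect_ext4(AFTER), ready_to_modify(AFTER, 730 * MIB))
```

For a real image, pass `open("system.img", "rb").read(2048)` and `os.path.getsize("system.img")`.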
