Reverse Engineering Asked by BtPython on April 26, 2021
Here is the situation: I have a OnePlus phone and I want to explore its kernel, so I downloaded the zip firmware from the OnePlus website, extracted the img files from the payload.bin, and used this tool to extract the zImage from the boot.img.
I found an article here on extracting a gzip stream from the zImage, but the output from arm-linux-gnueabi-objdump is kind of weird, with the <UNDEFINED> instruction: 0xf1008b1f:
arm-linux-gnueabi-objdump -EL -b binary -D -m armv5t boot.img-zImage | grep 8b1f
2f14: f1008b1f ; <UNDEFINED> instruction: 0xf1008b1f
3290: f1008b1f ; <UNDEFINED> instruction: 0xf1008b1f
3384: f1008b1f ; <UNDEFINED> instruction: 0xf1008b1f
8a224: 2a0003f4 bcs 0x8b1fc
8b1f0: f9000518 ; <UNDEFINED> instruction: 0xf9000518
8b1f4: f9000308 ; <UNDEFINED> instruction: 0xf9000308
8b1f8: f9405fe8 ; <UNDEFINED> instruction: 0xf9405fe8
8b1fc: f9000708 ; <UNDEFINED> instruction: 0xf9000708
8fd54: b98b1f28 stmiblt fp, {r3, r5, r8, r9, sl, fp, ip}
cffbc: 9a9f87e9 bls 0xfe8b1f68
d0008: 9a9f87ea bls 0xfe8b1fb8
18a220: aa0003f3 bge 0x18b1f4
18b1f0: f81a83a8 ; <UNDEFINED> instruction: 0xf81a83a8
18b1f4: b40001a2 strlt r0, [r0], #-418 ; 0xfffffe5e
18b1f8: d0010268 andle r0, r1, r8, ror #4
18b1fc: b94e5108 stmdblt lr, {r3, r8, ip, lr}^
^C
Also, I noticed that the file type was not recognized:
user@ubuntu:~/Desktop/bootImg$ file zImage
zImage: data
But anyway, I converted 2f14 to decimal and tried to extract a gzip archive:
dd if=zImage of=piggy.gz bs=1 skip=12052
and then tried to extract it:
user@ubuntu:~/Desktop/bootImg$ gunzip piggy.gz
gzip: piggy.gz: unknown method 0 -- not supported
Also, the archive seems to be encrypted:
user@ubuntu:~/Desktop/bootImg$ file piggy.gz
piggy.gz: gzip compressed data, reserved method, ASCII, has comment, encrypted, last modified: Fri Aug 29 04:43:12 2014, from Unix, original size modulo 2^32 0
Note: I know that the OnePlus kernels are open source, but I really want to practice my reverse engineering skills.
It's possible that the kernel is not actually gzip compressed but uses another algorithm. I would recommend using vmlinux-to-elf, which can not only automatically detect the compressed stream, uncompress it, and convert it to an ELF, but also parse the kallsyms tables and symbolize the image.
Answered by Igor Skochinsky on April 26, 2021
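An added example, not code from either post, for locating the compressed kernel without being fooled by hits like the ones in the question. The `grep 8b1f` matches above are 32-bit words (0xf1008b1f) whose little-endian bytes are 1f 8b 00 f1: the third byte, gzip's compression-method field, is 0 rather than 8, and the fourth byte 0xf1 read as a gzip flag byte has the reserved bits set. That is exactly what gunzip's "unknown method 0" and file's "reserved method ... has comment, encrypted" are reporting, so those offsets are not gzip headers at all. The script below scans a raw image for the full magic of every compressor the kernel build can use (the same list as the kernel's scripts/extract-vmlinux), only trusts a gzip or xz hit if the stream actually inflates through to its trailer, and otherwise just reports the offset for the matching external tool. The image it scans is constructed inline; with the real file you would pass `open("zImage", "rb").read()` to `find_piggy` instead. It uses only the Python standard library.

```python
import gzip
import lzma
import struct
import zlib

# Magic prefixes of the compressors a Linux kernel image can be wrapped in; the
# list mirrors the one in the kernel's scripts/extract-vmlinux. The gzip entry is
# three bytes (ID1, ID2, CM=8 deflate): the bytes 1f 8b alone are not a gzip
# header, which is exactly what the 0xf1008b1f words in the question are.
MAGICS = {
    "gzip":  b"\x1f\x8b\x08",
    "xz":    b"\xfd7zXZ\x00",
    "bzip2": b"BZh",
    "lzma":  b"\x5d\x00\x00\x00",
    "lzo":   b"\x89LZ",
    "lz4":   b"\x02!L\x18",
    "zstd":  b"\x28\xb5\x2f\xfd",
}


def find_candidates(blob: bytes):
    """Every magic hit in the image as (offset, compressor), in file order."""
    hits = []
    for name, magic in MAGICS.items():
        start = 0
        while (i := blob.find(magic, start)) >= 0:
            hits.append((i, name))
            start = i + 1
    return sorted(hits)


def try_gzip(blob: bytes, off: int):
    """Inflate a gzip member at off; None if the header or the stream is bad."""
    if blob[off:off + 3] != MAGICS["gzip"] or off + 10 > len(blob):
        return None
    flg = blob[off + 3]
    if flg & 0xE0:                     # RFC 1952: FLG bits 5-7 are reserved, must be 0
        return None
    d = zlib.decompressobj(wbits=31)   # 31 = gzip wrapper, header parsed by zlib
    try:
        out = d.decompress(blob[off:])
    except zlib.error:
        return None
    return out if d.eof else None      # eof False: trailer never reached (truncated)


def try_xz(blob: bytes, off: int):
    """Same check for an xz container (CONFIG_KERNEL_XZ)."""
    d = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    try:
        out = d.decompress(blob[off:])
    except lzma.LZMAError:
        return None
    return out if d.eof else None


def find_piggy(blob: bytes):
    """(offset, compressor, data) for the first gzip/xz stream that really
    inflates; else (offset, compressor, None) for the first hit of a format this
    script only recognises (hand it to lz4/zstd/lzop/...); else None."""
    unverified = None
    for off, name in find_candidates(blob):
        data = None
        if name == "gzip":
            data = try_gzip(blob, off)
        elif name == "xz":
            data = try_xz(blob, off)
        elif unverified is None:
            unverified = (off, name, None)
        if data is not None:
            return off, name, data
    return unverified


def build_sample():
    """Constructed image, not a real zImage: the decoy word from the question
    (0xf1008b1f, little-endian bytes 1f 8b 00 f1) followed later by a genuine
    gzip member. Returns (image, original payload)."""
    payload = b"Linux version 0.0.0 (constructed sample, not a real kernel)\n" * 8
    image = (b"\x00" * 0x40
             + struct.pack("<I", 0xF1008B1F)   # decoy: "grep 8b1f" matches this
             + b"\x90" * 0x20
             + gzip.compress(payload)           # the real "piggy"
             + b"\xff" * 0x10)                  # trailing bytes after the stream
    return image, payload


if __name__ == "__main__":
    image, _ = build_sample()
    for off, name in find_candidates(image):
        print(f"0x{off:x}: {name} magic")
    off, name, data = find_piggy(image)
    print(f"inflatable {name} stream at 0x{off:x}, {len(data)} bytes out")
```

Once a stream inflates, write `data` to disk and feed it to vmlinux-to-elf as the answer suggests. If the hits are still odd in objdump, check the architecture before the compression: the words such as f9000518 and f9405fe8 in the listing above are AArch64 str/ldr encodings, so an arm64 kernel should be disassembled with an aarch64 objdump rather than with -m armv5t.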