Skip to content

Instantly share code, notes, and snippets.

@azureru
Last active August 9, 2024 19:12
Show Gist options
  • Save azureru/478fe60ee5b9ec545fa5eb286fb2c4be to your computer and use it in GitHub Desktop.
Save azureru/478fe60ee5b9ec545fa5eb286fb2c4be to your computer and use it in GitHub Desktop.
How to Extract Android Kernel And Modify The Boot Ramdisk (Android 4.4) on Allwinner based Processor

Extracting Existing Kernel + Ramfs

Enter the machine using adb shell

Run cat /proc/partitions

  #  Path                     Purpose        Size
  0 /dev/block/mmcblk0                       7761920
  1 /dev/block/mmcblk0p1      data           6085631
  2 /dev/block/mmcblk0p2      bootloader     16384
  3 /dev/block/mmcblk0p3                     1
  5 /dev/block/mmcblk0p5      uboot          16384
  6 /dev/block/mmcblk0p6      kernel         16384
  7 /dev/block/mmcblk0p7      system         786432
  8 /dev/block/mmcblk0p8      misc           16384
  9 /dev/block/mmcblk0p9      recovery       32768
 10 /dev/block/mmcblk0p10     sysrecovery    16384
 11 /dev/block/mmcblk0p11     private        16384
 12 /dev/block/mmcblk0p12     Reserve0       16384
 13 /dev/block/mmcblk0p13     klog           32768
 14 /dev/block/mmcblk0p14     Reserve1       16384
 15 /dev/block/mmcblk0p15     Reserve2       655360

Dump the partition to a file using dd

dd if=/dev/block/mmcblk0p6 of=/data/kernel_ramfs.img

Extract it to your linux system adb pull /data/kernel_ramfs.img

Install abootimg

Run sudo apt-get install abootimg

Check the Kernel Dump

Run abootimg -i kernel_ramfs.img. It need to show

Android Boot Image Info:

* file name = kernel_ramfs.img

* image size = 16777216 bytes (16.00 MB)
  page size  = 2048 bytes

* Boot Name = ""

* kernel size       = 9797076 bytes (9.34 MB)
  ramdisk size      = 2017625 bytes (1.92 MB)

* load addresses:
  kernel:       0x40008000
  ramdisk:      0x41000000
  tags:         0x40000100

* empty cmdline
* id = 0x7c37c0d4 0xcefde745 0xe81b85ba 0xf05275ba 0xbe7de0ad 0x00000000 0x00000000 0x00000000

That means you dump the correct kernel+ramfs

Extract Kernel Dump

abootimg -x kernel_ramfs.img

It will extract zImage and also initrd.img

Extract Ramdisk, Modify And Repack

mkdir initrd
cd initrd
cat ../initrd.img | gunzip | cpio -vid

Modify the ramdisk accordingly (e.g. you modify init.rc or add another additonal files) Then repack accordingly

cd initrd
find . | cpio --create --format='newc' | gzip > ../myinitrd.img

Repacking Boot.Img

abootimg --create myboot.img -f bootimg.cfg -k zImage -r myinitrd.img

Adb Put and Redumping

adb push myboot.img /data/myboot.img
adb shell dd if=mybootimg of=/dev/block/mmcblk0p6

Reboot - And pray for the best

@ytrezq
Copy link

ytrezq commented Mar 26, 2020

@petrosmp.
In my case, simply unpacking and repacking without changing anything through

abootimg -x boot.img
rm -f boot.img
abootimg --create boot.img -f bootimg.cfg -k zImage -r initrd.img

results in a different boot.img (but of the same size) which doesn’t work on my Samsung Galaxy tab s3.

@TheTangledMind
Copy link

I dont get the same information that you do from cat. I get this.

130|gts6lwifi:/ # cat /proc/partitions
major minor #blocks name

1 0 8192 ram0
1 1 8192 ram1
1 2 8192 ram2
1 3 8192 ram3
1 4 8192 ram4
1 5 8192 ram5
1 6 8192 ram6
1 7 8192 ram7
1 8 8192 ram8
1 9 8192 ram9
1 10 8192 ram10
1 11 8192 ram11
1 12 8192 ram12
1 13 8192 ram13
1 14 8192 ram14
1 15 8192 ram15
8 0 249835520 sda
8 1 2048 sda1
8 2 2048 sda2
8 3 4 sda3
8 4 8 sda4
8 5 32768 sda5
8 6 20480 sda6
8 7 10240 sda7
8 8 10240 sda8
8 9 20480 sda9
8 10 1024 sda10
8 11 512 sda11
8 12 40960 sda12
8 13 512 sda13
8 14 4096 sda14
8 15 16384 sda15
259 17 97280 sda16
259 18 87040 sda17
259 19 65536 sda18
259 20 10240 sda19
259 21 65536 sda20
259 22 80852 sda21
259 23 16384 sda22
259 24 16384 sda23
259 25 6381568 sda24
259 26 1347584 sda25
259 27 1024000 sda26
259 28 409600 sda27
259 29 40960 sda28
259 30 51200 sda29
259 31 239978364 sda30
8 16 8192 sdb
8 17 3776 sdb1
8 18 4260 sdb2
8 32 8192 sdc
8 33 3776 sdc1
8 34 4260 sdc2
8 48 61440 sdd
8 49 1024 sdd1
8 50 4096 sdd2
8 51 2048 sdd3
8 52 512 sdd4
8 53 512 sdd5
8 54 4096 sdd6
8 55 4 sdd7
8 56 1024 sdd8
8 57 384 sdd9
8 58 512 sdd10
8 59 512 sdd11
8 60 512 sdd12
8 61 256 sdd13
8 62 256 sdd14
8 63 4 sdd15
259 0 8192 sdd16
259 1 4 sdd17
259 2 2048 sdd18
259 3 8192 sdd19
259 4 128 sdd20
259 5 512 sdd21
259 6 64 sdd22
259 7 80 sdd23
259 8 2048 sdd24
259 9 32 sdd25
259 10 32 sdd26
259 11 32 sdd27
259 12 512 sdd28
259 13 2048 sdd29
259 14 2048 sdd30
259 15 1024 sdd31
259 16 18536 sdd32
179 0 15138816 mmcblk0
179 1 15134720 mmcblk0p1
gts6lwifi:/ #

@Pokemetti
Copy link

@TheTangledMind You have to adb shell and then do the command, otherwise it is your PCs information.

@RudraSama
Copy link

adb pull /data/kernel_ramfs.img
returns
adb: error: failed to copy '/data/kernel_ramfs.img' to '.\kernel_ramfs.img': remote Permission denied

My device is rooted (and connected), adb is running with root privileges and I also tried
adb shell
su
mount -o remount,rw /dev/block/stl9 /system
chmod 777 /system/app
exit
exit

and then re running it but sadly with no succes. Any ideas?

copy kernel_ramfs.img to /sdcard and pull it from sdcard

@TheTangledMind
Copy link

thanks. sorry I was absent for 8 months

@usr577
Copy link

usr577 commented Feb 14, 2022

Is there a way to apply .patch files to the kernel which it returns? If yes, I wasn't able to find it.

@biaocy
Copy link

biaocy commented Jun 18, 2022

DO NOT DO THIS WITHOUT BACKUP YOUR DEVICE'S ORIGINAL boot.img

otherwise, you will end up damage your kernal and can't recover your kernal by repacking boot.img

@misiektw
Copy link

@petrosmp. In my case, simply unpacking and repacking without changing anything through

abootimg -x boot.img
rm -f boot.img
abootimg --create boot.img -f bootimg.cfg -k zImage -r initrd.img

results in a different boot.img (but of the same size) which doesn’t work on my Samsung Galaxy tab s3.

I did the same, and yeah, resulting images differ in two places.
In my case old Tolino Tab 7 at address 0x240:
image

and second at 0x400:
image

Generated boot image has 0x00 in those places.
Seems like abootimg is not aware about this extra info. Not sure if this is static or some generated content, like checksum etc.
Seems like second is some sort signing key maybe...

@srikanth007m
Copy link

I am trying to read a GKI boot image and getting below error message.

abootimg -i boot.img boot.img: ramdisk size is null boot.img: not a valid Android Boot Image.

@misiektw
Copy link

misiektw commented Jul 25, 2022

I am trying to read a GKI boot image and getting below error message.

abootimg -i boot.img boot.img: ramdisk size is null boot.img: not a valid Android Boot Image.

Maybe You are taking image of kernel partition instead boot. Check if file has all zeros. If yes then its just kernel partition that is unused and left in for compatibility reasons.
Check your patririon layout because it will vary between devices, for me it is:

root@android:/system/lib # ls -l /dev/block/mtd/by-name                        
lrwxrwxrwx root     root              2022-07-24 17:11 backup -> /dev/block/mtdblock4
lrwxrwxrwx root     root              2022-07-24 17:11 boot -> /dev/block/mtdblock2
lrwxrwxrwx root     root              2022-07-24 17:11 cache -> /dev/block/mtdblock5
lrwxrwxrwx root     root              2022-07-24 17:11 factory -> /dev/block/mtdblock8
lrwxrwxrwx root     root              2022-07-24 17:11 kernel -> /dev/block/mtdblock1
lrwxrwxrwx root     root              2022-07-24 17:11 kpanic -> /dev/block/mtdblock6
lrwxrwxrwx root     root              2022-07-24 17:11 misc -> /dev/block/mtdblock0
lrwxrwxrwx root     root              2022-07-24 17:11 recovery -> /dev/block/mtdblock3
lrwxrwxrwx root     root              2022-07-24 17:11 system -> /dev/block/mtdblock7
lrwxrwxrwx root     root              2022-07-24 17:11 userdata -> /dev/block/mtdblock9

So I had to dump /dev/block/mtdblock2.

EDIT: Oh, and I'm connecting trough ssh using SimpleSSHD instead of adb.

EDIT2: Also you may be using original source from 2012. Check this patch for new devices:
johnstultz-work/abootimg@db11799

@dxcvvxd
Copy link

dxcvvxd commented Sep 8, 2022

this is what it looks like for me
image

pretty empty, is that normal?

@dxcvvxd
Copy link

dxcvvxd commented Apr 3, 2023

or is this because of magisk

@AblertARock
Copy link

DO NOT DO THIS WITHOUT BACKUP YOUR DEVICE'S ORIGINAL boot.img

otherwise, you will end up damage your kernal and can't recover your kernal by repacking boot.img

If worst comes to worst, most phone have their entire system uploaded to Lolinet Mirrors.

@AblertARock
Copy link

BTW, anyone here have a guide on how to mod a kernel with OrangeFox Recovery or Pitch Black Recovery? It would be amazing if someone did.

@ABC00012345
Copy link

Device doesn't boot after flashing the repacked image. I didn't change anything in the config file, 🤔 why?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment