boot.img Base Address Calculation Method
If you lack the patience to read this post through, I can only say that any problems you run into are your own fault. The end of the article is a bit mean; forgive me! The toolkit ships with a parameter that is certainly fine for my GT540, but I cannot guarantee it for other phones, so you may need to calculate it yourself, or use the value that others in your model's forum section have already worked out. If, after flashing, the phone gets stuck on the boot screen, the screen flickers, it stays black, and other symptoms appear one after another, there are two common possibilities.
1. boot.img is encrypted. When building a ROM, the phone manufacturer uses its own algorithm to compute a CRC over the entire file and appends the check value to the end of boot.img. The phone's hardware BIOS is like a diligent sentry checking the password: sorry, please leave, or I'll raise the alarm... er, it can't actually raise an alarm, so it simply won't let you in.
2. boot.img also carries an important parameter, the base address, which tells the phone at which address to start: which address is the entry to the ramdisk and which address is the entry to the kernel. Without the right entry number, sorry, you can't get into the room.
If it is the first case, the only option is to give up.
After much searching I finally found that the address offsets are defined in the ROM's boardconfig.h. Although this file does not exist in my phone's ROM, the offsets are common to every Android system and won't change unless someone took the wrong medicine.
The offset defines are as follows:

#define PHYSICAL_DRAM_BASE 0x00200000 // The base address differs per device. It is this base address we want to obtain, but without the ROM source code that seems impossible.
#define KERNEL_ADDR (PHYSICAL_DRAM_BASE + 0x00008000)
#define RAMDISK_ADDR (PHYSICAL_DRAM_BASE + 0x01000000)
#define TAGS_ADDR (PHYSICAL_DRAM_BASE + 0x00000100)
#define NEWTAGS_ADDR (PHYSICAL_DRAM_BASE + 0x00004000)
Remember this sentence from the wiki? "For Nexus One: Add --base 0x20000000 to mkbootimg command-line." Translated: if the phone is a Nexus One, you need to add --base 0x20000000 to the mkbootimg command. Familiar now? The original base address is written here; mkbootimg automatically adds the offsets for you and writes the result into boot.img.
Now we need to know where these values are stored.
Why? From the section above we already know the offsets, so if we take kernel_addr from the official ROM's boot.img and subtract the kernel offset 0x00008000, don't we get the base address?
You need to know where the bootimg tool writes them, and for that you can only read the source code of mkbootimg (fortunately, bootimg is open source, as a typical Linux tool; if it were a Windows tool, that would be really sad).
Find the file bootimg.c.
The layout is: header + padding + kernel + padding + ramdisk + padding + ... (padding fills up to a full page. Remember what I mentioned before: how many boxes are needed for 11 cards when each box holds 10? Because the second box holds only one card, nine blank cards are needed to fill the remaining positions; that is padding.)
4*2 bytes: magic, fixed to "ANDROID!"
4*1 bytes: kernel size, little-endian unsigned
4*1 bytes: kernel address, should be base + 0x00008000
4*1 bytes: ramdisk size, little-endian unsigned
4*1 bytes: ramdisk address, should be base + 0x01000000
4*1 bytes: second stage size, little-endian unsigned, 0
4*1 bytes: second stage address, should be base + 0x00f00000
4*1 bytes: tags address, should be base + 0x00000100
4*1 bytes: page size, little-endian unsigned, 2048 or 4096
4*2 bytes: unused, fixed to 0x00
4*4 bytes: board name, generally blank
4*128 bytes: kernel command line, a long string
4*8 bytes: ID, purpose unknown, 0x00
Let me post a hex dump for everyone. It is the hex view of the N600 official 2.1 ROM boot.img, shown below:
From it we can see:
41 4E 44 52 4F 49 44 21 is the magic number; it is the fixed string "ANDROID!", one byte per character.
kernel_size is 0x00237470. Note the little-endian reading: the bytes are read forward one at a time, but as a whole integer the order is reversed. So the bytes 70 74 23 00 are exactly 0x00237470.
kernel_addr is 0x03008000. Someone asks: subtract the kernel offset 0x00008000 found above, and the base is 0x03000000, right? Now I know, and I'll package with --base 0x03000000. Congratulations! On the N600 it still won't boot. Why? Please read on.
ramdisk_size: B9 66 03 00 --> 0x000366B9.
ramdisk_addr: 00 00 A0 03 --> 0x03A00000. Offset 0x01000000, so base = 0x02A00000.
second_stage size: 00000000
second_stage addr: 00 00 90 03 --> 0x03900000. Offset 0x00F00000, so base = 0x02A00000.
tags_addr: 00 01 A0 02 --> 0x02A00100. Offset 0x00000100, so base = 0x02A00000.
page_size: 00 08 --> 0x0800. This is the page size. Remember that the page size I mentioned earlier is generally an integer multiple of 1K (1024)? The page size here is 0x0800, which in decimal is 2048.
Now let's look at the bases. The kernel's base is 0x03000000. The bases of ramdisk, second_stage and tags_addr are all the same: yes, 0x02A00000. What?! The four bases are actually not all the same! Yes, that's what I said at the time.
Then I thought: luckily I had nothing to worry about, since there are four bases to compare. If there were only the first one, and I had packaged with 0x03000000, the result would basically have been a tragedy, and I might still be confused, thinking this boot.img was CRC-checked rather than having a base address error.
So, by majority rule, we fill in 0x02A00000 as the base address when packaging, and then manually patch the first address, kernel_addr.
The correct commands are as follows:

bootimg ramdisk | gzip > ramdisk-new.gz
mkbootimg --kernel boot.img-kernel --ramdisk ramdisk-new.gz --base 0x02a00000 -o boot.img
Then open boot.img with ghex2 and skip the first 4*2 bytes, 41 4E 44 52 4F 49 44 21. This is the magic number, which stays unchanged.
Skip another 4*1 bytes; in my case these are 70 74 23 00. This is kernel_size, generated by the program, and it does not need manual modification.
The next 4*1 bytes are kernel_addr. Right now they are 00 80 A0 02; change them to 00 80 00 03 and save.
Okay, put it in the flashing directory, open the flashing tool, click flash, and off you go happily.
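As an added illustration (not code from the original post or the bootimg tools), here is a Python script that does what the hex-dump walkthrough above does by hand: it reads the header fields, subtracts the offsets quoted from boardconfig.h to get one base per field, applies the majority rule, and patches kernel_addr the way the ghex2 step does. The sample header is constructed from the N600 2.1 values above; the field order follows the header layout listed earlier.

```python
import struct

# Offsets from the boardconfig.h defines quoted above (common to Android boot images)
OFFSETS = {"kernel": 0x00008000, "ramdisk": 0x01000000,
           "second": 0x00F00000, "tags": 0x00000100}

# Start of the boot.img header: 8-byte magic, then eight little-endian u32 fields
HEADER_FMT = "<8s8I"

def parse_header(img: bytes) -> dict:
    """Return the first nine header fields of an Android boot.img."""
    magic, ksz, kaddr, rsz, raddr, ssz, saddr, tags, page = \
        struct.unpack_from(HEADER_FMT, img, 0)
    if magic != b"ANDROID!":
        raise ValueError("bad magic: %r" % magic)
    return {"kernel_size": ksz, "kernel_addr": kaddr, "ramdisk_size": rsz,
            "ramdisk_addr": raddr, "second_size": ssz, "second_addr": saddr,
            "tags_addr": tags, "page_size": page}

def candidate_bases(h: dict) -> dict:
    """Subtract the known offset from each address field to recover a base per field."""
    return {"kernel": h["kernel_addr"] - OFFSETS["kernel"],
            "ramdisk": h["ramdisk_addr"] - OFFSETS["ramdisk"],
            "second": h["second_addr"] - OFFSETS["second"],
            "tags": h["tags_addr"] - OFFSETS["tags"]}

def majority_base(bases: dict) -> tuple:
    """Base that most fields agree on, plus the fields that disagree and need patching."""
    counts = {}
    for b in bases.values():
        counts[b] = counts.get(b, 0) + 1
    best = max(counts, key=counts.get)
    odd = sorted(f for f, b in bases.items() if b != best)
    return best, odd

def patch_kernel_addr(img: bytes, kernel_addr: int) -> bytes:
    """Rewrite the kernel_addr field (bytes 12..16) as the ghex2 step does by hand."""
    return img[:12] + struct.pack("<I", kernel_addr) + img[16:]

# Constructed sample header with the N600 official 2.1 ROM values from the hex dump
SAMPLE = struct.pack(HEADER_FMT, b"ANDROID!", 0x00237470, 0x03008000,
                     0x000366B9, 0x03A00000, 0, 0x03900000, 0x02A00100, 2048)

if __name__ == "__main__":
    hdr = parse_header(SAMPLE)
    bases = candidate_bases(hdr)
    base, odd = majority_base(bases)
    print("base per field:", {k: "%#010x" % v for k, v in bases.items()})
    print("pack with --base %#010x, then patch back: %s" % (base, ", ".join(odd)))
```

Running it on the sample prints a kernel base of 0x03000000 against 0x02a00000 for the other three fields, so the majority base is 0x02a00000 and kernel_addr is the field to patch after repacking.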