Some attempts and notes.
1> Extract boot.img:
Here MSM indicates a Qualcomm chip, msm_sdcc.1 is the external SD card mount directory, and by-name refers to the partition names on this SD card. The following lines show what is stored in each partition.
Remember to run su first, then dump boot.img with: dd if=/dev/block/mmcblk0p8 of=/data/local/tmp/boot.img
Run adb root to get root permission, then pull boot.img to the PC.
2> boot.img Format Analysis
See system/core/mkbootimg/bootimg.h:

    typedef struct boot_img_hdr boot_img_hdr;

    #define BOOT_MAGIC "ANDROID!"
    #define BOOT_MAGIC_SIZE 8
    #define BOOT_NAME_SIZE 16
    #define BOOT_ARGS_SIZE 512

    struct boot_img_hdr
    {
        unsigned char magic[BOOT_MAGIC_SIZE];

        unsigned kernel_size;  /* size in bytes */
        unsigned kernel_addr;  /* physical load addr */

        unsigned ramdisk_size; /* size in bytes */
        unsigned ramdisk_addr; /* physical load addr */

        unsigned second_size;  /* size in bytes */
        unsigned second_addr;  /* physical load addr */

        unsigned tags_addr;    /* physical addr for kernel tags */
        unsigned page_size;    /* flash page size we assume */
        unsigned dt_size;      /* device tree in bytes */
        unsigned unused;       /* future expansion: should be 0 */

        unsigned char name[BOOT_NAME_SIZE];    /* asciiz product name */
        unsigned char cmdline[BOOT_ARGS_SIZE];

        unsigned id[8];        /* timestamp / checksum / sha1 / etc */
    };

The boot.img file starts with a 2K header, followed by two gz packages: boot.img-kernel.gz (the Linux kernel) and boot.img-ramdisk.cpio.gz (the ramdisk). The approximate layout is as follows:

    +-----------------+
    | boot header     | 1 page
    +-----------------+
    | kernel          | n pages
    +-----------------+
    | ramdisk         | m pages
    +-----------------+
    | second stage    | o pages
    +-----------------+
    | device tree     | p pages
    +-----------------+

    n = (kernel_size + page_size - 1) / page_size
    m = (ramdisk_size + page_size - 1) / page_size
    o = (second_size + page_size - 1) / page_size
    p = (dt_size + page_size - 1) / page_size
In summary, boot.img consists of the boot.img header, the kernel, and the ramdisk file system, where the kernel and ramdisk are generally gzip-compressed (the exact format depends on the vendor). Use binwalk to analyze the image, then use dd to carve out the two parts:
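As an added example (not code from the original post), the following Python parser reads the boot_img_hdr described above, applies the n/m/o/p page formulas to locate each section, and emits the equivalent dd commands for carving; the sample image is constructed in memory with placeholder load addresses and gzip-magic stubs in place of a real kernel and ramdisk.

```python
import struct

BOOT_MAGIC = b"ANDROID!"
# boot_img_hdr from bootimg.h: magic, 10 unsigned fields, name[16], cmdline[512], id[8]
HDR_FMT = "<8s10I16s512s8I"
HDR_SIZE = struct.calcsize(HDR_FMT)  # 608 bytes, padded to one page on disk


def parse_boot_img(data):
    """Return header fields plus the page-aligned offset of each section."""
    if len(data) < HDR_SIZE or data[:8] != BOOT_MAGIC:
        raise ValueError("not an Android boot image (bad magic)")
    f = struct.unpack_from(HDR_FMT, data, 0)
    (kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size,
     _second_addr, tags_addr, page_size, dt_size, _unused) = f[1:11]
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("implausible page_size %d" % page_size)
    pages = lambda n: (n + page_size - 1) // page_size  # n = (size + page_size - 1) / page_size
    layout, off = {}, page_size  # the header occupies exactly one page
    for sec, size in (("kernel", kernel_size), ("ramdisk", ramdisk_size),
                      ("second", second_size), ("dt", dt_size)):
        layout[sec] = {"offset": off, "size": size, "pages": pages(size)}
        off += pages(size) * page_size
    if off > len(data):
        raise ValueError("header claims %d bytes, image has %d" % (off, len(data)))
    return {"page_size": page_size, "kernel_addr": kernel_addr,
            "ramdisk_addr": ramdisk_addr, "tags_addr": tags_addr,
            "name": f[11].rstrip(b"\0").decode("ascii", "replace"),
            "cmdline": f[12].rstrip(b"\0").decode("ascii", "replace"),
            "sections": layout}


def dd_commands(info, image="boot.img"):
    """dd invocations (bs = page size) that carve each non-empty section."""
    cmds = []
    for sec, s in info["sections"].items():
        if s["size"]:
            cmds.append("dd if=%s of=%s.bin bs=%d skip=%d count=%d" % (
                image, sec, info["page_size"], s["offset"] // info["page_size"], s["pages"]))
    return cmds


def build_sample_image(page_size=2048):
    """Constructed test image (hypothetical values): gzip-magic stubs stand in for kernel/ramdisk."""
    kernel, ramdisk = b"\x1f\x8b" + b"K" * 5000, b"\x1f\x8b" + b"R" * 3000
    pad = lambda b: b + b"\0" * (-len(b) % page_size)  # round each section up to a page
    hdr = struct.pack(HDR_FMT, BOOT_MAGIC, len(kernel), 0x80208000, len(ramdisk),
                      0x82200000, 0, 0x81100000, 0x80200100, page_size, 0, 0,
                      b"demo", b"console=ttyHSL0,115200,n8", *([0] * 8))
    return pad(hdr) + pad(kernel) + pad(ramdisk)
```

Running parse_boot_img() over a real dump gives the same skip/count values you would otherwise read off binwalk's output, and the size check catches a header that points past the end of the file.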
3> First, analyze the kernel:
Load it into IDA, set the processor type to ARM little-endian, and set the base address to 0xC0008000.
At this point there is no symbol table, so the code is hard to read and understand. Get the symbol table from the device:
cat /proc/kallsyms > /data/local/tmp/syms.txt
Then move it to the PC:
adb pull /data/local/tmp/syms.txt syms.txt
You get this:
    c0008000 t stext
    c0008000 t _sinittext
    c0008000 t _stext
    c0008000 t __init_begin
    c0008050 t __create_page_tables
    c0008104 t __enable_mmu_loc
    c0008110 t __vet_atags
    c0008148 t __fixup_smp
    c0008180 t __fixup_smp_on_up
    ...
Convert it to sym.idc; this can be done directly with Python, as follows:

    import re

    address = []
    sym = []
    # Each /proc/kallsyms line is "<address> <type> <name> [module]"
    with open('syms.txt', 'rt') as fr:
        for line in fr:
            group = re.split(' ', line, 3)
            address.append(group[0])
            sym.append(group[2].strip())  # drop the trailing newline
    # Emit an IDC script that names every address with MakeNameEx()
    with open('sym.idc', 'w+') as fw:
        fw.write("#include <idc.idc>\n")
        fw.write("static main()\n")
        fw.write("{")
        for i in range(0, len(address)):
            fw.write("\n\tMakeNameEx(0x" + address[i] + ", \"" + sym[i] + "\", 0);")
        fw.write("\n}")
    print("ok!")
Then load sym.idc into IDA, which makes it possible to read and modify the kernel alongside the Linux source code. As follows:
For example, you can change the return value of task_pid_nr_ns() to bypass TracerPid-based anti-debugging at the kernel level.
4> Now look at the ramdisk
Get ramdisk.img, inspect it with binwalk, and you can see the ramdisk file system and the files inside it, as follows:
On a rooted Android phone, the /system and /data partitions can be made readable and writable. The permissions of these two partitions are configured in the init.rc file in the root of the ramdisk; modifying this file grants root privileges permanently.
Understanding boot.img and reverse analysis of the Android/Linux kernel