How to Extract a Device Tree File from Android Firmware Files

Up to now, all our cheap Android devices were based on older Linux kernel (3.0.x, 3.4.x) that still used board files (arch/arm/board, but we’ve recently seen companies like Amlogic and Rockchip release source code with Linux kernel 3.10.x. One of the key differences between these version are the move from board files to flattened device tree and multi-platform support. If it is fully implemented, a single kernel image should be able to boot multiple hardware platforms, and all low level configuration handled by the device tree file. Since I’ve connected the serial port of Tronsmart Vega S89 for debugging, and it’s a slow news day, I thought I might try to boot the Linux kernel I compiled myself, but one of the challenge was to get the device tree file. I’ll show how to extract it from the firmware. It should also be possible to get it directly from the flash, but “cat /proc/mtd” does not show a complete list of partition as in previous versions.

I’ve performed the steps below in Ubuntu 14.04. The first thing is to install some tools: the device tree compiler that we’ll use to decompile the dtb (binary) file into a dtd (text) file, and split_bootimg.pl a standard PERL script to extract files from boot.img:


I’ll use M8 / TM8 firmware (Amlogic S802) as an example. The exact procedure will vary between firmware files, but if you can boot.img, the procedure should be platform independent and work for any ARM SoC. After having downloaded and extracted the firmware file (TM8 ap6330_03102014A_0410_ROOT.rar), let’s create a working directory, and unzip the “OTA” file.


We now get a bunch of files, including boot.img. Great! Time to run split_bootimg.pl script to extract its content:


So we’ve got the kernel, a ramdisk, and a “second file” that happens to be the dtb file. We can now decompile it with dtc (device tree compiler) as follows:


That’s it. Here’s M8 device tree file.

I’ve done the same for Tronsmart Vega S89 (Elite). S89 firmware is usually distributed as an IMG file to be used with AML Flash Burning tool, but I haven’t found a way to extract such file yet. however, I’ve found an “OTA” firmware, to be updated via SD Card, on freaktab, and could extract the device tree file for Tronsmart Vega S89 Elite & Vega S89. Both M8 and S89 Elite DTD files are very similar, but the maximum CPU frequency seems to be higher in M8, and there are other apparently minor differences. Vega S89 DTD file appears to be much different however.

Support CNX Software - Donate via PayPal or become a Patron on Patreon

56
Leave a Reply

avatar
56 Comment threads
0 Thread replies
10 Followers
 
Most reacted comment
Hottest comment thread
23 Comment authors
floepmctiewTheDriveorinoco77Tony Recent comment authors
  Subscribe  
newest oldest most voted
Notify of
m][sko
Guest
m][sko

Did you finally boot up fully working kernel now?

Alain Theriault
Guest
Alain Theriault

This looks like fun… let me know how I can help.

gizmomelb
Guest
gizmomelb

hey cnxsoft, don’t know if it’s of any use – but I extracted the partitions with boot.img etc. on my Beelink 16GB (Tronsmart Standard S89 hardware-a-like) if those files are of any use to putter around in?

I’m mostly a windows guy, I need to set up a *nix box for playing around on (mm.. maybe I could use my raspberry pi for that).

Member

M8 is better then S89 Elite?
Antutu benchmark? I Can’t find anything good about m8 (S802).

Thanks

gizmomelb
Guest
gizmomelb

hey cnxsoft – I extracted the boot.img from the NAND using adb shell and some help from Finless Bob on freaktab.

http://www.freaktab.com/showthread.php?12472-factory-default-firmware-images&highlight=

I have the extracted files from the 100k4 NAND, I’ve since updated to 101k4 but haven’t extracted the files again (is there any point if we can unpack the firmware update?).

I’m happy to help out in any way I can. I have two Beelink M8 round boxes, one for testing – my USB -> serial cable/adapter arrived today as I need to update my Gotek floppy emulator (another project).

gizmomelb
Guest
gizmomelb

@Dante

Hi Dante! The square S802 boxes are going by the M8 brand, however Beelink have a round (Tronsmart S89 clone essentially – same motherboard, different firmware but you can flash with the S89 firmware) S802 device which is named M8 (and another one named S82). Confusing!

gizmomelb
Guest
gizmomelb

@cnxsoft

Hi cnxsoft – yeah I’ll go virtualbox or if I look around I can probably find an old VMDK VMware ubuntu image I was using to play around with thin client firmware from quite a few years back.

m][sko
Guest
m][sko

@cnxsoft
I don’t have any problem with debian 7.0 armhf rootfs with kernel 3.0 over NFS
But it is maybe that you use initrd https://www.ibm.com/developerworks/library/l-initrd/
As I build most amlogic modules as static as I don’t need any hotplug 🙂

I didn’t use linaro(Ubuntu).

m][sko
Guest
m][sko

@m][sko
my uboot paramters for AML8726-MX,
http://pastebin.com/V6bhWYqh

trackback

[…] the device tree file (DTD) for your device from its firmware image or, if not available, directly from the NAND […]

trackback

[…] quite possible you need to extract the device tree file from your firmware or […]

John
Guest
John

I have a problem: When run the command “split_bootimg.pl boot.img” i’m getting just kernel and ramdisk. I don’t have the second.gz file. What can i do?

John
Guest
John

@cnxsoft
Yes, my kernel version is less then 3.7. I have 3.4.5. In this what can i do to make my device tree?

Joel
Guest
Joel

I am in the same situation….no boot.img-second.gz file. LG Optimus Fx3Q, Android 4.1.2, kernel version unknown (I am running a custom one, but probably less than 3.7).

So all it takes is recompiling the kernel against a newer source? Are there any roadblocks/considerations/gremlins associated with such a task?

Joel
Guest
Joel

@cnxsoft

Would merging the kernel source with say, the Optimus F6 (a similar device, which I think has a 3.7+ kernel out there) be any easier? Or is that what you had in mind with my original question?

I’ve compiled Linux Kernels before (the Debian way), so merging the kernel sources, although daunting, seems less of a chore than writing a device tree by hand (especially when I don’t know where to start). Sadly, although similar, the F6 tree does not work for this device (ROM won’t compile).

Thanks for your opinion.

Member

Check and see if the device tree is exposed in /proc. Exposing it is a kernel option.

Also the dtc compiler is part of the Linux kernel tree. You don’t have to build it separately.

It is possible to append the DTB onto the end of the kernel image, in that case it is not a separate file. It is still there, just harder to get to.

Just because these chips are on Linux 3.10 does not force them onto device tree. I have several systems here still using board files on 3.10. I really, really wish these vendors could understand the benefits of contributing code to mainline and then start doing it. A few are starting but many more aren’t.

Hint to vendors – your pile of out of tree code that has to keep getting ported to each release is only going to growing larger and larger until it collapses and buries you. Once the code is in mainline that part of the pile will stop growing. This is nothing new and has been going on for twenty years. There are hundreds of dead companies out there that collapsed under the ever growing expense of maintaining proprietary Linux versions.

Li
Guest
Li

I got the blog has incorrect magic number error.

dtc -I dtb boot.img-second.gz -O dts -o meson8.dtd
DTC: dtb->dts on file “boot.img-second.gz”
FATAL ERROR: Blob has incorrect magic number

trackback

[…] I followed the instructions to extract a device tree file from Android, until I get boot.img-second.gz file, which I copied to the boot partition in the SD card with […]

mdel
Guest
mdel

cnxsoft :
I’ve done the same for Tronsmart Vega S89 (Elite). S89 firmware is usually distributed as an IMG file to be used with AML Flash Burning tool, but I haven’t found a way to extract such file yet

A quick follow up on that, it’s only for Amlogic but i found a way to get your dtb out of an .img update (not ota zip) blob.

I’m using Amlogic Customization Tool (apparently official tool sourced from some russian forums). It’s purpose is to edit an existing img data file and basically have access to any part of the data, including dtd/dts/dtb.

Here’s a link to the version of Customization Tool i’ve tested (2.0.7), including a pdf manual which describes how to configure java JDK on your windows (i had to use full paths everywhere as %JAVA_HOME% was not interpreted by my win7).

https://mega.nz/#F!aIkDUDhJ!UydfamKmRRKhkk6K_W8Apw

The software is in english, you have to set the first option from the second menu.

Now when you load the img file you can select various extraction options, “Edit DTD” will give you access to the dtd / dts / dtb files.
You can directly edit the DTS file, or copy it, you can also generate your “modified” dtb file, it is located in the “tmp” directory of the tool install folder.

I have taken that “extracted” dtb file and decoded it using dtc tool command as described above, it produced a dts file without errors.

I also have an OTA firmware (the next version) for the same device (“same” as far as i can tell, as it all comes from forums or blog websites), including the boot.img file.

So following the process described above i get a second dts file and both are almost identical, only one parameter differs (amlogic,setmask).
So i would assume the customization tool method is valid. I have not tested it against a kernel on that device, i’m not there yet.

one thing though, the dts produced directly inside the customization tool, is quite different from the one generated by dtc, but as far as i could tell it mostly concerns hex values being written as decimal and some data arrays being written inline.

hope it helps.

ugh
Guest
ugh

I try to copy text from the examples, and a bar appears over what I’m trying to copy. I select from below, copy, and it copies a bunch of line numbers. I triple-click to select a line, and the whole thing fades into a different style and discards my selection, so I have to make it again. I try to select another box, the bar appears and moves what I just tried to select down.

Dude, they’re boxes of text. Stop trying to be more clever than you are with this nonsense. It’s bad enough that you have a wall of about 90 fucking ads without giving people headaches just trying to copy text.

Jeff
Guest
Jeff

cnxsoft,

I will like to know, I have three different boxes, two uses the same S802 and one S812 and have Openelec.zip for all and the original .img and .zip. The architecture I reckon are all different ie: Ethernet chip etc.

I was able to pull the DTD for the M8 from your instructions above from the original K200-ota file fine, and I am sure can do the same for OpenELEC.zip. my question is.

If I have the LibreELEC.zip how can I put this DTD into it to boot? As I am having bootings issues with LE on the M8.

Jeff
Guest
Jeff

cnxsoft,

What I will like you to help me with is how to put this DTD I pulled into the a source code. You showed us how to pull the DTD of any Amlogic FW; now, can you show us how we can put this information into any source code.

Kutlay
Guest
Kutlay

i have a mtk device and i cant build kernel and our provider doesnt send an ota update how can i do? Can i try fake ota update? Thanks..

Annonymous
Guest
Annonymous

I didn’t get this command
” Writing boot.img-second.gz … complete. ”

I got the kernel and ramdisk file. so no dtb file extracted.
Well. I need these all foe compiling CM13

Vincent
Guest
Vincent

I didn’t get this command
” Writing boot.img-second.gz … complete. ”

I got the kernel and ramdisk file. so no dtb file extracted.

Help!

Vincent
Guest
Vincent

@cnxsoft
Hi,

Thanks for the quick reply. The device is Xiaomi Mi 5, Kernel version 3.18.20

So what should be done in my case?

Thanks!

Shams Sayied
Guest
Shams Sayied

Hi, My entire mobile firmware file link is here ==>

https://drive.google.com/file/d/0B1dRSby1cq8jU3FiOG1fZjFsVEk/view?usp=sharing

Would you please give me device and vendor tree??

Shams Sayied
Guest
Shams Sayied

@cnxsoft
Bro there is no kernel for my device.

MBD
Guest
MBD

Why my Second size: 0 (0x00000000)?

Page size: 2048 (0x00000800)
Kernel size: 4759152 (0x00489e70)
Ramdisk size: 1690049 (0x0019c9c1)
Second size: 0 (0x00000000)
Board name:
Command line:
Writing boot.img-kernel … complete.
Writing boot.img-ramdisk.gz … complete.

—-
I used boot.img size 8M from Samsung S3 device

eugene28
Guest
eugene28

dtb.img file extracted from boot.img this way, not compatible with latest Libreelec, Ubuntu images. Do you know why?

Tony
Guest
Tony

What is the use of this .dts file?
How to use it to compile kernel without source using a similar device’s kernel source ?