How to extract kernel.img with mkboot script

As I tried instructions to install Linux on Amlogic S905 Android TV boxes yesterday, I wanted to extract kernel.img file found in Android firmware, but Google did not help that much until I found mkboot part of mkbootimg_tools scripts.
mkboot

But first let’s see how kernel.img is created… Google provide a Python script called mkbootimg that combine the kernel image (e,.g. zImage), a rootfs/ramdisk and the device tree (DTB) file with a command line that looks like:


However, AFAIK the company does not provide a “unmkbootimg” script, and mkbootimg can only be used to create kernel.img, not decompile it. But that’s what mkboot does, and it works for kernel.img and recovery.img. Let’s retrieve the necessary files first:


mkboot is a bash script so we can use it right away:


So it can be used both for unpacking and repacking kernel.img to/from the output directory. Let’s run the command with an actual kernel.img file:


The script has indeed decompiled kernel.img with the kernel itself, the ramdisk (compressed and decompressed), and second.img that’s the DTB file. img_info contains the information shown during extraction above.


second.img and second.img.tmp files differ in size, so I ran through dtc to get the readable device tree file,. and the resulting files are identical:


So the tmp files must have had some padding, that the script stripped to create second.img.

In theory, you can change the kernel files, randisk or device tree, and repack everything with:


but it did not quite work here:


If we look a the first ./mkbootimg command in this post we can see some different offset in the decompile image, so I changed img_info as per the first command line, with base=0, kernel_offset=0x01080000, and ramdisk_offset=0x01000000, and it all worked out OK:

Share this:

Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress

ROCK Pi 4C Plus
Subscribe
Notify of
guest
The comment form collects your name, email and content to allow us keep track of the comments placed on the website. Please read and accept our website Terms and Privacy Policy to post a comment.
2 Comments
oldest
newest
Stane1983
8 years ago

“So the tmp files must have had some padding, that the script stripped to create second.img.”

Amlogic ditched their dtd format and they are using dts standard kernel format on 3.14 kernel. There are couple of dts files included in final eg p200 board dts file. These included files contain default values which are not board specific. I assume (didn’t check) that .tmp or first file you have is that 1st part with included file(s).

Khadas VIM4 SBC