解包Android的boot.img

我們知道Adnroid的Boot.img包其實就是就是把kernel和ramdisk.img再加一個page的頭碼成的。其結構就如下所示

/*
** +-----------------+ 
** | boot header     | 1 page
** +-----------------+
** | kernel          | n pages  
** +-----------------+
** | ramdisk         | m pages  
** +-----------------+
** | second stage    | o pages
** +-----------------+
**
** n = (kernel_size + page_size - 1) / page_size
** m = (ramdisk_size + page_size - 1) / page_size
** o = (second_size + page_size - 1) / page_size
**
** 0. all entities are page_size aligned in flash
** 1. kernel and ramdisk are required (size != 0)
** 2. second is optional (second_size == 0 -> no second)
** 3. load each element (kernel, ramdisk, second) at
**    the specified physical address (kernel_addr, etc)
** 4. prepare tags at tag_addr.  kernel_args[] is
**    appended to the kernel commandline in the tags.
** 5. r0 = 0, r1 = MACHINE_TYPE, r2 = tags_addr
** 6. if second_size != 0: jump to second_addr
**    else: jump to kernel_addr
*/  

參考android的mkbootfs的源碼和網上的一些資料寫了一個解壓boot.img的程序。代碼實在是太丑了。寫得有點急，就只管功能了~(大神繞過）

費話不說，上代碼。

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>

//#include "mincrypt/sha.h"
//typedef struct boot_img_hdr boot_img_hdr;

#define BOOT_MAGIC "ANDROID!"
#define BOOT_MAGIC_SIZE 8
#define BOOT_NAME_SIZE 16
#define BOOT_ARGS_SIZE 512



struct boot_img_hdr
{
	unsigned char magic[BOOT_MAGIC_SIZE];
	
	unsigned kernel_size;
	unsigned kernel_addr;
	
	unsigned ramdisk_size;
	unsigned ramdisk_addr;
	
	unsigned second_size;
	unsigned second_addr;
	
	unsigned tags_addr;
	unsigned page_size;
	unsigned unused[2];
	
	unsigned char name[BOOT_NAME_SIZE];
	unsigned char cmdline[BOOT_ARGS_SIZE];

	unsigned id[8];

};


static void *load_file(const char *fname)
{
	int fd;
	int img_size;
	char *buffer;

	 fd=open(fname, O_RDONLY);
        if(fd < 0)
        {
                return 0;
        }

        img_size = lseek(fd, 0, SEEK_END);
        if(img_size < 0) goto oops;

	printf("\nimg_size is %d\n",img_size);
        if(lseek(fd, 0, SEEK_SET) !=0) goto oops;

        buffer = (char *) malloc(img_size);
        if(buffer == 0) goto oops;

        if(read(fd, buffer, img_size) != img_size) goto oops;
		


	return buffer;
	printf("you cant't see this\n");

oops:
        close(fd);
        if(buffer != 0) free(buffer);
        return 0;

}


int main(int argc, char ** argv)
{
	struct boot_img_hdr hdr;	
	int pagesize=2048;
	char boot_name[10];
	char *ramdisk_name="ramdisk.img";
	char *kernel_name="kernel";
	int num_kpage;
	int img_size;
	void *image_buffer;
	char * kernel_buffer;
	char * ramdisk_buffer;
	int kfd;
	int rfd;

	memset(&hdr, 0, sizeof(hdr));
	
	if(argc != 2)
	{
		printf("Paramater error\n");
		exit(0);
	}
	strcpy(boot_name, argv[1]);
	
	image_buffer = load_file(boot_name);
	
	memcpy(&hdr, image_buffer, sizeof(hdr));
	
	printf("kernel_size is%d\nkernel_addr is%d\nramdisk_size is%d\nramdisk_addr is%d\ncommand_line%s\n", hdr.kernel_size, hdr.kernel_addr,hdr.ramdisk_size, hdr.ramdisk_addr,hdr.cmdline);
	
	kernel_buffer = (char *) malloc(hdr.kernel_size);
	memcpy(kernel_buffer, image_buffer+2048, hdr.kernel_size);

	kfd = open(kernel_name, O_CREAT | O_TRUNC | O_WRONLY, 0644);	
	if((write(kfd,kernel_buffer,hdr.kernel_size)!=hdr.kernel_size))
	{
		printf(" write kernel fail\n");
	}
	
	num_kpage= (hdr.kernel_size+ pagesize -1)/pagesize;
	num_kpage++;
	ramdisk_buffer = (char *) malloc(hdr.ramdisk_size);
	
	
	memcpy(ramdisk_buffer, image_buffer+num_kpage*2048, hdr.ramdisk_size);
	rfd = open(ramdisk_name, O_CREAT | O_TRUNC | O_WRONLY, 0644);
	if((write(rfd,ramdisk_buffer,hdr.ramdisk_size)!=hdr.ramdisk_size))
	{
		printf(" write ramdisk.img fail\n");
	}

	printf("\nUnpack to %s , %s \n",kernel_name,ramdisk_name);	
	printf("unpacking finished!\n\n");

	free(kernel_buffer);
	close(kfd);
	free(ramdisk_buffer);
	close(rfd);
	free(image_buffer);
	
	printf("=======================================\n\n");
	return (0);

}

作者：華

轉載請注明出處：http://blog.csdn.net/godisagirl2/article/details/8664808