Coby Kyros MID1125 Boot Image Analysis
Header Structure
This is from bootimg.h in the Android source:
struct boot_img_hdr
{
unsigned char magic[BOOT_MAGIC_SIZE];
unsigned kernel_size; /* size in bytes */
unsigned kernel_addr; /* physical load addr */
unsigned ramdisk_size; /* size in bytes */
unsigned ramdisk_addr; /* physical load addr */
unsigned second_size; /* size in bytes */
unsigned second_addr; /* physical load addr */
unsigned tags_addr; /* physical addr for kernel tags */
unsigned page_size; /* flash page size we assume */
unsigned unused[2]; /* future expansion: should be 0 */
unsigned char name[BOOT_NAME_SIZE]; /* asciiz product name */
unsigned char cmdline[BOOT_ARGS_SIZE];
unsigned id[8]; /* timestamp / checksum / sha1 / etc */
};
Kyros Header
Hex dump:
00000000 41 4e 44 52 4f 49 44 21 00 d5 4b 00 00 80 00 40 |ANDROID!..K....@|
00000010 09 b3 0b 00 00 00 00 41 00 00 00 00 00 00 f0 40 |.......A.......@|
00000020 00 01 00 40 00 20 00 00 00 00 00 00 00 00 00 00 |...@. ..........|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 63 6f 6e 73 6f 6c 65 3d 74 74 79 54 43 43 2c 31 |console=ttyTCC,1|
00000050 31 35 32 30 30 6e 38 00 00 00 00 00 00 00 00 00 |15200n8.........|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000240 97 3a 04 0b bb 90 5c c1 e0 b9 b2 5d 1f d9 80 62 |.:....\....]...b|
00000250 9e 75 c7 54 00 00 00 00 00 00 00 00 00 00 00 00 |.u.T............|
00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000800
Decoded:
magic[] = "ANDROID!";
kernel_size = 4969728; /* 607 pages */
kernel_addr = 0x40008000;
ramdisk_size = 766729; /* 94 pages */
ramdisk_addr = 0x41000000;
second_size = 0;
second_addr = 0x0;
tags_addr = 0x40000100;
page_size = 8192; /* 8k */
unused[] = {0x0, 0x0};
name[] = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0};
cmdline[] = "console=ttyTCC,115200n8";
id[] = {0x0b043a97, 0xc15c90bb, 0x5db2b9e0, 0x6280d91f, 0x54c7759e, 0x0, 0x0, 0x0};
Extracting
The page_size is the size in bytes of a flash page. Each section is an integral number of flash pages. To find the number of pages, divide the section size in bytes by the page size in bytes and round up.
Extract the sections:
mkdir boot; cd boot
dd if=../boot.img bs=8192 count=1 of=header
dd if=../boot.img bs=8192 skip=1 count=607 of=kernel
dd if=../boot.img bs=8192 skip=608 count=94 of=ramdisk.gz
dd if=../boot.img bs=8192 skip=302 of=junk
Extract the ramdisk contents:
mkdir ramdisk; cd ramdisk
cat ../ramdisk.gz | gunzip -c | cpio -i
Recovery Image
Hex dump:
00000000 41 4e 44 52 4f 49 44 21 20 5b 4d 00 00 80 00 40 |ANDROID! [M....@|
00000010 78 1c 1c 00 00 00 00 41 00 00 00 00 00 00 f0 40 |x......A.......@|
00000020 00 01 00 40 00 20 00 00 00 00 00 00 00 00 00 00 |...@. ..........|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 63 6f 6e 73 6f 6c 65 3d 74 74 79 54 43 43 2c 31 |console=ttyTCC,1|
00000050 31 35 32 30 30 6e 38 00 00 00 00 00 00 00 00 00 |15200n8.........|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000240 09 1c 0e df 29 d9 b9 4b 34 f6 dc 4b 38 e6 d0 24 |....)..K4..K8..$|
00000250 41 77 00 35 00 00 00 00 00 00 00 00 00 00 00 00 |Aw.5............|
00000260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00002000
Decoded:
page_size = 8192;
kernel_size = 5069600; /* 619 pages */
ramdisk_size = 1842296; /* 225 pages */
Extract sections:
mkdir recovery; cd recovery
dd if=../recovery.img bs=8192 count=1 of=header
dd if=../recovery.img bs=8192 skip=1 count=619 of=kernel
dd if=../recovery.img bs=8192 skip=620 count=225 of=ramdisk.gz
dd if=../recovery.img bs=8192 skip=845 of=junk
yaffs2 images
yaffs2utils/bin/unyaffs2 cache.img cache
yaffs2utils/bin/unyaffs2 data.img data
yaffs2utils/bin/unyaffs2 system.img system