Nexus5 bootloader内容初探及延伸思考编译使用
Nexus5 bootloader内容初探及延伸思考编译使用
用户2930595
发布于 2018-08-23 09:45:22
发布于 2018-08-23 09:45:22
在Android启动过程分析-从按下电源键到第一个用户进程[转载]中,我们知道BootLoader是在操作系统前执行的程序,有没有很好奇它到底有些啥内容呢?
正好,发现Github上有相关的项目:https://github.com/difcareer/nexus_5_bootloader_unpacker,手头也正好有个nexus5,那就一起来探索一下它的内容吧。
编译
gcc bootloader_unpacker.c -o bunp这里应该没啥问题。
gcc -o iunp imgdata_tool.c -lpngMac编译这个报错fatal error: 'png.h' file not found。那先装一下这个库:
sudo port install libpng看看位置:
Port libpng contains:
/opt/local/bin/libpng-config
/opt/local/bin/libpng16-config
/opt/local/bin/png-fix-itxt
/opt/local/bin/pngfix
/opt/local/include/libpng16/png.h
/opt/local/include/libpng16/pngconf.h
/opt/local/include/libpng16/pnglibconf.h
/opt/local/include/png.h
/opt/local/include/pngconf.h
/opt/local/include/pnglibconf.h
/opt/local/lib/libpng.a
/opt/local/lib/libpng.dylib
/opt/local/lib/libpng16.16.dylib
/opt/local/lib/libpng16.a
/opt/local/lib/libpng16.dylib
/opt/local/lib/pkgconfig/libpng.pc
/opt/local/lib/pkgconfig/libpng16.pc
/opt/local/share/doc/libpng/ANNOUNCE
/opt/local/share/doc/libpng/CHANGES
/opt/local/share/doc/libpng/LICENSE
/opt/local/share/doc/libpng/README
/opt/local/share/doc/libpng/TODO
/opt/local/share/doc/libpng/examples/example.c
/opt/local/share/man/man3/libpng.3.gz
/opt/local/share/man/man3/libpngpf.3.gz
/opt/local/share/man/man5/png.5.gz指定头文件和链接库编译:
gcc -o iunp imgdata_tool.c -I/opt/local/include -L/opt/local/lib -lpngok了。
使用
编译好bunp和iunp后,开始使用吧,我看了我的bootloader version是hhz12h,于是就在网上搜到了下载地址。
./bunp [-v] <bootloader.img>带上-v,会在解包的同时输出更多信息:
$ ./bunp -v ~/Downloads/bootloader-hammerhead-hhz12h.img
magic: BOOTLDR
num_images: 6
start_offset: 512
bootldr_size: 3193540
Unpacking image 1 = sbl1 to sbl1.img (size: 310836)
Unpacking image 2 = tz to tz.img (size: 285848)
Unpacking image 3 = rpm to rpm.img (size: 156040)
Unpacking image 4 = aboot to aboot.img (size: 334780)
Unpacking image 5 = sdi to sdi.img (size: 18100)
Unpacking image 6 = imgdata to imgdata.img (size: 2087936)
...
$ ll
total 6256
-rw-r--r-- 1 andr0day staff 327K 4 19 12:44 aboot.img
-rw-r--r-- 1 andr0day staff 2.0M 4 19 12:44 imgdata.img
-rw-r--r-- 1 andr0day staff 152K 4 19 12:44 rpm.img
-rw-r--r-- 1 andr0day staff 304K 4 19 12:44 sbl1.img
-rw-r--r-- 1 andr0day staff 18K 4 19 12:44 sdi.img
-rw-r--r-- 1 andr0day staff 279K 4 19 12:44 tz.img可以看到被解包出6个image。
使用iunp进一步解包imagdata.img:
$ ./iunp -x imgdata.img
boot.png
charger.png
unlocked.png
start.png
bootloader.png
recovery.png
poweroff.png
fastboot_op.png
oem_unlock.png
unlock_yes.png
unlock_no.png
downloadmode.png
oem_laf.png
laf_yes.png
laf_no.png可以看到imgdata.img里面全是png图片。
那么,有没有想过,我们刷机的刷的img保存在手机的什么位置呢?
在/dev/block下:
ll /dev/block/platform/msm_sdcc.1/by-name/
lrwxrwxrwx root root 1970-11-20 01:02 DDR -> /dev/block/mmcblk0p24
lrwxrwxrwx root root 1970-11-20 01:02 aboot -> /dev/block/mmcblk0p6
lrwxrwxrwx root root 1970-11-20 01:02 abootb -> /dev/block/mmcblk0p11
lrwxrwxrwx root root 1970-11-20 01:02 boot -> /dev/block/mmcblk0p19
lrwxrwxrwx root root 1970-11-20 01:02 cache -> /dev/block/mmcblk0p27
lrwxrwxrwx root root 1970-11-20 01:02 crypto -> /dev/block/mmcblk0p26
lrwxrwxrwx root root 1970-11-20 01:02 fsc -> /dev/block/mmcblk0p22
lrwxrwxrwx root root 1970-11-20 01:02 fsg -> /dev/block/mmcblk0p21
lrwxrwxrwx root root 1970-11-20 01:02 grow -> /dev/block/mmcblk0p29
lrwxrwxrwx root root 1970-11-20 01:02 imgdata -> /dev/block/mmcblk0p17
lrwxrwxrwx root root 1970-11-20 01:02 laf -> /dev/block/mmcblk0p18
lrwxrwxrwx root root 1970-11-20 01:02 metadata -> /dev/block/mmcblk0p14
lrwxrwxrwx root root 1970-11-20 01:02 misc -> /dev/block/mmcblk0p15
lrwxrwxrwx root root 1970-11-20 01:02 modem -> /dev/block/mmcblk0p1
lrwxrwxrwx root root 1970-11-20 01:02 modemst1 -> /dev/block/mmcblk0p12
lrwxrwxrwx root root 1970-11-20 01:02 modemst2 -> /dev/block/mmcblk0p13
lrwxrwxrwx root root 1970-11-20 01:02 pad -> /dev/block/mmcblk0p7
lrwxrwxrwx root root 1970-11-20 01:02 persist -> /dev/block/mmcblk0p16
lrwxrwxrwx root root 1970-11-20 01:02 recovery -> /dev/block/mmcblk0p20
lrwxrwxrwx root root 1970-11-20 01:02 rpm -> /dev/block/mmcblk0p3
lrwxrwxrwx root root 1970-11-20 01:02 rpmb -> /dev/block/mmcblk0p10
lrwxrwxrwx root root 1970-11-20 01:02 sbl1 -> /dev/block/mmcblk0p2
lrwxrwxrwx root root 1970-11-20 01:02 sbl1b -> /dev/block/mmcblk0p8
lrwxrwxrwx root root 1970-11-20 01:02 sdi -> /dev/block/mmcblk0p5
lrwxrwxrwx root root 1970-11-20 01:02 ssd -> /dev/block/mmcblk0p23
lrwxrwxrwx root root 1970-11-20 01:02 system -> /dev/block/mmcblk0p25
lrwxrwxrwx root root 1970-11-20 01:02 tz -> /dev/block/mmcblk0p4
lrwxrwxrwx root root 1970-11-20 01:02 tzb -> /dev/block/mmcblk0p9
lrwxrwxrwx root root 1970-11-20 01:02 userdata -> /dev/block/mmcblk0p28一目了然。我们check一下,比如将imgdata pull 下来解包看看:
adb root
adb pull /dev/block/mmcblk0p17 imgdata.img
./iunp -x imgdata.img可以成功解包出png文件。
顺便,我们验证一下boot.img:
adb pull /dev/block/mmcblk0p19使用Android boot.img的解包/修改/重打包里面的工具进行解包:
./unpack-bootimg.sh boot.img成功解出来了。
于是,一些之前没想明白的地方现在想通了。
- 为什么需要使用fastboot来刷img? 我们知道使用fastboot时,手机需要进入bootloader模式,此时手机还没有没有加载kernel,权限还是最高权限,通过usb传递的数据,被手机接收后,可以写入到/dev/block下(看一下前面这个目录的权限)。
- 可以不用fastboot来刷img么? 既然我们知道了刷机刷到手机的哪个位置,那自然是可以不用fastboot来刷机的,当然,为了写入/dev/block,我们需要root权限。(这个我倒没试过,理论上是可行的,刷完手机需要重启一下,那既然这样,还不如用fastboot刷)
- 结合
mount信息,我们能了解更多:
# mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
none /sys/fs/cgroup tmpfs rw,seclabel,relatime,mode=750,gid=1000 0 0
tmpfs /mnt/asec tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,nomblk_io_submit,noauto_da_alloc,errors=panic,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,nomblk_io_submit,noauto_da_alloc,errors=panic,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/persist /persist ext4 rw,seclabel,nosuid,nodev,relatime,nomblk_io_submit,nodelalloc,errors=panic,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/modem /firmware vfat ro,relatime,uid=1000,gid=1000,fmask=0337,dmask=0227,codepage=cp437,iocharset=iso8859-1,shortname=lower,errors=remount-ro 0 0
/dev/fuse /mnt/shell/emulated fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0比如/system,就是将/dev/block/platform/msm_sdcc.1/by-name/system挂在为ext4的文件系统,就可以操作里面的数据了,当然,我们直接访问/dev/block/platform/msm_sdcc.1/by-name/system是打不开的,必须得挂载了使用。
- 清数据 现在看来,清数据其实很容易,比如使用fastboot命令时,有参数可以控制清除分区的数据,现在看来就很简单了。
本文参与 腾讯云自媒体分享计划,分享自作者个人站点/博客。
原始发表:2018.04.19 ,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录