[Without PC] Unpack, Edit, Repack boot.img

Modding.MyMind

Guest
Hello friends, I'm back again with something I wish to share with you all. I have compiled three files to work flawlessly for ARM devices which will allow users to unpack, edit, and repack their boot.img without the use of a PC and all straight from their device.

---unmkbootimg, mkbootfs, mkbootimg---

Click here for the source on my Github.
Hey guys, since I have made this thread a while back there has been a LOT of changes made to the resource. For starters, it is now a multi call binary. In addition, I have updated mkbootfs for better support, mkbootimg.c has dt support, unmkbootimg.c has dt support, bootimg.h has dt support, as well as adding dtbtool, and dtc. Let's not also forget about lz4 for those whose ramdisks are not gz compressed. I am continuously making changes to the source and the op attachment will not be kept up to date. To stay up to date you will need to build the multi call binary from the source provided by the link above. Just simply run: make multi.

Note:
-- The mkbootimg binary is based upon the AOSP with some added modifications to work in conjunction with unmkbootimg.
-- The unmkbootimg binary is based on the original mkbootimg source but with reverse engineering to complement its helpful use in extraction and thus providing the needed command to rebuild properly.
-- The mkbootfs binary is based on the source provided within the dsixda kitchen to ensure the proper structural repacking of the ramdisk, etc.


Requirements:
-- BusyBox (cpio, gunzip and gzip are mandatory)
-- /System Write Permissions (Does not need to be a modified kernel)
-- Terminal Emulator
-- ES File Explorer (or similar)
-- Hex Editor (or use of DD)

-- Unzip boot_manipulation.zip on your device and copy the three files over to /system/bin. Those three files inside the .zip will be named unmkbootimg, mkbootfs and mkbootimg.
-- EDIT: I have included a flashable zip for these files.
-- Set permissions to rwxr-xr-x (755) on each binary. Note: The flash zip does this already.

-- Open up your android terminal emulator.

-- Now go ahead and pull your boot.img from your device (or use another one if you wish). Here is an example:
Code:
root@android:/ # dd if=/dev/block/mmcblk0p20 of=/data/local/tmp/boot.img
dd if=/dev/block/mmcblk0p20 of=/data/local/tmp/boot.img
32768+0 records in
32768+0 records out
16777216 bytes transferred in 1.496 secs (11214716 bytes/sec)
root@android:/ #

-- Open up your boot.img with the Hex Editor and look for: ANDROID!. Remove everything before it so that the ANDROID! header is the first to be read then save it over top of the boot.img. NOTE: This is only required if you are using a stock boot.img. Here is an example:
Code:
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  A5 F0 BA B7 B0 43 E3 F8 3C E1 63 55 AE 75 C6 69  ¥ðº·°Cãø<ácU®uÆi
00000010  11 27 16 2F 51 48 E5 41 6F ED E1 7D C9 61 FB 3B  .'./QHåAoíá}Éaû;
00000020  5F 45 49 EE 48 79 6E 4E FB DE 18 FC A0 F4 9A C3  _EIîHynNûÞ.ü*ôšÃ
00000030  43 11 35 67 AD 7E 2F D8 F6 E8 B1 4D 7D E0 45 B6  C.5g.~/Øöè±M}àE¶
00000040  E2 08 5F 0B 56 7F 45 71 3D 38 E2 C4 76 3E 53 EE  â._.V.Eq=8âÄv>Sî
00000050  A4 3D 83 9F A2 BE D5 F4 75 5D B5 08 4E CC 9B BC  ¤=ƒŸ¢¾Õôu]µ.NÌ›¼
00000060  7F 7A 9E 3D 4B 19 1B 91 6D FB 82 A0 B5 A8 38 88  .zž=K..‘mû‚*µ¨8ˆ
00000070  25 07 B5 1B 74 A2 03 62 BE 78 FA 33 96 A0 32 70  %.µ.t¢.b¾xú3–*2p
00000080  05 56 50 EF 88 C1 F3 73 E4 C5 73 6A 4E F8 CA 0A  .VPïˆÁósäÅsjNøÊ.
00000090  D7 EF 2A 7F 09 30 21 BF 63 61 35 9A 9B 8A 62 42  ×ï*..0!¿ca5š›ŠbB
000000A0  28 C2 78 08 B0 CD 94 5F 7E EC F6 BA AD E6 AE 23  (Âx.°Í”_~ìöº.æ®#
000000B0  3E FD D8 A0 F1 F6 6D E2 D9 1E 2C E5 9F 91 84 92  >ýØ*ñömâÙ.,埑„’
000000C0  2E F0 6E 3C 1D 2B 1A D5 61 18 B2 F4 E0 66 B5 2F  .ðn<.+.Õa.²ôàfµ/
000000D0  AE 97 9F F8 53 65 CE ED 68 43 4B 2B D5 A1 B6 D9  ®—ŸøSeÎíhCK+Õ¡¶Ù
000000E0  7D 36 CE A9 CC EC F4 5A 07 D8 99 5A 91 CC 8F 71  }6ΩÌìôZ.Ø™Z‘Ì.q
000000F0  A1 8D D7 82 C3 20 AB 7A 07 68 10 2D CC F6 A8 F9  ¡.ׂà «z.h.-Ìö¨ù
00000100  41 4E 44 52 4F 49 44 21 08 D6 56 00 00 80 40 80  ANDROID!.ÖV..€@€
00000110  0E F0 07 00 00 80 80 81 00 00 00 00 00 00 30 81  .ð...€€.......0.
00000120  00 01 40 80 00 08 00 00 00 00 00 00 00 00 00 00  ..@€............
00000130  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

-- Please note, HTC uses a 256 bit signature prior to the ANDROID! magic found in the boot.img. This may vary with other devices so keep that in mind. To remove the 256 bit junk so the boot.img is read properly you can use a hex editor and delete it or you can use DD. The following dd command I will be using is based on K2_CL in regards to the partition for our boot.img. Please make necessary adjustments to this command by ensuring you know the location and whereabouts of your own boot.img; Example:
Code:
dd bs=256 skip=1 if=/dev/block/mmcblk0p20 of=/data/local/tmp/boot.img

-- Alright, so we have the unmkbootimg, mkbootfs and mkbootimg located in /system/bin. We have pulled our boot.img and removed the junk before the magic android value: ANDROID!. Let's continue.

-- Go back to your android terminal emulator and change directories to /data/local/tmp. Here is an example:
Code:
root@android:/ # cd /data/local/tmp
cd /data/local/tmp
root@android:/data/local/tmp #

-- Now run unmkbootimg. Here is an example:
Code:
root@android:/data/local/tmp # unmkbootimg -i boot.img
unmkbootimg -i boot.img
kernel written to 'kernel' (5690888 bytes)
ramdisk written to 'ramdisk.cpio.gz' (521735 bytes)

To rebuild this boot image, you can use the command:
  mkbootimg --base 0 --pagesize 2048 --kernel_offset 0x80408000 --ramdisk_offset 0x81808000 --second_offset 0x81300000 --tags_offset 0x80400100 --cmdline 'console=ttyHSL0,115200,n8 user_debug=31' --kernel kernel --ramdisk ramdisk.cpio.gz -o boot.img
root@android:/data/local/tmp #

-- Before you go any further, copy all text within your android terminal emulator and paste it into a text document. I personally use 920 Text Editor from the play store. You will do this so when the time comes you can open it back up and copy/paste the command to rebuild your boot.img as listed (This will save you some time).

-- Congratulations, you have done well so far. By typing and entering the command 'ls', you can see what all is in your directory. Here is an example:
Code:
root@android:/data/local/tmp # ls
ls
boot.img
init.rc
kernel
ramdisk.cpio.gz
root@android:/data/local/tmp #

-- Now let's create a folder and let's call it ramdisk. Here is an example:
Code:
root@android:/data/local/tmp # mkdir ramdisk
mkdir ramdisk
root@android:/data/local/tmp #

-- Now let's change directories to that ramdisk folder. Here is an example:
Code:
root@android:/data/local/tmp # cd ramdisk
cd ramdisk
root@android:/data/local/tmp/ramdisk #

-- Go ahead and extract ramdisk.cpio.gz. Here is an example:
Code:
root@android:/data/local/tmp/ramdisk # gunzip -c ../ramdisk.cpio.gz | cpio -i
isk.cpio.gz | cpio -i     <                                                   
1851 blocks
root@android:/data/local/tmp/ramdisk #

-- Congratulations, you have done well so far. By typing and entering the command 'ls', you can see what all is in your directory. Here is an example:
Code:
root@android:/data/local/tmp/ramdisk # ls
ls
cwkeys
data
default.prop
dev
fstab.k2_cl
init
init.goldfish.rc
init.qcom.rc
init.qcom.sh
init.rc
init.target.rc
init.target.recovery.rc
init.trace.rc
init.usb.rc
proc
sbin
sys
system
ueventd.goldfish.rc
ueventd.rc
ueventd.target.rc
root@android:/data/local/tmp/ramdisk #

-- Now feel free at this point to make your edits within the ramdisk folder. When complete then come back and we shall finish the job.

-- Go ahead and move back out of the ramdisk folder by the following command:
Code:
root@android:/data/local/tmp/ramdisk # cd ..
cd ..
root@android:/data/local/tmp #

-- You should now be in /data/local/tmp/.

-- Let's go ahead and repack the contents found in the ramdisk folder. Here, we will make use of the mkbootfs binary. Please take note that your original is named 'ramdisk.cpio.gz'. Here we will be repacking and renaming it to 'myramdisk.gz'. Here is an example:
Code:
root@android:/data/local/tmp # mkbootfs ./ramdisk | gzip > myramdisk.gz
mkbootfs ./ramdisk | gzip > myramdisk.gz
root@android:/data/local/tmp #

-- Open up your saved text file as instructed earlier and scroll to where you see this:
Code:
To rebuild this boot image, you can use the command:
  mkbootimg --base 0 --pagesize 2048 --kernel_offset 0x80408000 --ramdisk_offset 0x81808000 --second_offset 0x81300000 --tags_offset 0x80400100 --cmdline 'console=ttyHSL0,115200,n8 user_debug=31' --kernel kernel --ramdisk ramdisk.cpio.gz -o boot.img

-- Look for --ramdisk ramdisk.cpio.gz and ENSURE you change it to --ramdisk myramdisk.gz. Also go ahead and change boot.img to modboot.img. Now copy the mkbootimg command and paste it into your android terminal emulator. Press enter.

-- There are multiple ways you can apply the new boot.img. The smartest way would be to use fastboot so that you may boot the image vice flashing it in case you screwed something up on your own accord. However, I personally will write the boot.img straight to the boot partition using dd, then I reboot the device. If you wish to do the same then that is fine.

-- Now you have your new Modded Boot Image. Enjoy, and as always... CLICK THANKS if this was helpful to you and....

--- Happy Hunting!!!
 

Last edited:
Modding.MyMind

Guest
MKBOOTIMG-TOOLS

GITHUB SOURCE:
https://github.com/ModdingMyMind/mkbootimg_tools

Original Author: xiaolu (GITHUB SOURCE: https://github.com/xiaolu/mkbootimg_tools)
Heavily Modified By: @Modding.MyMind

This project is originally based from xiaolu. To make this compatible for ARM I modified the script, compiled some binaries such as file, bash, grep, gzip, lzma, xz, mkbootimg, etc.

-- This project uses busybox but due to how stripped and limited busybox is ultimately led to me having to compile a few binaries from source. These binaries must be part of the project in order for the project to be successful. For example, busybox grep will not always give accurate offsets for the android header. One of MANY bugs found with busybox.

This project supports device tree binaries found inside the Boot.img and Recovery.img.

This project supports multiple Ramdisk compressions.

-- This project will check the ramdisk compression and if it determines that the tool does not support that particular compression then it will display a hazard warning letting the user know that the compression is not supported and that the ramdisk currently cannot be decompressed or compressed until support has been officially added.
-- If the compression is supported it will display what type of compression the Ramdisk is and how many blocks it has when unpacked.

This project will determine your kernel size, ramdisk size, and TRUE OFFSETS (not just the standard mkbootimg.c offsets).

-- With respect to the offsets; You will learn that many available tools found available specifically handle images where the ANDROID! header is located at 0x0. Not all images are built like this from stock. This project will find the header, base, kernel offset, ramdisk offset, second offset, and tags offset. It will rebuild the image using DD to ensure the android header is located at 0x0. The found offsets inside the image will be cross referenced to see if the OEM of that image built it using the standard mkbootimg.c. If it detects any offsets which are built using NON-standard offsets then it will display a warning as well as show you what the image TRUE offsets actually are. Those same offsets are then applied to properly rebuild your image to ensure that it boots like it was intended to do.
-- The warning will let you know that you may modify mkbootimg.c with the NON-standard values if you wish to have a binary specific to your device. The offsets displayed are not the address. Because the offsets are determined and not the address this makes it possible for this project to not have to rebuild mkbootimg.c. When the project is used to rebuild your image using the mkbootimg args such as --ramdisk_offset, --kernel_offset, etc, etc, this then tells mkbootimg.c to ignore the hardcoded offsets and only use the ones it has been instructed to use. This is even more successful by ensuring the BASE is accurate and applying the base as one of the mkbootimg args (--base 0 <-- this is lazy and stupid).

The mkboot script requires two args whether unpacking the image or repacking the image.

-- mkboot boot.img bootfolder (This will unpack the image)
1. mkboot is the script.
2. boot.img is the actual image.
3. bootfolder will be created and become the project folder.

-- mkboot bootfolder newboot.img (This will repack the image)
1. mkboot is the script.
2. bootfolder is the project folder which has the needed files and information to repack.
3. This will be the name of the finished build.


UNPACK STANDARD IMAGE

This image uses standard mkbootimg.c:
root@android:/data/local/tmp/mkbootimg_tools-master # ./mkboot boot.img work

Unpack & decompress boot.img to work

kernel : zImage
ramdisk : ramdisk
page size : 2048
kernel size : 2529072
ramdisk size : 230255
base : 0x12200000
kernel offset : 0x00008000
ramdisk offset : 0x01000000
second_offset : 0x00f00000
tags offset : 0x00000100
cmd line : mem=471M console=ttyMSM2,115200n8 androidboot.hardware=thunderc lge.rev=10

Ramdisk is lzma format.
1436 blocks
Unpack completed.

root@android:/data/local/tmp/mkbootimg_tools-master #

REPACK STANDARD IMAGE

Image repacked with standard mkbootimg.c:
root@android:/data/local/tmp/mkbootimg_tools-master # ./mkboot work boot.img

mkbootimg from work/img_info.

kernel : zImage
ramdisk : new_ramdisk.lzma
page size : 2048
kernel size : 2529072
ramdisk size : 230029
base : 0x12200000
kernel offset : 0x00008000
ramdisk offset : 0x01000000
tags offset : 0x00000100
cmd line : mem=471M console=ttyMSM2,115200n8 androidboot.hardware=thunderc lge.rev=10

Kernel size: 2529072, new ramdisk size: 230029, boot.img: 2762752.

boot.img has been created.

root@android:/data/local/tmp/mkbootimg_tools-master #

UNPACK NON-STANDARD IMAGE

This image uses non-standard mkbootimg.c:
root@android:/data/local/tmp/mkbootimg_tools-master # ./mkboot recovery.img work

Unpack & decompress recovery.img to work

****** WARNING ******* WARNING ******* WARNING ******

This image is built using NON-standard mkbootimg!

RAMDISK_OFFSET is 0x01608000

You can modify mkbootimg.c with the above value(s)

****** WARNING ******* WARNING ******* WARNING ******

kernel : zImage
ramdisk : ramdisk
page size : 2048
kernel size : 5834192
ramdisk size : 4351685
base : 0x80600000
kernel offset : 0x00008000
ramdisk offset : 0x01608000
second_offset : 0x00f00000
tags offset : 0x00000100
cmd line : console=ttyHSL0,115200,n8 user_debug=31

Ramdisk is gzip format.
14837 blocks
Unpack completed.

root@android:/data/local/tmp/mkbootimg_tools-master #

REPACK NON-STANDARD IMAGE

Image repacked with non-standard mkbootimg.c:
root@android:/data/local/tmp/mkbootimg_tools-master # ./mkboot work recovery.img

mkbootimg from work/img_info.

kernel : zImage
ramdisk : new_ramdisk.gzip
page size : 2048
kernel size : 5834192
ramdisk size : 4358038
base : 0x80600000
kernel offset : 0x00008000
ramdisk offset : 0x01608000
tags offset : 0x00000100
cmd line : console=ttyHSL0,115200,n8 user_debug=31

Kernel size: 5834192, new ramdisk size: 4358038, recovery.img: 10194944.

recovery.img has been created.

root@android:/data/local/tmp/mkbootimg_tools-master #

UNPACK IMAGE WITH INCOMPATIBLE RAMDISK

root@android:/data/local/tmp/mkbootimg_tools-master # ./mkboot boot-1.img work

Unpack & decompress boot-1.img to work

kernel : zImage
ramdisk : ramdisk
page size : 2048
kernel size : 3580032
ramdisk size : 594701
base : 0x10000000
kernel offset : 0x00008000
ramdisk offset : 0x01000000
second_offset : 0x00f00000
tags offset : 0x00000100
cmd line :

****** HAZARD ******* HAZARD ******* HAZARD ******

Ramdisk is data format. Can't unpack ramdisk.
This tool currently does not support data.

****** HAZARD ******* HAZARD ******* HAZARD ******

root@android:/data/local/tmp/mkbootimg_tools-master #

REPACK IMAGE WITH INCOMPATIBLE RAMDISK

root@android:/data/local/tmp/mkbootimg_tools-master # ./mkboot work boot-1.img

mkbootimg from work/img_info.


****** HAZARD ******* HAZARD ******* HAZARD ******

Ramdisk is data format. Can't repack ramdisk.
This tool currently does not support data.

****** HAZARD ******* HAZARD ******* HAZARD ******

root@android:/data/local/tmp/mkbootimg_tools-master #
 
Last edited:
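Both posts above depend on locating the ANDROID! header and reading the load addresses stored after it; in the first post's dump the magic sits at offset 0x100, the 256 bytes that `dd bs=256 skip=1` skips. The following C program is an added example, not part of the original posts and not the project's code: it finds the magic, decodes the first eight header fields, and flags offsets that differ from the ones printed in the "standard image" output. The sample is constructed (256 filler bytes, then the 40 header bytes shown at 0x100 in the hex dump); the function names and the rule "base = kernel address minus 0x8000" are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BOOT_MAGIC      "ANDROID!"
#define BOOT_MAGIC_SIZE 8
#define HDR_MIN         (BOOT_MAGIC_SIZE + 8 * 4) /* magic + eight LE32 fields */
/* Offsets from base, as printed in the thread's "standard image" output. */
#define STD_KERNEL_OFF  0x00008000u
#define STD_RAMDISK_OFF 0x01000000u
#define STD_SECOND_OFF  0x00f00000u
#define STD_TAGS_OFF    0x00000100u
enum { NS_RAMDISK = 1, NS_SECOND = 2, NS_TAGS = 4 };

struct boot_info {
    long     magic_off;   /* bytes of vendor data in front of the header */
    uint32_t kernel_size, ramdisk_size, second_size, page_size;
    uint32_t base, ramdisk_off, second_off, tags_off;
    unsigned nonstandard; /* NS_* bits for offsets that differ from STD_* */
};

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Offset of the first "ANDROID!" in buf, or -1 if it is absent. */
long find_boot_magic(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i + BOOT_MAGIC_SIZE <= len; i++)
        if (memcmp(buf + i, BOOT_MAGIC, BOOT_MAGIC_SIZE) == 0)
            return (long)i;
    return -1;
}

/* Returns 0 on success, -1 no magic, -2 truncated header, -3 bad page size. */
int parse_boot_header(const uint8_t *buf, size_t len, struct boot_info *o) {
    long off = find_boot_magic(buf, len);
    if (off < 0) return -1;
    if (len - (size_t)off < HDR_MIN) return -2;
    const uint8_t *f = buf + off + BOOT_MAGIC_SIZE; /* first field after magic */
    uint32_t page = le32(f + 28);
    if (page == 0 || (page & (page - 1))) return -3; /* must be a power of two */
    o->magic_off = off;
    o->page_size = page;
    o->kernel_size = le32(f); o->ramdisk_size = le32(f + 8); o->second_size = le32(f + 16);
    /* Assumption: kernel loads 0x8000 above base, so base = kernel_addr - 0x8000. */
    o->base = le32(f + 4) - STD_KERNEL_OFF;
    o->ramdisk_off = le32(f + 12) - o->base;
    o->second_off = le32(f + 20) - o->base;
    o->tags_off = le32(f + 24) - o->base;
    o->nonstandard = (o->ramdisk_off != STD_RAMDISK_OFF ? NS_RAMDISK : 0)
                   | (o->second_off != STD_SECOND_OFF ? NS_SECOND : 0)
                   | (o->tags_off != STD_TAGS_OFF ? NS_TAGS : 0);
    return 0;
}

/* Constructed sample: the 40 header bytes shown at 0x100 in the post's hex dump,
   parsed behind 256 zero filler bytes that stand in for the vendor prefix. */
static const uint8_t SAMPLE_HDR[HDR_MIN] = {
    'A','N','D','R','O','I','D','!', 0x08,0xD6,0x56,0x00, 0x00,0x80,0x40,0x80,
    0x0E,0xF0,0x07,0x00, 0x00,0x80,0x80,0x81, 0x00,0x00,0x00,0x00, 0x00,0x00,0x30,0x81,
    0x00,0x01,0x40,0x80, 0x00,0x08,0x00,0x00 };

const struct boot_info *sample_info(void) {
    static struct boot_info bi;
    static uint8_t img[256 + HDR_MIN];
    memcpy(img + 256, SAMPLE_HDR, HDR_MIN);
    return parse_boot_header(img, sizeof img, &bi) == 0 ? &bi : NULL;
}

int main(void) {
    const struct boot_info *b = sample_info();
    if (!b) return 1;
    printf("header at byte %ld, base 0x%08x, ramdisk offset 0x%08x%s\n", b->magic_off,
           (unsigned)b->base, (unsigned)b->ramdisk_off,
           (b->nonstandard & NS_RAMDISK) ? " (NON-standard)" : "");
    return 0;
}
```

On the sample the decoded kernel size is 5690888 bytes and the addresses are 0x80408000, 0x81808000, 0x81300000 and 0x80400100, the same values unmkbootimg prints in the first post; relative to the derived base only the ramdisk offset differs from the standard set.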
Modding.MyMind

Guest
mkbootimg updated in .zip file. Enjoy :)

I went through some mess to get it to work correctly lol.

Works like a champ now.

Sent from my K2_CL using Tapatalk
 

xpirt

Recognized Developer / Inactive RC
Feb 19, 2013
5,070
21,223
mkbootimg updated in .zip file. Enjoy :)

I went through some mess to get it to work correctly lol.

Works like a champ now.

Sent from my K2_CL using Tapatalk

Did you compile mkbootimg?
Please can you tell me in detail the not-booting problem? Did it reboot continuously between bootloader and bootanimation?

xpirt
 
Modding.MyMind

Guest
Did you compile mkbootimg?
Please can you tell me in detail the not-booting problem? Did it reboot continuously between bootloader and bootanimation?

xpirt

Yea, I compiled it. The last one I compiled wasn't done correctly. The sha and rsa were corrupted. But I fixed it.

Sent from my K2_CL using Tapatalk
 
Modding.MyMind

Guest
@xpirt

No bootloop. It would boot once and show the splash screen. Then reboot straight into the custom recovery. Basically what happened in the old mkbootimg was the source code having too many white spaces and some other syntax issues. I had to go through every single command line in every single file to fix it. Spent almost 15+ hours reworking the codes. Then I compiled it, placed it on my device in /data/local/tmp. Pulled my boot img from my partition using dd over to /data/local/tmp. Ran the steps to unpacking, editing, and then used the new mkbootimg to repack it. After completion I wrote the new boot.img over to the partition using dd. Then rebooted, worked flawlessly without any bugs, errors, or hiccups.

Sent from my K2_CL using Tapatalk
 

xpirt

Recognized Developer / Inactive RC
Feb 19, 2013
5,070
21,223
@xpirt

No bootloop. It would boot once and show the splash screen. Then reboot straight into the custom recovery. Basically what happened in the old mkbootimg was the source code having too many white spaces and some other syntax issues. I had to go through every single command line in every single file to fix it. Spent almost 15+ hours reworking the codes. Then I compiled it, placed it on my device in /data/local/tmp. Pulled my boot img from my partition using dd over to /data/local/tmp. Ran the steps to unpacking, editing, and then used the new mkbootimg to repack it. After completion I wrote the new boot.img over to the partition using dd. Then rebooted, worked flawlessly without any bugs, errors, or hiccups.

Sent from my K2_CL using Tapatalk

Ok. Good, I'll try it out ;)

xpirt
 
Modding.MyMind

Guest
Ok. Good, I'll try it out ;)

xpirt

Sounds good. If it is a stock boot.img then you will need to remove everything before the android magic value (ANDROID!). After that, have at it lol. I will be adding additional code later on that will automatically look for the android magic value and make the necessary changes to it so it reads properly. This will keep others from having to do it themselves. Until then, has to be done by the user since I have hard-coded the magic android value.

Sent from my K2_CL using Tapatalk
 
Modding.MyMind

Guest
Also plan to edit the unpackbootimg file so it will automatically extract the ramdisk archive automatically without the need of the user having to use the ramdisk.sh file or by manually inputting the commands to do so. Got other plans as well. So a lot of improvements and bonuses are to come. Gonna try and make this thing a beast for arm devices.

Sent from my K2_CL using Tapatalk
 
Modding.MyMind

Guest
OP updated with more in depth instructions/examples. Also, I have taken out the ramdisk.sh file and have also removed the unpackbootimg file. I have implemented unmkbootimg and a remake of the mkbootimg file(s). Works like a boss and gives you all the information you need to rebuild your boot.img. Will work on ALL arm devices. Enjoy.
 
Modding.MyMind

Guest
Added download link to open source. See OP.

Sent from my K2_CL using Tapatalk
 
Modding.MyMind

Guest
OP has been updated. I have included an additional binary called mkbootfs to work in conjunction with the other two given the necessary structural building properties of the boot.img. I have tested this on A LOT of boot.img's and all have been successful. I have also updated the instructions for using these binaries on your android device. Enjoy. :)
 
Modding.MyMind

Guest
OP updated with four photo attachments.

Sent from my K2_CL using Tapatalk
 

Top Liked Posts

  • 2
    Thanks bigsupersquid for all your support.
    From the beginning I said I must have to share my work with interested so they can help me as especially that is the first version of this the apk already as was the case.
    Then I will thread it and I think to make it open source because I believe that work under Linux must be OPEN SOURCE.

    ---------- Post added at 09:03 PM ---------- Previous post was at 09:02 PM ----------

    Sorry for my English :p
    2
    You are too hasty, not easy work program overnight, just be patient, these are some screenshots for you my prince
    2
    Well, I don't know the specifics of your device but you definitely need an unlocked bootloader and S-Off. Then you need to figure out the sizes of your system, data and cache partitions (you can use "Partition Table" from the Play Store). Create three additional partitions at the end of your SD card with the sizes you found. You can either use AParted on your phone or MiniTool and a card adapter on your PC. The partitions must be all primary and formatted to ext3 or ext4 depending on what your kernel supports. Then you have to unzip the ROM file you want to install, find the updater-script and edit all lines that contain mmcblk0px (where x is your system partition number) to mmcblk1p2 (your SD system partition). You also need to unpack the boot.img, find the fstab.nick in the ramdisk (nick is the nickname of your device) and edit the system, data and cache mountpoints to /dev/block/mmcblk1p2, 3 and 4 accordingly. Pack and zip everything back and reboot to recovery (if you need to flash GApps, then you must also modify that zip first). Make a backup of your current ROM and flash your modified zip(s). When you reboot, your device should load your secondary ROM. To switch back to the primary you need to reflash your primary kernel (from the backup you took). Use dd if=path/backup.boot.img of=/dev/block/mmcblk0px (where x is your boot partition) and reboot. To boot back to your secondary ROM, just use the above command to flash the boot.img extracted from your modified ROM.zip.
    This should theoretically work on any device with any ROM as primary and a Jellybean or above ROM as secondary. All I have done is to automate the editing of zips so that they can be directly flashed.

    PS: Sorry for the long off-topic but it is directly related to your work.

    Sent from the 3rd dimension!
    2
    Hi again, I recently opened a new thread that explains Dual-Boot in more detail. I believe you'll find it interesting.

    Sent from the 3rd dimension!