• Introducing XDA Computing: Discussion zones for Hardware, Software, and more!    Check it out!

[dev][kernel][kexec]

Search This thread

delewer

Senior Member
Aug 20, 2011
186
233
Paris
Last Update : August, 19, 2014
Hi,

I'm still try to bypass the MMU protection.
I have fixe a lot of bug, like memory misalignment, bad adresses allocation, dtb correction, etc...
Last sources and binaries here :
kexec-tools V11.zip : http://forum.xda-developers.com/attachment.php?attachmentid=2902912&stc=1&d=1408401794
kexec-tools binaries V11.zip : http://forum.xda-developers.com/attachment.php?attachmentid=2902913&stc=1&d=1408401794

Sorry, i have always 13 sec reboot after new kernel boot.
"cpu_proc_fin" use a "mcr p15" to init cache and proc that cause freeze.
I try to find solution for that.


Last Update : June, 22, 2014
Hi,

My sources are horrible... but i give something new.

This kexec is for stock kernel only (tested on .757). I thinks theses sources work on other kernel too.

In "kexec-tools V10.zip", you have all my sources. It's highly recommended to mod them to have something OK.

In "kexec binaries.zip", you have binaries to install
=> "kexec_load.ko" and "procfs_rw.ko" must be placed in "/system/lib/modules" folder with "chmod 777"
=> "kexec" must be placed in /system/bin" folder with "chmod 777"
=> cd /system/lib/modules
=> insmod kexec_load.ko

For sources :
Mod and adapt all you want, it's free.
You have 2 scripts in Zip : "./compil-kexec" in "kexec-tools" folder to rebuild and send in device directly (install Adbtcp on device and send by tcp with : adb connect xxx.xxx.xxx.xxx) = work perfectly with me.
"scriptZ1" is for compil stock kernel or another kernel (doomlord kernel for eg)
You must rename "custom_final_files" folder after compil to "final_file" manually ; You can have guest kernel in "custom_final_files" and stock kernel in "final_files" for "kexec-tools" path ... Don't mix a guest and host kernel please ^^

I am tired... i let you test and say if it's ok for you...

Thank a lot to munjeni for his help.

kexec-tools V10.zip : http://forum.xda-developers.com/attachment.php?attachmentid=2811994&stc=1&d=1403456181
kexec binaries.zip : http://forum.xda-developers.com/attachment.php?attachmentid=2811995&stc=1&d=1403456181


Last Update : November, 23, 2013
Hi,
For few days now, i haven't no more kernel panic with my kexec.
I have fixed few stuffs into sources, and add a lot.

These adds are, to include a "dt.img" image file into kexec load process.

This image file is a "device_tree" image to match hardware to software.

So, i assume to don't include atags into boot process, but pass bootloader informations by this DT.
I have programmed a little scan memory to found dynamicly all magic tags, because i found 3 device_tree into memory (magic is "0xd00dfeed").
These 2 device_tree are echo from first and nice structure.

The boot process need to have informations from this DT, and need all informations to initialize hardware (no HDW initialisation by the kernel)
I must first fix issues ; Regroup zImage and dt.img into memory to load a solid bloc to kexec_load module to boot into, and second, fix an offset i can't explain, 0x800 in memory causing misalignment memory

Keep tuned..



Last Update : November, 17, 2013

Hi everybody,

My kexec-tools work for Sony Xperia Z1 stock kernel "3.4.0-perf"
This tools can work on all locked bootloader for all locked device, not only Sony or Z1 models.
This kexec-tools add a kexec_load kernel module (LKM) and use a driver to grant a communication between "kexec" user program and kexec_load.ko module

what is for ?
"kexec" user program load in memory a custom kernel in zImage format, but can load ".tar" image too
This user tool load ramdisk in memory if necessary
This tool is for this purpose only, and don't keep in memory the custom kernel at device reboot.
It is a "user" program, not a "kernel" extension... So, to really do the magic, we need the host kernel (stock sony locked kernel) have a kexec_load capability to reboot in a new gest kernel (custom kernel).

Infortuntly, stock kernel don't have kexec_load capability.
Sony have compiled his stock kernel without this option, and "standard" kexec-tools "need" this option to work. :eek:

To see all system call capability of kernel, you can run theses command :
Code:
echo 0 > /proc/sys/kernel/dmesg_restrict 
echo 0 > /proc/sys/kernel/kptr_restrict
cat /proc/kallsyms
Do all grep you want here.
The "echo 0" "restrict" is here to unmask logical adresses to "system calls"
Like you can see, "__NR_kexec_load" capability isn't here.

To add kexec_load capability in stock locked kernel, we need to add manualy a kernel module wich add this function into the kernel.
Why ? Because the way to keep in memory a custom kernel need to know a lot of parameters, and keep a specific memory range alive at reboot.
Only kernel can do this.
All user program will be terminated at reboot.

"Standard" kexec_load.ko module use a method to implement the "__NR_kexec_load" function in system call table.
Since 2.6.0 kernel, linux for security reason, have locked in memory the "system_call_table" ; No more add or modification is authorized.
If kexec tool try to add a value, "kexec_load" for us, we causes a kernel panic, and reboot device.

For this reason, i have modify kexec user program and kexec_load module to implement a driver to talk to each other.

this driver replace syscall method, and we no more need to use a system call table.
For this reason, this tool is now compatible with modern kernel like our "3.4.0"
For this reason, this tool must work for other device (Xperia X, P, S, etc...) and another brand
For this reason, if kernel is locked, we can bootstrap to run a new kernel.


Installation
First, you can compil your own kexec tool
Here, sources : http://forum.xda-developers.com/attachment.php?attachmentid=2397299&stc=1&d=1384689174

And here, the binaries : http://forum.xda-developers.com/attachment.php?attachmentid=2397305&stc=1&d=1384689406
(it's not a cwm zip, i have no time to create an installer for now ; use "./compil-kexec" if you want an automatic install)
Install *.ko in /system/lib/modules
Install kexec and kdump in /system/bin
Grant with "chmod 777"


Unzip in kexec-tools folder
Install a toolchain (sudo apt-get install gcc-arm-linux-gnueabi)
launch => ./compil-kexec

what's all
This script can do everythinks for you
- Compilation of tools
- Compilation of modules
- installation in device
This script can compil for every brand you have.
Except you must remove or adapt the patch (see below why)


Patch ??
This patch is because a module must be compiled in the same time the kernel himself.
For this reason a "vermagic", an identifier, is used by system to block every module not compil with kernel
Some custom kernel bypass this to authorize every modules.
But for stock kernel, it is not allowed.
You can easely strapp this by busybox.
"busybox modprobe" for help
"-f" to force load without vermagic

To see this vermagic :
Code:
# uname -r
This "uname -r" must be the same that
Code:
# strings kexec_load.ko | grep vermagic
vermagic=3.4.0-perf-g66807d4-02450-g9a218f1 SMP preempt mod_unload modversions ARMv7
If you want use automaticaly this vermagic, you can modify into the custom kernel this file :
Code:
"include/config/kernel.release" and add :
"3.4.0-perf-g66807d4-02450-g9a218f1"
This file will be use at module compil to match the vermagic.


Infortunatly, it is not enought. :silly:

The infamous "no symbol version for module_layout"
When a module compil is created, it use symbols link to system call function, translate by adresses
Theses symbols are not at same physical adresses in stock kernel and modules (compiled from DooMLoRD kernel).
So, theses adresses must be convert into modules itself to match with stock symbols adress.
A patch is needed.
If you use my script, modules are automatically patched.

Here patches :
Code:
sed -i 's/\x32\x76\x86\x29/\x72\xFF\x5E\x20/' procfs_rw.ko
sed -i 's/\x32\x76\x86\x29/\x72\xFF\x5E\x20/' kexec_load.ko
sed -i 's/\xBB\xD0\xF8\x4D/\x0E\x1C\x63\x77/' kexec_load.ko
sed -i 's/\xA6\x26\x81\x1A/\xD4\x56\x02\x7E/' kexec_load.ko
sed -i 's/\xA3\xD1\xEC\x96/\xEC\x43\x28\x1A/' kexec_load.ko
sed -i 's/\x8C\xE6\x6A\x5F/\x3D\xDF\x02\xF2/' kexec_load.ko
sed -i 's/\x3E\xF3\xEF\xE9/\x18\x7F\xA6\x8A/' kexec_load.ko
sed -i 's/\x8B\xD2\x92\x10/\xC8\x19\x08\x9C/' kexec_load.ko
sed -i 's/\x1C\xE8\x18\xE1/\x7C\x71\x9E\xEF/' kexec_load.ko
sed -i 's/\xAB\x2C\x2F\x8B/\x8E\xD7\x63\xC0/' kexec_load.ko
sed -i 's/\xF5\x62\xAA\x4B/\x34\x80\x1B\x74/' kexec_load.ko
sed -i 's/\x00\x52\xD6\xD7/\x6F\x80\x91\x20/' kexec_load.ko
sed -i 's/\x4F\x77\x57\x6A/\x0C\x57\xC7\x63/' kexec_load.ko
sed -i 's/\xCA\x2F\x65\x71/\x92\xB8\x7F\x53/' kexec_load.ko
sed -i 's/\x0F\xD0\xA0\x91/\xFA\x80\x15\xB4/' kexec_load.ko
sed -i 's/\x29\xA0\x6D\x48/\x6C\x6B\x96\x54/' kexec_load.ko
sed -i 's/\x6D\x1F\x1F\x37/\xCC\x5E\x79\x8B/' kexec_load.ko
sed -i 's/\xFD\x23\xD0\xFB/\xE3\xE3\x68\x52/' kexec_load.ko
You can use hexedit or hexdump to see these adresses :
Code:
hexdump kexec_load.ko | grep ff72         
0003d50 b0b0 80ac ff72 205e 6f6d 7564 656c 6c5f
how does it work ?
# kexec --help
For kexec help... nothing more to say.

# lsmod
List loaded modules... You must see
kexec_load 31369 0 - Live 0x00000000 (O)

# rmmod kexec_load.ko
Remove kexec_load module from memory.

# grep kexec /proc/device
To see installed driver.
You must see :
100 kexec_driver

First number is "major" number to identify your driver in system.

# mknod /dev/kexec_driver c 100 0
Install driver.
Major number (here 100), is important for module.
This Major must be the same between module and driver.
By default, 100 is used.

# insmod kexec_load.ko
To install "LKM", kexec_load kernel module.
If another Major is needed, you can use "insmod kexec_load.ko 101" for Major 101
You can use "modprob" if you want, but you must configure the module folder.


How kexec and module exchange informations ?
By the driver.
Normal output for a kernel module is to write in "dmsg" file.
To see kernel output, launch this command :
Code:
# dmesg
To see last kernel log, see in :
Code:
# cat /proc/last_kmsg
For kexec module, this normal way still exist, and give a lot of informations, but to speak with, you must use the driver.
/dev/kexec_driver

You can yourself test communication:
Code:
# cat /dev/kexec_driver
You can send kernel by this communication channel.
Type following commands for help
  => echo help >/dev/kexec_driver
  => dmesg | grep Kexec
Code:
# echo help >/dev/kexec_driver
# cat /dev/kexec_driver
Last command : 'help'
 Please type following command :
      => dmesg|grep Kexec
Every command send into driver is receive by kexec_load.ko module and running into the kernel.
The answer can by read thru the driver

Here, you can see that normal way to see messages is allway dmesg.

Code:
# dmesg|grep Kexec
<4>[15050.521628] Kexec: Starting kexec_module...
<6>[15050.521656] Kexec: kexec_driver_contener allocation
<6>[15050.521673] Kexec: kexec_memory_buffer allocation
<4>[15050.521691] Kexec:----------------------------------------------------
<4>[15050.521710] Kexec: kexec_driver created with major : '100'
<4>[15050.521728] Kexec: Please, prepare by typing the following commands :
<4>[15050.521746] Kexec:  => mknod /dev/kexec_driver c 100 0
<4>[15050.521761] Kexec:  => cat /dev/kexec_driver
<4>[15050.521775] Kexec:-----------------------------------------------------
<4>[15050.521791] Kexec:  For help
<4>[15050.521803] Kexec:  => echo help >/dev/kexec_driver
(...)
I have add a lot of informations to help to configure kexec.



rdtags, atags ??
Not sure for this part of kernel.
"atags" is the most used method to bootloader to parse commands and informations to kernel at boot.
"atags" is a form of structure in memory to organise informations.
At boot, a address chain is created and can be compulse in /proc/atags file.
This file is read only system.
"rdtags" is another way to bootloader to parse information to kernel.
"rdtags" is not stocked in "/proc"
But, as i see, stock kernel can use "atags" from bootloader.
kexec can substitute bootloader function to create fromscratch a atags chain, and parse to new kernel.
I have change this part to stock atags in "/data/atags", and reuse or change if need.

If this don't work, i must create a rdtags chain to replace atags ; It's not a hard work.


Status

For the moment, kexec tools works.
=> Phase one OK.

I can start Phase Two : new kernel patch.
If you want to help me...

Actually, load a custom kernel and boot into with kexec tools work.
But at boot into, a kernel panic occurs.

It seems, a part of kexec patch is missing in custom kernel.
 

Attachments

  • kexec-tools-delewer-V1.zip
    540.4 KB · Views: 559
  • Kexec-binaries-delewer-v1.zip
    701.8 KB · Views: 288
  • kexec-tools-delewer-V1.1.zip
    599.9 KB · Views: 98
Last edited:

Shaky156

Senior Member
Aug 19, 2012
1,209
2,238
Redmi K20 Pro
Realme GT
Hi new thread created for kernel kexec development.

Status: not working: wrong values for mem defines under the kernel is giving segmentation fault as its attempting to write to memory areas that are currently being used byyyyy the system


Instructions:
Make kernel compatible?:
1. Download kernel diff patch from below
2. Terminal - diff patch > diff.txt

How to use:
1. Download kexec-tools (kexec binary) from below
2. Copy into system/bin directory and give it executable permission
3. Download compatible kernel
4. Terminal - kexec --load-hardboot zImage --initrd=initrd.img --mem-min=0x20000000 --command-line="$(cat /proc/cmdline)"
kexec -e

Download links:
Kexec tool- https://db.tt/8DZXQ9eV
Ramdisk firmware 1.548 : https://db.tt/8DZXQ9eV
zImage (kernel):


Source code:
Kernel diff patch: https://db.tt/Xi2htT7Q (currently contains wrong values for mem defines)
Kexec-tools: https://db.tt/I22ofr3b


Special thanks: @delewer @krabappel2548
 
Last edited:

Shaky156

Senior Member
Aug 19, 2012
1,209
2,238
Redmi K20 Pro
Realme GT
Recieved segmentation fault with delewers calculated mem values too

We need to write to memory where we have write access to, maybe lockedbootloader is not allowing us to write? Orrr we are just writing to wrong area of memory
 
Last edited:

krabappel2548

Inactive Recognized Developer
Nov 15, 2011
6,443
16,111
Lommel
Devdb?

Pm me i dont know what Devdb is lol




Recieved segmentation fault with delewers calculated mem values too

We need to write to memory where we have write access to, maybe lockedbootloader is not allowing us to write? Orrr we are just writing to wrong area of memory

I'll discuss with Kali- today if he's available.



If kexec works on the Z1, can it be ported over to Xperia Z/ZL/T/Ultra? I believe they don't all share the same processor.

Doesn't need to be same processor, can be ported :)

Sent from my C6903 using xda app-developers app
 

Shaky156

Senior Member
Aug 19, 2012
1,209
2,238
Redmi K20 Pro
Realme GT
If kexec works on the Z1, can it be ported over to Xperia Z/ZL/T/Ultra? I believe they don't all share the same processor.

Yes it wont matter much, since its not s800 it should be easier for you guys :), take the kexec-tool use that, implement the patch write to the correct mem addresses which is free, it should boot if you guys have issues let me know,

I need to calculate the correct addresses.

Ive noticed s800 uses a dt.img, might need to modify kexec-tool to support dt.img, not sure what dt.img does yet, only know it holds values
 
  • Like
Reactions: AlaskaLinuxUser

krabappel2548

Inactive Recognized Developer
Nov 15, 2011
6,443
16,111
Lommel
Last edited:

delewer

Senior Member
Aug 20, 2011
186
233
Paris
krabappel2548, i have compil your kernel by my script (fromscratch)

My script (instruction in "DoomLord Build kernel thread" : scriptZ1 http://forum.xda-developers.com/attachment.php?attachmentid=2346163&d=1382568778
(for thoses who want to help us...)

You have a little mod to do here (bad compil) :
In "sound/soc/msm/qdsp6v2/rtac.c"

you must change
#include <q6voice.h>
by
#include "q6voice.h"

btw : no more ideas to load kexec for the moment ...
 

Knucklessg1

Senior Member
Mar 27, 2010
559
102
knucklessg1.blogspot.com
krabappel2548, i have compil your kernel by my script (fromscratch)

My script (instruction in "DoomLord Build kernel thread" : scriptZ1 http://forum.xda-developers.com/attachment.php?attachmentid=2346163&d=1382568778
(for thoses who want to help us...)

You have a little mod to do here (bad compil) :
In "sound/soc/msm/qdsp6v2/rtac.c"

you must change
#include <q6voice.h>
by
#include "q6voice.h"

btw : no more ideas to load kexec for the moment ...

Sorry, I'm trying to get caught up on the forum, but what seems to be the current standing issue to get kexec working?
 

Shaky156

Senior Member
Aug 19, 2012
1,209
2,238
Redmi K20 Pro
Realme GT
Memory regions

00000000-07afffff : System RAM
00008000-00b79383 : Kernel code
00d04000-00f0cddb : Kernel data
0ff00000-779fffff : System RAM
7ff00000-7ff3ffff : rdtags_mem
7ff80000-7ffa0fff : last_kmsg
7ffa1000-7ffa5fff : last_amsslog

System RAM MEM = 00000000
So --min-mem=0x20000000

Now need to find a free memory area thatll allow us to write and hopefully the mmu/pmu on locked bootloader wont cancel it
@delewer? @DooMLoRD @kali @Bin4ry
 
Last edited:

king960

Senior Member
Feb 4, 2013
318
71
25
Warsaw
I know I shouldn't disturb, but i must ask: if You achieve Your goal, would it be possible to port it to devices like Xperia P, S, T, U and other NXT? It would be great, many ppl are ready to give a prize for it. Thanks in advance, good luck and sorry again.

Sent from my LT22i using xda app-developers app
 

Shaky156

Senior Member
Aug 19, 2012
1,209
2,238
Redmi K20 Pro
Realme GT
I know I shouldn't disturb, but i must ask: if You achieve Your goal, would it be possible to port it to devices like Xperia P, S, T, U and other NXT? It would be great, many ppl are ready to give a prize for it. Thanks in advance, good luck and sorry again.

Sent from my LT22i using xda app-developers app

These devices are not 2013 devices, they arent s800 socs, so they are much easier to do, simply take the kexec-tools from op, implement the patch in your kernel, write the correct memory values for your specific device and execute in terminal via the command in op, minmem depends on your device too, good luck :)
 
  • Like
Reactions: Knucklessg1

king960

Senior Member
Feb 4, 2013
318
71
25
Warsaw
I think some1 tried it already, but it works only for unlocked devices... Anyway, thanks for help. ;)

Sent from my LT22i using xda app-developers app
 
Last edited:

Knucklessg1

Senior Member
Mar 27, 2010
559
102
knucklessg1.blogspot.com
I know I shouldn't disturb, but i must ask: if You achieve Your goal, would it be possible to port it to devices like Xperia P, S, T, U and other NXT? It would be great, many ppl are ready to give a prize for it. Thanks in advance, good luck and sorry again.

Sent from my LT22i using xda app-developers app

Does doing this require having an Unlocked Boot loader prior to implementation?

Sent from my C6603 using xda app-developers app
 
Last edited:

delewer

Senior Member
Aug 20, 2011
186
233
Paris
A few informations about kexec-tools debug


in kexec.c
Fonction :
if (file_type.load(argc, argv, kernel_buf,
kernel_size, &info) < 0) {
fprintf(stderr, "Cannot load %s\n", kernel);
return -1;
}

With a forced execution of kexec (bypass error to see...)
--mem-min=0x90000000

kernel: 0xb6b9d008 kernel_size: 3e9340
debug: 1 - after get memory range
debug: 2 - after type test
debug: 3 - after type test
debug: 4 - after info.kexec
debug: Focus 1 - argc '5' ; argv 'be856774' ; kernel_buf 'b6b9d008' ; kernel_size '3e9340' ; info 'be856548' ; i '1' ; file_type.name 'zImage'
Could not find a free area of memory of 3f1340 bytes...
Cannot load zImage
debug: 10 - before trampoline
debug: 11 - after trampoline
debug: 12 - before segment load
debug: 13 - after segment load
debug: 8 - before sort_segment
debug: 9 - after sort_segment
debug: 6 - before purgatory
debug: 7 - after purgatory
kexec_load: entry = (nil) flags = 280004
nr_segments = 0
kexec_load failed: Function not implemented
entry = (nil) flags = 280004
nr_segments = 0
debug: 5 - return result : ffffffff


With a forced bypass on file_type.load , we have this :
--mem-min=0x20000000

debug: Focus 1 - argc '5' ; argv 'bef18774' ; kernel_buf 'b6bc7008' ; kernel_size '3e9340' ; info 'bef18548' ; i '1' ; file_type.name 'zImage'
Segmentation fault
 
  • Like
Reactions: mirhl and Shaky156

Shaky156

Senior Member
Aug 19, 2012
1,209
2,238
Redmi K20 Pro
Realme GT
A few informations about kexec-tools debug


in kexec.c
Fonction :
if (file_type.load(argc, argv, kernel_buf,
kernel_size, &info) < 0) {
fprintf(stderr, "Cannot load %s\n", kernel);
return -1;
}

With a forced execution of kexec (bypass error to see...)
--mem-min=0x90000000

kernel: 0xb6b9d008 kernel_size: 3e9340
debug: 1 - after get memory range
debug: 2 - after type test
debug: 3 - after type test
debug: 4 - after info.kexec
debug: Focus 1 - argc '5' ; argv 'be856774' ; kernel_buf 'b6b9d008' ; kernel_size '3e9340' ; info 'be856548' ; i '1' ; file_type.name 'zImage'
Could not find a free area of memory of 3f1340 bytes...
Cannot load zImage
debug: 10 - before trampoline
debug: 11 - after trampoline
debug: 12 - before segment load
debug: 13 - after segment load
debug: 8 - before sort_segment
debug: 9 - after sort_segment
debug: 6 - before purgatory
debug: 7 - after purgatory
kexec_load: entry = (nil) flags = 280004
nr_segments = 0
kexec_load failed: Function not implemented
entry = (nil) flags = 280004
nr_segments = 0
debug: 5 - return result : ffffffff


With a forced bypass on file_type.load , we have this :
--mem-min=0x20000000

debug: Focus 1 - argc '5' ; argv 'bef18774' ; kernel_buf 'b6bc7008' ; kernel_size '3e9340' ; info 'bef18548' ; i '1' ; file_type.name 'zImage'
Segmentation fault


Did you compile this kexec yourself? Or did you get this from krapabbel? I issued krapabbel to compile a new debug version have gave him the code but never heard back from him :/
Anywayz so cannot find free memory is the issue
 

Top Liked Posts

  • There are no posts matching your filters.
  • 21
    Last Update : August, 19, 2014
    Hi,

    I'm still try to bypass the MMU protection.
    I have fixe a lot of bug, like memory misalignment, bad adresses allocation, dtb correction, etc...
    Last sources and binaries here :
    kexec-tools V11.zip : http://forum.xda-developers.com/attachment.php?attachmentid=2902912&stc=1&d=1408401794
    kexec-tools binaries V11.zip : http://forum.xda-developers.com/attachment.php?attachmentid=2902913&stc=1&d=1408401794

    Sorry, i have always 13 sec reboot after new kernel boot.
    "cpu_proc_fin" use a "mcr p15" to init cache and proc that cause freeze.
    I try to find solution for that.


    Last Update : June, 22, 2014
    Hi,

    My sources are horrible... but i give something new.

    This kexec is for stock kernel only (tested on .757). I thinks theses sources work on other kernel too.

    In "kexec-tools V10.zip", you have all my sources. It's highly recommended to mod them to have something OK.

    In "kexec binaries.zip", you have binaries to install
    => "kexec_load.ko" and "procfs_rw.ko" must be placed in "/system/lib/modules" folder with "chmod 777"
    => "kexec" must be placed in /system/bin" folder with "chmod 777"
    => cd /system/lib/modules
    => insmod kexec_load.ko

    For sources :
    Mod and adapt all you want, it's free.
    You have 2 scripts in Zip : "./compil-kexec" in "kexec-tools" folder to rebuild and send in device directly (install Adbtcp on device and send by tcp with : adb connect xxx.xxx.xxx.xxx) = work perfectly with me.
    "scriptZ1" is for compil stock kernel or another kernel (doomlord kernel for eg)
    You must rename "custom_final_files" folder after compil to "final_file" manually ; You can have guest kernel in "custom_final_files" and stock kernel in "final_files" for "kexec-tools" path ... Don't mix a guest and host kernel please ^^

    I am tired... i let you test and say if it's ok for you...

    Thank a lot to munjeni for his help.

    kexec-tools V10.zip : http://forum.xda-developers.com/attachment.php?attachmentid=2811994&stc=1&d=1403456181
    kexec binaries.zip : http://forum.xda-developers.com/attachment.php?attachmentid=2811995&stc=1&d=1403456181


    Last Update : November, 23, 2013
    Hi,
    For few days now, i haven't no more kernel panic with my kexec.
    I have fixed few stuffs into sources, and add a lot.

    These adds are, to include a "dt.img" image file into kexec load process.

    This image file is a "device_tree" image to match hardware to software.

    So, i assume to don't include atags into boot process, but pass bootloader informations by this DT.
    I have programmed a little scan memory to found dynamicly all magic tags, because i found 3 device_tree into memory (magic is "0xd00dfeed").
    These 2 device_tree are echo from first and nice structure.

    The boot process need to have informations from this DT, and need all informations to initialize hardware (no HDW initialisation by the kernel)
    I must first fix issues ; Regroup zImage and dt.img into memory to load a solid bloc to kexec_load module to boot into, and second, fix an offset i can't explain, 0x800 in memory causing misalignment memory

    Keep tuned..



    Last Update : November, 17, 2013

    Hi everybody,

    My kexec-tools work for Sony Xperia Z1 stock kernel "3.4.0-perf"
    This tools can work on all locked bootloader for all locked device, not only Sony or Z1 models.
    This kexec-tools add a kexec_load kernel module (LKM) and use a driver to grant a communication between "kexec" user program and kexec_load.ko module

    what is for ?
    "kexec" user program load in memory a custom kernel in zImage format, but can load ".tar" image too
    This user tool load ramdisk in memory if necessary
    This tool is for this purpose only, and don't keep in memory the custom kernel at device reboot.
    It is a "user" program, not a "kernel" extension... So, to really do the magic, we need the host kernel (stock sony locked kernel) have a kexec_load capability to reboot in a new gest kernel (custom kernel).

    Infortuntly, stock kernel don't have kexec_load capability.
    Sony have compiled his stock kernel without this option, and "standard" kexec-tools "need" this option to work. :eek:

    To see all system call capability of kernel, you can run theses command :
    Code:
    echo 0 > /proc/sys/kernel/dmesg_restrict 
    echo 0 > /proc/sys/kernel/kptr_restrict
    cat /proc/kallsyms
    Do all grep you want here.
    The "echo 0" "restrict" is here to unmask logical adresses to "system calls"
    Like you can see, "__NR_kexec_load" capability isn't here.

    To add kexec_load capability in stock locked kernel, we need to add manualy a kernel module wich add this function into the kernel.
    Why ? Because the way to keep in memory a custom kernel need to know a lot of parameters, and keep a specific memory range alive at reboot.
    Only kernel can do this.
    All user program will be terminated at reboot.

    "Standard" kexec_load.ko module use a method to implement the "__NR_kexec_load" function in system call table.
    Since 2.6.0 kernel, linux for security reason, have locked in memory the "system_call_table" ; No more add or modification is authorized.
    If kexec tool try to add a value, "kexec_load" for us, we causes a kernel panic, and reboot device.

    For this reason, i have modify kexec user program and kexec_load module to implement a driver to talk to each other.

    this driver replace syscall method, and we no more need to use a system call table.
    For this reason, this tool is now compatible with modern kernel like our "3.4.0"
    For this reason, this tool must work for other device (Xperia X, P, S, etc...) and another brand
    For this reason, if kernel is locked, we can bootstrap to run a new kernel.


    Installation
    First, you can compil your own kexec tool
    Here, sources : http://forum.xda-developers.com/attachment.php?attachmentid=2397299&stc=1&d=1384689174

    And here, the binaries : http://forum.xda-developers.com/attachment.php?attachmentid=2397305&stc=1&d=1384689406
    (it's not a cwm zip, i have no time to create an installer for now ; use "./compil-kexec" if you want an automatic install)
    Install *.ko in /system/lib/modules
    Install kexec and kdump in /system/bin
    Grant with "chmod 777"


    Unzip in kexec-tools folder
    Install a toolchain (sudo apt-get install gcc-arm-linux-gnueabi)
    launch => ./compil-kexec

    what's all
    This script can do everythinks for you
    - Compilation of tools
    - Compilation of modules
    - installation in device
    This script can compil for every brand you have.
    Except you must remove or adapt the patch (see below why)


    Patch ??
    This patch is because a module must be compiled in the same time the kernel himself.
    For this reason a "vermagic", an identifier, is used by system to block every module not compil with kernel
    Some custom kernel bypass this to authorize every modules.
    But for stock kernel, it is not allowed.
    You can easely strapp this by busybox.
    "busybox modprobe" for help
    "-f" to force load without vermagic

    To see this vermagic :
    Code:
    # uname -r
    This "uname -r" must be the same that
    Code:
    # strings kexec_load.ko | grep vermagic
    vermagic=3.4.0-perf-g66807d4-02450-g9a218f1 SMP preempt mod_unload modversions ARMv7
    If you want use automaticaly this vermagic, you can modify into the custom kernel this file :
    Code:
    "include/config/kernel.release" and add :
    "3.4.0-perf-g66807d4-02450-g9a218f1"
    This file will be use at module compil to match the vermagic.


    Infortunatly, it is not enought. :silly:

    The infamous "no symbol version for module_layout"
    When a module compil is created, it use symbols link to system call function, translate by adresses
    Theses symbols are not at same physical adresses in stock kernel and modules (compiled from DooMLoRD kernel).
    So, theses adresses must be convert into modules itself to match with stock symbols adress.
    A patch is needed.
    If you use my script, modules are automatically patched.

    Here patches :
    Code:
    sed -i 's/\x32\x76\x86\x29/\x72\xFF\x5E\x20/' procfs_rw.ko
    sed -i 's/\x32\x76\x86\x29/\x72\xFF\x5E\x20/' kexec_load.ko
    sed -i 's/\xBB\xD0\xF8\x4D/\x0E\x1C\x63\x77/' kexec_load.ko
    sed -i 's/\xA6\x26\x81\x1A/\xD4\x56\x02\x7E/' kexec_load.ko
    sed -i 's/\xA3\xD1\xEC\x96/\xEC\x43\x28\x1A/' kexec_load.ko
    sed -i 's/\x8C\xE6\x6A\x5F/\x3D\xDF\x02\xF2/' kexec_load.ko
    sed -i 's/\x3E\xF3\xEF\xE9/\x18\x7F\xA6\x8A/' kexec_load.ko
    sed -i 's/\x8B\xD2\x92\x10/\xC8\x19\x08\x9C/' kexec_load.ko
    sed -i 's/\x1C\xE8\x18\xE1/\x7C\x71\x9E\xEF/' kexec_load.ko
    sed -i 's/\xAB\x2C\x2F\x8B/\x8E\xD7\x63\xC0/' kexec_load.ko
    sed -i 's/\xF5\x62\xAA\x4B/\x34\x80\x1B\x74/' kexec_load.ko
    sed -i 's/\x00\x52\xD6\xD7/\x6F\x80\x91\x20/' kexec_load.ko
    sed -i 's/\x4F\x77\x57\x6A/\x0C\x57\xC7\x63/' kexec_load.ko
    sed -i 's/\xCA\x2F\x65\x71/\x92\xB8\x7F\x53/' kexec_load.ko
    sed -i 's/\x0F\xD0\xA0\x91/\xFA\x80\x15\xB4/' kexec_load.ko
    sed -i 's/\x29\xA0\x6D\x48/\x6C\x6B\x96\x54/' kexec_load.ko
    sed -i 's/\x6D\x1F\x1F\x37/\xCC\x5E\x79\x8B/' kexec_load.ko
    sed -i 's/\xFD\x23\xD0\xFB/\xE3\xE3\x68\x52/' kexec_load.ko
    You can use hexedit or hexdump to see these adresses :
    Code:
    hexdump kexec_load.ko | grep ff72         
    0003d50 b0b0 80ac ff72 205e 6f6d 7564 656c 6c5f
    how does it work ?
    # kexec --help
    For kexec help... nothing more to say.

    # lsmod
    List loaded modules... You must see
    kexec_load 31369 0 - Live 0x00000000 (O)

    # rmmod kexec_load.ko
    Remove kexec_load module from memory.

    # grep kexec /proc/device
    To see installed driver.
    You must see :
    100 kexec_driver

    First number is "major" number to identify your driver in system.

    # mknod /dev/kexec_driver c 100 0
    Install driver.
    Major number (here 100), is important for module.
    This Major must be the same between module and driver.
    By default, 100 is used.

    # insmod kexec_load.ko
    To install "LKM", kexec_load kernel module.
    If another Major is needed, you can use "insmod kexec_load.ko 101" for Major 101
    You can use "modprob" if you want, but you must configure the module folder.


    How kexec and module exchange informations ?
    By the driver.
    Normal output for a kernel module is to write in "dmsg" file.
    To see kernel output, launch this command :
    Code:
    # dmesg
    To see last kernel log, see in :
    Code:
    # cat /proc/last_kmsg
    For kexec module, this normal way still exist, and give a lot of informations, but to speak with, you must use the driver.
    /dev/kexec_driver

    You can yourself test communication:
    Code:
    # cat /dev/kexec_driver
    You can send kernel by this communication channel.
    Type following commands for help
      => echo help >/dev/kexec_driver
      => dmesg | grep Kexec
    Code:
    # echo help >/dev/kexec_driver
    # cat /dev/kexec_driver
    Last command : 'help'
     Please type following command :
          => dmesg|grep Kexec
    Every command send into driver is receive by kexec_load.ko module and running into the kernel.
    The answer can by read thru the driver

    Here, you can see that normal way to see messages is allway dmesg.

    Code:
    # dmesg|grep Kexec
    <4>[15050.521628] Kexec: Starting kexec_module...
    <6>[15050.521656] Kexec: kexec_driver_contener allocation
    <6>[15050.521673] Kexec: kexec_memory_buffer allocation
    <4>[15050.521691] Kexec:----------------------------------------------------
    <4>[15050.521710] Kexec: kexec_driver created with major : '100'
    <4>[15050.521728] Kexec: Please, prepare by typing the following commands :
    <4>[15050.521746] Kexec:  => mknod /dev/kexec_driver c 100 0
    <4>[15050.521761] Kexec:  => cat /dev/kexec_driver
    <4>[15050.521775] Kexec:-----------------------------------------------------
    <4>[15050.521791] Kexec:  For help
    <4>[15050.521803] Kexec:  => echo help >/dev/kexec_driver
    (...)
    I have add a lot of informations to help to configure kexec.



    rdtags, atags ??
    Not sure for this part of kernel.
    "atags" is the most used method to bootloader to parse commands and informations to kernel at boot.
    "atags" is a form of structure in memory to organise informations.
    At boot, a address chain is created and can be compulse in /proc/atags file.
    This file is read only system.
    "rdtags" is another way to bootloader to parse information to kernel.
    "rdtags" is not stocked in "/proc"
    But, as i see, stock kernel can use "atags" from bootloader.
    kexec can substitute bootloader function to create fromscratch a atags chain, and parse to new kernel.
    I have change this part to stock atags in "/data/atags", and reuse or change if need.

    If this don't work, i must create a rdtags chain to replace atags ; It's not a hard work.


    Status

    For the moment, kexec tools works.
    => Phase one OK.

    I can start Phase Two : new kernel patch.
    If you want to help me...

    Actually, load a custom kernel and boot into with kexec tools work.
    But at boot into, a kernel panic occurs.

    It seems, a part of kexec patch is missing in custom kernel.
    12
    Attempts on Xperia P (sorry IF i noob-ed with this post)

    http://forum.xda-developers.com/showthread.php?t=2053466

    Sent from my LT22i using xda app-developers app

    It's a dead thread.
    Because, it's a epic failed (for now).

    ********

    Status of my attempts :

    Modules loads : OK for two modules (kexec_load and procfs_rw)
    - procfs_rw.ko => create "/proc/atags" => ok, but bad buf... it must be fix (easy part)
    - kexec_load.ko => Loaded => ok but, the way to use is "syscall" add for kexec_load function => failed
    why ? Because after 2.6 kernel (Z1 have 3.4.0 kernel), syscall_table is read only and had fixed size. So if i attempt to add value (kexec_load in our case), we have kernel panic.

    But i have a solution to add function in LKM, is to add a "real" module call.

    I have add a "kexec_driver" in "/dev" structure by :
    Code:
    insmod kexec_load.ko
    mknod /dev/kexec_driver c 254 0
    (...)
    crw-rw-rw- root     root     254,   0 2013-11-11 15:26 kexec_driver

    Driver is in alpha stage and highty experimental

    To be continue...
    10
    just for information...
    compressed kernel with lzma his bigger than no lzma lol
    4,1 Vs 4,15

    so, i thave try :
    kexec --load zImage.lzma --mem-min=0x0f00000000 --command-line="$(cat /proc/cmdline)"
    debug: Focus 1 - argc '5' ; argv 'bea96754' ; kernel_buf 'b6bdf008' ; kernel_size '3f5414' ; info 'bea96528' ; i '1' ; file_type.name 'zImage'
    debug: malloc - xmalloc mem_range '4511824'
    Could not find a free area of memory of 3fd414 bytes...

    lol ... if you could find a way to reduced size ?? :p


    Did you reserved and freed memory for kexec? Something like:
    +#if defined(CONFIG_KEXEC_HARDBOOT)
    +static void kexec_hardboot_reserve(void)
    +{
    + if (memblock_reserve(KEXEC_HARDBOOT_START, KEXEC_HARDBOOT_SIZE)) {
    + printk(KERN_ERR "Failed to reserve memory for KEXEC_HARDBOOT: "
    + "%[email protected]%.8X\n",
    + KEXEC_HARDBOOT_SIZE / SZ_1M, KEXEC_HARDBOOT_START);
    + return;
    + }
    + memblock_free(KEXEC_HARDBOOT_START, KEXEC_HARDBOOT_SIZE);
    + memblock_remove(KEXEC_HARDBOOT_START, KEXEC_HARDBOOT_SIZE);
    +
    + kexec_hardboot_device.num_resources = ARRAY_SIZE(kexec_hardboot_resources);
    + kexec_hardboot_device.resource = kexec_hardboot_resources;
    +}
    +#endif

    Standard kexec not working and allso kexec can boot only kexec patched kernels, so I get them only working using hard kexec, hard worked on them and finaly I had a fully working kexec for Sony Xperia Go, Sola, P and U, maybe this help -> https://github.com/munjeni/android_kernel_xperiago/commits/jb-dev?page=2

    I will start working on your work after I get Xperia Z1 Mini! You made a realy interesting thread, I am realy interested in this! Hope we get some progress. :good:

    And one more thing, I will backport my Boot Menu to Z1 and Z1S soon as we get kexec working! More info here -> http://forum.xda-developers.com/showthread.php?t=2418241
    10
    Excellent work Delewer!

    So is it currently functional but with bugs or does it still need work before others can start testing it?

    Are your tests at the moment with Sony stock kernel (i,e, DooMKernel) or with AOSP kernel (i.e. CM kernel running CM10 or equivalent)?

    It's not a fonctionnal kexec ; all i see in my sources say it work, but it is not yet, it's frustating to me to be so close.

    I test only with DoomKernel, to be sure when ok, to see it is.
    When ok, aosp will be kexeced immediatly after... for sure !!!

    Most important for now it's to have log from new kernel to debug the first crash ; if i have a log, we win the battle.
    7
    Hi new thread created for kernel kexec development.

    Status: not working: wrong values for mem defines under the kernel is giving segmentation fault as its attempting to write to memory areas that are currently being used byyyyy the system


    Instructions:
    Make kernel compatible?:
    1. Download kernel diff patch from below
    2. Terminal - diff patch > diff.txt

    How to use:
    1. Download kexec-tools (kexec binary) from below
    2. Copy into system/bin directory and give it executable permission
    3. Download compatible kernel
    4. Terminal - kexec --load-hardboot zImage --initrd=initrd.img --mem-min=0x20000000 --command-line="$(cat /proc/cmdline)"
    kexec -e

    Download links:
    Kexec tool- https://db.tt/8DZXQ9eV
    Ramdisk firmware 1.548 : https://db.tt/8DZXQ9eV
    zImage (kernel):


    Source code:
    Kernel diff patch: https://db.tt/Xi2htT7Q (currently contains wrong values for mem defines)
    Kexec-tools: https://db.tt/I22ofr3b


    Special thanks: @delewer @krabappel2548