[HOW TO] reverse engineer kernel

Search This thread

gekkehenkie11

Inactive Recognized Developer
Dec 9, 2010
2,767
5,582
Hi,

So although companies of course are bound by law to release kernel sources, and most of them do, there are sometimes circumstances where you still would like to see the disassembly of the kernel code. For example sometimes an ASM deadlisting can be easier to understand than complicated C++ code. Or maybe you suspect that your kernel code is slightly different than the source code your manufacturer supplied, maybe due to a slightly different configuration. It happens.

Anyway, whatever reason you might have, this is a small tutorial on how to obtain that kernel code in a deadlisting.

1) First of all you need of course to dump the boot image. I normally do this via: cat /dev/block/mmcblk0p17 > /sdcard/boot.img. But it depends on which partition the boot image resides. Use a partition tool to find out.
2) Seperate the kernel image from the boot image. I use Android Image kitchen myself.
3) The kernel image is self extracting. This means that it is just the compressed kernel + the decompression code to decompress it. We want to use a regular decompression utility so we want to strip that decompression code off in order for a normal decompression utility to handle it. Now, on older kernels (up to 2013 I think) you could use a tool like this to decompress the kernel: http://forum.xda-developers.com/showthread.php?t=901152 It's based on the fact that the kernel is Gzip compressed. However newer kernels use LZO compression. Luckily it's quite easy to do it manually. First of all you need to cut off the part upto where the kernel image starts (the decompression code). You need to search for 0x89 0x4c 0x5A 0x4F. That's 0x89 followed by "LZO", which is the start of the compressed file header. Now in my case I needed the 2nd hit (in my case the 1st hit is followed by some text and then like 0x50 bytes later follows the second hit, I needed that one). So cut off the part upto that, rename the file as a .LZO file and then you can just decompress it with any LZO decompresser, for example "Universal Extractor".
4) So now we have a decompressed kernel image. You could load this up into IDA pro already but reverse engineering will be hard since all symbols are missing. So how to get the symbols ? We can dump them from your phones memory too ! However the linux kernel is since quite some versions already protected against doing that, for obvious reasons. If you're root though, you can disable that protection via issueing:

Code:
echo 0 > /proc/sys/kernel/kptr_restrict

Next you can simply dump the symbols like:

Code:
cat /proc/kallsyms >/sdcard/symbols.txt

5) You now have a file containing all the symbols. But how to convert this into an IDA pro script ? You could write a simple tool or script that does it. Luckily I already did that for you, see the attached file :) However the symbol file you just dumped from memory wont contain the windows carriage returns after each line, which my tool needs (sorry too lazy to fix it up, lol), so you need to add them first. I use 'edit pad lite'. In that you simply copy en paste the file and save it. Once you open it in notepad you will now see it's perfectly carriage return formatted. Now use my tool to open it and it will create an IDC script
6) ready to load it all up in IDA pro now ! Open the kernel in IDA pro, select ARM as processor (that is if you're on such a phone of course) and load the kernel to the right address. Usually it will be the first address of your IDC script. But also a tool like Android Image Kitchen will show you the correct address. Then if the kernel is opened and loaded at the correct address, simply open the IDC script and it will add all symbols.

And there you have it ! A perfect deadlisting of your android kernel, containing all symbols ! Happy reverse engineering !
 

Attachments

  • idccreate1.rar
    136.3 KB · Views: 1,968
Last edited:

gekkehenkie11

Inactive Recognized Developer
Dec 9, 2010
2,767
5,582
very nice one. good job bro.
Subscribed, amazing thread and amazing tool, thank you for the insight, any more reversing knowledge with olly or ida is greatly appreciated.

Glad you liked it guys.

Decent introduction, but this is just the beginning... Good for comparison purposes as you mentioned, but what else? *shrug*

Not sure what you mean, you want me to teach you how to read ASM and/or use IDA pro ? That's a bit beyond the purpose of this thread I'm afraid.
 

pirej

Senior Member
Jan 13, 2013
1,414
3,204
Skopje
@gekkehenkie11 Does the kernel decompressing end eventually ??? :)
extracting.png

Im trying to follow your guide and im ok so far, i got the symbols from my phone, im decompresing the kernel right now.. we will see about using your script and IDA pro later.

THANK YOU!

Edit: i have the decompressed kernel now, i used the symbols to create the ida script using your script, now... i have to learn how to use it in ida :)
 
Last edited:

gekkehenkie11

Inactive Recognized Developer
Dec 9, 2010
2,767
5,582
Edit: i have the decompressed kernel now, i used the symbols to create the ida script using your script, now... i have to learn how to use it in ida :)

Select ARM as processor and 0Xc0008000 as the kernel loading address (verify with your symbols, should be the same address as your first symbol) ! Good luck.
 
  • Like
Reactions: pirej

pirej

Senior Member
Jan 13, 2013
1,414
3,204
Skopje
When i load the symbol-script made with your tool in to ida.. i get this type of error messages, a lot of them :)
C0103568: can't rename byte as 'vfp_propagate_nan' because the name is already used in the program.
C0F96E58: can't rename byte as 'byte_mux_ops' because the name has a reserved prefix.
C0F242FC: can't rename byte as 'ten_thousand' because this byte can't have a name (it is a tail byte).

There really is "vfp_propagate_nan" twice in my symbols dumped from my phone, is this normal or i did something wrong?
 
Last edited:

blakegriplingph

Senior Member
May 13, 2011
1,001
149
Amazon Fire
Realme C3
And I assume this would allow us to, like, recreate a particular kernel's source code when the original sources to it are unavailable, using extant code from a similar repo, right?
 

alpeshvdy

Member
Nov 21, 2015
24
6
After achieving deadlist how do we do to get kernel source in conventional format (like they have on github)..

I'm not asking u to write a guide. I'm asking "where i can find tutorial"

I find in 4pda forum to use "snowman decompiler" plugin in ida to convert deadlist to c++

Should i use it??
 

Atronid

Senior Member
Jul 3, 2017
187
33
Hello, first thank you for this precious guide !

I'm currently facing problems reverse engineering kernel-ranchu kernel provided to modern AVD. Tried both of your methods and I can't get a valid kernel img. Any idea why ?
 

lolvatveo

Senior Member
Nov 1, 2020
133
5
There is no certified way to reverse source code from binary. The process in which it has been compiled has to be reversed.

Now if you want to analyze binary and cross-examine it with android from source files, then you can derive using basic lamba functions to infer missing pieces.

But..... binaries can be engineered in a way that the code becomes obvious ESPECIALLY if you have Android from Source.

Essentially, you can download android from source using google repo tool, repo the release edition, compare side by side, file for file, what is different.

I Use these linux command s



From there i use a custom python file that 'line for line' searches for the strings, if they match, it logs the match.

once done with that, it sends it over to sublime text, which for some reason, on rare occasions resolves the binaries immediately, especially when paired with the matching strings file.


For files that are obviously encrypted, i wait till the end and brute force popular hashes, map out links, use lambda functions and use general deduction to solve to source.

If you want to learn how to analyze binaries with linux watch "malware analysis" videos on youtube
😠😡
OEM/Manufukturer has an open source policy but some of them don't publish the kernel source code. I found the helpful answer to reverse kernel and I'll put it in the right suitable place.
 
May 10, 2022
16
4
lol im sorry. this is what im working with
Screenshot from 2022-05-25 13-57-53.png


unless you are trying to get from img to bin? or trying to get bin to text? or bin to c?
 
May 10, 2022
16
4
blu will not post there source or email me back, so im going to reverse engineer it to piss them off. Decompilers for llvm and clang and such exist. blueline hasnt put to much effort into hiding the source. I found a json @ link file that simplified the process
 
  • Like
Reactions: lolvatveo

Top Liked Posts

  • There are no posts matching your filters.
  • 27
    Hi,

    So although companies of course are bound by law to release kernel sources, and most of them do, there are sometimes circumstances where you still would like to see the disassembly of the kernel code. For example sometimes an ASM deadlisting can be easier to understand than complicated C++ code. Or maybe you suspect that your kernel code is slightly different than the source code your manufacturer supplied, maybe due to a slightly different configuration. It happens.

    Anyway, whatever reason you might have, this is a small tutorial on how to obtain that kernel code in a deadlisting.

    1) First of all you need of course to dump the boot image. I normally do this via: cat /dev/block/mmcblk0p17 > /sdcard/boot.img. But it depends on which partition the boot image resides. Use a partition tool to find out.
    2) Seperate the kernel image from the boot image. I use Android Image kitchen myself.
    3) The kernel image is self extracting. This means that it is just the compressed kernel + the decompression code to decompress it. We want to use a regular decompression utility so we want to strip that decompression code off in order for a normal decompression utility to handle it. Now, on older kernels (up to 2013 I think) you could use a tool like this to decompress the kernel: http://forum.xda-developers.com/showthread.php?t=901152 It's based on the fact that the kernel is Gzip compressed. However newer kernels use LZO compression. Luckily it's quite easy to do it manually. First of all you need to cut off the part upto where the kernel image starts (the decompression code). You need to search for 0x89 0x4c 0x5A 0x4F. That's 0x89 followed by "LZO", which is the start of the compressed file header. Now in my case I needed the 2nd hit (in my case the 1st hit is followed by some text and then like 0x50 bytes later follows the second hit, I needed that one). So cut off the part upto that, rename the file as a .LZO file and then you can just decompress it with any LZO decompresser, for example "Universal Extractor".
    4) So now we have a decompressed kernel image. You could load this up into IDA pro already but reverse engineering will be hard since all symbols are missing. So how to get the symbols ? We can dump them from your phones memory too ! However the linux kernel is since quite some versions already protected against doing that, for obvious reasons. If you're root though, you can disable that protection via issueing:

    Code:
    echo 0 > /proc/sys/kernel/kptr_restrict

    Next you can simply dump the symbols like:

    Code:
    cat /proc/kallsyms >/sdcard/symbols.txt

    5) You now have a file containing all the symbols. But how to convert this into an IDA pro script ? You could write a simple tool or script that does it. Luckily I already did that for you, see the attached file :) However the symbol file you just dumped from memory wont contain the windows carriage returns after each line, which my tool needs (sorry too lazy to fix it up, lol), so you need to add them first. I use 'edit pad lite'. In that you simply copy en paste the file and save it. Once you open it in notepad you will now see it's perfectly carriage return formatted. Now use my tool to open it and it will create an IDC script
    6) ready to load it all up in IDA pro now ! Open the kernel in IDA pro, select ARM as processor (that is if you're on such a phone of course) and load the kernel to the right address. Usually it will be the first address of your IDC script. But also a tool like Android Image Kitchen will show you the correct address. Then if the kernel is opened and loaded at the correct address, simply open the IDC script and it will add all symbols.

    And there you have it ! A perfect deadlisting of your android kernel, containing all symbols ! Happy reverse engineering !
    1
    very nice one. good job bro.

    Sent from my GT-I8190 using XDA Forums Pro
    1
    Subscribed, amazing thread and amazing tool, thank you for the insight, any more reversing knowledge with olly or ida is greatly appreciated.
    1
    Edit: i have the decompressed kernel now, i used the symbols to create the ida script using your script, now... i have to learn how to use it in ida :)

    Select ARM as processor and 0Xc0008000 as the kernel loading address (verify with your symbols, should be the same address as your first symbol) ! Good luck.
    1
    blu will not post there source or email me back, so im going to reverse engineer it to piss them off. Decompilers for llvm and clang and such exist. blueline hasnt put to much effort into hiding the source. I found a json @ link file that simplified the process