[HOW TO] reverse engineer kernel

Search This thread


Senior Member
Nov 1, 2020
the alternative for the kernel source: "need defconfig and dtbs to bring an unofficial source. Better spam oss for release source"(found it somewhere but don't understand).if a device doesn't have kernel source code, what do you think?👹☠. we must decompile kernel zImage or can't customize it
Last edited:
May 10, 2022
you could do that. Or you can use mathematical means.

1. Download android studio,
2. ctrl a pixel3 or whatever phone model files from emulator to desktop [Warning 76k files]. Might want to stick to API images
3. run trusty file compare for files that are related to adb. See if they broke gnu licenses clause on modification based on changes to areas alone.
4. But before we get are panties in a bunch, make sure that you used the proper unlock flash_a and unlock flash_b for a/b type roms.

update: But iv pretty much tore this rom to pieces with ghidra, got assembly code and what not. Just looking for differences as we speak. It just kinda sucks that i cant even get the phone to get into recovery, or bootloader.
it resists all adb commands. which could be driver related or tooler related. I read that the speadrum driver and usb tool is an absolute must for forcing flash. idk this whole thing stinks

Top Liked Posts

  • There are no posts matching your filters.
  • 27

    So although companies of course are bound by law to release kernel sources, and most of them do, there are sometimes circumstances where you still would like to see the disassembly of the kernel code. For example sometimes an ASM deadlisting can be easier to understand than complicated C++ code. Or maybe you suspect that your kernel code is slightly different than the source code your manufacturer supplied, maybe due to a slightly different configuration. It happens.

    Anyway, whatever reason you might have, this is a small tutorial on how to obtain that kernel code in a deadlisting.

    1) First of all you need of course to dump the boot image. I normally do this via: cat /dev/block/mmcblk0p17 > /sdcard/boot.img. But it depends on which partition the boot image resides. Use a partition tool to find out.
    2) Seperate the kernel image from the boot image. I use Android Image kitchen myself.
    3) The kernel image is self extracting. This means that it is just the compressed kernel + the decompression code to decompress it. We want to use a regular decompression utility so we want to strip that decompression code off in order for a normal decompression utility to handle it. Now, on older kernels (up to 2013 I think) you could use a tool like this to decompress the kernel: http://forum.xda-developers.com/showthread.php?t=901152 It's based on the fact that the kernel is Gzip compressed. However newer kernels use LZO compression. Luckily it's quite easy to do it manually. First of all you need to cut off the part upto where the kernel image starts (the decompression code). You need to search for 0x89 0x4c 0x5A 0x4F. That's 0x89 followed by "LZO", which is the start of the compressed file header. Now in my case I needed the 2nd hit (in my case the 1st hit is followed by some text and then like 0x50 bytes later follows the second hit, I needed that one). So cut off the part upto that, rename the file as a .LZO file and then you can just decompress it with any LZO decompresser, for example "Universal Extractor".
    4) So now we have a decompressed kernel image. You could load this up into IDA pro already but reverse engineering will be hard since all symbols are missing. So how to get the symbols ? We can dump them from your phones memory too ! However the linux kernel is since quite some versions already protected against doing that, for obvious reasons. If you're root though, you can disable that protection via issueing:

    echo 0 > /proc/sys/kernel/kptr_restrict

    Next you can simply dump the symbols like:

    cat /proc/kallsyms >/sdcard/symbols.txt

    5) You now have a file containing all the symbols. But how to convert this into an IDA pro script ? You could write a simple tool or script that does it. Luckily I already did that for you, see the attached file :) However the symbol file you just dumped from memory wont contain the windows carriage returns after each line, which my tool needs (sorry too lazy to fix it up, lol), so you need to add them first. I use 'edit pad lite'. In that you simply copy en paste the file and save it. Once you open it in notepad you will now see it's perfectly carriage return formatted. Now use my tool to open it and it will create an IDC script
    6) ready to load it all up in IDA pro now ! Open the kernel in IDA pro, select ARM as processor (that is if you're on such a phone of course) and load the kernel to the right address. Usually it will be the first address of your IDC script. But also a tool like Android Image Kitchen will show you the correct address. Then if the kernel is opened and loaded at the correct address, simply open the IDC script and it will add all symbols.

    And there you have it ! A perfect deadlisting of your android kernel, containing all symbols ! Happy reverse engineering !
    very nice one. good job bro.

    Sent from my GT-I8190 using XDA Forums Pro
    Subscribed, amazing thread and amazing tool, thank you for the insight, any more reversing knowledge with olly or ida is greatly appreciated.
    Edit: i have the decompressed kernel now, i used the symbols to create the ida script using your script, now... i have to learn how to use it in ida :)

    Select ARM as processor and 0Xc0008000 as the kernel loading address (verify with your symbols, should be the same address as your first symbol) ! Good luck.
    blu will not post there source or email me back, so im going to reverse engineer it to piss them off. Decompilers for llvm and clang and such exist. blueline hasnt put to much effort into hiding the source. I found a json @ link file that simplified the process