Hi,
So although companies are of course bound by the kernel's GPL licence to release kernel sources, and most of them do, there are sometimes circumstances where you would still like to see the disassembly of the kernel code. For example, an ASM deadlisting is sometimes easier to understand than complicated C code. Or maybe you suspect that the kernel running on your phone is slightly different from the source your manufacturer supplied, for example because it was built with a slightly different configuration. It happens.
Anyway, whatever reason you might have, this is a small tutorial on how to obtain that kernel code as a deadlisting.
1) First of all you need to dump the boot image, which requires root. I normally do this via: cat /dev/block/mmcblk0p17 > /sdcard/boot.img. But which partition the boot image lives on depends on the device, so use a partition tool to find out (on many devices the symlinks under /dev/block/platform/*/by-name/ give it away as "boot").
2) Separate the kernel image from the boot image. I use Android Image Kitchen myself.
3) The kernel image (the zImage) is self-extracting: it is just the compressed kernel with a small decompressor stub in front of it. We want to use a regular decompression utility instead, so we strip that stub off so that a normal decompressor can handle what is left. On older kernels (up to 2013, I think) you could use a tool like this to decompress the kernel: http://xdaforums.com/showthread.php?t=901152 It relies on the kernel being gzip compressed. Newer kernels, however, often use LZO compression. (The compressor is a build-time choice, CONFIG_KERNEL_GZIP, CONFIG_KERNEL_LZO, CONFIG_KERNEL_XZ, CONFIG_KERNEL_LZ4 and so on, so go by the magic bytes you actually find: gzip starts with 1F 8B 08, XZ with FD 37 7A 58 5A 00, lzop with 89 4C 5A 4F.) Luckily the LZO case is quite easy to handle manually. First you need to cut off everything up to where the compressed image starts (that is, the decompressor stub). Search for the bytes 0x89 0x4C 0x5A 0x4F: that is 0x89 followed by "LZO", the start of the lzop file header. Now in my case I needed the 2nd hit (in my case the 1st hit is followed by some text and then about 0x50 bytes later follows the second hit; I needed that one). So cut off everything up to that hit, save the rest with a .lzo extension and decompress it with any LZO decompressor, for example "Universal Extractor" (or lzop -d on Linux). If you have a Linux kernel tree handy, scripts/extract-vmlinux does this search-and-cut for all the supported compressors automatically.
4) So now we have a decompressed kernel image. You could load this into IDA Pro already, but reverse engineering will be hard since all symbols are missing. So how to get the symbols? We can dump them from your phone's memory too! However, the Linux kernel has protected against that for quite some versions now (the kptr_restrict sysctl, there since 2.6.38, which makes /proc/kallsyms print every address as 0; with the value 1 that only hits unprivileged readers, but Android typically ships with 2, which hides the addresses from root as well), for obvious reasons: kernel addresses are exactly what an exploit needs. If you're root, you can disable that protection by issuing:
Code:
echo 0 > /proc/sys/kernel/kptr_restrict
Next you can simply dump the symbols like so (if every line still starts with 00000000, the sysctl did not take effect):
Code:
cat /proc/kallsyms >/sdcard/symbols.txt
5) You now have a file containing all the symbols. But how to convert this into an IDA Pro script? You could write a simple tool or script that does it. Luckily I already did that for you, see the attached file. However, the symbol file you just dumped from memory won't contain the Windows carriage returns after each line, which my tool needs (sorry, too lazy to fix it up, lol), so you need to add them first. I use 'EditPad Lite'. In that you simply copy and paste the file and save it. Once you open it in Notepad you will see it is now perfectly carriage-return formatted. Now use my tool to open it and it will create an IDC script.
6) Ready to load it all up in IDA Pro now! Open the decompressed kernel in IDA Pro as a binary file, select ARM as the processor (if you're on such a phone, of course) and load it at the right address. Usually that is the first address in your IDC script, i.e. the kernel's _text/stext symbol as reported by kallsyms (typically 0xC0008000 on a 32-bit ARM kernel with the default 3G/1G split). A tool like Android Image Kitchen will also show you a kernel address, but take care: the address in the boot image header is the physical address the bootloader loads the zImage at, while the symbols you dumped are virtual addresses, so the kallsyms address is the one IDA needs. Then, once the kernel is opened and loaded at the correct address, simply run the IDC script and it will add all the symbols.
And there you have it! A perfect deadlisting of your Android kernel, with all symbols! Happy reverse engineering!
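To automate step 3 (finding where the compressed kernel starts and deciding between the first and the second hit), here is an added example script; it is not the post's tool or anything from Android Image Kitchen. It assumes the lzop header checksum is an Adler-32 (seed 1) over the header bytes after the magic, as lzop writes it, and the sample images it builds are constructed, not real kernels. The kernel tree's own scripts/extract-vmlinux does the same search-and-try with shell tools; this version checks the lzop header in pure Python so it can tell a decoy hit (magic followed by text) from the real stream without needing an LZO decoder, and inflates gzip/xz/lzma/bzip2 kernels directly.

```python
#!/usr/bin/env python3
"""Find and cut the compressed kernel inside an ARM zImage (the Android kernel blob).

Added example, not the post author's tool: it does step 3's "search for 0x89 L Z O and
cut" programmatically and settles the "first or second hit?" question. A hit only counts
if the bytes after the magic form a real container: for lzop, a header whose checksum
matches (assumed to be Adler-32, seed 1, over the bytes after the magic, as lzop writes
it) followed by a sane first block; for gzip/xz/lzma/bzip2, a stream that inflates and
contains the "Linux version" banner. The sample images below are constructed.
"""
import bz2, gzip, lzma, struct, sys, zlib

LZOP_MAGIC = b"\x89LZO\x00\r\n\x1a\n"   # starts with the 0x89 4C 5A 4F the post searches for
F_H_FILTER, F_H_CRC32 = 0x0800, 0x1000  # lzop header flags this parser needs
LZO_BLOCK_MAX = 256 * 1024              # lzop block size; the kernel rejects bigger blocks
MAX_OUT = 256 << 20                     # cap output/memory so a decoy stream cannot run away
STDLIB = {                              # magic -> (name, decompressor factory)
    b"\x1f\x8b\x08": ("gzip", lambda: zlib.decompressobj(wbits=31)),
    b"\xfd7zXZ\x00": ("xz", lambda: lzma.LZMADecompressor(lzma.FORMAT_XZ, memlimit=MAX_OUT)),
    b"\x5d\x00\x00": ("lzma", lambda: lzma.LZMADecompressor(lzma.FORMAT_ALONE, memlimit=MAX_OUT)),
    b"BZh": ("bzip2", bz2.BZ2Decompressor),
}

def parse_lzop_header(buf):
    """Header length if buf starts with a well-formed lzop stream, else None. The field
    order is lzop's, the same one the kernel's lib/decompress_unlzo.c walks."""
    if not buf.startswith(LZOP_MAGIC):
        return None
    try:
        pos = len(LZOP_MAGIC)
        version, = struct.unpack_from(">H", buf, pos)
        new = version >= 0x0940                     # newer headers carry three extra fields
        pos += 6 if new else 4                      # version, lib version (, version needed)
        method = buf[pos]
        pos += 2 if new else 1                      # method (, level)
        flags, = struct.unpack_from(">I", buf, pos)
        pos += 16 if new else 12                    # flags, mode, mtime_low (, mtime_high)
        if flags & F_H_FILTER:
            return None                             # filtered stream: the kernel cannot unpack it
        pos += 1 + buf[pos]                         # name_len + name
        stored, = struct.unpack_from(">I", buf, pos)
        hdr = buf[len(LZOP_MAGIC):pos]
        calc = zlib.crc32(hdr) if flags & F_H_CRC32 else zlib.adler32(hdr, 1)
        if method not in (1, 2, 3) or stored != calc:
            return None                             # a decoy (text after the magic) dies here
        pos += 4
        dst_len, src_len = struct.unpack_from(">II", buf, pos)   # first block header
        if not (0 < dst_len <= LZO_BLOCK_MAX and 0 < src_len <= dst_len):
            return None
        return pos
    except (struct.error, IndexError):
        return None

def _offsets(data, magic):
    start = 0
    while (off := data.find(magic, start)) != -1:
        yield off
        start = off + 1

def find_kernel(image, marker=b"Linux version"):
    """Try every magic hit in file order; return (offset, format, payload) for the first
    genuine one. payload is the inflated kernel, or for lzop the cut slice to save as
    .lzo and hand to 'lzop -d' (the standard library has no LZO decoder)."""
    hits = sorted((o, m) for m in [*STDLIB, LZOP_MAGIC] for o in _offsets(image, m))
    for off, magic in hits:
        if magic == LZOP_MAGIC:
            if parse_lzop_header(image[off:]) is not None:
                return off, "lzo", image[off:]
            continue
        name, make = STDLIB[magic]
        try:
            out = make().decompress(image[off:], max_length=MAX_OUT)
        except (zlib.error, lzma.LZMAError, OSError, ValueError, EOFError, MemoryError):
            continue                                # decoy hit: not a real stream
        if marker in out:
            return off, name, out
    return None

def constructed_lzo_image():
    """Constructed zImage stand-in: ARM 'mov r0, r0' padding, a decoy hit (magic followed
    by text, like the post's first hit), and the real lzop stream 0x50 bytes later.
    The block payload is dummy bytes, not real LZO output."""
    hdr = struct.pack(">HHHBBIIII", 0x1030, 0x2080, 0x0940, 1, 5, 1, 0o100644, 0, 0) + b"\x05piggy"
    real = (LZOP_MAGIC + hdr + struct.pack(">I", zlib.adler32(hdr, 1))
            + struct.pack(">II", 4096, 1500) + b"\x00" * 4 + b"\x11" * 1500)
    decoy = LZOP_MAGIC + b" is the magic of the piggy that follows\n"
    return b"\x00\x00\xa0\xe1" * 16 + decoy.ljust(0x50, b"\x00") + real

def constructed_gzip_image():
    """Same idea for a gzip kernel: a decoy 1F 8B 08 with illegal flag bits, then the real
    stream. Returns (image, kernel) so the result can be checked."""
    kernel = b"\x00" * 64 + b"Linux version 3.4.0 (constructed example)\n" + b"\xff" * 64
    return b"\x1f\x8b\x08" + b"\xff" * 8 + b"\x00" * 32 + gzip.compress(kernel) + b"\x00" * 16, kernel

if __name__ == "__main__":
    found = find_kernel(open(sys.argv[1], "rb").read())
    if not found:
        sys.exit("no compressed kernel found")
    off, fmt, payload = found
    name = "kernel.lzo" if fmt == "lzo" else "vmlinux.bin"
    open(name, "wb").write(payload)
    print("%s stream at offset 0x%x, written to %s" % (fmt, off, name))
```

Run it as `python3 carve_kernel.py zImage` (the script name is my choice) on the kernel you split out of boot.img in step 2. For an LZO kernel it writes kernel.lzo, which you then feed to lzop -d or Universal Extractor exactly as in step 3; for the formats Python can inflate itself you get vmlinux.bin straight away, ready for IDA.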
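Step 5's converter is an attachment this page no longer carries, so here is an added replacement for it (my code, not the author's tool). It takes the kallsyms file exactly as dumped in step 4 (LF line endings are fine, no carriage returns needed), refuses the all-zero dump you get when kptr_restrict is still set, skips loadable-module symbols, handles the aliases and duplicate names a real kallsyms is full of, and writes an IDC script for IDA 7's set_name/add_func/set_cmt functions (MakeNameEx/MakeFunction/MakeRptCmt on IDA 6.x). The kallsyms sample inside is constructed.

```python
#!/usr/bin/env python3
"""Convert a /proc/kallsyms dump into an IDA IDC script that names every kernel symbol.

Added example standing in for the post's attached converter (no longer on this page); it
is not that tool. It accepts LF or CRLF line endings, so the carriage-return fix-up of
step 5 is unnecessary, refuses a dump taken with kptr_restrict still on (every address
0), drops loadable-module symbols ("[name]" suffix), and copes with aliases and duplicate
names, which IDA would otherwise reject. It emits the IDA 7+ IDC functions set_name /
add_func / set_cmt; on IDA 6.x the same calls are MakeNameEx / MakeFunction / MakeRptCmt.
The sample kallsyms text below is constructed.
"""
import re
import sys

LINE = re.compile(r"^([0-9a-fA-F]+)\s+([A-Za-z?])\s+(\S+)(?:\s+\[(\S+)\])?$")

def parse_kallsyms(text):
    """Return {address: [(type, name), ...]} for in-kernel symbols, in file order."""
    syms = {}
    for raw in text.splitlines():                   # splitlines() eats both \n and \r\n
        m = LINE.match(raw.strip())
        if not m:
            continue                                # blank or unexpected line
        addr, typ, name, module = m.groups()
        if module or name.startswith("$"):
            continue                                # module symbol or ARM $a/$d mapping symbol
        syms.setdefault(int(addr, 16), []).append((typ, name))
    if syms and all(a == 0 for a in syms):
        raise ValueError("every address is 0: re-dump after 'echo 0 > /proc/sys/kernel/kptr_restrict'")
    return syms

def load_address(syms):
    """Lowest text-symbol address: where to load the decompressed kernel in IDA."""
    text = [a for a, entries in syms.items() if any(t in "Tt" for t, _ in entries)]
    return min(text or syms)

def _quote(s):
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def to_idc(syms):
    """Render the IDC script. The first name at an address wins, the rest become a
    repeatable comment; a name already used elsewhere gets its address appended."""
    seen = set()
    out = ["#include <idc.idc>", "",
           "// load the kernel at 0x%x (lowest text symbol)" % load_address(syms),
           "static main() {"]
    for addr, entries in sorted(syms.items()):
        typ, name = entries[0]
        if name in seen:
            name = "%s_%x" % (name, addr)
        seen.add(name)
        out.append("    set_name(0x%x, %s, SN_NOCHECK | SN_NOWARN);" % (addr, _quote(name)))
        if typ in "TtW":
            out.append("    add_func(0x%x, BADADDR);" % addr)   # function start
        aliases = " ".join(n for _, n in entries[1:])
        if aliases:
            out.append("    set_cmt(0x%x, %s, 1);" % (addr, _quote("aliases: " + aliases)))
    out.append("}")
    return "\n".join(out) + "\n"

SAMPLE_KALLSYMS = (                # constructed; real dumps have tens of thousands of lines
    "c0008000 T _text\r\n"
    "c0008000 T stext\r\n"
    "c0008240 t __create_page_tables\r\n"
    "c0234560 t probe\r\n"
    "c0345670 t probe\r\n"         # same static name in another file: needs a suffix
    "c0700000 D init_task\r\n"
    "c0a00000 B _end\r\n"
    "bf000000 t mod_init\t[mymod]\r\n"   # loadable module, not part of the kernel image
)

if __name__ == "__main__":
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_KALLSYMS
    syms = parse_kallsyms(text)
    out = sys.argv[2] if len(sys.argv) > 2 else "kernel_syms.idc"
    open(out, "w").write(to_idc(syms))
    print("%d addresses, load at 0x%x, script in %s" % (len(syms), load_address(syms), out))
```

Run `python3 kallsyms2idc.py symbols.txt kernel_syms.idc` (script name is my choice) and note the load address it prints: that is the address to give IDA in step 6, and it comes from the dump itself rather than from the boot image header. Then File > Script file in IDA and pick kernel_syms.idc. SN_NOCHECK is deliberate: kallsyms names such as foo.constprop.3 would otherwise be refused by IDA's identifier check.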