blob: 9a515eeefb965b26bf635ef7fa3de8cf96258471 [file] [log] [blame]
#!/usr/bin/env python3
#
# Copyright 2018, The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Unpacks the boot image.
Extracts the kernel, ramdisk, second bootloader, dtb and recovery dtbo images.
"""
from argparse import ArgumentParser, FileType, RawDescriptionHelpFormatter
from struct import unpack
import os
import shlex
BOOT_IMAGE_HEADER_V3_PAGESIZE = 4096
VENDOR_RAMDISK_NAME_SIZE = 32
VENDOR_RAMDISK_TABLE_ENTRY_BOARD_ID_SIZE = 16
def create_out_dir(dir_path):
"""creates a directory 'dir_path' if it does not exist"""
if not os.path.exists(dir_path):
os.makedirs(dir_path)
def extract_image(offset, size, bootimage, extracted_image_name):
"""extracts an image from the bootimage"""
bootimage.seek(offset)
with open(extracted_image_name, 'wb') as file_out:
file_out.write(bootimage.read(size))
def get_number_of_pages(image_size, page_size):
"""calculates the number of pages required for the image"""
return (image_size + page_size - 1) // page_size
def cstr(s):
"""Remove first NULL character and any character beyond."""
return s.split('\0', 1)[0]
def format_os_version(os_version):
if os_version == 0:
return None
a = os_version >> 14
b = os_version >> 7 & ((1<<7) - 1)
c = os_version & ((1<<7) - 1)
return '{}.{}.{}'.format(a, b, c)
def format_os_patch_level(os_patch_level):
if os_patch_level == 0:
return None
y = os_patch_level >> 4
y += 2000
m = os_patch_level & ((1<<4) - 1)
return '{:04d}-{:02d}'.format(y, m)
def decode_os_version_patch_level(os_version_patch_level):
"""Returns a tuple of (os_version, os_patch_level)."""
os_version = os_version_patch_level >> 11
os_patch_level = os_version_patch_level & ((1<<11) - 1)
return (format_os_version(os_version),
format_os_patch_level(os_patch_level))
class BootImageInfoFormatter:
"""Formats the boot image info."""
def format_pretty_text(self):
lines = []
lines.append(f'boot magic: {self.boot_magic}')
if self.header_version < 3:
lines.append(f'kernel_size: {self.kernel_size}')
lines.append(
f'kernel load address: {self.kernel_load_address:#010x}')
lines.append(f'ramdisk size: {self.ramdisk_size}')
lines.append(
f'ramdisk load address: {self.ramdisk_load_address:#010x}')
lines.append(f'second bootloader size: {self.second_size}')
lines.append(
f'second bootloader load address: '
f'{self.second_load_address:#010x}')
lines.append(
f'kernel tags load address: {self.tags_load_address:#010x}')
lines.append(f'page size: {self.page_size}')
else:
lines.append(f'kernel_size: {self.kernel_size}')
lines.append(f'ramdisk size: {self.ramdisk_size}')
lines.append(f'os version: {self.os_version}')
lines.append(f'os patch level: {self.os_patch_level}')
lines.append(f'boot image header version: {self.header_version}')
if self.header_version < 3:
lines.append(f'product name: {self.product_name}')
lines.append(f'command line args: {self.cmdline}')
if self.header_version < 3:
lines.append(f'additional command line args: {self.extra_cmdline}')
if self.header_version in {1, 2}:
lines.append(f'recovery dtbo size: {self.recovery_dtbo_size}')
lines.append(
f'recovery dtbo offset: {self.recovery_dtbo_offset:#018x}')
lines.append(f'boot header size: {self.boot_header_size}')
if self.header_version == 2:
lines.append(f'dtb size: {self.dtb_size}')
lines.append(f'dtb address: {self.dtb_load_address:#018x}')
if self.header_version >= 4:
lines.append(
f'boot.img signature size: {self.boot_signature_size}')
return '\n'.join(lines)
def format_mkbootimg_argument(self):
args = []
args.extend(['--header_version', str(self.header_version)])
if self.os_version:
args.extend(['--os_version', self.os_version])
if self.os_patch_level:
args.extend(['--os_patch_level', self.os_patch_level])
args.extend(['--kernel', os.path.join(self.image_dir, 'kernel')])
args.extend(['--ramdisk', os.path.join(self.image_dir, 'ramdisk')])
if self.header_version <= 2:
if self.second_size > 0:
args.extend(['--second',
os.path.join(self.image_dir, 'second')])
if self.recovery_dtbo_size > 0:
args.extend(['--recovery_dtbo',
os.path.join(self.image_dir, 'recovery_dtbo')])
if self.dtb_size > 0:
args.extend(['--dtb', os.path.join(self.image_dir, 'dtb')])
args.extend(['--pagesize', f'{self.page_size:#010x}'])
# Kernel load address is base + kernel_offset in mkbootimg.py.
# However we don't know the value of 'base' when unpacking a boot
# image in this script, so we set 'base' to zero and 'kernel_offset'
# to the kernel load address, 'ramdisk_offset' to the ramdisk load
# address, ... etc.
args.extend(['--base', f'{0:#010x}'])
args.extend(['--kernel_offset',
f'{self.kernel_load_address:#010x}'])
args.extend(['--ramdisk_offset',
f'{self.ramdisk_load_address:#010x}'])
args.extend(['--second_offset',
f'{self.second_load_address:#010x}'])
args.extend(['--tags_offset', f'{self.tags_load_address:#010x}'])
# dtb is added in boot image v2, and is absent in v1 or v0.
if self.header_version == 2:
# dtb_offset is uint64_t.
args.extend(['--dtb_offset', f'{self.dtb_load_address:#018x}'])
args.extend(['--board', self.product_name])
args.extend(['--cmdline', self.cmdline + self.extra_cmdline])
else:
args.extend(['--cmdline', self.cmdline])
return args
def unpack_boot_image(args):
"""extracts kernel, ramdisk, second bootloader and recovery dtbo"""
info = BootImageInfoFormatter()
info.boot_magic = unpack('8s', args.boot_img.read(8))[0].decode()
kernel_ramdisk_second_info = unpack('9I', args.boot_img.read(9 * 4))
# header_version is always at [8] regardless of the value of header_version.
info.header_version = kernel_ramdisk_second_info[8]
if info.header_version < 3:
info.kernel_size = kernel_ramdisk_second_info[0]
info.kernel_load_address = kernel_ramdisk_second_info[1]
info.ramdisk_size = kernel_ramdisk_second_info[2]
info.ramdisk_load_address = kernel_ramdisk_second_info[3]
info.second_size = kernel_ramdisk_second_info[4]
info.second_load_address = kernel_ramdisk_second_info[5]
info.tags_load_address = kernel_ramdisk_second_info[6]
info.page_size = kernel_ramdisk_second_info[7]
os_version_patch_level = unpack('I', args.boot_img.read(1 * 4))[0]
else:
info.kernel_size = kernel_ramdisk_second_info[0]
info.ramdisk_size = kernel_ramdisk_second_info[1]
os_version_patch_level = kernel_ramdisk_second_info[2]
info.second_size = 0
info.page_size = BOOT_IMAGE_HEADER_V3_PAGESIZE
info.os_version, info.os_patch_level = decode_os_version_patch_level(
os_version_patch_level)
if info.header_version < 3:
info.product_name = cstr(unpack('16s',
args.boot_img.read(16))[0].decode())
info.cmdline = cstr(unpack('512s', args.boot_img.read(512))[0].decode())
args.boot_img.read(32) # ignore SHA
info.extra_cmdline = cstr(unpack('1024s',
args.boot_img.read(1024))[0].decode())
else:
info.cmdline = cstr(unpack('1536s',
args.boot_img.read(1536))[0].decode())
if info.header_version in {1, 2}:
info.recovery_dtbo_size = unpack('I', args.boot_img.read(1 * 4))[0]
info.recovery_dtbo_offset = unpack('Q', args.boot_img.read(8))[0]
info.boot_header_size = unpack('I', args.boot_img.read(4))[0]
else:
info.recovery_dtbo_size = 0
if info.header_version == 2:
info.dtb_size = unpack('I', args.boot_img.read(4))[0]
info.dtb_load_address = unpack('Q', args.boot_img.read(8))[0]
else:
info.dtb_size = 0
info.dtb_load_address = 0
if info.header_version >= 4:
info.boot_signature_size = unpack('I', args.boot_img.read(4))[0]
else:
info.boot_signature_size = 0
# The first page contains the boot header
num_header_pages = 1
# Convenient shorthand.
page_size = info.page_size
num_kernel_pages = get_number_of_pages(info.kernel_size, page_size)
kernel_offset = page_size * num_header_pages # header occupies a page
image_info_list = [(kernel_offset, info.kernel_size, 'kernel')]
num_ramdisk_pages = get_number_of_pages(info.ramdisk_size, page_size)
ramdisk_offset = page_size * (num_header_pages + num_kernel_pages
) # header + kernel
image_info_list.append((ramdisk_offset, info.ramdisk_size, 'ramdisk'))
if info.second_size > 0:
second_offset = page_size * (
num_header_pages + num_kernel_pages + num_ramdisk_pages
) # header + kernel + ramdisk
image_info_list.append((second_offset, info.second_size, 'second'))
if info.recovery_dtbo_size > 0:
image_info_list.append((info.recovery_dtbo_offset,
info.recovery_dtbo_size,
'recovery_dtbo'))
if info.dtb_size > 0:
num_second_pages = get_number_of_pages(info.second_size, page_size)
num_recovery_dtbo_pages = get_number_of_pages(
info.recovery_dtbo_size, page_size)
dtb_offset = page_size * (
num_header_pages + num_kernel_pages + num_ramdisk_pages +
num_second_pages + num_recovery_dtbo_pages)
image_info_list.append((dtb_offset, info.dtb_size, 'dtb'))
if info.boot_signature_size > 0:
# boot signature only exists in boot.img version >= v4.
# There are only kernel and ramdisk pages before the signature.
boot_signature_offset = page_size * (
num_header_pages + num_kernel_pages + num_ramdisk_pages)
image_info_list.append((boot_signature_offset, info.boot_signature_size,
'boot_signature'))
create_out_dir(args.out)
for offset, size, name in image_info_list:
extract_image(offset, size, args.boot_img, os.path.join(args.out, name))
info.image_dir = args.out
return info
class VendorBootImageInfoFormatter:
"""Formats the vendor_boot image info."""
def format_pretty_text(self):
lines = []
lines.append(f'boot magic: {self.boot_magic}')
lines.append(f'vendor boot image header version: {self.header_version}')
lines.append(f'page size: {self.page_size:#010x}')
lines.append(f'kernel load address: {self.kernel_load_address:#010x}')
lines.append(f'ramdisk load address: {self.ramdisk_load_address:#010x}')
if self.header_version > 3:
lines.append(
f'vendor ramdisk total size: {self.vendor_ramdisk_size}')
else:
lines.append(f'vendor ramdisk size: {self.vendor_ramdisk_size}')
lines.append(f'vendor command line args: {self.cmdline}')
lines.append(
f'kernel tags load address: {self.tags_load_address:#010x}')
lines.append(f'product name: {self.product_name}')
lines.append(f'vendor boot image header size: {self.header_size}')
lines.append(f'dtb size: {self.dtb_size}')
lines.append(f'dtb address: {self.dtb_load_address:#018x}')
if self.header_version > 3:
lines.append(
f'vendor ramdisk table size: {self.vendor_ramdisk_table_size}')
lines.append('vendor ramdisk table: [')
indent = lambda level: ' ' * 4 * level
for entry in self.vendor_ramdisk_table:
(output_ramdisk_name, ramdisk_size, ramdisk_offset,
ramdisk_type, ramdisk_name, board_id) = entry
lines.append(indent(1) + f'{output_ramdisk_name}: ''{')
lines.append(indent(2) + f'size: {ramdisk_size}')
lines.append(indent(2) + f'offset: {ramdisk_offset}')
lines.append(indent(2) + f'type: {ramdisk_type:#x}')
lines.append(indent(2) + f'name: {ramdisk_name}')
lines.append(indent(2) + 'board_id: [')
stride = 4
for row_idx in range(0, len(board_id), stride):
row = board_id[row_idx:row_idx + stride]
lines.append(
indent(3) + ' '.join(f'{e:#010x},' for e in row))
lines.append(indent(2) + ']')
lines.append(indent(1) + '}')
lines.append(']')
lines.append(
f'vendor bootconfig size: {self.vendor_bootconfig_size}')
return '\n'.join(lines)
def format_mkbootimg_argument(self):
args = []
args.extend(['--header_version', str(self.header_version)])
args.extend(['--pagesize', f'{self.page_size:#010x}'])
args.extend(['--base', f'{0:#010x}'])
args.extend(['--kernel_offset', f'{self.kernel_load_address:#010x}'])
args.extend(['--ramdisk_offset', f'{self.ramdisk_load_address:#010x}'])
args.extend(['--tags_offset', f'{self.tags_load_address:#010x}'])
args.extend(['--dtb_offset', f'{self.dtb_load_address:#018x}'])
args.extend(['--vendor_cmdline', self.cmdline])
args.extend(['--board', self.product_name])
if self.dtb_size > 0:
args.extend(['--dtb', os.path.join(self.image_dir, 'dtb')])
if self.header_version > 3:
args.extend(['--vendor_bootconfig',
os.path.join(self.image_dir, 'bootconfig')])
for entry in self.vendor_ramdisk_table:
(output_ramdisk_name, _, _, ramdisk_type,
ramdisk_name, board_id) = entry
args.extend(['--ramdisk_type', str(ramdisk_type)])
args.extend(['--ramdisk_name', ramdisk_name])
for idx, e in enumerate(board_id):
if e:
args.extend([f'--board_id{idx}', f'{e:#010x}'])
vendor_ramdisk_path = os.path.join(
self.image_dir, output_ramdisk_name)
args.extend(['--vendor_ramdisk_fragment', vendor_ramdisk_path])
else:
args.extend(['--vendor_ramdisk',
os.path.join(self.image_dir, 'vendor_ramdisk')])
return args
def unpack_vendor_boot_image(args):
info = VendorBootImageInfoFormatter()
info.boot_magic = unpack('8s', args.boot_img.read(8))[0].decode()
info.header_version = unpack('I', args.boot_img.read(4))[0]
info.page_size = unpack('I', args.boot_img.read(4))[0]
info.kernel_load_address = unpack('I', args.boot_img.read(4))[0]
info.ramdisk_load_address = unpack('I', args.boot_img.read(4))[0]
info.vendor_ramdisk_size = unpack('I', args.boot_img.read(4))[0]
info.cmdline = cstr(unpack('2048s', args.boot_img.read(2048))[0].decode())
info.tags_load_address = unpack('I', args.boot_img.read(4))[0]
info.product_name = cstr(unpack('16s', args.boot_img.read(16))[0].decode())
info.header_size = unpack('I', args.boot_img.read(4))[0]
info.dtb_size = unpack('I', args.boot_img.read(4))[0]
info.dtb_load_address = unpack('Q', args.boot_img.read(8))[0]
# Convenient shorthand.
page_size = info.page_size
# The first pages contain the boot header
num_boot_header_pages = get_number_of_pages(info.header_size, page_size)
num_boot_ramdisk_pages = get_number_of_pages(
info.vendor_ramdisk_size, page_size)
num_boot_dtb_pages = get_number_of_pages(info.dtb_size, page_size)
ramdisk_offset_base = page_size * num_boot_header_pages
image_info_list = []
image_info_list.append(
(ramdisk_offset_base, info.vendor_ramdisk_size, 'vendor_ramdisk'))
if info.header_version > 3:
info.vendor_ramdisk_table_size = unpack('I', args.boot_img.read(4))[0]
vendor_ramdisk_table_entry_num = unpack('I', args.boot_img.read(4))[0]
vendor_ramdisk_table_entry_size = unpack('I', args.boot_img.read(4))[0]
info.vendor_bootconfig_size = unpack('I', args.boot_img.read(4))[0]
num_vendor_ramdisk_table_pages = get_number_of_pages(
info.vendor_ramdisk_table_size, page_size)
vendor_ramdisk_table_offset = page_size * (
num_boot_header_pages + num_boot_ramdisk_pages + num_boot_dtb_pages)
vendor_ramdisk_table = []
vendor_ramdisk_symlinks = []
for idx in range(vendor_ramdisk_table_entry_num):
entry_offset = vendor_ramdisk_table_offset + (
vendor_ramdisk_table_entry_size * idx)
args.boot_img.seek(entry_offset)
ramdisk_size = unpack('I', args.boot_img.read(4))[0]
ramdisk_offset = unpack('I', args.boot_img.read(4))[0]
ramdisk_type = unpack('I', args.boot_img.read(4))[0]
ramdisk_name = cstr(unpack(
f'{VENDOR_RAMDISK_NAME_SIZE}s',
args.boot_img.read(VENDOR_RAMDISK_NAME_SIZE))[0].decode())
board_id = unpack(
f'{VENDOR_RAMDISK_TABLE_ENTRY_BOARD_ID_SIZE}I',
args.boot_img.read(
4 * VENDOR_RAMDISK_TABLE_ENTRY_BOARD_ID_SIZE))
output_ramdisk_name = f'vendor_ramdisk{idx:02}'
image_info_list.append((ramdisk_offset_base + ramdisk_offset,
ramdisk_size, output_ramdisk_name))
vendor_ramdisk_symlinks.append((output_ramdisk_name, ramdisk_name))
vendor_ramdisk_table.append(
(output_ramdisk_name, ramdisk_size, ramdisk_offset,
ramdisk_type, ramdisk_name, board_id))
info.vendor_ramdisk_table = vendor_ramdisk_table
bootconfig_offset = page_size * (num_boot_header_pages
+ num_boot_ramdisk_pages + num_boot_dtb_pages
+ num_vendor_ramdisk_table_pages)
image_info_list.append((bootconfig_offset, info.vendor_bootconfig_size,
'bootconfig'))
dtb_offset = page_size * (num_boot_header_pages + num_boot_ramdisk_pages
) # header + vendor_ramdisk
if info.dtb_size > 0:
image_info_list.append((dtb_offset, info.dtb_size, 'dtb'))
create_out_dir(args.out)
for offset, size, name in image_info_list:
extract_image(offset, size, args.boot_img, os.path.join(args.out, name))
info.image_dir = args.out
if info.header_version > 3:
vendor_ramdisk_by_name_dir = os.path.join(
args.out, 'vendor-ramdisk-by-name')
create_out_dir(vendor_ramdisk_by_name_dir)
for src, dst in vendor_ramdisk_symlinks:
src_pathname = os.path.join('..', src)
dst_pathname = os.path.join(
vendor_ramdisk_by_name_dir, f'ramdisk_{dst}')
if os.path.lexists(dst_pathname):
os.remove(dst_pathname)
os.symlink(src_pathname, dst_pathname)
return info
def unpack_image(args):
boot_magic = unpack('8s', args.boot_img.read(8))[0].decode()
args.boot_img.seek(0)
if boot_magic == 'ANDROID!':
info = unpack_boot_image(args)
elif boot_magic == 'VNDRBOOT':
info = unpack_vendor_boot_image(args)
else:
raise ValueError(f'Not an Android boot image, magic: {boot_magic}')
if args.format == 'mkbootimg':
mkbootimg_args = info.format_mkbootimg_argument()
if args.null:
print('\0'.join(mkbootimg_args) + '\0', end='')
else:
print(shlex.join(mkbootimg_args))
else:
print(info.format_pretty_text())
def get_unpack_usage():
return """Output format:
* info
Pretty-printed info-rich text format suitable for human inspection.
* mkbootimg
Output shell-escaped (quoted) argument strings that can be used to
reconstruct the boot image. For example:
$ unpack_bootimg --boot_img vendor_boot.img --out out --format=mkbootimg |
tee mkbootimg_args
$ sh -c "mkbootimg $(cat mkbootimg_args) --vendor_boot repacked.img"
vendor_boot.img and repacked.img would be equivalent.
If the -0 option is specified, output unescaped null-terminated argument
strings that are suitable to be parsed by a shell script (xargs -0 format):
$ unpack_bootimg --boot_img vendor_boot.img --out out --format=mkbootimg \\
-0 | tee mkbootimg_args
$ declare -a MKBOOTIMG_ARGS=()
$ while IFS= read -r -d '' ARG; do
MKBOOTIMG_ARGS+=("${ARG}")
done <mkbootimg_args
$ mkbootimg "${MKBOOTIMG_ARGS[@]}" --vendor_boot repacked.img
"""
def parse_cmdline():
"""parse command line arguments"""
parser = ArgumentParser(
formatter_class=RawDescriptionHelpFormatter,
description='Unpacks boot, recovery or vendor_boot image.',
epilog=get_unpack_usage(),
)
parser.add_argument('--boot_img', type=FileType('rb'), required=True,
help='path to the boot, recovery or vendor_boot image')
parser.add_argument('--out', default='out',
help='output directory of the unpacked images')
parser.add_argument('--format', choices=['info', 'mkbootimg'],
default='info',
help='text output format (default: info)')
parser.add_argument('-0', '--null', action='store_true',
help='output null-terminated argument strings')
return parser.parse_args()
def main():
"""parse arguments and unpack boot image"""
args = parse_cmdline()
unpack_image(args)
if __name__ == '__main__':
main()