Created
May 1, 2012 00:40
Hack acer 4.0 kernel to allow mounting of system
import gzip
import os
import StringIO
import struct
import subprocess
import sys
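# This script will <EVIL> patch the pre-compiled zImage to bypass the /system
# remount block on the Acer A500 ICS ROM. Run it on Linux or Cygwin, because
# the external Unix gzip binary is required.
#
# Python 2 only: it relies on the StringIO module and on str being a byte
# string.
#
# The slicing below treats the input as three consecutive regions:
#   [loader][gzip stream + slack][tail, starting at a 32-bit size field]
# The uncompressed kernel is edited, recompressed, and written back into the
# same space so that loader and tail keep their original offsets.
#
# The result is a boot component: keep the unmodified input image and inspect
# the *_tmp reference files this script leaves behind before using the output.

# kernel image to patch, and the file the patched copy is written to
input_image = 'boot.img-zImage'
output_image = 'patchedboot.img-zImage'

# read in the data; the with-block closes the handle even if read() fails
with open(input_image, 'rb') as fp:
    data = fp.read()

# find the start of the gzip header (magic 1F 8B, compression method 08);
# index() raises ValueError when the image contains no such sequence
idx = data.index('\x1F\x8B\x08')
loader = data[:idx]
zimage = data[idx:]

# in addition to loader there is data after the gzip, however we
# need more information to find it

# write gzip portion to temp file
with open(input_image + "_tmp.gz", 'wb') as fp:
    fp.write(zimage)

# Decompress the gzip image.
# FYI trailing data is expected, and causes problems with the gzip module,
# so the external gzip binary does the work. It is invoked with an argument
# list and an explicit output handle rather than through a shell command
# line, so a file name containing spaces or shell metacharacters is passed
# through literally. The exit status is not checked: gzip is expected to
# complain about the trailing data, so success is judged by the output below.
try:
    with open(input_image + "_tmp", 'wb') as out:
        subprocess.call(["gzip", "-dc", input_image + "_tmp.gz"], stdout=out)
except OSError as err:
    print("ERROR: unable to run gzip: %s" % err)
    sys.exit(1)

# read back in and extract the decompressed image
with open(input_image + "_tmp", 'rb') as gz:
    img = gz.read()

# An empty result means decompression failed. Continuing would search for a
# packed size of zero and produce a corrupt image, so stop here instead.
if not img:
    print("ERROR: gzip produced no output, unable to continue")
    sys.exit(1)

# search for the tail part of the loader program:
# get the size of the decompressed image as a little-endian 32-bit string
sz = struct.pack("<L", len(img))

# determine the tail and max size: the first occurrence of that size value
# in the compressed region marks where the tail begins, and therefore how
# many bytes the replacement gzip stream may occupy.
# NOTE(review): this is a first-match search; a chance occurrence of the same
# four bytes earlier in the compressed data would shorten maxsz - confirm
# against the reference files if the size check below fails unexpectedly.
maxsz = zimage.index(sz)
tail = zimage[maxsz:]

# now build uncompressed image: overwrite the first '/system' with a
# replacement of the same length (7 bytes) so no other offset moves
marker = '/system'
idx = img.index(marker)
hits = img.count(marker)
if hits > 1:
    # Only the first match is rewritten. Kernels that also carry '/system'
    # inside other strings can match the wrong one, which leaves the block in
    # place and corrupts an unrelated string.
    print("WARNING: '/system' occurs %d times, only the first (offset %d) "
          "is patched; verify it is the intended string" % (hits, idx))
newimg = img[:idx]
newimg += "/\x66\x75\x63\x6b\x6d\x65"
newimg += img[idx+7:]

# write uncompressed image for reference
with open(output_image + "_tmp", 'wb') as fp:
    fp.write(newimg)

# build final image: recompress the patched kernel in memory
zimagefile = StringIO.StringIO()
gz = gzip.GzipFile(fileobj=zimagefile, mode='wb')
gz.write(newimg)
gz.close()

# clear the uncompressed version from ram
del newimg

# read back in the new compressed image
newimg = zimagefile.getvalue()

# write new compressed image for reference
with open(output_image + "_tmp.gz", 'wb') as fp:
    fp.write(newimg)

# check we can re-inject the gzip image; exit non-zero so that a calling
# script or build step does not mistake the failure for success
if len(newimg) > maxsz:
    print("ERROR: modified zImage larger than original, unable to re-inject")
    sys.exit(1)

# add padding to the tail so it starts at its original offset
tail = ("\x00" * (maxsz - len(newimg))) + tail

# now write final file: loader, new gzip stream, padded tail
with open(output_image, 'wb') as fp:
    fp.write(loader)
    fp.write(newimg)
    fp.write(tail)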
The A701 kernel has many debug strings with '/system'
Thus line 51 needed to be changed from
idx=img.index('/system')
to
idx=img.index('/system\x00')
to generate what appears to be the corrected zImage