Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
How to Extract Android Kernel And Modify The Boot Ramdisk (Android 4.4) on Allwinner based Processor

Extracting Existing Kernel + Ramfs

Enter the machine using adb shell

Run cat /proc/partitions

  #  Path                     Purpose        Size
  0 /dev/block/mmcblk0                       7761920
  1 /dev/block/mmcblk0p1      data           6085631
  2 /dev/block/mmcblk0p2      bootloader     16384
  3 /dev/block/mmcblk0p3                     1
  5 /dev/block/mmcblk0p5      uboot          16384
  6 /dev/block/mmcblk0p6      kernel         16384
  7 /dev/block/mmcblk0p7      system         786432
  8 /dev/block/mmcblk0p8      misc           16384
  9 /dev/block/mmcblk0p9      recovery       32768
 10 /dev/block/mmcblk0p10     sysrecovery    16384
 11 /dev/block/mmcblk0p11     private        16384
 12 /dev/block/mmcblk0p12     Reserve0       16384
 13 /dev/block/mmcblk0p13     klog           32768
 14 /dev/block/mmcblk0p14     Reserve1       16384
 15 /dev/block/mmcblk0p15     Reserve2       655360

Dump the partition to a file using dd

dd if=/dev/block/mmcblk0p6 of=/data/kernel_ramfs.img

Extract it to your linux system adb pull /data/kernel_ramfs.img

Install abootimg

Run sudo apt-get install abootimg

Check the Kernel Dump

Run abootimg -i kernel_ramfs.img. It need to show

Android Boot Image Info:

* file name = kernel_ramfs.img

* image size = 16777216 bytes (16.00 MB)
  page size  = 2048 bytes

* Boot Name = ""

* kernel size       = 9797076 bytes (9.34 MB)
  ramdisk size      = 2017625 bytes (1.92 MB)

* load addresses:
  kernel:       0x40008000
  ramdisk:      0x41000000
  tags:         0x40000100

* empty cmdline
* id = 0x7c37c0d4 0xcefde745 0xe81b85ba 0xf05275ba 0xbe7de0ad 0x00000000 0x00000000 0x00000000

That means you dump the correct kernel+ramfs

Extract Kernel Dump

abootimg -x kernel_ramfs.img

It will extract zImage and also initrd.img

Extract Ramdisk, Modify And Repack

mkdir initrd
cd initrd
cat ../initrd.img | gunzip | cpio -vid

Modify the ramdisk accordingly (e.g. you modify init.rc or add another additonal files) Then repack accordingly

cd initrd
find . | cpio --create --format='newc' | gzip > ../myinitrd.img

Repacking Boot.Img

abootimg --create myboot.img -f bootimg.cfg -k zImage -r myinitrd.img

Adb Put and Redumping

adb push myboot.img /data/myboot.img
adb shell dd if=mybootimg of=/dev/block/mmcblk0p6

Reboot - And pray for the best

@petrosmp

This comment has been minimized.

Copy link

@petrosmp petrosmp commented Sep 16, 2018

adb pull /data/kernel_ramfs.img
returns
adb: error: failed to copy '/data/kernel_ramfs.img' to '.\kernel_ramfs.img': remote Permission denied

My device is rooted (and connected), adb is running with root privileges and I also tried
adb shell
su
mount -o remount,rw /dev/block/stl9 /system
chmod 777 /system/app
exit
exit

and then re running it but sadly with no succes. Any ideas?

@kpirnie

This comment has been minimized.

Copy link

@kpirnie kpirnie commented Mar 7, 2019

@petrosmp Without knowing what device you are attempting this with, all we can do is guess and cannot help you pull it.

Let us know what device you are talking about, and maybe we can help you figure out where your ramdisk is actually located

@arendtio

This comment has been minimized.

Copy link

@arendtio arendtio commented Aug 10, 2019

@petrosmp I guess the problem is that your adb has not read access to the file. Just because you run it with root privileges on your PC doesn't mean it has root privileges on the device. You can validate this assumption by doing 'adb shell' and then ls -l /data/kernel_ramfs.img (without su).

So copying it to a place where you are allowed to access the file without being root should solve the issue. For me runningmv /data/kernel_ramfs.img /storage/6264-6339/; chmod a+r /storage/6264-6339/kernel_ramfs.img as root worked just fine (that is my sdcard). Afterward, I was able to pull the file via adb pull /storage/6264-6339/kernel_ramfs.img.

@HermesNWO

This comment has been minimized.

Copy link

@HermesNWO HermesNWO commented Sep 4, 2019

@petrosmp You have to activate OEM unlock in developper options !

@ytrezq

This comment has been minimized.

Copy link

@ytrezq ytrezq commented Mar 26, 2020

@petrosmp.
In my case, simply unpacking and repacking without changing anything through

abootimg -x boot.img
rm -f boot.img
abootimg --create boot.img -f bootimg.cfg -k zImage -r initrd.img

results in a different boot.img (but of the same size) which doesn’t work on my Samsung Galaxy tab s3.

@TheTangledMind

This comment has been minimized.

Copy link

@TheTangledMind TheTangledMind commented Aug 9, 2020

I dont get the same information that you do from cat. I get this.

130|gts6lwifi:/ # cat /proc/partitions
major minor #blocks name

1 0 8192 ram0
1 1 8192 ram1
1 2 8192 ram2
1 3 8192 ram3
1 4 8192 ram4
1 5 8192 ram5
1 6 8192 ram6
1 7 8192 ram7
1 8 8192 ram8
1 9 8192 ram9
1 10 8192 ram10
1 11 8192 ram11
1 12 8192 ram12
1 13 8192 ram13
1 14 8192 ram14
1 15 8192 ram15
8 0 249835520 sda
8 1 2048 sda1
8 2 2048 sda2
8 3 4 sda3
8 4 8 sda4
8 5 32768 sda5
8 6 20480 sda6
8 7 10240 sda7
8 8 10240 sda8
8 9 20480 sda9
8 10 1024 sda10
8 11 512 sda11
8 12 40960 sda12
8 13 512 sda13
8 14 4096 sda14
8 15 16384 sda15
259 17 97280 sda16
259 18 87040 sda17
259 19 65536 sda18
259 20 10240 sda19
259 21 65536 sda20
259 22 80852 sda21
259 23 16384 sda22
259 24 16384 sda23
259 25 6381568 sda24
259 26 1347584 sda25
259 27 1024000 sda26
259 28 409600 sda27
259 29 40960 sda28
259 30 51200 sda29
259 31 239978364 sda30
8 16 8192 sdb
8 17 3776 sdb1
8 18 4260 sdb2
8 32 8192 sdc
8 33 3776 sdc1
8 34 4260 sdc2
8 48 61440 sdd
8 49 1024 sdd1
8 50 4096 sdd2
8 51 2048 sdd3
8 52 512 sdd4
8 53 512 sdd5
8 54 4096 sdd6
8 55 4 sdd7
8 56 1024 sdd8
8 57 384 sdd9
8 58 512 sdd10
8 59 512 sdd11
8 60 512 sdd12
8 61 256 sdd13
8 62 256 sdd14
8 63 4 sdd15
259 0 8192 sdd16
259 1 4 sdd17
259 2 2048 sdd18
259 3 8192 sdd19
259 4 128 sdd20
259 5 512 sdd21
259 6 64 sdd22
259 7 80 sdd23
259 8 2048 sdd24
259 9 32 sdd25
259 10 32 sdd26
259 11 32 sdd27
259 12 512 sdd28
259 13 2048 sdd29
259 14 2048 sdd30
259 15 1024 sdd31
259 16 18536 sdd32
179 0 15138816 mmcblk0
179 1 15134720 mmcblk0p1
gts6lwifi:/ #

@Pokemetti

This comment has been minimized.

Copy link

@Pokemetti Pokemetti commented Aug 24, 2020

@TheTangledMind You have to adb shell and then do the command, otherwise it is your PCs information.

@RudraSama

This comment has been minimized.

Copy link

@RudraSama RudraSama commented May 6, 2021

adb pull /data/kernel_ramfs.img
returns
adb: error: failed to copy '/data/kernel_ramfs.img' to '.\kernel_ramfs.img': remote Permission denied

My device is rooted (and connected), adb is running with root privileges and I also tried
adb shell
su
mount -o remount,rw /dev/block/stl9 /system
chmod 777 /system/app
exit
exit

and then re running it but sadly with no succes. Any ideas?

copy kernel_ramfs.img to /sdcard and pull it from sdcard

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment