How To Get Boot.img From Android Phone

Android_boot_image_editor

A tool for contrary technology Android ROM images.

Getting Started

install required packages

Linux: sudo apt install git device-tree-compiler lz4 xz-utils zlib1g-dev openjdk-11-jdk gcc g++ python3 python-is-python3 p7zip-full

Mac: brew install lz4 xz dtc

Mac: Make sure you accept JDK9+ properly installed.

Windows Subsystem for Linux(WSL): sudo apt install git device-tree-compiler lz4 xz-utils zlib1g-dev openjdk-eleven-jdk gcc one thousand++ python

Windows: Make certain yous have python3, JDK9+ and openssl properly installed. An easy style is to install Anaconda and Oracle JDK 11, then run the program under anaconda PowerShell. Or install them with chocolate: choco install openssl dtc-msys2

Parsing and packing

Put your boot.img to current directory, then start gradle 'unpack' task:

cp              <original_boot_image>              boot.img ./gradlew unpack

Your get the flattened kernel and /root filesystem under ./build/unzip_boot:

              build/unzip_boot/ ├── boot.json     (boot image info) ├── boot.avb.json (AVB only) ├── kernel ├── 2d        (second bootloader, if exists) ├── dtb           (dtb, if exists) ├── dtbo          (dtbo, if exists) └── root          (extracted initramfs)                          

Then y'all can edit the actual file contents, like rootfs or kernel. Now, pack the kick.img again

You become the repacked boot.img at $(CURDIR):

Well done y'all did it! The last step is to star this repo :smiling

alive demo

Supported ROM prototype types

Image Type	file names	platforms	note
kick images	boot.img, vendor_boot.img, init_boot.img	all
recovery images	recovery.img, recovery-two-pace.img	all
vbmeta images	vbmeta.img, vbmeta_system.img etc.	all
dtbo images	dtbo.img	linux & mac
sparse images	system.img, vendor.img, product.img etc.	linux & mac	need hacking mode*
OTA payload	payload.bin	linux & mac

Please annotation that the boot.img MUST follows AOSP verified boot flow, either Kick image signature in VBoot 1.0 or AVB HASH footer (a.1000.a. AVB) in VBoot two.0.

hacking way*:

Open up build.gradle.kts, Line #eight, change

to

This will enable c++ modules, which is necessary for working with thin images.

compatible devices

Device Model	Manufacturer	Uniform	Android Version	Annotation
ADT-three (adt3)	Askey/Google	Y	12 (spp2.210219.010)	amlogic inside, Android Boob tube
Pixel three (blueline)	Google	Y	12 (spp2.210219.008, 2021)
Pixel iii (blueline)	Google	Y	11 (RP1A.200720.009, 2020)	more ...
Pixel three (blueline)	Google	Y	Q preview (qpp2.190228.023, 2019)	more ...
Redmi K30 4G (phoenix[n])	XiaoMi	Y	10	verified by @eebssk1
TS10	Topway	Y	10	car headunit, @mariodantas
Pixel Twoscore (marlin)	HTC	Y	9.0.0 (PPR2.180905.006, Sep 2018)	more ...
K3 (CPH1955)	OPPO	Y for recovery.img N for boot.img	Pie	more
Z18 (NX606J)	ZTE	Y	8.1.0	more than...
Nexus 9 (volantis/flounder)	HTC	Y(with some tricks)	vii.1.i (N9F27M, Oct 2017)	tricks
Nexus 5x (bullhead)	LG	Y	6.0.0_r12 (MDA89E)
Moto Ten (2013) T-Mobile	Motorola	N
X7 (PD1602_A_3.12.8)	VIVO	N	?	Outcome 35

more examples

working with recovery.img

Please remember to clean the piece of work directory start.

rm                *.img cp                <your_recovery_image>                recovery.img ./gradlew unpack ./gradlew pack

working with vbmeta.img

rm                *.img cp                <your_vbmeta_image>                vbmeta.img ./gradlew unpack ./gradlew pack

clean workspace

When you finished electric current work and need to clean the workspace for side by side epitome, it'due south a practiced idea to call the `clear` command:

working with boot.img and vbmeta.img

If your vbmeta.img contains hash of boot.img, you MUST update vbmeta image together.

rm                *.img cp                <your_boot_image>                boot.img cp                <your_vbmeta_image>                vbmeta.img ./gradlew unpack ./gradlew pack

Your kicking.img.signed and vbmeta.img.signd will be updated together, then you can wink them to your device.

working with vendor_boot.img + vbmeta.img (Pixel 5 etc.)

Most devices include hash descriptor of vendor_boot.img in vbmeta.img, and so if you demand to modify vendor_boot.img, yous need to update vbmeta.img together.

rm                *.img cp                <your_vendor_boot_image>                vendor_boot.img cp                <your_vbmeta_image>                vbmeta.img ./gradlew unpack ./gradlew pack ./gradlew flash

Delight note that to use 'gradle flash', your host motorcar must be connectted to your DUT with adb, and you already 'adb root'.

edit device-tree blob(dtb) inside vendor_boot.img

If you desire to edit the device-tree hulk in identify:

cp                <your_vendor_boot_image>                vendor_boot.img cp                <your_vbmeta_image>                vbmeta.img ./gradlew unpack ==>                now you can edit build/unzip_boot/dtb.src directly ./gradlew pack

During unpack stage, dtb will be dumped to file build/unzip_boot/dtb, dts will be decompiled to build/unzip_boot/dtb.src. You can edit dtb.src directly, and information technology volition be compiled to dtb duing repack stage.

If you only desire to supersede the dtb with the one that is compiled outside this tool, please

cp                <your_vendor_boot_image>                vendor_boot.img cp                <your_vbmeta_image>                vbmeta.img ./gradlew unpack rm build/unzip_boot/dtb.src cp                <your_dtb>                build/unzip_boot/dtb ./gradlew pack

working with system.img

First enable hacking way by setting bHackingMode = true in file build.gradle.kts, then

cp                <your_system_image>                organisation.img ./gradlew unpack

Y'all get system.img.unsparse, that's a manifestly ext4 filesystem data.

How to disable AVB verification

The idea is to gear up flag=two in main vbmeta.

rm                *.img cp                <your_vbmeta_image>                vbmeta.img ./gradlew unpack vim -u NONE -Northward build/unzip_boot/vbmeta.avb.json  -c                                  ":19s/0/ii/g"                                -c                                  ":wq"                                ./gradlew pack

Then flash vbmeta.img.signed to your device.

boot.img layout

Read kicking layout of Android boot.img and vendor_boot.img. Read miac layout of misc.img

References and Acknowledgement

more ...

Android version list https://source.android.com/source/build-numbers.html
Android build-numbers https://source.android.com/setup/start/build-numbers

cpio & fs_config
https://android.googlesource.com/platform/arrangement/core
https://www.kernel.org/medico/Documentation/early on-userspace/buffer-format.txt
AVB
https://android.googlesource.com/platform/external/avb/
boot_signer
https://android.googlesource.com/platform/system/extras
mkbootimg
https://android.googlesource.com/platform/system/tools/mkbootimg/+/refs/heads/master/
kicking header definition
https://android.googlesource.com/platform/organization/tools/mkbootimg/+/refs/heads/chief/include/bootimg/bootimg.h
kernel info extractor
https://android.googlesource.com/platform/build/+/refs/heads/chief/tools/extract_kernel.py
mkdtboimg
https://android.googlesource.com/platform/system/libufdt/
libsparse
https://android.googlesource.com/platform/arrangement/core/+/refs/heads/master/libsparse/
Android Nexus/Pixle factory images
https://developers.google.cn/android/images

This project is developed with products by Jetbrains.

How to merge init_boot.img into boot.img:

• unpack init_boot.img and copy out "build/unzip_boot/root".
• clear workspace by gradle clear, so unpack kick.img
• copy back the "build/unzip_boot/root"
• edit build/unzip_boot/kicking.json

• modify ramdisk.size to ane
• alter ramdisk.file from "build/unzip_boot/ramdisk.img" to "build/unzip_boot/ramdisk.img.lz4"

How To Get Boot.img From Android Phone,

Source: https://github.com/cfig/Android_boot_image_editor

Posted by: perrydaunded.blogspot.com

Share this post