Nexus5 bootloader内容初探及延伸思考

2018-04-19  本文已影响109人  difcareer

Android启动过程分析-从按下电源键到第一个用户进程[转载]中,我们知道BootLoader是在操作系统前执行的程序,有没有很好奇它到底有些啥内容呢?

正好,发现Github上有相关的项目:https://github.com/difcareer/nexus_5_bootloader_unpacker,手头也正好有个nexus5,那就一起来探索一下它的内容吧。

编译

gcc bootloader_unpacker.c -o bunp

这里应该没啥问题。

gcc -o iunp imgdata_tool.c -lpng

Mac编译这个报错fatal error: 'png.h' file not found。那先装一下这个库:

sudo port install libpng

看看位置:

Port libpng contains:
  /opt/local/bin/libpng-config
  /opt/local/bin/libpng16-config
  /opt/local/bin/png-fix-itxt
  /opt/local/bin/pngfix
  /opt/local/include/libpng16/png.h
  /opt/local/include/libpng16/pngconf.h
  /opt/local/include/libpng16/pnglibconf.h
  /opt/local/include/png.h
  /opt/local/include/pngconf.h
  /opt/local/include/pnglibconf.h
  /opt/local/lib/libpng.a
  /opt/local/lib/libpng.dylib
  /opt/local/lib/libpng16.16.dylib
  /opt/local/lib/libpng16.a
  /opt/local/lib/libpng16.dylib
  /opt/local/lib/pkgconfig/libpng.pc
  /opt/local/lib/pkgconfig/libpng16.pc
  /opt/local/share/doc/libpng/ANNOUNCE
  /opt/local/share/doc/libpng/CHANGES
  /opt/local/share/doc/libpng/LICENSE
  /opt/local/share/doc/libpng/README
  /opt/local/share/doc/libpng/TODO
  /opt/local/share/doc/libpng/examples/example.c
  /opt/local/share/man/man3/libpng.3.gz
  /opt/local/share/man/man3/libpngpf.3.gz
  /opt/local/share/man/man5/png.5.gz

指定头文件和链接库编译:

gcc -o iunp imgdata_tool.c -I/opt/local/include -L/opt/local/lib -lpng

ok了。

使用

编译好bunpiunp后,开始使用吧,我看了我的bootloader version是hhz12h,于是就在网上搜到了下载地址

./bunp [-v] <bootloader.img>

带上-v,会在解包的同时输出更多信息:

$ ./bunp -v ~/Downloads/bootloader-hammerhead-hhz12h.img
magic: BOOTLDR
num_images: 6
start_offset: 512
bootldr_size: 3193540
Unpacking image 1 = sbl1 to sbl1.img (size: 310836)
Unpacking image 2 = tz to tz.img (size: 285848)
Unpacking image 3 = rpm to rpm.img (size: 156040)
Unpacking image 4 = aboot to aboot.img (size: 334780)
Unpacking image 5 = sdi to sdi.img (size: 18100)
Unpacking image 6 = imgdata to imgdata.img (size: 2087936)

...

$ ll
total 6256
-rw-r--r--  1 andr0day  staff   327K  4 19 12:44 aboot.img
-rw-r--r--  1 andr0day  staff   2.0M  4 19 12:44 imgdata.img
-rw-r--r--  1 andr0day  staff   152K  4 19 12:44 rpm.img
-rw-r--r--  1 andr0day  staff   304K  4 19 12:44 sbl1.img
-rw-r--r--  1 andr0day  staff    18K  4 19 12:44 sdi.img
-rw-r--r--  1 andr0day  staff   279K  4 19 12:44 tz.img

可以看到被解包出6个image。

使用iunp进一步解包imagdata.img:

$ ./iunp -x imgdata.img
boot.png
charger.png
unlocked.png
start.png
bootloader.png
recovery.png
poweroff.png
fastboot_op.png
oem_unlock.png
unlock_yes.png
unlock_no.png
downloadmode.png
oem_laf.png
laf_yes.png
laf_no.png

可以看到imgdata.img里面全是png图片。

那么,有没有想过,我们刷机的刷的img保存在手机的什么位置呢?
/dev/block下:

ll /dev/block/platform/msm_sdcc.1/by-name/
lrwxrwxrwx root     root              1970-11-20 01:02 DDR -> /dev/block/mmcblk0p24
lrwxrwxrwx root     root              1970-11-20 01:02 aboot -> /dev/block/mmcblk0p6
lrwxrwxrwx root     root              1970-11-20 01:02 abootb -> /dev/block/mmcblk0p11
lrwxrwxrwx root     root              1970-11-20 01:02 boot -> /dev/block/mmcblk0p19
lrwxrwxrwx root     root              1970-11-20 01:02 cache -> /dev/block/mmcblk0p27
lrwxrwxrwx root     root              1970-11-20 01:02 crypto -> /dev/block/mmcblk0p26
lrwxrwxrwx root     root              1970-11-20 01:02 fsc -> /dev/block/mmcblk0p22
lrwxrwxrwx root     root              1970-11-20 01:02 fsg -> /dev/block/mmcblk0p21
lrwxrwxrwx root     root              1970-11-20 01:02 grow -> /dev/block/mmcblk0p29
lrwxrwxrwx root     root              1970-11-20 01:02 imgdata -> /dev/block/mmcblk0p17
lrwxrwxrwx root     root              1970-11-20 01:02 laf -> /dev/block/mmcblk0p18
lrwxrwxrwx root     root              1970-11-20 01:02 metadata -> /dev/block/mmcblk0p14
lrwxrwxrwx root     root              1970-11-20 01:02 misc -> /dev/block/mmcblk0p15
lrwxrwxrwx root     root              1970-11-20 01:02 modem -> /dev/block/mmcblk0p1
lrwxrwxrwx root     root              1970-11-20 01:02 modemst1 -> /dev/block/mmcblk0p12
lrwxrwxrwx root     root              1970-11-20 01:02 modemst2 -> /dev/block/mmcblk0p13
lrwxrwxrwx root     root              1970-11-20 01:02 pad -> /dev/block/mmcblk0p7
lrwxrwxrwx root     root              1970-11-20 01:02 persist -> /dev/block/mmcblk0p16
lrwxrwxrwx root     root              1970-11-20 01:02 recovery -> /dev/block/mmcblk0p20
lrwxrwxrwx root     root              1970-11-20 01:02 rpm -> /dev/block/mmcblk0p3
lrwxrwxrwx root     root              1970-11-20 01:02 rpmb -> /dev/block/mmcblk0p10
lrwxrwxrwx root     root              1970-11-20 01:02 sbl1 -> /dev/block/mmcblk0p2
lrwxrwxrwx root     root              1970-11-20 01:02 sbl1b -> /dev/block/mmcblk0p8
lrwxrwxrwx root     root              1970-11-20 01:02 sdi -> /dev/block/mmcblk0p5
lrwxrwxrwx root     root              1970-11-20 01:02 ssd -> /dev/block/mmcblk0p23
lrwxrwxrwx root     root              1970-11-20 01:02 system -> /dev/block/mmcblk0p25
lrwxrwxrwx root     root              1970-11-20 01:02 tz -> /dev/block/mmcblk0p4
lrwxrwxrwx root     root              1970-11-20 01:02 tzb -> /dev/block/mmcblk0p9
lrwxrwxrwx root     root              1970-11-20 01:02 userdata -> /dev/block/mmcblk0p28

一目了然。我们check一下,比如将imgdata pull 下来解包看看:

adb root
adb pull /dev/block/mmcblk0p17 imgdata.img
./iunp -x imgdata.img

可以成功解包出png文件。

顺便,我们验证一下boot.img:

adb pull /dev/block/mmcblk0p19

使用Android boot.img的解包/修改/重打包里面的工具进行解包:

./unpack-bootimg.sh boot.img

成功解出来了。

于是,一些之前没想明白的地方现在想通了。

  1. 为什么需要使用fastboot来刷img?
    我们知道使用fastboot时,手机需要进入bootloader模式,此时手机还没有没有加载kernel,权限还是最高权限,通过usb传递的数据,被手机接收后,可以写入到/dev/block下(看一下前面这个目录的权限)。

  2. 可以不用fastboot来刷img么?
    既然我们知道了刷机刷到手机的哪个位置,那自然是可以不用fastboot来刷机的,当然,为了写入/dev/block,我们需要root权限。(这个我倒没试过,理论上是可行的,刷完手机需要重启一下,那既然这样,还不如用fastboot刷)

  3. 结合mount信息,我们能了解更多:

# mount
rootfs / rootfs ro,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
none /sys/fs/cgroup tmpfs rw,seclabel,relatime,mode=750,gid=1000 0 0
tmpfs /mnt/asec tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,nomblk_io_submit,noauto_da_alloc,errors=panic,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/cache /cache ext4 rw,seclabel,nosuid,nodev,noatime,nomblk_io_submit,noauto_da_alloc,errors=panic,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/persist /persist ext4 rw,seclabel,nosuid,nodev,relatime,nomblk_io_submit,nodelalloc,errors=panic,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/modem /firmware vfat ro,relatime,uid=1000,gid=1000,fmask=0337,dmask=0227,codepage=cp437,iocharset=iso8859-1,shortname=lower,errors=remount-ro 0 0
/dev/fuse /mnt/shell/emulated fuse rw,nosuid,nodev,relatime,user_id=1023,group_id=1023,default_permissions,allow_other 0 0

比如/system,就是将/dev/block/platform/msm_sdcc.1/by-name/system挂在为ext4的文件系统,就可以操作里面的数据了,当然,我们直接访问/dev/block/platform/msm_sdcc.1/by-name/system是打不开的,必须得挂载了使用。

  1. 清数据
    现在看来,清数据其实很容易,比如使用fastboot命令时,有参数可以控制清除分区的数据,现在看来就很简单了。
上一篇下一篇

猜你喜欢

热点阅读