In the packaging stage after the Android system is compiled, all compiled executable files, library files, and various configuration files will be packaged into each image file. Sometimes we need to see what is packaged in the image file, then we can mount it to a directory by some methods, and then view it.
Table of contents
1. Tools used
1.1 simg2img
Brief description:
Convert image files in sparse format to image files in raw format.
Compile android source code will be generated by default.
Path:
out/host/linux-x86/bin/simg2img
1.2 lpunpack
Brief description:
This tool can parse system.img, product.img, vendor.img and other files from super.img.
Path:
out/host/linux-x86/bin/lpunpack
Compile instructions:
source build/envsetup.sh
lunch
make lpunpack
1.3 unpack_bootimg
Brief description:
A tool dedicated to parsing boot.img.
路径:
out/host/linux-x86/bin/unpack_bootimg
system/core/mkbootimg/unpack_bootimg.py
Compile instructions:
source build/envsetup.sh
lunch
make unpack_bootimg
1.4 mkdtimg
Brief description:
convert the dtbo.img file into a dtb file, one dtbo.img will contain multiple dtb files;
compile android source code will be generated by default.
Path:
out/host/linux-x86/bin/mkdtimg
1.5 dtc
Brief description:
convert the dtb file into a readable dts file;
compile android source code will be generated by default.
Path:
out/host/linux-x86/bin/dtc
2. Parse the image file
This time, the following image files are prepared for example analysis:
#用file查看一下每个img文件的格式信息
sun@sun-pc:~/android/imgs$ file *.img
boot.img: Android bootimg, kernel (0x8000), ramdisk (0x1000000), page size: 4096, cmdline (console=ttyMSM0,115200n8 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memc)
dtbo.img: data
metadata.img: Android sparse image, version: 1.0, Total of 4096 4096-byte output blocks in 4 input chunks.
persist.img: Linux rev 1.0 ext4 filesystem data, UUID=e44c9479-7df0-4905-8ac0-216d5c8adf3e (extents) (large files) (huge files)
recovery.img: Android bootimg, kernel (0x8000), ramdisk (0x1000000), page size: 4096, cmdline (console=ttyMSM0,115200n8 androidboot.hardware=qcom androidboot.console=ttyMSM0 androidboot.memc)
super.img: Android sparse image, version: 1.0, Total of 3145728 4096-byte output blocks in 120 input chunks.
userdata.img: Android sparse image, version: 1.0, Total of 11564499 4096-byte output blocks in 28 input chunks.
vbmeta.img: data
vbmeta_system.img: data
2.1 boot.img,recovery.img
Both of these are in Android bootimg format, and the method is the same as
boot.img
# sun@sun-pc:~/android/imgs$ ../system/core/mkbootimg/unpack_bootimg.py --boot_img boot.img --out boot
sun@sun-pc:~/android/imgs$ ../out/host/linux-x86/bin/unpack_bootimg --boot_img boot.img --out boot
#查看解析出的boot目录
sun@sun-pc:~/android/imgs$ ls boot
dtb kernel ramdisk
recovery.img
# sun@sun-pc:~/android/imgs$ ../system/core/mkbootimg/unpack_bootimg.py --boot_img recovery.img --out recovery
sun@sun-pc:~/android/imgs$ ../out/host/linux-x86/bin/unpack_bootimg --boot_img recovery.img --out recovery
#查看解析出的boot目录
sun@sun-pc:~/android/imgs$ ls recovery
dtb kernel ramdisk recovery_dtbo
2.2 dtbo.img
(1) First parse the dtb file from dtbo.img
#创建dtbo目录,然后使用mkdtimg工具解析dtbo.img,-b后边是输出路径(dtb是自定义的文件名前缀)
sun@sun-pc:~/android/imgs$ mkdir dtbo && ../out/host/linux-x86/bin/mkdtimg dump dtbo.img -b dtbo/dtb
sun@sun-pc:~/android/imgs$ ls dtbo
dtb.0 dtb.1 dtb.10 dtb.11 dtb.12 dtb.13 dtb.14 dtb.15 dtb.16 dtb.17 ... dtb.6 dtb.7 dtb.8 dtb.9
#查看一下文件信息,的确是dtb(Device Tree Blob)文件
sun@sun-pc:~/android/imgs$ file dtbo/dtb.0
dtbo/dtb.0: Device Tree Blob version 17, size=110367, boot CPU=0, string block size=7979, DT structure block size=102332
(2) Convert the dtb file in the previous step into a readable dts file
#将dtb.0转化为0.dts
sun@sun-pc:~/android/imgs$ ../out/host/linux-x86/bin/dtc dtbo/dtb.0 dtbo/0.dts
#如果觉得一个个文件转化比较麻烦,可以使用下面的命令
find ./dtbo -name 'dtb.*' | xargs -n1 sh -c '../out/host/linux-x86/bin/dtc $1 -o $1.dts && rename "s/dtb\.//" $1.dts' sh
2.3 metadata.img,userdata.img
These two parsing steps are the same, take metadata.img as an example below
(1) Convert metadata.img in sparse format to metadata_raw.img in raw format
sun@sun-pc:~/android/imgs$ ../out/host/linux-x86/bin/simg2img metadata.img metadata_raw.img
(2) Mount metadata_raw.img to a directory, and then access the directory to access the content of the image file
#首先创建目录metadata,然后将metadata_raw.img挂载到此目录
sun@sun-pc:~/android/imgs$ mkdir metadata && sudo mount -o ro metadata_raw.img metadata
#可以看到metadata目录已经有内容了
sun@sun-pc:~/android/imgs$ ls
lost+found
2.4 super.img
(1) Convert sparse format to raw format
sun@sun-pc:~/android/imgs$ ../out/host/linux-x86/bin/simg2img super.img super_raw.img
(2) Use lpunpack to parse super_raw.img
sun@sun-pc:~/android/imgs$ mkdir super
sun@sun-pc:~/android/imgs$ ../out/host/linux-x86/bin/lpunpack super_raw.img super
sun@sun-pc:~/android/imgs$ ls super
product_a.img product_b.img system_a.img system_b.img vendor_a.img vendor_b.img
(3) Mount the parsed image file
#以system_a.img为例,其他同理
sun@sun-pc:~/android/imgs/super$ mkdir system_a
sun@sun-pc:~/android/imgs/super$ sudo mount -o ro system_a.img system_a
#查看system_a.img解析出来的文件
sun@sun-pc:~/android/imgs/super$ ll system_a
总用量 172
drwxr-xr-x. 22 root root 4096 1月 1 2009 ./
drwxrwxr-x 3 sun sun 4096 8月 26 13:49 ../
drwxr-xr-x. 2 root root 4096 1月 1 2009 acct/
drwxr-xr-x. 2 root root 4096 1月 1 2009 apex/
lrw-r--r--. 1 root root 11 1月 1 2009 bin -> /system/bin
lrw-r--r--. 1 root root 50 1月 1 2009 bugreports -> /data/user_de/0/com.android.shell/files/bugreports
lrw-r--r--. 1 root root 11 1月 1 2009 cache -> /data/cache
lrw-r--r--. 1 root root 19 1月 1 2009 charger -> /system/bin/charger
dr-xr-xr-x. 2 root root 4096 1月 1 2009 config/
lrw-r--r--. 1 root root 17 1月 1 2009 d -> /sys/kernel/debug/
drwxrwx--x. 2 sun sun 4096 1月 1 2009 data/
drwxr-xr-x. 2 root root 4096 1月 1 2009 debug_ramdisk/
lrw-------. 1 root root 23 1月 1 2009 default.prop -> system/etc/prop.default
drwxr-xr-x. 2 root root 4096 1月 1 2009 dev/
lrw-r--r--. 1 root root 11 1月 1 2009 etc -> /system/etc
lrwxr-x---. 1 root 2000 16 1月 1 2009 init -> /system/bin/init
-rwxr-x---. 1 root 2000 2067 1月 1 2009 init.environ.rc*
-rwxr-x---. 1 root 2000 34196 1月 1 2009 init.rc*
-rwxr-x---. 1 root 2000 3343 1月 1 2009 init.recovery.qcom.rc*
-rwxr-x---. 1 root 2000 7690 1月 1 2009 init.usb.configfs.rc*
-rwxr-x---. 1 root 2000 5649 1月 1 2009 init.usb.rc*
-rwxr-x---. 1 root 2000 611 1月 1 2009 init.zygote32.rc*
-rwxr-x---. 1 root 2000 1029 1月 1 2009 init.zygote64_32.rc*
drwx------. 2 root root 16384 1月 1 2009 lost+found/
drwxr-xr-x. 2 root root 4096 1月 1 2009 metadata/
drwxr-xr-x. 2 root sun 4096 1月 1 2009 mnt/
drwxr-xr-x. 2 root root 4096 1月 1 2009 odm/
drwxr-xr-x. 2 root root 4096 1月 1 2009 oem/
drwxr-xr-x. 2 root root 4096 1月 1 2009 postinstall/
drwxr-xr-x. 2 root root 4096 1月 1 2009 proc/
drwxr-xr-x. 2 root root 4096 1月 1 2009 product/
lrw-r--r--. 1 root root 24 1月 1 2009 product_services -> /system/product_services
drwxr-xr-x. 3 root root 4096 1月 1 2009 res/
drwxr-x---. 2 root 2000 4096 1月 1 2009 sbin/
lrw-r--r--. 1 root root 21 1月 1 2009 sdcard -> /storage/self/primary
drwxr-x--x. 2 root 1028 4096 1月 1 2009 storage/
drwxr-xr-x. 2 root root 4096 1月 1 2009 sys/
drwxr-xr-x. 14 root root 4096 1月 1 2009 system/
-rw-r--r--. 1 root root 2608 1月 1 2009 ueventd.rc
drwxr-xr-x. 2 root 2000 4096 1月 1 2009 vendor
2.5 persist.img
This image is in linux ext4 format, just mount it directly
sun@sun-pc:~/android/imgs$ mkdir persist
sun@sun-pc:~/android/imgs$ sudo mount -o ro persist.img persist
sun@sun-pc:~/android/imgs$ ls persist
lost+found sensors
2.6 vbmeta.img,vbmeta_system.img
These two image files have not yet found the relevant analysis methods, and will be updated later if they are found.