未知的arm linux內核映像格式

Question

我有一個ARM linux內核映像文件。但我不確定 究竟是什麼樣的格式...

'文件'命令告訴我，它是純數據。

首先，我認爲這是vmlinuz，並試圖解壓縮它。

我搜索了'gzip'頭部簽名和 從那裏解壓縮。

但我得到的是以下makefile腳本。

# 
# Automatically generated make config: don't edit 
# Linux/arm 2.6.38.7 Kernel Configuration 
# Sat Apr 28 17:29:46 2012 
# 
CONFIG_ARM=y 
CONFIG_SYS_SUPPORTS_APM_EMULATION=y 
CONFIG_HAVE_SCHED_CLOCK=y 
CONFIG_ARCH_SCHED_CLOCK=y 
# CONFIG_ARCH_USES_GETTIMEOFFSET is not set 
CONFIG_GENERIC_CLOCKEVENTS=y 
CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y 
CONFIG_KTIME_SCALAR=y 
CONFIG_STACKTRACE_SUPPORT=y 
CONFIG_LOCKDEP_SUPPORT=y 
CONFIG_TRACE_IRQFLAGS_SUPPORT=y 
CONFIG_HARDIRQS_SW_RESEND=y 
CONFIG_GENERIC_IRQ_PROBE=y 
CONFIG_RWSEM_GENERIC_SPINLOCK=y 
CONFIG_ARCH_HAS_CPU_IDLE_WAIT=y 
CONFIG_GENERIC_HWEIGHT=y 
CONFIG_GENERIC_CALIBRATE_DELAY=y 
CONFIG_NEED_DMA_MAP_STATE=y 
CONFIG_VECTORS_BASE=0xffff0000 
# CONFIG_ARM_PATCH_PHYS_VIRT is not set 
CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config" 
CONFIG_CONSTRUCTORS=y 
CONFIG_HAVE_IRQ_WORK=y 
CONFIG_IRQ_WORK=y 

# 
# General setup 
# 
CONFIG_EXPERIMENTAL=y 
CONFIG_LOCK_KERNEL=y 
CONFIG_INIT_ENV_ARG_LIMIT=32 
CONFIG_CROSS_COMPILE="" 
CONFIG_LOCALVERSION="" 
# CONFIG_LOCALVERSION_AUTO is not set 
CONFIG_HAVE_KERNEL_GZIP=y 
CONFIG_HAVE_KERNEL_LZMA=y 
CONFIG_HAVE_KERNEL_LZO=y 
CONFIG_KERNEL_GZIP=y 
# CONFIG_KERNEL_LZMA is not set 
# CONFIG_KERNEL_LZO is not set 
CONFIG_SWAP=y 
CONFIG_SYSVIPC=y 
CONFIG_SYSVIPC_SYSCTL=y 
# CONFIG_BSD_PROCESS_ACCT is not set 
CONFIG_HAVE_GENERIC_HARDIRQS=y 

# 
# IRQ subsystem 
# 
CONFIG_GENERIC_HARDIRQS=y 
# CONFIG_GENERIC_HARDIRQS_NO_DEPRECATED is not set 
CONFIG_HAVE_SPARSE_IRQ=y 
CONFIG_GENERIC_IRQ_SHOW=y 
# CONFIG_GENERIC_PENDING_IRQ is not set 
# CONFIG_AUTO_IRQ_AFFINITY is not set 
# CONFIG_IRQ_PER_CPU is not set 
CONFIG_SPARSE_IRQ=y 

# 
# RCU Subsystem 
# 
CONFIG_TREE_RCU=y 
# CONFIG_PREEMPT_RCU is not set 
# CONFIG_RCU_TRACE is not set 
CONFIG_RCU_FANOUT=32 
# CONFIG_RCU_FANOUT_EXACT is not set 
# CONFIG_TREE_RCU_TRACE is not set 
CONFIG_IKCONFIG=y 
CONFIG_IKCONFIG_PROC=y 
CONFIG_LOG_BUF_SHIFT=14 
CONFIG_CGROUPS=y 
# CONFIG_CGROUP_DEBUG is not set 
# CONFIG_CGROUP_NS is not set 
# CONFIG_CGROUP_FREEZER is not set 
# CONFIG_CGROUP_DEVICE is not set 
CONFIG_CPUSETS=y 
CONFIG_PROC_PID_CPUSET=y 
# CONFIG_CGROUP_CPUACCT is not set 
# CONFIG_RESOURCE_COUNTERS is not set 
# CONFIG_CGROUP_SCHED is not set 
# CONFIG_BLK_CGROUP is not set 
CONFIG_NAMESPACES=y 
# CONFIG_UTS_NS is not set 
# CONFIG_IPC_NS is not set 
# CONFIG_USER_NS is not set 
# CONFIG_PID_NS is not set 
# CONFIG_HAVE_GET_CYCLES is not set 
# CONFIG_HAVE_TRACE_CLOCK is not set 
CONFIG_HAVE_TRACE_CLOCK_GENERIC=y 
CONFIG_HAVE_TRACE_CLOCK_32_TO_64=y 
# CONFIG_HAVE_UNSYNCHRONIZED_TSC is not set 
# CONFIG_SCHED_AUTOGROUP is not set 
# CONFIG_SYSFS_DEPRECATED is not set 
# CONFIG_RELAY is not set 
CONFIG_BLK_DEV_INITRD=y 
CONFIG_INITRAMFS_SOURCE="" 
CONFIG_RD_GZIP=y 
CONFIG_RD_BZIP2=y 
CONFIG_RD_LZMA=y 
CONFIG_RD_XZ=y 
CONFIG_RD_LZO=y 
# CONFIG_CC_OPTIMIZE_FOR_SIZE is not set 
CONFIG_SYSCTL=y 
CONFIG_ANON_INODES=y 
# CONFIG_EXPERT is not set 
# CONFIG_EMBEDDED is not set 
CONFIG_UID16=y 
CONFIG_SYSCTL_SYSCALL=y 
CONFIG_KALLSYMS=y 
# CONFIG_KALLSYMS_ALL is not set 
# CONFIG_KALLSYMS_EXTRA_PASS is not set 
CONFIG_HOTPLUG=y 
CONFIG_PRINTK=y 
CONFIG_BUG=y 
CONFIG_ELF_CORE=y 
CONFIG_BASE_FULL=y 
CONFIG_FUTEX=y 
CONFIG_EPOLL=y 
CONFIG_SIGNALFD=y 
CONFIG_TIMERFD=y 
CONFIG_EVENTFD=y 
CONFIG_SHMEM=y 
CONFIG_AIO=y 
CONFIG_HAVE_PERF_EVENTS=y 
CONFIG_PERF_USE_VMALLOC=y 

# 
# Kernel Performance Events And Counters 
# 
CONFIG_PERF_EVENTS=y 
# CONFIG_PERF_COUNTERS is not set 
# CONFIG_DEBUG_PERF_USE_VMALLOC is not set 
CONFIG_VM_EVENT_COUNTERS=y 
CONFIG_SLUB_DEBUG=y 
CONFIG_COMPAT_BRK=y 
# CONFIG_SLAB is not set 
CONFIG_SLUB=y 
CONFIG_PROFILING=y 
# CONFIG_MARKERS is not set 
CONFIG_OPROFILE=y 
CONFIG_HAVE_OPROFILE=y 
# CONFIG_KPROBES is not set 

我徹底看了一下hexdump的二進制文件。 我認爲這是一個純粹的ARM二進制文件。

前幾個字節拆開如下

msr CPSR_c, #211 ; 0xd3 
mrc 15, 0, r9, cr0, cr0, {0} 
bl 0x000148e0 
movs sl, r5 
beq 0x00014924 
add r3, pc, #44 ; 0x2c 
ldm r3, {r4, r8} 
sub r4, r3, r4 
add r8, r8, r4 
bl 0x00000154 
bl 0x0000018c 
bl 0x00000050 
ldr sp, [pc, #12] ; 0x00000044 
add lr, pc, #4 
mov r8, r4 
add pc, sl, #16 
b 0x00014894 
andhi r8, r0, r8, ror #3 
andhi r8, r0, r8, asr #32 
andhi r0, r0, r0 
add r4, r8, #16384 ; 0x4000 
mov r0, r4 
mov r3, #0 
add r6, r0, #16384 ; 0x4000 
str r3, [r0], #4 
str r3, [r0], #4 
str r3, [r0], #4 
str r3, [r0], #4 
teq r0, r6 
bne 0x00000060 
ldr r7, [sl, #8] 
add r0, pc, #196 ; 0xc4 
ldm r0, {r3, r5, r6} 
sub r0, r0, r3 
add r5, r5, r0 
add r6, r6, r0 
lsr r5, r5, #20 
lsr r6, r6, #20 
orr r3, r7, r5, lsl #20 
str r3, [r4, r5, lsl #2] 
cmp r5, r6 
addcc r5, r5, #0 
bcc 0x00000098 
mov r3, pc 
lsr r3, r3, #20 
orr r3, r7, r3, lsl #20 
add r0, r4, #8192 ; 0x2000 
str r3, [r0, #0]! 
ldr r6, [pc, #124] ; 0x00000144 
add r0, r0, #4 
add r6, r4, r6, lsr #18 
cmp r0, r6 
add r3, r3, #1048576 ; 0x100000 
strls r3, [r0], #4 
bls 0x000000cc 
lsr r0, r2, #20 
lsls r0, r0, #20 
moveq r0, r8 
sub r3, r0, r8 
add r3, r3, #-2147483648 ; 0x80000000 
add r3, r4, r3, lsr #18 
orr r6, r7, r0 
str r6, [r3] 
mov r7, #36864 ; 0x9000 
orr r3, r7, #-134217728 ; 0xf8000000 
orr r7, r7, #268435456 ; 0x10000000 
lsr r3, r3, #20 
lsl r3, r3, #2 

....

這是用於對ARM模擬器（SOC設計者）引導過程 內核圖像文件。它工作正常。

我想要的是這個內核的ELF文件 ，我可以像IDA一樣用反彙編程序打開它。

，但我不能檢索這個內核映像原ELF格式的文件...

一些幫助，將不勝感激。

謝謝你提前。

Answer 1

ARM Linux內核通常是自加載的簡單二進制文件，通過從原始ELF中提取代碼+ rdata部分並附加「piggy」加載器生成。它們被引導程序加載到內存中的某個位置，然後從那裏運行。小豬裝載機將主載荷解包/複製到最終地址並跳轉到最後地址。

從二進制文件還原ELF可能是可能的（最終運行時地址通常固定爲0xC0008000，通過分析啓動代碼可以找到.data/.bss範圍），但符號表更復雜。最近的內核不按原樣使用ELF符號表，但採用壓縮來節省空間。如果您可以啓動內核，最簡單的方法是讀取/proc/ksyms或/proc/kallsyms，因爲它將具有未壓縮格式的符號。否則，你必須在二進制文件中找到壓縮表並手動解壓。