272018 How to recover and decompress a Linux kernel dumped MTD partition - Alan C. Assis
a blog about computers and other funny things
Alan C. Assis
How to recover and decompress a Linux kernel
dumped MTD partition
I used the “dd” utility to recover the kernel image from my IP camera. Now I want to analyze it:
$ cp mtd2_Kernel.img /tmp/
Let's see what the kernel image is:
$ file mtd2_Kernel.img
mtd2_Kernel.img: u-boot legacy uImage, Linux-2.6.24ss1, Linux/ARM, OS Kernel Imi
Hmm, it is a u-boot uImage, so let us remove the u-boot header:
$ dd if=mtd2_Kernel.img of=Image bs=64 skip=1
23551+0 records in
23551+0 records out
1507264 bytes (1.5 MB) copied, 0.0529103 s, 28.5 MB/s
Let's see now:
$ file Image
Image: Linux kernel ARM boot executable zImage (little-endian)
Hmm, it is a zImage file. What if I rename it and try to extract it?
$ mv Image Image.gz
$ gunzip Image.gz
gzip: Image.gz: not in gzip format
No way!
(After more searching I found this suggestion: http://www.linuxquestions.org/questions/programming-9/how-to-obtain-image-from-zimage-824499/)
Let's try it:
$ mv Image.gz zImage
$ arm-linux-objdump -EL -b binary -D -m armv5t zImage | grep 8b1f
31e4: 00088b1f andeq r8, r8, pc, lsl fp
2840: 6cab1fa4 stcvs 15, cr1, [fp], {68}
3646: esbi fats ldmia r1!, {r0, r3, r4, r5, r6, r7, sl, ip, s
We are interested only in the first address (0x31e4 = 12772), which is where the gzip magic (1f 8b) appears:
$ dd if=zImage of=piggy.gz bs=1 skip=12772
1494492+0 records in
1494492+0 records out
1494492 bytes (1.5 MB) copied, 2.36995 s, 631 kB/s
$ file piggy.gz
piggy.gz: gzip compressed data, last modified: Mon Apr 8 16:01:49 2013, max coi
$ gunzip piggy.gz
gzip: piggy.gz: decompression OK, trailing garbage ignored
Great!!!
Now I can inspect the kernel symbols from the decompressed image, since /proc/ksyms and /proc/kallsyms are not present on the camera.
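The same carving in Python, as an added example that is not part of the original post: strip the 64-byte U-Boot legacy header, collect every 1f 8b 08 candidate (what the objdump grep for 8b1f found), and keep the first one that inflates to a complete gzip stream, ignoring the trailing bytes just as gzip did. The input image is constructed inline; file names and layout are assumptions.

```python
import gzip
import struct
import zlib

UIMAGE_MAGIC = 0x27051956   # U-Boot legacy image header magic
UIMAGE_HEADER_LEN = 64      # the bs=64 skip=1 from the dd command above
GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=deflate; little-endian word ends in ...8b1f

def strip_uimage_header(blob):
    """Drop the 64-byte U-Boot header if the magic matches, else return blob unchanged."""
    if len(blob) >= UIMAGE_HEADER_LEN and struct.unpack(">I", blob[:4])[0] == UIMAGE_MAGIC:
        return blob[UIMAGE_HEADER_LEN:]
    return blob

def find_gzip_offsets(blob):
    """Every offset where a gzip member could start (ARM code can contain false matches)."""
    offsets, pos = [], blob.find(GZIP_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return offsets

def carve_piggy(zimage):
    """Return (offset, decompressed kernel) for the first candidate that inflates completely."""
    for off in find_gzip_offsets(zimage):
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # expect a gzip wrapper
        try:
            out = d.decompress(zimage[off:]) + d.flush()
        except zlib.error:
            continue  # false positive: the bytes after the magic are not a deflate stream
        if d.eof:  # complete member; d.unused_data holds the "trailing garbage"
            return off, out
    return None

def recover_kernel(mtd_dump):
    """End-to-end: uImage dump -> zImage -> inflated piggy, or None if nothing carves."""
    return carve_piggy(strip_uimage_header(mtd_dump))

def build_sample_image():
    """Constructed input: uImage header + ARM-like stub with a false magic + real gzip + junk."""
    kernel = b"Linux version 2.6.24 (constructed sample)\n" + bytes(range(256)) * 4
    piggy = gzip.compress(kernel)
    stub = b"\xe0\x8f\x00\x00" * 8 + b"\x1f\x8b\x08\x00" + b"\x00" * 16  # false 1f8b08 at 32
    zimage = stub + piggy + b"\xff" * 32  # 32 bytes of trailing garbage after the stream
    header = struct.pack(">IIIIIIIBBBB32s", UIMAGE_MAGIC, 0, 0, len(zimage), 0, 0, 0,
                         5, 2, 2, 0, b"Linux-2.6.24")  # os=Linux, arch=ARM, type=kernel
    return header + zimage, kernel, len(stub)
```

The false candidate at offset 32 fails inside zlib (invalid stored-block lengths), so only the real stream at offset 52 is returned.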
linux (https://acassis.wordpress.com/category/linux/)
acassis
June 4, 2015June 4, 2015
3 thoughts on “How to recover and decompress a Linux
kernel dumped MTD partition”
Pingback: Using strings to recreate a Linux kernel config | Alan C. Assis
ponnex says
December 7, 2015 at 8:18 am
I would like to know how you would inspect kernel symbols from the piggy file?
Reply
acassis says:
December 7, 2015 at 12:10 pm
Hi Ponnex,
It depends on whether the kernel was compiled with symbols enabled (-g option in gcc). BR, Alan
Reply