How to recover and decompress a Linux kernel dumped MTD partition - Alan C. Assis, a blog about computers and other funny things

I used the "dd" utility to recover the kernel image from my IP camera. Now I want to analyze it:

$ cp mtd2_Kernel.img /tmp/

Let's see what the kernel image is:

$ file mtd2_Kernel.img
mtd2_Kernel.img: u-boot legacy uImage, Linux-2.6.24ss1, Linux/ARM, OS Kernel Image ...

Hmm, it is a U-Boot uImage, so let's remove the 64-byte U-Boot header:

$ dd if=mtd2_Kernel.img of=Image bs=64 skip=1
23551+0 records in
23551+0 records out
1507264 bytes (1.5 MB) copied, 0.0529103 s, 28.5 MB/s

Let's see now:

$ file Image
Image: Linux kernel ARM boot executable zImage (little-endian)

Hmm, it is a zImage. What if I rename it and try to extract it?

$ mv Image Image.gz
$ gunzip Image.gz
gzip: Image.gz: not in gzip format

No way! A zImage is not a gzip file: it is a small self-decompressing program (the decompressor stub) with the gzip-compressed kernel appended after the stub code, so gunzip does not find the gzip magic at offset 0.

After more searching I found this suggestion (http://www.linuxquestions.org/questions/programming-9/how-to-obtain-image-from-zimage-824499/): disassemble the raw binary and grep for the gzip magic. A gzip stream starts with the bytes 1f 8b 08 (magic plus compression method 8, deflate); read as a little-endian 32-bit word, as objdump -EL prints it, those bytes show up as "...8b1f". Let's try it:

$ mv Image.gz zImage
$ arm-linux-objdump -EL -b binary -D -m armv5t zImage | grep 8b1f
    31e4:	00088b1f	andeq	r8, r8, pc, lsl fp
(two more matches follow; only the first matters here)

We are interested only in the first address (0x31e4 = 12772), which is the offset of the gzip stream inside the zImage. The word 00088b1f is the byte sequence 1f 8b 08 00: gzip magic, deflate, flags 0.

$ dd if=zImage of=piggy.gz bs=1 skip=12772
1494492+0 records in
1494492+0 records out
1494492 bytes (1.5 MB) copied, 2.36995 s, 631 kB/s
$ file piggy.gz
piggy.gz: gzip compressed data, last modified: Mon Apr  8 16:01:49 2013, max compression
$ gunzip piggy.gz
gzip: piggy.gz: decompression OK, trailing garbage ignored

Great!!! The "trailing garbage" is simply the rest of the zImage that follows the compressed stream; gunzip stops at the end of the gzip member and leaves the uncompressed kernel in the file piggy. Now I can inspect the kernel symbols offline from that file, because /proc/ksyms and /proc/kallsyms are not available on the camera.
Category: linux (https://acassis.wordpress.com/category/linux/)
acassis, June 4, 2015

3 thoughts on "How to recover and decompress a Linux kernel dumped MTD partition"

Pingback: Using strings to recreate a Linux kernel config | Alan C. Assis

ponnex says:
December 7, 2015 at 8:18 am
I would like to know how you would inspect kernel symbols from the piggy file?

acassis says:
December 7, 2015 at 12:10 pm
Hi Ponnex,
It depends on whether the kernel was compiled with symbols enabled (the -g option in gcc).
BR, Alan
