Decompressing a Linux zImage

Time: 2017-02-05 00:36:52

Tags: linux-kernel reverse-engineering compression disassembly firmware

I am trying to decompress a zImage. I have a firmware binary that was dumped from a flash chip. Analyzing it with binwalk gives the following:

$ binwalk flash_dump.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
352832        0x56240         Linux kernel ARM boot executable zImage (big-endian)
10617408      0xA20240        Linux kernel ARM boot executable zImage (big-endian)
10630468      0xA23544        device tree image (dtb)

I tried to carve out the first Linux zImage:

$ dd if=flash_dump.bin of=zImage bs=1 skip=352832 count=10264576

10264576+0 records in
10264576+0 records out
10264576 bytes (10 MB, 9.8 MiB) copied, 13.7267 s, 748 kB/s

Making sure it is still a zImage:

$ file zImage

zImage: Linux kernel ARM boot executable zImage (big-endian)

Searching for the gzip header:

$ arm-none-eabi-objdump -EB -b binary -D -m armv5t zImage | grep 8b1f

15e4c:  b81c8b1f    ldmdalt ip, {r0, r1, r2, r3, r4, r8, r9, fp, pc}
401f8:  0b3d2bfe    bleq    0xf8b1f8

I can't seem to find the gzip header.

How do I decompress the zImage? I want to look at it in a disassembler such as IDA Pro.

1 answer:

Answer 0: (score: 0)

The zImage is big-endian (see the binwalk results). You should grep for 1f8b instead.
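
A byte-level version of the search discussed above, as an added example that is not part of the original question or answer: it looks for the gzip magic bytes 1f 8b 08 directly in the file, so the result does not depend on word byte order or alignment in a disassembly listing, and it confirms each candidate by inflating it. The function names and the sample blob are constructed for illustration, and it covers gzip only.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=8 (deflate) as stored on disk


def find_gzip_payloads(blob, min_size=1):
    """Return [(offset, data)] for each offset where a gzip member starts
    and inflates completely. Chance matches of the magic are rejected."""
    hits = []
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        # 16 + MAX_WBITS: expect a gzip header and trailer. Bytes after the
        # end of the stream (the rest of the dump) land in unused_data.
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
        try:
            data = inflater.decompress(blob[pos:])
        except zlib.error:
            data = b""  # magic bytes present, but not a valid stream
        if inflater.eof and len(data) >= min_size:
            hits.append((pos, data))
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return hits


def build_sample():
    """Constructed stand-in for a zImage: returns (blob, offset, payload)."""
    payload = b"constructed kernel image bytes " * 64
    member = gzip.compress(payload, mtime=0)
    # The bytes b8 1c 8b 1f (the word the question's grep matched), then a
    # chance magic match with invalid header flags that must not be reported.
    decoy = b"\xb8\x1c\x8b\x1f" + b"\x1f\x8b\x08\xff\xff\xff\xff"
    head = b"\x00" * 14 + decoy  # 25 bytes: the member is not word-aligned
    return head + member + b"\xff" * 32, len(head), payload


if __name__ == "__main__":
    blob, _, _ = build_sample()
    for offset, data in find_gzip_payloads(blob):
        print(f"gzip member at {offset:#x}, {len(data)} bytes inflated")
```

To use it on the carved file, pass the file's bytes as `blob` and write the returned data to disk for the disassembler; a stream cut short by too small a `dd` count is not reported, because it never reaches end-of-stream.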