Thread: bzImage decompression?

  1. #1

    bzImage decompression?

    For a very particular thing, I need to decompress a bzImage in order to disassemble it.

    I take the bzImage, remove the bootsect.s and setup.s header to get the
    compressed kernel. But I can't unzip it because the extracted kernel
    does not begin with the gzip magic number (0x1f,0x8b|| 0x9e). But it should
    (if I look at arch/i386/boot/compressed/misc.c and gunzip() ).
    www.routerclub.com

  2. #2
    hi wsgtrsys!

    ok - the structure of bzimage files you can see here
    http://en.wikipedia.org/wiki/Image:Anatomy-of-bzimage.png

    note that the compression used is gzip, not bzip2 as one could assume by the file name.

    i did it the other way around - i loaded my bzImage into a hex editor. next is to find the compressed image within. as it's gzip it will start with the magic bytes 0x1f 0x8b
    ( http://schmidt.devlib.org/file-formats/gzip-archive-file-format.html )

    the first occurrence could possibly be the start of the compressed kernel image.
    for fun i gzipped a test file and it starts with 0x1f 0x8b 0x08, which matches our first occurrence in the bzImage file.

    Code:
    0000555C 00000000 C4A72C00 00800B00 60232C00 18000000 E7AB1B00 1F8B0800
    So you can extract the data from this address starting at your 0x1f 0x8b 0x08 bytes (in this case 0x5574) to end of file and save it to disk as i.e. yourfile.gz. (I did this all with cygwin hexedit.exe)

    next you can gzip -d yourfile.gz and load it into your favorite disassembler
    hehehehehe

    regards,

    --
    0xf001
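
The search-and-extract step from post #2, as an added example (not code from the thread): a Python sketch that tries every `1f 8b 08` offset and keeps the first one that inflates as a complete gzip stream, since those three bytes can also occur by chance earlier in the file. The function names and the sample image are constructed for illustration.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1, ID2, CM=8 (deflate)


def find_gzip_payload(image: bytes, min_size: int = 1):
    """Return (offset, decompressed bytes) for the first candidate that
    inflates cleanly, or None when no candidate does."""
    pos = image.find(GZIP_MAGIC)
    while pos != -1:
        # wbits = 16 + MAX_WBITS makes zlib parse the gzip header and trailer.
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)
        try:
            data = inflater.decompress(image[pos:])
            # eof is True only once the gzip trailer (CRC32, ISIZE) checked out;
            # bytes after the stream end up in inflater.unused_data.
            if inflater.eof and len(data) >= min_size:
                return pos, data
        except zlib.error:
            pass  # magic bytes occurred by chance in boot code or data
        pos = image.find(GZIP_MAGIC, pos + 1)
    return None


def build_sample_image():
    """Constructed stand-in for a bzImage: stub bytes containing a stray
    magic, a real gzip stream, then trailing bytes after the stream."""
    payload = b"\x90" * 64 + b"constructed kernel payload"
    stub = b"\x00" * 32 + GZIP_MAGIC + b"\xff" * 13
    image = stub + gzip.compress(payload) + b"\x00" * 8
    return image, len(stub), payload


if __name__ == "__main__":
    image, expected_offset, payload = build_sample_image()
    offset, data = find_gzip_payload(image)
    print(f"gzip stream at {offset:#x}, {len(data)} bytes decompressed")
```

For a real image, read the file with `open(path, "rb").read()` and write the returned bytes to disk before loading them into a disassembler.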

  3. #3
    thanks 0xf001!
    i read this article:
    http://linux.derkeiler.com/Mailing-Lists/Kernel/2004-03/5506.html

    and decompressed the kernel, but the vmlinux doesn't have an ELF header, IDA Pro can't disassemble it. So I used w32dasm to disassemble it, but the w32dasm disassembly result is too difficult to understand.

    So I wonder, how can I set it up so that IDA can disassemble it?

    there is vmlinux file:
    ftp://61.161.79.48/vmlinux
    www.routerclub.com

  4. #4
    hi,

    use HTE, it can open raw files

    [edit] - btw the link you showed pretty much explains everything - although they make it unnecessarily complicated! you need to know how the kernel loads itself; maybe look a bit into the boot process and kernel startup.

    regards, 0xf001
