I have a kernel in which one initramfs is embedded.
I want to extract it.
I get the output "x86 boot sector" when I run file bzImage.
I have System.map file for this kernel image.
Is there any way to extract the embedded initramfs image from this kernel, with or without the help of the System.map file?
The interesting strings found in the System.map file are (just in case they help):
57312:c17fd8cc T __initramfs_start
57316:c19d7b90 T __initramfs_size
Answers:
Method 1
There is some information about this in the gentoo wiki: https://wiki.gentoo.org/wiki/Custom_Initramfs#Salvaging
It recommends the usage of binwalk which works exceedingly well.
I’ll give a quick walk-through with an example:
First extract the bzImage file with binwalk:
> binwalk --extract bzImage

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Microsoft executable, portable (PE)
18356         0x47B4          xz compressed data
9772088       0x951C38        xz compressed data
I ended up with three files: 47B4, 47B4.xz and 951C38.xz
> file 47B4
47B4: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, BuildID[sha1]=aa47c6853b19e9242401db60d6ce12fe84814020, stripped
Now let's run binwalk again on 47B4:
> binwalk --extract 47B4

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             ELF, 64-bit LSB executable, AMD x86-64, version 1 (SYSV)
9818304       0x95D0C0        Linux kernel version "4.4.6-gentoo ([email protected]) (gcc version 4.9.3 (Gentoo Hardened 4.9.3 p1.5, pie-0.6.4) ) #1 SMP Tue Apr 12 14:55:10 CEST 2016"
9977288       0x983DC8        gzip compressed data, maximum compression, from Unix, NULL date (1970-01-01 00:00:00)
<snip>
This came back with a long list of found paths and several potentially interesting files. Let's have a look.
> file _47B4.extracted/*
<snip>
_47B4.extracted/E9B348: ASCII cpio archive (SVR4 with no CRC)
File E9B348 is an (already decompressed) cpio archive, just what we are looking for! Bingo!
To unpack the uncompressed cpio archive (your initramfs!) into your current directory, just run
> cpio -i < E9B348
That was almost too easy. binwalk is absolutely the tool you are looking for. For reference, I was using v2.1.1 here.
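What binwalk did in the answer above is a signature scan: look for the magic bytes of known containers, report each hit with its offset, and carve the stream out. The script below is an added example (not part of the answer, not binwalk's code) that does the same by hand for the three formats binwalk reported on this page, gzip, xz and SVR4 cpio, and recovers the length of each compressed member from the decompressor's unused_data. The blob it scans is constructed inline, so it runs offline; on a real target you would read bzImage or the extracted ELF instead.

```python
"""Signature scan over a blob, the idea behind binwalk's table in Method 1.
Added example, not from the original answer; BLOB is constructed inline."""
import gzip
import lzma
import zlib

# Magics for the containers that showed up in the binwalk output above.
SIGNATURES = {
    b"\x1f\x8b\x08": "gzip compressed data",
    b"\xfd7zXZ\x00": "xz compressed data",
    b"070701": "ASCII cpio archive (SVR4 with no CRC)",
    b"\x7fELF": "ELF",
}


def scan(blob):
    """Return every (offset, description) hit, sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES.items():
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def carve(blob, offset, desc):
    """Decompress the gzip/xz stream at offset; return (data, compressed length).
    Both decompressors stop at end-of-stream and leave the trailing bytes in
    unused_data, which is how the member's length inside the blob is recovered.
    Returns None for formats that are not compressed streams (e.g. cpio)."""
    if desc.startswith("gzip"):
        dec = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # gzip wrapper
    elif desc.startswith("xz"):
        dec = lzma.LZMADecompressor(format=lzma.FORMAT_XZ)
    else:
        return None
    data = dec.decompress(blob[offset:])
    return data, len(blob) - offset - len(dec.unused_data)


# Constructed test blob: padding, a gzip member, padding, an xz stream,
# padding, and a bare cpio trailer header. Nothing here is a real kernel.
GZ = gzip.compress(b"A" * 64)
XZ = lzma.compress(b"B" * 64)
CPIO_HDR = b"070701" + b"0" * 104 + b"TRAILER!!!\0"
GZ_OFF = 16
XZ_OFF = GZ_OFF + len(GZ) + 16
CPIO_OFF = XZ_OFF + len(XZ) + 16
BLOB = b"\xff" * 16 + GZ + b"\xff" * 16 + XZ + b"\xff" * 16 + CPIO_HDR

if __name__ == "__main__":
    print("%-10s %-12s %s" % ("DECIMAL", "HEXADECIMAL", "DESCRIPTION"))
    for off, desc in scan(BLOB):
        carved = carve(BLOB, off, desc)
        note = "" if carved is None else " (%d bytes, %d decompressed)" % (carved[1], len(carved[0]))
        print("%-10d 0x%-10X %s%s" % (off, off, desc, note))
```

Two practical notes: a magic match is a hint, not proof (random data will eventually contain 070701), so always confirm a hit by decompressing or parsing it as carve does; and the cpio archive inside a bzImage is usually nested, first xz/gzip around the whole kernel, then possibly gzip around the initramfs, so the scan has to be repeated on each carved layer, which is exactly why the answer ran binwalk twice.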
Method 2
As far as I know, the initramfs cpio archive is just linked into the kernel.
Hence, this should work:
- use dd to extract the range between c17fd8cc and c19d7b90
- unpack the resulting data by using a CPIO unpacker.
Method 3
Using “dd to extract the range between c17fd8cc and c19d7b90” is not going to work, because those are kernel virtual addresses, and your image is in physical space. You would need to translate them into image offsets in order for this to work. Generally, subtract the virtual offset (in this case, looks like 0xC0000000) and possibly add PHYS_OFFSET (usually 0x8000) but that depends on your kernel.
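The address translation Method 3 calls for, applied to Method 2's symbol-based carve, as an added example (my code, not from either answer). Instead of guessing the virtual offset, it reads the PT_LOAD program headers of the unpacked vmlinux ELF (the file binwalk pulled out of the bzImage) and maps each System.map address to a file offset; that is the same mapping readelf -l prints. One detail worth knowing: in the kernel's usr/initramfs_data.S, __initramfs_size is the label of a .long (32-bit) or .quad (64-bit) that stores the archive length, so the script reads the size from that address rather than treating it as the end of the range. The vmlinux, its cpio payload and the System.map lines are all constructed in memory (the i386 base address mimics the question), so the script runs offline; the ELF parser itself handles real ELF32 and ELF64 images.

```python
"""Carve the initramfs out of an unpacked vmlinux ELF using the
__initramfs_start / __initramfs_size symbols from System.map.
Added example, not from any answer above. Virtual addresses go through the
PT_LOAD headers; the length is read from the word __initramfs_size labels.
The vmlinux and cpio below are constructed in memory (not real data)."""
import struct


def parse_system_map(text):
    """'c17fd8cc T __initramfs_start' lines -> {symbol: address}."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            syms[parts[2]] = int(parts[0], 16)
    return syms


def load_segments(elf):
    """[(p_vaddr, p_offset, p_filesz)] for every PT_LOAD header, ELF32 or ELF64."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF: unpack the bzImage first (binwalk/extract-vmlinux)")
    is64, end = elf[4] == 2, ("<" if elf[5] == 1 else ">")
    if is64:
        (phoff,), (entsize, num) = struct.unpack_from(end + "Q", elf, 0x20), struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (phoff,), (entsize, num) = struct.unpack_from(end + "I", elf, 0x1C), struct.unpack_from(end + "HH", elf, 0x2A)
    segs = []
    for i in range(num):
        at = phoff + i * entsize
        if is64:
            p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(end + "IIQQQQ", elf, at)
        else:
            p_type, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(end + "IIIII", elf, at)
        if p_type == 1:  # PT_LOAD
            segs.append((p_vaddr, p_offset, p_filesz))
    return segs


def vaddr_to_offset(segs, vaddr):
    """Kernel virtual address -> file offset; fails instead of guessing PAGE_OFFSET."""
    for p_vaddr, p_offset, p_filesz in segs:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError("0x%x is not backed by any PT_LOAD segment" % vaddr)


def carve_initramfs(elf, syms):
    """Raw bytes of the embedded archive (may itself still be gzip/xz compressed)."""
    segs = load_segments(elf)
    start = vaddr_to_offset(segs, syms["__initramfs_start"])
    size_at = vaddr_to_offset(segs, syms["__initramfs_size"])
    fmt = ("<" if elf[5] == 1 else ">") + ("Q" if elf[4] == 2 else "I")  # .quad / .long
    size, = struct.unpack_from(fmt, elf, size_at)
    return elf[start:start + size]


def list_newc(archive):
    """Walk an uncompressed SVR4 'newc' cpio archive and return [(name, filesize)]."""
    entries, pos = [], 0
    while True:
        if archive[pos:pos + 6] != b"070701":
            raise ValueError("no newc header at %d (still compressed? decompress first)" % pos)
        f = [int(archive[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = f[6], f[11]
        name = archive[pos + 110:pos + 110 + namesize - 1].decode()
        pos = (pos + 110 + namesize + 3) & ~3    # header + NUL-terminated name, 4-aligned
        if name == "TRAILER!!!":
            return entries
        entries.append((name, filesize))
        pos = (pos + filesize + 3) & ~3          # file data, 4-aligned


def newc_entry(name, data, mode=0o100644):
    """Build one newc entry (constructed test data, not a real initramfs)."""
    name_b = name.encode() + b"\0"
    fields = (1, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0)
    body = b"070701" + "".join("%08x" % v for v in fields).encode() + name_b
    body += b"\0" * (-len(body) % 4)
    return body + data + b"\0" * (-len(data) % 4)


CPIO = (newc_entry("init", b"#!/bin/sh\nexec /sbin/init\n", 0o100755)
        + newc_entry("etc/passwd", b"root:x:0:0::/:/bin/sh\n")
        + newc_entry("TRAILER!!!", b"", 0))


def build_vmlinux32(cpio, base=0xC17FD000, start=0x8CC):
    """Constructed ELF32 stand-in for vmlinux: one PT_LOAD segment mapped at base,
    the cpio at base+start, then an 8-aligned .long holding its size (as
    usr/initramfs_data.S lays it out), plus matching System.map lines."""
    seg = b"\0" * start + cpio
    seg += b"\0" * (-len(seg) % 8)
    size_at = len(seg)
    seg += struct.pack("<I", len(cpio))
    p_offset = 0x80
    ehdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9          # ELFCLASS32, LSB, EV_CURRENT
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, base, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", 1, p_offset, base, base, len(seg), len(seg), 5, 0x1000)
    image = ehdr + phdr
    image += b"\0" * (p_offset - len(image)) + seg
    smap = "%08x T __initramfs_start\n%08x T __initramfs_size\n" % (base + start, base + size_at)
    return image, smap


if __name__ == "__main__":
    vmlinux, system_map = build_vmlinux32(CPIO)
    archive = carve_initramfs(vmlinux, parse_system_map(system_map))
    for name, size in list_newc(archive):
        print("%-12s %6d bytes" % (name, size))
```

Against a real kernel, read the unpacked vmlinux and System.map from disk, feed them to carve_initramfs, and check the first bytes of the result: 070701 means list_newc (or cpio -i) can take it directly, while 1f 8b or fd 37 7a 58 5a 00 means the embedded archive is gzip or xz and must be decompressed first. If vaddr_to_offset raises, the addresses are not in a loadable segment, which usually means the file is still the compressed bzImage rather than the ELF inside it.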
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0.