Linux Kernel – How to Extract Filesystem Image from vmlinux.bin

archivelinux-kernel

jor1k ships a vmlinux.bin. I think there is an initrd inside, cause I don't know where else it would be. I am trying to extract the filesystem image so I can change it, but I don't know how to.

I tried using extract-vmlinux from the Linux source distribution, but it Cannot find vmlinux.

Best Answer

You can look for the cpio newc header (starting with 0707010):

$ grep -abo 0707010 vmlinux.bin | head -n1
2531404:0707010

The -a (for all files even binary ones), -b (for byte offset), and -o (for only the matching part (and report the byte offset of the matching part instead of the line containing the matching part)) are non-standard GNU extensions to grep but are handy to find out where a given string is to be found in a file (contrary to many other grep implementations, GNU grep also supports non-text files (that is, that may contain 0 byte values may have arbitrarily long sequence of bytes between two LF characters, may not end in a LF characters or may contain bytes or sequences of bytes that don't make valid characters in the current locale) which is a requirement in that regard.

$ tail -c +2531405 vmlinux.bin| cpio -t | head
bin
bin/sleep
bin/kill
bin/watch
bin/deluser
bin/getopt
bin/uname
bin/nice
bin/zcat
bin/cpio

(grep -b offsets start at 0, while tail -c ones start at 1).

Related Solutions

Linux – Repack the filesystem image from vmlinux.bin (embedded initramfs) without rebuilding

Yes, it is possible but changing the .init.ramfs section size and addresses is not enough because the Kernel's ELF executable is statically linked with the virtual address of the start and end of the initramfs' section.

In the Linux sources the relevant code is located in the iniramfs.c source file:

void __init populate_rootfs(void)
{
  char *err = unpack_to_rootfs(__initramfs_start, __initramfs_end - __initramfs_start, 0); 
...
}

So you also need to change these two offsets in the machine code of the invocation of the unpack_to_rootfs() function, which is located in the .init.text section. ( watch out for any relevant entries in the relocation table! ...if one exists )

Also, in reference to Icarus's reply, the manipulation of the initramfs' section' size, file offset and starting virtual address, as well as these two aforementioned offsets (arguments to the unpack_to_rootfs() function), enables you to add you own custom LARGER initramfs section that is loaded ABOVE the maximum virtual address of the ELF file. The Program Header's (PHeader) "Memory Size" field needs to be modified too, in order to reflect the larger initramfs section appended after the end of the old virtual address space.

P.S. The "hole" in the Kernel's virtual address space remaining after moving the original init.ramfs section to a new high starting virtual address, does not hurt anything because the associated memory is later freed by the free_initmem(void) function defined in the init.c source file.

Best Answer

Related Solutions

Linux – Repack the filesystem image from vmlinux.bin (embedded initramfs) without rebuilding

Related Question