How to Extract Kernel Files for Linux OS users (Root Engine)
Last modified on 11 April 2019 08:45 AM

To use ROP/JOP technologies, you must have a raw kernel file extracted from the firmware. The firmware must match the particular device and, as a rule, can be found in trusted sources on the Internet.

 Note: The following steps are relevant only for Ubuntu OS users.

 To get the uncompressed kernel file, do the following:

1. On the Internet, find an archive with the firmware file, download it, and unpack it using a suitable archive extraction utility.

2. The archive contains the boot.img file required for extracting the raw kernel file.

3. Unpack the boot.img file, using the Perl script:

 
./split_bootimg.pl boot.img

4. As a result, you get the boot.img-kernel file.

5. Analyze the boot.img-kernel file to find out if it is compressed or uncompressed. For the kernel file analysis, you can use the binwalk tool:

binwalk boot.img-kernel

 

Note: Install the binwalk tool using the following command: sudo apt-get install binwalk (this command is applicable only to Ubuntu starting from version 14.04).

6. The analysis shows that the kernel file is uncompressed.

7. Select the boot.img-kernel file on the "Linux kernel file for ROP/JOP technology" page of the Root Engine wizard.

 

To get the compressed kernel file, do the following:

1. On the Internet, find an archive with the firmware file, download it, and unpack it using a suitable archive extraction utility.

2. The archive contains the boot.img file required for extracting the raw kernel file.

3. Unpack the boot.img file, using the Perl script:

 

./split_bootimg.pl boot.img

 

4. As a result, you get the boot.img-kernel file.

5. Analyze it to find out if it is compressed or uncompressed. To analyze the boot.img-kernel file, you can use the binwalk tool:

sa@debian64$ binwalk boot.img-kernel
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Linux kernel ARM boot executable zImage (little-endian)
15851         0x3DEB          gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)


6. The kernel file is compressed, and the compressed data starts at offset 15851.

7. Extract and unpack the file from that offset in one step by executing the following command:

$ dd if=boot.img-kernel bs=1 skip=15851 | gunzip > boot.img-kernel.raw

Note: For unpacking the file, you can use Linux utilities depending on the archive type: gunzip for gz archives, tar for tar.gz archives, unxz for xz archives, etc.

8. As a result, you get the boot.img-kernel.raw file, which can be selected on the "Linux kernel file for ROP/JOP technology" page of the Root Engine wizard.
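
The binwalk check and the dd/gunzip extraction described above can be combined into one script. The following Python is an added example, not part of the original article or of Root Engine: it locates a gzip stream in the kernel file, validates it by decompressing it, and otherwise treats the file as uncompressed. It handles gzip only; the function names, the min_size threshold and the sample bytes are assumptions constructed for illustration.

```python
import gzip
import sys
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip ID1, ID2 and the deflate method byte


def find_gzip_offsets(data):
    """Return every offset at which the gzip signature occurs."""
    offsets, pos = [], data.find(GZIP_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(GZIP_MAGIC, pos + 1)
    return offsets


def extract_raw_kernel(data, min_size=1024):
    """Return (offset, raw). offset is None when no gzip stream decodes,
    in which case the input is returned as-is (already uncompressed)."""
    for off in find_gzip_offsets(data):
        d = zlib.decompressobj(wbits=31)  # 31 = require gzip header and trailer
        try:
            raw = d.decompress(data[off:])
        except zlib.error:
            continue  # signature bytes that only occur by chance, not a real stream
        # d.eof: stream ended and its CRC32/length trailer checked out;
        # any bytes after the stream are left in d.unused_data
        if d.eof and len(raw) >= min_size:
            return off, raw
    return None, data


def constructed_sample():
    """Constructed input (not a real kernel): a fake loader stub holding a
    stray signature, a gzip payload, then bytes that follow the stream."""
    payload = bytes(range(256)) * 16
    stub = b"\x00" * 100 + GZIP_MAGIC + b"\xff" * 20 + b"\x00" * 77
    return stub + gzip.compress(payload) + b"\xaa" * 16, len(stub), payload


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 extract_kernel.py boot.img-kernel
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = constructed_sample()[0]
    offset, raw = extract_raw_kernel(image)
    print("uncompressed" if offset is None else f"gzip at offset {offset}", len(raw))
    if len(sys.argv) > 1 and offset is not None:
        with open(sys.argv[1] + ".raw", "wb") as f:
            f.write(raw)
```

Run against a real boot.img-kernel file, the reported offset should match the gzip line in the binwalk output, and the .raw file is written only when a valid stream was found.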
