HOWTO: Unpack, Edit, and Repack Boot Images

http://forum.xda-developers.com/showthread.php?t=443994

Several people have already figured out the details on their own, but I have gotten requests to do a more comprehensive tutorial on how the boot and recovery images are structured, and how you can edit them.

Background
Your phone has several devices which hold different parts of the filesystem:

Code:

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00020000 "misc"
mtd1: 00500000 00020000 "recovery"
mtd2: 00280000 00020000 "boot"
mtd3: 04380000 00020000 "system"
mtd4: 04380000 00020000 "cache"
mtd5: 04ac0000 00020000 "userdata"

In this tutorial, we will deal with "recovery" and "boot". The "boot" device holds the files that are automatically loaded onto the root of your filesystem every time you boot (details below).
"system" holds everything that gets mounted in your system/ directory, and userdata/ is everything that shows up in data/ (this is all the apps you've installed, your preferences, etc).
The recovery and boot partitions are at /dev/mtd/mtd1 and /dev/mtd/mtd2, and before you do anything else you should back these up (note: this may not be the best way of doing this because it may not deal properly with bad blocks etc, but it's all we've got until somebody comes up with a better method, and besides you will probably be restoring from update.zip anyway):

Code:

# cat /dev/mtd/mtd1 > /sdcard/mtd1.img
# cat /dev/mtd/mtd2 > /sdcard/mtd2.img

The other thing you should do is put your favorite update.zip file into the root directory of your sd card so that if you screw up your boot partition you can boot into recovery mode and re-apply the update. You probably want one of the pre-rooted recovery images found elsewhere on the forums.
There is also another important file you should know about. In /system/recovery.img there is a full copy of everything that is loaded on mtd1. This file is automatically flashed onto mtd1 every time you shut down. That means two things: 1. Any changes you make directly to /dev/mtd/mtd1 get blown away on reboot and 2. If you want to change /dev/mtd/mtd1 you're probably better off just sticking the image in /system/recovery.img and rebooting. When creating your own custom update.zip files (especially when adapting the stock images), you can get tripped up if you forget to replace /system/recovery.img and it ends up overwriting /dev/mtd/mtd1 unbeknownst to you. Watch out.

Structure of boot and recovery images
The boot and recovery images are not proper filesystems. Instead, they are a custom Android format consisting of a 2k header, followed by a gzipped kernel, followed by a ramdisk, followed by a second stage loader (optional, we have not seen these in the wild yet). This structure is outlined in mkbootimg.h:

Code:

+-----------------+
| boot header     | 1 page
+-----------------+
| kernel          | n pages
+-----------------+
| ramdisk         | m pages
+-----------------+
| second stage    | o pages
+-----------------+

n = (kernel_size + page_size - 1) / page_size
m = (ramdisk_size + page_size - 1) / page_size
o = (second_size + page_size - 1) / page_size

0. all entities are page_size aligned in flash
1. kernel and ramdisk are required (size != 0)
2. second is optional (second_size == 0 -> no second)
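
The layout above can be walked from the header instead of searching for 1F 8B by hand. This Python example is added here and is not part of the original post or its attached Perl scripts; it applies the page-rounding formula above and rejects images whose sections run past the end of the file. It assumes the header starts with the magic `ANDROID!` followed by little-endian 32-bit kernel_size, kernel_addr, ramdisk_size, ramdisk_addr, second_size, second_addr, tags_addr and page_size (the field order in AOSP's boot image header, which the page does not reproduce); the function names and the sample image are constructed for illustration.

```python
import gzip
import struct

MAGIC = b"ANDROID!"
# magic[8] + 8 little-endian uint32: kernel size/addr, ramdisk size/addr,
# second size/addr, tags addr, page size (assumed v0 header field order)
HDR = struct.Struct("<8s8I")


def pages(size, page_size):
    """Number of flash pages occupied by `size` bytes (formula from the page)."""
    return (size + page_size - 1) // page_size


def split_boot_image(img):
    """Return {'kernel','ramdisk','second'} byte strings cut out of a boot image."""
    if len(img) < HDR.size:
        raise ValueError("image shorter than header")
    magic, k_size, _, r_size, _, s_size, _, _, page = HDR.unpack_from(img)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if page == 0 or page & (page - 1):
        raise ValueError("page size is not a power of two")
    if k_size == 0 or r_size == 0:
        raise ValueError("kernel and ramdisk are required")
    parts, offset = {}, page  # the header occupies exactly one page
    for name, size in (("kernel", k_size), ("ramdisk", r_size), ("second", s_size)):
        if offset + size > len(img):
            raise ValueError(f"{name} runs past end of image")
        parts[name] = img[offset:offset + size]
        offset += pages(size, page) * page  # next section starts page-aligned
    if parts["ramdisk"][:2] != b"\x1f\x8b":
        raise ValueError("ramdisk does not start with gzip magic 1F 8B")
    return parts


def build_sample(page=2048):
    """Constructed test image: fake kernel bytes plus a gzipped placeholder ramdisk."""
    kernel = b"KERNEL" * 500  # 3000 bytes, so it occupies 2 pages
    ramdisk = gzip.compress(b"not a real cpio archive")
    hdr = HDR.pack(MAGIC, len(kernel), 0, len(ramdisk), 0, 0, 0, 0, page)
    pad = lambda b: b + b"\0" * (-len(b) % page)
    return pad(hdr) + pad(kernel) + pad(ramdisk), kernel, ramdisk


if __name__ == "__main__":
    image, _, _ = build_sample()
    for name, blob in split_boot_image(image).items():
        print(name, len(blob))
```

Run against a real dump such as the mtd2.img backup, the returned kernel and ramdisk can be written to separate files and fed to the gunzip/cpio and mkbootimg steps described further down.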

A ramdisk is basically a small filesystem containing the core files needed to initialize the system. It includes the critical init process, as well as init.rc, which is where you can set many system-wide properties. If you really want to know more about it, here is the documentation. Here's a list of files on a typical ramdisk:

PS. A ramdisk is loaded into main memory (RAM) to run the system and does not depend on secondary storage devices.

Code:

./init.trout.rc
./default.prop
./proc
./dev
./init.rc
./init
./sys
./init.goldfish.rc
./sbin
./sbin/adbd
./system
./data

The recovery image typically has a few extra files, which constitute the recovery binary and supporting files (the application that gets run if you hold down home+power when rebooting). These files are:

PS. The key combination for starting recovery differs from phone to phone. This article is about the HTC G1.

Code:

./res
./res/images
./res/images/progress_bar_empty_left_round.bmp
./res/images/icon_firmware_install.bmp
./res/images/indeterminate3.bmp
./res/images/progress_bar_fill.bmp
./res/images/progress_bar_left_round.bmp
./res/images/icon_error.bmp
./res/images/indeterminate1.bmp
./res/images/progress_bar_empty_right_round.bmp
./res/images/icon_firmware_error.bmp
./res/images/progress_bar_right_round.bmp
./res/images/indeterminate4.bmp
./res/images/indeterminate5.bmp
./res/images/indeterminate6.bmp
./res/images/progress_bar_empty.bmp
./res/images/indeterminate2.bmp
./res/images/icon_unpacking.bmp
./res/images/icon_installing.bmp
./sbin/recovery

Unpacking, Editing, and Re-Packing the images
Note: below I give you the details for unpacking and repacking manually, but I have attached two Perl scripts that do most of this for you.
If you are good with a hex editor, you can open up any of these images and strip off the first 2k of data. Then, look for a bunch of zeroes followed by the hex 1F 8B (which is the magic number of a gzip file). Copy everything from the first line of the file, through the zeroes, and stopping at the 1F 8B. That is the kernel. Everything from the 1F 8B through the end is the ramdisk. You could save each of these files separately. In order to see the contents of the ramdisk, you need to un-gzip it and then un-cpio it. You could use a command like this (ideally after creating a new directory and cd'ing into it):

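PS. The reason you still need cpio after decompressing is that the ramdisk is first copied into a single file with the cpio tool and then packed with zip. If you only decompress it, all you get is one big file, which has to be processed once more to get the individual files.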

Code:

gunzip -c ../your-ramdisk-file | cpio -i

That will place all of the files from the ramdisk in your working directory. You can now edit them.
In order to re-create the ramdisk, you need to re-cpio them and re-gzip those files, with a command like the following (remember, cpio will include everything in the current working directory, so you probably want to remove any other cruft you might have in there):

Code:

find . | cpio -o -H newc | gzip > ../newramdisk.cpio.gz

The final step is to combine the kernel and your new ramdisk into the full image, using the mkbootimg program (which you should download and compile from the git repository):

PS. Compile ...

Code:

mkbootimg --cmdline 'no_console_suspend=1 console=null' --kernel your-kernel-file --ramdisk newramdisk.cpio.gz -o mynewimage.img

Now, there's a lot of hassle in pulling apart files in hex editors and remembering all of these commands, so I wrote unpack and repack perl scripts for you (attached). Hooray.

Flashing your new image back onto the phone
You will probably only ever be flashing boot images directly to the phone, given the fact that /system/recovery.img automatically flashes the recovery device for you (as noted above). If you have created a new recovery image, just stick it in /system/recovery.img and reboot. If you are flashing a boot image, stick it on your phone via adb (a tool included in the Android SDK):

Code:

adb push ./mynewimage.img /sdcard

Then, open a shell to your phone via 'adb shell', get root, and do the following two commands to flash your new boot image:

Code:

# cat /dev/zero >> /dev/mtd/mtd2
   write: No space left on device [this is ok, you can ignore]
# flash_image boot /sdcard/mynewimage.img

Reboot.
If your phone starts all the way up, congratulations. If not, you did something wrong and you'll need to boot into recovery mode and apply your update.zip file (reboot while holding down home+power, when you get the recovery screen press alt+L and then alt+S).

Something fun to do with your new found power
If you place a file titled initlogo.rle in the root directory of your boot image, the phone will display this image upon boot (after the "G1" image and before the Android animation). In order to create this file, you need to create a 320x480 image in Photoshop or Gimp and save it as a "raw image" file. You then need to compress that image with the program to565. More details on that here.

This is not the same thing as applying an update.zip
You will see other places on the forums that describe how to create customized update.zip files, as well as update.zip files that people are sharing. For example, there is a recent update.zip which is a modified version of rc30 (with the anti-root aspects disabled). The update.zip files include new boot images, recovery images, and typically replacements for the entire system/ directory as well as other updates. If you are creating a custom boot or recovery image, it is typically a good idea to start with the image distributed with the most recent update you have applied (flashing an image from an older release could have unintended consequences).
