I have a kernel that the vendor hasn't provided the source for. It is the gziped kernel. Where does the data part of the sequence start? I tried to find the magic number (1f 8b) and copy that into a gzip file, but I can't decode it in 7zip.
Asked
Active
Viewed 3,479 times
1 Answers
5
You have the correct approach for a gzip-compressed binary. The decompression is different for burrows-wheeler (bzip2) or LZMA. If it doesn't decompress with 7zip, try using something like gzip/zcat.
An example of decompressing gzip-encoded kernels, based on Benjamin Coddington's post How to extract vmlinux from vmlinuz [archived from the original]:
$ mkdir -p /tmp/kernel-uncompressed/; cd /tmp/kernel-uncompressed/
$ f="vmlinuz-`uname -r`" # e.g. "vmlinuz-2.6.18-128.el5.uvm6PAE"
$ cp /boot/$f .
$ od -t x1 -A d $f | grep "1f 8b 08"
0008320 1b 00 1f 8b 08 00 d5 c2 9a 49 02 03 ec 3b 7d 7c
$ offset=8322 # Where the gzip marker starts, based on the above output.
$ dd bs=1 skip=$offset if=$f | zcat > vmlinux
wjandrea
- 28,235
- 9
- 60
- 81
Brian Cain
- 14,403
- 3
- 50
- 88
-
FYI, I tried this but got an error `gzip: stdin has flags 0x85 -- not supported`. [It looks like that's because it's not a gzip file](/a/41273767/4518341). The output of `file` says `bzImage`, so I guess it uses bzip2. – wjandrea Mar 17 '22 at 23:08
-
After some research, I found out [it's better to use `scripts/extract-vmlinux` than do it manually](https://askubuntu.com/a/1312215/301745). – wjandrea Mar 18 '22 at 19:31