Android boot.img zImage format

Android's boot.img / zImage / recovery.img are formatted as follows.

Android's boot.img is composed of 4 sections: Header, Kernel, Ramdisk, and Second stage.

Each section is aligned to the flash device's page size. Each section ends at the end of the last page it uses. The header is one page long. 2048 is the default page size.

##Boot Img Hdr

|Section|Bytes|First Byte|Comments|
|-------|-----|----------|--------|
|Boot Magic|8|0|Presumably as in the magic number that the file command uses|
|Kernel size|4|8|in bytes|
|Kernel Address|4|12|default is 0x10008000. Whatever number you type is added to 0x00008000.|
|Ramdisk size|4|16|in bytes|
|Ramdisk Address|4|20|default is 0x11000000. base address + 0x01000000.|
|Second size|4|24|in bytes|
|Second Address|4|28|default is 0x10F00000. base address + 0x00F00000.|
|Tags Address|4|32|default is 0x10000100. base address + 0x00000100.|
|Page Size|4|36|2048 is the default. 2048 and 4096 are the only values accepted by mkbootimg|
|Unused|8|40|Reserved for future expansion|
|Name|16|48|Boot Image name.|
|CMDLine|512|64|Kernel command line, I presume.|
|ID|20|576|According to bootimg.h, it's supposed to cover timestamp/checksum/SHA1/etc, but all I see is SHA1|

##Kernel

The kernel begins one page in, 2048 bytes by default. On ARM, it begins with 0000A0E1 eight times. 0000A0E1 is ARM's NOP. The end of the kernel is at 2048 + Kernel size (from the header). The end of the kernel block (kernel plus padding) is (2048 + Kernel size + 2047)/2048 times 2048, using integer division (drop the remainder).

Remember to replace 2048 with the page size of your flash.

TODO: Figure out how to pull a config.gz from this.

##Ramdisk

The ramdisks I've seen begin with 1F8B08, gzip's header. Might not be true with all.
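The header table and the page-alignment rule above can be turned into a small parser. This is an added example, not code from the original page or from mkbootimg: the function names are hypothetical, the sample image is constructed, and the `ANDROID!` magic value comes from AOSP's bootimg.h rather than from this page.

```python
import gzip
import struct

# Field layout from the header table above (little-endian, 596 bytes total).
HDR = struct.Struct("<8s8I8s16s512s20s")
BOOT_MAGIC = b"ANDROID!"  # value from AOSP bootimg.h, not stated on this page


def round_up(n, page):
    """Size of a section including padding: (n + page - 1) / page * page."""
    return (n + page - 1) // page * page


def parse_boot_img(data):
    """Return selected header fields plus (offset, size) for each section."""
    if len(data) < HDR.size:
        raise ValueError("shorter than a boot image header")
    (magic, k_size, k_addr, r_size, r_addr, s_size, s_addr,
     tags_addr, page, _unused, name, cmdline, img_id) = HDR.unpack_from(data)
    if magic != BOOT_MAGIC:
        raise ValueError("bad boot magic")
    if page not in (2048, 4096):       # the only values mkbootimg accepts
        raise ValueError("unexpected page size %d" % page)
    k_off = page                       # the header occupies exactly one page
    r_off = k_off + round_up(k_size, page)
    s_off = r_off + round_up(r_size, page)
    if s_off + s_size > len(data):     # sizes are untrusted: bounds-check them
        raise ValueError("section sizes exceed file length")
    return {
        "page_size": page, "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "cmdline": cmdline.rstrip(b"\0").decode("ascii", "replace"),
        "kernel": (k_off, k_size), "ramdisk": (r_off, r_size),
        "second": (s_off, s_size),
        "ramdisk_is_gzip": data[r_off:r_off + 3] == b"\x1f\x8b\x08",
    }


def build_sample(page=2048):
    """Constructed image: 8 ARM NOPs as 'kernel', a gzip blob as 'ramdisk'."""
    kernel = bytes.fromhex("0000A0E1") * 8
    ramdisk = gzip.compress(b"constructed ramdisk")
    hdr = HDR.pack(BOOT_MAGIC, len(kernel), 0x10008000, len(ramdisk), 0x11000000,
                   0, 0x10F00000, 0x10000100, page, b"", b"sample", b"", b"")
    parts = (hdr, kernel, ramdisk)
    return b"".join(p.ljust(round_up(len(p), page), b"\0") for p in parts)


if __name__ == "__main__":
    print(parse_boot_img(build_sample()))
```

The bounds check matters when the image comes from an untrusted source, since every offset is derived from sizes stored in the file itself.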

##Second Stage

Based on mkbootimg's source and quick examination of a compiled image.

