How to modify the boot.img in Android
Modifying init.rc can be tricky because init.rc is read only once at system boot up, and it’s restored from the recovery image when rebooted.
Therefore, to modify init.rc, you need to modify the recovery image.
I’m writing this post based on Nexus7, but editing init.rc should be similar with other Android devices.
Steps to edit init.rc
- Download boot.img from Android device
- Unpack the boot.img
- Edit init.rc
- Repack the boot.img
- Replace the boot.img with new boot image
-
Download boot.img from Android device
First go into Android shell using
adb root adb shell
, and check out the partitions using this command
cat /proc/partitions
For my device, the command prints out
major minor #blocks name 179 0 15466496 mmcblk0 179 1 12288 mmcblk0p1 179 2 8192 mmcblk0p2 179 3 665600 mmcblk0p3 179 4 453632 mmcblk0p4 179 5 512 mmcblk0p5 179 6 10240 mmcblk0p6 179 7 5120 mmcblk0p7 179 8 512 mmcblk0p8 179 9 14302208 mmcblk0p9 179 32 2048 mmcblk0boot1 179 16 2048 mmcblk0boot0
From the above list of partitions, we need to find out which one is boot partition
In order to find boot partition, run
ls -l /dev/block/platform/sdhci-tegra.3/by-name/
And the command will give the name of each partition like shown below
lrwxrwxrwx root root 2000-01-02 21:22 APP -> /dev/block/mmcblk0p3 lrwxrwxrwx root root 2000-01-02 21:22 CAC -> /dev/block/mmcblk0p4 lrwxrwxrwx root root 2000-01-02 21:22 LNX -> /dev/block/mmcblk0p2 lrwxrwxrwx root root 2000-01-02 21:22 MDA -> /dev/block/mmcblk0p8 lrwxrwxrwx root root 2000-01-02 21:22 MSC -> /dev/block/mmcblk0p5 lrwxrwxrwx root root 2000-01-02 21:22 PER -> /dev/block/mmcblk0p7 lrwxrwxrwx root root 2000-01-02 21:22 SOS -> /dev/block/mmcblk0p1 lrwxrwxrwx root root 2000-01-02 21:22 UDA -> /dev/block/mmcblk0p9 lrwxrwxrwx root root 2000-01-02 21:22 USP -> /dev/block/mmcblk0p6
LNX -> boot.img
From the output above, we know LNX -> /dev/block/mmcblk0p2 is the boot.img
Using fdisk -l /dev/block/mmcblk0p2 to get more information
Copy the image from boot partitions to /data/local/tmp/ directory using this command
cat /dev/block/mmcblk0p2 > /data/local/tmp/boot.img
Now we need to bring the boot.img from android device to our computer using
adb pull /data/lcoal/tmp/boot.img .
This command will copy boot.img to your current directory executing the command
2. Unpack the boot.img
The boot and recover images are not proper filesystems, so we are going to need to unpack the boot image to see the contents in there.
We can extract the image using a script, which you can download from here : Extract-Tool
./unpack-bootimg.pl boot.img
Will extract files such as
boot.img-ramdisk.cpio.gz boot.img-kernel.gz boot.img-ramdisk/
3. Edit init.rc
init.rc and other files are in boot.img-ramdisk/ directory, so you can change the bootimage as you want.
4. Repack the boot.img
Run this command to repack boot image
./repack-bootimg.pl boot.img-kernel.gz boot.img-ramdisk newboot.img
repack-bootimg.pl and mkbootimg should be in same directory.
5. Replace the boot.img with new boot image
adb push newboot.img /data/local/tmp/ adb shell cat /data/local/tmp/newboot.img > /dev/block/mmcblk0p2
Resource
http://droidcore.blogspot.com/2012/12/how-to-edit-initrc-in-android.html
http://android-dls.com/wiki/index.php?title=HOWTO:_Unpack%2C_Edit%2C_and_Re-Pack_Boot_Images#Background
https://forum.xda-developers.com/showthread.php?t=1739119
While unpacking, hit with following error
~/prac/android$ ~/github-repos/android/boot-image-extract/unpack-bootimg.pl boot.img
Found a secondary file after the ramdisk image. According to the spec (mkbootimg.h) this file can exist, but this script is not designed to deal with this scenario.
~/prac/android$