Old 05-26-2019, 06:09 AM   #1
BloodRagg
Kobo Bootimage Packer/Unpacker

Hi,

These are scripts for packing and unpacking the bootimage of Kobo devices.

I made these a while ago but never had a reason to release them until now.
They are tested on a Kobo Aura HD and a couple of images (clara, h2o, hd iirc).

Instead of running through the code, I solely used the image binary for reverse engineering.
The memory maps are done in hexadecimal offsets instead of decimal offsets (crazy humans),
which as you can see makes more sense. I think I found all the checksums and magic markers.

Of course, as with all reverse engineering, don't expect this to be in 100% working order.
But it should give you enough room to play.

kbunpack.sh: unpacks a bootimage into its parts.
kbpack.sh: packs and/or repacks the bootimage.

So you can insert new kernels, waveforms, dtb's and more.

This is what I know to be true thus far; this isn't 100% fact.

Code:
Flash/Mmc layout found in master boot record with an offset of
9.5MiB to 24MiB.

Sector Size= 512 bytes
Device          Sectors   Size Id Type   Name
------------------------------------------------------------
mmcblk0          19456    9.5M -- RAW    bootimage Aura HD
mmcblk0          49152   24.0M -- RAW    bootimage Aura H2O
------------------------------------------------------------
mmcblk0p1        524289   256M 83 Linux  rootfs
mmcblk0p2        524289   256M 83 Linux  recoveryfs
mmcblk0p3        rest        rest b  FAT32  KOBOeReader
------------------------------------------------------------

The map of the boot image, goes for most devices.
Newer devices have a firmware and device tree blob (mx6)

[ master boot record      ] at 0x00000000
[ serial number           ] at 0x00000200
[ u-boot binary           ] at 0x00000400
[ ntx config size         ] at 0x0007fff0
[ ntx hardware config     ] at 0x00080000
[ firmware blob size      ] at 0x00080bf0
[ firmware blob           ] at 0x00080c00
[ linux device tree blob  ] at 0x000a0c00
[ u-boot environment      ] at 0x000c0000
[ data1 (unknown)         ] at 0x000e0000
[ data2 (unknown)         ] at 0x000f0000
[ uImage/kernel           ] at 0x00100000
[ ramdisk/initrd (unused) ] at 0x00400000
[ e-ink waveform size     ] at 0x006ffff0
[ e-ink waveform          ] at 0x00700000
[ logo (unused)           ] at 0x00900000 (overwritten if waveform is bigger)
[ Aura HD END-------------] at 0x00980000
[ Aura H2O END------------] at 0x01800000

u-boot has been modified by ntx for three purposes:
1. adding the board configuration
2. adding multiple boot configurations, they modified it
   to boot into 3 configurations
   * boot from rootfs into Kobo e-Reader software
     (press power)
   * boot from recoveryfs into recovery software
     (hold light button, then press power)
   * boot from external mmc/sdcard if present on device.
     (hold light button and hold power button)
3. custom boot functions that start with 'ntx_' that
   loads into memory:
   * ntx hardware configuration
   * device tree blob (mx6)
   * e-ink waveform
   then starts the kernel
   
On the root partition /dev/root which is a softlink to either
 * /dev/mmcblk0p1 (rootfs)
 * /dev/mmcblk0p2 (recoveryfs)
 * /dev/mmcblk1p1 (micro sd card)

searches for /linuxrc    (softlink to /bin/busybox)
searches for /sbin/init  (softlink to /bin/busybox)
kicks off /etc/init.d/rcS (in single user mode)
kicks off /etc/inittab    (in multi user mode)

/etc/init.d/rcS
* mounts /proc /sys /dev /var /tmp (basic linux setup)
* loads udev to populate /dev (I think they chose udev as mdev hangs on hotplug/kernel panic *kernel bug*)
* drivers are loaded (loading with insmod instead of fixing modprobe and loading it)
* powerled is turned off
* e-Reader software is loaded

Unpacking:
Code:
build@build:~$ ./kbunpack.sh boot.img
Kobo Boot Image Unpacker v0.1b (c) April 2019 GPLv2 by BloodRagg

Extracting Image
  extracting: mbr.img (mbr)
  extracting: serial.img (serial)
  extracting: ubootbin.img (ubootbin)
  extracting: hwconfig.img (hwconfig)
  extracting: fw.img (fw)
  extracting: dtb.img (dtb)
  extracting: ubootenv.img (ubootenv)
  extracting: data1.img (data1)
  extracting: data2.img (data2)
  extracting: uimage.img (uimage)
  extracting: initrd.img (initrd)
  extracting: waveform.img (waveform)
Done.
build@build:~$ ls -l
-rw-rw-r-- 1 build build     2048 mei 26 12:16 data1.bin
-rw-rw-r-- 1 build build    65536 mei 26 12:16 data1.img
-rw-rw-r-- 1 build build     2048 mei 26 12:16 data2.bin
-rw-rw-r-- 1 build build    65536 mei 26 12:16 data2.img
-rw-rw-r-- 1 build build       66 mei 26 12:16 hwconfig.bin
-rw-rw-r-- 1 build build     3072 mei 26 12:16 hwconfig.img
-rw-rw-r-- 1 build build     6144 mei 26 12:16 initrd.bin
-rw-rw-r-- 1 build build  3145712 mei 26 12:16 initrd.img
-rw-rw-r-- 1 build build      512 mei 26 12:16 mbr.img
-rw-rw-r-- 1 build build      456 mei 26 12:16 mbr.txt
-rw-rw-r-- 1 build build      512 mei 26 12:16 serial.img
-rw-rw-r-- 1 build build       17 mei 26 12:16 serial.txt
-rw-rw-r-- 1 build build   145972 mei 26 12:16 ubootbin.bin
-rw-rw-r-- 1 build build   523248 mei 26 12:16 ubootbin.img
-rw-rw-r-- 1 build build   131072 mei 26 12:16 ubootenv.img
-rw-rw-r-- 1 build build      674 mei 26 12:16 ubootenv.txt
-rw-rw-r-- 1 build build  1953688 mei 26 12:16 uimage.bin
-rw-rw-r-- 1 build build  3145728 mei 26 12:16 uimage.img
-rw-rw-r-- 1 build build  6760928 mei 26 12:16 waveform.bin
-rw-rw-r-- 1 build build 17825808 mei 26 12:16 waveform.img
-rw-rw-r-- 1 build build  1953624 mei 26 12:16 zimage.bin
build@build:~$

Packing...
Code:
./kbpack.sh boot.img hwconfig=hwconfig.bin uimage=uimage.bin mbr=mbr.img waveform=waveform.bin

Kobo Boot Image Packer v0.1b (c) April 2019 GPLv2 by BloodRagg

Building Image
  adding: hwconfig.bin (hwconfig)
  adding: uimage.bin (uimage)
  adding: mbr.img (mbr)
  adding: waveform.bin (waveform)
Done.

Imagefile: boot.img
build@build:~$

Enjoy,
BloodRagg

Disclaimer:
This shell script is provided as is without any guarantees or warranty. In
association with the product, I make no warranties or responsibility of any
kind, either express or implied, including but not limited to warranties of
merchantability, fitness for a particular purpose, of title, or of
noninfringement of third party rights. Use of the product by a user is at
the user’s risk.
Attached Files
File Type: zip kbtools_v0.1b.zip (3.1 KB, 197 views)
File Type: zip kbtools_v0.1c.zip (3.3 KB, 238 views)

Last edited by BloodRagg; 05-31-2019 at 09:35 AM. Reason: Updated to new version v1.0c
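
The boot-image map in the post, turned into a region carver (an added example, not part of the original post and not the code from kbtools). The function names `kb_region` and `kb_carve` are hypothetical, and grouping each 16-byte size slot with the region that follows it is an inference from the file sizes in the `ls -l` listing (523248, 3072, 3145712 and 17825808 bytes), not something the post states.

```shell
#!/bin/sh
# Region starts taken from the post's boot-image map. Assumption: each
# 16-byte "size" slot (0x7fff0, 0x80bf0, 0x6ffff0) is carved together with
# the region that follows it, which reproduces the sizes in the listing.
KB_MAP="mbr:0x0 serial:0x200 ubootbin:0x400 hwconfig:0x7fff0 fw:0x80bf0
dtb:0xa0c00 ubootenv:0xc0000 data1:0xe0000 data2:0xf0000 uimage:0x100000
initrd:0x400000 waveform:0x6ffff0"

# kb_region NAME IMAGE_END  ->  prints "OFFSET LENGTH" in decimal bytes.
# IMAGE_END is 0x980000 (Aura HD) or 0x1800000 (Aura H2O) per the post.
kb_region() {
    want=$1; end=$2; start=""
    for entry in $KB_MAP; do
        name=${entry%%:*}; off=${entry#*:}
        if [ -n "$start" ]; then          # entry right after the match
            echo "$(($start)) $(($off - $start))"
            return 0
        fi
        if [ "$name" = "$want" ]; then start=$off; fi
    done
    [ -n "$start" ] || return 1           # unknown region name
    echo "$(($start)) $(($end - $start))" # last region runs to image end
}

# kb_carve IMAGE NAME OUT IMAGE_END  ->  copies one region into OUT.
kb_carve() {
    span=$(kb_region "$2" "$4") || return 1
    off=${span% *}; len=${span#* }
    size=$(($(wc -c < "$1")))
    # Refuse to read past the end of a truncated or wrong-model dump.
    if [ $((off + len)) -gt "$size" ]; then
        echo "image too short for region $2" >&2
        return 1
    fi
    # Every offset in the map is a multiple of 16, so 16-byte blocks are exact.
    dd if="$1" of="$3" bs=16 skip=$((off / 16)) count=$((len / 16)) 2>/dev/null
}

# Stand-alone use: sh kbcarve.sh boot.img hwconfig hwconfig.img 0x980000
if [ "$#" -eq 4 ]; then kb_carve "$@"; fi
```

The length check matters when a dump was taken with the wrong device size: carving `waveform` with the Aura H2O end offset from a 9.5 MiB image is rejected instead of silently producing a short file.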