1 change: 1 addition & 0 deletions .gitattributes
revert this

Okay

@@ -1,3 +1,4 @@
subprojects/rizin-shell-parser/src/grammar.json linguist-generated=true
subprojects/rizin-shell-parser/src/node-types.json linguist-generated=true
subprojects/rizin-shell-parser/src/parser.c linguist-generated=true
test/db/formats/* text eol=lf
151 changes: 107 additions & 44 deletions librz/bin/p/bin_bootimg.c
Expand Up @@ -6,7 +6,6 @@
#include <rz_lib.h>
#include <rz_bin.h>

typedef struct boot_img_hdr BootImage;

#define BOOT_MAGIC "ANDROID!"
#define BOOT_MAGIC_SIZE 8
Expand All @@ -17,62 +16,126 @@ typedef struct boot_img_hdr BootImage;
#define ADD_REMAINDER(val, aln) ((val) + ((aln) != 0 ? ((val) % (aln)) : 0))
#define ROUND_DOWN(val, aln) ((aln) != 0 ? (((val) / (aln)) * (aln)) : (val))

RZ_PACKED(
struct boot_img_hdr {
ut8 magic[BOOT_MAGIC_SIZE];
typedef struct boot_img_hdr {
ut8 magic[BOOT_MAGIC_SIZE];

ut32 kernel_size; /* size in bytes */
ut32 kernel_addr; /* physical load addr */
ut32 kernel_size;
ut32 kernel_addr;

ut32 ramdisk_size; /* size in bytes */
ut32 ramdisk_addr; /* physical load addr */
ut32 ramdisk_size;
ut32 ramdisk_addr;

ut32 second_size; /* size in bytes */
ut32 second_addr; /* physical load addr */
ut32 second_size;
ut32 second_addr;

ut32 tags_addr; /* physical addr for kernel tags */
ut32 page_size; /* flash page size we assume */
ut32 unused[2]; /* future expansion: should be 0 */
ut8 name[BOOT_NAME_SIZE]; /* asciiz product name */
ut8 cmdline[BOOT_ARGS_SIZE];
ut32 id[8]; /* timestamp / checksum / sha1 / etc */
ut32 tags_addr;
ut32 page_size;
ut32 unused[2];
ut8 name[BOOT_NAME_SIZE];
ut8 cmdline[BOOT_ARGS_SIZE];
ut32 id[8];

ut8 extra_cmdline[BOOT_EXTRA_ARGS_SIZE];
} BootImage;

/* Supplemental command line data; kept here to maintain
* binary compatibility with older versions of mkbootimg */
ut8 extra_cmdline[BOOT_EXTRA_ARGS_SIZE];
});

typedef struct {
Sdb *kv;
BootImage bi;
RzBuffer *buf;
} BootImageObj;


static int bootimg_header_load(BootImageObj *obj, Sdb *db) {
char *n;
int i;
if (rz_buf_size(obj->buf) < sizeof(BootImage)) {
return false;
}
// TODO make it endian-safe (void)rz_buf_fread_at (buf, 0, (ut8*)bi, "IIiiiiiiiiiiii", 1);
BootImage *bi = &obj->bi;
(void)rz_buf_read_at(obj->buf, 0, (ut8 *)bi, sizeof(BootImage));
if ((n = rz_str_ndup((char *)bi->name, BOOT_NAME_SIZE))) {
sdb_set(db, "name", n);
free(n);
}
if ((n = rz_str_ndup((char *)bi->cmdline, BOOT_ARGS_SIZE))) {
sdb_set(db, "cmdline", n);
free(n);
}
for (i = 0; i < 8; i++) {
sdb_num_set(db, "id", (ut64)bi->id[i]);
}
if ((n = rz_str_ndup((char *)bi->extra_cmdline, BOOT_EXTRA_ARGS_SIZE))) {
sdb_set(db, "extra_cmdline", n);
free(n);
}
return true;
char *n = NULL;
int i = 0;
BootImage *bi = &obj->bi;
ut64 offset = 0;

// Read magic
if (!rz_buf_read_offset(obj->buf, &offset, bi->magic, BOOT_MAGIC_SIZE)) {
return false;
}
if (memcmp(bi->magic, BOOT_MAGIC, BOOT_MAGIC_SIZE)) {
return false;
}

// Read all 32-bit header fields (little-endian)
if (!rz_buf_read_le32_offset(obj->buf, &offset, &bi->kernel_size)) {
return false;
}
if (!rz_buf_read_le32_offset(obj->buf, &offset, &bi->kernel_addr)) {
return false;
}

if (!rz_buf_read_le32_offset(obj->buf, &offset, &bi->ramdisk_size)) {
return false;
}
if (!rz_buf_read_le32_offset(obj->buf, &offset, &bi->ramdisk_addr)) {
return false;
}

if (!rz_buf_read_le32_offset(obj->buf, &offset, &bi->second_size)) {
return false;
}
if (!rz_buf_read_le32_offset(obj->buf, &offset, &bi->second_addr)) {
return false;
}

if (!rz_buf_read_le32_offset(obj->buf, &offset, &bi->tags_addr)) {
return false;
}
if (!rz_buf_read_le32_offset(obj->buf, &offset, &bi->page_size)) {
return false;
}

if (!rz_buf_read_le32_offset(obj->buf, &offset, &bi->unused[0])) {
return false;
}
if (!rz_buf_read_le32_offset(obj->buf, &offset, &bi->unused[1])) {
return false;
}

// Read strings/arrays
if (!rz_buf_read_offset(obj->buf, &offset, bi->name, BOOT_NAME_SIZE)) {
return false;
}
if (!rz_buf_read_offset(obj->buf, &offset, bi->cmdline, BOOT_ARGS_SIZE)) {
return false;
}

for (i = 0; i < 8; i++) {
if (!rz_buf_read_le32_offset(obj->buf, &offset, &bi->id[i])) {
return false;
}
}

if (!rz_buf_read_offset(obj->buf, &offset, bi->extra_cmdline, BOOT_EXTRA_ARGS_SIZE)) {
return false;
}
create a function. check the issue.

Okay


// Fill SDB
if ((n = rz_str_ndup((char *)bi->name, BOOT_NAME_SIZE))) {
sdb_set(db, "name", n);
free(n);
}
if ((n = rz_str_ndup((char *)bi->cmdline, BOOT_ARGS_SIZE))) {
sdb_set(db, "cmdline", n);
free(n);
}
this is a terrible idea if you don't sanitize the values.

Understood, I'll try a different approach.


for (i = 0; i < 8; i++) {
char key[16];
snprintf(key, sizeof(key), "id.%d", i);
@wargio wargio Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
snprintf(key, sizeof(key), "id.%d", i);
rz_strf(key, "id.%d", i);

sdb_num_set(db, key, (ut64)bi->id[i]);
}

if ((n = rz_str_ndup((char *)bi->extra_cmdline, BOOT_EXTRA_ARGS_SIZE))) {
sdb_set(db, "extra_cmdline", n);
free(n);
}

return true;
}

static Sdb *get_sdb(RzBinFile *bf) {
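Review bot: The rewritten `typedef struct boot_img_hdr {` … `} BootImage;` at the top of the second hunk drops every field comment the old packed definition carried, so a reader no longer learns that the `_size` fields are byte counts, the `_addr` fields physical load addresses, or that `unused[2]` is reserved; I would restore them, e.g. `ut32 kernel_size; /* size in bytes */`, `ut32 kernel_addr; /* physical load addr */`, `ut32 unused[2]; /* future expansion: should be 0 */`, along with the asciiz note on `name` and the mkbootimg-compatibility note on `extra_cmdline`. bootimg_header_load likewise gained a magic check and per-field little-endian reads but no header comment; a short one would do: `/* Parse the boot image header at offset 0 of obj->buf into obj->bi (little-endian fields) and mirror name/cmdline/id/extra_cmdline into db; returns false on a short read or magic mismatch, leaving obj->bi partially filled. */`. Removing RZ_PACKED is harmless for the field-by-field reads, but if sizeof(BootImage) is still used elsewhere in the file (the removed size guard used it) its value now depends on natural alignment; with the field order shown it looks padding-free, which a static assertion or a one-line comment on the typedef would pin down rather than leave implicit.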
Binary file added test/db/bins/bootimg/android_boot_min.img
there is a dedicated repo for this (check tests/README.md). also, where does this file come from?

Okay, let me try a different approach.

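--- /dev/null
+++ b/test/db/formats/bootimg
@@ -0,0 +1,11 @@
+NAME=BOOTIMG: minimal - info + header section
+FILE=db/bins/bootimg/android_boot_min.img
+CMDS=<<EOF
+iI~bintype
+iS~header
+EOF
+EXPECT=<<EOF
+bintype image
+0x00000000 0x660 0x00000000 0x1000 0x0 -r-- header
+EOF
+RUN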