解包三星刷机包中的system.img(Mac OS版本)
2024-09-28 21:40:18 #Android #Firmware

1. 解压

Samfw.com下载的是一个zip,以SAMFW.COM_SM-A217F_TGY_A217FZHSADWI1_fac.zip为例,直接解压能出现以下几个文件:

1
2
3
4
5
6
7
8
9
cxxsheng@XXXXXXXX SAMFW.COM_SM-A217F_TGY_A217FZHSADWI1_fac % ls -l
total 9054208
-rwx------@ 1 cxxsheng  staff  4509010126 Sep 20  2023 AP_A217FZHSADWI1_CL24202344_QB71112077_REV00_user_low_ship_MULTI_CERT_meta_RKEY_OS12.tar.md5
-rwx------@ 1 cxxsheng  staff     5376188 Sep 20  2023 BL_A217FZHSADWI1_CL24202344_QB71112077_REV00_user_low_ship_MULTI_CERT.tar.md5
-rwx------@ 1 cxxsheng  staff    27330760 Sep 20  2023 CP_A217FXXSADWI1_CP24943611_CL24202344_QB70902586_REV00_user_low_ship_MULTI_CERT.tar.md5
-rwx------@ 1 cxxsheng  staff    46069954 Sep 20  2023 CSC_OZS_A217FOZSADWI1_CL24202344_QB71112077_REV00_user_low_ship_MULTI_CERT.tar.md5
-rwx------@ 1 cxxsheng  staff    46059719 Sep 20  2023 HOME_CSC_OZS_A217FOZSADWI1_CL24202344_QB71112077_REV00_user_low_ship_MULTI_CERT.tar.md5
-rwx------@ 1 cxxsheng  staff         719 Feb  7  2022 _FirmwareInfo_Samfw.com.txt
cxxsheng@XXXXXXXX SAMFW.COM_SM-A217F_TGY_A217FZHSADWI1_fac %

继续解压AP_A217FZHSADWI1_CL24202344_QB71112077_REV00_user_low_ship_MULTI_CERT_meta_RKEY_OS12.tar.md5

1
2
3
4
5
6
7
8
9
10
11
12
cxxsheng@XXXXXXXX SAMFW.COM_SM-A217F_TGY_A217FZHSADWI1_fac % tar -xvf AP_A217FZHSADWI1_CL24202344_QB71112077_REV00_user_low_ship_MULTI_CERT_meta_RKEY_OS12.tar.md5
x boot.img.lz4
x recovery.img.lz4
x dtbo.img.lz4
x super.img.lz4
x userdata.img.lz4
x misc.bin.lz4
x vbmeta.img.lz4
x metadata.img.lz4
x vbmeta_samsung.img.lz4
x meta-data/
x meta-data/fota.zip

继续解压super.img.lz4

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
cxxsheng@XXXXXXXX SAMFW.COM_SM-A217F_TGY_A217FZHSADWI1_fac % 7z x super.img.lz4

7-Zip [64] 17.05 : Copyright (c) 1999-2021 Igor Pavlov : 2017-08-28
p7zip Version 17.05 (locale=utf8,Utf16=on,HugeFiles=on,64 bits,8 CPUs x64)

Scanning the drive for archives:
1 file, 3273506624 bytes (3122 MiB)

Extracting archive: super.img.lz4
--
Path = super.img.lz4
Type = lz4

Everything is Ok

Size:       5351957720
Compressed: 3273506624

最后得出来了一个super.img

2. 解包super.img

1
2
3
cxxsheng@XXXXXXXX SAMFW.COM_SM-A217F_TGY_A217FZHSADWI1_fac % file super.img
super.img: Android sparse image, version: 1.0, Total of 1356800 4096-byte output blocks in 101 input chunks.
cxxsheng@XXXXXXXX SAMFW.COM_SM-A217F_TGY_A217FZHSADWI1_fac %

这里需要使用lpunpack.py来解包super.img,可以从GitHub上直接下载

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
cxxsheng@XXXXXXXX SAMFW.COM_SM-A217F_TGY_A217FZHSADWI1_fac % lpunpack.py super.img out/
Sparse image detected.
Process conversion to non sparse image ....[ok]
Extracting partition [system] .... [ok]
Extracting partition [vendor] .... [ok]
Extracting partition [product] .... [ok]
Extracting partition [odm] .... [ok]
cxxsheng@XXXXXXXX SAMFW.COM_SM-A217F_TGY_A217FZHSADWI1_fac % cd out 
cxxsheng@XXXXXXXX out % ls
odm.img		product.img	system.img	vendor.img
cxxsheng@XXXXXXXX out % ls -l
total 10519552
-rwx------  1 cxxsheng  staff     4349952 Sep 27 17:22 odm.img
-rwx------  1 cxxsheng  staff  1065545728 Sep 27 17:22 product.img
-rwx------  1 cxxsheng  staff  3826253824 Sep 27 17:22 system.img
-rwx------  1 cxxsheng  staff   489086976 Sep 27 17:22 vendor.img

得到system.img,并且用file命令查看这个文件信息。

1
2
3
cxxsheng@XXXXXXXX out % file system.img 
system.img: Linux rev 1.0 ext2 filesystem data, UUID=5aceb523-09b9-551f-8359-437ee4e7f7e1 (extents) (large files) (huge files)
cxxsheng@XXXXXXXX out %

可以看到是ext2的文件系统格式,这个系统可以直接用7z解压就行了,如下:

1
7z x system.img

3. F2FS文件系统

有时候file命令查看文件信息是F2FS的文件系统如下:

1
2
3
cxxsheng@XXXXXXXX out % file system.img 
system.img: F2FS filesystem, UUID=2e533b9d-cbfe-4c0c-9726-3e45a77dc44a, volume name "/"
cxxsheng@XXXXXXXX out %

这时候7z就不支持这个格式了,而Linux系统可以直接进行挂载,而Mac OS系统貌似并不支持这个文件格式。于是乎,我想到了是否可以Android模拟器进行mount来操作。赶紧验证下,进入adb shell输入以下命令:

1
2
emu64x:/ $ cat /proc/filesystems | grep f2fs                                   
	f2fs

可以看到模拟器应该是支持f2fs文件格式的,可以进一步实践!

4. 利用模拟器挂载img

首先使用adb push来把system.img压入到/data/local/tmp目录下:

1
adb push system.img /data/local/tmp

然后进入shell并且输入su来获取权限,并尝试用只读到方式挂载system.img

1
2
emulator64_x86_64:/data/local/tmp # mount -ro loop system.img secure_directory/ 
mount: '/dev/block/loop29'->'secure_directory/': I/O error

查看一下错误日志:

1
2
3
4
5
6
7
8
9
10
1|emulator64_x86_64:/data/local/tmp # dmesg | tail                                                           [ 3356.872222] type=1400 audit(1727430971.837:23): avc: denied { read } for comm="loop30" path="/data/local/tmp/system.img" dev="dm-5" ino=65557 scontext=u:r:kernel:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0
[ 3356.873810] Buffer I/O error on dev loop30, logical block 0, async page read
[ 3356.879270] blk_update_request: I/O error, dev loop30, sector 0 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0
[ 3356.879500] type=1400 audit(1727430971.845:24): avc: denied { read } for comm="loop30" path="/data/local/tmp/system.img" dev="dm-5" ino=65557 scontext=u:r:kernel:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0
[ 3356.880869] Buffer I/O error on dev loop30, logical block 0, async page read
[ 3356.885243] loop30: unable to read partition table
[ 3356.885898] loop_reread_partitions: partition scan of loop30 () failed (rc=-5)
[ 3356.948104] blk_update_request: I/O error, dev loop30, sector 2 op 0x0:(READ) flags 0x1000 phys_seg 1 prio class 0
[ 3356.949082] type=1400 audit(1727430971.913:25): avc: denied { read } for comm="loop30" path="/data/local/tmp/system.img" dev="dm-5" ino=65557 scontext=u:r:kernel:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=0
[ 3356.952802] EXT4-fs (loop30): unable to read superblock

仿佛是Selinux的问题,先将其关闭后重新挂载:

1
2
3
4
5
6
7
8
emulator64_x86_64:/data/local/tmp # setenforce 0                                                              emulator64_x86_64:/data/local/tmp # mount -ro loop system.img secure_directory/                              
emulator64_x86_64:/data/local/tmp # ls secure_directory/                                                     acct                carrier        dev                init.environ.rc  oem          product                 sys
apex                config         dpolicy_system     linkerconfig     omr          sdcard                  system
audit_filter_table  d              efs                metadata         optics       second_stage_resources  system_dlkm
bin                 data           etc                mnt              postinstall  sepolicy_version        system_ext
bugreports          data_mirror    init               odm              prism        spu                     vendor
cache               debug_ramdisk  init.container.rc  odm_dlkm         proc         storage                 vendor_dlkm
emulator64_x86_64:/data/local/tmp #

可以看到已经成功了。

Prev
2024-09-28 21:40:18 #Android #Firmware
Next