Reverse Engineering Linux Kernel Image and Modules

I have switched my mind from doing the kernel porting to some other activities, which is reverse engineering ARM binaries for the Symbian platform. When just starting, I thought to myself: why don't I try to reverse engineer the original Agestar firmware, and maybe I can complete some drivers for the STAR STR9100. So I did, and I got the watchdog function to work (at least I think it works).

zImage and bootpImage are compressed kernel images; the compression is gzip (method 8, deflate). The easiest way to decompress one is to feed it to gunzip. I just searched the kernel image for the byte sequence 1f 8b 08 and cut the file at that offset using khexedit. You don't have to find where the compressed data ends, because gunzip ignores trailing garbage.
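The same carving step done in code, as an added example (not the author's tooling, and the image it works on is a constructed stand-in, not the Agestar firmware): scan for the 1f 8b 08 magic, try to inflate at each hit, and treat hits that fail the gzip header or deflate checks as chance occurrences of those three bytes. Like gunzip, it leaves trailing bytes alone, but it also reports where the member ended, which is handy for locating whatever follows the kernel in the image.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # ID1 = 0x1f, ID2 = 0x8b, CM = 8 (deflate)


def find_gzip_offsets(data: bytes) -> list:
    """Return every offset at which the three-byte gzip magic occurs."""
    offsets, start = [], 0
    while (i := data.find(GZIP_MAGIC, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def try_decompress(data: bytes, offset: int):
    """Inflate the gzip member that starts at `offset`.

    Returns (payload, end_offset) on success, or None when the bytes at
    `offset` merely look like a header (a chance hit) or the stream is
    truncated. Bytes after the member's trailer are ignored, the same
    leniency gunzip shows toward trailing garbage.
    """
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # gzip framing only
    try:
        payload = inflater.decompress(data[offset:])
    except zlib.error:
        return None  # unknown header flags, corrupt deflate block, ...
    if not inflater.eof:
        return None  # input ran out before the CRC32/ISIZE trailer
    end = len(data) - len(inflater.unused_data)
    return payload, end


def carve_kernel(image: bytes):
    """Scan a zImage/bootpImage-style blob and return the first valid member."""
    for off in find_gzip_offsets(image):
        result = try_decompress(image, off)
        if result is not None:
            payload, end = result
            return {"offset": off, "end": end, "payload": payload}
    return None


# --- constructed sample image (not a real firmware) ------------------------
FAKE_KERNEL = b"Linux version 2.6.x (constructed sample)\n" + bytes(range(256)) * 8
IMAGE = (
    b"\x10\x1f\x8b\x08\xe0" + b"\x00" * 59  # 64-byte "decompressor stub" with a
                                            # decoy magic at offset 1; its FLG
                                            # byte has reserved bits set, so
                                            # inflate rejects it
    + gzip.compress(FAKE_KERNEL)            # the real member, at offset 64
    + b"\xff" * 32                          # trailing padding/garbage
)

if __name__ == "__main__":
    hit = carve_kernel(IMAGE)
    print("magic hits at offsets:", find_gzip_offsets(IMAGE))
    print("valid member at 0x%x..0x%x, %d bytes inflated"
          % (hit["offset"], hit["end"], len(hit["payload"])))
```

On a real image, replace `IMAGE` with the file contents read in binary mode; a `None` from `carve_kernel` means every magic hit was either a false positive or a truncated stream, which is worth knowing before you start disassembling what gunzip happened to emit.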

The kernel contains symbols used for linking when modules are loaded dynamically. You can see these symbols and their addresses by reading /proc/kallsyms. Other information from /proc can also be useful in reverse engineering; for example, you can read /proc/irq to get the IRQ numbers for devices. Some device drivers create proc entries that expose their state.
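A small helper for using that symbol table while reading disassembly, added here as an example (not the author's code; the kallsyms excerpt is constructed, and the `my_wdt` module and its symbols are invented). It parses /proc/kallsyms lines, resolves an arbitrary address to the nearest preceding symbol plus offset, and lists the symbols belonging to one loaded module. One caveat it checks for: on kernels that honour kptr_restrict, an unprivileged read of /proc/kallsyms shows every address as zero, so the parser refuses a table that is all zeros instead of silently resolving everything to the first symbol.

```python
import bisect

# Constructed /proc/kallsyms excerpt (addresses and names are invented, not
# taken from any real kernel or from the STR9100 firmware).
SAMPLE_KALLSYMS = """\
c0008000 T stext
c0008040 t __create_page_tables
c0010000 T asm_do_IRQ
c0010120 T do_IRQ
c0123000 D irq_desc
bf000000 t my_wdt_ping\t[my_wdt]
bf000080 T init_module\t[my_wdt]
"""


def parse_kallsyms(text: str) -> list:
    """Parse kallsyms lines into (addr, type, name, module) tuples sorted by addr."""
    syms = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        addr, typ, name = int(parts[0], 16), parts[1], parts[2]
        module = parts[3].strip("[]") if len(parts) > 3 else None
        syms.append((addr, typ, name, module))
    if syms and all(s[0] == 0 for s in syms):
        # kptr_restrict (or an unprivileged reader) masks every address as 0
        raise ValueError("kallsyms addresses are masked; read as root or lower kptr_restrict")
    syms.sort()
    return syms


def resolve(syms: list, addr: int):
    """Map an address (e.g. a branch target seen in a disassembly) to symbol+offset."""
    addrs = [s[0] for s in syms]
    i = bisect.bisect_right(addrs, addr) - 1
    if i < 0:
        return None  # below the lowest known symbol
    base, _typ, name, module = syms[i]
    return name, addr - base, module


def global_symbols(syms: list) -> list:
    """Global symbols (uppercase type, as in nm); exported ones are a subset."""
    return [name for _addr, typ, name, _mod in syms if typ.isupper()]


def module_symbols(syms: list, module: str) -> list:
    """(name, addr) pairs for the symbols that belong to one loaded module."""
    return [(name, addr) for addr, _typ, name, mod in syms if mod == module]


if __name__ == "__main__":
    table = parse_kallsyms(SAMPLE_KALLSYMS)
    for target in (0xC0010130, 0xBF000010):
        name, off, mod = resolve(table, target)
        print("0x%08x -> %s+0x%x%s" % (target, name, off, " [%s]" % mod if mod else ""))
    print("my_wdt symbols:", module_symbols(table, "my_wdt"))
```

To use it on a live system, pass the contents of /proc/kallsyms to `parse_kallsyms`; symbols from an already-loaded vendor module appear with the module name in brackets, which is how you tell whether a driver is built in or loadable before you go looking for a .ko to disassemble.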

Reverse engineering dynamic/loadable modules (.o/.ko) is a bit easier than built-in modules. The code is more isolated, and it has clear names (init_module, exit_module, etc.). The interface for each kind of module is usually clear (for example, an RTC driver must provide rtc_open, etc.), so reverse engineering simple modules is quite easy.

And of course the kernel source code is very helpful for understanding the code flow. A human can easily follow the assembly by comparing it with the kernel source. Unfortunately this process cannot yet be done automatically. If it could, I think many people could quickly reverse engineer Linux kernels on devices where the vendor does not provide the source code.

5 thoughts on “Reverse Engineering Linux Kernel Image and Modules”

  1. I will try those. This is the second time I came across your link through Google and found a reply to my original post. Google rocks!

    Thank you!

  2. I never thought of reverse engineering a .ko when I got unresolved symbols after loading the driver in a different kernel version.

    Thanks for the info
