I have switched my mind from doing the kernel porting to some other activities, which is reverse engineering ARM binaries for Symbian platform. When just starting, I thought to my self: why don’t I try to reverse engineer the original Agestar firmware, and may be I can complete some drivers for STAR STR9100. So I did, and I can get the watchdog function to work (at least I think it works).
zImage and bootpImage are compressed kernel image, this is compressed by using GZip method 8. The easiest way to decompress it is to give it to gunzip. I just searched the kernel image for the sequence 1f 8b 08, and cut it using khexedit. You don’t have to find where the compressed data ends, gunzip will ignore trailing garbage.
The kernel contains some symbols for linking on dynamic module loading. You can see these symbols and their address by reading /proc/kallsyms. Some other information from /proc can be useful in reverse engineering for example you can read /proc/irq to get the irq number for devices. Some other device drivers creates a proc entries that contain their state.
Reverse engineering dynamic/loadable modules (.o/.ko) are a bit easier than built in modules. The code is more isolated, and it has clear names (init_module, exit_module, etc). The interface for different kind of modules is usually clear (for example an rtc driver must provide rtc_open, etc), so reverse engineering simple modules is quite easy.
And of course the source code of the kernel is very helpful to understand the code flow. Human can easily follow the assembly code by comparing it to the kernel source. Unfortunately this process can not yet be done automatically. If it can, I think many people can quickly reverse engineer Linux kernels on devices where the source code is not given by the vendor.