bxxt is another wheel designed for noob author's needs. now it can only run in the android host, it means you can only run this tool in the phone or emulator (not your computer)
feature:
-
run perfectly in twrp environment
-
pack/unpack boot.img (may be also recovery.img)
include any device tree in the boot.img, it will decompile it and show you the plain text. and also decompressed kernel.
-
edit/inject selinux/sepolicy
-
patch binary file
the bad news is it only support android 6.0 - 10.0, may be support android 11 (depends on the boot.img version).
sorry about my code style, it may hard to read.
easy and simple, but you need to download android-ndk-r20b first.
$ cd /path/to/bxxt;
$ /path/to/android-ndk-r20b/build/ndk-build -j 8;
...
$ ls -l libs/*- unpack boot.img
$ # create an empty output directory first
$ mkdir out
$ bxxt boot -i boot.img -o out/- unpacked boot.img structure
$
$ # there's may be some dt.dts-xx files, means as same as kernel.dts-xx
$ ls /path/to/out
-rw-rw-rw- 1 0 0 738 Mar 27 10:31 METADATA # meta data
-rw------- 1 0 0 39450632 Mar 27 10:31 kernel # decompressed linux kernel
-rw-rw-rw- 1 0 0 624384 Mar 27 10:31 kernel.dts-00 # device tree (plain text, you can modify it)
-rw-rw-rw- 1 0 0 633469 Mar 27 10:31 kernel.dts-01
-rw-rw-rw- 1 0 0 624449 Mar 27 10:31 kernel.dts-02
drwxr-xr-x 9 0 0 4096 Mar 27 10:31 ramdisk # ramdisk directory
-rw-r--r-- 1 0 0 0 Mar 26 18:02 recovery_dtbo # recovery_dtbo file
-rw-r--r-- 1 0 0 0 Mar 26 18:02 second # second file
$
$ ls /path/to/out/ramdisk
drwxr-xr-x 2 0 0 4096 Jan 1 1970 apex
drwxr-xr-x 2 0 0 4096 Jan 1 1970 debug_ramdisk
drwxr-xr-x 2 0 0 4096 Jan 1 1970 dev
-rwxr-x--- 1 0 0 1891328 Jan 1 1970 init
drwxr-xr-x 2 0 0 4096 Jan 1 1970 mnt
drwxr-xr-x 2 0 0 4096 Jan 1 1970 proc
drwxr-xr-x 2 0 0 4096 Jan 1 1970 sys
-rw-r--r-- 1 0 0 524 Jan 1 1970 verity_key
$
$ # you can modify any lines in METADATA except marked as `DO NOT MODIFY` below
$ cat /path/to/out/METADATA
bxxt.kernel_addr=8000
bxxt.ramdisk_addr=1000000
bxxt.second_addr=f00000
bxxt.tags_addr=100
bxxt.dtb_addr=0
bxxt.recovery_dtbo_offset=0
bxxt.name=
bxxt.cmdline=androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x37
bxxt.extra_cmdline=
bxxt.kernel_compression=1 # ! DO NOT MODIFY
bxxt.header_version=0 # ! DO NOT MODIFY
bxxt.os_version=14000144
bxxt.header_size=0 # ! DO NOT MODIFY
bxxt.page_size=1000
bxxt.kernel_size=14890c7 # ! DO NOT MODIFY
bxxt.ramdisk_size=c5302 # ! DO NOT MODIFY
bxxt.second_size=0 # ! DO NOT MODIFY
bxxt.recovery_dtbo_size=0 # ! DO NOT MODIFY
bxxt.dtb_size=0 # ! DO NOT MODIFY
$
$ # decompiled dts file (if exist), you can also modify it
$ head /path/to/out/kernel.dts-00
/dts-v1/;
/ {
#address-cells = <0x2>;
#size-cells = <0x2>;
model = "Qualcomm Technologies, Inc. MSM 8998 v2.1 MTP";
compatible = "qcom,msm8998-mtp", "qcom,msm8998", "qcom,mtp";
$- pack boot.img
$ bxxt -i out/ -o boot_modified.img- patch binary
$ # @ means AT, @offset:size=to_byte_seq, the max `size` is 8
$ # that to_byte_seq is what you see in any hex editor
$ # if hex editor shows 00000000: 0A 0B 0C 0D 11 22 33 44
$ # and you want to modify 0A 0B to CC EE, just use
$ bxxt patch @00000000:2=ccee /path/to/binary/file
$ # or if you want the whole `0A 0B 0C 0D 11 22 33 44` to `01 02 03 04 05 06 07 08`
$ # use
$ bxxt patch @00000000:8=0102030405060708 /path/to/binary/file
$
$ # disable vbmeta verification example
$ bxxt patch @00000078:4=00000002 /dev/block/by-name/vbmeta_a- sepolicy modify, inject
remember to use single quote to wrap around the -s parameter.
modify sepolicy file
$ # input (-i) and output (-o) file can be the same
$ bxxt sepol -s 'create deltaforce' -i /path/to/sepolicy -o /path/to/out/sepolicylive mode (running system)
$ # live mode example
$ bxxt sepol -s 'create deltaforce' -lall supported commands (-s)
create aaaa
permissive aaaa
enforce aaaa
allow aaaa bbbb:file *
disallow aaaa bbbb:file *
allow aaaa bbbb:file open
disallow aaaa bbbb:file opensee COPYING under the source root.