You can use William Enck’s to split this into a kernel and a ramdisk. If you can dodge the comments questioning your motivation for doing this, Stack Overflow will tell you to use the vmlinux-extract script that comes with the kernel to extract the compressed image. (The system does not behave like a traditional hibernate / restore system; the hibernate image is only recreated if you update the system.) Going back and looking through U-Boot showed the following helpful decoding of the BSP area:

## A Side BSP Information:
Magic Number :0xlx(a55a5aa5: Valid, other: Invalid)
Boot Mode :0xlx(0: Normal, 1: Recovery, 2: Easy Recovery, 3: Re-Easy Recovery, default: Normal)
Launch Mode :0xlx(0: APL, 1: Test Mode.apk, 2: Slave Test Mode, 3: Boot Error, default: APL)
Test Mode Sub-Mode:0xlx(0: Text Mode_A.key,1: Serv Mode,2: Tech Mode,default: Tech Mode)
Bootimage Side :0xlx(0: Side A, 1: Side B, default: Side A)
Recoveryimg Side :0xlx(0: Side A, 1: Side B, default: Side A)
Debug Switch :0xlx(0: OFF, 1: ON, default: OFF)
Usb OTG Switch :0xlx(0: Host, 1: Device, default: Host)
Memchk flag :0xlx(0: No, 1: Yes, default: No)
Warp boot :0xlx(0: Side A, 1: Side B, default: Side A)
Boot Sub-Mode :0xlx(0: Normal, 1: Catch snapshot,2: Warp,default: Normal)
Update flag :0xlx(0: Recovery-Update, 1:uboot update, 2:update, 3:update, 4:update, 5:opening data update, 6: UI update, 7: All image update, 8: TESTMODE_N.
This requires a USB OTG port, something I didn’t have (as noted in my previous post). What I ended up doing was grepping the /system partition for ttymxc to see how the serial ports were used.
I found several hits in libraries in lib/; running strings on each file and grepping for ttymxc showed the following breakdown of port usage: Of these, the one I felt most comfortable hijacking was ttymxc1, the Bluetooth module. warp: save table overflow warp_set_savearea: unsupported alignment kernel/power/warp.c warp: Can't alloc work memory. Warp work area 0x%p-0x%p Warp HD savearea 0x%p-0x%p I suspect this explains why we have – and will not – see an open-source release from Pioneer; I am not a lawyer, but I asked Pioneer for the GPL source for this product and they never responded.
What followed was a bunch of flailing around, grepping for useful things.
If we go back to the original screen, it starts out “CAUTION! Grepping for ‘caution’ produced a wealth of hits in /app: is the way most people would debug a problem like this.
This was getting very strange; the system was ignoring half of the modifications I made to the SD card, and was acting as if it were caching filesystem metadata. Once the power is on, directly restore memory image from snapshot at a burst. （ROM 64K） And area where snapshot of system memory is saved other than a memory area for Root file system. - kernel *Various drivers are implemented to support Suspend/Resume of PM. Nonetheless, good for Pioneer, I hope they continue to do the right thing by releasing all of the rest of the open-source code they are using. – it’s basically a wrapper that loads a raw binary “hibernate driver” blob from flash, and then calls into it with function pointers.
At this point, a friend on IRC looked at my partition map and pointed out that there was no partition covering the first 538MB or so of the SD card. Looking at that unallocated space, I found something that resembled a FAT root directory entry for the following files: Snapshot ID : x Snapshot total size : 0x xx compressed size : 0xxx compressed size : 0xx not supported savearea illegal driver illegal magic no illegal snapshot ID Invalid format version x (require:x) --- Check memory --- --- Write Snapshot --- Snapshot size overflow. By this operation, loads of initiation code loading and memory accessing are greatly reduced and achieve the high speed. Pioneer has released quite a bit of source code at the above URL, including the Linux kernel and Quake (?! It’s really gross but probably equivalent to dynamic linking, so they may be GPL-compliant now.
The system boots off U-Boot (a fairly-heavily modified version of u-boot-imx); it reads an nvram-like region called the BSP that instructs the system to boot one of five included copies of Linux/Android.
One copy is stored in the NOR flash, and boots when the system fails to load anything off the SD card.
Unfortunately, neither it nor any of the other tricks I read about online worked, but Matasano’s blackbag “deezee” utility actually worked to extract the kernel from the image: This indicates that this system is probably derived from Freescale’s Android JB4.2.2_1.0.0 distribution. (Jupiter seems to be the codename for the NEX series, we will see this come up repeatedly.
NX264 is the codename for the AVIC-5000NEX, according to the resistor and silkscreen on the main board.) You can unpack the cpio archive / ramdisk to get the fstab which indicates the correct mountpoints for the ext4 partitions.
I have zero experience reversing Android systems, so I started from scratch here.