Anatomy of the initrd and vmlinuz
mhhaque 2700012HF4 Visits (14664)
vmlinuz is the name of the Linux kernel executable. vmlinuz is a compressed Linux kernel, and it is capable of loading the operating system into memory so that the computer becomes usable and application programs can be run.
vmlinuz = Virtual Memory LINUx gZip = Compressed Linux kernel Executable
vmlinux = Virtual Memory LINUX = Non-compressed Linux Kernel Executable
At the head of this kernel image (vmlinuz) is a routine that does some minimal amount of hardware setup and then decompresses the kernel contained within the kernel image and places it into high memory. If an initial RAM disk image (initrd) is present, this routine moves it into memory (or we can say extract the compressed ramdisk image in to the real memory) and notes it for later use. The routine then calls the kernel and the kernel boot begins.
The initial RAM disk (initrd) is an initial root file system that is mounted prior to when the real rootfile system is available. The initrd is bound to the kernel and loaded as part of the kernel boot procedure. The kernel then mounts this initrd as part of the two-stage boot process to load the modules to make the real file systems available and get at the real root file system.
The initrd contains a minimal set of directories and executables to achieve this, such as the insmod tool to install kernel modules into the kernel.
Anatomy of the initrd:
The initrd image contains the necessary executables and system files to support the second-stageboot of a Linux system. Let see what inside the initrd image file:
Copy initrd image file into test directory & rename it as zip file & unzip that file.
Extract the uncompress initrd image file using cpio command:
Now you will have all the directory structure in the test directory looks like a root (/) file system.
Anatomy of the vmlinuz:
The vmlinuz itself is an executable binary file. Here we use readelf & objdump command to display information about BFD library, Object Header info etc.
The vmlinuz file contains other things besides the gzipped content, so you need to find out where the gzipped content starts. To do that, use:
We are looking for 1f 8b 08 00, which can be found from character 12 onwards, or, at 0013920 + 12 (start counting from 0) = 13932.
Now that we know where the gzipped content starts (at position 13932) you can use dd to extract that gzipped content and ungzip it.
Using readelf & objdump command: