find base memory address for boot image

Here are some notes on how to find the base address for the boot image:

Check the bottom for the easier way 🙂

Read it from the kernel config

Basically you need to read /proc/config.gz (adb pull /proc/config.gz) from a running kernel, or use extract-ikconfig to extract the config from a kernel image:

  • Unpack the Linux kernel sources (kernel-3.8.XX-src.tar.gz):
  • tar xvfz kernel-3.8.XX-src.tar.gz
  • Run chmod 755 ./scripts/extract-ikconfig
  • Run ./scripts/extract-ikconfig /tmp/zImage > /tmp/config

Then open /tmp/config in a text editor and look for CONFIG_PHYS_OFFSET.

This is because in “arch/arm/mach-msm/include/mach/memory.h” it is defined like this:

/* physical offset of RAM */
#define PLAT_PHYS_OFFSET UL(CONFIG_PHYS_OFFSET)

or it could be something like this:

#ifndef PHYS_OFFSET
#ifdef PLAT_PHYS_OFFSET
#define PHYS_OFFSET     PLAT_PHYS_OFFSET
#else
#define PHYS_OFFSET     UL(CONFIG_PHYS_OFFSET)
#endif
#endif

or this:

#ifndef PHYS_OFFSET
#define PHYS_OFFSET             UL(CONFIG_DRAM_BASE)
#endif

So you need to check your memory.h to be sure which config symbol is used.

From /proc/iomem

Run “adb shell cat /proc/iomem”.

Read the start address of the first “System RAM” entry, the one listed just before “Kernel code”.

Example for Nexus 4

shell@android:/ $ cat /proc/iomem
cat /proc/iomem
00500000-00500fff : msm_ssbi.0
00700000-007060ff : hdmi_msm_qfprom_addr
008003e0-008003e7 : i2c_mux_rw
008003e0-008003e7 : msm_cam_i2c_mux
0080207c-0080207f : slimbus_slew_reg
0080207c-0080207f : msm_slim_ctrl
008020b8-008020bb : i2c_mux_ctl
008020b8-008020bb : msm_cam_i2c_mux
00a40000-00a40fff : msm_ebi_erp.0
00c00000-00c00fff : msm_ssbi.1
00d40000-00d40fff : msm_ebi_erp.1
01a01000-01a01fff : coresight-etb.0
01a03000-01a03fff : coresight-tpiu.0
01a04000-01a04fff : coresight-funnel.0
01a1c000-01a1cfff : coresight-etm.0
01a1d000-01a1dfff : coresight-etm.1
01a1e000-01a1efff : coresight-etm.2
01a1f000-01a1ffff : coresight-etm.3
03000000-0327ffff : wcnss_mmio
03204000-032040ff : pil_riva
04300000-0431ffff : kgsl_3d0_reg_memory
04300000-0431ffff : kgsl-3d0
04400000-044fffff : msm_vidc.0
04500000-045fffff : vfe32
04500000-045fffff : msm_vfe
04600000-046fffff : msm_gemini.0
04700000-047effff : mipi_dsi
04800000-048003ff : csid
04800000-048003ff : msm_csid
04800400-048007ff : csid
04800400-048007ff : msm_csid
04800800-04800bff : ispif
04800800-04800bff : msm_ispif
04800c00-04800fff : csiphy
04800c00-04800fff : msm_csiphy
04801000-048013ff : csiphy
04801000-048013ff : msm_csiphy
04a00000-04a00fff : hdmi_msm_hdmi_addr
04e00000-04efffff : msm_rotator.0
05100000-051effff : mdp
05300000-053fffff : vpe
05300000-053fffff : msm_vpe
07200000-072fffff : physbase
07200000-072fffff : physbase
07300000-073fffff : physbase
07300000-073fffff : physbase
07400000-074fffff : physbase
07400000-074fffff : physbase
07500000-075fffff : physbase
07500000-075fffff : physbase
07600000-076fffff : physbase
07600000-076fffff : physbase
07700000-077fffff : physbase
07700000-077fffff : physbase
07800000-078fffff : physbase
07800000-078fffff : physbase
07900000-079fffff : physbase
07900000-079fffff : physbase
07a00000-07afffff : physbase
07a00000-07afffff : physbase
07b00000-07bfffff : physbase
07b00000-07bfffff : physbase
07c00000-07cfffff : physbase
07c00000-07cfffff : physbase
07d00000-07dfffff : physbase
07d00000-07dfffff : physbase
10000000-100000ff : pil_gss
10008000-100080ff : pil_gss
12080000-12081fff : ppss_reg
12240000-12240fff : bamdma_dma
12244000-12247fff : bamdma_bam
12400000-124007ff : core_mem
12400800-12401fff : dml_mem
12402000-12403fff : bam_mem
12440000-12440003 : gsbi_qup_i2c_addr
12460000-12460fff : qup_phys_addr
12460000-12460fff : qup_i2c
12500000-12500fff : msm_hsusb_host
12500000-12500fff : msm_hsusb
12500000-12500fff : msm_otg
12510000-12510fff :
12800000-12803fff : pipe_mem
16200000-16200003 : gsbi_qup_i2c_addr
16200000-16200003 : qup_i2c
16280000-16280fff : qup_phys_addr
16280000-16280fff : qup_i2c
16300000-16300fff : gsbi_resource
16300000-16300003 : gsbi_qup_i2c_addr
16340000-16340fff : uartdm_resource
16340000-16340fff : msm_serial_hsl
16380000-16380fff : qup_phys_addr
16380000-16380fff : qup_i2c
18320000-1841ffff : msm_dmov
1a500000-1a5001ff : msm_rng.0
28080000-28081fff : slimbus_physical
28080000-28081fff : msm_slim_ctrl
28084000-28085fff : slimbus_bam_physical
28084000-28085fff : msm_slim_ctrl
28800000-288000ff : pil_qdsp6v4.0
2a03f720-2a04071f : tz_log.0
80200000-887fffff : System RAM
80208000-80d8fdd7 : Kernel code
80f04000-8128f133 : Kernel data
89000000-8d9fffff : System RAM
8f700000-8fdfffff : System RAM
8ff00000-8fffffff : System RAM
90100000-9fdfffff : System RAM
a3900000-fe9fefff : System RAM
shell@android:/ $
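
An added example (not part of the original post) that automates the /proc/iomem reading: it returns the start of the “System RAM” range that contains “Kernel code”, whether or not the listing is indented. The sample input is constructed from lines of the listing above, and the function names are hypothetical.

```python
import re

# Constructed sample: a few lines in the format of the Nexus 4 listing above.
SAMPLE_IOMEM = """\
2a03f720-2a04071f : tz_log.0
80200000-887fffff : System RAM
  80208000-80d8fdd7 : Kernel code
  80f04000-8128f133 : Kernel data
89000000-8d9fffff : System RAM
"""

LINE_RE = re.compile(r"^\s*([0-9a-fA-F]+)-([0-9a-fA-F]+)\s*:\s*(.*)$")


def parse_iomem(text):
    """Return (start, end, name) tuples; lines that do not match are skipped."""
    regions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3).strip()))
    return regions


def ram_base(text):
    """Start of the "System RAM" range that contains "Kernel code"."""
    regions = parse_iomem(text)
    kernel = [r for r in regions if r[2] == "Kernel code"]
    if not kernel:
        raise ValueError("no 'Kernel code' entry found")
    kstart, kend, _ = kernel[0]
    if kstart == 0 and kend == 0:
        # Newer kernels print zeroed addresses to unprivileged readers.
        raise PermissionError("addresses are zeroed; read /proc/iomem as root")
    for start, end, name in regions:
        if name == "System RAM" and start <= kstart and kend <= end:
            return start
    raise ValueError("'Kernel code' is not inside any 'System RAM' range")


if __name__ == "__main__":
    print(hex(ram_base(SAMPLE_IOMEM)))
```

To use it on a device, save the output of “adb shell cat /proc/iomem” to a file and pass the file's contents to ram_base().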
