# layout of [vendor\_]boot.img
[1. boot.img v0-v2](#1-bootimg-v0-v2)
[2. boot.img v3-v4](#2-bootimg-v3-v4)
[3. vendor_boot.img v3-v4](#3-vendor_bootimg-v3-v4)
[4. signature part](#4-signature-part)
- [4.1 Boot Image Signature](#41-boot-image-signature-vboot-10)
- [4.2 AVB Footer](#42-avb-footer-vboot-20)
[5. boot in memory](#5-boot-in-memory)
## 1. boot.img v0-v2
### header
Value at 0x28 is one of {0x00,0x01,0x02,0x03,0x04}, this filed should be read first to identify header version.
item size in bytes position
+-----------------------------------------------------------+ --> 0
|<MAGIC HEADER> | 8 (value=ANDROID!) |
|--------------------------------+--------------------------| --> 8
|<kernel length> | 4 |
|--------------------------------+--------------------------| --> 12
|<kernel offset> | 4 |
|--------------------------------+--------------------------| --> 16 (0x10)
|<ramdisk length> | 4 |
|--------------------------------+--------------------------| --> 20
|<ramdisk offset> | 4 |
|--------------------------------+--------------------------| --> 24
|<second bootloader length> | 4 |
|--------------------------------+--------------------------| --> 28
|<second bootloader offset> | 4 |
|--------------------------------+--------------------------| --> 32 (0x20)
|<tags offset> | 4 |
|--------------------------------+--------------------------| --> 36
|<page size> | 4 |
|--------------------------------+--------------------------| --> 40 (0x28)
|<header version> | 4 (value in [0,1,2]) |
|--------------------------------+--------------------------| --> 44
|<os version & os patch level> | 4 |
|--------------------------------+--------------------------| --> 48 (0x30)
|<board name> | 16 |
|--------------------------------+--------------------------| --> 64 (0x40)
|<cmdline part 1> | 512 |
|--------------------------------+--------------------------| --> 576 (0x240)
|<hash digest> | 32 |
|--------------------------------+--------------------------| --> 608 (0x260)
|<cmdline part 2> | 1024 |
|--------------------------------+--------------------------| --> 1632 (0x660)
|<recovery dtbo length> [v1] | 4 |
|--------------------------------+--------------------------| --> 1636
|<recovery dtbo offset> [v1] | 8 |
|--------------------------------+--------------------------| --> 1644
|<header size> [v1] | 4 (v1: value=1648) |
| | (v2: value=1660) |
|--------------------------------+--------------------------| --> 1648 (0x670)
|<dtb length> [v2] | 4 |
|--------------------------------+--------------------------| --> 1652
|<dtb offset> [v2] | 8 |
|--------------------------------+--------------------------| --> 1660 (0x67c)
|<padding> | min(n * page_size |
| | - header_size) |
+--------------------------------+--------------------------+ --> pagesize
### data
+-----------------------------------------------------------+ --> pagesize
|<kernel> | kernel length |
|--------------------------------+--------------------------|
|<padding> | min(n * page_size - len) |
+-----------------------------------------------------------+
+-----------------------------------------------------------+
|<ramdisk> | ramdisk length |
|--------------------------------+--------------------------|
|<padding> | min(n * page_size - len) |
+-----------------------------------------------------------+
+-----------------------------------------------------------+
|<second bootloader> | second bootloader length |
|--------------------------------+--------------------------|
|<padding> | min(n * page_size - len) |
+-----------------------------------------------------------+
+-----------------------------------------------------------+
|<recovery dtbo> [v1] | recovery dtbo length |
|--------------------------------+--------------------------|
|<padding> [v1] | min(n * page_size - len) |
+-----------------------------------------------------------+
+-----------------------------------------------------------+
|<dtb> [v2] | dtb length |
|--------------------------------+--------------------------|
|<padding> [v2] | min(n * page_size - len) |
+-----------------------------------------------------------+ --> end of data part
## 2. boot.img v3-v4
For partitions: `/boot`, `/init_boot` or `/recovery`.
### header
item size in bytes position
+-----------------------------------------------------------+ --> 0
|<MAGIC HEADER> | 8 (value=ANDROID!) |
|--------------------------------+--------------------------| --> 8
|<kernel size> | 4 |
|--------------------------------+--------------------------| --> 12
|<ramdisk size> | 4 |
|--------------------------------+--------------------------| --> 16
|<os version & os patch level> | 4 |
|--------------------------------+--------------------------| --> 20
|<header size> | 4 |
|--------------------------------+--------------------------| --> 24
|<reserved> | 4 * 4 |
|--------------------------------+--------------------------| --> 40 (0x28)
|<header version> | 4 (value in [3|4]) |
|--------------------------------+--------------------------| --> 44
|<cmdline> | 1024+512=1536 |
|--------------------------------+--------------------------| --> 1580
|<signature_size> (v4 only) | 4 (values in [4096|0]) |
|--------------------------------+--------------------------| --> 1584
|<padding> | min(n * page_size |
| | - header_size) |
+--------------------------------+--------------------------+ --> pagesize=4096
### data
+-----------------------------------------------------------+ --> pagesize
|<kernel> | kernel length |
+-----------------------------------------------------------+ --> + kernel len
|<ramdisk> | ramdisk length |
+-----------------------------------------------------------+ --> + ramdisk len
|<boot signature> (v4 only) | boot signature length |
| | GKI 1.0 : 4K |
| | GKI 2.0 : 16K |
+--------------------------------+--------------------------+ --> + boot sig len
|<padding> | min(n * page_size - len) |
+-----------------------------------------------------------+
## 3. vendor\_boot.img v3-v4
For partitions: `/vendor_boot` or `/vendor_kernel_boot`.
### header
item size in bytes position
+-----------------------------------------------------------+ --> 0
|<MAGIC HEADER> | 8 (vaue=VNDRBOOT) |
|--------------------------------+--------------------------| --> 8
|<header version> | 4 (value=3) |
|--------------------------------+--------------------------| --> 12
|<page size> | 4 |
|--------------------------------+--------------------------| --> 16
|<kernel load addr> | 4 |
|--------------------------------+--------------------------| --> 20
|<ramdisk load addr> | 4 |
|--------------------------------+--------------------------| --> 24
|<vendor ramdisk total size> | 4 |
|--------------------------------+--------------------------| --> 28
|<vendor cmdline> | 2048 |
|--------------------------------+--------------------------| --> 2076
|<tags offset> | 4 |
|--------------------------------+--------------------------| --> 2080
|<board name> | 16 |
|--------------------------------+--------------------------| --> 2096
|<header size> | 4 (v3: value=2112) |
| | 4 (v4: value=2128) |
|--------------------------------+--------------------------| --> 2100
|<dtb size> | 4 |
|--------------------------------+--------------------------| --> 2104
|<dtb load addr> | 8 |
|--------------------------------+--------------------------| --> 2112
|<vendor ramdisk table size> | 4 (v4 only) |
|--------------------------------+--------------------------| --> 2116
|<vendor ramdisk table entry num>| 4 (v4 only) |
|--------------------------------+--------------------------| --> 2120
|<vendor ramdisk table entry size| 4 (v4 only) |
|--------------------------------+--------------------------| --> 2124
|<bootconfig size> | 4 (v4 only) |
|--------------------------------+--------------------------| --> 2128
|<padding> | min(n * page_size |
| | - header_size) |
+--------------------------------+--------------------------+ --> pagesize
### data
+------------------+-------------+--------------------------+ --> pagesize
| | ramdisk 1 | |
| |-------------+ |
| | ramdisk 2 | |
|<vendor ramdisks> |-------------+ padded len |
| | ramdisk n | |
| |-------------+ | --> pagesize + vendor_ramdisk_total_size
| | padding | |
+------------------+-------------+--------------------------+ --> pagesize + vendor_ramdisk_total_size + padding
| | dtb | |
|<dtb> |-------------+ padded len |
| | padding | |
+------------------+-------------+--------------------------+ --> dtb offset + dtb size + padding
|<vendor ramdisk > | entry 1 | |
| table> |-------------+ |
| | entry 2 | padded len |
| |-------------+ |
| | entry n | |
| (v4) |-------------+ |
| | padding | |
+------------------+----------------------------------------+ --> vrt offset + vrt size + padding
|<bootconfig> (v4) | padded len |
+--------------------------------+--------------------------+
## 4. signature part
### 4.1 Boot Image Signature (VBoot 1.0)
+--------------------------------+--------------------------+ --> end of data part
|<signature> | signature length |
|--------------------------------+--------------------------+
|<padding> | defined by boot_signer |
+--------------------------------+--------------------------+
### 4.2 AVB Footer (VBoot 2.0)
item size in bytes position
+------+--------------------------------+-------------------------+ --> end of data part (say locaton +0)
| | VBMeta Header | total 256 |
| | | |
| | - Header Magic "AVB0" | 4 |
| | - avb_version Major | 4 |
| | - avb_version Minor | 4 |
| | - authentication_blob_size | 8 |
| | - auxiliary blob size | 8 |
| | - algorithm type | 4 |
| | - hash_offset | 8 |
| | - hash_size | 8 |
| | - signature_offset | 8 |
| | - signature_size | 8 |
| | - pub_key_offset | 8 |
|VBMeta| - pub_key_size | 8 |
| Blob | - pub_key_metadata_offset | 8 |
| | - pub_key_metadata_size | 8 |
| | - descriptors_offset | 8 |
| | - descriptors_size | 8 |
| | - rollback_index | 8 |
| | - flags | 4 |
| | - RESERVED | 4 |
| | - release string | 47 |
| | - NULL | 1 |
| | - RESERVED | 80 |
| |--------------------------------+-------------------------+ --> + 256
| | Authentication Blob | |
| | - Hash of Header & Aux Blob | alg.hash_num_bytes | --> + 256 + hash_offset
| | - Signature of Hash | alg.signature_num_bytes | --> + 256 + signature_offset
| | - Padding | align by 64 |
| +--------------------------------+-------------------------+
| | Auxiliary Blob | |
| | - descriptors | | --> + 256 + authentication_blob_size + descriptors_offset
| | - pub key | | --> + 256 + authentication_blob_size + pub_key_offset
| | - pub key meta data | | --> + 256 + authentication_blob_size + pub_key_metadata_offset
| | - padding | align by 64 |
| +--------------------------------+-------------------------+
| | Padding | align by block_size |
+------+--------------------------------+-------------------------+ --> + (block_size * n)
+---------------------------------------+-------------------------+
| | |
| | |
| DONOT CARE CHUNK | |
| | |
| | |
+---------------------------------------+-------------------------+
+---------------------------------------+-------------------------+ --> partition_size - block_size
| Padding | block_size - 64 |
+---------------------------------------+-------------------------+ --> partition_size - 64
| AVB Footer | total 64 |
| | |
| - Footer Magic "AVBf" | 4 |
| - Footer Major Version | 4 |
| - Footer Minor Version | 4 |
| - Original image size | 8 |
| - VBMeta offset | 8 |
| - VBMeta size | 8 |
| - Padding | 28 |
+---------------------------------------+-------------------------+ --> partition_size
## 5. boot in memory
```
┌────────────────────────────────────────┐
│ kernel │
├──────────────────┬─────────────────────┤
│ │ vendor ramdisk 1 │
│ ├─────────────────────┤
│ │ vendor ramdisk 2 │
│ vendor ramdisks ├─────────────────────┤
│ │ ... │
│ ├─────────────────────┤
│ │ vendor ramdisk n │
├──────────────────┴─────────────────────┤
│ generic ramdisk (from init_boot/boot) │
├──────────────────┬─────────────────────┤
│ │parameters │
│ ├─────────────────────┤
│ │param size (4) │
│ bootconfig ├─────────────────────┤
│ │param checksum (4) │
│ ├─────────────────────┤
│ │bootconfig magic(12) │ --> "#BOOTCONFIG\n"
└──────────────────┴─────────────────────┘
```