ReFirmLabs / binwalk

Firmware Analysis Tool
MIT License

Trouble extracting cpio embedded into kernel file #669

Open eldondevat opened 8 months ago

eldondevat commented 8 months ago

I have what I believe to be a fairly standard initramfs embedded into a kernel bzImage. Running binwalk on the bzImage I had hoped would successfully extract the cpio archive. It seems that the CPIO archive is partially extracted, but it doesn't seem to work as expected. binwalk prints the following when run:

binwalk --run-as=root -S --extract /bzImage-6.6.3

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Microsoft executable, portable (PE)
7549241       0x733139        Zlib compressed data, default compression
7653261       0x74C78D        Private key in DER format (PKCS header length: 4, sequence length: 1189
7661537       0x74E7E1        AES S-Box
7661793       0x74E8E1        AES S-Box
11771337      0xB39DC9        gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
12467410      0xBE3CD2        MySQL MISAM index file Version 10

Since I know my initramfs is a gzipped cpio, 0xB39DC9 looks good. Unfortunately, trying to decompress the extracted element gives an error.

# zcat B39DC9.gz >decompressed

gzip: B39DC9.gz: invalid compressed data--format violated

The fragment decompressed is identified as a cpio:

# file decompressed 
decompressed: ASCII cpio archive (SVR4 with no CRC)

But it only contains the following entries, and I would expect several more:

# busybox cpio -t <decompressed
bin
busybox

Also, this cpio is only about 1.1M. I was able to recreate the cpio by booting the kernel with the rdinit parameter and poking around, and the cpio seems to be about 6 megs decompressed (the bzImage is approximately 16).
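A small checker for the situation reported above, added here as an example and not part of binwalk or the reporter's setup: it finds gzip member headers in an image, inflates each one with a streaming decompressor so a stream that ends early (eof not reached) is distinguishable from one that is corrupt (zlib error, as zcat reports), and walks the resulting SVR4 newc cpio headers to list the entries that actually survived. The bzImage stand-in, the entry names and the halfway cut are constructed sample data.

```python
import gzip
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # gzip member header: ID1, ID2, CM=deflate
NEWC_MAGIC = b"070701"         # SVR4 cpio "newc" header magic

def find_gzip_members(blob):
    """Offsets in `blob` where a gzip member header starts (what a signature scan reports)."""
    offsets, pos = [], blob.find(GZIP_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(GZIP_MAGIC, pos + 1)
    return offsets

def inflate_member(blob, offset):
    """Inflate the gzip member at `offset`: returns (data, stream_complete, error)."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)     # wbits+16 selects the gzip wrapper
    try:
        data = d.decompress(blob[offset:]) + d.flush()
    except zlib.error as exc:                       # corrupt stream, the case zcat complains about
        return b"", False, str(exc)
    return data, d.eof, None                        # eof False means the member was cut short

def list_newc(data):
    """Walk a newc cpio archive and return the entry names present before the trailer."""
    names, pos = [], 0
    while pos + 110 <= len(data) and data[pos:pos + 6] == NEWC_MAGIC:
        hdr = data[pos:pos + 110]                   # magic + 13 fields of 8 ASCII hex chars
        filesize, namesize = int(hdr[54:62], 16), int(hdr[94:102], 16)
        name = data[pos + 110:pos + 110 + namesize - 1]
        if name == b"TRAILER!!!" or len(name) < namesize - 1:
            break                                   # normal end, or name cut off by truncation
        names.append(name.decode("ascii", "replace"))
        pos = (pos + 110 + namesize + 3) & ~3       # header + NUL-terminated name, 4-byte aligned
        pos = (pos + filesize + 3) & ~3             # file body, 4-byte aligned
    return names

def build_newc(entries):
    """Constructed sample data: pack (name, body) pairs into a newc cpio archive."""
    out = bytearray()
    for name, body in entries + [("TRAILER!!!", b"")]:
        cname = name.encode() + b"\0"
        fields = [1, 0o100644, 0, 0, 1, 0, len(body), 0, 0, 0, 0, len(cname), 0]
        out += NEWC_MAGIC + b"".join(b"%08X" % f for f in fields) + cname
        out += b"\0" * (-len(out) % 4) + body + b"\0" * (-len(body) % 4)
    return bytes(out)

# Constructed stand-in for a bzImage: filler, one gzipped cpio member, filler.
ARCHIVE = build_newc([("bin", b""), ("busybox", bytes(range(256)) * 4), ("etc/hosts", b"127.0.0.1 localhost\n")])
MEMBER = gzip.compress(ARCHIVE, mtime=0)
GOOD_IMAGE = b"\x55" * 1024 + MEMBER + b"\xaa" * 512
CUT_IMAGE = GOOD_IMAGE[:1024 + len(MEMBER) // 2]   # a carve that stopped halfway through the stream
```

On a real carve, a result of (stream_complete=False, error=None) with fewer entries than expected points at the extractor stopping early rather than at a damaged initramfs.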