Difference between revisions of "IDA Pro Setup"

From The iPhone Wiki
Jump to: navigation, search
(How to set up IDA pro to reverse the 3G baseband)
 
(18 intermediate revisions by 9 users not shown)
Line 16: Line 16:
 
7. Press OK
 
7. Press OK
 
8. The entry point is the address at 0x20040408
 
8. The entry point is the address at 0x20040408
  +
9. Go to 20100004 and Press "C" to start. ~Deco
  +
10. Read the instructions so you can find other places where you can press "C" to get more code. ~Deco
   
   
  +
Here are some key combinations to use:
9. Go to 20100004 and Press "C" to start. ~Deco
 
  +
* c = turn the 'gibberish' into code
10. Read the instructions so you can find other places where you can press "C" to get more code. ~Deco
 
  +
* d = turn the 'gibberish' into data
  +
* a = turn the 'gibberish' into a string
  +
* u = undefine what you just may have done, i usually use this since there is no real edit+undo in IDA so this is the next best thing
  +
* Alt+G = toggle the Register T from 0 / 1 to toggle arm and thumb mode when needed
  +
  +
== some hints for getting the mnemonics from n00b for noobs (read: master noob for noobs ;-) )==
  +
  +
The autoanalysis didn't work very well. There were a lot of silly mnemonics, simply interleaving thumb and arm mode or other nasty stuff. I then tried to identify strings, pressing 'A'. Boring... What pushed it up a little bit is this:
  +
  +
Most code is 'embraced' by 'embracing' code:
  +
- push / pop for thumb mod
  +
- STMFD / LDMFD for arm mode
  +
  +
Even better, all versions of above codes have similar instruction sets. So you can find all occurences of STMFD by hex searching '2D E9', going two bytes back (did I say code is aligned? 4bytes in arm starting at 00 04 08 0c, 2bytes in thumb mode!) and pressing 'C'. If you see scrambled code, then (probably) the wrong mode (thumb) is enabled. Just press Alt-G, change the value for T to zero. See?!
  +
The same goes for thumb mode. Push instructions are 'B5' preceeded by 02 0B 4E 72 30 10 F0 70 F3 7C 55 1F 30 3E 0E 1C 08 7F ... So just look for e.g. '10 B5' at two-byte boarders (Alt-B to set, Ctrl-B to search again) and you will easily find all occurences. Again, if it is scrambled, switch back to thumb mode (Alt-G, T=1).
  +
After all, you can hex browse a little bit and press 'C' for missing code or 'A' for text.
  +
  +
Above is a very simple 'algorithm', maybe there is an appropiate IDA plugin. Or you could write one :-) !
  +
  +
[http://code.assembla.com/ks360/subversion/nodes/utils/Analyze.py Script] with [http://d-dome.net/idapython/ IDAPython]
  +
  +
== IDA Pro Signature Files ==
  +
  +
Link to download signature files that can be used in reversing the iPhone baseband.
  +
  +
They are mostly Real View runtime library sigs:
  +
  +
RVCT RTL 2.2
  +
RVCT RTL 3.1
  +
RVCT RTL 4.4
  +
  +
ThreadX sig for iPhone 4 - however this only picks up a couple of functions, not sure how Apple compiled threadx, with which compiler, optimizations.
  +
  +
  +
On an iPhone 4 firmware can pickup upto 800 functions when all the sigs applied.
  +
  +
[http://www.mediafire.com/?kz4dlcnzfwixkkv Sigs]
  +
  +
==Addresses of known functions / code locations==
  +
===Baseband 02.28.00===
  +
* 0x201497B0 - maybe AT Command handler? (uses strings such as "OK", "ERROR", "UNKNOWN COMMAND")
  +
* 0x203C51BC - probably prints text
  +
* 0x201420AC - malloc (according to Darkmen)
  +
* 0x203C58A0 - bytecpy (according to Darkmen)
  +
* 0x203FB540 - NU_Create_Task (according to Darkmen)
  +
* 0x2046DD00 - sprintf (according to Darkmen)
  +
* 0x20165998 - NU_Receive_From_Mailbox (according to Darkmen)
  +
* 0x203ED568 - NU_Send_To_Mailbox (according to Darkmen)
  +
  +
  +
===Baseband 5.12.01 3.1.3 (Build 7E18)===
  +
* 0x203C2714 - IMEI routine
  +
* 0x2062CF28 - default IMEI (0A 40 99 09 01 46 00 00)

Latest revision as of 09:18, 10 February 2012

How to set up IDA pro to reverse the 3G baseband

The X-Gold 608 has a memory map, as seen in it's page.

The Secpack 2.0 takes up the first 0xCF8 of the .fls file.

So to load the 3G .fls file into IDA pro, the file offset is 0xCF8(for the secpack), and the CODE starts at the ROM start address of 0x20040000(since it's the main firmware)

For real noobs:

1. Drag the fls file into IDA
2. Select ARM
3. Change ROM start address to 0x20040000
4. Change Loading address to 0x20040000
5. Change File offset to 0xCF8
6. Copy Loading size into ROM size
7. Press OK
8. The entry point is the address at 0x20040408
9. Go to 20100004 and Press "C" to start. ~Deco
10. Read the instructions so you can find other places where you can press "C" to get more code. ~Deco


Here are some key combinations to use:

  • c = turn the 'gibberish' into code
  • d = turn the 'gibberish' into data
  • a = turn the 'gibberish' into a string
  • u = undefine what you just may have done, i usually use this since there is no real edit+undo in IDA so this is the next best thing
  • Alt+G = toggle the Register T from 0 / 1 to toggle arm and thumb mode when needed

some hints for getting the mnemonics from n00b for noobs (read: master noob for noobs ;-) )

The autoanalysis didn't work very well. There were a lot of silly mnemonics, simply interleaving thumb and arm mode or other nasty stuff. I then tried to identify strings, pressing 'A'. Boring... What pushed it up a little bit is this:

Most code is 'embraced' by 'embracing' code: - push / pop for thumb mod - STMFD / LDMFD for arm mode

Even better, all versions of above codes have similar instruction sets. So you can find all occurences of STMFD by hex searching '2D E9', going two bytes back (did I say code is aligned? 4bytes in arm starting at 00 04 08 0c, 2bytes in thumb mode!) and pressing 'C'. If you see scrambled code, then (probably) the wrong mode (thumb) is enabled. Just press Alt-G, change the value for T to zero. See?! The same goes for thumb mode. Push instructions are 'B5' preceeded by 02 0B 4E 72 30 10 F0 70 F3 7C 55 1F 30 3E 0E 1C 08 7F ... So just look for e.g. '10 B5' at two-byte boarders (Alt-B to set, Ctrl-B to search again) and you will easily find all occurences. Again, if it is scrambled, switch back to thumb mode (Alt-G, T=1). After all, you can hex browse a little bit and press 'C' for missing code or 'A' for text.

Above is a very simple 'algorithm', maybe there is an appropiate IDA plugin. Or you could write one :-) !

Script with IDAPython

IDA Pro Signature Files

Link to download signature files that can be used in reversing the iPhone baseband.

They are mostly Real View runtime library sigs:

   RVCT RTL 2.2
   RVCT RTL 3.1
   RVCT RTL 4.4
   ThreadX sig for iPhone 4 - however this only picks up a couple of functions, not sure how Apple compiled threadx, with which compiler, optimizations. 


On an iPhone 4 firmware can pickup upto 800 functions when all the sigs applied.

Sigs

Addresses of known functions / code locations

Baseband 02.28.00

  • 0x201497B0 - maybe AT Command handler? (uses strings such as "OK", "ERROR", "UNKNOWN COMMAND")
  • 0x203C51BC - probably prints text
  • 0x201420AC - malloc (according to Darkmen)
  • 0x203C58A0 - bytecpy (according to Darkmen)
  • 0x203FB540 - NU_Create_Task (according to Darkmen)
  • 0x2046DD00 - sprintf (according to Darkmen)
  • 0x20165998 - NU_Receive_From_Mailbox (according to Darkmen)
  • 0x203ED568 - NU_Send_To_Mailbox (according to Darkmen)


Baseband 5.12.01 3.1.3 (Build 7E18)

  • 0x203C2714 - IMEI routine
  • 0x2062CF28 - default IMEI (0A 40 99 09 01 46 00 00)