freecalypso-reveng: annotate pirelli/firmware @ 157:9082f3991fe5

mot931c break-in procedure cracked

author: Michael Spacefalcon <msokolov@ivan.Harhan.ORG>
date: Wed, 14 May 2014 05:34:37 +0000
parents: 277fd7b971f0
children: (none)
Every line of the file below was last touched in rev 57 (277fd7b971f0, "some success in finding familiar TI code in moko11 and Pirelli fw binary images", Michael Spacefalcon <msokolov@ivan.Harhan.ORG>).

Following on the success of our match of moko11 disassembly against some known
objects (see ../moko11), let's try doing the same thing with Pirelli's fw.

Let's see if the code in Pirelli's fw at 0x40000 matches .inttext from TI's
int.obj: so far, so good! Let's see how far we can get:

040000: beginning of match with .inttext in TI's int.obj
040268: b 0x3f6b40, should be a jump to the _INC_Initialize veneer
3BB7D4: first function called from Application_Initialize()
        the logic of Init_Target() is recognizable, but it's a modified
        version, not the same object blob as we have
        the setup of memory timings matches that done by OsmocomBB!
3F11F8: this should be Application_Initialize()
        differences begin: instead of 6 function calls, there are 12,
        with one of them conditionalized on the return value of the previous
3F3E74: expecting to see $INC_Initialize here - yes!
3F6B40: looks like an ARM->Thumb call veneer indeed
3F6B4C: Thumb code begins, does bl 0x3f3e74
3F6B54: back to ARM, veneer return

data objects:

01775048: INC_Initialize state variable
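Two of the checks the notes do by hand can be done mechanically: the byte-for-byte comparison of a firmware region against a known object section (to tell "the same object blob" from "a modified version", and to see how far a match runs), and the branch arithmetic that confirms `b 0x3f6b40` at 040268 lands on the veneer and the Thumb `bl` at 3F6B4C lands on $INC_Initialize at 3F3E74. The Python below is an added example and not code from the freecalypso-reveng project; the firmware image and the reference `.inttext` bytes are constructed here (the image is mostly zeros with the two branch encodings placed at the addresses the notes quote), and the assumption that file offset 0 maps to address 0 is stated in the code. Only the addresses and targets come from the notes.

```python
"""Added example: mechanical versions of the firmware-vs-object checks in
the notes above.  Not part of freecalypso-reveng.

All sample bytes are constructed for this example; they are not Pirelli or
TI firmware.  Only the addresses and branch targets quoted in the notes are
real, and they are used to show the decoders agree with the hand analysis.
"""
import struct

FLASH_BASE = 0x000000  # assumption: image offset 0 maps to address 0


def read_word(fw, addr, base=FLASH_BASE):
    """Little-endian 32-bit word at absolute address addr."""
    return struct.unpack_from("<I", fw, addr - base)[0]


def read_halfwords(fw, addr, base=FLASH_BASE):
    """Two consecutive little-endian 16-bit halfwords at addr (a Thumb BL pair)."""
    return struct.unpack_from("<HH", fw, addr - base)


def decode_arm_b(word, addr):
    """Decode an ARM-state B/BL (cond 101L imm24) located at addr.

    Target = addr + 8 + (sign-extended imm24 << 2), the +8 being the ARM
    pipeline offset.  Returns (mnemonic, target) or None if not a branch.
    """
    if (word >> 25) & 0x7 != 0b101 or (word >> 28) == 0xF:
        return None
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:          # sign bit of the 24-bit field
        imm24 -= 0x1000000
    target = (addr + 8 + (imm24 << 2)) & 0xFFFFFFFF
    return ("bl" if (word >> 24) & 1 else "b", target)


def decode_thumb_bl(hw1, hw2, addr):
    """Decode the ARMv4T two-halfword Thumb BL pair located at addr.

    hw1 = 11110 + upper 11 bits of the offset, hw2 = 11111 + lower 11 bits;
    the offset is relative to addr + 4.  Returns the target or None.
    """
    if (hw1 & 0xF800) != 0xF000 or (hw2 & 0xF800) != 0xF800:
        return None
    upper = hw1 & 0x7FF
    if upper & 0x400:             # sign bit of the upper half
        upper -= 0x800
    offset = (upper << 12) | ((hw2 & 0x7FF) << 1)
    return (addr + 4 + offset) & 0xFFFFFFFF


def match_run(fw, ref, fw_off):
    """Count how many leading bytes of ref equal fw starting at fw_off.

    len(ref) means the object section is present unmodified; a shorter run
    shows exactly where a modified copy of the code diverges.
    """
    n = 0
    for a, b in zip(fw[fw_off:fw_off + len(ref)], ref):
        if a != b:
            break
        n += 1
    return n


def locate(fw, ref, probe=16):
    """Find the first occurrence of the opening `probe` bytes of ref in fw and
    report (offset, matched_bytes), or None if the prefix is absent."""
    off = fw.find(ref[:probe])
    if off < 0:
        return None
    return off, match_run(fw, ref, off)


# ---- constructed sample image (not real firmware) ------------------------
REF_INTTEXT = bytes(range(0x10, 0x30))           # pretend 32-byte .inttext
FW = bytearray(0x400000)                          # 4 MiB of zeros
FW[0x40000:0x40018] = REF_INTTEXT[:0x18]         # first 24 bytes match...
FW[0x40018:0x40020] = b"\xff" * 8                 # ...then the copy diverges
# b 0x3f6b40 at 0x40268, encoded by hand: imm24 = (0x3f6b40 - 0x40270) >> 2
struct.pack_into("<I", FW, 0x40268, 0xEA0EDA34)
# Thumb bl 0x3f3e74 at 0x3f6b4c, encoded by hand: offset = 0x3f3e74 - 0x3f6b50
struct.pack_into("<HH", FW, 0x3F6B4C, 0xF7FD, 0xF992)


def analyse(fw=FW, ref=REF_INTTEXT):
    """Run the checks the notes do by hand and return the results by name."""
    return {
        "inttext": locate(fw, ref),
        "b_040268": decode_arm_b(read_word(fw, 0x40268), 0x40268),
        "bl_3f6b4c": decode_thumb_bl(*read_halfwords(fw, 0x3F6B4C), 0x3F6B4C),
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(f"{name}: {value}")
```

On the constructed image `locate` reports the section at 0x40000 with a 24-byte run before the copy diverges, which is the shape of the "recognizable but modified" finding at 3BB7D4; on a real image the same function run against the actual `.inttext` bytes from int.obj gives the exact point where TI's code and Pirelli's build part ways.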