view mot931c/hack-payload.disasm @ 278:42575bc59702
benq-fw-disasm: dug a little into BenQ's M32 firmware
author | Mychaela Falconia <falcon@freecalypso.org> |
---|---|
date | Wed, 12 Dec 2018 07:48:48 +0000 |
parents | 9082f3991fe5 |
children |
; This hack payload must be receiving control in the ARM state,
; as the instruction at 0 makes sense as ARM, but not as Thumb.
;
; Register roles, as read from the code below:
;   r1 = watchdog register base (0xfffff802)
;   r6 = modem UART base (0xffff5800); [r6] is the data byte and
;        bit 0 of [r6, #5] is polled as the "byte ready" flag
;        (inferred from the polling loops; the UART register
;        layout is not documented here)
;   r5 = byte just received, later the 16-bit payload length
;   r4 = write pointer into the receive buffer, r3 = its start
;
; SVC mode, IRQ & FIQ disabled
0: e321f0d3 msr CPSR_c, #211 ; 0xd3: I and F set, mode bits 0x13 (SVC)
; disable the watchdog: two halfword writes to 0xfffff804
4: e59f10b4 ldr r1, =0xfffff802 ; via 0xc0
8: e3a000f5 mov r0, #245 ; 0xf5
c: e1c100b2 strh r0, [r1, #2]
10: e3a000a0 mov r0, #160 ; 0xa0
14: e1c100b2 strh r0, [r1, #2]
; MODEM UART
18: e59f60a4 ldr r6, =0xffff5800 ; via 0xc4
; wait for "INT" input: three byte-receive loops, one per character.
; A mismatch at any position restarts from the 'I' loop (branch back
; to 0x1c) without re-examining the mismatched byte, so the sync
; sequence has to arrive with no stray bytes in between.
1c: e5d60005 ldrb r0, [r6, #5]
20: e3100001 tst r0, #1
24: 0afffffc beq 0x1c ; spin until a byte is ready
28: e5d65000 ldrb r5, [r6]
2c: e3550049 cmp r5, #73 ; 0x49 = 'I'
30: 1afffff9 bne 0x1c
34: e5d60005 ldrb r0, [r6, #5]
38: e3100001 tst r0, #1
3c: 0afffffc beq 0x34
40: e5d65000 ldrb r5, [r6]
44: e355004e cmp r5, #78 ; 0x4e = 'N'
48: 1afffff3 bne 0x1c
4c: e5d60005 ldrb r0, [r6, #5]
50: e3100001 tst r0, #1
54: 0afffffc beq 0x4c
58: e5d65000 ldrb r5, [r6]
5c: e3550054 cmp r5, #84 ; 0x54 = 'T'
60: 1affffed bne 0x1c
; send 'X' as the acknowledgement
64: e3a00058 mov r0, #88 ; 0x58 = 'X'
68: e5c60000 strb r0, [r6] ; no transmit-ready check before the write
; receive 2 bytes of length (LSB first)
6c: e1a00000 mov r0, r0 ; nop
70: e5d60005 ldrb r0, [r6, #5]
74: e3100001 tst r0, #1
78: 0afffffc beq 0x70
7c: e5d65000 ldrb r5, [r6] ; r5 = low byte
80: e5d60005 ldrb r0, [r6, #5]
84: e3100001 tst r0, #1
88: 0afffffc beq 0x80
8c: e5d60000 ldrb r0, [r6]
90: e1855400 orr r5, r5, r0, lsl #8 ; r5 = length, 0..65535
; receive next stage payload into RAM at 0x800100.
; The length is used as received: it is not compared against the
; size of the destination region, and a length of 0 is not
; rejected -- the first subs would wrap r5 to 0xffffffff and the
; loop would keep writing far past the buffer (presumably until
; a fault or reset).
94: e59f402c ldr r4, =0x800100 ; via 0xc8
98: e1a03004 mov r3, r4 ; keep the buffer start as the entry point for bx
9c: e5d60005 ldrb r0, [r6, #5]
a0: e3100001 tst r0, #1
a4: 0afffffc beq 0x9c
a8: e5d60000 ldrb r0, [r6]
ac: e5c40000 strb r0, [r4]
b0: e2844001 add r4, r4, #1
b4: e2555001 subs r5, r5, #1
b8: 1afffff7 bne 0x9c
; jump to it: 0x800100 has bit 0 clear, so the next stage is
; entered in ARM state; r6 still holds the UART base at that point
bc: e12fff13 bx r3
; literal pool
c0: fffff802
c4: ffff5800
c8: 00800100