Esato Mobile
Sony Ericsson / Sony : Software, Firmware and Drivers : K750i EROM CID36 red - disassembled w/ comments

hendrix Posts: 2

What can I say. Use cracked sonics to read the memory from
44000000 - 4400291f. Then plug this into an ELF binary and set the
section address of the section to 44000000. Then disassemble
it using the ARM setting and using the THUMB setting (ARM7 processor) (giving you 2 files).
Then put together the EROM's disassembly by selecting the right instructions from
the ARM/THUMB output.
Hint to start off: EROM starts with a vector table with ARM instructions. After that,
you are on your own. lol. "bx" and "blx" switch between ARM and THUMB mode BTW

Interesting for you guys is probably
A) boot sequence (starting at 44000000, which is mapped to 00000000 at that moment)
B) __handleUSBcmd_ function

Comments are sparse, except in the interesting places.

Have fun:


some key addresses:

00018000: f9050054 ; copied from 440028bc (0xd bytes):
00018004: 00000103 ; basebandID1 (first 2 bytes missing)
00018008: ffffffff ; basebandID2
0001800c: 00 ; 0/1 flag: basebandID has been constructed (see 44001db0)

00018010-
00018dc0: cleared region upon boot

00018018: ptr_to_struct ; see (init00018018) and other accesses

00018340: d03777ed ; flag for "no USB command so far" -> boot to firmware on timeout

00018349: 00 ; initialized to 00 (see d03777ed)

44000000 size 20000 : EROM (128kB)
44020000 size 13e0000 : firmware (20MB)
45400000 size b00000 : filesystem part1 (12MB)
45f00000 size 100000 : gdfs (1MB)
46000000 end

50000000 size 2000000 : filesystem part2 (32MB)
52000000 end

f9090000: 4080 ; basebandID (will be byteswapped for 00018004)


EROM.out: file format elf32-littlearm

Disassembly of section .text:

.arm ; booting : instruction 1 : jump to c4
44000000: e59ff018 ldr pc, [pc, #24] (44000020) ; 000000c4 reset
44000004: e59ff018 ldr pc, [pc, #24] (44000024) ; 44020004 undefined instruction
44000008: e59ff018 ldr pc, [pc, #24] (44000028) ; 44020008 software int
4400000c: e59ff018 ldr pc, [pc, #24] (4400002c) ; 4402000c abort (prefetch)
44000010: e59ff018 ldr pc, [pc, #24] (44000030) ; 44020010 abort (data)
44000014: e59ff018 ldr pc, [pc, #24] (44000034) ; 44020014 reserved
44000018: e59ff018 ldr pc, [pc, #24] (44000038) ; 44020018 IRQ
4400001c: e59ff018 ldr pc, [pc, #24] (4400003c) ; 4402001c FIQ
44000020: 000000c4 .int 000000c4
44000024: 44020004 .int 44020004
44000028: 44020008 .int 44020008
4400002c: 4402000c .int 4402000c
44000030: 44020010 .int 44020010
44000034: 44020014 .int 44020014
44000038: 44020018 .int 44020018
4400003c: 4402001c .int 4402001c

44000040: 44000040 .int 44000040 ; end of vector-table, start of code
44000044: 4400ffff .int 4400ffff ; end of EROM code
44000048: 00000000 .int 00000000
4400004C: 00000000 .int 00000000

; setup stackpointers for some modes
; call: init some hardware
; returns r0 = 1
.thumb
44000050: a000 add r0, pc, #0 (adr r0,44000054)
44000052: 4700 bx r0
.arm
44000054: e92d0003 stmdb sp!, {r0, r1}
44000058: e3a01414 mov r1, #335544320 ; 0x14000000
4400005c: e3a00040 mov r0, #64 ; 0x40
44000060: e5810000 str r0, [r1]
44000064: e8bd0003 ldmia sp!, {r0, r1}
44000068: e92d4000 stmdb sp!, {lr}
4400006c: e10f0000 mrs r0, CPSR ; backup CPSR
44000070: e329f0d7 msr CPSR_fc, #215 ; 0xd7 = nzcvIFt 10111=Abort-mode
44000074: e59fd030 ldr sp, [pc, #48] (440000ac) ; sp=f3001108 (setup Abort sp)
44000078: e329f0db msr CPSR_fc, #219 ; 0xdb = nzcvIFt 11011=Undefined-mode
4400007c: e59fd02c ldr sp, [pc, #44] (440000b0) ; sp=f3001110 (setup Undefined sp)
44000080: e329f0d1 msr CPSR_fc, #209 ; 0xd1 = nzcvIFt 10001=FIQ-mode
44000084: e59fd028 ldr sp, [pc, #40] (440000b4) ; sp=f3001118 (setup FIQ sp)
44000088: e129f000 msr CPSR_fc, r0 ; restore CPSR
4400008c: eb00001b bl 44000100 ; init some hardware
; returns r0 = 0x1d
44000090: e3500001 cmp r0, #1 ; r0 == 1 ?
44000094: 1a000001 bne 440000a0
44000098: e3a00000 mov r0, #0 ; return r0 = 0
4400009c: ea000000 b 440000a4
440000a0: e3a00001 mov r0, #1 ; return r0 = 1
440000a4: e8bd4000 ldmia sp!, {lr}
440000a8: e12fff1e bx lr
440000ac: f3001108 .int f3001108
440000b0: f3001110 .int f3001110
440000b4: f3001118 .int f3001118

440000b8: 00000000 .int 00000000
440000bc: 00000000 .int 00000000

; ptr to functiontable_0
440000c0: 000000d0 .int 000000d0
; booting : instruction 2 : jump to 440001ac
440000c4: e51ff004 ldr pc, [pc, #-4] (440000c8) ; 440001ac
440000c8: 440001ac .int 440001ac

440000cc: 00000000 .int 00000000

; functiontable_0
440000d0: 00000009 .int 00000009 ; sizeoftable
440000d4: 5c029fab .int 5c029fab ; checksum: sum of tablecontents
440000d8: 000025f4 .int 000025f4 (#0) ; ptr to signature (+44000000)
440000dc: 00000000 .int 00000000 (#1)
440000e0: 00000000 .int 00000000 (#2)
440000e4: 44020000 .int 44020000 (#3)
440000e8: 440028e0 .int 440028e0 (#4) ; functiontable_1 (verification functions)
440000ec: 440028d0 .int 440028d0 (#5)
440000f0: 4c000000 .int 4c000000 (#6)
440000f4: ffffffff .int ffffffff (#7)
440000f8: 44002808 .int 44002808 (#8)
440000fc: 00000000 .int 00000000

; init some hardware
; returns r0 = 0x1d
44000100: ee110f10 mrc 15, 0, r0, cr1, cr0, {0}
44000104: e3800a01 orr r0, r0, #4096 ; 0x1000
44000108: e3c00004 bic r0, r0, #4 ; 0x4
4400010c: e3c00001 bic r0, r0, #1 ; 0x1
44000110: e3800c01 orr r0, r0, #256 ; 0x100
44000114: e3c00a02 bic r0, r0, #8192 ; 0x2000
44000118: e3c00902 bic r0, r0, #32768 ; 0x8000
4400011c: ee010f10 mcr 15, 0, r0, cr1, cr0, {0}
44000120: ee191f11 mrc 15, 0, r1, cr9, cr1, {0}
44000124: e3a00801 mov r0, #65536 ; r0 = 0x10000
44000128: e380001c orr r0, r0, #28 ; r0 |= 0x1c
4400012c: e3800001 orr r0, r0, #1 ; r0 |= 0x1
44000130: ee090f11 mcr 15, 0, r0, cr9, cr1, {0}
44000134: ee190f31 mrc 15, 0, r0, cr9, cr1, {1}
44000138: e3a00000 mov r0, #0 ; r0 = 0x0
4400013c: e380001c orr r0, r0, #28 ; r0 |= 0x1c
44000140: e3800001 orr r0, r0, #1 ; r0 |= 0x1
44000144: ee090f31 mcr 15, 0, r0, cr9, cr1, {1}
44000148: e12fff1e bx lr

; _IRQon_a returns old IRQ-bit status
_IRQon_a: e10f0000 mrs r0, CPSR
44000150: e3c0c080 bic ip, r0, #128 ; 0x80 = clear IRQ bit (enable IRQ)
44000154: e121f00c msr CPSR_c, ip
44000158: e1a003a0 mov r0, r0, lsr #7
4400015c: e2000001 and r0, r0, #1 ; 0x1
44000160: e12fff1e bx lr ; return old IRQ bit

; _IRQoff_a returns old IRQ-bit status
_IRQoff_a: e10f0000 mrs r0, CPSR
44000168: e380c080 orr ip, r0, #128 ; 0x80 = set IRQ bit (disable IRQ)
4400016c: e121f00c msr CPSR_c, ip
44000170: e1a003a0 mov r0, r0, lsr #7
44000174: e2000001 and r0, r0, #1 ; 0x1
44000178: e12fff1e bx lr ; return old IRQ bit

...

---- EDIT1
grr, 236k of text is too much for the bulletin. Can somebody help me out with where to upload it??

---- EDIT2
the rapidshare link is:
http://rapidshare.de/files/10510690/EROM_red.asm.html

---- EDIT3
updated the offset-list in flash memory.

---- EDIT4
Find the same post on SE-NSE:
http://forums.se-nse.net/index.php?showtopic=2558

[ This Message was edited by: hendrix on 2006-01-07 12:17 ]
--
Posted: 2006-01-06 14:53:23
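To make the header walk above concrete, here is an added example (not hendrix's code and not one of the tools mentioned in the thread) that decodes the eight vector entries and checks the functiontable_0 checksum from the words in the listing. The byte arrays are constructed from the listed values; the function names are this example's own, and it only decodes the positive-offset `ldr pc, [pc, #imm]` form used by the vector table (the `ldr pc, [pc, #-4]` at 440000c4 is deliberately reported as unhandled).

```python
import struct

EROM_BASE = 0x44000000

# Constructed from the listing: eight 'ldr pc, [pc, #24]' words (e59ff018,
# stored little-endian) followed by the literal pool of handler addresses.
VECTOR_TABLE = bytes.fromhex("18f09fe5" * 8) + struct.pack(
    "<8I", 0x000000C4, 0x44020004, 0x44020008, 0x4402000C,
    0x44020010, 0x44020014, 0x44020018, 0x4402001C)

# functiontable_0 as listed at 440000d0: size word, checksum word, 9 entries.
FUNCTIONTABLE_0 = struct.pack(
    "<11I", 9, 0x5C029FAB, 0x000025F4, 0, 0, 0x44020000,
    0x440028E0, 0x440028D0, 0x4C000000, 0xFFFFFFFF, 0x44002808)

VECTOR_NAMES = ["reset", "undefined instruction", "software interrupt",
                "prefetch abort", "data abort", "reserved", "IRQ", "FIQ"]

def decode_ldr_pc_literal(word, addr):
    """Pool address of 'ldr pc, [pc, #imm12]' at addr (cond=1110, LDR word,
    immediate, add, Rn=Rd=pc), else None. pc reads as addr + 8 on ARM7."""
    if (word & 0xFFFFF000) != 0xE59FF000:
        return None
    return addr + 8 + (word & 0xFFF)

def decode_vectors(image, base):
    """Map each exception vector to the handler address its pool word holds."""
    handlers = {}
    for i, name in enumerate(VECTOR_NAMES):
        addr = base + 4 * i
        (word,) = struct.unpack_from("<I", image, 4 * i)
        pool = decode_ldr_pc_literal(word, addr)
        if pool is None:
            raise ValueError(f"{name} vector at {addr:08x} is not ldr pc,[pc,#imm]")
        (handlers[name],) = struct.unpack_from("<I", image, pool - base)
    return handlers

def check_functiontable(table):
    """Recompute the 'sum of tablecontents' checksum mod 2**32 and return
    (ok, entries); the ffffffff entry is why the wrap-around matters."""
    size, stored = struct.unpack_from("<2I", table, 0)
    entries = struct.unpack_from(f"<{size}I", table, 8)
    return sum(entries) & 0xFFFFFFFF == stored, entries

if __name__ == "__main__":
    for name, target in decode_vectors(VECTOR_TABLE, EROM_BASE).items():
        print(f"{name:22s} -> {target:08x}")
    print("functiontable_0 checksum ok:", check_functiontable(FUNCTIONTABLE_0)[0])
```

Run against a real readout, only the first 0x40 bytes and the 11 words at offset 0xd0 are needed; a changed pool word or a checksum mismatch is the quickest sign that the dump or the section base address is off.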

souljav Posts: 27

WOW, I wish I knew what all this means lol
--
Posted: 2006-01-06 14:56:09

batesie Posts: > 500

Nice work hendrix! I think if you're not a developer already then you should be...
--
Posted: 2006-01-06 15:11:58

TheGlassJAw Posts: 370

Well duh, everybody knows that!
--
Posted: 2006-01-06 15:15:35

jockyw2001 Posts: 37

@hendrix:

This is brilliant! Greatly appreciated, and finally we can think of running linux on SE phones

A couple of questions:
You refer to 50000000 - 52000000: FILESYSTEM2; this must be the 32MB phone memory (NAND flash). We know that after flashing, the filesystem must be customized with customized.xml, certificates, etc. Are these files stored in FILESYSTEM2? If yes, are they stored in a hidden partition? At least they are not visible via BT. Do you think there is a way to avoid the post-flash customize operation?

PS: I have added a link in the "Daredevils" thread. This stuff is too good!

/JockyW
--
Posted: 2006-01-06 20:41:19

hendrix Posts: 2

What do you mean by BT?

--

It appears that filesystem2 is some kind of "locked". When sonics reads this memory, it returns just crap ("e0"). Probably there's no way around reversing the firmware partially to get the unlocking procedure. Probably it's just some peek/poke data in the hardware and it will be readable.

--

I guess we can put the certificates into the FS flashfile right away, saving us from finalizing the phone.
With jockyw2001's program to make arbitrary flashfiles and my program below to reconstruct the filesystem from a flashfile/memory readout. Somebody needs to write the "reverse program" to my filesystem reconstructor. So the workflow would be:

- make filesystem (there are 4 filesystems) from flashfile
- mount filesystem (#0) image (it's a FAT filesystem) as read/write
- copy certificates and customize.xml to /tpa/preset/...
- unmount altered diskimage
- todo: create memory-image from filesystems
- plug the memory-image into jockyw2001's program
- flash with davinci -> already finalized

Link to my programs:
A: (worschestyre sauce): extract the mountable diskimage from a Filesystem (FS) flashfile
B: (oyster sauce): extract the mountable diskimage from a sonics memory read (Sonics -> read memory -> address $45400000, length $b00000)

Mountable means the diskimage (a file) behaves like a harddisk, where you can read/write data to/from. On this filesystem there are the themes, the games, and all the stuff that is installed by default on your phone.

http://rapidshare.de/files/10[....]esystemreconstruction.zip.html

---- EDIT
Rephrased some stuff to make it more readable. lol. I hope.


[ This Message was edited by: hendrix on 2006-01-07 11:50 ]
--
Posted: 2006-01-07 02:15:48

rockygali Posts: > 500

I see... now this comes with worschestyre sauce or with oyster sauce?

Jesus Christ! Talk layman, guys! hehehehe

Anyway, whatever the sound of this.. it means... errr...

OK, I still don't get it!
--
Posted: 2006-01-07 02:36:28

jockyw2001 Posts: 37

Quote:
On 2006-01-07 02:15:48, hendrix wrote:
what do you mean by BT?

Bluetooth

Excellent work hendrix.
If I have some spare time I will try out your findings.

Cheers,
JockyW
--
Posted: 2006-01-13 15:01:26

voda_jon Posts: > 500

lol at you all for thinking it's gonna be this easy to make your own little firmwares... Take a look at the forums on www.setool.net to see some real pros... If it was this easy to disassemble a firmware file, change it and put it back together, don't you think these guys would be doing it? Or other people would be doing it? There is a good reason why you don't see new firmwares coming out from people who have made them!

IT'S FECKIN IMPOSSIBLE>>> I won't go into why 'cos I can't be bothered, but go ahead and try to flash it and see your phone die before your very own eyes... lol

J.
--
Posted: 2006-01-13 20:03:12

mb-new Posts: 135

voda_jon
Why are you so sceptical? Indeed there're a few real pros at setool or other forums.

hendrix, keep up the good work!

...if I could get a small C compiler for win32.
Anyone, please compile it for Windows... Wait, the result file should be mounted; I have no *nix now.

hendrix, maybe just make a tar archive instead of a partition image? Does someone know a way to look into partition images in Windows?

_________________

BR, Mikhan aka mb @senews.org
S700i (R3M008),K750i (W800 R1AA008),T65 (R6A006),Z520i (R3C035)

[ This Message was edited by: mb-new on 2006-01-14 00:06 ]

[ This Message was edited by: mb-new on 2006-01-14 00:07 ]
--
Posted: 2006-01-14 01:04:00