Esato Mobile
Sony Ericsson / Sony : Software, Firmware and Drivers : seus modification for debranding (semcxusb.dll)
Doctor_E Posts: 7

I have to admit that I don't know much about mobile phones and firmware. However, I know some programming and reverse engineering. So, I thought that we could modify Sony Ericsson Update Service in such a way as to cheat the SE server in order to debrand an SE phone easily and for free, instead of updating with branded firmware. That is, to make a patch similar to this, but the modification would have to be different for each SE model.

I have disassembled the SEMCXUSB.dll (http://files-upload.com/221268/SEMCXUSB.rar.html) taken from SEUS v. 2.7.5.5, and after a short search I found the point where the program calls the function in which the device type is stored into a variable. The disassembled info is the following:

Code:
10003CA0 _Java_com_sonyericsson_cs_common_iocommunication_DssNativeAPI_SemcUsbgetDeviceTypeDescription@12:
10003CA0 8B44240C mov eax,[esp+0Ch]
10003CA4 833C85243B0110FF cmp dword ptr [L10013B24+eax*4],FFFFFFFFh
10003CAC 7517 jnz L10003CC5
10003CAE 8B4C2404 mov ecx,[esp+04h]
10003CB2 6894060110 push SSZ10010694_getDeviceTypeDescriptor___port_n
10003CB7 51 push ecx
10003CB8 E803010000 call SUB_L10003DC0
10003CBD 83C408 add esp,00000008h
10003CC0 33C0 xor eax,eax
10003CC2 C20C00 retn 000Ch

[...]

1000E36C 5F4A6176615F636F6D5F+ db '_Java_com_sonyericsson_cs_common_iocommunication_DssNativeAPI_SemcUsbgetDeviceTypeDescription@12',0

[...]

db 'getDeviceTypeDescriptor - port not open.',0
Align 4


If someone knows how to modify this in order to have a static value, or in order to retrieve data from a specific location (e.g. a file) please let me know.

Sorry for my bad English.


[ This Message was edited by: Doctor_E on 2007-05-11 21:34 ]
--
Posted: 2007-05-11 22:33:13

max_wedge Posts: > 500

I can't help you specifically but the guy who started this thread at se-nse may have some advice for you:

http://forums.se-nse.net/index.php?showtopic=3996
--
Posted: 2007-05-12 05:27:14

Doctor_E Posts: 7

Thanks, I have already posted there.
--
Posted: 2007-05-12 11:28:15

Doctor_E Posts: 7

Also, I have found these functions in CamelHandler.dll (http://files-upload.com/222382/CamelHandler.rar.html); any help would be very important.


Code:
100013C0 _Java_com_sonyericsson_cs_common_iocommunication_MISNativeAPI_getFirmwareVersion@8:
100013C0 55 push ebp
100013C1 8BEC mov ebp,esp
100013C3 6AFF push FFFFFFFFh
100013C5 6860B30010 push L1000B360
100013CA 64A100000000 mov eax,fs:[00000000h]
100013D0 50 push eax
100013D1 64892500000000 mov fs:[00000000h],esp
100013D8 83EC18 sub esp,00000018h
100013DB 53 push ebx
100013DC 56 push esi
100013DD 8B7508 mov esi,[ebp+08h]
100013E0 57 push edi
100013E1 8965F0 mov [ebp-10h],esp
100013E4 33DB xor ebx,ebx
100013E6 68DCF00010 push SSZ1000F0DC_getFirmwareVersion
100013EB 56 push esi
100013EC 895DFC mov [ebp-04h],ebx
100013EF E87CFCFFFF call SUB_L10001070
100013F4 83C408 add esp,00000008h
100013F7 C645EF79 mov byte ptr [ebp-11h],79h
100013FB 6874010000 push 00000174h
10001400 E85BFDFFFF call SUB_L10001160
10001405 68B80B0000 push 00000BB8h
1000140A 8D45EF lea eax,[ebp-11h]
1000140D 6A01 push 00000001h
1000140F 50 push eax
10001410 E86BFDFFFF call SUB_L10001180
10001415 83C410 add esp,00000010h
10001418 83F801 cmp eax,00000001h
1000141B 742E jz L1000144B
1000141D 6877010000 push 00000177h
10001422 E849FDFFFF call SUB_L10001170
10001427 8B0E mov ecx,[esi]
10001429 83C404 add esp,00000004h
1000142C 68B4820110 push L100182B4
10001431 56 push esi
10001432 FF919C020000 call [ecx+0000029Ch]
10001438 8B4DF4 mov ecx,[ebp-0Ch]
1000143B 64890D00000000 mov fs:[00000000h],ecx
10001442 5F pop edi
10001443 5E pop esi
10001444 5B pop ebx
10001445 8BE5 mov esp,ebp
10001447 5D pop ebp
10001448 C20800 retn 0008h


[...]

10004280 _Java_com_sonyericsson_cs_common_iocommunication_MISNativeAPI_updateFirmware@24:

10004280 55 push ebp
10004281 8BEC mov ebp,esp
10004283 6AFF push FFFFFFFFh
10004285 6880B50010 push L1000B580
1000428A 64A100000000 mov eax,fs:[00000000h]
10004290 50 push eax
10004291 64892500000000 mov fs:[00000000h],esp
10004298 51 push ecx
10004299 B804800100 mov eax,00018004h
1000429E E86D100000 call SUB_L10005310
100042A3 53 push ebx
100042A4 56 push esi
100042A5 57 push edi
100042A6 8B7D08 mov edi,[ebp+08h]
100042A9 8965F0 mov [ebp-10h],esp
100042AC 68B4F60010 push SSZ1000F6B4_updateFirmware
100042B1 57 push edi
100042B2 C745FC00000000 mov dword ptr [ebp-04h],00000000h
100042B9 E8B2CDFFFF call SUB_L10001070
100042BE 83C408 add esp,00000008h
100042C1 6880080000 push 00000880h
100042C6 E895CEFFFF call SUB_L10001160
100042CB 8B7510 mov esi,[ebp+10h]
100042CE 83C404 add esp,00000004h
100042D1 85F6 test esi,esi
100042D3 7513 jnz L100042E8
100042D5 689CF60010 push SSZ1000F69C_Null_pointer_to_init
100042DA 57 push edi
100042DB E800FFFFFF call SUB_L100041E0
100042E0 83C408 add esp,00000008h
100042E3 E904010000 jmp L100043EC
100042E8 L100042E8:
100042E8 8B5D18 mov ebx,[ebp+18h]
100042EB 85DB test ebx,ebx
100042ED 7513 jnz L10004302
100042EF 6884F60010 push SSZ1000F684_Null_pointer_to_main
100042F4 57 push edi
100042F5 E8E6FEFFFF call SUB_L100041E0
100042FA 83C408 add esp,00000008h
100042FD E9EA000000 jmp L100043EC
10004302 L10004302:
10004302 68B80B0000 push 00000BB8h
10004307 8D45EC lea eax,[ebp-14h]
1000430A 6A01 push 00000001h
1000430C 50 push eax
1000430D C645EC71 mov byte ptr [ebp-14h],71h
10004311 C645ED00 mov byte ptr [ebp-13h],00h
10004315 E866CEFFFF call SUB_L10001180
1000431A 83C40C add esp,0000000Ch
1000431D 83F801 cmp eax,00000001h
10004320 7415 jz L10004337
10004322 688A080000 push 0000088Ah
10004327 E844CEFFFF call SUB_L10001170
1000432C 688B080000 push 0000088Bh
10004331 57 push edi
10004332 E9AD000000 jmp L100043E4
10004337 L10004337:
10004337 8B0F mov ecx,[edi]
10004339 6A00 push 00000000h
1000433B 56 push esi
1000433C 57 push edi
1000433D FF91E0020000 call [ecx+000002E0h]
10004343 8B17 mov edx,[edi]
10004345 6A00 push 00000000h
10004347 53 push ebx
10004348 57 push edi
10004349 8BF0 mov esi,eax
1000434B FF92E0020000 call [edx+000002E0h]
10004351 8B5514 mov edx,[ebp+14h]
10004354 894510 mov [ebp+10h],eax
10004357 8B451C mov eax,[ebp+1Ch]
1000435A 8DBDEC7FFEFF lea edi,[ebp-00018014h]
10004360 8D0C02 lea ecx,[edx+eax]
10004363 894D18 mov [ebp+18h],ecx
10004366 8BCA mov ecx,edx
10004368 8BD9 mov ebx,ecx
1000436A C1E902 shr ecx,02h
1000436D F3A5 rep movsd
1000436F 8BCB mov ecx,ebx
10004371 B341 mov bl,41h
10004373 83E103 and ecx,00000003h
10004376 F3A4 rep movsb
10004378 8B7510 mov esi,[ebp+10h]
1000437B 8BC8 mov ecx,eax
1000437D 8DBC15EC7FFEFF lea edi,[ebp+edx-00018014h]
10004384 8BD1 mov edx,ecx
10004386 C1E902 shr ecx,02h
10004389 F3A5 rep movsd
1000438B 8BCA mov ecx,edx
1000438D 83E103 and ecx,00000003h
10004390 F3A4 rep movsb
10004392 8B7D18 mov edi,[ebp+18h]
10004395 C6850180FEFF20 mov byte ptr [ebp-00017FFFh],20h
1000439C 8BC7 mov eax,edi
1000439E C6850280FEFF11 mov byte ptr [ebp-00017FFEh],11h
100043A5 C1E809 shr eax,09h
100043A8 FEC0 inc al
100043AA C6850380FEFF02 mov byte ptr [ebp-00017FFDh],02h
100043B1 88850080FEFF mov [ebp-00018000h],al
100043B7 33F6 xor esi,esi
100043B9 L100043B9:
100043B9 68B80B0000 push 00000BB8h
100043BE 8D4DEF lea ecx,[ebp-11h]
100043C1 6A01 push 00000001h
100043C3 51 push ecx
100043C4 E857CEFFFF call SUB_L10001220
100043C9 83C40C add esp,0000000Ch
100043CC 83F801 cmp eax,00000001h
100043CF 7430 jz L10004401
100043D1 68A5080000 push 000008A5h
100043D6 E895CDFFFF call SUB_L10001170
100043DB 68A6080000 push 000008A6h
100043E0 L100043E0:
100043E0 8B5508 mov edx,[ebp+08h]
100043E3 52 push edx
100043E4 L100043E4:
100043E4 E857FDFFFF call SUB_L10004140
100043E9 83C40C add esp,0000000Ch
100043EC L100043EC:
100043EC 32C0 xor al,al
100043EE 8B4DF4 mov ecx,[ebp-0Ch]
100043F1 64890D00000000 mov fs:[00000000h],ecx
100043F8 5F pop edi
100043F9 5E pop esi
100043FA 5B pop ebx
100043FB 8BE5 mov esp,ebp
100043FD 5D pop ebp
100043FE C21800 retn 0018h



[ This Message was edited by: Doctor_E on 2007-05-12 12:37 ]
--
Posted: 2007-05-12 13:36:28

Doctor_E Posts: 7

And from the file FTVCP2G.dll, the following:


Code:
10001190 FT_GetDeviceInfo:
10001190 83EC60 sub esp,00000060h
10001193 55 push ebp
10001194 56 push esi
10001195 57 push edi
10001196 B918000000 mov ecx,00000018h
1000119B 33C0 xor eax,eax
1000119D 8D7C240C lea edi,[esp+0Ch]
100011A1 F3AB rep stosd
100011A3 50 push eax
100011A4 8D442474 lea eax,[esp+74h]
100011A8 50 push eax
100011A9 8B442478 mov eax,[esp+78h]
100011AD 8D4C2414 lea ecx,[esp+14h]
100011B1 6A60 push 00000060h
100011B3 51 push ecx
100011B4 8D54241C lea edx,[esp+1Ch]
100011B8 6A60 push 00000060h
100011BA 52 push edx
100011BB 6810082200 push 00220810h
100011C0 50 push eax
100011C1 C744242C03000000 mov dword ptr [esp+2Ch],00000003h
100011C9 FF1554400010 call [KERNEL32.dll!DeviceIoControl]
100011CF 85C0 test eax,eax
100011D1 0F84B2000000 jz L10001289
100011D7 8B6C240C mov ebp,[esp+0Ch]
100011DB 85ED test ebp,ebp
100011DD 0F859B000000 jnz L1000127E
100011E3 8B442474 mov eax,[esp+74h]
100011E7 85C0 test eax,eax
100011E9 7430 jz L1000121B
100011EB 8B4C2410 mov ecx,[esp+10h]
100011EF 81F911003640 cmp ecx,40360011h
100011F5 7504 jnz L100011FB
100011F7 8928 mov [eax],ebp
100011F9 EB20 jmp L1000121B
100011FB L100011FB:
100011FB 81F910003640 cmp ecx,40360010h
10001201 7508 jnz L1000120B
10001203 C70001000000 mov dword ptr [eax],00000001h
10001209 EB10 jmp L1000121B
1000120B L1000120B:
1000120B 33D2 xor edx,edx
1000120D 81F920373840 cmp ecx,40383720h
10001213 0F95C2 setnz dl
10001216 83C202 add edx,00000002h
10001219 8910 mov [eax],edx
1000121B L1000121B:
1000121B 8B442478 mov eax,[esp+78h]
1000121F 85C0 test eax,eax
10001221 7406 jz L10001229
10001223 8B4C2414 mov ecx,[esp+14h]
10001227 8908 mov [eax],ecx
10001229 L10001229:
10001229 8B54247C mov edx,[esp+7Ch]
1000122D 85D2 test edx,edx
1000122F 7421 jz L10001252
10001231 8D7C241C lea edi,[esp+1Ch]
10001235 83C9FF or ecx,FFFFFFFFh
10001238 33C0 xor eax,eax
1000123A F2AE repne scasb
1000123C F7D1 not ecx
1000123E 2BF9 sub edi,ecx
10001240 8BC1 mov eax,ecx
10001242 8BF7 mov esi,edi
10001244 8BFA mov edi,edx
10001246 C1E902 shr ecx,02h
10001249 F3A5 rep movsd
1000124B 8BC8 mov ecx,eax
1000124D 83E103 and ecx,00000003h
10001250 F3A4 rep movsb
10001252 L10001252:
10001252 8B942480000000 mov edx,[esp+00000080h]
10001259 85D2 test edx,edx
1000125B 7421 jz L1000127E
1000125D 8D7C242C lea edi,[esp+2Ch]
10001261 83C9FF or ecx,FFFFFFFFh
10001264 33C0 xor eax,eax
10001266 F2AE repne scasb
10001268 F7D1 not ecx
1000126A 2BF9 sub edi,ecx
1000126C 8BC1 mov eax,ecx
1000126E 8BF7 mov esi,edi
10001270 8BFA mov edi,edx
10001272 C1E902 shr ecx,02h
10001275 F3A5 rep movsd
10001277 8BC8 mov ecx,eax
10001279 83E103 and ecx,00000003h
1000127C F3A4 rep movsb
1000127E L1000127E:
1000127E 5F pop edi
1000127F 8BC5 mov eax,ebp
10001281 5E pop esi
10001282 5D pop ebp
10001283 83C460 add esp,00000060h
10001286 C21800 retn 0018h
--
Posted: 2007-05-12 14:28:51
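As an added example (not code from this thread, from FTDI, or from Sony Ericsson), here is a C reconstruction of what the FT_GetDeviceInfo listing above does once DeviceIoControl has filled its 0x60-byte buffer: the status dword decides whether anything is reported, the device-type word goes through the cmp chain at 100011EF..10001219, the ID word is copied out, and the serial-number and description strings are copied with the repne scasb / rep movs (strlen + copy) pattern. The buffer offsets are read off the listing; the enum names are assumed from FTDI's public ftd2xx.h; the driver response is a constructed sample, not a capture from a device.

```c
#include <stdint.h>
#include <string.h>

#define DEVINFO_BUF_LEN 0x60   /* sub esp,60h: the ioctl in/out buffer */

/* Values the listing stores; the names are assumed from FTDI's ftd2xx.h. */
enum { FT_DEVICE_BM = 0, FT_DEVICE_AM = 1, FT_DEVICE_100AX = 2, FT_DEVICE_UNKNOWN = 3 };

/* cmp ecx,40360011h / 40360010h / 40383720h chain (100011EF..10001219). */
static uint32_t decode_device_type(uint32_t type_word)
{
    if (type_word == 0x40360011u) return FT_DEVICE_BM;   /* mov [eax],ebp (ebp == 0) */
    if (type_word == 0x40360010u) return FT_DEVICE_AM;   /* mov dword ptr [eax],1  */
    /* xor edx,edx; setnz dl; add edx,2 -> 2 when equal, otherwise 3 */
    return (type_word == 0x40383720u) ? FT_DEVICE_100AX : FT_DEVICE_UNKNOWN;
}

/* Post-ioctl part of FT_GetDeviceInfo. Buffer layout from the listing
 * (buffer base is [esp+0Ch]): +0x00 status, +0x04 device-type word,
 * +0x08 VID/PID word, +0x10 serial string, +0x20 description string.
 * Returns the status dword (ebp); NULL output pointers are skipped,
 * exactly as the jz checks in the listing skip them. Little-endian host
 * assumed, as on the x86 machine the DLL runs on. */
static uint32_t ft_get_device_info_from_buf(const uint8_t buf[DEVINFO_BUF_LEN],
        uint32_t *lpftDevice, uint32_t *lpdwID, char *serial, char *desc)
{
    uint32_t status, type_word, id;
    memcpy(&status, buf + 0x00, 4);          /* mov ebp,[esp+0Ch]  */
    if (status != 0) return status;          /* jnz L1000127E      */
    memcpy(&type_word, buf + 0x04, 4);       /* mov ecx,[esp+10h]  */
    memcpy(&id, buf + 0x08, 4);              /* mov ecx,[esp+14h]  */
    if (lpftDevice) *lpftDevice = decode_device_type(type_word);
    if (lpdwID) *lpdwID = id;
    if (serial) strcpy(serial, (const char *)buf + 0x10); /* repne scasb; rep movsd/movsb */
    if (desc)   strcpy(desc,   (const char *)buf + 0x20);
    return status;                           /* mov eax,ebp        */
}

/* Builds a constructed driver response so the reconstruction can be run
 * offline; the string fields are 16 and 64 bytes as in the buffer layout. */
static void build_sample_buf(uint8_t buf[DEVINFO_BUF_LEN], uint32_t status,
        uint32_t type_word, uint32_t id, const char *serial, const char *desc)
{
    memset(buf, 0, DEVINFO_BUF_LEN);
    memcpy(buf + 0x00, &status, 4);
    memcpy(buf + 0x04, &type_word, 4);
    memcpy(buf + 0x08, &id, 4);
    strncpy((char *)buf + 0x10, serial, 15);
    strncpy((char *)buf + 0x20, desc, 63);
}
```

The point for anyone relying on this chain: the device identity that SEMCXUSB.dll later reports upward is simply whatever this user-mode DLL reads back from the driver buffer, so a server must not treat it as a trustworthy attestation of the attached hardware.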

SE4NICK Posts: > 500

So, has there been any more progress?

--
Posted: 2007-06-04 10:52:34