K750i EROM CID36 red - disassembled w/ comments
hendrix Joined: Jan 05, 2006 Posts: 2 PM
What can I say. Use cracked sonics to read the memory from
44000000 - 4400291f. Then plug this into an ELF binary and set the
section address of the <.text> section to 44000000. Then disassemble
it using ARM setting and using THUMB setting (arm7 processor) (giving you 2 files).
Then put together the EROM's disassembly by selecting the right instructions from
the ARM/THUMB output.
Hint to start off: EROM starts with a vector table with ARM instructions. After that,
you are on your own. lol. "bx" and "blx" change from ARM<->THUMB mode BTW.
Interesting for you guys is probably
A) boot sequence (starting at 44000000 which is mapped to 00000000 at that moment)
B) __handleUSBcmd_ function
Comments are sparse, except in the interesting places.
Have fun:
Some key addresses:
00018000: f9050054 ; copied from 440028bc (0xd bytes):
00018004: 00000103 ; basebandID1 (first 2 bytes missing)
00018008: ffffffff ; basebandID2
0001800c: 00 ; 0/1 flag: basebandID has been constructed (see 44001db0)
00018010-
00018dc0: cleared region upon boot
00018018: ptr_to_struct ; see (init00018018) and other accesses
00018340: d03777ed ; flag for "no USB command so far" -> boot to firmware on timeout
00018349: 00 ; initialized to 00 (see d03777ed)
44000000 size 20000 : EROM (128kB)
44020000 size 13e0000 : firmware (20MB)
45400000 size b00000 : filesystem part1 (12MB)
45f00000 size 100000 : gdfs (1MB)
46000000 end
50000000 size 2000000 : filesystem part2 (32MB)
52000000 end
f9090000: 4080 ; basebandID (will be byteswapped for 00018004)
EROM.out: file format elf32-littlearm
Disassembly of section .text:
.arm ; booting : instruction 1 : jump to c4
44000000: e59ff018 ldr pc, [pc, #24] (44000020) ; 000000c4 reset
44000004: e59ff018 ldr pc, [pc, #24] (44000024) ; 44020004 undefined instruction
44000008: e59ff018 ldr pc, [pc, #24] (44000028) ; 44020008 software int
4400000c: e59ff018 ldr pc, [pc, #24] (4400002c) ; 4402000c abort (prefetch)
44000010: e59ff018 ldr pc, [pc, #24] (44000030) ; 44020010 abort (data)
44000014: e59ff018 ldr pc, [pc, #24] (44000034) ; 44020014 reserved
44000018: e59ff018 ldr pc, [pc, #24] (44000038) ; 44020018 IRQ
4400001c: e59ff018 ldr pc, [pc, #24] (4400003c) ; 4402001c FIQ
44000020: 000000c4 .int 000000c4
44000024: 44020004 .int 44020004
44000028: 44020008 .int 44020008
4400002c: 4402000c .int 4402000c
44000030: 44020010 .int 44020010
44000034: 44020014 .int 44020014
44000038: 44020018 .int 44020018
4400003c: 4402001c .int 4402001c
44000040: 44000040 .int 44000040 ; end of vector-table, start of code
44000044: 4400ffff .int 4400ffff ; end of EROM code
44000048: 00000000 .int 00000000
4400004c: 00000000 .int 00000000
; setup stackpointers for some modes
; call: init some hardware
; returns r0 = 1
.thumb
44000050: a000 add r0, pc, #0 (adr r0,44000054)
44000052: 4700 bx r0
.arm
44000054: e92d0003 stmdb sp!, {r0, r1}
44000058: e3a01414 mov r1, #335544320 ; 0x14000000
4400005c: e3a00040 mov r0, #64 ; 0x40
44000060: e5810000 str r0, [r1]
44000064: e8bd0003 ldmia sp!, {r0, r1}
44000068: e92d4000 stmdb sp!, {lr}
4400006c: e10f0000 mrs r0, CPSR ; backup CPSR
44000070: e329f0d7 msr CPSR_fc, #215 ; 0xd7 = nzcvIFt 10111=Abort-mode
44000074: e59fd030 ldr sp, [pc, #48] (440000ac) ; sp=f3001108 (setup Abort sp)
44000078: e329f0db msr CPSR_fc, #219 ; 0xdb = nzcvIFt 11011=Undefined-mode
4400007c: e59fd02c ldr sp, [pc, #44] (440000b0) ; sp=f3001110 (setup Undefined sp)
44000080: e329f0d1 msr CPSR_fc, #209 ; 0xd1 = nzcvIFt 10001=FIQ-mode
44000084: e59fd028 ldr sp, [pc, #40] (440000b4) ; sp=f3001118 (setup FIQ sp)
44000088: e129f000 msr CPSR_fc, r0 ; restore CPSR
4400008c: eb00001b bl 44000100 ; init some hardware
; returns r0 = 0x1d
44000090: e3500001 cmp r0, #1 ; r0 == 1 ?
44000094: 1a000001 bne 440000a0
44000098: e3a00000 mov r0, #0 ; return r0 = 0
4400009c: ea000000 b 440000a4
440000a0: e3a00001 mov r0, #1 ; return r0 = 1
440000a4: e8bd4000 ldmia sp!, {lr}
440000a8: e12fff1e bx lr
440000ac: f3001108 .int f3001108
440000b0: f3001110 .int f3001110
440000b4: f3001118 .int f3001118
440000b8: 00000000 .int 00000000
440000bc: 00000000 .int 00000000
; ptr to functiontable_0
440000c0: 000000d0 .int 000000d0
; booting : instruction 2 : jump to 440001ac
440000c4: e51ff004 ldr pc, [pc, #-4] (440000c8) ; 440001ac
440000c8: 440001ac .int 440001ac
440000cc: 00000000 .int 00000000
; functiontable_0
440000d0: 00000009 .int 00000009 ; sizeoftable
440000d4: 5c029fab .int 5c029fab ; checksum: sum of tablecontents
440000d8: 000025f4 .int 000025f4 (#0) ; ptr to signature (+44000000)
440000dc: 00000000 .int 00000000 (#1)
440000e0: 00000000 .int 00000000 (#2)
440000e4: 44020000 .int 44020000 (#3)
440000e8: 440028e0 .int 440028e0 (#4) ; functiontable_1 (verification functions)
440000ec: 440028d0 .int 440028d0 (#5)
440000f0: 4c000000 .int 4c000000 (#6)
440000f4: ffffffff .int ffffffff (#7)
440000f8: 44002808 .int 44002808 (#8)
440000fc: 00000000 .int 00000000
; init some hardware
; returns r0 = 0x1d
44000100: ee110f10 mrc 15, 0, r0, cr1, cr0, {0}
44000104: e3800a01 orr r0, r0, #4096 ; 0x1000
44000108: e3c00004 bic r0, r0, #4 ; 0x4
4400010c: e3c00001 bic r0, r0, #1 ; 0x1
44000110: e3800c01 orr r0, r0, #256 ; 0x100
44000114: e3c00a02 bic r0, r0, #8192 ; 0x2000
44000118: e3c00902 bic r0, r0, #32768 ; 0x8000
4400011c: ee010f10 mcr 15, 0, r0, cr1, cr0, {0}
44000120: ee191f11 mrc 15, 0, r1, cr9, cr1, {0}
44000124: e3a00801 mov r0, #65536 ; r0 = 0x10000
44000128: e380001c orr r0, r0, #28 ; r0 |= 0x1c
4400012c: e3800001 orr r0, r0, #1 ; r0 |= 0x1
44000130: ee090f11 mcr 15, 0, r0, cr9, cr1, {0}
44000134: ee190f31 mrc 15, 0, r0, cr9, cr1, {1}
44000138: e3a00000 mov r0, #0 ; r0 = 0x0
4400013c: e380001c orr r0, r0, #28 ; r0 |= 0x1c
44000140: e3800001 orr r0, r0, #1 ; r0 |= 0x1
44000144: ee090f31 mcr 15, 0, r0, cr9, cr1, {1}
44000148: e12fff1e bx lr
; _IRQon_a returns old IRQ-bit status
_IRQon_a: e10f0000 mrs r0, CPSR
44000150: e3c0c080 bic ip, r0, #128 ; 0x80 = clear IRQ bit (enable IRQ)
44000154: e121f00c msr CPSR_c, ip
44000158: e1a003a0 mov r0, r0, lsr #7
4400015c: e2000001 and r0, r0, #1 ; 0x1
44000160: e12fff1e bx lr ; return old IRQ bit
; _IRQoff_a returns old IRQ-bit status
_IRQoff_a: e10f0000 mrs r0, CPSR
44000168: e380c080 orr ip, r0, #128 ; 0x80 = set IRQ bit (disable IRQ)
4400016c: e121f00c msr CPSR_c, ip
44000170: e1a003a0 mov r0, r0, lsr #7
44000174: e2000001 and r0, r0, #1 ; 0x1
44000178: e12fff1e bx lr ; return old IRQ bit
...
---- EDIT1
Grr, 236k of text is too much for the bulletin. Can somebody help me out with where to upload it??
---- EDIT2
The rapidshare link is:
http://rapidshare.de/files/10510690/EROM_red.asm.html
---- EDIT3
Updated the offset-list in flash memory.
---- EDIT4
Find the same post on SE-NSE:
http://forums.se-nse.net/index.php?showtopic=2558
[ This Message was edited by: hendrix on 2006-01-07 12:17 ]
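As an added example (it is not hendrix's code and not one of the tools linked in this thread), the Python script below does the first triage steps the post describes on a raw EROM read-out: it resolves the eight exception vectors from the "ldr pc, [pc, #24]" table, recomputes the functiontable_0 checksum that the listing annotates at 440000d4 as "sum of tablecontents", and wraps the raw bytes in a minimal ELF32 little-endian ARM file whose .text section is placed at 44000000, so objdump or a GUI disassembler sees the code at its real addresses. The embedded bytes are constructed from the listing's first 0x40 bytes and the nine table words; the output file name EROM.out, the helper names and the use of an arm-none-eabi toolchain are assumptions.

```python
import struct

BASE = 0x44000000  # EROM load address named in the post

# Constructed sample: the first 0x40 bytes of the EROM, assembled from the words
# the listing shows at 44000000-4400003c (eight "ldr pc, [pc, #24]" instructions
# followed by their eight literal targets). A real dump read with sonics would be
# the full 0x2920 bytes from 44000000 to 4400291f.
_VECTOR_WORDS = [0xE59FF018] * 8 + [
    0x000000C4, 0x44020004, 0x44020008, 0x4402000C,
    0x44020010, 0x44020014, 0x44020018, 0x4402001C,
]
SAMPLE_DUMP = b"".join(struct.pack("<I", w) for w in _VECTOR_WORDS)

EXCEPTION_NAMES = ["reset", "undefined instruction", "software interrupt",
                   "prefetch abort", "data abort", "reserved", "IRQ", "FIQ"]


def decode_vector_table(image, base):
    """Resolve the eight ARM exception vectors when each entry is a PC-relative
    'ldr pc, [pc, #imm]' (encoding 0xE59FF000 | imm12). In ARM state the PC
    reads as instruction address + 8, so the literal sits at addr + 8 + imm."""
    vectors = []
    for i in range(8):
        addr = base + 4 * i
        insn = struct.unpack_from("<I", image, 4 * i)[0]
        if insn & 0xFFFFF000 != 0xE59FF000:
            raise ValueError(f"vector at {addr:08x} is not 'ldr pc, [pc, #imm]'")
        literal = addr + 8 + (insn & 0xFFF)
        target = struct.unpack_from("<I", image, literal - base)[0]
        vectors.append((EXCEPTION_NAMES[i], target))
    return vectors


# functiontable_0 as listed at 440000d8-440000f8; the word at 440000d4 is the
# checksum the listing annotates as "sum of tablecontents".
FUNCTIONTABLE_0 = [0x000025F4, 0x00000000, 0x00000000, 0x44020000, 0x440028E0,
                   0x440028D0, 0x4C000000, 0xFFFFFFFF, 0x44002808]


def functiontable_checksum(entries):
    """32-bit wrap-around sum of the table entries."""
    return sum(entries) & 0xFFFFFFFF


def wrap_as_arm_elf(image, base):
    """Build a minimal ELF32 little-endian ARM file whose single .text section
    carries 'image' at address 'base', so objdump/IDA show the dump at its real
    addresses. Layout: ELF header, .text bytes, .shstrtab, section headers."""
    ehdr_size, shdr_size = 52, 40
    text_off = ehdr_size
    shstrtab = b"\0.text\0.shstrtab\0"            # names at offsets 1 and 7
    shstr_off = text_off + len(image)
    shoff = shstr_off + len(shstrtab)
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8  # ELFCLASS32, LSB, v1
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        1,            # e_type = ET_REL
        40,           # e_machine = EM_ARM
        1,            # e_version
        base,         # e_entry: the reset vector lives at the start of the image
        0,            # e_phoff: no program headers
        shoff,        # e_shoff
        0x05000000,   # e_flags = EF_ARM_EABI_VER5
        ehdr_size, 0, 0,   # e_ehsize, e_phentsize, e_phnum
        shdr_size, 3,      # e_shentsize, e_shnum (null, .text, .shstrtab)
        2)            # e_shstrndx

    def shdr(name, typ, flags, addr, off, size):
        # sh_name, sh_type, sh_flags, sh_addr, sh_offset, sh_size,
        # sh_link, sh_info, sh_addralign, sh_entsize
        return struct.pack("<IIIIIIIIII", name, typ, flags, addr, off, size, 0, 0, 4, 0)

    sections = (shdr(0, 0, 0, 0, 0, 0)                               # SHN_UNDEF
                + shdr(1, 1, 0x6, base, text_off, len(image))         # PROGBITS, ALLOC|EXEC
                + shdr(7, 3, 0, 0, shstr_off, len(shstrtab)))         # STRTAB
    return ehdr + image + shstrtab + sections


if __name__ == "__main__":
    for name, target in decode_vector_table(SAMPLE_DUMP, BASE):
        print(f"{name:22s} -> {target:08x}")
    print(f"functiontable_0 checksum: {functiontable_checksum(FUNCTIONTABLE_0):08x}")
    with open("EROM.out", "wb") as f:   # assumed output name, matches the listing header
        f.write(wrap_as_arm_elf(SAMPLE_DUMP, BASE))
```

Feed the full sonics read-out instead of SAMPLE_DUMP to get a usable EROM.out. The two listings the post describes then come from one binutils invocation each: `arm-none-eabi-objdump -d EROM.out` for the ARM pass and `arm-none-eabi-objdump -d -M force-thumb EROM.out` for the THUMB pass; the checksum function is a quick sanity check that a dump was not truncated or bit-flipped in the function table region before any hand-merging starts.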
souljav Joined: Dec 08, 2005 Posts: 27 PM
WOW i wish i knew wat all dis meanz lol
batesie Joined: Feb 13, 2004 Posts: > 500 From: London, UK PM
Nice work hendrix! I think if you're not a developer already then you should be...
TheGlassJAw Joined: May 17, 2003 Posts: 370 From: london PM
Well duh, everybody knows that!
jockyw2001 Joined: Oct 29, 2005 Posts: 37 PM
@hendrix:
This is brilliant! Greatly appreciated, and finally we can think of running linux on SE phones.
A couple of questions:
You refer to 50000000-52000000: FILESYSTEM2, this must be the 32MB phone memory (NAND flash). We know that after flashing the filesystem must be customized with customized.xml, certificates, etc. Are these files stored in FILESYSTEM2? If yes, are they stored in a hidden partition, at least they are not visible via BT? Do you think there is a way to avoid the post-flash customize operation?
PS: I have added a link in the "Daredevils" thread. This stuff is too good!
/JockyW
hendrix Joined: Jan 05, 2006 Posts: 2 PM
What do you mean by BT?
--
It appears that filesystem2 is some kind of "locked". When sonics reads this memory, it returns just crap ("e0"). Probably there's no way around reversing the firmware partially to get the unlocking procedure. Probably just some peek/poke data in the hardware and it will be readable.
--
I guess we can put the certificates into the FS flashfile right away, saving us from finalizing the phone.
With jockyw2001's program to make arbitrary flashfiles and my program below to reconstruct the filesystem from a flashfile/memory readout. Somebody needs to write the "reverse program" to my filesystem reconstructor. So the workflow would be:
- make filesystem (there are 4 filesystems) from flashfile
- mount filesystem (#0) image (it's a FAT filesystem) as read/write
- copy certificates and customize.xml to /tpa/preset/...
- unmount altered diskimage
- todo: create memory-image from filesystems
- plug the memory-image into jockey's program
- flash with davinci -> already finalized
Link to my programs:
A: (worschestyre sauce) : extract the mountable diskimage from a Filesystem (FS) flashfile
B: (oyster sauce) : extract the mountable diskimage from a sonics memoryread ( Sonics -> read memory -> address $45400000, length $b00000 )
Mountable means the diskimage (a file) behaves like a harddisk, where you can read/write data to/from. On this filesystem there are the themes, the games, and all the stuff that is installed by default on your phone.
http://rapidshare.de/files/10[....]esystemreconstruction.zip.html
---- EDIT
Rephrased some stuff, made it better readable. lol. I hope.
[ This Message was edited by: hendrix on 2006-01-07 11:50 ]
rockygali Joined: Nov 21, 2005 Posts: > 500 From: PM, WWW
i c... now this comes with worschestyre sauce or with oyster sauce?
jesus christ! talk layman guys! hehehehe
anyway, whatever the sound of this.. it means... errr...
ok i still don't get it!
"Darkness is the absence of light.. and not the opposite..."
jockyw2001 Joined: Oct 29, 2005 Posts: 37 PM
Quote:
On 2006-01-07 02:15:48, hendrix wrote:
what do you mean by BT?
Bluetooth
Excellent work hendrix.
If I have some spare time I will try out your findings.
Cheers,
JockyW
voda_jon Joined: Nov 28, 2004 Posts: > 500 PM
lol at u all for thinkin its gonna be this easy to make ur own little firmwares... take a look at the forums on www.setool.net to see some real pros... If it was this easy to disassemble a firmware file, change it and put it back together, don't u think these guys would be doing it? or other people would be doing it? There is a good reason why u don't see new firmwares comin out from people who have made them!
ITS FECKIN IMPOSSIBLE>>> I won't go into why coz i can't be bothered but go ahead and try to flash it an see your phone die before ur very own eyes... lol
J.
mb-new Joined: Dec 28, 2004 Posts: 135 From: Moscow, Russia PM, WWW
voda_jon
why are you so sceptical? indeed there're a few real pros at setool or other forums
hendrix, keep up the good work!
...if I could get a small C compiler for win32
Anyone, pls compile it for windows... Wait, the result file should be mounted, I have no *nix now.
hendrix, maybe just make a tar archive instead of a partition image? Does someone know a way to look into partition images in Windows?
_________________
BR, Mikhan aka mb @senews.org
S700i (R3M008),K750i (W800 R1AA008),T65 (R6A006),Z520i (R3C035)
[ This Message was edited by: mb-new on 2006-01-14 00:06 ]
[ This Message was edited by: mb-new on 2006-01-14 00:07 ]
Beep Joined: Nov 18, 2005 Posts: 172 From: Bottom of the Garden... PM, WWW
maybe, instead of adding stuff...
...take it away.
see what's the minimum you can have, then add to that.
The MAIN must contain most of all that's needed and also must contain some kind of RESET image.
It would be v.cool if Firmware_Lt (Lite) was about.
Good Luck with whatever you peeps do
voda_jon Joined: Nov 28, 2004 Posts: > 500 PM
i'm sceptical coz i know this can't be done an don't see any reason to get all excited about the possibility of a specialised firmware for sony ericsson phones...
If it could be done it would of bin done by now and loads would be doing it.... but as there isn't even 1 customised firmware doin the rounds what are the chances that it's possible?
0 i tell yeh!
mb-new Joined: Dec 28, 2004 Posts: 135 From: Moscow, Russia PM, WWW
I've managed to compile both sauces for windows
But I can't read any file, I see only a listing of directories
How to read files from those images?
BR, Mikhan aka mb M600 + HBH-DS970
baste07 Joined: Nov 07, 2002 Posts: > 500 PM
sorry.. but what's the code above for? i hope something new and useful for the k750i
darkmen Joined: Mar 24, 2006 Posts: 23 From: Ukraine PM, WWW
Hello all,
Take a look at this program.
It unpacks the FS file for k750/w800/k600 into a files/folders tree.
http://sephone.h15.ru/sefstool_v11.rar
[ This Message was edited by: Darkmen on 2006-03-24 15:07 ]