仅仅一点经验之谈
0x01 get u binary
dump binary from flash
dump binary when update firmware
…
0x02 loader to ida
like this ,I have a bluetooth binary ..
we got a firmware from some one smart door lock, in he firmware upgrade traffic.
When we use ida open it,we can see it .
- Firstly ,we know it is arm
- Secondlye ,we guess it is arm little-endian
So,we choice Processor type:
than ,we press ok… we can see:
we choice yes, than..
How to fill this table? Keep the default and press ok.
0x03 fix the binary
when the ida auto analysis has been finished.we saw like this.
what fuck this????
Only rom segmentation,we should create other segmentation and find the code seg. so we should to find some information and analysis this bin .
we use hot-key “D”,to fix some data.
Generally peaking ,
:00000000 DCD 0x20007AD8
after is interupt vector
In the red box is function pointer. and first function pointer is odd number ,so we can think this bin is 16-bit. So we change it use alt g
and choice T register value 0 to 1
控制位 含义
I I=1 禁用IRO中断
F F=1 禁用FIQ中断
T ARMv4以上T版本T=0 执行ARM指令,T=1执行Thumb指令。
ARMv5以上非T版本T=0 执行ARM指令,T=1表示下一条指令产生未定义指令中断。M[4:0]
thumb指令集是arm指令集的一个子集,是针对代码密度问题而提出的,它具有16位的代码宽度。与等价的32位代码相比较,thumb指令集在保留32位代码优势的同时,大大的节省了系统的存储空间。thumb不是一个完整的体系结构,不能指望处理器只执行thumb指令集而不支持arm指令集。
than we should guest the binary base address
we know ,usually the base low 3 bit is zero..and the interupt vector addr after of the base…so we guest the base addr is 0x1b000 ..so we try change base addr.
set the value equal 0x1b000
now ,these interrupt is functuon pointer:
Next step ,we should restore code
use P and C hot-key..
like this 0x10 data ,it maybe is push
opcode so we press P to analysis…
if we finish ,than we shoulde create some seg
like this url Setup and Find Entry-point in ARM Firmware - Hardware Wallet Research #4
先写到这。。还原 seg 我写脚本 恢复代码去了。
1 | import idaapi |
run this script we got