baselsayeh / e5577s_321_kernel

hacked up kernel source for e5577s_321 (and e5577Cs_321)

..... #2

Closed saqie1393 closed 3 years ago

saqie1393 commented 3 years ago

solve

baselsayeh commented 3 years ago

Vxwork just extract with 7zip and open in IDA disassembler? Some little instruction about opening and CPU start address

Disassembly with IDA fails, as I do not know the loader address.


_Originally posted by @saqie1393 in #1 (comment)_

Should work. Try running 'auto analysis' or anything like that in IDA, and make sure to choose "ARMv7 little endian" as the architecture.

baselsayeh commented 3 years ago

which disassembler do you use for analysis... vxwork extracted with 7zip....?

I use IDA 32-bit


this is my IDA setting. Where do I search for the string value?

Correct. As for the loading address, it should be located at offset 0x38 from the vxworks partition. It should be 0x50d10000.
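An added worked example (not code from this thread or the repository) of the two arithmetic steps the reply relies on: reading the load address stored at offset 0x38 of the vxworks partition, and converting between a file offset and a virtual address ("loading address + function address", e.g. 0x5d7174 in the file is 0x512E7174 once loaded at 0x50d10000). It assumes the stored value is a 32-bit little-endian word (the image is ARMv7 little endian) and runs on a constructed stand-in image, not the real firmware.

```python
import struct

LOAD_ADDR_OFFSET = 0x38  # per the reply: load address lives at 0x38 of the partition
# One of the marker strings named later in the thread; NUL-terminated as in a C binary.
MARKER = b"WAS_CSEL_MNTN_TreselectionTimerStopEventRpt\x00"


def build_sample_image(load_addr=0x50D10000, string_off=0x1000, size=0x2000):
    """Constructed stand-in for a vxworks partition: zeros, a load-address word
    at 0x38 (assumed 32-bit little endian) and one marker string."""
    img = bytearray(size)
    struct.pack_into("<I", img, LOAD_ADDR_OFFSET, load_addr)
    img[string_off:string_off + len(MARKER)] = MARKER
    return bytes(img)


def read_load_address(img):
    """Return the load address stored at offset 0x38 (assumed <I encoding)."""
    if len(img) < LOAD_ADDR_OFFSET + 4:
        raise ValueError("image too short to hold a load address at 0x38")
    return struct.unpack_from("<I", img, LOAD_ADDR_OFFSET)[0]


def va_to_file_offset(va, load_addr, img_len):
    """Virtual address -> file offset; rejects addresses outside the image."""
    off = va - load_addr
    if not 0 <= off < img_len:
        raise ValueError(f"VA {va:#x} is outside the image")
    return off


def file_offset_to_va(off, load_addr):
    """File offset -> virtual address, i.e. loading address + function address."""
    return load_addr + off


def find_string_vas(img, needle, load_addr):
    """Virtual addresses of every occurrence of needle; these are the addresses
    whose xrefs a disassembler would show once the image is loaded at load_addr."""
    vas, start = [], 0
    while (pos := img.find(needle, start)) != -1:
        vas.append(file_offset_to_va(pos, load_addr))
        start = pos + 1
    return vas


if __name__ == "__main__":
    img = build_sample_image()
    base = read_load_address(img)
    print(f"load address: {base:#x}")
    print(f"FUN_{0x5D7174:08x} loads at {file_offset_to_va(0x5D7174, base):#x}")
    print("marker string at", [f"{va:#x}" for va in find_string_vas(img, MARKER[:-1], base)])
```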

saqie1393 commented 3 years ago


Does it look like this setting?

saqie1393 commented 3 years ago

same firmware 21.333.64.00.1456 analyzed but not found.... this type of window


baselsayeh commented 3 years ago

Are you sure that you have done the auto-analysis????? Try going to address 0x512E7174 (loading address + function address). Do you see any code that has been disassembled?

baselsayeh commented 3 years ago

auto analysis is on.... loading address and ROM address changed..... with 0x512E7174...

show this type of window


Are you sure that you are using the same firmware (E5573cs-322 21.333.64.00.1456)? Can you send me the vxworks file?

baselsayeh commented 3 years ago

https://www.mediafire.com/file/t49navi0wypbte3/balong_modem.7z/file

Just noticed the picture. Go to sub_512E7174 (press G and type 0x512e7174). Does IDA recognize that as a function? If so, decompile that function (F5), and you should find the script offset there.

baselsayeh commented 3 years ago

can you share a screenshot?

Of the disassembled function? It will look slightly different, as I'm using Ghidra rather than IDA.

baselsayeh commented 3 years ago


show start up this one?

No. Keep the loading address at 0x50d10000.

baselsayeh commented 3 years ago

can you find the offset value 52612 in this vxwork?

Yes you can.

This process will be different for each firmware/device. Searching for "WAS_CSEL_MNTN_TreselectionTimerStopEventRpt" or "WAS_CSEL_PhyLrrcEutraMeasStopInIdleCnf" xrefs will lead to this offset. (The xrefs are shown on the right; the function we are interested in is FUN_512e7174.)

I would recommend you to use the offsets that are already found, so that you don't have to do this reverse engineering process if you don't have any prior knowledge about it.

baselsayeh commented 3 years ago

IDA Pro does not find this... can this software work on a Windows PC?

Yes it can, but it will also work in IDA using auto analysis.

baselsayeh commented 3 years ago

the offset is 0x5261B268, found at function 0x005dc9fc


From: saqie1393, Sent: Sunday, May 16, 2021 5:06 PM, Subject: Re: [baselsayeh/e5577s_321_kernel] Vxwork just extract with 7zip and open in ida dissambler ? (#2)

You found it in IDA? I have a different installation of IDA Pro but do not find that......?

you can find this firmware code

https://www.mediafire.com/file/de32wvcb2vhmowa/balong_modemE5577.7z/file


baselsayeh commented 3 years ago

Search -> For Strings -> Search. After the search is complete, copy and paste the string into the filter box, and you should find it in the results.


From: saqie1393, Sent: Sunday, May 16, 2021 5:29 PM, Subject: Re: [baselsayeh/e5577s_321_kernel] Vxwork just extract with 7zip and open in ida dissambler ? (#2)

I have installed Ghidra. How do I search for WAS_CSEL_MNTN_TreselectionTimerStopEventRpt?


baselsayeh commented 3 years ago

https://www.mediafire.com/file/t49navi0wypbte3/balong_modem.7z/file

ecall __arm_ioremap 0x52612EA0 1 1

In this binary, the function is in FUN_005d74f4, and the offset is 0x52612ea0.

If you can't find it by string search, use BinDiff and compare the E5573cs-322 21.333.64.00.1456 vxworks image with the target vxworks image. The program will compare the binaries and find similar functions. After using it on this firmware, FUN_005d7174 (from 21.333.64.00.1456) should be identical to FUN_005d74f4. Read the BinDiff manual here.

baselsayeh commented 3 years ago

loading address set to 0x51d0000 in Ghidra software... when analyzing... this binary...

For now, you don't need to set the loading address.

baselsayeh commented 3 years ago

https://www.mediafire.com/file/jmauk4ozxq0fkpb/modem.zip/file

I have this modem. I understand the other firmware analysis a little bit. Can you find my modem's offset?

the value is 0x52aeb9f0, located in FUN_005de258

baselsayeh commented 3 years ago

Is there any simple way to find the offset for any new firmware, loading it and searching for the value? In a Ghidra extension?

I'm afraid not. You need to have reverse engineering experience.