ПРОЕКТЫ 


  АРХИВ 


Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  СТАТЬИ 


  ПЕРСОНАЛЬНОЕ 


  ПРОГРАММЫ 



ПИШИТЕ
ПИСЬМА














     АРХИВ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] THC releases Nokia Phone ROM images



На радость вирусо- и троянописателям для мобильников...

------------
http://www.thc.org/thc-rom/
Mobile Phone ROM Image and Reverse Engineering Invitation 
http://www.thc.org/thc-rom/ 2005-05-26 Abstract The following webpage contains 
ROM images from various mobile phone operating systems. Our intention is to 
motivate other reverse engineers to take a look at the images and to discover 
other hidden secrets. Other reasons are that it is said to be hard to extract 
the ROM. Certainly another reason is that Nokia does not release any technical 
information about the hardware and I find this rather disappointing. (It's my 
strong believe that when I buy hardware that I should also be allowed to know 
what's in it and how to use it.)


thc-nokia-rom-images.tar.gz (All in one. 34.1 MB)

NOKIA 6630
n6630-rom-0x5000000.dmp
n6630-rom-0x5000000-info.txt (ROM information dump)
n6630-virt-phys-map.txt (list of virtual to physical address mapping)

NOKIA n70
n70-rom-0x50000000.dmp
n70-rom-0x50000000-info.txt

NOKIA N-GAGE
ngage-rom-0x50000000.dmp
ngage-rom-0x50000000-info.txt
ngage-gsmstuff-0x5149D280.dll (gsm stack?)
ngage-virt-phys-map.txt

SonyEricsson P900
p900-rom-0x50000000.dmp
p900-rom-0x50000000-info.txt

Where to go from here:
- Get the symbian/Nokia SDK. Start with extracting the files from the rom image
  and load them into IDA (see e32rom.h). Get SDK's from different vendors. Some 
  come with more header files than others and it's best to have a mix of all
  headers.
- Load the ROM into IDA. Check for jumps/calls outside the ROM address space.
  (hint: to many secrets!)
- Write your own kernel module. Map some physical address pages that are
  currently not mapped. Wuuhhaa.

Some quick information:
1) Virtual Memory & MMU system. ARM, 32bit. Binaries are executed
   directly in ROM (XIP, no relocation to RAM).
1) Page directory contains pointers to 1MB sections or 4k page tables.
2) Virtual address map:

+----------------------------+------------------------------------------------+
| 0x0040 0000 - 0x2FFF FFFF  : User Data                                      |
| 0x3000 0000 - 0x3FFF FFFF  : Static data for Java                           |
| 0x4000 0000 - 0x4000 1FFF  : Super page + CPU page                          |
| 0x4001 0000 - 0x4001 0FFF  : Shadow RAM page temporary address              |
| 0x4100 0000 - 0x4100 3FFF  : Page Directory                                 |
| 0x4108 0000 - 0x4108 3FFF  : Page table info                                |
| 0x4200 0000 - 0x423F FFFF  : Page tables                                    |
| 0x5000 0000 - 0x57FF FFFF  : ROM image                                      |
| 0x5800 0000 - 0x5EFF FFFF  : Memory-mapped I/O (danger!)                    |
| 0x5F00 0000 - 0x5FFF FFFF  : Video RAM (fun!)                               |
| 0x6000 0000 - 0x7FFF FFFF  : RAM                                            |
| 0x8000 0000 - 0xXXXX XXXX  : Kernel data/bss section                        |
| 0xXXXX XXXX - 0xXXXX XXXX  : Reentrant/IRQ/FIQ/Null/Exception kernel stack  |
| 0xXXXX XXXX - 0xXXXX XXXX  : Fixed chunks data for ROM fixed processes (?)  |
| 0xXXXX XXXX - 0xXXXX XXXX  : Kernel server heap and stack                   |
| 0xXXXX XXXX - 0xXXXX XXXX  : Home Section / All Processes                   |
| 0xXXXX XXXX - 0xXXXX XXXX  : RAM-loaded EXE & DLL code                      |
| 0xFFF0 0000 - 0xFFFE FFFF  : Void / Empty                                   |
| 0xFFFF 0000 - 0xFFFF FFFF  : Vectors (hoho!)                                |
+----------------------------+------------------------------------------------+


Note: Big thanks goes to an anonymous contributor without his help all this
would not have been possible.

Yours sincerely,

The Hackers Choice
http://www.thc.org



 




Copyright © Lexa Software, 1996-2009.