SweetW0R @ 04.03.2013, 15:42
I can knock together a small FAQ on what to do. I see that enthusiasm among the forum members is growing, and the LG Optimus will stay on the market for a long time.
I would have a poke around in yours ...
1) You need to know a little assembly.
2) You need a disassembler program, IDA Pro.
Small FAQ:
Load the file to be disassembled, having first found out its ImageBase (the memory address at which the file is loaded), and specify the offset (if any) to the first instruction. The first instruction is usually an unconditional jump to the main procedure and looks like this: B locXX.
On Qualcomm the bootloader is in the emmc_apps.bin file and is loaded at address zero, with an offset of 0x200 bytes into the file.
On TI OMAP the protection is in U-Boot; the imagebase here can be anything, but it is usually of the form 0xXX000000.
Choose processor type: ARM. Instruction type: Any.
Disassemble as much as possible by pressing C.
Now to the point: the bootloader has debug output lines to the UART.
We need to find the SecureBoot block.
So, in LG's bootloader, before SecureBoot starts, a line like "SecureBoot started" is printed to the UART.
We need to find this place. Usually a string is output like this:
LDR R0, [a pointer to the string]
BL subXXXX
So, if the program is loaded at the right ImageBase, then when you jump to [the pointer to the string] you can look at the piece of memory where the string will be visible.
So, if this place is found, half the job is done.
Now somewhere in this block (the block is small, so it can be analysed) there will be a call to the hash verification procedure (BL subXXXX).
After it, the result of the check is tested, and a jump is made either on error or to the end of the SecureBoot procedure.
It is necessary to patch it so that the jump goes to the end of the SecureBoot procedure for any result of the hash check.
Typically, at the end of the procedure a successful-completion string is printed to the UART (e.g. "SecureBooting End").
Patch it however you like: for example, put in unconditional jumps to the end of SecureBooting, NOP things out, change the result returned by the hash verification procedure ... In general, do whatever your imagination allows, as long as it gets to SecureBootEnd. Only now you have to patch opcodes :-( After a successful patch you get respect and pluses in rep :rolleyes:, and then quickly run for a good beer, because after disassembling your head starts to ache terribly and mov, add, cmp and other nasty instructions run before your eyes :rofl:
P.S. To get started with disassembling, dig into the L7 sources I posted here.
Post has been edited by payback - 05.03.13, 10:43
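The procedure above, as an added worked example that is not code from the forum post, from LG or from Qualcomm: a Python script that follows the post's trail (UART string, literal pool, the LDR that loads it, the BL whose result feeds the next conditional branch) in a raw ARM image, converts virtual addresses to file offsets, and applies the three patch options the post mentions by encoding the ARM opcodes itself. It assumes 32-bit little-endian ARM state (not Thumb), a flat image where file offset = VA - IMAGE_BASE + CODE_FILE_OFFSET (the post's Qualcomm layout: base 0, code at 0x200), and that the string is loaded with LDR Rd,[PC,#imm] from a literal pool. The image it operates on is constructed by hand for the demonstration; the function and constant names are my own.

```python
"""Locate and patch the SecureBoot hash check in a raw 32-bit ARM bootloader image.

Added example; not code from the forum post, LG or Qualcomm. Assumptions:
little-endian ARM state (not Thumb), a flat image where
file_offset = va - IMAGE_BASE + CODE_FILE_OFFSET (the post's emmc_apps.bin
layout: base 0, code at file offset 0x200), and the UART string loaded with
LDR Rd,[PC,#imm] from a literal pool. build_sample_image() is a constructed toy.
"""
import struct

IMAGE_BASE = 0x0          # assumption: image is loaded at address 0
CODE_FILE_OFFSET = 0x200  # assumption: code begins 0x200 bytes into the file
BOOT_STRING = b"SecureBoot started"

COND_AL, COND_NE = 0xE, 0x1
NOP = 0xE1A00000          # MOV R0, R0
BX_LR = 0xE12FFF1E
MOV_R0_0 = 0xE3A00000     # MOV R0, #0


def va_to_off(va):
    return va - IMAGE_BASE + CODE_FILE_OFFSET


def off_to_va(off):
    return off - CODE_FILE_OFFSET + IMAGE_BASE


def code_end(img):
    """VA one past the last complete word in the image."""
    return IMAGE_BASE + ((len(img) - CODE_FILE_OFFSET) & ~3)


def read_u32(img, va):
    return struct.unpack_from("<I", img, va_to_off(va))[0]


def write_u32(img, va, word):
    struct.pack_into("<I", img, va_to_off(va), word)


def encode_branch(pc, target, cond=COND_AL, link=False):
    """ARM B/BL: cond 101L imm24, imm24 = (target - (pc + 8)) >> 2."""
    off = target - (pc + 8)
    if off % 4 or not -0x2000000 <= off < 0x2000000:
        raise ValueError("branch target misaligned or out of range")
    return (cond << 28) | 0x0A000000 | (int(link) << 24) | ((off >> 2) & 0xFFFFFF)


def decode_branch(pc, insn):
    """Return (cond, link, target) if insn is B/BL, else None (cond 0xF = BLX skipped)."""
    if insn & 0x0E000000 != 0x0A000000 or insn >> 28 == 0xF:
        return None
    imm = insn & 0xFFFFFF
    if imm & 0x800000:
        imm -= 0x1000000
    return insn >> 28, bool(insn & 0x01000000), pc + 8 + (imm << 2)


def ldr_pc_target(pc, insn):
    """If insn is LDR Rd,[PC,#+/-imm12], return the literal-pool address it reads."""
    if insn & 0x0F7F0000 != 0x051F0000:
        return None
    imm = insn & 0xFFF
    return pc + 8 + (imm if insn & 0x00800000 else -imm)


def locate_secureboot(img):
    """UART string -> literal pool -> LDR that loads it -> the BL whose result
    is tested by the next conditional branch (the hash check, per the post)."""
    off = img.find(BOOT_STRING + b"\0")
    if off < 0:
        raise LookupError("UART string not found")
    str_va = off_to_va(off)
    words = range(IMAGE_BASE, code_end(img), 4)
    pool_vas = {va for va in words if read_u32(img, va) == str_va}
    ldr_va = next(va for va in words if ldr_pc_target(va, read_u32(img, va)) in pool_vas)
    last_bl = None
    for va in range(ldr_va, code_end(img), 4):
        dec = decode_branch(va, read_u32(img, va))
        if dec is None:
            continue
        cond, link, target = dec
        if link and cond == COND_AL:
            last_bl = (va, target)            # most recent subroutine call
        elif not link and cond != COND_AL and last_bl:
            return {"string": str_va, "ldr": ldr_va, "hash_call": last_bl[0],
                    "hash_fn": last_bl[1], "cond_branch": va, "fail": target}
    raise LookupError("no BL followed by a conditional branch after the string")


def patch_nop_branch(img, loc):
    """Post's option 1: NOP the 'jump on error' so execution falls through."""
    write_u32(img, loc["cond_branch"], NOP)


def patch_force_jump(img, loc, end_va):
    """Post's option 2: turn the check into an unconditional B to SecureBoot's end."""
    write_u32(img, loc["cond_branch"], encode_branch(loc["cond_branch"], end_va))


def patch_hash_fn(img, loc):
    """Post's option 3: make the verification routine return 0 immediately."""
    write_u32(img, loc["hash_fn"], MOV_R0_0)
    write_u32(img, loc["hash_fn"] + 4, BX_LR)


def build_sample_image():
    """Constructed toy image (not a real LG bootloader) with the flow the post describes."""
    words = {
        0x00: encode_branch(0x00, 0x08),                # B main
        0x04: NOP,
        0x08: 0xE59F0018,                               # LDR R0, =str_started (pool 0x28)
        0x0C: encode_branch(0x0C, 0x40, link=True),     # BL uart_print
        0x10: encode_branch(0x10, 0x50, link=True),     # BL hash_verify
        0x14: 0xE3500000,                               # CMP R0, #0
        0x18: encode_branch(0x18, 0x60, cond=COND_NE),  # BNE fail
        0x1C: 0xE59F0008,                               # LDR R0, =str_end (pool 0x2C)
        0x20: encode_branch(0x20, 0x40, link=True),     # BL uart_print
        0x24: BX_LR,                                    # SecureBoot end
        0x28: 0x70, 0x2C: 0x90,                         # literal pool: string VAs
        0x40: BX_LR,                                    # uart_print stub
        0x50: 0xE3A00001, 0x54: BX_LR,                  # hash_verify: returns 1 (bad hash)
        0x60: encode_branch(0x60, 0x60),                # fail: B . (hang)
    }
    img = bytearray(CODE_FILE_OFFSET + 0xB0)
    for va, w in words.items():
        write_u32(img, va, w)
    for va, s in ((0x70, BOOT_STRING + b"\0"), (0x90, b"SecureBooting End\0")):
        img[va_to_off(va):va_to_off(va) + len(s)] = s
    return img


if __name__ == "__main__":
    image = build_sample_image()
    found = locate_secureboot(image)
    for name, va in found.items():
        print(f"{name:12s} VA 0x{va:04X}  file offset 0x{va_to_off(va):04X}")
```

On the toy image the conditional branch sits at VA 0x18, i.e. file offset 0x218 once the 0x200 header is added back, which is the number you would type into a hex editor. The locate step is deliberately loose (first BL followed by a conditional branch after the string) and will want checking in IDA on a real image, since a print routine may itself be followed by a conditional branch. Whether a patched image is then accepted at all depends on whether the stage that loads it verifies its signature in turn, which the post does not address.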