Use IDA to reverse ARM (setup and find entry-point)

Just a few notes from experience.

0x01 get your binary

  • dump binary from flash

  • dump binary when update firmware

0x02 loader to ida

Like this: I have a Bluetooth binary.

We got a firmware image from a smart door lock, captured from its firmware upgrade traffic.

When we open it in IDA, we can see this.

  • Firstly, we know it is ARM
  • Secondly, we guess it is ARM little-endian

So we choose the Processor type:

Then we press OK... we can see:

We choose yes, then...

How to fill in this table? Keep the defaults and press OK.

0x03 fix the binary

When the IDA auto-analysis has finished, we see this.

What the hell is this????

Only a ROM segment. We should create the other segments and find the code segment, so we need to dig up some information and analyse this bin.

We use the hotkey "D" to fix up some data.

Generally speaking, the first word :00000000 DCD 0x20007AD8 is followed by the interrupt vector table.

In the red box are function pointers, and the first function pointer is an odd number, so we can conclude this binary is 16-bit (Thumb). So we change it: press Alt+G and set the T register value from 0 to 1.

Control bit  Meaning

I  I=1 disables IRQ interrupts
F  F=1 disables FIQ interrupts
T  On ARMv4 and later T variants: T=0 executes ARM instructions, T=1 executes Thumb instructions.
   On ARMv5 and later non-T variants: T=0 executes ARM instructions, T=1 means the next instruction raises an undefined-instruction exception.
M[4:0]

The Thumb instruction set is a subset of the ARM instruction set, introduced to address code density; it has a 16-bit code width. Compared with equivalent 32-bit code, Thumb keeps the advantages of 32-bit code while greatly reducing the storage the system needs. Thumb is not a complete architecture: you cannot expect a processor to execute only the Thumb instruction set without also supporting the ARM instruction set.

Then we should guess the binary's base address.

We know that usually the base address's low 3 bits are zero, and the interrupt vector table's addresses come right after the base, so we guess the base address is 0x1b000 and try changing the base address.

Set the value equal to 0x1b000.
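To make the two checks above concrete (an odd low bit means Thumb, and the base is an aligned value just below the handler addresses in the vector table), here is an added Python example that is not part of the original post: it parses the first words of a raw dump, reports the Thumb bit and derives a base guess plus each handler's file offset. The sample bytes, the 0x1000 alignment and the image size are my own assumptions.

```python
import struct

# Constructed sample (not from the page): the first 8 words of a raw Cortex-M
# style dump, little-endian. Word 0 is the initial stack pointer, the rest are
# exception handler addresses, each with bit 0 set because they are Thumb code.
SAMPLE_DUMP = struct.pack(
    "<8I",
    0x20007AD8,  # initial SP (SRAM at 0x20000000)
    0x0001B0C1,  # Reset
    0x0001B0D5,  # NMI
    0x0001B0E9,  # HardFault
    0x00000000,  # reserved
    0x00000000,  # reserved
    0x00000000,  # reserved
    0x0001B101,  # further handler
)
SAMPLE_IMAGE_SIZE = 0x10000  # assumed length of the dump


def parse_vector_table(blob, count=8):
    """Return (initial_sp, handlers) from the start of a little-endian dump."""
    words = struct.unpack_from("<%dI" % count, blob, 0)
    return words[0], list(words[1:])


def is_thumb(addr):
    """Bit 0 of a branch target carries the T (Thumb) bit on ARM."""
    return addr & 1 == 1


def guess_base(handlers, image_size, align=0x1000):
    """Largest aligned address at or below the lowest handler such that every
    handler still lands inside the image; None if no such base exists."""
    targets = [h & ~1 for h in handlers if h]
    if not targets:
        return None
    base = (min(targets) // align) * align
    return base if max(targets) < base + image_size else None


def analyse_dump(blob, image_size, align=0x1000):
    """Summarise what the vector table tells us before loading into IDA."""
    sp, handlers = parse_vector_table(blob)
    live = [h for h in handlers if h]
    base = guess_base(handlers, image_size, align)
    return {
        "sp_in_sram": 0x20000000 <= sp < 0x20100000,
        "thumb": bool(live) and all(is_thumb(h) for h in live),
        "base": base,
        # file offset of each handler once the base is known
        "offsets": [(h & ~1) - base for h in live] if base is not None else [],
    }
```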

Now these interrupt entries are function pointers:

Next step: we should restore the code.

Use the P and C hotkeys.

Like this 0x10 data: it may be a push opcode, so we press P to analyse it...

When we have finished, we should create some segments.

Like this URL: Setup and Find Entry-point in ARM Firmware - Hardware Wallet Research #4

That's all for now. To restore the segments I wrote a script to recover the code.

import idaapi
try:
    # IDA 7.x+ IDAPython API
    from ida_bytes import get_wide_byte as Byte
    from ida_funcs import add_func as MakeFunction
except ImportError:
    # legacy IDAPython (IDA 6.x) exposes Byte() and MakeFunction() in idc
    from idc import Byte, MakeFunction


def is_addr_shoulde_P(i):
    # Heuristic: a Thumb PUSH such as PUSH {R4,LR} (0xB510) is stored
    # little-endian as 10 B5, so a 0x10 byte may be a function prologue.
    if Byte(i) == 0x10:
        MakeFunction(i)


def do_addr_P(va_start, va_end):
    # walk every address in the code range and try to create a function there
    for i in range(va_start, va_end):
        is_addr_shoulde_P(i)


if __name__ == '__main__':
    do_addr_P(0x01B5B4, 0x02B5B4)

Run this script and we get: