Ok, so IDA is a bit more colorful...
Sunday, November 11, 2007
Saturday, October 27, 2007
DBS: Disassembly by Simulation
So, back to the GSM project. I figured, sure, I could design a GSM receiver from scratch, or probably social engineer some datasheets from older phones. But why not stick with what I know, the iPhone. It has a fully functional GSM transceiver. I spent two days starting from the ground up with the firmware. I found the Nucleus OS calls(it's cool, they use ASCII ids) and traced out every task and interrupt. But the first set of task didn't make sense. They called a common main loop, but passed unintelligible data. I wonder if the dev team figured this out...
But either way, I've been becoming increasing aggravated with IDA. It misses so many xrefs, and is a totally static disassembly. So I came up with this idea. Instead of doing everything manually, run it through a simulator first. Not only can you get xrefs to functions, but you can also get memory/register states to functions. It would easily determine what is code and what is data. It would do all relocations for you. It wouldn't miss any references the program uses. IDA misses any that even involve tracking the register states for two instructions.
So I started coding around midnight, I now have a simulator which can run through and disassemble the bootrom. It traces through the bootrom, and actually jumps to the correct place in the NOR. It's really cool to watch. All the crypto stuff(like the IPSF RSA bug) will soon make sense as well.
The code is online here. I am still debating whether or not to make a pretty GUI for this, or just to have it extend IDA.
But either way, I've been becoming increasing aggravated with IDA. It misses so many xrefs, and is a totally static disassembly. So I came up with this idea. Instead of doing everything manually, run it through a simulator first. Not only can you get xrefs to functions, but you can also get memory/register states to functions. It would easily determine what is code and what is data. It would do all relocations for you. It wouldn't miss any references the program uses. IDA misses any that even involve tracking the register states for two instructions.
So I started coding around midnight, I now have a simulator which can run through and disassemble the bootrom. It traces through the bootrom, and actually jumps to the correct place in the NOR. It's really cool to watch. All the crypto stuff(like the IPSF RSA bug) will soon make sense as well.
The code is online here. I am still debating whether or not to make a pretty GUI for this, or just to have it extend IDA.
Tuesday, September 25, 2007
iPhone GPS
The Navizon software is pretty cool. It doesn't work by RIT, but in New York City it's good to within a couple hundred yards. If you want to use this signal strength stuff in your program, I reversed some parts of the CoreTelephony API, and wrote a very basic cell site stumbler and added it to the svn of the stumbler project here. Although there is a way to do this much more precisly. GSM is a TDMA/FDMA based system. The TDMA portion requires precise timing to have the mobile transmit its data at the correct time. Therefore the phone must be aware of its absolute distance from the tower, which is much more accurate then the signal stregth measurement. I found the schematics of the Nokia 5190, which I have one of. Since finding the datasheet for the S-Gold2 is pretty much hopeless, I'm hoping to find the datasheets for the older gsm chips, so I can get a feel for how these chips work.
Tuesday, September 11, 2007
My New Project
I was working with the firmware to try to read the signal strength from many towers for the GPS project. But this would require extensive modifications to the firmware.
So my new project. First, a cheap GSM receiver to connect to a computer. These guys have done a lot of work with gsm already, but they are using the USRP which for the full setup costs a grand. I think a GSM receiver can be built for around $20. And thats what I'll start doing on this blog.
So my new project. First, a cheap GSM receiver to connect to a computer. These guys have done a lot of work with gsm already, but they are using the USRP which for the full setup costs a grand. I think a GSM receiver can be built for around $20. And thats what I'll start doing on this blog.
Subscribe to:
Posts (Atom)
