1 Dissecting Windows Mobile roms
Willem Hengeveld
http://xs4all.nl/~itsme
itsme@xs4all.nl

2 Windows Mobile roms (slide footer: dissecting windows mobile roms)
● What are these roms?
● Where to find these roms?
● What is in these roms?
● What are your scripts for?

3 roms
● Not actually ROM, but NAND or NOR flash
● Until 2003: NOR
  ● StrataFlash
● Since 2003: NAND
  ● DiskOnChip
  ● OneNAND

4 Where to find these rom images
● Firmware updater
  ● loaded from flash card
  ● USB updater
  ● sometimes obfuscated or encrypted
● Extract from device
  ● Various C++ tools written to access the flash
  ● See itsutils: pdocread, psdread
  ● Access usually through ActiveSync
  ● Sometimes via bootloader commands

5 What data is in the rom
● Baseband OS
● Application OS
● Bootloaders
● Splash images
● Applications
● Config data
● Protected data like IMEI, SIM-lock, etc.
● User data

6 (slide contains only an image; no transcript text)

7 XIP
● Originally: eXecute In Place
● Pocket PC: 5 – 10 XIP sections
● Signatures in the XIP chain
● Windows Mobile: just one, containing the kernel
● Format documented in romldr.h

8 IMGFS (diagram only; no transcript text)

9 Perl scripts
● For decoding updaters
● For XIP blocks
● For IMGFS data
● For decoding simlock data
● For analyzing FAT filesystems
● For decoding cab's
● For decoding baseband images
● ...

10 goal
● Figure out the meaning of every byte in the rom image
● Extract executables for analysis
● Create my own rom images
● Careful not to brick too many phones
● My focus was mostly on HTC devices

11 Splitting updaters
● When starting with an updater, you need to strip several layers:
  ● Obfuscation
  ● Encryption
  ● Signatures
  ● Block remapping
● Depends very much on device + vendor
● File format undocumented

12 Splitting updaters
● HTC Pocket PC 2003 + Smartphone 2002: splitrom.pl
● HTC Smartphone 2003: typhoonnbfdecode.pl
● HTC PPC 2005 + Smartphone 2005 and later: nbh2dbh.pl + dbhdecode.pl

13 Split result
After splitting the updater you get several files:
● Bootloaders
● Baseband rom
● Splash images
● Windows CE OS rom
● More, depending on the device

14 XIP
● Decoding
  ● dumprom.cpp
  ● dumpxip.pl
● Modifying
  ● Some bash + makexip.pl, chainedit.pl, drparse.pl
  ● Not very well documented

15 IMGFS
● Decoding
  ● rdmsflsh.pl
● Modifying
  ● (from mamaich) AddFile.exe, DelFile.exe – binary only, sometimes crashes
  ● editimgfs.pl
  ● cpp_editimgfs.cpp

16 dumpxip.pl
● Reconstructs .exe and .dll's
● Readable for IDA, may not really execute

17 dumpxip.pl
● Needs to call the decompression lib
  ● Which is in a Win32 DLL (or .lib)
  ● Not easily reverse engineered
  ● No standard algorithm (like gzip, pkzip, zlib)
● Initially using Win32::API
● Later using my own .xs module

18 CompressUtils.xs
● First version
  ● directly linked to the .lib from the SDK
  ● Windows only
● Second version
  ● Runs on Mac OS X <= 10.5
  ● Uses 'dllloader', which emulates LoadLibrary
  ● No change to the .xs code
  ● Note: needs to run within a 32-bit x86 perl

19 dllloader
● Implements LoadLibrary + GetProcAddress
● Takes a Win32 executable
  ● extracts sections
  ● processes relocation info
  ● processes imports
● Replaces trivial imports (like LocalAlloc) with its own implementation
This works fine for DLLs which don't have many dependencies.
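The "processes relocation info" step above is the part of a LoadLibrary replacement that is easiest to get subtly wrong, so here it is spelled out. This is an added example in Python, not dllloader's code; it assumes only the standard PE .reloc layout (blocks of page RVA + block size, then 16-bit entries with the type in the top 4 bits) and runs on a constructed mini image rather than a real DLL.

```python
"""Added example (not dllloader's own code): the base-relocation pass a
LoadLibrary replacement has to run when an image is mapped somewhere other
than its preferred base.  Uses the standard PE .reloc layout: blocks of
(page RVA, block size) followed by 16-bit entries, relocation type in the
top 4 bits and the offset within the page in the low 12 bits."""
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, nothing to patch
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address: add the load delta


def apply_base_relocations(image, reloc_rva, reloc_size, delta):
    """image: bytearray indexed by RVA (sections already copied to their
    VirtualAddress).  Patches every HIGHLOW target in place, returns the count."""
    off, end, applied = reloc_rva, reloc_rva + reloc_size, 0
    while off + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, off)
        if block_size < 8 or off + block_size > end:
            raise ValueError("malformed relocation block at RVA 0x%x" % off)
        for i in range((block_size - 8) // 2):
            entry, = struct.unpack_from("<H", image, off + 8 + 2 * i)
            rtype, page_off = entry >> 12, entry & 0xFFF
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rtype != IMAGE_REL_BASED_HIGHLOW:
                raise NotImplementedError("relocation type %d not handled" % rtype)
            target = page_rva + page_off
            if target + 4 > len(image):
                raise ValueError("relocation target 0x%x outside image" % target)
            value, = struct.unpack_from("<I", image, target)
            struct.pack_into("<I", image, target, (value + delta) & 0xFFFFFFFF)
            applied += 1
        off += block_size
    return applied


PREFERRED_BASE = 0x10000000
DATA_RVA, RELOC_RVA, RELOC_SIZE = 0x1000, 0x2000, 16


def build_sample_image():
    """Constructed mini image (not a real DLL): a data page holding absolute
    pointers at RVAs 0x1000, 0x1004 and 0x1010, a non-pointer at 0x1008, and a
    .reloc block covering the three pointers plus one ABSOLUTE padding entry."""
    image = bytearray(0x3000)
    struct.pack_into("<5I", image, DATA_RVA, PREFERRED_BASE + 0x1000,
                     PREFERRED_BASE + 0x2000, 0x41414141, 0, PREFERRED_BASE + 0x3000)
    struct.pack_into("<II4H", image, RELOC_RVA, DATA_RVA, RELOC_SIZE,
                     (IMAGE_REL_BASED_HIGHLOW << 12) | 0x000,
                     (IMAGE_REL_BASED_HIGHLOW << 12) | 0x004,
                     (IMAGE_REL_BASED_HIGHLOW << 12) | 0x010,
                     IMAGE_REL_BASED_ABSOLUTE)
    return image


def relocate_sample(actual_base):
    """Map the sample at actual_base: returns (relocations applied, data words)."""
    image = build_sample_image()
    count = apply_base_relocations(image, RELOC_RVA, RELOC_SIZE, actual_base - PREFERRED_BASE)
    return count, list(struct.unpack_from("<5I", image, DATA_RVA))


if __name__ == "__main__":
    print(relocate_sample(0x20000000))
```

Two things worth noting: the ABSOLUTE entry is real padding that compilers emit to keep blocks 4-byte aligned, so a loader that treats it as a HIGHLOW fixup corrupts the first dword of the page; and the bounds checks on block size and target address are what keep a hostile or truncated .reloc table from writing outside the mapped image.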

20 Writing a decoder
● Separate decoding from use (like re-encoding, printing)
● The decoder should return a hash with the parsed fields
● Verify that values fall in the expected range
● Create a hierarchy of decoders mirroring the file format
● Use a standardized internal representation
  ● UTF-8 for strings
  ● Perl time values for timestamps
  ● ints in numeric scalars
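To make the decoder rules above concrete, here they are applied to the start of an XIP section (the romldr.h format from slide 7): one decoder per structure, each returning a dict of parsed fields, each checking its values, with strings and timestamps normalized. This is an added example written in Python rather than the deck's Perl, and it is not dumpxip.pl's code; the field layout is assumed from the public WinCE romldr.h ('ECEC' signature at physfirst+0x40, ROMHDR pointer at +0x44, nummods TOCentry and numfiles FILESentry records after the ROMHDR), and the image it parses is constructed inline, not a real ROM dump.

```python
"""Added example (not dumpxip.pl): a decoder for the start of a WinCE XIP
section written along the lines of slide 20.  Assumption: the layout from the
public WinCE romldr.h, i.e. 'ECEC' at physfirst+0x40, a pointer to the ROMHDR
at +0x44, and nummods TOCentry / numfiles FILESentry records after the ROMHDR."""
import struct
from datetime import datetime, timedelta, timezone

ROM_SIGNATURE = b"ECEC"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ROMHDR_FMT = "<17I2H3I"          # 17 ULONG, 2 USHORT, PVOID + 2 ULONG = 84 bytes
ROMHDR_FIELDS = (
    "dllfirst", "dlllast", "physfirst", "physlast", "nummods",
    "ulRAMStart", "ulRAMFree", "ulRAMEnd", "ulCopyEntries", "ulCopyOffset",
    "ulProfileLen", "ulProfileOffset", "numfiles", "ulKernelFlags",
    "ulFSRamPercent", "ulDrivglobStart", "ulDrivglobLen", "usCPUType",
    "usMiscFlags", "pExtensions", "ulTrackingStart", "ulTrackingLen")
TOC_FMT, TOC_FIELDS = "<IQIIIII", ("dwFileAttributes", "ftTime", "nFileSize",
    "lpszFileName", "ulE32Offset", "ulO32Offset", "ulLoadOffset")
FILES_FMT, FILES_FIELDS = "<IQIIII", ("dwFileAttributes", "ftTime", "nRealFileSize",
    "nCompFileSize", "lpszFileName", "ulLoadOffset")


def check(cond, msg):
    """Every decoder verifies its values; implausible input is an error, not a guess."""
    if not cond:
        raise ValueError(msg)


def filetime_to_datetime(ft):
    """Normalise a FILETIME (100 ns ticks since 1601-01-01) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def read_cstring(img, off):
    """Normalise a NUL-terminated name in the image to a Python (unicode) str."""
    return bytes(img[off:img.index(b"\0", off)]).decode("utf-8")


def decode_romhdr(img, off):
    hdr = dict(zip(ROMHDR_FIELDS, struct.unpack_from(ROMHDR_FMT, img, off)))
    check(hdr["physfirst"] < hdr["physlast"], "physfirst >= physlast")
    check(hdr["physlast"] - hdr["physfirst"] <= len(img), "ROM range larger than image")
    check(hdr["nummods"] < 4096 and hdr["numfiles"] < 4096, "implausible entry counts")
    return hdr


def decode_entry(img, off, fmt, fields, physfirst):
    """Shared by TOCentry and FILESentry: both carry a FILETIME and a name pointer."""
    ent = dict(zip(fields, struct.unpack_from(fmt, img, off)))
    nameoff = ent["lpszFileName"] - physfirst
    check(0 <= nameoff < len(img), "file name pointer outside image")
    ent["name"] = read_cstring(img, nameoff)
    ent["time"] = filetime_to_datetime(ent["ftTime"])
    check(1990 <= ent["time"].year <= 2100, "implausible timestamp")
    return ent


def decode_xip(img, base):
    """Top of the decoder hierarchy: signature -> ROMHDR -> module and file tables."""
    check(bytes(img[0x40:0x44]) == ROM_SIGNATURE, "no ECEC signature at +0x40")
    romhdr_addr, = struct.unpack_from("<I", img, 0x44)
    off = romhdr_addr - base
    check(0 <= off <= len(img) - struct.calcsize(ROMHDR_FMT), "ROMHDR outside image")
    hdr = decode_romhdr(img, off)
    check(hdr["physfirst"] == base, "physfirst does not match the load address")
    off += struct.calcsize(ROMHDR_FMT)
    modules, files = [], []
    for _ in range(hdr["nummods"]):
        modules.append(decode_entry(img, off, TOC_FMT, TOC_FIELDS, base))
        off += struct.calcsize(TOC_FMT)
    for _ in range(hdr["numfiles"]):
        files.append(decode_entry(img, off, FILES_FMT, FILES_FIELDS, base))
        off += struct.calcsize(FILES_FMT)
    return {"romhdr": hdr, "modules": modules, "files": files}


def summarize(xip):
    """'Use' kept apart from decoding: this only formats the parsed hash."""
    lines = ["ROM 0x%08x-0x%08x" % (xip["romhdr"]["physfirst"], xip["romhdr"]["physlast"])]
    for m in xip["modules"]:
        lines.append("module %-10s load 0x%08x %s" % (m["name"], m["ulLoadOffset"], m["time"].date()))
    for f in xip["files"]:
        lines.append("file   %-10s %d -> %d bytes" % (f["name"], f["nCompFileSize"], f["nRealFileSize"]))
    return lines


def build_sample_image(base=0x80000000):
    """Constructed 0x200-byte XIP section (not a real ROM dump) to run the decoder on."""
    img = bytearray(0x200)
    hdr_off, toc_off, files_off, name1, name2 = 0x100, 0x154, 0x174, 0x1A0, 0x1B0
    ts = (datetime(2005, 6, 1, tzinfo=timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    img[0x40:0x44] = ROM_SIGNATURE
    struct.pack_into("<I", img, 0x44, base + hdr_off)
    struct.pack_into(ROMHDR_FMT, img, hdr_off,
                     0x01F00000, 0x02000000, base, base + 0x200, 1,      # ... nummods = 1
                     0x8C000000, 0x8C100000, 0x8E000000, 0, 0, 0, 0, 1,  # ... numfiles = 1
                     0, 0, 0, 0, 0x01C2, 0, 0, 0, 0)                    # usCPUType = THUMB
    struct.pack_into(TOC_FMT, img, toc_off, 1, ts, 0x4000, base + name1, 0, 0, base + 0x1000)
    struct.pack_into(FILES_FMT, img, files_off, 1, ts, 0x800, 0x300, base + name2, base + 0x5000)
    img[name1:name1 + 7] = b"nk.exe\0"
    img[name2:name2 + 8] = b"boot.hv\0"
    return bytes(img)


if __name__ == "__main__":
    print("\n".join(summarize(decode_xip(build_sample_image(), 0x80000000))))
```

The pointers inside the ROM (lpszFileName, ulLoadOffset) are physical addresses, so every one is converted to an image offset and bounds-checked before it is dereferenced; on a real dump that is the check that turns a wrong load address or a truncated file into a clear error instead of garbage names.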

21 Source code
● http://xs4all.nl/~itsme/projects/xda/
● http://xs4all.nl/~itsme/projects/perl/
● Not (yet) on CPAN

22 Questions?

