
I have picked up a rooted Acer phone and dd-ed the LK partition to analyze it in IDA. The goal is to pinpoint the routine processing fastboot commands. Stripping the first 512 bytes produces apparently meaningful disassembly. However, the cross reference of the string `fastboot: processing commands\n` doesn't look very meaningful. This has led me to believe that the image might need to be re-based to some address to get the references correct. Any idea how I can do that?


sherlock
  • This looks like a development question, which is off-topic on this site, thus I vote to close it. You might ask it at Stack Overflow, instead. –  Oct 26 '16 at 07:20
  • Which processor is used here? – w s Oct 26 '16 at 08:50
  • ARM 32, Little Endian – sherlock Oct 26 '16 at 08:55
  • 1
    I wouldn't discount the image starting at position 0, as that's where ARM stores some jump addresses for hardware-related signals. Your string references look perfectly fine to me; loading the offset between the current instruction and the string, then adding PC, is the standard ARM way of getting position independent code. More about that in my answer here. – Guntram Blohm Oct 26 '16 at 11:20

1 Answer

When I needed to do something similar, I tried to do the following:

  1. I found all known LDR macros (as far as I remember, they are not relative).
  2. I found the addresses of some strings that had a good chance of being referenced directly (more than 10, fewer than 100).
  3. After that I brute-forced the whole 32-bit address range in steps of 4 to find the shift under which the maximum number of strings are referenced correctly by LDR. Of course this can be done with IDAPython.

From this shift the address can be deduced.

In addition, you can cross-reference function prologues with jumps and calls that use absolute addressing.

BTW, if I'm not mistaken, you will probably find an interrupt table at the start of the image, with absolute jumps like in the following example:

00000000   LDR   PC, =Reset
00000004   LDR   PC, =Undef
00000008   LDR   PC, =SVC
0000000C   LDR   PC, =PrefAbort
00000010   LDR   PC, =DataAbort
00000014   NOP
00000018   LDR   PC, =IRQ
0000001C   LDR   PC, =FIQ

The values of the loaded addresses may hint at an area to search in.

w s
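The search the answer describes, as an added Python example (this is not the answerer's script and not IDAPython; it works on a raw byte buffer): it decodes every ARM A32 `LDR Rt, [PC, #imm]` literal load from a little-endian image, collects the offsets of NUL-terminated strings, and scores a candidate base address by how many loaded literals land exactly on a string. It implements the answer's step-4 brute force over a range, and adds a difference-histogram variant that reaches the same base without walking the whole 32-bit space (every literal/string pair votes for `literal - string_offset`). The image, the load address `0x40100000`, the strings and all function names are constructed for this demo, not taken from a real LK dump.

```python
import struct
from collections import Counter

# Constructed sample image (NOT a real LK dump): four LDR-literal instructions,
# their literal pool at 0x40, and three NUL-terminated strings from 0x100 on.
SAMPLE_BASE = 0x40100000            # the "unknown" load address we want to recover
STRING_OFFSETS = (0x100, 0x120, 0x140)

def build_sample_image():
    img = bytearray(0x160)
    code = [
        0xE59F0038,  # LDR R0, [PC, #0x38]  -> pool word at 0x40 (PC = off + 8)
        0xE59F1038,  # LDR R1, [PC, #0x38]  -> pool word at 0x44
        0xE59F2038,  # LDR R2, [PC, #0x38]  -> pool word at 0x48
        0xE59F3038,  # LDR R3, [PC, #0x38]  -> pool word at 0x4C
        0xE12FFF1E,  # BX LR
    ]
    for i, word in enumerate(code):
        struct.pack_into('<I', img, i * 4, word)
    pool = [SAMPLE_BASE + 0x100, SAMPLE_BASE + 0x120, SAMPLE_BASE + 0x140,
            SAMPLE_BASE + 0x10]      # last literal is a code address, not a string
    for i, word in enumerate(pool):
        struct.pack_into('<I', img, 0x40 + i * 4, word)
    strings = [b"fastboot: processing commands\n", b"unknown command", b"OKAY"]
    for off, s in zip(STRING_OFFSETS, strings):
        img[off:off + len(s) + 1] = s + b"\0"
    return bytes(img)

def ldr_literal_values(img):
    """Values loaded by every A32 'LDR Rt, [PC, #+/-imm12]' at a 4-byte-aligned
    offset: mask keeps P=1, B=0, W=0, L=1, Rn=PC and leaves the U (sign) bit free."""
    values = []
    for off in range(0, len(img) - 3, 4):
        insn = struct.unpack_from('<I', img, off)[0]
        if insn >> 28 == 0xF:                   # unconditional encodings, not LDR
            continue
        if insn & 0x0F7F0000 != 0x051F0000:
            continue
        imm12 = insn & 0xFFF
        pool = off + 8 + (imm12 if insn & (1 << 23) else -imm12)
        if 0 <= pool <= len(img) - 4:
            values.append(struct.unpack_from('<I', img, pool)[0])
    return values

def find_strings(img, min_len=4):
    """Offsets of NUL-terminated runs of printable ASCII (IDA's string list, roughly)."""
    offsets, start = [], None
    for i, b in enumerate(img):
        if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D):
            if start is None:
                start = i
        else:
            if start is not None and b == 0 and i - start >= min_len:
                offsets.append(start)
            start = None
    return offsets

def score_base(base, literals, string_offsets):
    """How many literals point exactly at a known string if loaded at `base`."""
    targets = {base + off for off in string_offsets}
    return sum(1 for v in literals if v in targets)

def brute_force_base(literals, string_offsets, lo, hi, step=4):
    """The answer's method: walk [lo, hi) in steps of 4, keep the best-scoring base."""
    best = (0, None)
    for base in range(lo, hi, step):
        s = score_base(base, literals, string_offsets)
        if s > best[0]:
            best = (s, base)
    return best

def vote_base(literals, string_offsets):
    """Same result without scanning: each (literal, string) pair votes for
    'literal - offset'; only 4-byte-aligned, non-negative bases are counted."""
    votes = Counter()
    for v in literals:
        for off in string_offsets:
            base = v - off
            if base >= 0 and base % 4 == 0:
                votes[base] += 1
    if not votes:
        return (0, None)
    base, count = votes.most_common(1)[0]
    return (count, base)

if __name__ == "__main__":
    img = build_sample_image()
    lits, strs = ldr_literal_values(img), find_strings(img)
    print("literals:", [hex(v) for v in lits], "strings at:", [hex(o) for o in strs])
    hits, base = vote_base(lits, strs)
    print("best base 0x%08X (%d of %d literals hit a string)" % (base, hits, len(lits)))
```

On a real dump you would feed `find_strings()` the offsets IDA already lists and then trust a base only if a large share of literals hit strings at it; a handful of accidental hits at a random base is expected, and the vector table loads the answer mentions give a sanity range for the result.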