bkerler
10-24-2007, 13:15
Hi there ...
Looking into NPRG6250SEC.hex, I just hit something interesting which may
lead to the checksum function ...
After pointing to the AMSS *at least I suspect it to be*, the following string matching occurs:
ROM:00804520
ROM:00804520 loc_804520 ; CODE XREF: sub_804498+70j
ROM:00804520 10 4A LDR R2, =0x5264CEBC ; jumptable 00804508 case 6
ROM:00804522 11 49 LDR R1, =0x5FE85DDF
ROM:00804524 38 1C ADD R0, R7, #0
ROM:00804526 01 F0 D5 F8 BL sub_8056D4
ROM:0080452A 00 28 CMP R0, #0
ROM:0080452C 11 D1 BNE loc_804552 ; jumptable 00804508 cases 1,2,4,5,8-12
ROM:0080452E
ROM:0080452E loc_80452E ; CODE XREF: sub_804498+A8j
ROM:0080452E ; sub_804498+B8j
ROM:0080452E B4 61 STR R4, [R6,#0x18]
ROM:00804530
ROM:00804530 loc_804530 ; CODE XREF: sub_804498+68j
ROM:00804530 ; sub_804498+70j ...
ROM:00804530 00 20 MOV R0, #0 ; default
ROM:00804530 ; jumptable 00804508 case 0
ROM:00804532
ROM:00804532 loc_804532 ; CODE XREF: sub_804498+BCj
ROM:00804532 F8 BD POP {R3-R7,PC}
ROM:00804534 ; ---------------------------------------------------------------------------
ROM:00804534
ROM:00804534 loc_804534 ; CODE XREF: sub_804498+70j
ROM:00804534 0D 4A LDR R2, =0x5A8FB6C9 ; jumptable 00804508 case 7
ROM:00804536 0E 49 LDR R1, =0xFA0F129C
ROM:00804538 38 1C ADD R0, R7, #0
ROM:0080453A 01 F0 CB F8 BL sub_8056D4
ROM:0080453E 00 28 CMP R0, #0
ROM:00804540 F5 D0 BEQ loc_80452E
ROM:00804542 06 E0 B loc_804552 ; jumptable 00804508 cases 1,2,4,5,8-12
ROM:00804544 ; ---------------------------------------------------------------------------
ROM:00804544
ROM:00804544 loc_804544 ; CODE XREF: sub_804498+70j
ROM:00804544 0B 4A LDR R2, =0x5264FEEB ; jumptable 00804508 case 3
ROM:00804546 0C 49 LDR R1, =0x12349876
ROM:00804548 38 1C ADD R0, R7, #0
ROM:0080454A 01 F0 C3 F8 BL sub_8056D4
ROM:0080454E 00 28 CMP R0, #0
ROM:00804550 ED D0 BEQ loc_80452E
ROM:00804552
ROM:00804552 loc_804552 ; CODE XREF: sub_804498+70j
ROM:00804552 ; sub_804498+94j ...
ROM:00804552 01 20 MOV R0, #1 ; jumptable 00804508 cases 1,2,4,5,8-12
ROM:00804554 ED E7 B loc_804532
The value 76983412EBFE6452, which is actually 0x5264FEEB and 0x12349876,
is also stored in the phone's NAND at position 0x8000 and 0xC000 (not AMSS, but MIBIB).
Question No. 1:
Is this some version check? *Developer or production?*
Also, the hash of AMSS (SHA-1) is not calculated every time; see this jumptable:
loc_800ECA ; CODE XREF: sub_800EA4+20j
ROM:00800ECA 01 F0 51 FF BL sub_802D70
ROM:00800ECE 01 28 CMP R0, #1
ROM:00800ED0 56 D1 BNE loc_800F80
ROM:00800ED2 3E 48 LDR R0, =0x8253A8
ROM:00800ED4 01 F0 12 FE BL sub_802AFC
ROM:00800ED8 01 28 CMP R0, #1
ROM:00800EDA 51 D1 BNE loc_800F80
ROM:00800EDC 05 22 MOV R2, #5
ROM:00800EDE 3B 4B LDR R3, =0x8253A8
ROM:00800EE0 D2 01 LSL R2, R2, #7
ROM:00800EE2 21 1C ADD R1, R4, #0
ROM:00800EE4 9C 18 ADD R4, R3, R2
ROM:00800EE6 06 29 CMP R1, #6 ; switch 6 cases
ROM:00800EE8 39 48 LDR R0, =0x826B04
ROM:00800EEA 4A D2 BCS loc_800F82 ; default
ROM:00800EEC 01 A3 ADR R3, jpt_800EF2
ROM:00800EEE 5B 5C LDRB R3, [R3,R1]
ROM:00800EF0 5B 00 LSL R3, R3, #1
ROM:00800EF2 9F 44 ADD PC, R3 ; switch jump
ROM:00800EF2 ; ---------------------------------------------------------------------------
ROM:00800EF4 02 jpt_800EF2 DCB 2 ; DATA XREF: sub_800EA4+48o
ROM:00800EF4 ; jump table for switch statement
ROM:00800EF5 08 DCB 8
ROM:00800EF6 12 DCB 0x12
ROM:00800EF7 1A DCB 0x1A
ROM:00800EF8 26 DCB 0x26
ROM:00800EF9 2C DCB 0x2C
Where does 0x8253A8 point to? Or am I misunderstanding that this is only
a function that is called?
Any help appreciated :)
Cya,
Viper BJK
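Added example, not code from the post or from the firmware: it decodes the 8-byte value found at NAND 0x8000/0xC000 as two little-endian words and matches it against the (R2, R1) pairs passed to sub_8056D4, and it resolves the targets of the Thumb ADD PC, R3 switch from the jpt_800EF2 bytes. The NAND image is constructed; the argument order of sub_8056D4 and the 4-byte scan stride are assumptions.

```python
import struct

# (R2, R1) pairs loaded before each BL sub_8056D4 in the post's disassembly,
# keyed by the jumptable case that loads them.
MAGIC_PAIRS = {
    6: (0x5264CEBC, 0x5FE85DDF),
    7: (0x5A8FB6C9, 0xFA0F129C),
    3: (0x5264FEEB, 0x12349876),
}

def decode_magic(raw8: bytes):
    """Two little-endian u32 words: 76 98 34 12 EB FE 64 52 -> (0x12349876, 0x5264FEEB)."""
    return struct.unpack("<II", raw8)

def classify_magic(raw8: bytes):
    """Jumptable case whose (R2, R1) pair matches the 8-byte value, else None.
    Assumption: the argument order of sub_8056D4 is not visible in the post,
    so the comparison is order-insensitive."""
    words = set(decode_magic(raw8))
    for case, pair in MAGIC_PAIRS.items():
        if words == set(pair):
            return case
    return None

def scan_dump(dump: bytes, stride: int = 4):
    """(offset, case) for every stride-aligned 8-byte window holding a known pair."""
    hits = []
    for off in range(0, len(dump) - 7, stride):
        case = classify_magic(dump[off:off + 8])
        if case is not None:
            hits.append((off, case))
    return hits

def thumb_jump_targets(add_pc_addr: int, table: bytes):
    """Targets of a Thumb 'ADD PC, R3' switch where R3 = table[idx] << 1.
    In Thumb, PC reads as the address of the executing instruction + 4."""
    base = add_pc_addr + 4
    return [base + (entry << 1) for entry in table]

# Constructed 64 KiB NAND image: 0xFF filler with the post's value at 0x8000 and 0xC000.
MAGIC = bytes.fromhex("76983412EBFE6452")
_img = bytearray(b"\xff" * 0x10000)
_img[0x8000:0x8008] = MAGIC
_img[0xC000:0xC008] = MAGIC
SAMPLE_DUMP = bytes(_img)

# jpt_800EF2 bytes from the post; the ADD PC, R3 sits at 0x800EF2.
JPT_800EF2 = bytes([2, 8, 0x12, 0x1A, 0x26, 0x2C])
```

The first switch target resolves to 0x800EFA, the first even address after the 6-byte table, which is a quick sanity check that the PC+4 base is right.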