GSM-Forum  
Posted 07-29-2022, 20:39   #1
Is the OTP area a virtual address or a physical address?


Quote:
ROM:C0405338 mt_otp_ioctl__1 ; DATA XREF: ROM:C0826E80o
ROM:C0405338
ROM:C0405338 var_44 = -0x44
ROM:C0405338 var_38 = -0x38
ROM:C0405338 var_34 = -0x34
ROM:C0405338 var_30 = -0x30
ROM:C0405338 var_2C = -0x2C
ROM:C0405338 var_28 = -0x28
ROM:C0405338
ROM:C0405338 0D C0 A0 E1 MOV R12, SP
ROM:C040533C F0 DD 2D E9 STMFD SP!, {R4-R8,R10-R12,LR,PC}
ROM:C0405340 04 B0 4C E2 SUB R11, R12, #4
ROM:C0405344 20 D0 4D E2 SUB SP, SP, #0x20
ROM:C0405348 0D 30 A0 E1 MOV R3, SP
ROM:C040534C 7F 6D C3 E3 BIC R6, R3, #0x1FC0
ROM:C0405350 3F 60 C6 E3 BIC R6, R6, #0x3F
ROM:C0405354 02 40 A0 E1 MOV R4, R2
ROM:C0405358 01 70 A0 E1 MOV R7, R1
ROM:C040535C 08 30 96 E5 LDR R3, [R6,#8]
ROM:C0405360 14 20 94 E2 ADDS R2, R4, #0x14
ROM:C0405364 03 20 D2 30 SBCCCS R2, R2, R3
ROM:C0405368 00 30 A0 33 MOVCC R3, #0
ROM:C040536C 00 00 53 E3 CMP R3, #0
ROM:C0405370 30 00 00 1A BNE loc_C0405438
ROM:C0405374 04 10 A0 E1 MOV R1, R4
ROM:C0405378 14 20 A0 E3 MOV R2, #0x14
ROM:C040537C 38 00 4B E2 SUB R0, R11, #-var_38
ROM:C0405380 53 31 F8 EB BL __copy_from_user__1
ROM:C0405384 00 80 50 E2 SUBS R8, R0, #0
ROM:C0405388 C9 00 00 1A BNE loc_C04056B4
ROM:C040538C 38 00 4B E2 SUB R0, R11, #-var_38
ROM:C0405390 24 53 9F E5 LDR R5, =0xC0A0D8F0
ROM:C0405394 D7 FE FF EB BL id_offset__1
ROM:C0405398 30 00 1B E5 LDR R0, [R11,#var_30]
ROM:C040539C D0 10 A0 E3 MOV R1, #0xD0 ; ''
ROM:C04053A0 54 C4 F3 EB BL __kmalloc__1 ;
ROM:C04053A4 00 00 50 E3 CMP R0, #0
ROM:C04053A8 1C 00 85 E5 STR R0, [R5,#0x1C]
ROM:C04053AC 0B 40 E0 03 MOVEQ R4, #0xFFFFFFF4
ROM:C04053B0 1D 00 00 0A BEQ loc_C040542C
ROM:C04053B4 02 3B 06 E3+ MOV R3, #0x40046B02
ROM:C04053BC 03 00 57 E1 CMP R7, R3
ROM:C04053C0 42 00 00 0A BEQ loc_C04054D0
ROM:C04053C4 03 3B 06 E3+ MOV R3, #0x40046B03
ROM:C04053CC 03 00 57 E1 CMP R7, R3
ROM:C04053D0 1D 00 00 0A BEQ loc_C040544C
ROM:C04053D4 01 3B 06 E3+ MOV R3, #0x40046B01
ROM:C04053DC 03 00 57 E1 CMP R7, R3
ROM:C04053E0 08 00 00 1A BNE loc_C0405408
ROM:C04053E4 D4 02 9F E5 LDR R0, =aOtpIoctlEmmc_1 ; "OTP IOCTL: EMMC_OTP_GET_LENGTH\n"
ROM:C04053E8 80 26 06 EB BL printk__1
ROM:C04053EC 18 30 95 E5 LDR R3, [R5,#0x18]
ROM:C04053F0 38 00 4B E2 SUB R0, R11, #-var_38
ROM:C04053F4 33 FF 2F E1 BLX R3
ROM:C04053F8 38 10 1B E5 LDR R1, [R11,#var_38]
ROM:C04053FC C0 02 9F E5 LDR R0, =aOtpIoctlTheLen ; "OTP IOCTL: The Length is %d\n"
ROM:C0405400 28 80 0B E5 STR R8, [R11,#var_28]
ROM:C0405404 79 26 06 EB BL printk__1
ROM:C0405408
ROM:C0405408 loc_C0405408 ; CODE XREF: mt_otp_ioctl__1+A8j
ROM:C0405408 ; mt_otp_ioctl__1+214j
ROM:C0405408 08 30 96 E5 LDR R3, [R6,#8]
ROM:C040540C 14 20 94 E2 ADDS R2, R4, #0x14
ROM:C0405410 03 20 D2 30 SBCCCS R2, R2, R3
ROM:C0405414 00 30 A0 33 MOVCC R3, #0
ROM:C0405418 00 00 53 E3 CMP R3, #0
ROM:C040541C 14 40 A0 13 MOVNE R4, #0x14
ROM:C0405420 24 00 00 0A BEQ loc_C04054B8
ROM:C0405424
ROM:C0405424 loc_C0405424 ; CODE XREF: mt_otp_ioctl__1+17Cj
ROM:C0405424 ; mt_otp_ioctl__1+194j ...
ROM:C0405424 1C 00 95 E5 LDR R0, [R5,#0x1C]
ROM:C0405428 FA C1 F3 EB BL kfree__1
ROM:C040542C
ROM:C040542C loc_C040542C ; CODE XREF: mt_otp_ioctl__1+78j
ROM:C040542C ; mt_otp_ioctl__1+110j ...
ROM:C040542C 04 00 A0 E1 MOV R0, R4
ROM:C0405430 24 D0 4B E2 SUB SP, R11, #0x24
ROM:C0405434 F0 AD 9D E8 LDMFD SP, {R4-R8,R10,R11,SP,PC}
ROM:C0405438 ; ---------------------------------------------------------------------------
ROM:C0405438
ROM:C0405438 loc_C0405438 ; CODE XREF: mt_otp_ioctl__1+38j
ROM:C0405438 38 00 4B E2 SUB R0, R11, #-var_38
ROM:C040543C 14 10 A0 E3 MOV R1, #0x14
ROM:C0405440 9E 3A F8 EB BL __memzero__1
ROM:C0405444 0D 40 E0 E3 MOV R4, #0xFFFFFFF2
ROM:C0405448 F7 FF FF EA B loc_C040542C
ROM:C040544C ; ---------------------------------------------------------------------------
ROM:C040544C
ROM:C040544C loc_C040544C ; CODE XREF: mt_otp_ioctl__1+98j
ROM:C040544C 34 10 1B E5 LDR R1, [R11,#var_34]
ROM:C0405450 30 20 1B E5 LDR R2, [R11,#var_30]
ROM:C0405454 6C 02 9F E5 LDR R0, =aOtpIoctlEmmc_o ; "OTP IOCTL: EMMC_OTP_WRITE Offset(0x%x),"...
ROM:C0405458 64 26 06 EB BL printk__1
ROM:C040545C 08 00 96 E5 LDR R0, [R6,#8]
ROM:C0405460 2C 10 1B E5 LDR R1, [R11,#var_2C]
ROM:C0405464 30 30 1B E5 LDR R3, [R11,#var_30]
ROM:C0405468 03 C0 91 E0 ADDS R12, R1, R3
ROM:C040546C 00 C0 DC 30 SBCCCS R12, R12, R0
ROM:C0405470 00 00 A0 33 MOVCC R0, #0
ROM:C0405474 00 00 50 E3 CMP R0, #0
ROM:C0405478 1C 20 95 E5 LDR R2, [R5,#0x1C]
ROM:C040547C 37 00 00 0A BEQ loc_C0405560
ROM:C0405480 00 00 53 E3 CMP R3, #0
ROM:C0405484 7D 00 00 1A BNE loc_C0405680
ROM:C0405488
ROM:C0405488 loc_C0405488 ; CODE XREF: mt_otp_ioctl__1+244j
ROM:C0405488 28 10 4B E2 SUB R1, R11, #-var_28
ROM:C040548C 01 00 A0 E3 MOV R0, #1
ROM:C0405490 00 10 8D E5 STR R1, [SP,#0x44+var_44]
ROM:C0405494 34 10 1B E5 LDR R1, [R11,#var_34]
ROM:C0405498 05 FF FF EB BL mt_otp_access__1
ROM:C040549C 08 30 96 E5 LDR R3, [R6,#8]
ROM:C04054A0 14 20 94 E2 ADDS R2, R4, #0x14
ROM:C04054A4 03 20 D2 30 SBCCCS R2, R2, R3
ROM:C04054A8 00 30 A0 33 MOVCC R3, #0
ROM:C04054AC 00 00 53 E3 CMP R3, #0
ROM:C04054B0 14 40 A0 13 MOVNE R4, #0x14
ROM:C04054B4 DA FF FF 1A BNE loc_C0405424
ROM:C04054B8
ROM:C04054B8 loc_C04054B8 ; CODE XREF: mt_otp_ioctl__1+E8j
ROM:C04054B8 04 00 A0 E1 MOV R0, R4
ROM:C04054BC 38 10 4B E2 SUB R1, R11, #-var_38
ROM:C04054C0 14 20 A0 E3 MOV R2, #0x14
ROM:C04054C4 25 32 F8 EB BL __copy_to_user__1
ROM:C04054C8 00 40 A0 E1 MOV R4, R0
ROM:C04054CC D4 FF FF EA B loc_C0405424
ROM:C04054D0 ; ---------------------------------------------------------------------------
ROM:C04054D0
ROM:C04054D0 loc_C04054D0 ; CODE XREF: mt_otp_ioctl__1+88j
ROM:C04054D0 30 20 1B E5 LDR R2, [R11,#var_30]
ROM:C04054D4 F0 01 9F E5 LDR R0, =aOtpIoctlEmmc_0 ; "OTP IOCTL: EMMC_OTP_READ Offset(0x%x), "...
ROM:C04054D8 34 10 1B E5 LDR R1, [R11,#var_34]
ROM:C04054DC 43 26 06 EB BL printk__1
ROM:C04054E0 30 20 1B E5 LDR R2, [R11,#var_30]
ROM:C04054E4 1C 70 95 E5 LDR R7, [R5,#0x1C]
ROM:C04054E8 00 00 52 E3 CMP R2, #0
ROM:C04054EC 02 30 A0 01 MOVEQ R3, R2
ROM:C04054F0 25 00 00 1A BNE loc_C040558C
ROM:C04054F4
ROM:C04054F4 loc_C04054F4 ; CODE XREF: mt_otp_ioctl__1+264j
ROM:C04054F4 00 00 A0 E3 MOV R0, #0
ROM:C04054F8 07 20 A0 E1 MOV R2, R7
ROM:C04054FC 34 10 1B E5 LDR R1, [R11,#var_34]
ROM:C0405500 28 C0 4B E2 SUB R12, R11, #-var_28
ROM:C0405504 00 C0 8D E5 STR R12, [SP,#0x44+var_44]
ROM:C0405508 E9 FE FF EB BL mt_otp_access__1
ROM:C040550C 20 30 95 E5 LDR R3, [R5,#0x20]
ROM:C0405510 01 00 53 E3 CMP R3, #1
ROM:C0405514 63 00 00 0A BEQ loc_C04056A8
ROM:C0405518 34 30 1B E5 LDR R3, [R11,#var_34]
ROM:C040551C 80 00 53 E3 CMP R3, #0x80 ; ''
ROM:C0405520 1E 00 00 0A BEQ loc_C04055A0
ROM:C0405524
ROM:C0405524 loc_C0405524 ; CODE XREF: mt_otp_ioctl__1+2FCj
ROM:C0405524 ; mt_otp_ioctl__1+344j ...
ROM:C0405524 08 30 96 E5 LDR R3, [R6,#8]
ROM:C0405528 2C 00 1B E5 LDR R0, [R11,#var_2C]
ROM:C040552C 30 20 1B E5 LDR R2, [R11,#var_30]
ROM:C0405530 02 C0 90 E0 ADDS R12, R0, R2
ROM:C0405534 03 C0 DC 30 SBCCCS R12, R12, R3
ROM:C0405538 00 30 A0 33 MOVCC R3, #0
ROM:C040553C 00 00 53 E3 CMP R3, #0
ROM:C0405540 1C 10 95 E5 LDR R1, [R5,#0x1C]
ROM:C0405544 0D 00 00 0A BEQ loc_C0405580
ROM:C0405548
ROM:C0405548 loc_C0405548 ; CODE XREF: mt_otp_ioctl__1:emmc_get_wp_size_j
ROM:C0405548 00 00 52 E3 CMP R2, #0
ROM:C040554C AD FF FF 0A BEQ loc_C0405408
ROM:C0405550 78 01 9F E5 LDR R0, =aEmmc_otpIoctlC ; "EMMC_OTP IOCTL: Copy to user buffer Err"...
ROM:C0405554 00 40 A0 E3 MOV R4, #0
ROM:C0405558 24 26 06 EB BL printk__1
ROM:C040555C B0 FF FF EA B loc_C0405424
ROM:C0405560 ; ---------------------------------------------------------------------------
ROM:C0405560
ROM:C0405560 loc_C0405560 ; CODE XREF: mt_otp_ioctl__1+144j
ROM:C0405560 02 00 A0 E1 MOV R0, R2
ROM:C0405564 03 20 A0 E1 MOV R2, R3
ROM:C0405568 D9 30 F8 EB BL __copy_from_user__1
ROM:C040556C
ROM:C040556C emmc_otp_get_host_
ROM:C040556C 00 00 50 E3 CMP R0, #0
ROM:C0405570 45 00 00 1A BNE loc_C040568C
ROM:C0405574 1C 20 95 E5 LDR R2, [R5,#0x1C]
ROM:C0405578 30 30 1B E5 LDR R3, [R11,#var_30]
ROM:C040557C C1 FF FF EA B loc_C0405488
ROM:C0405580 ; ---------------------------------------------------------------------------
ROM:C0405580
ROM:C0405580 loc_C0405580 ; CODE XREF: mt_otp_ioctl__1+20Cj
ROM:C0405580 F6 31 F8 EB BL __copy_to_user__1
ROM:C0405584 00 20 A0 E1 MOV R2, R0
ROM:C0405588
ROM:C0405588 emmc_get_wp_size_
ROM:C0405588 EE FF FF EA B loc_C0405548
ROM:C040558C ; ---------------------------------------------------------------------------
ROM:C040558C
ROM:C040558C loc_C040558C ; CODE XREF: mt_otp_ioctl__1+1B8j
ROM:C040558C 07 00 A0 E1 MOV R0, R7
ROM:C0405590 FF 10 A0 E3 MOV R1, #0xFF
ROM:C0405594 19 3A F8 EB BL memset__1
ROM:C0405598 30 30 1B E5 LDR R3, [R11,#var_30]
ROM:C040559C D4 FF FF EA B loc_C04054F4
ROM:C04055A0 ; ---------------------------------------------------------------------------
ROM:C04055A0
ROM:C04055A0 loc_C04055A0 ; CODE XREF: mt_otp_ioctl__1+1E8j
ROM:C04055A0 14 31 9F E5 LDR R3, =0xC0A0D8F0
ROM:C04055A4 00 70 A0 E3 MOV R7, #0
ROM:C04055A8 24 01 9F E5 LDR R0, =aImei_checksumI ; "IMEI_checksum is: %d buff_bcd[7] is %"...
ROM:C04055AC 1C 80 93 E5 LDR R8, [R3,#0x1C]
ROM:C04055B0 07 20 D8 E5 LDRB R2, [R8,#7]
ROM:C04055B4 0F A0 02 E2 AND R10, R2, #0xF
ROM:C04055B8 0A 10 A0 E1 MOV R1, R10
ROM:C04055BC 0B 26 06 EB BL printk__1
ROM:C04055C0 07 30 A0 E1 MOV R3, R7
ROM:C04055C4
ROM:C04055C4 loc_C04055C4 ; CODE XREF: mt_otp_ioctl__1+2B4j
ROM:C04055C4 03 20 D8 E7 LDRB R2, [R8,R3]
ROM:C04055C8 01 30 83 E2 ADD R3, R3, #1
ROM:C04055CC 0F 10 02 E2 AND R1, R2, #0xF
ROM:C04055D0 22 22 A0 E1 MOV R2, R2,LSR#4
ROM:C04055D4 82 20 A0 E1 MOV R2, R2,LSL#1
ROM:C04055D8 09 00 52 E3 CMP R2, #9
ROM:C04055DC 09 20 42 82 SUBHI R2, R2, #9
ROM:C04055E0 07 00 53 E3 CMP R3, #7
ROM:C04055E4 02 20 81 E0 ADD R2, R1, R2
ROM:C04055E8 02 70 87 E0 ADD R7, R7, R2
ROM:C04055EC F4 FF FF 1A BNE loc_C04055C4
ROM:C04055F0 00 00 57 E3 CMP R7, #0
ROM:C04055F4 28 00 00 0A BEQ loc_C040569C
ROM:C04055F8 07 10 A0 E1 MOV R1, R7 ;
ROM:C04055FC D4 00 9F E5 LDR R0, =aBcd_checkIsDRN ; "BCD_check is: %d/r/n"
ROM:C0405600 FA 25 06 EB BL printk__1
ROM:C0405604 CD 3C 0C E3+ MOV R3, #0xCCCCCCCD
ROM:C040560C 93 17 82 E0 UMULL R1, R2, R3, R7
ROM:C0405610 A2 21 A0 E1 MOV R2, R2,LSR#3
ROM:C0405614 02 21 82 E0 ADD R2, R2, R2,LSL#2
ROM:C0405618 82 70 47 E0 SUB R7, R7, R2,LSL#1
ROM:C040561C 0A 70 67 E2 RSB R7, R7, #0xA
ROM:C0405620 93 27 83 E0 UMULL R2, R3, R3, R7
ROM:C0405624 A3 31 A0 E1 MOV R3, R3,LSR#3
ROM:C0405628 03 31 83 E0 ADD R3, R3, R3,LSL#2
ROM:C040562C 83 70 47 E0 SUB R7, R7, R3,LSL#1
ROM:C0405630 0A 00 57 E1 CMP R7, R10
ROM:C0405634 BA FF FF 0A BEQ loc_C0405524
ROM:C0405638
ROM:C0405638 loc_C0405638 ; CODE XREF: mt_otp_ioctl__1+36Cj
ROM:C0405638 00 10 95 E5 LDR R1, [R5]
ROM:C040563C 98 00 9F E5 LDR R0, =aUnavailableIme ; "------------------------unavailable IME"...
ROM:C0405640 EA 25 06 EB BL printk__1
ROM:C0405644 00 30 95 E5 LDR R3, [R5]
ROM:C0405648 34 10 1B E5 LDR R1, [R11,#var_34]
ROM:C040564C 00 C0 A0 E3 MOV R12, #0
ROM:C0405650 1C 20 95 E5 LDR R2, [R5,#0x1C]
ROM:C0405654 0C 00 A0 E1 MOV R0, R12
ROM:C0405658 00 C0 85 E5 STR R12, [R5]
ROM:C040565C 28 C0 4B E2 SUB R12, R11, #-var_28
ROM:C0405660 83 13 41 E0 SUB R1, R1, R3,LSL#7
ROM:C0405664 01 30 A0 E3 MOV R3, #1
ROM:C0405668 20 30 85 E5 STR R3, [R5,#0x20]
ROM:C040566C 30 30 1B E5 LDR R3, [R11,#var_30]
ROM:C0405670 34 10 0B E5 STR R1, [R11,#var_34]
ROM:C0405674 00 C0 8D E5 STR R12, [SP,#0x44+var_44]
ROM:C0405678 8D FE FF EB BL mt_otp_access__1
ROM:C040567C A8 FF FF EA B loc_C0405524
ROM:C0405680 ; ---------------------------------------------------------------------------
ROM:C0405680
ROM:C0405680 loc_C0405680 ; CODE XREF: mt_otp_ioctl__1+14Cj
ROM:C0405680 02 00 A0 E1 MOV R0, R2
ROM:C0405684 03 10 A0 E1 MOV R1, R3
ROM:C0405688 0C 3A F8 EB BL __memzero__1
ROM:C040568C
ROM:C040568C loc_C040568C ; CODE XREF: mt_otp_ioctl__1+238j
ROM:C040568C 4C 00 9F E5 LDR R0, =aEmmc_otpIoct_0 ; "EMMC_OTP IOCTL: Copy from user buffer E"...
ROM:C0405690 00 40 A0 E3 MOV R4, #0
ROM:C0405694 D5 25 06 EB BL printk__1
ROM:C0405698
ROM:C0405698 emmc_otp_query_length_
ROM:C0405698 61 FF FF EA B loc_C0405424
ROM:C040569C ; ---------------------------------------------------------------------------
ROM:C040569C
ROM:C040569C loc_C040569C ; CODE XREF: mt_otp_ioctl__1+2BCj
ROM:C040569C 40 00 9F E5 LDR R0, =a00000000000000 ; "000000000000000 IMEI\r\n"
ROM:C04056A0 D2 25 06 EB BL printk__1
ROM:C04056A4 E3 FF FF EA B loc_C0405638
ROM:C04056A8 ; ---------------------------------------------------------------------------
ROM:C04056A8
ROM:C04056A8 loc_C04056A8 ; CODE XREF: mt_otp_ioctl__1+1DCj
ROM:C04056A8 38 00 9F E5 LDR R0, =aFoundUnavailab ; "found unavailable IMEI----has fixed off"...
ROM:C04056AC CF 25 06 EB BL printk__1
ROM:C04056B0 9B FF FF EA B loc_C0405524
ROM:C04056B4 ; ---------------------------------------------------------------------------
ROM:C04056B4
ROM:C04056B4 loc_C04056B4 ; CODE XREF: mt_otp_ioctl__1+50j
ROM:C04056B4 0D 40 E0 E3 MOV R4, #0xFFFFFFF2
ROM:C04056B8 5B FF FF EA B loc_C040542C
ROM:C04056B8 ; End of function mt_otp_ioctl__1


The eMMC OTP start, I think, is here: 0xC0A0D8F0. But is this virtual or physical? For me the IMEI is 0xE5480000; the scatter entry is this:

partition_index: SYS21
partition_name: OTP
file_name: NONE
is_download: false
type: NORMAL_ROM
linear_start_addr: 0xffff0200
physical_start_addr: 0x0
partition_size: 0x2b00000
region: EMMC_USER
storage: HW_STORAGE_EMMC
boundary_check: true
is_reserved: false
operation_type: BINREGION
reserve: 0x00

I think the trick is to put the byte 01 at 0xC0A0D8F8 to be able to write eMMC in this sector. Does anyone have any tips?
Is it possible to read or write this area, 0xC0A0Dxxx?
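An added model (written for this page, not the driver's or the kernel's own code) of the user-pointer check that precedes both `__copy_from_user` calls in the listing, plus a decoder for the three ioctl numbers the handler dispatches on. It assumes 32-bit ARM Linux defaults: 8 KiB kernel stacks with `thread_info` at the stack base and `addr_limit` at offset 8, and `addr_limit == TASK_SIZE == 0xBF000000` for a user-space caller.

```python
# Illustrative model of the mt_otp_ioctl listing above; not the driver's code.
# Assumptions (32-bit ARM Linux defaults): 8 KiB kernel stacks with thread_info
# at the stack base and addr_limit at offset 8; for a user-space caller
# addr_limit == TASK_SIZE == 0xBF000000 (3G/1G split).

MASK32 = 0xFFFFFFFF
THREAD_SIZE = 0x2000     # BIC #0x1FC0 ; BIC #0x3F clears the low 13 bits of SP
TASK_SIZE = 0xBF000000   # assumed addr_limit value for USER_DS
ARG_SIZE = 0x14          # bytes the handler copies with __copy_from_user


def thread_info_base(sp: int) -> int:
    """`MOV R3, SP ; BIC R6, R3, #0x1FC0 ; BIC R6, R6, #0x3F` -> thread_info."""
    return sp & ~(THREAD_SIZE - 1) & MASK32


def range_ok(addr: int, size: int = ARG_SIZE, limit: int = TASK_SIZE) -> bool:
    """`ADDS R2, R4, #size ; SBCCCS R2, R2, R3 ; MOVCC R3, #0 ; CMP R3, #0`.

    R3 holds addr_limit, loaded from [thread_info + 8].  The sequence leaves
    R3 == 0 only if the addition does not wrap and addr + size <= limit;
    otherwise BNE takes the -EFAULT (0xFFFFFFF2) exit.  This is the Linux
    arm __range_ok() idiom, i.e. access_ok() applied to the user pointer.
    """
    end = addr + size
    if end > MASK32:        # ADDS set C: SBCCCS and MOVCC are skipped, R3 != 0
        return False
    # SBCCCS computes end - limit - 1; carry stays set (fail) iff end > limit
    return end <= limit


def decode_ioctl(cmd: int) -> dict:
    """Split a Linux ioctl number into its _IOC(dir, type, nr, size) fields."""
    dirs = {0: "NONE", 1: "WRITE", 2: "READ", 3: "READ|WRITE"}
    return {
        "dir": dirs[(cmd >> 30) & 0x3],
        "size": (cmd >> 16) & 0x3FFF,
        "type": chr((cmd >> 8) & 0xFF),
        "nr": cmd & 0xFF,
    }


if __name__ == "__main__":
    # Constructed sample pointers: a user-space address, the kernel address
    # asked about in the post, and one whose end wraps past 4 GiB.
    for ptr in (0x0002A000, 0xC0A0D8F0, 0xFFFFFFF8):
        print(f"{ptr:#010x} passes access_ok: {range_ok(ptr)}")
    for cmd in (0x40046B01, 0x40046B02, 0x40046B03):   # the three dispatched cases
        print(f"{cmd:#010x} -> {decode_ioctl(cmd)}")
```

With those defaults, 0xC0A0D8F0 lies above addr_limit, so the check fails and the handler returns -EFAULT: the ROM: addresses in the listing are kernel virtual addresses, and what the ioctl validates is the caller's user-space virtual pointer, not a physical eMMC offset. Note also that the encoded size field of each command is 4 (a pointer) while the handler copies a 0x14-byte struct through that pointer.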