view moko11 @ 59:3f38da3933c2
Pirelli's IMEI obfuscation cracked!
| author | Michael Spacefalcon <msokolov@ivan.Harhan.ORG> | 
|---|---|
| date | Fri, 29 Nov 2013 00:39:02 +0000 | 
| parents | 277fd7b971f0 | 
| children | 
The Init_Target() function in the TCS211 code from Sotovik (which sits in a binary lib with no source!) programs nCS0 and nCS1 memory timings with WS=3. We would like to determine whether or not the moko11 firmware does the same thing. We have no linker map file for moko11, so we have to dig around in the binary and try to match the code against known objects.

In the Sotomodem version of Init_Target(), at offset 0x60 from the beginning of the function there is a BL instruction calling $CLKM_InitARMClock, and this call is immediately followed by the code that sets up the memory timings.

Let's see what we can find in the moko11 binary image:

0012D4: RESET vector jumps here
010000: the code here appears to fully match the .inttext section of TI's int.obj
010058: appears to be the _INT_Initialize entry point (seems to be the same for all TI firmwares of that era)
010268: b 0x1e8364, should be a jump to the _INC_Initialize veneer
1D1E48: first function called from Application_Initialize, should be Init_Target()
        Matches the Sotomodem version of Init_Target() indeed, including the memory timing setup!
1E72B0: Expected start of $INC_Initialize, appears to match
1E72F4: bl 0x1e81fc, should be calling Application_Initialize()
1E81FC: Expected start of Application_Initialize(), contains 6 calls indeed
1E8364: looks like an ARM->Thumb call veneer indeed
1E8370: Thumb code begins, does bl 0x1e72b0
1E8378: back to ARM, veneer return
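Following such call chains by hand is error-prone, so here is an added example (not code from the freecalypso-reveng repository) that decodes ARM B/BL and Thumb BL branch targets straight from a flash image. The image below is constructed: it contains only the three branches listed above, placed at their offsets, and the decoder assumes the image is loaded at address 0 so that file offsets equal PC values (as the notes above do).

```python
import struct


def sign_extend(value, bits):
    """Interpret an unsigned field of `bits` width as two's complement."""
    if value & (1 << (bits - 1)):
        value -= 1 << bits
    return value


def arm_branch_target(image, offset):
    """Decode an ARM B/BL word at `offset`. ARM7TDMI (ARMv4T) has no BLX,
    so only the cond/101/L/imm24 form is handled. PC reads as offset + 8."""
    (word,) = struct.unpack_from("<I", image, offset)
    if (word >> 25) & 0x7 != 0b101:
        return None
    link = (word >> 24) & 1
    imm24 = sign_extend(word & 0x00FFFFFF, 24)
    target = (offset + 8 + (imm24 << 2)) & 0xFFFFFFFF
    return ("bl" if link else "b", target)


def thumb_bl_target(image, offset):
    """Decode a Thumb BL halfword pair (0xF000 prefix, 0xF800 suffix) at
    `offset`. The 22-bit signed offset is relative to PC = offset + 4."""
    hi, lo = struct.unpack_from("<HH", image, offset)
    if (hi & 0xF800) != 0xF000 or (lo & 0xF800) != 0xF800:
        return None
    rel = (sign_extend(hi & 0x7FF, 11) << 12) + ((lo & 0x7FF) << 1)
    return ("bl", (offset + 4 + rel) & 0xFFFFFFFF)


# Constructed image: an otherwise empty buffer with the three branches from
# the notes above, hand-encoded for those exact offsets and targets.
IMAGE = bytearray(0x1F0000)
struct.pack_into("<I", IMAGE, 0x010268, 0xEA07603D)   # b   0x1e8364
struct.pack_into("<I", IMAGE, 0x1E72F4, 0xEB0003C0)   # bl  0x1e81fc
struct.pack_into("<HH", IMAGE, 0x1E8370, 0xF7FE, 0xFF9E)  # Thumb bl 0x1e72b0


def trace_chain(image):
    """Resolve the three branches the notes walk through, in order."""
    return [
        (0x010268, arm_branch_target(image, 0x010268)),
        (0x1E8370, thumb_bl_target(image, 0x1E8370)),
        (0x1E72F4, arm_branch_target(image, 0x1E72F4)),
    ]
```

Run against a real dump, the same two decoders let you confirm each "should be calling ..." guess above by checking that the decoded target lands on the expected function start.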
