The iPhone Wiki - User contributions [en]

Secpack 2.0

2009-08-14T15:25:18Z

Blackhorn:

Secpack 2.0

2009-08-14T15:22:50Z

Blackhorn:

This is the security in the files sent to the [[X-Gold 608]].

==Sections==
The file contains sections like structure below

struct section_header
{
unsigned int id;
unsigned int size;
unsigned int sub_id;
};

followed by the data.

The size define the header size(0xC) and the size of data

==Section ID==
0xCF8 -- Header
0x2 -- Footer
0xB -- Memory Map
0x10 -- File Description (type (EEP, FLS, ...), ...)

==Header==
fls and eep have a 0xCF8 header on the file
0x634--Memory Map
0x714--Descriptor
0xCD4--Post secpack pointer to name
0xCEC--Data length

==Data==
You know what this is

==Footer==
Files also have 0x8D4 footer before the loader
0xB4--Traditional [[Secpack]]

==Loader==
This has two loaders, a bootrom loader which loads at 0x80000 and a bootloader loader which loads at 0x86000

Secpack 2.0

2009-08-14T15:22:27Z

Blackhorn:

This is the security in the files sent to the [[X-Gold 608]].

==Sections==
The file contains sections like structure below

struct section_header
{
unsigned int id;
unsigned int size;
unsigned int sub_id;
};

followed by the data.
The size define the header size(0xC) and the size of data

==Section ID==
0xCF8 -- Header
0x2 -- Footer
0xB -- Memory Map
0x10 -- File Description (type (EEP, FLS, ...), ...)

==Header==
fls and eep have a 0xCF8 header on the file
0x634--Memory Map
0x714--Descriptor
0xCD4--Post secpack pointer to name
0xCEC--Data length

==Data==
You know what this is

==Footer==
Files also have 0x8D4 footer before the loader
0xB4--Traditional [[Secpack]]

==Loader==
This has two loaders, a bootrom loader which loads at 0x80000 and a bootloader loader which loads at 0x86000

Secpack 2.0

2009-08-14T15:22:04Z

Blackhorn:

This is the security in the files sent to the [[X-Gold 608]].

==Sections===
The file contains sections like structure below

struct section_header
{
unsigned int id;
unsigned int size;
unsigned int sub_id;
};

followed by the data.
The size define the header size(0xC) and the size of data

==Section ID==
0xCF8 -- Header
0x2 -- Footer
0xB -- Memory Map
0x10 -- File Description (type (EEP, FLS, ...), ...)

==Header==
fls and eep have a 0xCF8 header on the file
0x634--Memory Map
0x714--Descriptor
0xCD4--Post secpack pointer to name
0xCEC--Data length

==Data==
You know what this is

==Footer==
Files also have 0x8D4 footer before the loader
0xB4--Traditional [[Secpack]]

==Loader==
This has two loaders, a bootrom loader which loads at 0x80000 and a bootloader loader which loads at 0x86000

IDA Pro Setup

2009-08-14T13:55:29Z

Blackhorn:

==How to set up IDA pro to reverse the 3G baseband==

The [[X-Gold 608]] has a memory map, as seen in it's page.

The [[Secpack 2.0]] takes up the first 0xCF8 of the .fls file.

So to load the 3G .fls file into IDA pro, the file offset is 0xCF8(for the secpack), and the CODE starts at the ROM start address of 0x20040000(since it's the main firmware)

For real noobs:
1. Drag the fls file into IDA
2. Select ARM
3. Change ROM start address to 0x20040000
4. Change Loading address to 0x20040000
5. Change File offset to 0xCF8
6. Copy Loading size into ROM size
7. Press OK
8. The entry point is the address at 0x20040408
9. Go to 20100004 and Press "C" to start. ~Deco
10. Read the instructions so you can find other places where you can press "C" to get more code. ~Deco

Here are some key combinations to use:
* c = turn the 'gibberish' into code
* d = turn the 'gibberish' into data
* a = turn the 'gibberish' into a string
* u = undefine what you just may have done, i usually use this since there is no real edit+undo in IDA so this is the next best thing
* Alt+G = toggle the Register T from 0 / 1 to toggle arm and thumb mode when needed

[http://dl.free.fr/pTmWY9YGJ This] might also be a decent starting point (pw: caique2001).

== some hints for getting the mnemonics from n00b for noobs (read: master noob for noobs ;-) )==

The autoanalysis didn't work very well. There were a lot of silly mnemonics, simply interleaving thumb and arm mode or other nasty stuff. I then tried to identify strings, pressing 'A'. Boring... What pushed it up a little bit is this:

Most code is 'embraced' by 'embracing' code:
- push / pop for thumb mod
- STMFD / LDMFD for arm mode

Even better, all versions of above codes have similar instruction sets. So you can find all occurences of STMFD by hex searching '2D E9', going two bytes back (did I say code is aligned? 4bytes in arm starting at 00 04 08 0c, 2bytes in thumb mode!) and pressing 'C'. If you see scrambled code, then (probably) the wrong mode (thumb) is enabled. Just press Alt-G, change the value for T to zero. See?!
The same goes for thumb mode. Push instructions are 'B5' preceeded by 02 0B 4E 72 30 10 F0 70 F3 7C 55 1F 30 3E 0E 1C 08 7F ... So just look for e.g. '10 B5' at two-byte boarders (Alt-B to set, Ctrl-B to search again) and you will easily find all occurences. Again, if it is scrambled, switch back to thumb mode (Alt-G, T=1).
After all, you can hex browse a little bit and press 'C' for missing code or 'A' for text.

Above is a very simple 'algorithm', maybe there is an appropiate IDA plugin. Or you could write one :-) !

[http://code.assembla.com/ks360/subversion/nodes/utils/Analyze.py Script] with [http://d-dome.net/idapython/ IDAPython]

==Addresses of known functions / code locations==
===Baseband 02.28.00===
* 0x201497B0 - maybe AT Command handler? (uses strings such as "OK", "ERROR", "UNKNOWN COMMAND")
* 0x203C51BC - probably prints text
* 0x201420AC - malloc (according to Darkmen)
* 0x203C58A0 - bytecpy (according to Darkmen)
* 0x203FB540 - NU_Create_Task (according to Darkmen)
* 0x2046DD00 - sprintf (according to Darkmen)
* 0x20165998 - NU_Receive_From_Mailbox (according to Darkmen)
* 0x203ED568 - NU_Send_To_Mailbox (according to Darkmen)

===iPod touch 2G Bootrom===
I think this might not be a good idea, because this page will wind up getting huge, but in case anyone thinks differently I'll add these for the hell of it.

====functions====
* 0x067A - BootromStart
* 0x45BA - InitProcessor
* 0x4778 - SetupMMU
* 0x4734 - MMU_MapAddr
* 0x3A84 - Do_MMU_Mappings
* 0x34FC - EnableInterrupts
* 0x652C - Setup_SPI
* 0x36DC - Setup_IdleTask
* 0x4906 - PrepareNOR
* 0x49BC - nor_spi_read_range
* 0x178C - malloc
* 0x34D8 - DisableInterrupts
* 0x7840 - memset
* 0x7858 - memzero (this looks funny in IDA, kind of, but really it's just optimized as part of memset)
* 0x1954 - free
* 0x4844 - addNORtoBlockDevList
* 0x4804 - default_block_read
* 0x10C8 - blockdev_read_hook(void *BDevStruct, void *OutputBuffer, __int32 InputImageStartAddress, int Offset, __int32 Size)
* 0x1258 - fake_default_block_read
* 0x136E - blockdev_write_hook
* 0x1518 - default_block_write
* 0x151E - default_block_erase
* 0x1090 - get_block_device(const char* deviceName)
* 0x8354 - strcmp
* 0x1AF0 - CreateImageList
* 0x1F68 - DoCreateImageList
* 0x204C - GetImage(u32 imageFourccTag)
* 0x1BF0 - SetupMemzStruct(u32 LoadAddress, u32 FileSize, u32 flags)
* 0x30E8 - InitUSB
* 0x795C - memcpy
* 0x0E84 - USB_Core_Init
* 0x1058 - StopUSB
* 0x328C - GetSystemInfo
* 0x3D94 - Get_Chip_ID
* 0x3DA0 - Get_Chip_Revision
* 0x3D74 - Get_Security_Epoch
* 0x3AE4 - Get_Board_ID
* 0x3DD4 - Get_Unique_Chip_ID
* 0x8286 - snprintf
* 0x7D5C - vfprintf_like_thingy
* 0x82A8 - printf
* 0x8422 - putchar
* 0x2E98 - usb_print
* 0x83CC - strncat
* 0x1C18 - FreeMemzStruct
* 0x67DC - Reboot (via watchdog, so yeah it looks a bit odd)
* 0x0644 - LoadAndJumpToFWImage(struct MemzStruct *pMemzInfo, __int32 LoadAddress, __int32 FileSize)
* 0x3338 - ProperlyJumpToImage(void unkown, u32 address, void unknown)
* 0x4584 - PrepMMUForJump (?)
* 0x1B78 - LoadFirmwareImage
* 0x2144 - doLoadFirmwareImage
* 0x1D04 - VerifyImage
* 0x5EA8 - ComputeSHA1(void *Input_Data, int Data_Size, void *SHA1_Of_Data)
* 0x4150 - AdjustClock
* 0x5E54 - CopyBlockToSHA1Engine
* 0x372E - yield
* 0x2400 - DecryptRSASignature
* 0x0898 - DoCrypto(int CryptOption, void *Input_Buffer, void *Output_Buffer, __int32 Size, int AESMode, void *Key, void *IV) [CryptOption 0x10 == encrypt, 0x11 == decrypt]
* 0x5010 - aes_encrypt
* 0x4DB8 - do_aes_encrypt
* 0x4D38 - send_key_to_aes
* 0x4D88 - send_iv_to_aes
* 0x4F44 - aes_decrypt
* 0x4E80 - do_aes_decrypt
* 0x2668 - parse_certificate_and_signature(void *pCertsData, int sizeOfCerts, void *pImageRsaSha1, int sizeofRsaSha1, void *pComputedImageSha1, int sha1Size, void *pImageBuffer, int imageFullSize)
* 0x356C - CheckIfDiagnosticDevice
* 0x3D64 - Get_Security_Domain
* 0x3D44 - Get_Production_Mode
* 0x1F00 - Find_Data_For_Tag
* 0x346C - Panic
* 0x0634 - WaitForInterrupt
* 0x4618 - UndefinedInstructionVector
* 0x46F0 - UndefinedInstructionHandler
* 0x4628 - SoftwareInterruptVector
* 0x4700 - SoftwareInterruptHandler
* 0x4640 - PrefetchAbortVector
* 0x46B4 - PrefetchAbortHandler
* 0x4664 - DataAbortVector
* 0x46A2 - DataAbortHandler
* 0x467C - AddressExceptionTrapVector
* 0x4680 - InterruptRequestVector
* 0x4710 - InterruptRequestHandler
* 0x4BEC - HandleInterruptRequest
* 0x4690 - FastInterruptRequestVector
* 0x4722 - FastInterruptRequestHandler
* 0x4C40 - HandleFastInterruptRequest

====variables====
* 0x220240D4 - SHA1 accelerator register table
* 0x22024200 - Block Device List
* 0x220250A0 - Permissions Flags
* 0x220254E0 - Interrupt Table
* 0x2202C000 - Page table

IDA Pro Setup

2009-08-14T13:55:05Z

Blackhorn:

==How to set up IDA pro to reverse the 3G baseband==

The [[X-Gold 608]] has a memory map, as seen in it's page.

The [[Secpack 2.0]] takes up the first 0xCF8 of the .fls file.

So to load the 3G .fls file into IDA pro, the file offset is 0xCF8(for the secpack), and the CODE starts at the ROM start address of 0x20040000(since it's the main firmware)

For real noobs:
1. Drag the fls file into IDA
2. Select ARM
3. Change ROM start address to 0x20040000
4. Change Loading address to 0x20040000
5. Change File offset to 0xCF8
6. Copy Loading size into ROM size
7. Press OK
8. The entry point is the address at 0x20040408
9. Go to 20100004 and Press "C" to start. ~Deco
10. Read the instructions so you can find other places where you can press "C" to get more code. ~Deco

Here are some key combinations to use:
* c = turn the 'gibberish' into code
* d = turn the 'gibberish' into data
* a = turn the 'gibberish' into a string
* u = undefine what you just may have done, i usually use this since there is no real edit+undo in IDA so this is the next best thing
* Alt+G = toggle the Register T from 0 / 1 to toggle arm and thumb mode when needed

[http://dl.free.fr/pTmWY9YGJ This] might also be a decent starting point (pw: caique2001).

== some hints for getting the mnemonics from n00b for noobs (read: master noob for noobs ;-) )==

The autoanalysis didn't work very well. There were a lot of silly mnemonics, simply interleaving thumb and arm mode or other nasty stuff. I then tried to identify strings, pressing 'A'. Boring... What pushed it up a little bit is this:

Most code is 'embraced' by 'embracing' code:
- push / pop for thumb mod
- STMFD / LDMFD for arm mode

Even better, all versions of above codes have similar instruction sets. So you can find all occurences of STMFD by hex searching '2D E9', going two bytes back (did I say code is aligned? 4bytes in arm starting at 00 04 08 0c, 2bytes in thumb mode!) and pressing 'C'. If you see scrambled code, then (probably) the wrong mode (thumb) is enabled. Just press Alt-G, change the value for T to zero. See?!
The same goes for thumb mode. Push instructions are 'B5' preceeded by 02 0B 4E 72 30 10 F0 70 F3 7C 55 1F 30 3E 0E 1C 08 7F ... So just look for e.g. '10 B5' at two-byte boarders (Alt-B to set, Ctrl-B to search again) and you will easily find all occurences. Again, if it is scrambled, switch back to thumb mode (Alt-G, T=1).
After all, you can hex browse a little bit and press 'C' for missing code or 'A' for text.

Above is a very simple 'algorithm', maybe there is an appropiate IDA plugin. Or you could write one :-) !

[http://code.assembla.com/ks360/subversion/nodes/utils/Analyze.py link Script] with [http://d-dome.net/idapython/ link IDAPython]

==Addresses of known functions / code locations==
===Baseband 02.28.00===
* 0x201497B0 - maybe AT Command handler? (uses strings such as "OK", "ERROR", "UNKNOWN COMMAND")
* 0x203C51BC - probably prints text
* 0x201420AC - malloc (according to Darkmen)
* 0x203C58A0 - bytecpy (according to Darkmen)
* 0x203FB540 - NU_Create_Task (according to Darkmen)
* 0x2046DD00 - sprintf (according to Darkmen)
* 0x20165998 - NU_Receive_From_Mailbox (according to Darkmen)
* 0x203ED568 - NU_Send_To_Mailbox (according to Darkmen)

===iPod touch 2G Bootrom===
I think this might not be a good idea, because this page will wind up getting huge, but in case anyone thinks differently I'll add these for the hell of it.

====functions====
* 0x067A - BootromStart
* 0x45BA - InitProcessor
* 0x4778 - SetupMMU
* 0x4734 - MMU_MapAddr
* 0x3A84 - Do_MMU_Mappings
* 0x34FC - EnableInterrupts
* 0x652C - Setup_SPI
* 0x36DC - Setup_IdleTask
* 0x4906 - PrepareNOR
* 0x49BC - nor_spi_read_range
* 0x178C - malloc
* 0x34D8 - DisableInterrupts
* 0x7840 - memset
* 0x7858 - memzero (this looks funny in IDA, kind of, but really it's just optimized as part of memset)
* 0x1954 - free
* 0x4844 - addNORtoBlockDevList
* 0x4804 - default_block_read
* 0x10C8 - blockdev_read_hook(void *BDevStruct, void *OutputBuffer, __int32 InputImageStartAddress, int Offset, __int32 Size)
* 0x1258 - fake_default_block_read
* 0x136E - blockdev_write_hook
* 0x1518 - default_block_write
* 0x151E - default_block_erase
* 0x1090 - get_block_device(const char* deviceName)
* 0x8354 - strcmp
* 0x1AF0 - CreateImageList
* 0x1F68 - DoCreateImageList
* 0x204C - GetImage(u32 imageFourccTag)
* 0x1BF0 - SetupMemzStruct(u32 LoadAddress, u32 FileSize, u32 flags)
* 0x30E8 - InitUSB
* 0x795C - memcpy
* 0x0E84 - USB_Core_Init
* 0x1058 - StopUSB
* 0x328C - GetSystemInfo
* 0x3D94 - Get_Chip_ID
* 0x3DA0 - Get_Chip_Revision
* 0x3D74 - Get_Security_Epoch
* 0x3AE4 - Get_Board_ID
* 0x3DD4 - Get_Unique_Chip_ID
* 0x8286 - snprintf
* 0x7D5C - vfprintf_like_thingy
* 0x82A8 - printf
* 0x8422 - putchar
* 0x2E98 - usb_print
* 0x83CC - strncat
* 0x1C18 - FreeMemzStruct
* 0x67DC - Reboot (via watchdog, so yeah it looks a bit odd)
* 0x0644 - LoadAndJumpToFWImage(struct MemzStruct *pMemzInfo, __int32 LoadAddress, __int32 FileSize)
* 0x3338 - ProperlyJumpToImage(void unkown, u32 address, void unknown)
* 0x4584 - PrepMMUForJump (?)
* 0x1B78 - LoadFirmwareImage
* 0x2144 - doLoadFirmwareImage
* 0x1D04 - VerifyImage
* 0x5EA8 - ComputeSHA1(void *Input_Data, int Data_Size, void *SHA1_Of_Data)
* 0x4150 - AdjustClock
* 0x5E54 - CopyBlockToSHA1Engine
* 0x372E - yield
* 0x2400 - DecryptRSASignature
* 0x0898 - DoCrypto(int CryptOption, void *Input_Buffer, void *Output_Buffer, __int32 Size, int AESMode, void *Key, void *IV) [CryptOption 0x10 == encrypt, 0x11 == decrypt]
* 0x5010 - aes_encrypt
* 0x4DB8 - do_aes_encrypt
* 0x4D38 - send_key_to_aes
* 0x4D88 - send_iv_to_aes
* 0x4F44 - aes_decrypt
* 0x4E80 - do_aes_decrypt
* 0x2668 - parse_certificate_and_signature(void *pCertsData, int sizeOfCerts, void *pImageRsaSha1, int sizeofRsaSha1, void *pComputedImageSha1, int sha1Size, void *pImageBuffer, int imageFullSize)
* 0x356C - CheckIfDiagnosticDevice
* 0x3D64 - Get_Security_Domain
* 0x3D44 - Get_Production_Mode
* 0x1F00 - Find_Data_For_Tag
* 0x346C - Panic
* 0x0634 - WaitForInterrupt
* 0x4618 - UndefinedInstructionVector
* 0x46F0 - UndefinedInstructionHandler
* 0x4628 - SoftwareInterruptVector
* 0x4700 - SoftwareInterruptHandler
* 0x4640 - PrefetchAbortVector
* 0x46B4 - PrefetchAbortHandler
* 0x4664 - DataAbortVector
* 0x46A2 - DataAbortHandler
* 0x467C - AddressExceptionTrapVector
* 0x4680 - InterruptRequestVector
* 0x4710 - InterruptRequestHandler
* 0x4BEC - HandleInterruptRequest
* 0x4690 - FastInterruptRequestVector
* 0x4722 - FastInterruptRequestHandler
* 0x4C40 - HandleFastInterruptRequest

====variables====
* 0x220240D4 - SHA1 accelerator register table
* 0x22024200 - Block Device List
* 0x220250A0 - Permissions Flags
* 0x220254E0 - Interrupt Table
* 0x2202C000 - Page table

IDA Pro Setup

2009-08-14T13:54:42Z

Blackhorn:

==How to set up IDA pro to reverse the 3G baseband==

The [[X-Gold 608]] has a memory map, as seen in it's page.

The [[Secpack 2.0]] takes up the first 0xCF8 of the .fls file.

So to load the 3G .fls file into IDA pro, the file offset is 0xCF8(for the secpack), and the CODE starts at the ROM start address of 0x20040000(since it's the main firmware)

For real noobs:
1. Drag the fls file into IDA
2. Select ARM
3. Change ROM start address to 0x20040000
4. Change Loading address to 0x20040000
5. Change File offset to 0xCF8
6. Copy Loading size into ROM size
7. Press OK
8. The entry point is the address at 0x20040408
9. Go to 20100004 and Press "C" to start. ~Deco
10. Read the instructions so you can find other places where you can press "C" to get more code. ~Deco

Here are some key combinations to use:
* c = turn the 'gibberish' into code
* d = turn the 'gibberish' into data
* a = turn the 'gibberish' into a string
* u = undefine what you just may have done, i usually use this since there is no real edit+undo in IDA so this is the next best thing
* Alt+G = toggle the Register T from 0 / 1 to toggle arm and thumb mode when needed

[http://dl.free.fr/pTmWY9YGJ This] might also be a decent starting point (pw: caique2001).

== some hints for getting the mnemonics from n00b for noobs (read: master noob for noobs ;-) )==

The autoanalysis didn't work very well. There were a lot of silly mnemonics, simply interleaving thumb and arm mode or other nasty stuff. I then tried to identify strings, pressing 'A'. Boring... What pushed it up a little bit is this:

Most code is 'embraced' by 'embracing' code:
- push / pop for thumb mod
- STMFD / LDMFD for arm mode

Even better, all versions of above codes have similar instruction sets. So you can find all occurences of STMFD by hex searching '2D E9', going two bytes back (did I say code is aligned? 4bytes in arm starting at 00 04 08 0c, 2bytes in thumb mode!) and pressing 'C'. If you see scrambled code, then (probably) the wrong mode (thumb) is enabled. Just press Alt-G, change the value for T to zero. See?!
The same goes for thumb mode. Push instructions are 'B5' preceeded by 02 0B 4E 72 30 10 F0 70 F3 7C 55 1F 30 3E 0E 1C 08 7F ... So just look for e.g. '10 B5' at two-byte boarders (Alt-B to set, Ctrl-B to search again) and you will easily find all occurences. Again, if it is scrambled, switch back to thumb mode (Alt-G, T=1).
After all, you can hex browse a little bit and press 'C' for missing code or 'A' for text.

Above is a very simple 'algorithm', maybe there is an appropiate IDA plugin. Or you could write one :-) !
[http://code.assembla.com/ks360/subversion/nodes/utils/Analyze.py link Script] with [http://d-dome.net/idapython/ link IDAPython

==Addresses of known functions / code locations==
===Baseband 02.28.00===
* 0x201497B0 - maybe AT Command handler? (uses strings such as "OK", "ERROR", "UNKNOWN COMMAND")
* 0x203C51BC - probably prints text
* 0x201420AC - malloc (according to Darkmen)
* 0x203C58A0 - bytecpy (according to Darkmen)
* 0x203FB540 - NU_Create_Task (according to Darkmen)
* 0x2046DD00 - sprintf (according to Darkmen)
* 0x20165998 - NU_Receive_From_Mailbox (according to Darkmen)
* 0x203ED568 - NU_Send_To_Mailbox (according to Darkmen)

===iPod touch 2G Bootrom===
I think this might not be a good idea, because this page will wind up getting huge, but in case anyone thinks differently I'll add these for the hell of it.

====functions====
* 0x067A - BootromStart
* 0x45BA - InitProcessor
* 0x4778 - SetupMMU
* 0x4734 - MMU_MapAddr
* 0x3A84 - Do_MMU_Mappings
* 0x34FC - EnableInterrupts
* 0x652C - Setup_SPI
* 0x36DC - Setup_IdleTask
* 0x4906 - PrepareNOR
* 0x49BC - nor_spi_read_range
* 0x178C - malloc
* 0x34D8 - DisableInterrupts
* 0x7840 - memset
* 0x7858 - memzero (this looks funny in IDA, kind of, but really it's just optimized as part of memset)
* 0x1954 - free
* 0x4844 - addNORtoBlockDevList
* 0x4804 - default_block_read
* 0x10C8 - blockdev_read_hook(void *BDevStruct, void *OutputBuffer, __int32 InputImageStartAddress, int Offset, __int32 Size)
* 0x1258 - fake_default_block_read
* 0x136E - blockdev_write_hook
* 0x1518 - default_block_write
* 0x151E - default_block_erase
* 0x1090 - get_block_device(const char* deviceName)
* 0x8354 - strcmp
* 0x1AF0 - CreateImageList
* 0x1F68 - DoCreateImageList
* 0x204C - GetImage(u32 imageFourccTag)
* 0x1BF0 - SetupMemzStruct(u32 LoadAddress, u32 FileSize, u32 flags)
* 0x30E8 - InitUSB
* 0x795C - memcpy
* 0x0E84 - USB_Core_Init
* 0x1058 - StopUSB
* 0x328C - GetSystemInfo
* 0x3D94 - Get_Chip_ID
* 0x3DA0 - Get_Chip_Revision
* 0x3D74 - Get_Security_Epoch
* 0x3AE4 - Get_Board_ID
* 0x3DD4 - Get_Unique_Chip_ID
* 0x8286 - snprintf
* 0x7D5C - vfprintf_like_thingy
* 0x82A8 - printf
* 0x8422 - putchar
* 0x2E98 - usb_print
* 0x83CC - strncat
* 0x1C18 - FreeMemzStruct
* 0x67DC - Reboot (via watchdog, so yeah it looks a bit odd)
* 0x0644 - LoadAndJumpToFWImage(struct MemzStruct *pMemzInfo, __int32 LoadAddress, __int32 FileSize)
* 0x3338 - ProperlyJumpToImage(void unkown, u32 address, void unknown)
* 0x4584 - PrepMMUForJump (?)
* 0x1B78 - LoadFirmwareImage
* 0x2144 - doLoadFirmwareImage
* 0x1D04 - VerifyImage
* 0x5EA8 - ComputeSHA1(void *Input_Data, int Data_Size, void *SHA1_Of_Data)
* 0x4150 - AdjustClock
* 0x5E54 - CopyBlockToSHA1Engine
* 0x372E - yield
* 0x2400 - DecryptRSASignature
* 0x0898 - DoCrypto(int CryptOption, void *Input_Buffer, void *Output_Buffer, __int32 Size, int AESMode, void *Key, void *IV) [CryptOption 0x10 == encrypt, 0x11 == decrypt]
* 0x5010 - aes_encrypt
* 0x4DB8 - do_aes_encrypt
* 0x4D38 - send_key_to_aes
* 0x4D88 - send_iv_to_aes
* 0x4F44 - aes_decrypt
* 0x4E80 - do_aes_decrypt
* 0x2668 - parse_certificate_and_signature(void *pCertsData, int sizeOfCerts, void *pImageRsaSha1, int sizeofRsaSha1, void *pComputedImageSha1, int sha1Size, void *pImageBuffer, int imageFullSize)
* 0x356C - CheckIfDiagnosticDevice
* 0x3D64 - Get_Security_Domain
* 0x3D44 - Get_Production_Mode
* 0x1F00 - Find_Data_For_Tag
* 0x346C - Panic
* 0x0634 - WaitForInterrupt
* 0x4618 - UndefinedInstructionVector
* 0x46F0 - UndefinedInstructionHandler
* 0x4628 - SoftwareInterruptVector
* 0x4700 - SoftwareInterruptHandler
* 0x4640 - PrefetchAbortVector
* 0x46B4 - PrefetchAbortHandler
* 0x4664 - DataAbortVector
* 0x46A2 - DataAbortHandler
* 0x467C - AddressExceptionTrapVector
* 0x4680 - InterruptRequestVector
* 0x4710 - InterruptRequestHandler
* 0x4BEC - HandleInterruptRequest
* 0x4690 - FastInterruptRequestVector
* 0x4722 - FastInterruptRequestHandler
* 0x4C40 - HandleFastInterruptRequest

====variables====
* 0x220240D4 - SHA1 accelerator register table
* 0x22024200 - Block Device List
* 0x220250A0 - Permissions Flags
* 0x220254E0 - Interrupt Table
* 0x2202C000 - Page table

Talk:Secpack 2.0

2009-01-29T15:33:31Z

Blackhorn: Removing all content from page

Talk:Secpack 2.0

2009-01-22T20:36:41Z

Blackhorn: New page: It's maybe out of the topic but I try to hack LG KS360, I am on the good way (Decrypt the "firmware" , extracts some data & files). The KS360 uses Secpack-2 and a Goldradio chip like iphon...

It's maybe out of the topic but I try to hack LG KS360, I am on the good way (Decrypt the "firmware" , extracts some data & files).
The KS360 uses Secpack-2 and a Goldradio chip like iphone. The problem comes when i want rebuild the "firmware" file.
I try to figure out how works the flash, reversing the flashing app.
I'm asking my self, what is the best way to solve this problem.
-Using the "official" flashing application -> keeps the good file format
-Use my own flashing application
Or maybe using the first methode implies using the second
Anybody can help me? Thanks
(Sorry for my english)