[H3x]

FIRST OF ALL: THIS THREAD IS DEDICATED TO PEOPLE WITH SOME GREATER KNOWLEGDE/PATIENCE AND I WOULD LIKE TO KEEP IT RATHER FREE OF QUESTIONS LIKE "why XS++/FAR/SETool2 doesn't work?", "what is the loudest acoustic driver?" AND REQUESTS TO MAKE A SPECIFIC PATCH (sysgfx for W810i etc). THERE ARE BETTER PLACES FOR THAT KIND OF DISCUSSIONS.

I would like to encourage forum big ones to help, sharing their knowledge. There are LOTS of Russian sites containing stuff like that and I would like to make a small step forward placing some elements here at SE-NSE for people who would like to look at patching using a little bigger arsenal than just HEX editor...

-------------------------------------------------------------------------------

Original tutorial was published by Joker XT at JokerXT.3dn.ru, I’m only translating it (adding some hints) for further discussion at SE-NSE. If there are some unclear translating issues here is the source in Russian:
 JokerXT.3dn.ru.htm (247.12K)
Number of downloads: 433 maybe other members have their own translating suggestions to make things more precise.

Credits go to:
BLiZZARD777 for starting THIS THREAD, which enabled finding Joker's sources;
redguy for translating a huge part of this.
I think that thread wasn't clear enough, so I thought it would be a good idea to make things more "friendly" creating this one...

-------------------------------------------------------------------------------

Things marked with:(???????????????????) are fragments that might not been translated correctly though understanding the meaning is possible from the context.

Porting patches using their sources

© Joker XT (2007)
E-mail: Hitman35@rambler.ru
ICQ: 340-884-365
Website: JokerXT.3dn.ru visit, I would be pleased to see you on my site

To start with, we need to download necessary apps like IDA PRO, Smelter, FASMARM and two .idc files to apply patches in IDA.

FASMARM - http://jokerxt.3dn.ru/files/armpc.rar
IDC scripts - http://jokerxt.3dn.ru/files/idc.rar
Smelter - http://avkiev.kiev.u...ter/Smelter.rar (right klick and “Save As…”)*
*(H3ct0R): Smelter needed Richtx32.ocx file to run on my PC. You can download it from the net,
copy it to Windows\system32 folder, then register: Start -> Run -> regsvr32 \windows\system32\Richtx32.ocx -> OK.

We will use "Changing radiostation with side buttons" patch as a example. Porting it from W800 SW-R1BC002 to K750 SW-R1CA021.

;W800 SW-R1BC002
;Переключение радиостанций боковыми кнопками
;"Громкость +" - +1 станция из списка
;"Volume +" - +1 station from the list
;"Громкость -" - -1 станция из списка
;"Volume -" - -1 station from the list
;(c) Joker XT
;(r) IronMaster
+44000000
27785c: 51AB1245 D14A1D45
277864: B1AB1245 D74A1D45
cdd094: A1D0CD44 E54A1D45
11d4ad0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFB5002101E0FFB50121064F386856F7
11d4ae0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 9FFBFFBDFFB55568024E3560024EB047
11d4af0: FFFFFFFFFFFFFFFFFFFFFFFF FFBDFFFF9081034CA1D0CD44

Now we have to convert both .mbn MAINs to .raw format (using GExtract for example).

DISASSEMBLING

Open W800_R1BC002.raw in IDA
In first window choose Processor type: ARM processors: ARM710a
Click on Set button and OK.
In second window: ROM start address: 0x44020000 and Loading address: 0x44020000.*
Change both ROM size and Loading size from 0x011B4550 to 0x12B4550 for example.**
Click OK.
(H3ct0R)
*44020000 is base value. It's different across phone models, so you'll have to use this to choose a compatible one:

jagheterfredrik, on 2007-04-21 14:06, said:

Flash ID 0x200D (ST Microelectronics), included in K750, W800, D750 etc, have base +44020000.
Flash ID 0x2019 (ST Microelectronics), included in W810, Z550 etc, have base +44140000.
Flash ID 0x897E (Intel), included in W810, Z550, DB2020 etc, have base +44140000.
Flash ID 0x890D (Intel), included in DB2010, have base +440A0000.
Flash ID 0x890D (Intel), included in DB2000, have base +200A0000.

In our example everything is fine as our phones are K750 and W800.

**It's done to increase the disassembling range. Thanks to this we can see the regions of firmware containing free space, where patch bodies are placed. These values are different in different firmwares and 0x011B4550 is the value appropriate for W800 R1BC002 firmware only. For W810i R4EA031 for example the size should be changed like this: 0x01574985 -> 0x01674985.

When 'Generating list of strings' window appears, close it.

Go to Options -> General and set 'Number of opcode bytes' field to «4»
Go to Options -> general -> analysis -> processor specific analysis options -> disable pointer referencing and check this option. Then click on: Options -> general -> analysis -> reanalyze program.
The next step: Options -> Setup data types… and uncheck 1 byte and 2 word then OK.

Open K750_R1CA021.raw in IDA, and do the same actions mentioned above...

Go to IDA where W800_R1BC002.raw is open.
Go to File -> IDC file… and choose ApplyPatch.idc (from the downloaded pack).
In the opened window choose our patch "Changing radiostation with side buttons.vkp" and on 'Patch Now' question answer 'Yes'.
That's all, the firmware is patched...


Now, look at the patch. There is a first entrypoint at: 27785c: 51AB1245 D14A1D45. We have to go to that address: 27785c + 44000000 = 4427785c*
(H3ct0R)
*Addition can be performed simply in the Windows calculator - fire it up, then choose View -> Scientific and mark 'Hex' field.
*44000000 is base taken from the patch code with + sign in front of it).

Press "G" and enter the address (4427785c), then press "O", and it MUST look like this:

Quote

4427785C D1 4A 1D 45 DCD unk_451D4AD1

Double click on unk_451D4AD1 - we jumped into the patch body... The code looks ugly as it's not Thumb (16 bit) but ARM (32 bit) view format. Move up to 451D4AD0 and press "Alt + G", choose T and Value 1, to set it to Thumb.
Then press "C".

Take the second and third entrypoint and perform the same operations...


Go to the address of the beginning of the patch: 11d4ad0 + 44000000 = 451d4ad0.
Look there, finding this:

ROM:451D4AD0; ---------------------------------------------------------------------------
ROM:451D4AD0							 CODE16
ROM:451D4AD0
ROM:451D4AD0			 loc_451D4AD0			; DATA XREF: ROM:4427785Co
ROM:451D4AD0 FF B5					   PUSH	{R0-R7,LR}
ROM:451D4AD2 00 21					   MOV	 R1, #0
ROM:451D4AD4 01 E0					   B	   loc_451D4ADA
ROM:451D4AD6; ---------------------------------------------------------------------------
ROM:451D4AD6
ROM:451D4AD6			 loc_451D4AD6			; DATA XREF: ROM:44277864o
ROM:451D4AD6 FF B5					   PUSH	{R0-R7,LR}
ROM:451D4AD8 01 21					   MOV	 R1, #1
ROM:451D4ADA
ROM:451D4ADA			 loc_451D4ADA			; CODE XREF: ROM:451D4AD4j
ROM:451D4ADA 06 4F					   LDR	 R7, dword_451D4AF4
ROM:451D4ADC 38 68					   LDR	 R0, [R7]
ROM:451D4ADE 56 F7 9F FB				 BL	  sub_4512B220
ROM:451D4AE2 FF BD					   POP	 {R0-R7,PC}
ROM:451D4AE4; ---------------------------------------------------------------------------
ROM:451D4AE4
ROM:451D4AE4			 loc_451D4AE4			; DATA XREF: ROM:44CDD094o
ROM:451D4AE4 FF B5					   PUSH	{R0-R7,LR}
ROM:451D4AE6 55 68					   LDR	 R5, [R2,#4]
ROM:451D4AE8 02 4E					   LDR	 R6, dword_451D4AF4
ROM:451D4AEA 35 60					   STR	 R5, [R6]
ROM:451D4AEC 02 4E					   LDR	 R6, off_451D4AF8
ROM:451D4AEE B0 47					   BLX	 R6
ROM:451D4AF0 FF BD					   POP	 {R0-R7,PC}
ROM:451D4AF0; ---------------------------------------------------------------------------
ROM:451D4AF2 FF						  DCB 0xFF
ROM:451D4AF3 FF						  DCB 0xFF
ROM:451D4AF4 90 81 03 4C dword_451D4AF4  DCD 0x4C038190; DATA XREF: ROM:loc_451D4ADAr
ROM:451D4AF4							; ROM:451D4AE8r
ROM:451D4AF8 A1 D0 CD 44 off_451D4AF8	DCD loc_44CDD0A0+1; DATA XREF: ROM:451D4AECr

Beautiful!

Now we have to make the source *.asm file:
Again go to 451D4AD0. Once moved, choose Edit -> Begin selection, and mark our entire code. Then go to File -> Produce file -> Create ASM file, and give a name to our *.asm file - "rad" for example. Open it, seeing:

;
;
; ЙННННННННННННННННННННННННННННННННННННННН
�ННННННННННННННННННННННННННННННННН»
; є	This file is generated by The Interactive Disassembler (IDA)	 є
; є	Copyright (c) 2004 by DataRescue sa/nv, <ida@datarescue.com>		   є
; є		  Licensed to: Lennart Reus, 1 user, std, 07/2003				 є
; ИННННННННННННННННННННННННННННННННННННННН
�НННННННННННННННННННННННННННННННННј
;
; ДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДД
�ДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДД
			 CODE16
 
loc_451D4AD0; DATA XREF: ROM:4427785Co
			 PUSH   {R0-R7,LR}
			 MOV	R1, #0
			 B	  loc_451D4ADA
; ДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДД
�ДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДД
 
loc_451D4AD6; DATA XREF: ROM:44277864o
			 PUSH   {R0-R7,LR}
			 MOV	R1, #1
 
loc_451D4ADA; CODE XREF: ROM:451D4AD4j
			 LDR	R7, dword_451D4AF4
			 LDR	R0, [R7]
			 BL	 sub_4512B220
			 POP	{R0-R7,PC}
; ДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДД
�ДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДД
 
loc_451D4AE4; DATA XREF: ROM:44CDD094o
			 PUSH   {R0-R7,LR}
			 LDR	R5, [R2,#4]
			 LDR	R6, dword_451D4AF4
			 STR	R5, [R6]
			 LDR	R6, off_451D4AF8
			 BLX	R6
			 POP	{R0-R7,PC}
; ДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДД
�ДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДДД
			 DCB 0xFF
			 DCB 0xFF
dword_451D4AF4	  DCD 0x4C038190; DATA XREF: ROM:loc_451D4ADAr
			; ROM:451D4AE8r
off_451D4AF8 DCD loc_44CDD0A0+1; DATA XREF: ROM:451D4AECr
			 DCB 0xFF

Remove all unnecessary stuff - it should look like this now:

loc_451D4AD0
			 PUSH   {R0-R7,LR}
			 MOV	R1, #0
			 B	  loc_451D4ADA
 
loc_451D4AD6
			 PUSH   {R0-R7,LR}
			 MOV	R1, #1
 
loc_451D4ADA
			 LDR	R7, dword_451D4AF4
			 LDR	R0, [R7]
			 BL	 sub_4512B220
			 POP	{R0-R7,PC}
 
loc_451D4AE4
			 PUSH   {R0-R7,LR}
			 LDR	R5, [R2,#4]
			 LDR	R6, dword_451D4AF4
			 STR	R5, [R6]
			 LDR	R6, off_451D4AF8
			 BLX	R6
			 POP	{R0-R7,PC}
			 DCB 0xFF
			 DCB 0xFF
dword_451D4AF4	  DCD 0x4C038190
off_451D4AF8 DCD loc_44CDD0A0+1

1. Add ":" signs to items that start the blocks (loc_451D4AE4 -> loc_451D4AE4:);
2. Remove all "#";
3. The data at the end of the patch must be at the address multiple of 4. So add align 4 after the code to the data;
4. Command ADR must be changed to adr (not applicable to use this patch);
5. In file all addresses, which are beyond the patch (???????????????????), loc_address, sub_ address etc. must be changed to 0x address.
6. Add: include "x.inc" at the beginning;
7. Add 'org' - that means, you must add a piece of code to the respect address later. (???????????????????)

After these changes, our file MUST look like that:

include "x.inc"
 
org 0x451D4AD0
loc_451D4AD0:
			 PUSH   {R0-R7,LR}
			 MOV	R1, 0
			 B	  loc_451D4ADA
 
loc_451D4AD6:
			 PUSH   {R0-R7,LR}
			 MOV	R1, 1
 
loc_451D4ADA:
			 LDR	R7, dword_451D4AF4
			 LDR	R0, [R7]
			 BL	 0x4512B220
			 POP	{R0-R7,PC}
 
loc_451D4AE4:
			 PUSH   {R0-R7,LR}
			 LDR	R5, [R2,4]
			 LDR	R6, dword_451D4AF4
			 STR	R5, [R6]
			 LDR	R6, off_451D4AF8
			 BLX	R6
			 POP	{R0-R7,PC}
align 4
dword_451D4AF4	  DCD 0x4C038190
off_451D4AF8 DCD 0x44CDD0A0+1

The file is almost done. Now all of 0x... addresses must be copied to the beginning:

include "x.inc"
address1	 equ 0x4512B220
address2	 equ 0x44CDD0A0
address3	 equ 0x451D4AD0
ram		  equ 0x4C038190
 
org address3
loc_451D4AD0:
			 PUSH   {R0-R7,LR}
			 MOV	R1, 0
			 B	  loc_451D4ADA
 
loc_451D4AD6:
			 PUSH   {R0-R7,LR}
			 MOV	R1, 1
 
loc_451D4ADA:
			 LDR	R7, dword_451D4AF4
			 LDR	R0, [R7]
			 BL	 address1
			 POP	{R0-R7,PC}
 
loc_451D4AE4:
			 PUSH   {R0-R7,LR}
			 LDR	R5, [R2,4]
			 LDR	R6, dword_451D4AF4
			 STR	R5, [R6]
			 LDR	R6, off_451D4AF8
			 BLX	R6
			 POP	{R0-R7,PC}
align 4
dword_451D4AF4	  DCD ram
off_451D4AF8 DCD address2+1

Now add pieces:

First: 4427785C D1 4A 1D 45				 DCD loc_451D4AD0+1
Second: 44277864 D7 4A 1D 45				 DCD loc_451D4AD6+1
Third: 44CDD094 E5 4A 1D 45				 DCD loc_451D4AE4+1

First:

org 0x4427785C
DCD loc_451D4AD0+1

Second:

org 0x44277864
DCD loc_451D4AD6+1

Third:

org 0x44CDD094
DCD loc_451D4AE4+1

Add to the source and change addresses according to this scheme:

include "x.inc"
address1	 equ 0x4512B220
address2	 equ 0x44CDD0A0
patch		equ 0x451D4AD0
ram		  equ 0x4C038190
hook1			 equ 0x4427785C
hook2			 equ 0x44277864
hook3			 equ 0x44CDD094
 
org hook1
DCD loc_451D4AD0+1
 
org hook2
DCD loc_451D4AD6+1
 
org hook3
DCD loc_451D4AE4+1
 
org patch
loc_451D4AD0:
			 PUSH   {R0-R7,LR}
			 MOV	R1, 0
			 B	  loc_451D4ADA
 
loc_451D4AD6:
			 PUSH   {R0-R7,LR}
			 MOV	R1, 1
 
loc_451D4ADA:
			 LDR	R7, dword_451D4AF4
			 LDR	R0, [R7]
			  BL	 address1
			 POP	{R0-R7,PC}
 
loc_451D4AE4:
			 PUSH   {R0-R7,LR}
			 LDR	R5, [R2,4]
			 LDR	R6, dword_451D4AF4
			 STR	R5, [R6]
			 LDR	R6, off_451D4AF8
			 BLX	R6
			 POP	{R0-R7,PC}
align 4
dword_451D4AF4	  DCD ram
off_451D4AF8 DCD address2+1

Now we need to find addresses for K750 SW-R1CA021.
Open Smelter, go to Fullflash -> Open and choose our file K750_R1CA021.raw (since Smelter doesn't see '.raw' files, choose 'all files' below).
After opening, go to Fullflash -> Load base and set it to 44020000.


Porting address1:

address1	 equ 0x4512B220

Go to 0x4512B220 and move a little bit lower (because making pattern from middle of the function is better IMHO) in the W800 flashfile and create a pattern:

ROM:4512B24C			 loc_4512B24C			; CODE XREF: sub_4512B220+20j
ROM:4512B24C 2A 7C					   LDRB	R2, [R5,#0x10]
ROM:4512B24E 10 1C					   ADD	 R0, R2, #0
ROM:4512B250 12 30					   ADD	 R0, #0x12
ROM:4512B252 14 21					   MOV	 R1, #0x14
ROM:4512B254 3B F0 5E FC				 BL	  sub_45166B14
ROM:4512B258 03 1C					   ADD	 R3, R0, #0
ROM:4512B25A 00 2A					   CMP	 R2, #0
ROM:4512B25C 0F D1					   BNE	 loc_4512B27E
ROM:4512B25E 13 23					   MOV	 R3, #0x13
ROM:4512B260 0D E0					   B	   loc_4512B27E

2A7C101C12301421????????031C002A0FD1 – this is a pattern in our case.

Press a big "B" button in the Smelter's panel, copy the pattern here and press OK.
We found an address, click the line with address and F3 to copy it.
Go to the same address in K750_R1CA021.
Press "Alt+B", in String fill b5 then Search Up...
Ready? Got an address. Go to this address-1 and press "C".
Compare functions, they are equal aren't they? Yes!

address1	 equ 0x4511C92C;0x4512B220 – [hw]W800[/hw]

Find the second address the same way:

address2	 equ 0x44CD2F54;0x44CDD0A0 – [hw]W800[/hw]

The address of the patch and ram must not be changed:

patch		equ 0x451D4AD0
ram		  equ 0x4C038190

(H3ct0R: they have to be changed when readdressing and porting patches across different platforms like W800/W810).


Now port the "hook's":

hook1			 equ 0x4427785C

First: undo the patch in IDA.
Go to File > IDC file… and choose UndoPatch.idc.
In the opened window take our patch "Changing radiostation with side buttons.vkp" and answer 'Yes' to the question.

Go to the address of the first "hook" 0x4427785C, press "D" at the same address:

ROM:44277850 8D 13 00 00				 DCD 0x138D
ROM:44277854 91 D7 12 45				 DCD 0x4512D791
ROM:44277858 BE 07 00 00				 DCD 0x7BE
ROM:4427785C 51 AB 12 45				 DCD 0x4512AB51
ROM:44277860 BF 07 00 00				 DCD 0x7BF
ROM:44277864 B1 AB 12 45				 DCD 0x4512ABB1
ROM:44277868 06 00 00 00				 DCD 6
ROM:4427786C 7D AD 12 45				 DCD 0x4512AD7D
ROM:44277870 00 00 00 00				 DCD 0
ROM:44277874 00 00 00 00				 DCD 0
ROM:44277878 46 05 41 44				 DCD 0x44410546
ROM:4427787C 00 00 00 00				 DCD 0
ROM:44277880 30 78 27 44				 DCD 0x44277830
ROM:44277884 05 00 00 00				 DCD 5

Making pattern:
8D130000????????BE070000????????BF070000????????06000000????????0000000000000000????????00000000

Found:

hook1			 equ 0x44278324;0x4427785C – [hw]W800[/hw]

Find other "hooks":

hook2			 equ 0x4427832C;0x44277864 – [hw]W800[/hw]
hook3			 equ 0x44CD2F48;0x44CDD094 – [hw]W800[/hw]

Get it all together:

include "x.inc"
address1	 equ 0x4511C92C;0x4512B220 – [hw]W800[/hw]
address2	 equ 0x44CD2F54;0x44CDD0A0 – [hw]W800[/hw]
patch		equ 0x451D4AD0
ram		  equ 0x4C038190
hook1			 equ 0x44278324;0x4427785C – [hw]W800[/hw]
hook2			 equ 0x4427832C;0x44277864 – [hw]W800[/hw]
hook3			 equ 0x44CD2F48;0x44CDD094 – [hw]W800[/hw]
 
org hook1
DCD loc_451D4AD0+1
 
org hook2
DCD loc_451D4AD6+1
 
org hook3
DCD loc_451D4AE4+1
 
org patch
loc_451D4AD0:
			 PUSH   {R0-R7,LR}
			 MOV	R1, 0
			 B	  loc_451D4ADA
 
loc_451D4AD6:
			 PUSH   {R0-R7,LR}
			 MOV	R1, 1
 
loc_451D4ADA:
			 LDR	R7, dword_451D4AF4
			 LDR	R0, [R7]
			 BL	 address1
			 POP	{R0-R7,PC}
 
loc_451D4AE4:
			 PUSH   {R0-R7,LR}
			 LDR	R5, [R2,4]
			 LDR	R6, dword_451D4AF4
			 STR	R5, [R6]
			 LDR	R6, off_451D4AF8
			 BLX	R6
			 POP	{R0-R7,PC}
align 4
dword_451D4AF4	  DCD ram
off_451D4AF8 DCD address2+1

That's all the file is ready . It has to be assembled with FASMARM now.

REASSEMBLING

Start Command prompt: Start -> Run -> cmd -> OK.

(On my PC the program is in D:\armpc2)

D: and Enter
Then, cd D:\armpc2 and Enter
To assemble our file write: make rad.asm K750 R1CA021.raw 44020000

Where:
rad.asm – the name of our file;
K750 R1CA021.raw – the name of our firmware (the one that we are porting our patch to);
44020000 – base appropriate to our phone (the one that we are porting our patch to);

Press Enter and see:
Can not find D:\armpc2\rad.asm.vkp
flat assembler for ARM version 1.66
2 passes, 104 bytes.

Or something similar...
Go to the folder D:\armpc2\ and take our patch rad.asm.vkp

That's all!!!
Wrote all this in a simple manner, hope you understood it.

© Joker XT (2007)

-------------------------------------THE END-------------------------------------

I have some questions about this tutorial myself, as I would like to use it to port patches to W810. I'll be posting them soon, now I need some rest as composing this long post was a real effort for me due to those DDoS attacks on SE-NSE servers.

I know this is very valuable stuff though, as I have some patching experience from the SL45i C166 platform. Hope that others find it useful too.

As soon as I get some of the things straight I'll write another tutorial completely myself about finding entrypoints across different platforms without the use of Smelter. A method to create an advanced "move system folders" patch will also be explained here soon.

This post has been edited by H3ct0R: 14 August 2007 - 05:22 PM

[amith007]

big effort bro...n a superb contribution to se-nse...as always.....hats off... n

waiting for the 810 version.............................

[qwerty12]

You are BRILLIANT!

Thanks a lot for this

[TVH]

This is GREAT. Is w810i tutorial coming soon?

[BLiZZARD777]

this is my thing,isn't it hector
no thanks to me

[hydraulik]

Thank you, BLiZZARD777

and of course, thank you, hector!

[H3x]

BLiZZARD777, on 2007-08-07 17:26, said:

this is my thing,isn't it hector
no thanks to me

Sorry for that one. You're right, I wouldn't have found anything without your posts. Credits added to my first post .

TVH, on 2007-08-07 17:24, said:

This is GREAT. Is w810i tutorial coming soon?

This might sound confusing, but this IS for W810i also . The idea is to to understand disassembling and finding offsets, entrypoints, functions to port patches across different platforms. K750/W800 is just an example to get familiar with some apps and tricks. I've ported some simpler W800i patches to W810i already and I can assure this thread can be REALLY useful in porting more complex ones.

MY FIRST QUESTION

@den_po, jagheterfredrik or anyone else capable of answering this...

Analyzing the structure Joker's patch:

;W800 SW-R1BC002
;Переключение радиостанций боковыми кнопками
;"Громкость +" - +1 станция из списка
;"Volume +" - +1 station from the list
;"Громкость -" - -1 станция из списка
;"Volume -" - -1 station from the list
;(c) Joker XT
;(r) IronMaster
+44000000
27785c: 51AB1245 D14A1D45
277864: B1AB1245 D74A1D45
cdd094: A1D0CD44 E54A1D45
11d4ad0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF FFB5002101E0FFB50121064F386856F7
11d4ae0: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 9FFBFFBDFFB55568024E3560024EB047
11d4af0: FFFFFFFFFFFFFFFFFFFFFFFF FFBDFFFF9081034CA1D0CD44

we can clearly see that there's a new block of data added at offset 11d4ad0 with these 3 entrypoints (byte-swapped address hooks) pointing to it:

27785c: 51AB1245 D14A1D45
277864: B1AB1245 D74A1D45
cdd094: A1D0CD44 E54A1D45

Unfortunately when I prepare RAW with GExtract the file is shorter than 11d4ad0 as the last offset is 11b4540 and I can't go into patch body like mentioned in Joker's tutorial here:

Quote

Press "G" and enter the address (4427785c), then press "O", and it MUST look like this:
QUOTE
4427785C D1 4A 1D 45 DCD unk_451D4AD1


Double click on unk_451D4AD1 - we jumped into the patch body... The code looks ugly as it's not Thumb (16 bit) but ARM (32 bit) view format. Move up to 451D4AD0 and press "Alt + G", choose T and Value 1, to set it to Thumb.

I think that IDA doesn't "see" 451D4AD1 address (11d4ad0 + base + 1) and I would like to know why... What am I missing here? I don't get "unk_" prefix, which should be there.

This post has been edited by H3ct0R: 08 August 2007 - 07:53 AM

[depeha]

Hey guys.. I try do this with sysgfx w800->w550 , but it didn't found 121015D + 44000000 = 4521015D and another all adresses except those: adc3b0,adc298,adc320,adc610,29cea0,d432b4. Can someone tell me where I did mistake? Or can be this patch modifying?

[qwerty12]

www.sony-ericsson.ru have the most amount on patching but it is all in Russian

Mobilefree.ru comes second from my travels on the internet.

[H3x]

qwerty12, on 2007-08-08 09:32, said:

www.sony-ericsson.ru have the most amount on patching but it is all in Russian

Mobilefree.ru comes second from my travels on the internet.

You're right, that's why it would be nice to build English alternatives at SE-NSE.

[NovaJet]

This is complicated. Think I'll just stick to downloading them patchies... keep up the good work guys!

[qwerty12]

H3ct0R, on 2007-08-08 08:51, said:

You're right, that's why it would be nice to build English alternatives at SE-NSE.

We need someone as translator . The thing is; if we all know in English how to patch properly ; more patches can come out and more can be ported. It makes things easier for the Russians

Personally ; I would love to see the screenshot patch Darkmen made for K750 (through davinci) on W810 for free (because im a cheap )

Den_po also talks a bit about porting his date_time_in_files made by camera patch and gives the inc file of the patch.

This post has been edited by qwerty12: 08 August 2007 - 08:10 AM

[eyeyousee]

Thanks H3ct0R and Blizzard777, redguy! Great help from you guys! and JokerXT!

This post has been edited by eyeyousee: 08 August 2007 - 08:12 AM

[H3x]

I've found an answer to my first question myself .
ROM size and Loading size values MUST be increased when loading file in IDA.
Place 12 instead of 11 for example.

Updates coming soon.

Damn, they are still attacking SE-NSE...

[BLiZZARD777]

but i just cannot see how can joker xt see what string is popup window in ida,because i would like to make patch that removes popup message delivered and that is a bit complicated to me even i know to how to make patches...


they are attacking it last 5 days
sorry for offtopic

This post has been edited by BLiZZARD777: 08 August 2007 - 12:52 PM

[H3x]

BLiZZARD777, on 2007-08-08 14:48, said:

but i just cannot see how can joker xt see what string is popup window in ida,because i would like to make patch that removes popup message delivered and that is a bit complicated to me even i know to how to make patches...

Creating patches like that is possible when:
1. You are fluent in assembler;
2. You know ARM7 processor structure;
3. You know the method to find functions in firmware, what in fact Joker XT can do, but I think it is very complicated (look point 1.). IMHO it can be done when you know a way to dump RAM, disassemble it and check what it contains (something like this was used for Siemens phones at least). And this is advanced programming unfortunately.

So making patches like changing battery colour, folder-moving, icon changing etc is only hmmm... 5% of the real potential .



But some parts of finding functions method could be useful so any hints are appreciated, as I could use some new stuff myself. I've been working on W810i port of this patch:

;W800 SW-R1BC002
;Keylock password
;(c) IronMaster, Joker XT
+44000000
e9c0c0: EDBBE944 01531D45
11d5300: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 00B5054FB847FFB404210222034B014F
11d5310: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF B847FFBDD550DE44EDBBE94456130000

and here is it's disassembled source:

include "x.inc"
address1	 equ 0x44DE50D4
address2	 equ 0x44E9BBEC
patch		equ 0x451D5300
vrezka1			 equ 44E9C0C0

org vrezka1
DCD loc_451D5300+1

org patch
loc_451D5300:	
		PUSH	{LR}
		LDR	R7, off_451D5318
		BLX	R7
		PUSH	{R0-R7}
		MOV	R1, 4
		MOV	R2, 2
		LDR	R3, dword_451D531C
		LDR	R7, off_451D5314
		BLX	R7
		POP	{R0-R7,PC}
align 4
off_451D5314	DCD address1+1
off_451D5318	DCD address2+1
dword_451D531C	DCD 0x1356

I spent a lot of time creating many different patterns to localize these two

address1	 equ 0x44DE50D4
address2	 equ 0x44E9BBEC

in R4EA031, but this firmware is A LOT more different from W800 R1BC002 than I suspected (I know how to change all other addresses including those from the body of the patch though).

Any English speaker that can help here would be welcome . den_po?

This post has been edited by H3ct0R: 10 August 2007 - 12:53 AM

[Karun]

i have a tutorial here by joker XT bout adapting patches to master patch.....but am havin trouble understanding......


Adaptation of patcha hearth master -patc (MP) by joker XT
Regards to beginning patcheram! ))
many questions assign to me about how to adapt patch under MP, and here I decided to write the article, which will help you in this matter...

GetBuffer = 0x451FD000
Magic = 0xB1C2D3E4;eto required magic number))
PatchID = 0xXXXX;eto ID

The most important construction, which must be put in the beginning of iskhodnika of patcha,
although it is not compulsory into the beginning of patcha, it is must there, where the code of patcha is caused first:

ldr r0, config+4;v r0 we load ID patcha
bl GetBuffer;vyzyvayem func. GetBuffer = 0x451FD000 in order to obtain the buffer of tuning
beq ex;vykhod, if patch is switched off or it does not work in any profile or buffer = 0

ex:
pop {...,.pch};eto usually the end of patcha

After func. GetBuffer in r6 leaves the buffer...

Further it is necessary at the end of iskhodnika to write Konfig- section, for example:

align 4
config DCD Magic, PatchID, onstartup, 0
db "{p=`.My patch` id=.XXXX cp=.me ver=1.0}"
db "line 1"
db "line 2"
...
db "line N", 0

line 1, line 2, line N - these are tags from file format.txt,
which goes together with master -midletom... onstartup - this is the address of procedure,
which will be caused with the start of telephone, but if nothing it is necessary to cause, then we place 0...
Dopustm we khotm to load from the buffer brightness for the lantern, make as follows:

ldrb r0, [ r6, 1 ]
bl Flash_.light

But in the Konfig- section must be written:
Config DCD Magic, PatchID, onstartup, 0
db "{p=`.My patch` id=.XXXX cp=.me ver=1.0}"
db "{1 b of `Yarkost'` r=0..100 v=50}", 0

You will focus attention on the fact that displacement I placed 1, but not 0. 0 cannot be placed,
tk in the zero bias is written key for the profiles, for the checking does work patch in this profile...
`Yarkost'` - this is the text, which will be mapped into you midlete, it it is possible to write and in Russian, but better in English,
tk our zabugornye friends also use such patchami))

Let us examine any tag:
{0x44 address `.Address` value=.443D2FDE}

0x44 - this is mixing in pcf- file (possible simply 68 V dec, displacement then it will be 0x44, and possible also 0x44)
{68 address `.Address` value=.443D2FDE} (68 = 0x44)

In the tags the reductions act, you look format.txt.

{68 a of `.Address` v=.443D2FDE}

Patch is adapted, it remained to make from it *..vkp...
If that he forgot, then I will write... Everything...))

The End…

can anyone help?

[geogriffin]

I am interested in firmware hacking. A question I have - what is the entry point of the firmware? As in, what is the boot method and order? Execution must start in a PROM somewhere, since it can do that whole "'c' button to flash" thing without a valid MAIN firmware... But at what address does execution start in the firmware?

I don't normally use IDA because the useful versions aren't free, but I am interested in whether it is possible to disassemble the entire firmware. This is why I want the entry point, because as far as I can tell, you need to know an offset in which some function start in order to generate meaningful code (or else you might get some garbage assembly?).

Also, how is it ever possible to find functions in the assembly if the firmware's api functions are not documented? I have previous experience creating an aimbot for a windows game, in which finding calls to different windows api functions (along with active debugging) helped me find the function I needed to create the hack. So how is it possible to sift through the disassembly if nothing at all is known about the firmware in the first place? Surely, there is no way to actively debug the phone?

Great translation, by the way. I could only understand like 3/4 of that russian tutorial through google translator

[bimasakti85]

For se-nsers who need those tools, go to : sense.4shared.com. The pass is "se-nse". Enjoy...

[BLiZZARD777]

try it must work hector:

Quote

;W810 SW-R4DB005
;Keylock password
+44140000
115fa74: B9F52945 01506F45
15b5000: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF 00B5054FB847FFB404210222034B014F
15b5010: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF B847FFBD01EE1F45B9F529455B150000

This post has been edited by BLiZZARD777: 15 August 2007 - 04:47 PM