Blob Reversing
The USB Armory is intended to be a fully open platform. In order for this to be true, everything must be available for audit: apps, kernel, bootloader, and firmware.
There is a boot ROM dumper which will allow us to inspect the ROM inside the i.MX53. Eventually the firmware of the SD cards should also be analyzed.
```
# imx53_bootrom-dump 0 16 > bootrom-0-16k.bin
# imx53_bootrom-dump 0x404000 48 > bootrom-1-48k.bin
# cat bootrom-0-16k.bin > image.bin
# truncate --size 4m image.bin
# cat bootrom-1-48k.bin >> image.bin
```
Consult §7.4.1 of IMX53RM (i.MX53 Multimedia Applications Processor Reference Manual); figure 7-2 illustrates the memory mapping.
Additionally, §7.10 describes some functions of the HAB library:
> The RVT table contains the pointers to the HAB API functions and is located at 0x00000094
>
> The HAB ... includes a software implementation of SHA-256 for cases where a hardware accelerator cannot be used. The core RSA signature verification operations are performed by a software implementation contained in the HAB library. The main features supported by HAB are X.509 Public key certificate ... [and] CMS signature format support
Also of interest is §7.4.5 which says:
> The exception vectors located at the start of iROM are used to map all the ARM exceptions (except the reset exception) to a duplicate exception vector table in internal RAM. During the boot phase, the iRAM vectors point to the serial downloader in iROM.
Things to consider:
- An X.509 certificate parser will be found
- An RSA signature verification routine will be found
- i.MX53 has a USB downloader: find instructions relating to USB
- SAHARAv4 may be used: find instructions that call it
- When secure boot is active, the processor will probably reset if signature checks fail. Look for resets...
- As you reverse things, name your subroutines descriptively until you understand their true names
- SHA256 initial registers are at 0x40b094
- SHA256 round constants are at 0x40b0b4
- 0x40a2bc is a function that seems to explain math errors
- http://www.rockbox.org/wiki/ObjdumpGuide
- http://chdk.wikia.com/wiki/GPL_Disassembling
- http://bunniefoo.com/bunnie/sdcard-30c3-pub.pdf
- https://youtu.be/r3GDPwIuRKI
- https://www.blackhat.com/presentations/bh-europe-04/bh-eu-04-dehaas/bh-eu-04-dehaas.pdf
- http://beginners.re/Reverse_Engineering_for_Beginners-en.pdf
- http://www.mathyvanhoef.com/2013/12/reversing-and-exploiting-arm-binaries.html
- http://hexblog.com/files/recon%202010%20Skochinsky.pdf
- http://doar-e.github.io/blog/2014/04/30/corrupting-arm-evt/
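An added helper, not part of this wiki or the USB Armory project, that runs two of the checks from the notes above against image.bin before opening a disassembler: it searches for the SHA-256 constant tables in either byte order and reads the RVT header and function pointers at 0x94. The HAB4 header layout (tag 0xDD, big-endian length, version) and the ten-pointer RVT are assumptions taken from u-boot's hab.h, and the sample image is constructed, with the tables placed at the offsets the notes give.

```python
import struct

# SHA-256 initial hash values (FIPS 180-4, 5.3.3): a compiled-in SHA-256
# carries these eight words verbatim, so they are a reliable landmark.
SHA256_IV = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
             0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]
# First 8 of the 64 SHA-256 round constants; a prefix is enough to find K.
SHA256_K_PREFIX = [0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
                   0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5]

RVT_OFFSET = 0x94       # RVT location quoted from IMX53RM section 7.10
RVT_TAG = 0xDD          # HAB4 RVT header tag (assumption, from u-boot's hab.h)
RVT_NUM_POINTERS = 10   # entry .. failsafe in HAB4's hab_rvt (assumption)


def find_word_table(image: bytes, words: list) -> list:
    """Offsets (and byte order) at which `words` occur as consecutive
    32-bit values; constants are found before any disassembly is done."""
    hits = []
    for order, fmt in (("little", "<"), ("big", ">")):
        needle = struct.pack(f"{fmt}{len(words)}I", *words)
        pos = image.find(needle)
        while pos != -1:
            hits.append((pos, order))
            pos = image.find(needle, pos + 1)
    return hits


def read_rvt(image: bytes, offset: int = RVT_OFFSET):
    """HAB header is tag, big-endian 16-bit length, version; the function
    pointers after it are little endian. Returns None on a tag mismatch."""
    tag, length, _version = struct.unpack_from(">BHB", image, offset)
    if tag != RVT_TAG:
        return None
    count = (length - 4) // 4
    return list(struct.unpack_from(f"<{count}I", image, offset + 4))


def build_sample_image() -> bytes:
    """Constructed stand-in for image.bin (not a real ROM dump): zero filled,
    RVT at 0x94 and the SHA-256 tables at the offsets noted on this page."""
    img = bytearray(0x40c000)
    ptrs = [0x1000 + 0x40 * i for i in range(RVT_NUM_POINTERS)]   # fake targets
    rvt = struct.pack(">BHB", RVT_TAG, 4 + 4 * len(ptrs), 0x40)
    rvt += struct.pack(f"<{len(ptrs)}I", *ptrs)
    img[RVT_OFFSET:RVT_OFFSET + len(rvt)] = rvt
    img[0x40b094:0x40b094 + 32] = struct.pack("<8I", *SHA256_IV)      # IV
    img[0x40b0b4:0x40b0b4 + 32] = struct.pack("<8I", *SHA256_K_PREFIX)  # K
    return bytes(img)
```

On a real dump, call find_word_table(open("image.bin", "rb").read(), SHA256_IV); the values reported are file offsets in image.bin, so they line up with ROM addresses only where the padding step above preserves the mapping.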