As I mentioned on Twitter earlier (@OwariDa, @ClevCode), using the excellent Hex-Rays ARM decompiler turned out to be quite handy for verifying the payload I’m developing and injecting into the XMM6260-based baseband in my Samsung S3 (GT-i9300). Rebooting my phone due to baseband crashes can be a bit time consuming. :D
The specific research I’m doing at the moment will be kept private, but for those who find the subject interesting I can give you the following simple example. It decompiles, as expected, to v12345678(“Hello World\n”). v12345678 = function @ address 0x12345678. 0xbadc0ded and 0xdeadbeef are used as markers, to make it possible to easily extract the payload from the object file.
.text
.syntax unified
.code 16

.byte 0xba, 0xdc, 0x0d, 0xed /* marker */

payload:
    push {lr}
    adr r0, hello
    ldr r1, print
    blx r1
    pop {pc}

    .align 4
print:
    .word 0x12345678 /* append |1 if thumb */
hello:
    .asciz "Hello World\n"

.byte 0xde, 0xad, 0xbe, 0xef /* marker */
How to extract the payload and send it to your custom injector tool:
je@isis:~$ arm-elf-gcc -c -o code.o code.s && xxd -p code.o \
    | perl -pne 's/\n//g' | perl -pne 's/.*badc0ded(.*)deadbeef.*/$1\n/g'
00b503a00149884700bd00007856341248656c6c6f20576f726c640a00
je@isis:~$ echo 00b503a00149884700bd00007856341248656c6c6f20576f726c640a00 \
    | xxd -p -r | evil-injector-pwn # ;)
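As an added example (not code from the post), the same extraction step in Python, working on the object file's bytes instead of its hex dump so a marker can only match on a byte boundary, plus a check of the `print` literal slot the injector has to fill in. The object bytes are a constructed stand-in for code.o built from the hex shown above, not a real ELF file.

```python
import struct

START_MARKER = bytes.fromhex("badc0ded")  # marker words from the post
END_MARKER = bytes.fromhex("deadbeef")
PLACEHOLDER = 0x12345678                   # dummy address in the `print` literal

# Constructed stand-in for the bytes of code.o (not a real ELF): some filler,
# then the payload exactly as the xxd output above shows it, between the markers.
PAYLOAD_HEX = "00b503a00149884700bd00007856341248656c6c6f20576f726c640a00"
OBJ_BYTES = (
    b"\x7fELF" + b"\x00" * 12
    + START_MARKER + bytes.fromhex(PAYLOAD_HEX) + END_MARKER
    + b"\x00" * 8
)


def extract_payload(obj: bytes) -> bytes:
    """Return the bytes between the two markers, insisting each occurs exactly once.

    Searching the raw bytes (rather than the hex dump) means a marker cannot match
    across a nibble boundary, and a duplicated marker is an error instead of a
    silent guess about which occurrence was meant.
    """
    if obj.count(START_MARKER) != 1 or obj.count(END_MARKER) != 1:
        raise ValueError("each marker must appear exactly once")
    start = obj.index(START_MARKER) + len(START_MARKER)
    end = obj.index(END_MARKER)
    if end < start:
        raise ValueError("end marker precedes start marker")
    return obj[start:end]


def literal_pool_offsets(payload: bytes, word: int = PLACEHOLDER) -> list[int]:
    """Offsets (from the payload start) of every little-endian occurrence of `word`.

    These are the slots to overwrite with the real function address (|1 for a
    Thumb target, as the comment in the assembly says). They must be 4-byte
    aligned: Thumb `ldr r1, print` and `adr r0, hello` address relative to
    Align(PC, 4), so the payload also has to be placed at a 4-byte-aligned address.
    """
    needle = struct.pack("<I", word)
    offsets = [i for i in range(len(payload) - 3) if payload[i:i + 4] == needle]
    misaligned = [o for o in offsets if o % 4]
    if misaligned:
        raise ValueError(f"literal at unaligned offset(s) {misaligned}")
    return offsets
```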
PS. Just in case anyone accustomed to x86 assembly wonders: yes, the code above is position independent on ARM. No need for jump/call/pop techniques. ;)