As I mentioned on Twitter earlier (@OwariDa, @ClevCode), using the excellent Hex-Rays ARM decompiler turned out to be quite handy for verifying the payload I’m developing and injecting into the XMM6260-based baseband in my Samsung S3 (GT-i9300). Rebooting my phone due to baseband crashes can be a bit time consuming. :D
The specific research I'm doing at the moment will be kept private, but for those who find the subject interesting I can give you the following simple example. It decompiles, as expected, to v12345678("Hello World\n"), where v12345678 is the function at address 0x12345678. 0xbadc0ded and 0xdeadbeef are used as markers, to make it possible to easily extract the payload from the object file.
.thumb                        /* the extracted bytes below are 16-bit Thumb encodings */
.byte 0xba, 0xdc, 0x0d, 0xed  /* marker */
push {lr}                     /* 00 b5: save return address (reconstructed from the hex dump below) */
adr r0, hello                 /* 03 a0: r0 = pc-relative address of the string */
ldr r1, print                 /* 01 49: r1 = function pointer from the literal below */
blx r1                        /* 88 47: call it; bit 0 of r1 selects Thumb mode */
pop {pc}                      /* 00 bd: return */
.align 2                      /* pad to a word boundary before the literal */
print: .word 0x12345678       /* append |1 if thumb */
hello: .asciz "Hello World\n"
.byte 0xde, 0xad, 0xbe, 0xef  /* marker */
How to extract the payload and send it to your custom injector tool:
je@isis:~$ arm-elf-gcc -c -o code.o code.s && xxd -p code.o \
| perl -pne 's/\n//g' | perl -pne 's/.*badc0ded(.*)deadbeef.*/$1\n/g'
je@isis:~$ echo 00b503a00149884700bd00007856341248656c6c6f20576f726c640a00 \
| xxd -p -r | evil-injector-pwn # ;)
PS. Just in case anyone accustomed to x86 assembly wonders: yes, the code above is position independent on ARM. No need for jump/call/pop techniques. ;)
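As an added example (my own code, not part of the original post or its injector), here is a small Python check that does what the perl pipeline does but on raw bytes, then resolves the payload's PC-relative operands to confirm that adr and ldr land on the string and on the function-pointer word no matter where the code is loaded; the object bytes around the markers are constructed from the hex the post prints.

```python
import struct

# Constructed stand-in for code.o: the hex the post's pipeline prints, wrapped in
# the two markers and some padding (assumption: markers and payload are contiguous).
START, END = bytes.fromhex("badc0ded"), bytes.fromhex("deadbeef")
PAYLOAD_HEX = "00b503a00149884700bd00007856341248656c6c6f20576f726c640a00"
SAMPLE_OBJ = b"\x00" * 52 + START + bytes.fromhex(PAYLOAD_HEX) + END + b"\x00" * 16

def extract_payload(blob: bytes) -> bytes:
    """Bytes between the first start marker and the following end marker. Working on
    raw bytes (not a hex dump) means a marker can never match starting mid-byte."""
    s = blob.index(START) + len(START)
    return blob[s:blob.index(END, s)]

def thumb_pc(offset: int) -> int:
    """PC as seen by a Thumb instruction at `offset` for literal addressing:
    two halfwords ahead, then word-aligned."""
    return (offset + 4) & ~3

def resolve_literals(code: bytes) -> dict:
    """Walk the 16-bit Thumb stream up to POP {pc}, resolving the PC-relative
    operands of ADR and LDR (literal) to payload offsets and noting the BLX register."""
    refs, off = {}, 0
    while off + 2 <= len(code):
        (ins,) = struct.unpack_from("<H", code, off)
        if ins & 0xF800 == 0xA000:            # ADR Rd, label  (Rd = PC + imm8*4)
            refs[f"adr r{(ins >> 8) & 7}"] = thumb_pc(off) + (ins & 0xFF) * 4
        elif ins & 0xF800 == 0x4800:          # LDR Rt, [PC, #imm8*4]
            tgt = thumb_pc(off) + (ins & 0xFF) * 4
            refs[f"ldr r{(ins >> 8) & 7}"] = tgt
            refs["literal"] = struct.unpack_from("<I", code, tgt)[0]
        elif ins & 0xFF87 == 0x4780:          # BLX Rm
            refs["blx"] = (ins >> 3) & 0xF
        elif ins == 0xBD00:                   # POP {pc}: data follows, stop decoding
            break
        off += 2
    return refs

def verify(code: bytes) -> dict:
    """What the decompiler should show: string in r0, pointer in r1, Thumb bit set?"""
    refs = resolve_literals(code)
    s = refs["adr r0"]
    return {
        "string": code[s:code.index(b"\0", s)].decode(),
        "func": refs["literal"],
        "thumb_bit": bool(refs["literal"] & 1),
        "call_reg": refs["blx"],
    }
```

With the placeholder 0x12345678 the Thumb bit comes back False, which is the reminder the `append |1 if thumb` comment is about: the injector has to set it when it patches in the real address.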