ARM payload development

As I mentioned on Twitter earlier (@OwariDa, @ClevCode), using the excellent Hex-Rays ARM decompiler turned out to be quite handy for verifying the payload I’m developing and injecting into the XMM6260-based baseband in my Samsung S3 (GT-i9300). Rebooting my phone due to baseband crashes can be a bit time consuming. :D

The specific research I’m doing at the moment will be kept private, but for those who find the subject interesting I can give you the following simple example. It decompiles, as expected, to v12345678(“Hello World\n”), where v12345678 is the function at address 0x12345678. The constants 0xbadc0ded and 0xdeadbeef are used as markers, so that the payload can easily be extracted from the object file.
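As an added illustration of the marker trick (this is not the author's tool, and it assumes 0xbadc0ded is the start marker and 0xdeadbeef the end marker, both stored little-endian as on the ARM target), the following script pulls the bytes between the two markers out of an object file, rejects malformed input instead of silently emitting a truncated payload, and formats the result as a C array. The sample object bytes are constructed inline and contain only a `mov r0, r0` and a `bx lr`.

```python
import struct

# Marker values from the post. The ARM target is little-endian, so each
# 32-bit marker shows up in the object file as four little-endian bytes.
START_MARKER = 0xBADC0DED  # assumed to mark the start of the payload
END_MARKER = 0xDEADBEEF    # assumed to mark the end of the payload


def extract_payload(blob: bytes, start=START_MARKER, end=END_MARKER) -> bytes:
    """Return the bytes between the start and end markers in `blob`.

    Raises ValueError if a marker is missing, occurs more than once, or the
    markers are out of order, so a bad object file fails loudly.
    """
    start_bytes = struct.pack("<I", start)
    end_bytes = struct.pack("<I", end)
    s = blob.find(start_bytes)
    if s < 0 or blob.find(start_bytes, s + 1) >= 0:
        raise ValueError("start marker missing or not unique")
    e = blob.find(end_bytes)
    if e < 0 or blob.find(end_bytes, e + 1) >= 0:
        raise ValueError("end marker missing or not unique")
    if e < s + 4:
        raise ValueError("end marker precedes start marker")
    payload = blob[s + 4:e]
    if len(payload) % 4 != 0:
        raise ValueError("payload is not a whole number of 32-bit ARM words")
    return payload


def to_c_array(payload: bytes, name: str = "payload") -> str:
    """Format the payload as a C array for pasting into an injector."""
    body = ", ".join(f"0x{b:02x}" for b in payload)
    return f"unsigned char {name}[{len(payload)}] = {{ {body} }};"


# Constructed sample "object file" (not from the post): some leading bytes,
# the start marker, two ARM instructions (mov r0, r0 = 0xe1a00000 and
# bx lr = 0xe12fff1e), the end marker, and trailing bytes.
SAMPLE_OBJECT = (
    b"\x7fELF\x00\x00\x00\x00"
    + struct.pack("<I", START_MARKER)
    + struct.pack("<I", 0xE1A00000)
    + struct.pack("<I", 0xE12FFF1E)
    + struct.pack("<I", END_MARKER)
    + b"\x00\x00\x00\x00"
)

if __name__ == "__main__":
    print(to_c_array(extract_payload(SAMPLE_OBJECT)))
```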

How to extract the payload and send it to your custom injector tool:

PS. Just in case anyone accustomed to x86 assembly wonders: yes, the code above is position independent on ARM. No need for jump/call/pop techniques. ;)