Mobile Phone ROM Image and Reverse Engineering Invitation
http://www.thc.org/thc-rom/
2005-05-26

Abstract

The following webpage contains ROM images from various mobile phone operating systems. Our intention is to motivate other reverse engineers to take a look at the images and to discover other hidden secrets. Another reason is that it is said to be hard to extract the ROM. Certainly another reason is that Nokia does not release any technical information about the hardware, and I find this rather disappointing. (It's my strong belief that when I buy hardware I should also be allowed to know what's in it and how to use it.)
NOKIA 6630
  n6630-rom-0x5000000.dmp
  n6630-rom-0x5000000-info.txt      (ROM information dump)
  n6630-virt-phys-map.txt           (list of virtual to physical address mapping)

NOKIA N70
  n70-rom-0x50000000.dmp
  n70-rom-0x50000000-info.txt

NOKIA N-GAGE
  ngage-rom-0x50000000.dmp
  ngage-rom-0x50000000-info.txt
  ngage-gsmstuff-0x5149D280.dll     (GSM stack?)
  ngage-virt-phys-map.txt

SonyEricsson P900
  p900-rom-0x50000000.dmp
  p900-rom-0x50000000-info.txt

Where to go from here:

- Get the Symbian/Nokia SDK. Start with extracting the files from the ROM image and load them into IDA (see e32rom.h). Get SDKs from different vendors. Some come with more header files than others, and it's best to have a mix of all headers.
- Load the ROM into IDA. Check for jumps/calls outside the ROM address space. (Hint: too many secrets!)
- Write your own kernel module. Map some physical address pages that are currently not mapped. Wuuhhaa.

Some quick information:

1) Virtual Memory & MMU system. ARM, 32-bit. Binaries are executed directly in ROM (XIP, no relocation to RAM).
   1) The page directory contains pointers to 1 MB sections or 4k page tables.
   2) Virtual address map:

+---------------------------+-----------------------------------------------+
| 0x0040 0000 - 0x2FFF FFFF | User Data                                     |
| 0x3000 0000 - 0x3FFF FFFF | Static data for Java                          |
| 0x4000 0000 - 0x4000 1FFF | Super page + CPU page                         |
| 0x4001 0000 - 0x4001 0FFF | Shadow RAM page temporary address             |
| 0x4100 0000 - 0x4100 3FFF | Page Directory                                |
| 0x4108 0000 - 0x4108 3FFF | Page table info                               |
| 0x4200 0000 - 0x423F FFFF | Page tables                                   |
| 0x5000 0000 - 0x57FF FFFF | ROM image                                     |
| 0x5800 0000 - 0x5EFF FFFF | Memory-mapped I/O (danger!)                   |
| 0x5F00 0000 - 0x5FFF FFFF | Video RAM (fun!)                              |
| 0x6000 0000 - 0x7FFF FFFF | RAM                                           |
| 0x8000 0000 - 0xXXXX XXXX | Kernel data/bss section                       |
| 0xXXXX XXXX - 0xXXXX XXXX | Reentrant/IRQ/FIQ/Null/Exception kernel stack |
| 0xXXXX XXXX - 0xXXXX XXXX | Fixed chunks data for ROM fixed processes (?) |
| 0xXXXX XXXX - 0xXXXX XXXX | Kernel server heap and stack                  |
| 0xXXXX XXXX - 0xXXXX XXXX | Home Section / All Processes                  |
| 0xXXXX XXXX - 0xXXXX XXXX | RAM-loaded EXE & DLL code                     |
| 0xFFF0 0000 - 0xFFFE FFFF | Void / Empty                                  |
| 0xFFFF 0000 - 0xFFFF FFFF | Vectors (hoho!)                               |
+---------------------------+-----------------------------------------------+

Note: Big thanks goes to an anonymous contributor; without his help all this would not have been possible.

Yours sincerely,
The Hackers Choice
http://www.thc.org
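The page directory and section/page-table split described in the quick information above, worked through as an added example (not THC's code and not taken from the dumps): it decodes ARM first-level and coarse second-level descriptors the way the phone's MMU does, so a virt-phys map like n6630-virt-phys-map.txt can be reproduced from a 16 KB page directory. All physical addresses in the sample directory are constructed placeholders.

```python
import struct

# ARM first-level descriptor types (bits [1:0]); the page directory at
# 0x41000000 holds 4096 of these, each covering 1 MB of virtual space.
FAULT, COARSE, SECTION = 0b00, 0b01, 0b10

def section(pa, ap):            # 1 MB section: base [31:20], AP [11:10]
    return (pa & 0xFFF00000) | (ap << 10) | SECTION

def coarse(pt_pa):              # pointer to a 1 KB coarse page table, base [31:10]
    return (pt_pa & 0xFFFFFC00) | COARSE

def small_page(pa, ap):         # 4 KB page: base [31:12], AP0..AP3 in [11:4]
    return (pa & 0xFFFFF000) | ((ap * 0x55) << 4) | 0b10

class SymbianMMU:
    """Walks a 16 KB page directory plus the coarse page tables it points to."""
    def __init__(self, page_dir, page_tables):
        assert len(page_dir) == 0x4000
        self.pd, self.pt = page_dir, page_tables   # pt: table PA -> 1 KB bytes

    def translate(self, va):
        """Return (pa, kind, ap) for a virtual address, or None on a fault."""
        (desc,) = struct.unpack_from("<I", self.pd, (va >> 20) * 4)
        if desc & 3 == SECTION:
            return (desc & 0xFFF00000) | (va & 0xFFFFF), "section", (desc >> 10) & 3
        if desc & 3 == COARSE and (desc & 0xFFFFFC00) in self.pt:
            table = self.pt[desc & 0xFFFFFC00]
            (l2,) = struct.unpack_from("<I", table, ((va >> 12) & 0xFF) * 4)
            if l2 & 3 == 0b10:  # 4 KB small page, base [31:12]
                return (l2 & 0xFFFFF000) | (va & 0xFFF), "small page", (l2 >> 4) & 3
            if l2 & 3 == 0b01:  # 64 KB large page, base [31:16]
                return (l2 & 0xFFFF0000) | (va & 0xFFFF), "large page", (l2 >> 4) & 3
        return None  # translation fault (or a descriptor type not handled here)

def build_sample_mmu():
    """Constructed page directory; the physical addresses are placeholders."""
    pd, pt = bytearray(0x4000), bytearray(0x400)
    # 8 MB ROM image at VA 0x50000000, XIP, read-only from user mode (AP=0b10)
    for i in range(8):
        struct.pack_into("<I", pd, (0x500 + i) * 4, section(i * 0x100000, 0b10))
    # super page + CPU page at VA 0x40000000: two 4 KB pages, privileged only (AP=0b01)
    for j in range(2):
        struct.pack_into("<I", pt, j * 4, small_page(0x80000000 + j * 0x1000, 0b01))
    struct.pack_into("<I", pd, 0x400 * 4, coarse(0x80010000))
    return SymbianMMU(bytes(pd), {0x80010000: bytes(pt)})
```

Pointing `SymbianMMU` at the 16 KB read from 0x41000000 and the tables under 0x42000000 of a real dump gives the same walk over real descriptors; the MMIO window at 0x58000000 is deliberately left unmapped in the sample.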