in Mobile phones, Reversing

howto: Disassembing Blackberry software

Using IDA Pro disassembler. After installing Blackberry OS software to your PC, you can find firmware sfi file extracted to folder like C:\Program Files\Common Files\Research In Motion\Shared\Loader Files\<software version>\GPRS\. There is single sfi file named like rim8800g.sfi or rim0x84001503.sfi. It contains OS and DSPOS firmware. OS firmware contain system kernel and Java Machine. DSPOS is prabably a system partition image. I’ll explain how to disassemble OS firmware.

First you have to gather some information about sfi file. RiM released tools named Command-Line Programmer which allow you to load software to your device. This software can also be used to reveal branch of useful information about sfi file. Use: cfp fileinfo file.sfi and you will see in which address space OS will be loaded (OS Address) and so on. Save it to file, it help us to set proper disassembler options.

CFP 3.9.0.49 patched

 

Now open sfi with HEX editor (e.g. WinHex). First 8 bytes are file header – you can skip them. The next 4 bytes is section id. If it is 0x02 (little indian byte order) – that is what we are looking for. Id 0x02 correspond to OS firmware section and I suppose it is always first section. Write down next four bytes and subtract 0x10 (16 decimal). Result is section size. E.g. data BC0B6900 correspond to 690BAC size (BC0B6900 in little endian is 00690BBC and minus 0x10 is 690BAC). Skip next four bytes and you are where the section data begins (first section starts always at 0x14 offset). In WinHex you can mark beginning of block using Alt + 1. Next go to the section end – go 690BAC bytes forth (in WinHex Alt + G, then select relative to: current position and type the offset, then go back 1 byte). Copy whole section data into new bin file (WinHex: select block end – Alt + 2 and copy block into new file – Ctrl + Shift + N). Now you have OS firmware extracted.

BlackBerry SFI/MFI file structure description

 

To disassemble run IDA, open your bin file, change processor type to XScaleL and click OK. ROM and RAM section addresses you can find in cfp log (named as OS Address and RAM usage). Input file loading address set to ROM start address and click OK. Now go to App Start address and press C. It will start disassembling process here. You can use also interrupt vectors (first 32 bytes) to get some code entry-points.

In this point, everything looks great. But there is one problem – google can’t find papers about Blackberry CPU. I don’t know how I/O portsĀ are mapped (in ARM they are mapped to some memory space, there is no special commands like in, out). So any informations will be welcomed.

Write a Comment

Comment

  1. Hello Master, i had downloaded your cfp patched, i have here a blackberry 8320, and have too signed and unsigned mfi.

    i try to load unsigned mfi to device and it load succesfully, but the phone dont power on, does not enter in No aplication linked Mode, but if i use signed mfi, after the load the phone restart in NAL mode.

    I think, we can load mfi unsigned but the device will not power in Nal mode, so we have to sign this files(mfi), i have 3 different mfi unsigned for this handset(8320) and with all then is the same.

    Here are the 3 mfi unsigned, Check it out please and say if this file are correct or wrong:

    http://www.4shared.com/file/sJqA5uY_/MFI-13711-012.htm
    http://www.4shared.com/file/RfN4t6zw/mfi-13711-013.htm
    http://www.4shared.com/file/1J7Wu_NM/MFI-13711-014.htm

    Thank you very much my friend.

    Keep It up !!!

  2. You could flash unsigned MFI, but bootloader won’t boot it without valid sign (maybe with some old devices it will, but IMHO there is no point to investigate such outdated phones).
    To generate valid sign we need to know RIMs private key and it is highly unlikely to get it.

  3. Hello sir,

    I’m also researching about modified CFP,
    I’ve extracted the RAMLOADER from CFP to unencrypted ARM Loader,
    @there I found some interesting stuff,
    device need to approve signed loader(if we modified it) by ecc-sha256 and ecc sha512 crypto,
    do you know about this crypto?
    I desperately looking how to calculate this crypto,
    also please let me know how to calculate rimsa1 crypto

    thank you

  4. @QQ: that’s interesting, are you willing to share this RAMLOADER? I’ve tried to extract it myself, but I failed.
    sha256 and sha512 are hashing algorithms which can be calculated easily (e.g. using linux app sha256sum or WinHex or whatever). By ecc you mean Elliptic Curve Cipher? AFAIK these are pretty strong.
    And about this rimsa1, I never heard about this. Google also give me nothing.

  5. Hello sir,

    no problem about sharing the ramloader,just email me,what type do you need,i’ll send you through email,
    yes i know about hashing standard sha256,yes about ecc google gives nothing,
    from my research is it seem RIM combine ecc and sha, and gives 0x80 bytes(hex) crypto,
    everytime i want to change the loader to become custom,
    these crypto don’t allow ramloader to executed,
    i’ve tried to execute it through jtag, but still… can’t executed without the correct RAMLOADER,
    and also i found interesting stuff too,
    this ecc-sha crypto,if we correct it right,we don’t need rtas,
    I found a lot insteresting stuff too,
    a lot of methos i’ve tried, and it seem cpu very protecting bootloader even on jtag mode,
    only bootloader area won’t eraseable and rewriteable,
    i’m confused now,meet a dead end,
    a lot of type i’ve tried here, from old 8100 until 9930,no matter it is gsm band or cdma band,
    each of them have different characteristic,
    but in the end, i meet this crypto,
    from the way i look on IDA, if this crypto is approved by WRITEONCE(CPUBootloader),then executed approved,otherwise it failed.
    Maybe you’ll have different view from what i missing after taking a look what exactly cfp processed on device and take it a look about how device process the flash chip into making partition between boot,sfi/mfi,fsos,osnv,etc

    i’ll wait on email,
    Thanks

  6. addition note:

    pbl(primarybootloader) part maybe writeonce and protected by CPU vendor,
    and we don’t care about it
    but sbl should be eraseable,because it is on flash chip,
    so bootrom should be rewriteable even on jtag mode,
    but in the end, i only found unrewriteable on jtag mode,
    but the other part like amss(sfi/mfi part) still rewriteable on jtag,
    and os nv part also i found rewriteable
    but everytime i forced to run my custom RAMloader to make sbl rewriteable,
    it meet that suck dead end, ecc sha crypto again