Researching COD file format

Recently I made some research in order to extract certain information from Blackberry application files. I found useful information on Dr. {B0lsen} blog (headers, section layout – really great work). I’ve investigated resources layout – it contains fields like application name, description, icon file etc. During my research I’ve been able to clarify some aspect of Dr. {Bolsen} description (still I’ll appreciate your work), and resulting in this paper.

cod-file-struct.txt

I hope someone find it useful.

howto: Disassembing Blackberry software

Using IDA Pro disassembler. After installing Blackberry OS software to your PC, you can find firmware sfi file extracted to folder like C:\Program Files\Common Files\Research In Motion\Shared\Loader Files\<software version>\GPRS\. There is single sfi file named like rim8800g.sfi or rim0x84001503.sfi. It contains OS and DSPOS firmware. OS firmware contain system kernel and Java Machine. DSPOS is prabably a system partition image. I’ll explain how to disassemble OS firmware.

First you have to gather some information about sfi file. RiM released tools named Command-Line Programmer which allow you to load software to your device. This software can also be used to reveal branch of useful information about sfi file. Use: cfp fileinfo file.sfi and you will see in which address space OS will be loaded (OS Address) and so on. Save it to file, it help us to set proper disassembler options.

cfp.rar

 

Now open sfi with HEX editor (e.g. WinHex). First 8 bytes are file header – you can skip them. The next 4 bytes is section id. If it is 0x02 (little indian byte order) – that is what we are looking for. Id 0x02 correspond to OS firmware section and I suppose it is always first section. Write down next four bytes and subtract 0x10 (16 decimal). Result is section size. E.g. data BC0B6900 correspond to 690BAC size (BC0B6900 in little endian is 00690BBC and minus 0x10 is 690BAC). Skip next four bytes and you are where the section data begins (first section starts always at 0x14 offset). In WinHex you can mark beginning of block using Alt + 1. Next go to the section end – go 690BAC bytes forth (in WinHex Alt + G, then select relative to: current position and type the offset, then go back 1 byte). Copy whole section data into new bin file (WinHex: select block end – Alt + 2 and copy block into new file – Ctrl + Shift + N). Now you have OS firmware extracted.

sfi-mfi-file-struct.txt

 

To disassemble run IDA, open your bin file, change processor type to XScaleL and click OK. ROM and RAM section addresses you can find in cfp log (named as OS Address and RAM usage). Input file loading address set to ROM start address and click OK. Now go to App Start address and press C. It will start disassembling process here. You can use also interrupt vectors (first 32 bytes) to get some code entry-points.

In this point, everything looks great. But there is one problem – google can’t find papers about Blackberry CPU. I don’t know how I/O ports are mapped (in ARM they are mapped to some memory space, there is no special commands like in, out). So any informations will be welcomed.

Blackberry VSMTools – modifying branding files

About year ago I got my first Blackberry device. Of course I did some research of what we can do with it. I mean of course, more than RiM allow us to do.

First I’ve got my phone debranded. That involves uploading branding file to device. When I did that, I started to wonder if I could edit or create my own branding file with my own splashscreen image or other data changed. I found some VSM file format description (but incomplete). I did my own research (including software disassembling) and finally I created VSMTools. It’s an easy-to-use command line tools which allow you to extract, edit or create your own VSM file.

vsmtools06.rar is my tool to extract, edit and create branding VSM files. I’ve also documented VSM file structure. I got it all except sign section. VSM files are digitally signed and as far as I know it is done by RSA-SHA1 private key and the public key (which I covered in this document). It is used to check the file integrity. I can’t tell any more about the sign mechanism, if you do have any information about that, please contact me. Sign section may be not present in VSM. Blackberry 8800 accept unsigned files, but maybe some newer devices don’t.

vms_file_struct.txt

Some usefull links related with VSM files: topic about hacking VSM files on GSM Forum, VSM resources description in BlackBerry API.