howto: Disassembling Blackberry software

This uses the IDA Pro disassembler. After installing the Blackberry OS software on your PC, you can find the firmware sfi file extracted to a folder like C:\Program Files\Common Files\Research In Motion\Shared\Loader Files\<software version>\GPRS\. There is a single sfi file named like rim8800g.sfi or rim0x84001503.sfi. It contains the OS and DSPOS firmware. The OS firmware contains the system kernel and the Java virtual machine. DSPOS is probably a system partition image. I’ll explain how to disassemble the OS firmware.

First you have to gather some information about the sfi file. RiM released a tool named Command-Line Programmer which allows you to load software onto your device. It can also be used to reveal a bunch of useful information about an sfi file. Run: cfp fileinfo file.sfi and you will see in which address space the OS will be loaded (OS Address) and so on. Save the output to a file; it will help us set the proper disassembler options.

cfp.rar

Now open the sfi with a HEX editor (e.g. WinHex). The first 8 bytes are the file header – you can skip them. The next 4 bytes are the section id. If it is 0x02 (little-endian byte order), that is what we are looking for. Id 0x02 corresponds to the OS firmware section, and I suppose it is always the first section. Write down the next four bytes and subtract 0x10 (16 decimal). The result is the section size. E.g. the data BC0B6900 corresponds to size 690BAC (BC0B6900 in little-endian is 00690BBC, and minus 0x10 is 690BAC). Skip the next four bytes and you are where the section data begins (the first section always starts at offset 0x14). In WinHex you can mark the beginning of a block with Alt + 1. Next go to the section end – move 690BAC bytes forward (in WinHex Alt + G, then select relative to: current position and type the offset, then go back 1 byte). Copy the whole section data into a new bin file (WinHex: select the block end with Alt + 2 and copy the block into a new file with Ctrl + Shift + N). Now you have the OS firmware extracted.
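As an added example (not from the original page), here is a Python script that applies the same section-header rules to extract the OS section programmatically instead of by hand in WinHex; the sample file it builds is constructed for testing and is not a real RIM file.

```python
import struct

FILE_HEADER_LEN = 8       # first 8 bytes: file header, skipped
SECTION_HEADER_LEN = 12   # section id (4) + stored size (4) + 4 skipped bytes
OS_SECTION_ID = 0x02      # id of the OS firmware section
SIZE_ADJUST = 0x10        # stored size minus 0x10 is the data length


def data_length(size_bytes):
    """Decode the 4-byte little-endian size field into the data length."""
    return struct.unpack("<I", size_bytes)[0] - SIZE_ADJUST


def parse_first_section(sfi):
    """Return (section_id, data_offset, data_length) of the first section.

    The first section's data always starts at offset 0x14 (8 + 12).
    """
    if len(sfi) < FILE_HEADER_LEN + SECTION_HEADER_LEN:
        raise ValueError("file too short for a section header")
    sec_id = struct.unpack_from("<I", sfi, FILE_HEADER_LEN)[0]
    length = data_length(sfi[FILE_HEADER_LEN + 4:FILE_HEADER_LEN + 8])
    offset = FILE_HEADER_LEN + SECTION_HEADER_LEN   # 0x14
    if length < 0 or offset + length > len(sfi):
        raise ValueError("size field 0x%x does not fit the file" % (length + SIZE_ADJUST))
    return sec_id, offset, length


def extract_os_firmware(sfi):
    """Return the raw OS firmware bytes; raise if the first section is not id 0x02."""
    sec_id, offset, length = parse_first_section(sfi)
    if sec_id != OS_SECTION_ID:
        raise ValueError("first section id 0x%02x is not the OS section" % sec_id)
    return sfi[offset:offset + length]


def build_sample_sfi(payload):
    """Constructed test input following the layout above; not a real RIM file."""
    header = b"\x00" * FILE_HEADER_LEN
    section = struct.pack("<II", OS_SECTION_ID, len(payload) + SIZE_ADJUST) + b"\x00" * 4
    return header + section + payload


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:          # usage: script.py in.sfi out.bin
        blob = f.read()
    with open(sys.argv[2], "wb") as f:
        f.write(extract_os_firmware(blob))
```

The size check guards against a corrupted or truncated file whose size field points past the end of the data.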

sfi-mfi-file-struct.txt

To disassemble, run IDA, open your bin file, change the processor type to XScaleL and click OK. The ROM and RAM section addresses can be found in the cfp log (listed as OS Address and RAM usage). Set the input file loading address to the ROM start address and click OK. Now go to the App Start address and press C. That starts the disassembly from there. You can also use the interrupt vectors (the first 32 bytes) to get some code entry points.
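Added example, not part of the original page: a Python helper that decodes the ARM exception vector table (the first 32 bytes of the extracted image) into entry-point addresses, given the ROM base taken from the cfp log. The image it builds is constructed, and the base address used in the test is an assumption, not a real OS Address.

```python
import struct

VECTOR_NAMES = ["reset", "undef", "swi", "prefetch_abort",
                "data_abort", "reserved", "irq", "fiq"]


def decode_vector(word, addr, image, base):
    """Return the address an ARM vector word jumps to, or None if unrecognised.

    Two encodings are handled, as commonly found in ARM vector tables:
      B/BL <target>       bits 27..25 == 0b101, signed 24-bit word offset
      LDR pc, [pc, #imm]  0xE59FFxxx, target read from a literal pool
    ARM reads pc as the instruction address + 8 in both cases.
    """
    if (word >> 25) & 0b111 == 0b101:
        imm24 = word & 0x00FFFFFF
        if imm24 & 0x00800000:                  # sign-extend the 24-bit field
            imm24 -= 0x01000000
        return (addr + 8 + (imm24 << 2)) & 0xFFFFFFFF
    if (word & 0xFFFFF000) == 0xE59FF000:
        literal_off = addr + 8 + (word & 0xFFF) - base   # file offset of the literal
        if 0 <= literal_off and literal_off + 4 <= len(image):
            return struct.unpack_from("<I", image, literal_off)[0]
    return None


def vector_entry_points(image, base):
    """Map each of the eight vectors in the first 32 bytes to its target address."""
    targets = {}
    for i, name in enumerate(VECTOR_NAMES):
        word = struct.unpack_from("<I", image, 4 * i)[0]
        targets[name] = decode_vector(word, base + 4 * i, image, base)
    return targets


def build_sample_image():
    """Constructed 64-byte image: reset = B base+0x40, undef = LDR pc via literal at 0x24."""
    img = bytearray(0x40)
    struct.pack_into("<I", img, 0x00, 0xEA00000E)   # B   +0x38 from pc -> base+0x40
    struct.pack_into("<I", img, 0x04, 0xE59FF018)   # LDR pc, [pc, #0x18] -> literal at 0x24
    struct.pack_into("<I", img, 0x24, 0x00001234)   # literal: absolute target address
    return bytes(img)
```

Each non-None target is a candidate address to press C on in IDA once the image is loaded at the ROM base.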

At this point everything looks great. But there is one problem – Google can’t find any papers about the Blackberry CPU. I don’t know how the I/O ports are mapped (on ARM they are mapped into memory space; there are no special instructions like in and out). So any information will be welcome.

Blackberry VSMTools – modifying branding files

About a year ago I got my first Blackberry device. Of course I did some research into what we can do with it – I mean, of course, more than RiM allows us to do.

First I got my phone debranded. That involves uploading a branding file to the device. When I did that, I started to wonder if I could edit or create my own branding file with my own splash screen image or other data changed. I found some VSM file format description (but incomplete). I did my own research (including software disassembling) and finally I created VSMTools. It’s an easy-to-use command-line tool which allows you to extract, edit or create your own VSM file.

vsmtools06.rar is my tool to extract, edit and create branding VSM files. I’ve also documented the VSM file structure. I got it all except the sign section. VSM files are digitally signed and, as far as I know, it is done with RSA-SHA1: a private key signs, and the public key (which I covered in this document) is used to check the file integrity. I can’t tell any more about the signing mechanism; if you have any information about it, please contact me. The sign section may be absent from a VSM. The Blackberry 8800 accepts unsigned files, but maybe some newer devices don’t.

vms_file_struct.txt

Some useful links related to VSM files: topic about hacking VSM files on GSM Forum, VSM resources description in the BlackBerry API.

My old Siemens patches

Siemens SL45i (or SL45, SL42 – it’s the same phone) is – in my opinion – the best cellphone of its time. I spent a lot of time reversing its software and trying to make it better by developing patches. The patching scene for this phone was very active; hundreds of patches were developed. At some point RizaPN, the most recognizable patchmaker, created “Binary File Access” – a patch that allows us to load and run executable files from the memory card. I’ve developed some of those files, and even wrote a simple game. I collected all the patches which I still have. Some of them are missing, so it is not a complete pack, but the most important ones are present. If you have any of my missing patches – please contact me.

Some of the most productive patchmakers whom I’d like to recall are: RizaPN, lalo.lerry, mamaich, Chaos, DeadManS, rc-flitzer, ValeraVi, vBart and many others. Thank you guys.

My patches for Siemens SL45i – a pack of V-Klay patches containing Thermometer v1.2, MP3 indicators v3.1, Fast animated logo, Green button function, Playlist MP3 instead, Buttons Animation, Band selection and Auto OC. Some of them are documented with assembler source code.

My apps for Siemens SL45i – a pack of binary executable files (bin) containing Archer (a simple arcade game), Playlist Converter, Thermometer v1.1 and OC Info. With sources.

Siemens SX1 – I developed several flash patches between March and December 2007. These patches are in sxpr format (the APatcher format). Just to view the files you can use Microsoft Word, WordPad or OpenOffice Writer. The files contain some WordPad formatting, so it is not convenient to open them in Notepad.

My patches for Siemens SX1 – all my patches are collected in a single archive. The most complex one (date and profile name in the main screen) contains assembler source. List of patches in the archive: Disable Low Battery Message and sound, Don’t change backlight level in camera, Change camera standby timer, Change camera standby timer v2, Disable Selected profile message, Don’t display profile name in mainscreen, Display date and profile name symbol in mainscreen, Don’t show OpLogo picture, Display date and profile name symbol in mainscreen v2, Don’t show profiles in shutdown menu.