howto: Disassembing Blackberry software

Using IDA Pro disassembler. After installing Blackberry OS software to your PC, you can find firmware sfi file extracted to folder like C:\Program Files\Common Files\Research In Motion\Shared\Loader Files\<software version>\GPRS\. There is single sfi file named like rim8800g.sfi or rim0x84001503.sfi. It contains OS and DSPOS firmware. OS firmware contain system kernel and Java Machine. DSPOS is prabably a system partition image. I’ll explain how to disassemble OS firmware.

First you have to gather some information about sfi file. RiM released tools named Command-Line Programmer which allow you to load software to your device. This software can also be used to reveal branch of useful information about sfi file. Use: cfp fileinfo file.sfi and you will see in which address space OS will be loaded (OS Address) and so on. Save it to file, it help us to set proper disassembler options.

cfp.rar

 

Now open sfi with HEX editor (e.g. WinHex). First 8 bytes are file header – you can skip them. The next 4 bytes is section id. If it is 0x02 (little indian byte order) – that is what we are looking for. Id 0x02 correspond to OS firmware section and I suppose it is always first section. Write down next four bytes and subtract 0x10 (16 decimal). Result is section size. E.g. data BC0B6900 correspond to 690BAC size (BC0B6900 in little endian is 00690BBC and minus 0x10 is 690BAC). Skip next four bytes and you are where the section data begins (first section starts always at 0x14 offset). In WinHex you can mark beginning of block using Alt + 1. Next go to the section end – go 690BAC bytes forth (in WinHex Alt + G, then select relative to: current position and type the offset, then go back 1 byte). Copy whole section data into new bin file (WinHex: select block end – Alt + 2 and copy block into new file – Ctrl + Shift + N). Now you have OS firmware extracted.

sfi-mfi-file-struct.txt

 

To disassemble run IDA, open your bin file, change processor type to XScaleL and click OK. ROM and RAM section addresses you can find in cfp log (named as OS Address and RAM usage). Input file loading address set to ROM start address and click OK. Now go to App Start address and press C. It will start disassembling process here. You can use also interrupt vectors (first 32 bytes) to get some code entry-points.

In this point, everything looks great. But there is one problem – google can’t find papers about Blackberry CPU. I don’t know how I/O portsĀ are mapped (in ARM they are mapped to some memory space, there is no special commands like in, out). So any informations will be welcomed.