regspy posted on 2006-7-21 12:19:12

BINEDIT 补丁制作(AlexeyK).doc (BinEdit patch making, by AlexeyK)

A little theory.

Structure of the firmware

As I see it, the firmware is divided into five parts. At the start of the firmware is a region of code in the processor's ARM mode: the vectors and the interrupt handlers. Then comes the region of the main firmware code in THUMB mode; most of the functions changed in patches are located here. Part of this region is the functions responsible for calling the outlying functions, as a rule the OS kernel functions. Next comes the data region. It mostly holds table resources (melodies, pictures, the table describing them, text resources, the T9 input table and so on) and the MCC scripts. After that come two interesting blocks, whose special feature is that when the firmware is loaded they are copied into RAM. The first is copied to the beginning of RAM and is the operating-system kernel; all the base functions are located there, and in firmware of one family this code is practically identical. The second block consists of initial-initialization data and is copied into the static-data region of RAM.




Structure and operation of MCC.

In Sysol firmware, apparently to reduce code size, a two-level code structure is used: there is code in processor instructions, and there are scripts that make it possible to invoke the frequently used functions (MCC). Most interestingly, the names of the MCC commands are embedded in the firmware itself. There is a table in which 8 bytes are allotted to each command. The first 4 bytes hold the address, in the firmware, of the function responsible for processing the data, that is, the body of the MCC function. The second 4 bytes hold the address of the MCC function's name. In the OS kernel there is a function responsible for launching an MCC; it is passed, in register R0, the address of the MCC script that must be executed. An example of the use of this function is the launching of various functions from the function buttons in standby mode: in the firmware, an address is loaded into register R0 and the function mentioned above is called. When the joystick functions are changed with Resman, it is these addresses that are edited, and that is how the assignment of the buttons changes.
The MCC processing function, having received the script address, creates in memory a structure describing the MCC process and writes that address into its beginning; then it reads the first byte of the MCC script, multiplies it by 8 (the length of an MCC descriptor), adds the address of the beginning of the descriptor table, and from the resulting address reads the address of the MCC script's processor function. Control is then transferred to the selected function, with R0 holding the address of the newly created structure describing the current MCC process.
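The dispatch step just described, re-implemented over a constructed mini firmware image as an added example (this is not code from the document, from BinEdit or from the phone's kernel). Only the 8-byte descriptor layout, the "first byte times 8 plus table base" rule, and the pairing of MCC_TASK with code 08 and the handler address 0x000C7E7C (both given later on this page) come from the text; IMAGE_BASE, TABLE_OFF, the other two command names and their handler addresses are invented placeholders.

```python
"""MCC dispatch over a constructed mini firmware image (added example).
Descriptor layout per the text: 8 bytes per command, first 4 = handler
address, next 4 = address of the command's name string.  The kernel launcher
takes the script's first byte, multiplies it by 8, adds the table base and
reads the handler address from there."""
import struct

IMAGE_BASE = 0x00100000          # assumption: where the toy image is mapped
TABLE_OFF = 0x100                # assumption: descriptor table offset in the image
TABLE_BASE = IMAGE_BASE + TABLE_OFF
ENTRY_LEN = 8                    # from the text: 4-byte handler + 4-byte name pointer


def build_image(commands):
    """commands: {code: (handler_addr, name)} -> little-endian image bytes.
    Descriptor for `code` sits at TABLE_OFF + code*8; name strings follow the table."""
    img = bytearray(TABLE_OFF + (max(commands) + 1) * ENTRY_LEN)
    for code, (handler, name) in sorted(commands.items()):
        name_addr = IMAGE_BASE + len(img)          # string appended after the table
        img += name.encode("ascii") + b"\0"
        struct.pack_into("<II", img, TABLE_OFF + code * ENTRY_LEN, handler, name_addr)
    return bytes(img)


def read_u32(img, addr):
    return struct.unpack_from("<I", img, addr - IMAGE_BASE)[0]


def read_cstr(img, addr):
    off = addr - IMAGE_BASE
    return img[off:img.index(b"\0", off)].decode("ascii")


def resolve_mcc(img, script):
    """Mirror the launcher: script[0] * 8 + table base -> descriptor.
    Returns (code, handler address, command name); rejects codes with no
    descriptor instead of following a zero pointer."""
    code = script[0]
    desc = TABLE_BASE + code * ENTRY_LEN
    if desc - IMAGE_BASE + ENTRY_LEN > len(img):
        raise ValueError(f"MCC code {code:#04x} lies beyond the descriptor table")
    handler = read_u32(img, desc)
    name_addr = read_u32(img, desc + 4)
    if handler == 0 or name_addr == 0:
        raise ValueError(f"no descriptor for MCC code {code:#04x}")
    return code, handler, read_cstr(img, name_addr)


# Constructed sample: MCC_TASK (code 0x08, handler 0x000C7E7C) is from this page;
# the other two entries are placeholders.
SAMPLE_COMMANDS = {
    0x08: (0x000C7E7C, "MCC_TASK"),
    0x1D: (0x00C00000, "MCC_IF"),     # placeholder handler address
    0x1E: (0x00C00100, "MCC_ELSE"),   # placeholder handler address
}
SAMPLE_IMAGE = build_image(SAMPLE_COMMANDS)

if __name__ == "__main__":
    # a script whose first byte is 0x08 resolves to the MCC_TASK handler
    print(resolve_mcc(SAMPLE_IMAGE, bytes([0x08, 0x3D])))
```

The name-pointer indirection is what lets a tool like BinEdit show command names for a firmware it has never seen: the strings are in the image itself, so no external symbol file is needed for this table.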

All the scripts are divided among processes; there are 21 processes in all, and the second byte of the MCC script selects the specific one. Physically this means that each MCC function consists of 21 subfunctions, to which the base function transfers control depending on the value of the second byte. Calling the subfunctions is organized much like calling the base functions: for many base functions the subfunctions form a table of entry addresses, and the required one is selected by number. Unlike the base functions, a subfunction receives in R0 not the address of the structure but the address of the current MCC instruction. At the start of the subfunction this address is moved from R0 into another register, for example
MOV R7, R0 (R7 = R0)
or onto the stack, which is noticeably rarer, since the value then has to be restored from the stack before use. After that, to get at the script's parameters, data is read at the address in that register plus a displacement, for example (the bracketed operands, lost in the forum copy, follow from the comments):
LDR R0, [R7, #8] (R0 = the word at R7+8) - reads an address
LDRH R0, [R7, #2] (R0 = the 16 bits at R7+2) - reads a 16-bit word
LDRB R0, [R7, #1] (R0 = the byte at R7+1) - reads a byte
The remaining bytes of the MCC script are, as a rule, parameters, which the function obtains in the way just described.
An MCC instruction can be broken into 8 parameters:
AA BB CCCC DDDD EEEE FFFFFFFF GGGG IIII, where
AA - the first - the code of the base MCC function
BB - the second - the code of the flow (subfunction)
CCCC - the third - has various meanings
DDDD - the fourth - also various meanings
EEEE - the fifth - as the previous two
FFFFFFFF - the sixth - as a rule contains an address: either a jump to another command or the string for an output command
GGGG - the seventh - has various meanings
IIII - the eighth - in practice not used
It must be noted that for some firmware the number of bytes in the parameters can differ, for example for the X460:
AA BB CCCC DDDD 0000 EEEEEEEE FFFFFFFF GGGG IIII
The fifth parameter is lengthened because of the addressing scheme of the processor's LDR instruction, which requires data to lie at addresses that are multiples of 4: it is moved 4 bytes further on, leaving 4 unused bytes.
Accordingly, access to the parameters of an MCC command is done as follows, provided the address of the start of the MCC is kept in R7 (operands restored from the layout above):
1 - LDRB Rx, [R7]
2 - LDRB Rx, [R7, #1]
3 - LDRH Rx, [R7, #2]
4 - LDRH Rx, [R7, #4]
5 - LDRH Rx, [R7, #6]
6 - LDR Rx, [R7, #8]
7 - LDRH Rx, [R7, #0xC]
8 - LDRH Rx, [R7, #0xE]
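A decoder for the instruction layout above, written for this page as an added example (not BinEdit's code and not from the original document). The field offsets in the struct are exactly the R7 displacements of the eight accesses just listed; the sample records are constructed from the three dump lines shown later on this page, and the X460 layout follows the page's nine-group dump with the 0000 filler. The mnemonics in MNEMONIC are the ones the page's annotations name (EXEC for the command the page glosses as "Execute"); note that the page's own comments number fields from the second byte, whereas here p1 is AA.

```python
"""Decoder for 16-byte MCC instructions (AA BB CCCC DDDD EEEE FFFFFFFF GGGG
IIII) and for the 20-byte X460 variant whose fifth field is moved to a
4-byte-aligned offset.  Added example; field numbering p1..p8 follows the text."""
import struct
from typing import NamedTuple

# Stored little-endian in the firmware image, so the halfword 0x0033 is 33 00.
LAYOUT_STD = struct.Struct("<BBHHHIHH")     # offsets 0,1,2,4,6,8,12,14 -> 16 bytes
LAYOUT_X460 = struct.Struct("<BBHHxxIIHH")  # 2 pad bytes, p5 at 8, p6 at 12 -> 20 bytes

# Command codes the page annotates; anything else is shown as a raw code.
MNEMONIC = {0x1C: "EXEC", 0x1D: "MCC_IF", 0x1E: "MCC_ELSE",
            0x2E: "MCC_SKDISPLAY", 0xEA: "MCC_LONG_LIST"}


class MccInsn(NamedTuple):
    p1: int  # AA   base MCC code
    p2: int  # BB   flow / subfunction
    p3: int  # CCCC
    p4: int  # DDDD
    p5: int  # EEEE (EEEEEEEE on the X460)
    p6: int  # FFFFFFFF  usually an address or jump target
    p7: int  # GGGG
    p8: int  # IIII unused in practice


def parse_mcc(data: bytes, offset: int = 0, layout=LAYOUT_STD) -> MccInsn:
    """Decode one instruction at `offset` (what R7 points at in the subfunction)."""
    if offset + layout.size > len(data):
        raise ValueError("truncated MCC instruction")
    return MccInsn(*layout.unpack_from(data, offset))


def from_dump(line: str) -> bytes:
    """Turn a BinEdit-style dump line such as
    '1D 08 0057 0001 0000 007F80C0 0000 0000' into firmware bytes.
    A nine-group line (X460 form with its 0000 filler) packs as the X460 layout."""
    groups = [int(g, 16) for g in line.split()]
    if len(groups) == 9:
        del groups[4]                 # the filler halfword is the struct's pad
        return LAYOUT_X460.pack(*groups)
    if len(groups) != 8:
        raise ValueError("expected 8 or 9 hex groups")
    return LAYOUT_STD.pack(*groups)


def describe(insn: MccInsn) -> str:
    name = MNEMONIC.get(insn.p1, f"cmd_{insn.p1:02X}")
    text = f"{name} flow={insn.p2:02X} p3={insn.p3:#06x} p4={insn.p4:#06x} p5={insn.p5:#x}"
    if insn.p6:
        text += f" target/addr={insn.p6:#010x}"
    return text


def decode_script(data: bytes, layout=LAYOUT_STD):
    """Walk consecutive instructions until the data runs out."""
    return [parse_mcc(data, off, layout)
            for off in range(0, len(data) - layout.size + 1, layout.size)]


# Constructed from the three dump lines shown further down this page.
SAMPLE_SCRIPT = b"".join(from_dump(line) for line in (
    "1C 08 0033 0000 0000 00000000 0000 0000",
    "1D 08 0057 0001 0000 007F80C0 0000 0000",
    "1F 00 0000 0000 0000 00804A20 0000 0000",
))

if __name__ == "__main__":
    for insn in decode_script(SAMPLE_SCRIPT):
        print(describe(insn))
```

Running it over a real script region would simply mean slicing the firmware image at the script address and passing the right layout for the phone model; the layout choice is the only model-specific part.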
The principle of organizing functions and passing parameters


The firmware is written in C or C++, which is not so important; the main thing is that it consists of functions, to which parameters are passed and from which results are returned. As a rule, when a function is called, the register LR (R14 in ARM mode) keeps the address of the next processor instruction, i.e. the value of the register PC (R15 in ARM mode). This is done so that the function can return execution to where it came from, which is done by writing the value of LR into PC. The processor's BL instruction performs this operation: an unconditional branch to an address with the return address saved, for example BL 0x12034 is a jump to the function that begins at address 0x12034. It is also possible to write the return address forcibly with a MOV and then jump to the function.
In THUMB mode, 8 registers, R0 to R7, are accessible. If a function uses any of them, then in order not to clobber the data of the function that called it, the register values are saved on the stack. The address of the top of the stack is kept in register SP (R13 in ARM mode); when registers are saved its value decreases by (4 * number of registers), and on restore it increases accordingly. The instructions PUSH (save registers) and POP (restore registers) are used for this. They can save and restore any set of the basic registers; in addition, PUSH can save LR and POP can restore PC. As a rule a function begins by saving LR and ends by restoring PC, for example,
PUSH {R0-R3, R6, LR} - saves registers R0, R1, R2, R3, R6, LR on the stack
POP {R1, R5, PC} - restores R1, R5 and PC from the stack; accordingly the next instruction executed is the one at the address in PC.
Sometimes the register branch BX is used to leave the function. In this case the LR value is restored from the stack into one of the basic registers and a branch to it is made, for example, at the start of the function:
PUSH {R5-R7, LR}
and at the end:
POP {R5-R7}
POP {R3}
BX R3

As was said earlier, in THUMB mode 8 registers are accessible; so what is done when they are not enough? Very simple: the stack is used. In that case the function begins with the instruction SUB SP, SP, XX (SP = SP - XX), where XX is the number of bytes used for temporary variables; because of addressing constraints XX is always a multiple of 4. However, since the processor can carry out logical and arithmetic operations only on the basic registers, using a variable on the stack produces throughout the function's code a large number of accesses at a displacement from the stack pointer:
LDR R0, [SP, #XX] - reading data from the stack before use
STR R0, [SP, #XX] - writing a result into the temporary variable
The stack is not the only method. If large amounts of memory are needed, the so-called HEAP is used. There are functions that allow a memory region to be allocated on demand (alloc): the size of the required block is passed to it in R0, and it returns the address of the available area, also in R0. That region is then used at the function's discretion.
So far the discussion has dealt with the local variables used in a function; alongside them, constants and global variables can be used. Constants can be formed in two ways: by mathematical and logical operations, or by being stored immediately after the function. For example, the number 0x00230000 can be computed like this
MOV R0, 0x23 (R0 = 0x23)
LSL R0, 16 (R0 = R0 << 16, i.e. R0 = R0 * 2^16)
or loaded at a displacement from the current address (PC):
LDR R0, [PC, #XX] (R0 = 0x00230000), where XX is the number of bytes, divided by 4, to the address at which the number 0x00230000 lies.
The first variant occupies 4 bytes in memory, the second 6 bytes; which one is used depends on the compiler's optimizer.
Global variables are addresses in RAM whose meaning is fixed for all functions of the patch. Accessing them takes 2 stages: the constant (the address) is loaded into a register, and then the data is taken at a displacement from that register. For example, using a global variable at 0x0165340:
LDR R1, [PC, #XX] (R1 = 0x0165340) - obtaining the address of the global variable
LDRB R0, [R1] (R0 = the byte at 0x0165340) - reading the byte
ADD R0, 5 (R0 = R0 + 5) - performing the operation on the data, in this case an increase by 5
STRB R0, [R1, #1] (the value of R0 is written to the byte at 0x0165341) - saving the change in the following byte.
The instructions LDR, STR, LDRH and STRH can also be used. The address itself may be changed as well (as a rule this is done when the global variable is a structure or an array); the address may belong not only to RAM but also to the firmware's data region.

Now a little about passing data to a function and returning results. A register-plus-stack scheme is used for passing parameters: the registers are used first, and when they are not enough, the parameters are put on the stack before the function is called. Not all registers are used for passing parameters, as a rule only R0-R3; data is normally not passed through R4-R7, and instead the stack comes into use. For example, to pass 3 parameters to a function the code may look like this:
LDR R1, [R7, #8] (R1 = the value at R7+8)
ADD R2, R4, 6 (R2 = R4 + 6)
MOV R0, 2 (R0 = 2)
BL function (jump to the function's address with the return address saved)
or, if more than 4 parameters are passed, for example 6:
SUB SP, SP, 8 (SP = SP - 8) - reserving room for 2 parameters
MOV R0, 6
STR R0, [SP]
MOV R0, 0x01567884
STR R0, [SP, #4]
MOV R0, 34
MOV R3, 0xFFFF
MOV R2, 0
MOV R1, 1
BL function
ADD SP, SP, 8 - restoring the stack
Accessing variables passed through the stack is done the same way as for local variables on the stack; the only difference is that the displacement exceeds the amount the function reserved for its own internal variables.
Returning data from a function is done mostly through register R0 and the stack. When returning through the stack, more room is reserved before the call than is filled, and the unused space is used for the returned data. Other registers can also be used for returned values.
Everything written above is typical for most functions and firmware, but it depends greatly on the compiler used and its code-optimization settings. For example, if we compare the firmware of the X100 (X600) and the E800, one and the same code, doing logically identical things, occupies considerably less space in the latter because of optimization, and it is harder to understand what it does.

Creating a patch.
Well, after this brief introduction we can try to change something in the patch.
What we will need:
A disassembler (IDA is the best, but as they say, there is no arguing about tastes; I use BinEdit)
A hex editor, or better still a compiler (I have no compiler; I get by with BinEdit's capabilities)
A calculator able to operate on numbers in hex (the Windows calculator in scientific mode works quite well)
The phone firmware we will be digging in (I used X600XEDL2)
A file describing the addresses for that firmware (sym, map, etc.). By a strange coincidence it turned out that there is no suitable sym file for X600XEDL2. Well, we won't stop over such trifles; we will have to find another, similar firmware for which such a file exists. A miracle! Such firmware exists: X10XEWK3.bin and its sym file.
It is also desirable to have a computer as good and fast as possible, so as not to wait for hours while all the possible searches run. I use a Cel 950 on the i815 chipset with 512 MB of memory. It is rather weak by today's standards, but it is what I have.
Statement of the problem.
Everyone who uses Samsung phones of the first Sysol series (E100, X100, X600, X460, E700 and others) knows about the meanness of the Korean developers: having given the phone quite decent hardware, they threw it all down the drain. A monstrous example of this is the presence of a comparatively large amount of memory for melodies, especially at the moment of release, and the absence of a function to assign them to contacts. It is practically impossible to understand the sense of this, but what is done is done. A year ago this was a big problem, discussed on every forum connected in any way with these phones. It all stayed that way until the deeply respected Vadiks corrected the Koreans' insidiousness, writing first "melodies for groups" for X100XEDC2 and then "melodies on ++" for X100XEDG1. It turned out so successful and necessary that many people earned a heap of money on it (a pity my conscience did not allow me to :) ) and even now people from abroad ask to have it made too, but that is another story. There are (were) several omissions in it, for example: when the melody assigned to a contact was deleted, the phone stayed silent as a fish; or, less important but still, the icons for outgoing calls were not displayed correctly; and when the list of melodies was opened from the contact's properties, the default melody was always selected rather than the one already assigned. The first two seem to have been solved satisfactorily; only the third remains. That is what I propose to study here.




Since we will be correcting a flaw in the patch, it must be installed in the firmware before looking for the solution to the problem.
In general, what must be done to create a correction to the firmware (a patch):
find the place in the firmware where the problem occurs
work out what it is responsible for and how it can be corrected
make the necessary corrections and verify the result
share the results with others (although many cannot manage this point :) )
Let us begin with the search for the problem spot. To start, switch on the phone and see what happens. Press the right button and select "Find name"; we land in the phonebook, select a contact to whom a melody was assigned earlier, scroll all the way to the left, and what do we see? The name of the melody is written there. Consequently, when a contact is selected, the melody name is also taken from the contact database. But after pressing Options and opening the list of melodies we see that the default melody is selected. After a little thought we decide that when the menu with the list of melodies is formed, the correct melody is simply not selected. From this we can conclude that the solution must be looked for in the firmware code that forms the menu. So the search area is determined; now the question arises: how to search? Very simple. Practically all the menus in the phone are formed through MCC scripts, so we only need to find this MCC script. Again the question: HOW? That is also simple. There are as many as 3 ways. The first is to go through the firmware with the sym file and work out all the MCC structures; honestly, I do not like this option, it would take more than a day and any desire to make the patch would disappear. I like the second option more. Load the firmware into BinEdit and on the Menu tab start scanning the phone's menu (if you do not know, that is the second button on the tab). Wait anywhere from 10 minutes to forever. As a result we get a tree of the menu items. In the search field type "my sounds" and press Enter; several tries may be needed. There will be several variants. Select the two that have no parent menu and click on the item. On the left, the hex editor opens as

the MCC editor with approximately the following content (for X600XEDI2):
007F8090  1C 08 0033 0000 0000 00000000 0000 0000   Execute 0x8  x2=51 x3=0 x4=0 x5=0 x6=0
007F80A0  1D 08 0057 0001 0000 007F80C0 0000 0000   If x1=8 x2=87 x3=1 then jump to 0x7F80C0
007F80B0  1F 00 0000 0000 0000 00804A20 0000 0000   Otherwise jump to 0x804A20
The second line checks for the presence of melodies in the tfs; if they are present it jumps to address 0x007F80C0, where the code that forms the required menu is located, otherwise it jumps to address 0x00804A20, where the message "empty" is displayed:
The required code:
007F80C0  C8 00 0000 0000 0000 00000000 0000 0000   Prepare the window
007F80D0  8C 00 0000 0000 0000 00000000 0000 0000   Clear the list
007F80E0  2E 0A 0000 004F 004D 00000000 0000 0000   MCC_SKDISPLAY
007F80F0  80 0A 03C7 0000 0000 00000000 0000 0000   Title "my sounds"
007F8100  1C 08 003D 0000 0000 00000000 0000 0000   Execute 0x8  x2=61 x3=0 x4=0 x5=0 x6=0
007F8110  EA 00 0000 0000 0000 007F8180 0000 0000   MCC_LONG_LIST
007F8120  1D 09 0001 000E 0000 007F8180 0000 0000   If x1=9 x2=1 x3=14 then jump to 0x7F8180
007F8130  1E 09 0001 0008 0000 007F8180 0000 0000   Or if x1=9 x2=1 x3=8 then jump to 0x7F8180
007F8140  1E 09 0001 0009 0000 00A43F1C 0000 0000   Or if x1=9 x2=1 x3=9 then jump to 0xA43F1C
007F8150  4D 01 0000 0000 0000 00000000 0000 0000   Return from the menu one level up
Now in order. The first command essentially does nothing; it simply marks the beginning of the menu formation. The second clears the buffer used for the items of a dynamic menu (a menu with an arbitrary number of items). The third does something with the display (perhaps clearing; this was not investigated). The fourth outputs (more precisely, fills the title buffer with) the text at the index given in the third parameter, taken from the string resources: "my sounds". I will skip the fifth for now (it is the one we need). Next comes the assignment of reactions to external actions; more precisely, codes 1D and 1E correspond to the commands MCC_IF and MCC_ELSE, flow 09 is the keyboard event, 0000 or 0001 is the key state (released and pressed), and the fourth parameter holds the key code. Here only 000E (the left key), 0008 (the call button) and 0009 (the on/cancel button) are used; the jump addresses are reassigned for these buttons. The remaining buttons keep their default use and are assigned by the MCC_LONG_LIST command. The last line completes the menu formation.
From the analysis carried out we can conclude that the MCC function responsible for forming the menu with the list of melodies from the tfs is
007F8100  1C 08 003D 0000 0000 00000000 0000 0000   Execute 0x8  x2=61 x3=0 x4=0 x5=0 x6=0
Carrying out the same analysis for the other variants of forming the "my sounds" menu leads to the same result. After all this I forgot to describe the third way of searching for this code. Honestly, it was this one I used when the search was actually carried out. If we recall, before the patch there was no "my sounds" item in the contact's properties; it appeared only after the patch was installed. The conclusion suggests itself: look for the menu formation in the patch's MCC code. In principle, exactly the code described above is there, and the analysis is carried out in the same way. So we have sorted out the MCC function that forms the menu, but how does it all actually work? At the very beginning the principle of the OS kernel's work with MCC code was described, the part about the tables of base functions and their subfunctions. That is, knowing the function code and the subfunction code, we must find the needed code. This can be done in at least 2 ways. The first is to find the table of MCC function addresses on our own, add 0x8*8 to the table's start address and read the entry address of the MCC_TASK function; a calculator may be needed here. Then look at the function's code and, remembering what is passed to it in R0, find the subfunction's address from the table whose address is present in that function. The second way is to use BinEdit: open the MCC tab on the right, find the address of the needed function by its code 08, double-click it, and the hex editor on the right opens at that address; switching it to code view, we get the following picture:
(memory operands in square brackets, lost in the forum copy, are restored here from the opcodes)
000C7E7C  B5F0      PUSH {R4,R5,R6,R7,LR}    Save registers R4,R5,R6,R7,LR
000C7E7E  B0DF      SUB SP, SP, #0x17C       SP = SP - 380
000C7E80  1C07      ADD R7, R0, #0           R7 = R0 + 0
000C7E82  F7DFFE91  BL 000A7BA8              Branch to address 000A7BA8, saving the return address
000C7E86  2801      CMP R0, #0x1             Compare R0 and 1
000C7E88  D101      BNE 000C7E8E             if not equal (not Z) then branch to address 000C7E8E
000C7E8A  2400      MOV R4, #0x0             R4 = 0
000C7E8C  E001      B 000C7E92               Branch to address 000C7E92
000C7E8E  48F4      LDR R0, [PC, #0x3D0]     R0 = value at address (PC + 976) = 0x016F6238
000C7E90  7804      LDRB R4, [R0]            R4 = byte at address R0
000C7E92  887A      LDRH R2, [R7, #2]        R2 = halfword at address R7+2; bits 16-31 are set to 0
000C7E94  4BF3      LDR R3, [PC, #0x3CC]     R3 = value at address (PC + 972) = 0x016F8C12
000C7E96  205A      MOV R0, #0x5A            R0 = 90
000C7E98  2110      MOV R1, #0x10            R1 = 16
000C7E9A  2A91      CMP R2, #0x91            Compare R2 and 145
000C7E9C  4EF2      LDR R6, [PC, #0x3C8]     R6 = value at address (PC + 968) = 0x016E135C
000C7E9E  4DF3      LDR R5, [PC, #0x3CC]     R5 = value at address (PC + 972) = 0x016F8E44
000C7EA0  935E      STR R3, [SP, #0x178]     word at address SP+0x178 = R3
000C7EA2  D203      BCS 000C7EAC             if greater or equal (C) then branch to address 000C7EAC
000C7EA4  A302      ADR R3, PC, #0x8         R3 = PC + #8 = 0xC7EB0
000C7EA6  189B      ADD R3, R3, R2           R3 = R3 + R2
000C7EA8  5A9B      LDRH R3, [R3, R2]        R3 = 16 bits at address R3+R2
000C7EAA  449F      ADD R15(PC), R3          PC = PC + R3
000C7EB0  015E      B 000C800C  (case 0x0)   Branch to address C800C
...
000C7F24  1918      B 000C97C6  (case 0x3A)  Branch to address C97C6
000C7F26  1922      B 000C97D0  (case 0x3B)  Branch to address C97D0
000C7F28  1A66      B 000C9914  (case 0x3C)  Branch to address C9914
000C7F2A  1A9A      B 000C9948  (case 0x3D)  Branch to address C9948
000C7F2C  1B1A      B 000C99C8  (case 0x3E)  Branch to address C99C8
000C7F2E  1B1C      B 000C99CA  (case 0x3F)  Branch to address C99CA
000C7F30  1C7A      B 000C9B28  (case 0x40)  Branch to address C9B28


Let us do a brief analysis, keeping in mind what was said earlier. First of all, this is a function, and at its start registers are saved, most importantly the return address, which is also what tells us a function begins here. In the second line the top of the stack moves by 380 bytes, so that is exactly how much the local variables occupy. In the third line the value of R0 is kept in R7; if we still remember, this is the address of the MCC instruction. Next some function is called without parameters, and its result is then analysed: if the result is true (equal to 1), R4 is set to 0, otherwise R4 becomes the byte at 0x016F6238. Now the most interesting part begins. R2 is assigned the value taken from the address R7+2; in our case this is the third parameter of the MCC command, namely 0x003D. The assignments to R1, R3 and R0 we skip as of little interest at this stage. It is now important to trace how the third parameter is used. What we see from address 0x000C7EB0 is not explicit code, but in its logical essence it corresponds to code. If you open this region in IDA or in BinEdit starting from that address, you get an entirely different picture. The problem is that an attempt is made to disassemble not code but data. What is shown here is an example of a CASE jump (as I call it). For IDA to interpret the data correctly as code, the jump offsets have to be corrected; BinEdit mostly handles this task automatically. What actually happens: the range check, I hope, is clear to everyone, the third parameter cannot be more than 145 (0x91). If it is less, the following machination is performed. The address of the start of the offset table is written into R3,
the value of R2 is added to it twice, and into R3, from the resulting address, the required offset is read. The last step simply changes the current execution address by the amount of the offset, which is equivalent to a B instruction. Well then, let us find which address we must jump to with a third-parameter value of 0x003D. In our case it is 0x000C9948. Let us look at the code at that address.
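The CASE-jump arithmetic just walked through, carried out in Python as an added example (not the author's or BinEdit's code). The instruction addresses, the 0x91 range limit and the table entries are the ones printed in the listing above; entries the listing does not show are simply absent from the sparse table, and the only assumption beyond the page is the THUMB rule that a read of PC yields the current instruction's address plus 4.

```python
"""Resolve the THUMB 'CASE jump' from the listing above (added example):
    CMP  R2, #0x91 ; BCS default     -- range check on the index
    ADR  R3, table ; ADD R3, R3, R2
    LDRH R3, [R3, R2]                -- halfword offset at table + 2*index
    ADD  PC, R3                      -- PC (= address of ADD + 4) + offset
"""

ADD_PC_ADDR = 0x000C7EAA     # the 'ADD PC, R3' instruction in the listing
TABLE_ADDR = 0x000C7EB0      # start of the offset table (ADR R3, PC, #8)
CASE_LIMIT = 0x91            # CMP R2, #0x91 / BCS
DEFAULT_TARGET = 0x000C7EAC  # where BCS goes when the index is out of range

# index -> halfword offset, exactly the rows the listing shows (sparse)
CASE_TABLE = {0x00: 0x015E, 0x3A: 0x1918, 0x3B: 0x1922, 0x3C: 0x1A66,
              0x3D: 0x1A9A, 0x3E: 0x1B1A, 0x3F: 0x1B1C, 0x40: 0x1C7A}


def thumb_pc(insn_addr: int) -> int:
    """In THUMB, reading PC gives the address of the current instruction + 4."""
    return insn_addr + 4


def entry_address(index: int) -> int:
    """ADD R3,R3,R2 followed by LDRH R3,[R3,R2] adds the index twice:
    every table entry is a 2-byte halfword."""
    return TABLE_ADDR + 2 * index


def offset_from_raw(table_bytes: bytes, index: int) -> int:
    """Read entry `index` from a raw little-endian copy of the table, as LDRH does."""
    pos = 2 * index
    if pos + 2 > len(table_bytes):
        raise IndexError(f"entry {index:#x} lies past the end of the supplied table")
    return int.from_bytes(table_bytes[pos:pos + 2], "little")


def resolve_case(index: int, table=CASE_TABLE) -> int:
    """Address execution continues at for a given third parameter (R2).
    BCS is taken for unsigned >=, so 0x91 itself already goes to the default."""
    if index >= CASE_LIMIT:
        return DEFAULT_TARGET
    if index not in table:
        raise KeyError(f"entry {index:#x} at {entry_address(index):#010x} is not on the page")
    # ADD PC, R3: the low bit of a THUMB PC is never part of the address
    return (thumb_pc(ADD_PC_ADDR) + table[index]) & ~1


if __name__ == "__main__":
    # the value from the MCC command 1C 08 003D: third parameter 0x3D
    print(f"case 0x3D -> {resolve_case(0x3D):#010x}")   # expected 0x000c9948
```

The same routine, with a raw slice of the firmware fed to offset_from_raw, is how one would resolve the cases a disassembler refuses to follow when it mistakes this table for code.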

(memory operands in square brackets, lost in the forum copy, are restored here from the opcodes)
000C9948  2100      MOV R1, #0x0             R1 = 0
000C994A  AB5C      ADD R3, SP, #0x170       R3 = SP + #368
000C994C  8019      STRH R1, [R3]            halfword at address R3 = R1
000C994E  2114      MOV R1, #0x14            R1 = 20
000C9950  8059      STRH R1, [R3, #2]        halfword at address R3+2 = R1
000C9952  2180      MOV R1, #0x80            R1 = 128
000C9954  8099      STRH R1, [R3, #4]        halfword at address R3+4 = R1
000C9956  3304      ADD R3, #0x4             R3 = R3 + 4
000C9958  AB5D      ADD R3, SP, #0x174       R3 = SP + #372
000C995A  8058      STRH R0, [R3, #2]        halfword at address R3+2 = R0
000C995C  4C57      LDR R4, [PC, #0x15C]     R4 = value at address (PC + 348) = 0x016580E8
000C995E  2301      MOV R3, #0x1             R3 = 1
000C9960  2200      MOV R2, #0x0             R2 = 0
000C9962  1C20      ADD R0, R4, #0           R0 = R4 + 0
000C9964  A95C      ADD R1, SP, #0x170       R1 = SP + #368
000C9966  F7E8F81D  BL 000B19A4              Branch to address 000B19A4, saving the return address
000C996A  88B8      LDRH R0, [R7, #4]        R0 = halfword at address R7+4; bits 16-31 are set to 0
000C996C  4F54      LDR R7, [PC, #0x150]     R7 = value at address (PC + 336) = 0x016581B0
000C996E  2800      CMP R0, #0x0             Compare R0 and 0
000C9970  D018      BEQ 000C99A4             if equal (Z) then branch to address 000C99A4
000C9972  2801      CMP R0, #0x1             Compare R0 and 1
000C9974  D115      BNE 000C99A2             if not equal (not Z) then branch to address 000C99A2
000C9976  4853      LDR R0, [PC, #0x14C]     R0 = value at address (PC + 332) = 0x016E1388
000C9978  F00CFC88  BL 000D628C              Branch to address 000D628C, saving the return address
000C997C  883A      LDRH R2, [R7]            R2 = halfword at address R7; bits 16-31 are set to 0
000C997E  4935      LDR R1, [PC, #0xD4]      R1 = value at address (PC + 212) = 0x016E0F08
000C9980  9000      STR R0, [SP]             word at address SP = R0
000C9982  4F51      LDR R7, [PC, #0x144]     R7 = value at address (PC + 324) = 0x016E0F10
000C9984  9201      STR R2, [SP, #4]         word at address SP+4 = R2
000C9986  8808      LDRH R0, [R1]            R0 = halfword at address R1; bits 16-31 are set to 0
000C9988  8839      LDRH R1, [R7]            R1 = halfword at address R7; bits 16-31 are set to 0
000C998A  1840      ADD R0, R0, R1           R0 = R0 + R1
000C998C  0403      LSL R3, R0, 16           R3 = R0 << 16
000C998E  0C1B      LSR R3, R3, 16           R3 = R3 >> 16
000C9990  2200      MOV R2, #0x0             R2 = 0
000C9992  2103      MOV R1, #0x3             R1 = 3
000C9994  1C20      ADD R0, R4, #0           R0 = R4 + 0
000C9996  F7E7FFCF  BL 000B1938              Branch to address 000B1938, saving the return address
000C999A  F00CF96D  BL 000D5C78              Branch to address 000D5C78, saving the return address
000C999E  494B      LDR R1, [PC, #0x12C]     R1 = value at address (PC + 300) = 0x016E13BC
000C99A0  8008      STRH R0, [R1]            halfword at address R1 = R0
000C99A2  E141      B 000C9C28               Branch to address 000C9C28
000C99A4  883A      LDRH R2, [R7]            R2 = halfword at address R7; bits 16-31 are set to 0
000C99A6  4F29      LDR R7, [PC, #0xA4]      R7 = value at address (PC + 164) = 0x016E1360
000C99A8  8839      LDRH R1, [R7]            R1 = halfword at address R7; bits 16-31 are set to 0
000C99AA  9201      STR R2, [SP, #4]         word at address SP+4 = R2
000C99AC  4F46      LDR R7, [PC, #0x118]     R7 = value at address (PC + 280) = 0x016E0F10
000C99AE  9100      STR R1, [SP]             word at address SP = R1
000C99B0  4928      LDR R1, [PC, #0xA0]      R1 = value at address (PC + 160) = 0x016E0F08
000C99B2  8808      LDRH R0, [R1]            R0 = halfword at address R1; bits 16-31 are set to 0
000C99B4  8839      LDRH R1, [R7]            R1 = halfword at address R7; bits 16-31 are set to 0
000C99B6  1840      ADD R0, R0, R1           R0 = R0 + R1
000C99B8  0403      LSL R3, R0, 16           R3 = R0 << 16
000C99BA  0C1B      LSR R3, R3, 16           R3 = R3 >> 16
000C99BC  2200      MOV R2, #0x0             R2 = 0
000C99BE  2103      MOV R1, #0x3             R1 = 3
000C99C0  1C20      ADD R0, R4, #0           R0 = R4 + 0
000C99C2  F7E7FFB9  BL 000B1938              Branch to address 000B1938, saving the return address
000C99C6  E7EC      B 000C99A2               Branch to address 000C99A2
000C99C8  E12E      B 000C9C28               Branch to address 000C9C28
000C99CA  E12D      B 000C9C28               Branch to address 000C9C28


Inwardly we feel that this is it, but it is all so incomprehensible, just numbers. What? Why? What for? My head is spinning and it is dark outside the window.
Let us try to sort it out.
Here it helps to know what this resembles. In this situation only one thing can cheer us up: a file with the address descriptions for the firmware, or, as in our case, another firmware that has such a description. For IDA, if you have not already done so, try to attach through FLIRT the signatures that Hex kindly provided; if you have an old version of IDA this trick will not work, and you need to load X10XEWK3 and attach its sym file. If you use BinEdit and have not yet adapted a sym file to your firmware, open the attached firmware and load the patch mentioned above into it. After loading, open the Signatures tab on the right and with the leftmost button on the tab load the appropriate sym file.
We also find MCC_TASK 08, and through the CASE jump the analogous code is found; there we obtain something similar.
000C3D08 2200      MOV R2, #0x0          R2 = 0
000C3D0A AB5B      ADD R3, SP, #0x16C    R3 = SP + #364
000C3D0C 801A      STRH R2,      word at address = R2
000C3D0E 2214      MOV R2, #0x14         R2 = 20
000C3D10 805A      STRH R2,      word at address = R2
000C3D12 8098      STRH R0,      word at address = R0
000C3D14 3304      ADD R3, #0x4          R3 = R3 + 4
000C3D16 AB5C      ADD R3, SP, #0x170    R3 = SP + #368
000C3D18 8059      STRH R1,      word at address = R1
000C3D1A 4C9D      LDR R4,       R4 = value at address (PC + 628) = DspLongList (0x01655F50)
000C3D1C 2301      MOV R3, #0x1          R3 = 1
000C3D1E 2200      MOV R2, #0x0          R2 = 0
000C3D20 1C20      ADD R0, R4, #0        R0 = R4 + 0
000C3D22 A95B      ADD R1, SP, #0x16C    R1 = SP + #364
000C3D24 F7E8FCB2  BL lk_SetLongListExtInfo    Call \ address 000AC68C
000C3D28 88B8      LDRH R0,      R0 = word at address; bits 16-31 are set to 0

Only the initial fragment is given here for brevity, but it is already evident that the code is very similar. Let us create the address descriptions for our firmware, X600XEDL2 if memory serves. Let us compare the lines highlighted in the previous fragments. From them it is evident that address 0x016580E8 corresponds to address (0x01655F50) and the name DspLongList; analogously, the function at address 0x000B19A4 corresponds to the name lk_SetLongListExtInfo. To create our table, open the signature tab. In the first field enter the address, in the next field the name, and press the SET button (the little red one); the address should appear in the list, and if we now refresh the code tab on the left we can see the changes. After doing the same for all corresponding addresses, let us save everything done into a sig or sym file for possible later use. Saving in sig format is better, since in this format one can also save descriptions of the functions, for example which registers are used and for what, and one can also create signatures for the automatic search for equivalents in other firmwares. Let us look at what came out:
000C9948 2100      MOV R1, #0x0          R1 = 0
000C994A AB5C      ADD R3, SP, #0x170    R3 = SP + #368
000C994C 8019      STRH R1,      word at address = R1
some local variable is assigned the value 0
000C994E 2114      MOV R1, #0x14         R1 = 20
000C9950 8059      STRH R1,      word at address = R1
some local variable is assigned the value 20
000C9952 2180      MOV R1, #0x80         R1 = 128
000C9954 8099      STRH R1,      word at address = R1
some local variable is assigned the value 128
000C9956 3304      ADD R3, #0x4          R3 = R3 + 4
000C9958 AB5D      ADD R3, SP, #0x174    R3 = SP + #372
these two lines lead to the same result; an obvious compiler glitch
000C995A 8058      STRH R0,      word at address = R0
some local variable is assigned the value from R0; what exactly can be found out by analyzing the beginning of the function again. If you are too lazy to look yourself, it is 90, and all these values strongly resemble the geometric dimensions of the area where the menu items are drawn. The conclusions suggest themselves.

000C995C 4C57      LDR R4,       R4 = value at address (PC + 348) = DspLongList (0x016580E8)
000C995E 2301      MOV R3, #0x1          R3 = 1
000C9960 2200      MOV R2, #0x0          R2 = 0
000C9962 1C20      ADD R0, R4, #0        R0 = R4 + 0
000C9964 A95C      ADD R1, SP, #0x170    R1 = SP + #368
000C9996 F7E7FFCF  BL lk_PutLongList     Call: set item in list, R0 - item number \ address 000B1938

Again a typical example of a function call, but in this case there are more than 4 parameters. From the function name it is not hard to guess that an item is being set in the menu list, which is exactly what needs fixing. That is, we need to pass the required item number to the function.
From the code it is clear that the value from R0 is written to the stack at offset 0, and as far as we remember, the previous function returned the melody index precisely in R0. At offset 4 the value of R2 is written, which is the index of the first displayed item. Then the counts of melodies and MMS melodies are loaded into R0 and R1, and after addition they are written into R3. The shifts are used to zero the upper 2 bytes of register R3.
Registers R2 and R1 are assigned the values 0 and 3 respectively; their purpose can only be determined by analyzing the lk_PutLongList function itself, but in this case that will most likely not be needed. The start of the list buffer is written into R0.
000C999A F00CF96D  BL Mbox_IsUseAsRingtone   Call \ address 000D5C78
000C999E 494B      LDR R1,       R1 = value at address (PC + 300) = gv_MboxMelodyRingtoneIdx (0x016E13BC)
000C99A0 8008      STRH R0,      word at address = R0
Judging by the name, this is a check function; based on its result the value of the global variable gv_MboxMelodyRingtoneIdx is set.
000C99A2 E141      B 000C9C28            Jump to address 000C9C28
End of handling for parameter 1 and start of handling for parameter 0
000C99A4 883A      LDRH R2,      R2 = word at address; bits 16-31 are set to 0
000C99A6 4F29      LDR R7,       R7 = value at address (PC + 164) = gv_MboxMelIndex (0x016E1360)
000C99A8 8839      LDRH R1,      R1 = word at address; bits 16-31 are set to 0
000C99AA 9201      STR R2,       word at address = R2
000C99AC 4F46      LDR R7,       R7 = value at address (PC + 280) = gv_NbMMSMelody (0x016E0F10)
000C99AE 9100      STR R1,       word at address = R1
000C99B0 4928      LDR R1,       R1 = value at address (PC + 160) = gv_NbMelody (0x016E0F08)
000C99B2 8808      LDRH R0,      R0 = word at address; bits 16-31 are set to 0
000C99B4 8839      LDRH R1,      R1 = word at address; bits 16-31 are set to 0
000C99B6 1840      ADD R0, R0, R1        R0 = R0 + R1
000C99B8 0403      LSL R3, R0, 16        R3 = R0 << 16
000C99BA 0C1B      LSR R3, R3, 16        R3 = R3 >> 16
000C99BC 2200      MOV R2, #0x0          R2 = 0
000C99BE 2103      MOV R1, #0x3          R1 = 3
000C99C0 1C20      ADD R0, R4, #0        R0 = R4 + 0
000C99C2 F7E7FFB9  BL lk_PutLongList     Call: set item in list, R0 - item number \ address 000B1938
Apart from the use of different registers, functionally we see the same function call, only the value of the global variable gv_MboxMelIndex is passed as the melody index; as is not hard to guess, this is the default melody index. It is exactly this variant of the menu that is used.
000C99C6 E7EC      B 000C99A2            Jump to address 000C99A2
000C99C8 E12E      B 000C9C28            Jump to address 000C9C28
In principle we have found and analyzed the place where the correction needs to be made (or maybe does not need to be). Further I will propose a couple of variants for correcting the situation and one of the solutions. Perhaps it can be done even better. I would not mind seeing other solutions.
It is clear to anyone that we need to pass the item we need to the lk_PutLongList function, but what its number is and how best to fix it: fix it here, or write our own analogous function? There are always many variants, few good ones, one optimal one, and a different one for everyone :). To begin with, I will exclude the variant of writing my own function. First of all, at the beginning of the sub-function, before the CASE jump, there were also some assignments; and if we look at the code, maybe not immediately, but it is striking how non-optimally it is written. The same thing is repeated 2 times. The desire arises to compute the index according to the 4th parameter and then use a single call to set the index for all variants. I persuaded myself to fix up what is there and to add the value 2 for the 4th parameter for selecting the subscriber's melody.
Now we need to find out where to get this index from. Recall that the melody name was displayed in the subscriber's properties before the melody assignment was started. Looking at this output you will stumble upon Vadiks-A's code and see that when the subscriber data is loaded the melody name is kept at 0x017FEEBC. But ga_MboxChangeName also holds the melody name. That means this code can be duplicated, only using 0x017FEEBC instead of ga_MboxChangeName.

One of the solutions
We have worked out the method of solving the problem; now we need to think about how to implement all this.
I am not going to write here about how to write algorithms; there are people who do it better than me. But here we can talk about the means. The simplest solution would be to write the code in any ARM assembler you like, get the finished code after compilation, and fix the fourth parameter in the calls from 0 to 2. But what to do if there is no such compiler, as in my case for example? It is not yet done in binedit, although it is planned. Everything has to be done by hand. The idea is basically simple: an empty block is created with the addresses it must replace, and the necessary commands are entered by entering the hex code. You will ask how to determine which codes to enter? You look at the code, search for the needed commands and take the code apart. The only codes that cannot be found this way are jumps and data loads. For data everything is simple: the first byte determines the load mode and the register (it can be taken from other similar instructions), the second byte is the displacement to the data divided by 4, i.e. we determine it by a simple calculation: (data address - command address) divided by 4. After the update we check that everything is correct; if not, we increase or decrease the value of the second byte by 1. To find the code of jumps you can use the jump calculator in binedit. There you need to enter the instruction address, the command and the jump address; as a result the hex instruction code is obtained.
One more problem that may arise is where to store the address 0x017FEEBC. You can try to squeeze it in right there, if there is free space, as in this case. Or you can resort to a trick, as I did. The fact is that in the functions, besides the strictly useful code, there is so-called service code, which in principle can be removed entirely without degrading functionality. As a rule this is debug output. It looks roughly like this: a function is called whose result is a boolean value. If true, a debug string is formed and output to the external interface (the phone's COM2). By default the debug output is disabled, and the area occupied by this code can be used at your discretion. You can also shorten the formed string and quietly place your data there. That is what was done.

This is what came out:
000C996A 88B8      LDRH R0,      R0 = word at address; bits 16-31 are set to 0
000C996C 2800      CMP R0, #0x0          Compare R0 with 0
000C996E D102      BNE 000C9976          if not equal (not Z) then jump to address 000C9976
000C9970 4936      LDR R1,       R1 = value at address (PC + 216) = gv_MboxMelIndex (0x016E1360)
000C9972 8808      LDRH R0,      R0 = word at address; bits 16-31 are set to 0
000C9974 E013      B 000C999E            Jump to address 000C999E
000C9976 2801      CMP R0, #0x1          Compare R0 with 1
000C9978 D101      BNE 000C997E          if not equal (not Z) then jump to address 000C997E
000C997A 4852      LDR R0,       R0 = value at address (PC + 328) = ga_MboxChangeName (0x016E1388)
000C997C E002      B 000C9984            Jump to address 000C9984
000C997E 2802      CMP R0, #0x2          Compare R0 with 2
000C9980 D122      BNE 000C99C8          if not equal (not Z) then jump to address 000C99C8
000C9982 484D      LDR R0,       R0 = value at address (PC + 308) = 0x017FEEBC
000C9984 F00CFC82  BL Mbox_GetMelodyNameIndex    Call \ address 000D628C
000C9988 E009      B 000C999E            Jump to address 000C999E
000C998A 0000      LSL R0, R0, 0         R0 = R0 << 0
000C998C 0000      LSL R0, R0, 0         R0 = R0 << 0
000C998E 0000      LSL R0, R0, 0         R0 = R0 << 0
000C9990 0000      LSL R0, R0, 0         R0 = R0 << 0
000C9992 0000      LSL R0, R0, 0         R0 = R0 << 0
000C9994 0000      LSL R0, R0, 0         R0 = R0 << 0
000C9996 0000      LSL R0, R0, 0         R0 = R0 << 0
000C9998 0000      LSL R0, R0, 0         R0 = R0 << 0
000C999A 0000      LSL R0, R0, 0         R0 = R0 << 0
000C999C 0000      LSL R0, R0, 0         R0 = R0 << 0
000C999E 9000      STR R0,       word at address = R0
000C99A0 4847      LDR R0,       R0 = value at address (PC + 284) = MboxMelodyFirstDspList (0x016581B0)
000C99A2 8808      LDRH R0,      R0 = word at address; bits 16-31 are set to 0
000C99A4 9001      STR R0,       word at address = R0
000C99A6 482B      LDR R0,       R0 = value at address (PC + 172) = gv_NbMelody (0x016E0F08)
000C99A8 4947      LDR R1,       R1 = value at address (PC + 284) = gv_NbMMSMelody (0x016E0F10)
000C99AA 1840      ADD R0, R0, R1        R0 = R0 + R1
000C99AC 0403      LSL R3, R0, 16        R3 = R0 << 16
000C99AE 0C1B      LSR R3, R3, 16        R3 = R3 >> 16
000C99B0 2200      MOV R2, #0x0          R2 = 0
000C99B2 2103      MOV R1, #0x3          R1 = 3
000C99B4 1C20      ADD R0, R4, #0        R0 = R4 + 0
000C99B6 F7E7FFBF  BL lk_PutLongList     Call: set item in list, R0 - item number \ address 000B1938
000C99BA 88B9      LDRH R1,      R1 = word at address; bits 16-31 are set to 0
000C99BC 2901      CMP R1, #0x1          Compare R1 with 1
000C99BE D103      BNE 000C99C8          if not equal (not Z) then jump to address 000C99C8
000C99C0 F00CF95A  BL Mbox_IsUseAsRingtone   Call \ address 000D5C78
000C99C4 4941      LDR R1,       R1 = value at address (PC + 260) = gv_MboxMelodyRingtoneIdx (0x016E13BC)
000C99C6 8008      STRH R0,      word at address = R0
As can be seen, some free space still remains, which can also be used for other values of the fourth parameter.
Conclusion
Writing the fix variant took 4 hours, writing this opus took 2 evenings; conclusion: doing it is simpler.
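The "One of the solutions" section above gives the hand-encoding rule for PC-relative data loads (load mode and register in the first byte, displacement divided by 4 in the second byte, corrected by 1 if the result is off) and refers to binedit's jump calculator for branches. As an added example, not code from the original post or from binedit, the following Python script encodes the Thumb-1 LDR literal, B, B<cond> and BL instructions directly from their addresses, and re-encodes branches taken from the listings above to confirm that the computed halfwords match. The function names are the example's own; the literal-pool addresses used for the LDR demonstration are constructed from the "(PC + n)" annotations in the listing rather than read from a firmware image.

```python
# Added example: hand-encoding the Thumb-1 instructions that the post says
# cannot be copied from elsewhere in the firmware (PC-relative loads and
# branches). Not code from the original post or from binedit; the function
# names are this example's own. Encodings follow the ARM Thumb-1 formats.

COND = {"EQ": 0, "NE": 1, "CS": 2, "CC": 3, "MI": 4, "PL": 5, "VS": 6,
        "VC": 7, "HI": 8, "LS": 9, "GE": 10, "LT": 11, "GT": 12, "LE": 13}


def encode_ldr_literal(rt, insn_addr, literal_addr):
    """LDR Rt, [PC, #imm8*4]: 0x48 | Rt in the high byte, offset/4 in the low byte.
    The core reads PC as (insn_addr + 4) rounded down to a multiple of 4, which is
    why the post's 'data address minus command address, divided by 4' estimate is
    sometimes one off and has to be corrected by hand."""
    if not 0 <= rt <= 7:
        raise ValueError("LDR literal can only target R0-R7")
    if literal_addr & 3:
        raise ValueError("literal pool entry must be 4-byte aligned")
    pc = (insn_addr + 4) & ~3
    delta = literal_addr - pc
    if not 0 <= delta <= 0x3FC:
        raise ValueError("literal must lie 0..1020 bytes ahead of PC")
    return 0x4800 | (rt << 8) | (delta >> 2)


def _halfword_offset(insn_addr, target, bits):
    """Signed branch offset in halfwords, relative to insn_addr + 4, returned as
    a two's-complement field of `bits` bits (raises if out of range)."""
    delta = target - (insn_addr + 4)
    if delta & 1:
        raise ValueError("branch target must be halfword aligned")
    half = delta >> 1
    lim = 1 << (bits - 1)
    if not -lim <= half < lim:
        raise ValueError("branch target out of range for this encoding")
    return half & ((1 << bits) - 1)


def encode_b(insn_addr, target):
    """B <target>: 0xE000 | imm11, reach -2048..+2046 bytes."""
    return 0xE000 | _halfword_offset(insn_addr, target, 11)


def encode_bcond(cond, insn_addr, target):
    """B<cond> <target>: 0xD000 | cond << 8 | imm8, reach -256..+254 bytes."""
    return 0xD000 | (COND[cond] << 8) | _halfword_offset(insn_addr, target, 8)


def encode_bl(insn_addr, target):
    """BL <target> as the Thumb-1 halfword pair: the 22-bit halfword offset is
    split, upper 11 bits into 0xF000|hi and lower 11 bits into 0xF800|lo."""
    off = _halfword_offset(insn_addr, target, 22)
    return 0xF000 | (off >> 11), 0xF800 | (off & 0x7FF)


def _sign_extend(value, bits):
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def decode_b(insn_addr, halfword):
    """Target of an unconditional B halfword at insn_addr (the reverse direction
    of the jump calculator, handy when reading a listing)."""
    if halfword & 0xF800 != 0xE000:
        raise ValueError("not a B instruction")
    return insn_addr + 4 + 2 * _sign_extend(halfword & 0x7FF, 11)


def decode_bl(insn_addr, hi, lo):
    """Target of a BL halfword pair at insn_addr."""
    if hi & 0xF800 != 0xF000 or lo & 0xF800 != 0xF800:
        raise ValueError("not a BL halfword pair")
    off = ((hi & 0x7FF) << 11) | (lo & 0x7FF)
    return insn_addr + 4 + 2 * _sign_extend(off, 22)


# Branches copied from the listings in the post: (address, halfwords, target).
LISTING_BRANCHES = [
    (0x000C99C6, (0xE7EC,), 0x000C99A2),           # B 000C99A2
    (0x000C99C8, (0xE12E,), 0x000C9C28),           # B 000C9C28
    (0x000C9974, (0xE013,), 0x000C999E),           # B 000C999E
    (0x000C9980, (0xD122,), 0x000C99C8),           # BNE 000C99C8
    (0x000C99C2, (0xF7E7, 0xFFB9), 0x000B1938),    # BL lk_PutLongList
    (0x000C99C0, (0xF00C, 0xF95A), 0x000D5C78),    # BL Mbox_IsUseAsRingtone
    (0x000C3D24, (0xF7E8, 0xFCB2), 0x000AC68C),    # BL lk_SetLongListExtInfo
]


def check_listing():
    """Re-encode every branch above and return the mismatches as
    (address, expected halfwords, computed halfwords); empty means all match."""
    bad = []
    for addr, words, target in LISTING_BRANCHES:
        if len(words) == 2:
            got = encode_bl(addr, target)
        elif words[0] & 0xF000 == 0xD000:
            got = (encode_bcond("NE", addr, target),)   # only BNE occurs above
        else:
            got = (encode_b(addr, target),)
        if got != words:
            bad.append((addr, words, got))
    return bad


if __name__ == "__main__":
    print("listing mismatches:", check_listing())
    # LDR R7 at 000C99AC with the literal 280 bytes past PC, as annotated above
    print("LDR R7 literal -> %04X" % encode_ldr_literal(7, 0x000C99AC, 0x000C9AC8))
```

The range checks matter when patching by hand: a B that ends up outside its 2 KiB reach or a BL whose target is on the wrong side of 4 MiB silently encodes to a different address if you only mask the bits, which is the kind of error the post's "check that everything is correct" step is meant to catch.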

skaarj posted on 2006-7-23 19:02:23

Not reading it yet, bumping it first.

faterpan posted on 2006-7-23 21:49:15

Is there a Chinese version?

Dong posted on 2006-8-21 20:58:00

Good stuff, but I can't read English...

magicalgun posted on 2006-8-21 23:16:29

Oh~~~~ so that's how it is~~

chaojimali20 posted on 2006-8-23 12:03:04

This post was written for Samsung firmware; of course, there are things Siemens users can borrow from it too!

The original is in Russian; there is no English version, heh. The OP must have translated it with an online tool; because of the differences between the languages, plus the limitations of translation tools, it is very tiring to read (even if your English is very good), heh! But it is a good article after all! Thanks.

chaojimali20 posted on 2006-8-23 16:44:29

In the second line it should not be written as “structure of the patch”; the whole text describes the structure of the firmware (firmware or flash).