VxWorks image ... repacking, anyone interested in helping or taking on the job?


rebible
May 4th, 2012, 17:56
I am ideally looking for someone who would be interested in working on reverse engineering a vxworks image.

I am doing something similar to what is described at:
http://www.woodmann.com/forum/archive/index.php/t-11707.html

It is a VxWorks binary flash image running on a PowerPC. I have a ROM dump (binary); I dumped 4 MB, which seems to be everything (it works if reloaded; I don't know what the real code size is). The application is about 645 kB.

I would like to be able to extract the application binary, make modifications, and then re-pack it back into the image.

I have gotten as far as using Dezee and extracting the actual running binary, but I haven't gone beyond that.

I have a second ROM image (there are two embedded boards), so we can use it to see what is consistent as far as headers and CRCs, if necessary.

What I would like someone to do, in order of importance:

1: Give me a way to repack the binary image into the flash (zip, CRC, put back in, e.g. a 'Rezee').
Possibly integrate Dezee and the new 'Rezee' into a Windows app for convenience.

The trick is that there is probably a CRC stored with the image in the ROM, and we will have to find it.


2: Help me figure out the addresses of the running image. If worst comes to worst, I can just put a call to the embedded monitor/debugger as the first step of the program and see where things are when it starts to run.



Additional resources:
I have a copy of a VxWorks BSP package for the hardware (not necessarily the same version).

The target hardware has a real-time debugger. Unfortunately, the board configuration is "either the debugger" or "the application flash". The debugger runs out of its own flash, and I haven't been able to debug and watch it load the application from flash into memory.

I have real-time debugger disassembler output of the start of the code.
I know where the boot code is located in flash, and I have initial memory maps for the board.

thanks,
robert
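
Finding the stored CRC the post asks about is a search problem: guess which span of the image the CRC word covers, compute CRC-32 over it, and look for a 32-bit word (in either byte order) that matches. The script below is an added example and is not code from this thread, from Dezee, or from any VxWorks tool. Its image layout is a constructed stand-in (a 16-byte header holding a magic, the header length, the compressed payload length and a CRC-32 over the zlib payload); the real image has a BSP-specific header, so only the search and the fix-up step carry over. Function names, the magic and the field offsets are assumptions for the sample.

```python
"""Find the CRC-32 that guards a firmware image, then rebuild it after a patch.

Added example: not code from the thread, Dezee or any VxWorks tool. The image
layout used for the sample is a constructed stand-in (16-byte header: magic,
header length, compressed length, CRC-32 of the zlib payload); a real image
has a BSP-specific header, so only the search technique carries over.
"""
import struct
import zlib

HDR = struct.Struct(">4sIII")   # big-endian, as PowerPC firmware usually is
MAGIC = b"IMG!"                 # assumed magic for the constructed sample


def build_sample_image(payload: bytes) -> bytes:
    """Constructed sample: header + zlib stream, CRC-32 over the compressed bytes."""
    comp = zlib.compress(payload)
    return HDR.pack(MAGIC, HDR.size, len(comp), zlib.crc32(comp)) + comp


def candidate_regions(image: bytes, header_window: int = 64) -> set:
    """Byte spans a stored CRC could plausibly cover.

    Every 32-bit word in the first `header_window` bytes that could be an
    offset or a length (either byte order) is tried as a span bound, because
    image headers normally carry the payload length next to the CRC.
    """
    n = len(image)
    spans = set()
    for off in range(0, min(header_window, n - 3), 4):
        for endian in "><":
            (v,) = struct.unpack(endian + "I", image[off:off + 4])
            if not 0 < v <= n:
                continue
            spans.add((0, v))          # v is an end offset / total length
            spans.add((v, n))          # v is a start offset
            for hdr in (8, 16, 32, 64):
                if hdr + v <= n:
                    spans.add((hdr, hdr + v))   # v is the payload length after a header
    return spans


def find_crc32_fields(image: bytes, edge: int = 256) -> list:
    """Return (word_offset, endianness, start, end) for each 32-bit word in the
    first/last `edge` bytes that equals the CRC-32 of a candidate span."""
    n = len(image)
    span_crc = {span: zlib.crc32(image[span[0]:span[1]]) for span in candidate_regions(image)}
    offsets = set(range(0, min(edge, n - 3), 4)) | set(range(max(0, n - edge) & ~3, n - 3, 4))
    hits = set()
    for off in sorted(offsets):
        spans = dict(span_crc)
        spans[(0, off)] = zlib.crc32(image[:off])          # everything before the word
        spans[(off + 4, n)] = zlib.crc32(image[off + 4:])  # everything after the word
        for endian in "><":
            (w,) = struct.unpack(endian + "I", image[off:off + 4])
            for (a, b), crc in spans.items():
                # a span of a few bytes is noise, and a CRC cannot cover itself
                if b - a >= 4 and not a <= off < b and crc == w:
                    hits.add((off, endian, a, b))
    return sorted(hits)


def repack(image: bytes, new_payload: bytes, hdr_len: int, len_off: int,
           crc_off: int, endian: str = ">") -> bytes:
    """Re-compress a modified payload and fix the length and CRC words found above."""
    comp = zlib.compress(new_payload)
    hdr = bytearray(image[:hdr_len])
    struct.pack_into(endian + "I", hdr, len_off, len(comp))
    struct.pack_into(endian + "I", hdr, crc_off, zlib.crc32(comp))
    return bytes(hdr) + comp


def extract(image: bytes, hdr_len: int, len_off: int, endian: str = ">") -> bytes:
    """Inverse of repack: decompress the payload named by the header length word."""
    (length,) = struct.unpack_from(endian + "I", image, len_off)
    return zlib.decompress(image[hdr_len:hdr_len + length])


if __name__ == "__main__":
    original = b"VxWorks application image\n" * 500 + bytes(range(256)) * 8  # constructed
    img = build_sample_image(original)
    for off, endian, a, b in find_crc32_fields(img):
        print(f"CRC-32 word at {off:#x} ({'BE' if endian == '>' else 'LE'}) covers [{a:#x}, {b:#x})")
    patched = repack(img, original.replace(b"image", b"patch"), 16, 8, 12)
    assert extract(patched, 16, 8) == original.replace(b"image", b"patch")
```

On a real dump, run `find_crc32_fields` on both boards' images: a true CRC word shows up at the same offset in both, covering a span bounded by the same header fields, while coincidental matches differ. If nothing matches, the checksum is not plain CRC-32 (an additive sum, a CRC with a different polynomial or initial value, or a CRC seeded from a header field), and the bootloader's verify routine, which the post notes is reachable from the known boot-code location, is the place to read the exact algorithm.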

gerbay
May 5th, 2012, 14:10
http://www.devttys0.com/2011/07/reverse-engineering-vxworks-firmware-wrt54gv8/

rebible
May 5th, 2012, 14:43
Quote (originally posted by gerbay): http://www.devttys0.com/2011/07/reverse-engineering-vxworks-firmware-wrt54gv8/


thanks,
I found that this morning. Still looking for someone interested in either taking on the project or helping out.

robert

rebible
May 5th, 2012, 18:10
I ran the strings program on the extracted image. I could use some suggestions on how to find the offsets so that IDA or REC can make some sense of the code. I decided to start with the extracted code before I got too tied up with getting it back into the bootloader.


Here it is and the code image too.

gerbay
May 8th, 2012, 15:37
Info:

Your board is an MCP750 PPC board. You could find the MCP750 VxWorks BSP.

I changed your filename to "trdump.img.0.bin" and loaded it into IDA.

I changed the processor to PPC.

I created a ROM segment, start: 0x00000000, end: 0x000A052C.

I created a RAM segment, start: 0x00100000, end: 0x00800000.

Then I pressed "C" to change the undefined data bytes to code.

Your firmware code looks like this:

Code:

ROM:00000000 # Segment type: Pure code
ROM:00000000 .section "ROM"
ROM:00000000 94 21 FF F8 stwu r1, -8(r1)
ROM:00000004 7C 08 02 A6 mflr r0
ROM:00000008 90 01 00 0C stw r0, 0xC(r1)
ROM:0000000C 48 00 6B 85 bl sub_6B90
ROM:00000010 80 01 00 0C lwz r0, 0xC(r1)
ROM:00000014 7C 08 03 A6 mtlr r0
ROM:00000018 38 21 00 08 addi r1, r1, 8
ROM:0000001C 4E 80 00 20 blr
ROM:00000020 # ---------------------------------------------------------------------------
ROM:00000020 /* disable external interrupts */
ROM:00000020
ROM:00000020 sysInit:
ROM:00000020 7C 63 1A 78 xor r3, r3, r3
ROM:00000024 7C 60 01 24 mtmsr r3 # /* disable external interrupts */
ROM:00000028 /* Zero-out registers: r0 & SPRGs */
ROM:00000028 7C 00 02 78 xor r0, r0, r0
ROM:0000002C 7C 10 43 A6 mtsprg0 r0
ROM:00000030 7C 11 43 A6 mtsprg1 r0
ROM:00000034 7C 12 43 A6 mtsprg2 r0
ROM:00000038 7C 13 43 A6 mtsprg3 r0
ROM:0000003C /*
ROM:0000003C * Set MPU/MSR to a known state
ROM:0000003C * Turn on FP
ROM:0000003C */
ROM:0000003C 70 63 00 00 andi. r3, r3, 0
ROM:00000040 60 63 20 00 ori r3, r3, 0x2000
ROM:00000044 7C 00 04 AC sync
ROM:00000048 7C 60 01 24 mtmsr r3
ROM:0000004C 4C 00 01 2C isync
ROM:00000050 /* Init the floating point control/status register */
ROM:00000050 FF 80 01 0C mtfsfi 7, 0
ROM:00000054
ROM:00000054 loc_54: # DATA XREF: sub_7C+2E8o
ROM:00000054 # sub_7C+2ECo ...
ROM:00000054 FF 00 01 0C mtfsfi 6, 0
ROM:00000058 FE 80 01 0C mtfsfi 5, 0
ROM:0000005C FE 00 01 0C mtfsfi 4, 0
ROM:00000060 FD 80 01 0C mtfsfi 3, 0
ROM:00000064 FD 00 01 0C mtfsfi 2, 0
ROM:00000068 FC 80 01 0C mtfsfi 1, 0
ROM:0000006C FC 00 01 0C mtfsfi 0, 0
...


I added some extra comments.

I labeled the "sysInit" function, which is in the "sysALib.s" BSP file.

Maybe this info is helpful for you.

I'm sorry for my bad English.
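
The question of where the extracted image actually runs (rebible's "how to find the offsets" post, and the ROM/RAM segment addresses gerbay chose in IDA) can be answered from the code itself before touching the hardware monitor. Big-endian PowerPC builds a 32-bit absolute address as `lis rD, addr@ha` followed by `addi rD, rD, addr@l` (or `ori rD, rD, addr@l`, or a load/store using `addr@l` as the displacement), so every such pair leaks a full pointer; at the true load address almost all of them fall inside the image and many land on C strings, while any other base scatters them. The script below is an added example, not code from the thread or from any VxWorks or IDA tool; it constructs its own sample image and assumes a link address of 0x00100000 for it (the value gerbay used as the RAM segment start, chosen here only as a plausible sample). The symbol-table method described in the devttys0 post linked above is the complementary check when the image carries one.

```python
"""Estimate the load address of a raw big-endian PowerPC image from lis/addi pairs.

Added example, not from the thread or any VxWorks tool. PowerPC code builds a
32-bit absolute address as `lis rD, addr@ha` followed by `addi rD, rD, addr@l`
(or `ori rD, rD, addr@l`, or a load/store using addr@l as displacement). Each
pair encodes a full pointer. At the true base almost all of them land inside
the image and many land on C strings; any other base scatters them. The
sample image is constructed here and assumes a link address of 0x00100000.
"""
import struct

LOAD_STORE_OPS = set(range(32, 56))   # lwz .. stfdu: D-form ops with rA + 16-bit displacement


def _sext16(v):
    return v - 0x10000 if v & 0x8000 else v


def _looks_like_cstring(image, off, minlen=4):
    end = image.find(b"\0", off) if 0 <= off < len(image) else -1
    s = image[off:end]
    return end >= 0 and len(s) >= minlen and all(0x20 <= c < 0x7F for c in s)


def absolute_refs(image, window=4):
    """Addresses materialised by `lis rD, hi` + a consumer of rD within `window` insns."""
    n = len(image) // 4
    words = struct.unpack(f">{n}I", image[:n * 4])
    refs = []
    for i, w in enumerate(words):
        if w >> 26 != 15 or (w >> 16) & 31 != 0:      # addis rD, r0, hi  ==  lis rD, hi
            continue
        rd, hi = (w >> 21) & 31, w & 0xFFFF
        for w2 in words[i + 1:i + 1 + window]:
            op, r1, r2, lo = w2 >> 26, (w2 >> 21) & 31, (w2 >> 16) & 31, w2 & 0xFFFF
            if op == 14 and r1 == rd and r2 == rd:        # addi rd, rd, lo  (lo is signed)
                refs.append(((hi << 16) + _sext16(lo)) & 0xFFFFFFFF)
                break
            if op == 24 and r1 == rd and r2 == rd:        # ori rd, rd, lo   (lo is unsigned)
                refs.append((hi << 16) | lo)
                break
            if op in LOAD_STORE_OPS and r2 == rd:          # lwz/stw/... rX, lo(rd)
                refs.append(((hi << 16) + _sext16(lo)) & 0xFFFFFFFF)
                break
            if r1 == rd:                                   # rd clobbered before use
                break
    return refs


def estimate_load_base(image, align=0x10000):
    """Best (base, (refs_inside_image, refs_on_strings)) over 64 KiB-aligned candidates."""
    refs, size, best = absolute_refs(image), len(image), None
    for base in sorted({a & ~(align - 1) for a in refs}):
        inside = [a - base for a in refs if base <= a < base + size]
        score = (len(inside), sum(_looks_like_cstring(image, o) for o in inside))
        if best is None or score > best[1]:
            best = (base, score)
    return best


# --- constructed sample image (assumed link address 0x00100000) ---------------
BASE = 0x00100000

def _lis(rd, hi):       return (15 << 26) | (rd << 21) | (hi & 0xFFFF)
def _addi(rd, ra, lo):  return (14 << 26) | (rd << 21) | (ra << 16) | (lo & 0xFFFF)
def _ori(ra, rs, lo):   return (24 << 26) | (rs << 21) | (ra << 16) | (lo & 0xFFFF)
def _lwz(rd, ra, lo):   return (32 << 26) | (rd << 21) | (ra << 16) | (lo & 0xFFFF)
def _ha(addr):          return ((addr + 0x8000) >> 16) & 0xFFFF   # compiler's @ha
def _lo(addr):          return addr & 0xFFFF                       # compiler's @l


def build_sample_image():
    img = bytearray(0xA000)
    code = [0x7C631A78]                                    # xor r3, r3, r3 (as in the listing)
    off = 0x400
    for rd, s in enumerate((b"VxWorks boot", b"sysInit", b"bootrom"), start=3):
        code += [_lis(rd, _ha(BASE + off)), _addi(rd, rd, _lo(BASE + off))]
        img[off:off + len(s)] = s
        off += len(s) + 1
    img[0x9000:0x900A] = b"far string"                    # @l is negative here: tests the @ha fix-up
    code += [_lis(6, _ha(BASE + 0x9000)), _addi(6, 6, _lo(BASE + 0x9000))]
    img[0x800:0x808] = struct.pack(">II", 0x12345678, 0)  # non-string data
    code += [_lis(5, (BASE + 0x800) >> 16), _ori(5, 5, _lo(BASE + 0x800))]
    code += [_lis(9, _ha(BASE + 0x804)), _lwz(9, 9, _lo(BASE + 0x804))]
    code += [_lis(7, 0xFEF0), _ori(7, 7, 0)]             # MMIO register outside the image
    code += [0x4E800020]                                   # blr
    img[:len(code) * 4] = struct.pack(f">{len(code)}I", *code)
    return bytes(img)


if __name__ == "__main__":
    base, (inside, strings) = estimate_load_base(build_sample_image())
    print(f"base {base:#010x}: {inside} refs inside image, {strings} on C strings")
```

Against the real extracted file (the one gerbay renamed "trdump.img.0.bin"), call `estimate_load_base` on its bytes and create the IDA segment at the reported base; the string-hit count is the sanity check, since a wrong base puts the `lis/addi` targets on garbage instead of on the strings output earlier. References into MMIO space (like the 0xFEF0xxxx one in the sample) are expected to fall outside the image and do not count against the estimate.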