Thread: Vx Works image ... repacking, anyone interested in helping or taking on the job?

  1. #1

    Vx Works image ... repacking, anyone interested in helping or taking on the job?

    I am ideally looking for someone who would be interested in working on reverse engineering a VxWorks image.

    I am doing something similar to what is described at:
    http://www.woodmann.com/forum/archive/index.php/t-11707.html

    It is a VxWorks binary flash image running on a PowerPC. I have a ROM dump (binary); I dumped 4 MB, which seems to be everything (it
    works if reloaded, I don't know what the real code size is). The application is about 645 kB.

    I would like to be able to extract the application binary, make modifications, and then re-pack it back into the image.

    I have gotten as far as using deezee and extracting the actual running binary. But I haven't gone beyond that.

    I have a second ROM image (there are two embedded boards), so we can use it to see what is consistent as far as headers and CRCs, if necessary.

    What I would like someone to do, in order of importance:

    1: Give me a way to repack the binary image into the flash (zip, CRC, put back, e.g. 'Rezee').
    Possibly integrate Dezee and the new 'Rezee' into a Windows app for convenience.

    The trick is there is probably a CRC stored with the image in the ROM and we will have to find it.

    2: Help me figure out the addresses of the running image. If it comes to that, I can just put a call to the embedded monitor/debugger as a first step into the program and see where things are when it starts to run.

    Additional resources:
    I have a copy of a VxWorks BSP package for the hardware (not necessarily the same version).

    The target hardware has a real-time debugger. Unfortunately, the board configuration is "either the debugger" or "the application flash". The debugger runs out of its flash and I haven't been able to debug and watch it load the application from flash into memory.

    I have a real-time debugger disassembly output of the start of the code.
    I know where the boot code is located in flash, and I have initial memory maps for the board.

    thanks,
    robert
    I promise that I have read the FAQ and tried to use the Search to answer my question.
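One way to hunt for the stored CRC the post mentions, as an added example that is not code from the thread or from Dezee: it scans an image for a 32-bit word equal to the CRC-32 of the bytes it protects, in either trailer or header layout, and re-seals the word after an edit. The image bytes are constructed, and it assumes a plain zip-style CRC-32 with no custom seed or polynomial.

```python
import struct
import zlib


def crc32(data, seed=0):
    """CRC-32 (IEEE, as used by zip/gzip) as an unsigned 32-bit int."""
    return zlib.crc32(data, seed) & 0xFFFFFFFF


def find_stored_crc(image, header_window=512, min_covered=64):
    """Return (offset, layout, endianness) for every aligned 32-bit word that
    equals the CRC32 of the bytes it covers. 'trailer' = word follows the
    covered bytes; 'header' = word precedes them and covers to the end of the
    image (only tried inside the first header_window bytes). An empty list
    means no plain CRC32 was found, so a different seed/polynomial is likely."""
    hits = []
    running = 0                                  # CRC32 of image[:off]
    for off in range(0, len(image) - 3, 4):
        word = image[off:off + 4]
        be = struct.unpack(">I", word)[0]
        le = struct.unpack("<I", word)[0]
        if off >= min_covered:                   # skip trivially short prefixes
            if be == running:
                hits.append((off, "trailer", "big"))
            elif le == running:
                hits.append((off, "trailer", "little"))
        if off < header_window:
            tail = crc32(image[off + 4:])        # header layout: covers the rest
            if be == tail:
                hits.append((off, "header", "big"))
            elif le == tail:
                hits.append((off, "header", "little"))
        running = crc32(word, running)           # extend the prefix CRC
    return hits


def reseal(image, off, layout, endian):
    """Recompute the CRC word at 'off' after the covered bytes were edited."""
    covered = image[:off] if layout == "trailer" else image[off + 4:]
    fmt = ">I" if endian == "big" else "<I"
    return image[:off] + struct.pack(fmt, crc32(covered)) + image[off + 4:]


def build_sample_image():
    """Constructed stand-in for a flash dump (not the real ROM): 1 KiB of
    'application' bytes, a big-endian CRC32 trailer, then erased-flash 0xFF."""
    payload = bytes(range(256)) * 4
    return payload + struct.pack(">I", crc32(payload)) + b"\xff" * 16
```

Run it over the real 4 MB dump with the second board's image as a cross-check: a hit at the same offset in both dumps is the CRC field; no hit means the checksum is not a plain CRC-32.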

  2. #2
    http://www.devttys0.com/2011/07/reverse-engineering-vxworks-firmware-wrt54gv8/

  3. #3
    Quote Originally Posted by gerbay View Post
    http://www.devttys0.com/2011/07/reverse-engineering-vxworks-firmware-wrt54gv8/
    thanks,
    I found that this morning. Still looking for someone interested in either taking on the project or helping out.

    robert

  4. #4
    I ran the strings program on the extracted image. I could use some suggestions on how to find the offsets so that IDA or REC can make some sense of the code. I decided to start with the extracted code before I got too tied up with getting it back into the bootloader.


    Here it is and the code image too.

  5. #5
    info:

    Your board is an MCP750 PPC board. You could find the MCP750 VxWorks BSP.

    I changed your filename to "trdump.img.0.bin" and loaded it in IDA.

    I changed the processor to PPC.

    I created a ROM segment, start: 0x00000000, end: 0x000A052C

    I created a RAM segment, start: 0x00100000, end: 0x00800000

    and I pressed "C" to change undefined data bytes to "CODE".

    Your firmware code looks like below:

    Code:
    ROM:00000000             # Segment type: Pure code
    ROM:00000000                             .section "ROM"
    ROM:00000000 94 21 FF F8                 stwu      r1, -8(r1)
    ROM:00000004 7C 08 02 A6                 mflr      r0
    ROM:00000008 90 01 00 0C                 stw       r0, 0xC(r1)
    ROM:0000000C 48 00 6B 85                 bl        sub_6B90
    ROM:00000010 80 01 00 0C                 lwz       r0, 0xC(r1)
    ROM:00000014 7C 08 03 A6                 mtlr      r0
    ROM:00000018 38 21 00 08                 addi      r1, r1, 8
    ROM:0000001C 4E 80 00 20                 blr
    ROM:00000020             # ---------------------------------------------------------------------------
    ROM:00000020             /* disable external interrupts */
    ROM:00000020
    ROM:00000020             sysInit:
    ROM:00000020 7C 63 1A 78                 xor       r3, r3, r3
    ROM:00000024 7C 60 01 24                 mtmsr     r3            # /* disable external interrupts */
    ROM:00000028             /* Zero-out registers: r0 & SPRGs */
    ROM:00000028 7C 00 02 78                 xor       r0, r0, r0
    ROM:0000002C 7C 10 43 A6                 mtsprg0   r0
    ROM:00000030 7C 11 43 A6                 mtsprg1   r0
    ROM:00000034 7C 12 43 A6                 mtsprg2   r0
    ROM:00000038 7C 13 43 A6                 mtsprg3   r0
    ROM:0000003C             /*
    ROM:0000003C              *      Set MPU/MSR to a known state
    ROM:0000003C              *      Turn on FP
    ROM:0000003C              */
    ROM:0000003C 70 63 00 00                 andi.     r3, r3, 0
    ROM:00000040 60 63 20 00                 ori       r3, r3, 0x2000
    ROM:00000044 7C 00 04 AC                 sync
    ROM:00000048 7C 60 01 24                 mtmsr     r3
    ROM:0000004C 4C 00 01 2C                 isync
    ROM:00000050             /* Init the floating point control/status register */
    ROM:00000050 FF 80 01 0C                 mtfsfi    7, 0
    ROM:00000054
    ROM:00000054             loc_54:                                 # DATA XREF: sub_7C+2E8o
    ROM:00000054                                                     # sub_7C+2ECo ...
    ROM:00000054 FF 00 01 0C                 mtfsfi    6, 0
    ROM:00000058 FE 80 01 0C                 mtfsfi    5, 0
    ROM:0000005C FE 00 01 0C                 mtfsfi    4, 0
    ROM:00000060 FD 80 01 0C                 mtfsfi    3, 0
    ROM:00000064 FD 00 01 0C                 mtfsfi    2, 0
    ROM:00000068 FC 80 01 0C                 mtfsfi    1, 0
    ROM:0000006C FC 00 01 0C                 mtfsfi    0, 0
    ...
    I added some extra comments.

    I labeled the "sysInit" function, which is included in the "sysALib.s" BSP file.

    Maybe this info is helpful for you.

    I'm sorry for my bad English.
    Last edited by gerbay; May 8th, 2012 at 15:39. Reason: extra information
