
Thread: BlackBerry OS

  1. #1
    fritzFS
    Guest

    BlackBerry OS

    Hello,

    Has anyone tried any reverse engineering/cracking on this?

    Are there any tools or documentation?

    thank you
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Naides is Nobody (Join Date: Jan 2002, Location: Planet Earth, Posts: 1,647)
    http://www.blackberry.net/developers

    IDA should work with this also, but I have not personally tested their debugger/simulator.

  3. #3
    fritzFS
    Guest
    Thank you, naides,

    I've also stumbled across that link little bit earlier so I'm checking it out.

    Still, if anyone has any experience, do not hesitate to answer ;-)

  4. #4
    dELTA (Administrator) (Join Date: Oct 2000, Location: Ring -1, Posts: 4,206, Blog Entries: 5)
    A google for "blackberry reversing" turns up at least a couple of interesting results, which are probably a good start, and when posting a question like this it would be very appropriate to mention these and other things you might have found while taking a quick look into the subject yourself first (not to mention instead of saying "I already knew about that" when you get a reply).
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  5. #5
    fritzFS
    Guest
    yes, yes, delta, I knew that also!

    Ok, the information I have got so far:

    - BlackBerry OS has a (modified) Java VM, written in ARM
    - application code is stored in a .cod file, which is not publicly known
    (the information known so far can be found here: http://drbolsen.wordpress.com/2006/08/11/10/)
    - BB code differs quite a lot from Java's original, except in the simple bytecodes, so comparing them isn't 100% useful
    - a guy named Hex coded a loader for IDA which loads a .cod file and dumps the main structures

    Good way would be to download simulator from:
    http://www.blackberry.com/developers/downloads/index.shtml
    and start tracing from there ...

    Anyway, a pretty screwed position for anyone who tries to crack a BB application :-(

  6. #6
    dELTA (Administrator)
    That's better.

    And what makes you screwed? You have a compiler, a simulator, an IDA loader and a guy who obviously knows quite a bit about it and is willing to cooperate with others in exploring it further (i.e. Hex), seems like a pretty damn good start to me.

    I also found this note by Hex in another place:

    .cod is a RIM JVM code format. It's a modified version of Sun's Java Virtual Machine. The native code for Blackberry is ARM. Yes, there's a standard way for even decompiling the .cod files. The full version of the rapc compiler contains the class that provides such ability. But the JDE version of rapc contains only the classes for compilation. The format is proprietary. But we can reverse it...

    I've also invited Hex to participate in this thread, so let's see if he joins the discussion.

  7. #7
    <script>alert(0)</script> disavowed (Join Date: Apr 2002, Posts: 1,281)
    You may also want to check out http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-FX.pdf
    It's the presentation that FX gave at Black Hat on BlackBerry analysis.

  8. #8
    This is "berry" interesting

  9. #9
    Hexxx
    Guest
    Hello everyone. Ask me the questions and I'll answer.

    P.S. I'll upload the IDA loader with source code tomorrow, and post a link here. I've got to release the project at my work, so I just had no time to upload it.

  10. #10
    Thank you. We look forward to your contributions.

    Regards,
    JMI

  11. #11
    dELTA (Administrator)
    Hey Hexxx, thanks for dropping by! Sounds great with the IDA loader + source!

    And now fritzFS and everyone else, the table is set for you, we have the information above, and one of the world's leading Blackberry reversers is with us here in the thread. Make good use of it, and let the discussion begin.

    I'll also start with a simple (and possibly stupid) question for Hexxx: As I quote above, you say that "the full version of rapc compiler contains the class to decompile cod files". Isn't this "full version" of the compiler available somewhere on the net, or is it just company internal to the Blackberry guys?

  12. #12
    Hexxx
    Guest
    It's not available on the web. I've found the references to the decompiler in rapc.exe. They've left a reference to some "net.rim.tools.decompiler" class in rapc.jar, but there was no such class in rapc.jar.

    They will never release such a version of rapc to the public, because it would allow cracking all their applications.

    rapc.jar is a compiler written in Java. All the code is obfuscated.
    Rapc can both convert .class files into .cod and compile .java to .cod.

  13. #13
    dELTA (Administrator)
    Ok, thanks for the info! That conversion of class files to cod files that you mention feels quite useful to me for mapping the exchanged opcodes/bytecodes of the cod files vs common java bytecodes, especially if they are just simple substitutions to make the files incompatible with normal java decompilers, right? If just a few opcodes are substituted for other opcodes, a comparative analysis of the class file and corresponding produced cod file would clear this issue up quite quickly I guess?

    Also, if the substituted opcodes have the same size as the original java bytecodes, one would even be able to create a patcher that can revert the "coddified" code to normal java bytecode, to be able to make partial use of pure java decompilers I guess, or in the opposite way make it easy to modify existing java decompilers to process the switched opcodes instead. But I guess the substitutions aren't all that simple, or are they?

    Have you made any research in this area, i.e. regarding which opcodes are exchanged compared to pure java, and in what way they are exchanged?

    Since your loader parses the main cod file structures, I guess you also have quite some knowledge about how much these structures (i.e. everything in the file except the pure bytecode) differ from normal java class files too? Is it a big difference?

  14. #14
    Hexxx
    Guest
    Not as simple as it seems. Of course I've already compared the BB JVM to the Sun JVM. Simple bytecodes such as iload are substituted. But all the call and goto instructions are quite different.

    The filesystem in BB is based on a set of databases. When the .cod file is uploaded to the device, it is split into several parts: header with code, relocations, data, etc. Each part is written to the corresponding database. All that is done by the so-called Javaloader.
    The header of the .cod file is a template, which is filled in with record IDs by the Javaloader after the .cod file has been split into database records.

    So when the JVM runs, it accesses the databases. Did you ever wonder why the BB devices are poorly featured and start so slowly? The database mechanism is so god damn slow.

    Returning to the JVM. All the call and goto instructions handle database requests. So when it needs to call some function from another .cod file, it does another database request...
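The comparative analysis dELTA proposes in #13, and the limit Hexxx describes in #14 (simple opcodes substituted one-for-one, calls and gotos encoded differently), can be tried mechanically. The script below is an added example, not Hexxx's IDA loader and not the real .cod encoding: it walks a Java bytecode stream and a same-length "converted" stream in lockstep under the hypothesis that opcodes were replaced one-for-one with operands untouched, derives the substitution table for the opcodes where that held, and reports the instructions where it did not. The Java opcode values and operand lengths are the real ones from the JVM specification for the handful of instructions used; the substitution table and both byte streams are constructed for the demonstration and labelled as such.

```python
"""Lockstep comparison of a .class bytecode stream with a converted stream
to infer a one-for-one opcode substitution and find where it breaks.
Added example; the converted stream and its substitutions are made up."""
from collections import defaultdict

# Real JVM opcode values and operand lengths (bytes) for the sample instructions.
JAVA_OPS = {
    0x10: ("bipush", 1),
    0x15: ("iload", 1),
    0x36: ("istore", 1),
    0x60: ("iadd", 0),
    0xA7: ("goto", 2),
    0xB8: ("invokestatic", 2),
    0xAC: ("ireturn", 0),
}

# Constructed input: iload 1; iload 2; iadd; istore 3; bipush 5;
# invokestatic #7; goto 0; ireturn  (16 bytes, valid JVM encoding).
CLASS_STREAM = bytes([0x15, 0x01, 0x15, 0x02, 0x60, 0x36, 0x03, 0x10, 0x05,
                      0xB8, 0x00, 0x07, 0xA7, 0xFF, 0xF4, 0xAC])

# Constructed "converted" stream of the same length (NOT the real .cod format):
# simple opcodes are renumbered with operands kept, while the call and the
# goto keep their size but carry different operand bytes.
COD_STREAM = bytes([0x31, 0x01, 0x31, 0x02, 0x42, 0x33, 0x03, 0x21, 0x05,
                    0x70, 0x07, 0x00, 0x71, 0x00, 0x00, 0x50])


def decode(stream, ops):
    """Split a bytecode stream into (offset, opcode, operand_bytes) tuples."""
    out, i = [], 0
    while i < len(stream):
        op = stream[i]
        if op not in ops:
            raise ValueError(f"unknown opcode 0x{op:02x} at offset {i}")
        n = ops[op][1]
        out.append((i, op, stream[i + 1:i + 1 + n]))
        i += 1 + n
    return out


def infer_substitution(class_stream, cod_stream, ops):
    """Return (mapping, conflicts) under the same-size substitution hypothesis.

    mapping: java opcode -> substituted opcode, only for opcodes whose every
             occurrence mapped to one value with identical operand bytes.
    conflicts: (offset, mnemonic, reason) for each instruction breaking it.
    """
    if len(class_stream) != len(cod_stream):
        raise ValueError("streams differ in length; hypothesis cannot hold")
    targets = defaultdict(set)
    bad_ops, conflicts = set(), []
    for off, op, operands in decode(class_stream, ops):
        sub_op = cod_stream[off]
        sub_operands = cod_stream[off + 1:off + 1 + len(operands)]
        targets[op].add(sub_op)
        if sub_operands != operands:
            conflicts.append((off, ops[op][0], "operands differ"))
            bad_ops.add(op)
    mapping = {}
    for op, subs in targets.items():
        if len(subs) > 1:
            conflicts.append((None, ops[op][0], f"maps to {sorted(subs)}"))
        elif op not in bad_ops:
            mapping[op] = next(iter(subs))
    return mapping, conflicts


def analyze_sample():
    """Run the comparison on the constructed sample streams."""
    return infer_substitution(CLASS_STREAM, COD_STREAM, JAVA_OPS)


if __name__ == "__main__":
    mapping, conflicts = analyze_sample()
    for op, sub in sorted(mapping.items()):
        print(f"{JAVA_OPS[op][0]:<12} 0x{op:02x} -> 0x{sub:02x}")
    for off, name, why in conflicts:
        print(f"conflict at {off}: {name}: {why}")
```

Run on the constructed sample, the simple opcodes (iload, iadd, istore, bipush, ireturn) come out as a clean substitution table, while invokestatic and goto are flagged because their operand bytes no longer match, which is the shape of result Hexxx's answer predicts. On real input the length check would already fail if the converted encoding is not byte-for-byte the same size, which is itself a useful finding.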

  15. #15
    fritzFS
    Guest
    This also sounds like valuable information:

    http://drbolsen.wordpress.com/2006/11/29/answering-the-questions/
