
Thread: BlackBerry OS

  1. #16
    Hexxx
    Guest
    I've sent the source code to fritzFS.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #17
    fritzFS
    Guest
    Ok, guys, here it goes ...

    Thx hexxx
    Attached Files

  3. #18
    dELTA
    Administrator
    Very nice information Hexxx, and thanks also for the tool! Do you have, or know of, any other specialized tools that might be of assistance when attempting to reverse Blackberry apps?

    And nice link fritzFS, I'll include the info here for documenting purposes:

    A COD file is the result of converting a normal Java application. RIM provides a special tool which allows you to do that - rapc.exe. The first thing you can notice about this tool is that it contains two parts - rapc.exe and rapc.jar. The first part seems to be a simple wrapper around the jar file, which looks like the main code repository. But a quick look at rapc.jar brings you bad news - it is obfuscated by RetroGuard (http://www.retrologic.com). Well, nobody expected that it would be easy. But an old trick (http://www.multimedia.cx/pre/re-retroguard.html) with RetroGuard still works fine. The result of deobfuscation is still far away from normal Java source code, but it gives us a nice starting point - unique identifiers for functions, variables and constants. The next magic word is Refactoring. It is probably the most boring and at the same time most interesting part of the process. At this stage we are looking for any clue inside the code - memory references, constants, application messages, etc. Once a clue is found we slowly progress forward from this point, trying to trace all usage of the discovered constant or function, replacing nonsense identifiers with functional ones. Imagine yourself to be a kind of Sherlock Holmes investigating a difficult case. Lucky for us, RIM left a lot of clues inside.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  4. #19
    Hexxx
    Guest
    The JVM in the device firmware was identical to the one in the simulator. So reversing the simulator (jvm.dll) instead of reversing the ARM code in the firmware is a good idea. I can tell you about the firmware if you're interested.

  5. #20
    dELTA
    Administrator
    Good to have that confirmed about the simulator, thanks!

    And of course we're interested to hear about the firmware!

  6. #21
    More information is usually better than less information.

    Regards,
    JMI

  7. #22
    Hexxx
    Guest
    RimOS is based on AMX. The system messaging system, tasks, and memory were all like AMX in the 6xxx models. In the 7xxx they changed it a bit, then in the 8xxx they totally refactored the code and used another compiler, so the quality of the code has changed dramatically. The firmware and the ramloaders used to update the firmware are digitally signed. There's no way to hack the signature; it's RSA-2048 based. So, you can't patch it. The firmware updates usually consist of one file with ARM code and multiple .cod and .alx files.
    The ARM code file for a GSM device is placed at a path like this:
    C:\Program Files\Common Files\Research In Motion\Shared\Loader Files\7100-version\GPRS\
    There's a file named rimYYYYx.bin
    where YYYY is the model and x the generation (g = GSM, i = iDEN, c = CDMA)
    For example:
    rim7100g.bin - Firmware for the BlackBerry 7100, a GSM model.

    When the device starts it runs the bootloader (the device lights the LED), then it checks the signature of the firmware and starts the firmware; the firmware code sets up the hardware and runs the system tasks. The last task that starts is RIM_TASK; it's the JVM task. Then the JVM loads all the .cod files, checks their validity and starts running the "Java" code.
    Last edited by Hexxx; November 30th, 2006 at 10:15.
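    The signature check described in the post above (bootloader verifies the RSA-2048 signature before starting the firmware, so a patched image is rejected), shown as an added example that is not part of this thread and not RIM's code. It assumes a simplified image layout (a code blob plus a detached PKCS#1 v1.5 signature over its SHA-256 digest); the real rimYYYYx.bin container format is not described in the thread. The point it demonstrates is that flipping a single byte of the code without the vendor's private key fails the bootloader-side check.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedImage is a constructed model of a signed firmware file: the raw code
// blob plus a detached RSA signature over its SHA-256 digest. The layout is an
// assumption for this example, not RIM's real rimYYYYx.bin container format.
type SignedImage struct {
	Code      []byte
	Signature []byte
}

// SignImage is the vendor side: hash the code and sign the digest with the
// private key that never leaves the vendor.
func SignImage(priv *rsa.PrivateKey, code []byte) (SignedImage, error) {
	digest := sha256.Sum256(code)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedImage{}, err
	}
	return SignedImage{Code: code, Signature: sig}, nil
}

// VerifyImage is the bootloader side: recompute the digest over the code as
// it sits in flash and check the signature against the embedded public key.
func VerifyImage(pub *rsa.PublicKey, img SignedImage) bool {
	digest := sha256.Sum256(img.Code)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], img.Signature) == nil
}

// PatchedVerifies flips one byte of the code at offset (leaving the signature
// untouched) and reports whether the bootloader check still passes.
func PatchedVerifies(pub *rsa.PublicKey, img SignedImage, offset int) bool {
	patched := SignedImage{
		Code:      append([]byte(nil), img.Code...),
		Signature: img.Signature,
	}
	patched.Code[offset] ^= 0xFF
	return VerifyImage(pub, patched)
}

// Demo runs the whole flow with a freshly generated 2048-bit key (the key
// size the thread mentions) and a constructed stand-in for the ARM code blob.
// It returns whether the original image verifies and whether the patched
// image verifies.
func Demo() (originalOK bool, patchedOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	// Constructed sample: a few bytes standing in for firmware code.
	code := []byte("constructed ARM firmware blob, not a real image")
	img, err := SignImage(priv, code)
	if err != nil {
		return false, false, err
	}
	pub := &priv.PublicKey
	return VerifyImage(pub, img), PatchedVerifies(pub, img, 4), nil
}

func main() {
	ok, patchedOK, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original image verifies: %v\n", ok)        // true
	fmt.Printf("patched image verifies:  %v\n", patchedOK) // false
}
```

    The verifying side only needs the public key, which is why it can be embedded in the bootloader; producing a signature that passes for modified code would require the private key, which is the property the post relies on when it says the firmware can't be patched.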

  8. #23
    Hexxx
    Guest
    Quote originally posted by JMI:
    > More information is usually better than less information.
    >
    > Regards,
    Having all the source code of MS Windows doesn't help to write TDI drivers at all.

    Better to have a little valid information than a lot of invalid.

  9. #24
    dELTA
    Administrator
    Very interesting information Hexxx, thanks again!

    C'mon people, aren't there any aspiring BlackBerry reversers here who'd like to make use of this excellent source of information while it's available, and ask some further questions or discuss some aspects of BlackBerry reversing?

    And Hexxx, what are you currently working on in the field of Blackberry reversing? Do you feel "stuck" at some point? Are you perhaps even doing something that would benefit from a collaborative effort?

  10. #25
    Hexxx
    Guest
    I felt stuck for half a year. Now I'm just sick and tired of reversing it.

  11. #26
    fritzFS
    Guest
    dELTA,
    if I understood Hexxx correctly, it would be good to reverse the jvm.dll together even though it sounds like a lot of work.

    Am I right or is it pointless?

  12. #27
    drbolsen
    Guest
    Hi

    Hi guys,

    I was afraid that nobody was interested in BB reversing, so it is a nice surprise to me to see here a number of people doing the same stuff.
    Last edited by drbolsen; November 30th, 2006 at 19:43.

  13. #28
    dELTA
    Administrator
    Hey drbolsen, I'm glad you saw my note on your blog, nice to see you! Ok, people, now we have both of Google's most prominent people on the web regarding the subject of BlackBerry reversing here, so make it count.

    So, drbolsen, what's your current view on Blackberry reversing, and interests in it? Are you working actively on some aspects of it at the moment? Something interesting to share or discuss perhaps? Welcome to the board either way, here there are always "a number of people interested in" most reversing subjects, and also many very skillful and bright, so feel free to bring any reversing discussions you like here!

    And fritzFS, you are indeed right that it would be good to reverse the jvm.dll together, care to take the first shot?

  14. #29
    fritzFS
    Guest
    Ok, couple of questions first:

    Did they write the JVM from scratch or modify the original?
    At that time, Sun hadn't yet published Java under the GPL, so how would they get the original source?

    I downloaded Java HotSpot (VM) source and looked at it, it's not easy to understand it right away (1500 C/C++ header and source files, 250 000 lines of code).

    Basically, what I'm trying to ask is this:
    This JVM.DLL is some kind of stripped version of the original and its only connection to the original is that it works on the same principle, so it's useless to compare the original JVM code with this one since the original is too complex?

    I hope someone understood me

    Oh, btw, for those who didn't download it yet:
    http://download.java.net/openjdk/jdk7/
    Last edited by fritzFS; December 1st, 2006 at 08:57.

  15. #30
    drbolsen
    Guest
    Hey ...

    Hey guys, thank you for the nice words and a warm welcome.

    Well, I am still interested in BB reversing and I am more than happy to share the information I have got so far. Two heads are always better than one. I think it's worth saying that my participation in this project directly depends on my future workload. Work is work, BB is for fun.

    Although I don't think that it would be a very difficult task after all. It took around a week to create the script I had published on my blog. Publishing it was a far bigger problem for me, he-he.

    Analysing rapc.jar is not that difficult even with obfuscation and even for me (I am not a Java guru at all, lol, but some Java stuff I had to learn from books like Java for Dummies) as RIM left a lot of clues and UI (or log?) messages inside the code.

    I hope that it would be a good start. Check my script; it works fine and it gives you an idea where to dig at first. Then we can discuss a vector of work and go ahead. What do you think?

    Cheers
    Last edited by drbolsen; December 1st, 2006 at 10:08.
