I've got a concept for "rooting" the bada kernel.
This requires patching some apps and API libraries, and in effect allows access to hundreds of low-level system functions.
Preamble:
Bada registers its various API classes using the functions __SysRegisterClass(int unknown, int ClassID, ClassInfo* cInfo) and __SysRegisterClassV2(int ClassID, char* className, ClassInfoV2* cInfo, int unknown).
A sample ClassPointers table from the ClassInfoV2 of the class "SysBase" (ID 0x1000001) looks like this:
Code:
LOAD:41348658 ApiFunc <"SysDispatch", 1, SysDispatch+1>
LOAD:41348658 ApiFunc <"__SysRegisterClassV2", 1, __SysRegisterClassV2+1>
LOAD:41348658 ApiFunc <"SysUnregisterClassV2", 1, SysUnregisterClassV2+1>
LOAD:41348658 ApiFunc <"SysGetInterfaceV2", 1, SysGetInterfaceV2+1>
LOAD:41348658 ApiFunc <"__SysRegisterClass", 1, __SysRegisterClass+1>
LOAD:41348658 ApiFunc <"SysUnregisterClass", 1, SysUnregisterClass+1>
LOAD:41348658 ApiFunc <"SysGetInterface", 1, SysGetInterface+1>
LOAD:41348658 ApiFunc <"SysSetLastError", 1, SysSetLastError+1>
LOAD:41348658 ApiFunc <"SysGetLastError", 1, SysGetLastError+1>
LOAD:41348658 ApiFunc <"_SysAssertBreakpoint", 1, _SysAssertBreakpoint+1>
LOAD:41348658 ApiFunc <"_SysAssertReport", 1, _SysAssertReport+1>
LOAD:41348658 ApiFunc <"_SysGetDllNameByDID", 1, _SysGetDllNameByDID+1>
LOAD:41348658 ApiFunc <"_SysGetAppNameByDID", 1, _SysGetAppNameByDID+1>
LOAD:41348658 ApiFunc <"_SysGetDidByDllName", 1, _SysGetDidByDllName+1>
LOAD:41348658 ApiFunc <"_SysGetDidByAppName", 1, _SysGetDidByAppName+1>
LOAD:41348658 ApiFunc <"SysGenerateUUID", 1, SysGenerateUUID+1>
LOAD:41348658 ApiFunc <"SysGetFirmUpInfo", 1, SysGetFirmUpInfo+1>
LOAD:41348658 ApiFunc <"SysGetLcdHeight", 1, SysGetLcdHeight+1>
LOAD:41348658 ApiFunc <"SysGetLcdWidth", 1, SysGetLcdWidth+1>
LOAD:41348658 ApiFunc <"SysGetLcdBitsPerPixel", 1, SysGetLcdBitsPerPixel+1>
LOAD:41348658 ApiFunc <"SysGetDiagnoseInfo", 1, SysGetDiagnoseInfo+1>
LOAD:41348658 ApiFunc <"SysIsLcdHorizontal", 1, SysIsLcdHorizontal+1>
LOAD:41348658 ApiFunc <"SysGetUAString", 1, SysGetUAString+1>
LOAD:41348658 ApiFunc <"SysSetUAString", 1, SysSetUAString+1>
LOAD:41348658 ApiFunc <"SysGetRealTick", 1, SysGetRealTick+1>
LOAD:41348658 ApiFunc <"_SysGetDebugLevel", 1, _SysGetDebugLevel+1>
LOAD:41348658 ApiFunc <"_SysAppCoreDump", 1, _SysAppCoreDump+1>
LOAD:41348658 ApiFunc <"SysGetModelName", 1, SysGetModelName+1>
LOAD:41348658 ApiFunc <"SysDebugPrintf", 1, SysDebugPrintf+1>
LOAD:41348658 ApiFunc <"SysRawDebugPrintf", 1, SysRawDebugPrintf+1>
LOAD:41348658 ApiFunc <"SysTracePrintf", 1, SysTracePrintf+1>
LOAD:41348658 ApiFunc <"_SysSaveAssertMsg", 1, _SysSaveAssertMsg+1>
LOAD:41348658 ApiFunc <"SysRegisterRsrc", 1, SysRegisterRsrc+1>
LOAD:41348658 ApiFunc <"SysUnRegisterRsrc", 1, SysUnRegisterRsrc+1>
LOAD:41348658 ApiFunc <"SysRegisterRsrcEx", 1, SysRegisterRsrcEx+1>
LOAD:41348658 ApiFunc <"SysUnRegisterRsrcUsingHdl", 1, SysUnRegisterRsrcUsingHdl+1>
LOAD:41348658 ApiFunc <"SysUnRegisterRsrcExUsingHdl", 1, SysUnRegisterRsrcExUsingHdl+1>
LOAD:41348658 ApiFunc <"SysUnRegisterRsrcEx", 1, SysUnRegisterRsrcEx+1>
LOAD:41348658 ApiFunc <"SysRegisterRsrcApp", 1, SysRegisterRsrcApp+1>
LOAD:41348658 ApiFunc <"SysSetLcdHorizontal", 1, SysSetLcdHorizontal+1>
LOAD:41348658 ApiFunc <"SysIsFeatureEnabled", 1, SysIsFeatureEnabled+1>
LOAD:41348658 ApiFunc <"SysGetOperatorSWVersion", 1, SysGetOperatorSWVersion+1>
LOAD:41348658 ApiFunc <"SysGetSamsungSWVersion", 1, SysGetSamsungSWVersion+1>
LOAD:41348658 ApiFunc <"SysGetHiddenSWVersion", 1, SysGetHiddenSWVersion+1>
LOAD:41348658 ApiFunc <"SysInitRsrcType", 1, SysInitRsrcType+1>
LOAD:41348658 ApiFunc <"SysDeInitRsrcTypeDbg", 1, SysDeInitRsrcTypeDbg+1>
LOAD:41348658 ApiFunc <"SysRsrcTypeInUseDbg", 1, SysRsrcTypeInUseDbg+1>
LOAD:41348658 ApiFunc <"SysTotalAllocCountRsrcTypeDbg", 1, SysTotalAllocCountRsrcTypeDbg+1>
LOAD:41348658 ApiFunc <"SysCreateHandleDbg", 1, SysCreateHandleDbg+1>
LOAD:41348658 ApiFunc <"SysDeleteHandleDbg", 1, SysDeleteHandleDbg+1>
LOAD:41348658 ApiFunc <"SysDeleteHandleExDbg", 1, SysDeleteHandleExDbg+1>
LOAD:41348658 ApiFunc <"SysRegisterHandleDbg", 1, SysRegisterHandleDbg+1>
LOAD:41348658 ApiFunc <"SysGetHandleByNameDbg", 1, SysGetHandleByNameDbg+1>
LOAD:41348658 ApiFunc <"SysGetRsrcTypeHeadDbg", 1, SysGetRsrcTypeHeadDbg+1>
LOAD:41348658 ApiFunc <"SysVerifyRegisteredHandleDbg", 1, SysVerifyRegisteredHandleDbg+1>
LOAD:41348658 ApiFunc <"SysVerifyUnRegisteredHandleDbg", 1, SysVerifyUnRegisteredHandleDbg+1>
LOAD:41348658 ApiFunc <"SysGetHandleNameDbg", 1, SysGetHandleNameDbg+1>
LOAD:41348658 ApiFunc <"SysGetHandleOwnerTaskDbg", 1, SysGetHandleOwnerTaskDbg+1>
LOAD:41348658 ApiFunc <"SysSetZombieHandleDbg", 1, SysSetZombieHandleDbg+1>
LOAD:41348658 ApiFunc <"SysVerifyZombieHandleDbg", 1, SysVerifyZombieHandleDbg+1>
LOAD:41348658 ApiFunc <"SysGetInternalHandleDbg", 1, SysGetInternalHandleDbg+1>
LOAD:41348658 ApiFunc <"SysGetHeadHandleDbg", 1, SysGetHeadHandleDbg+1>
LOAD:41348658 ApiFunc <"SysGetNextHandleDbg", 1, SysGetNextHandleDbg+1>
LOAD:41348658 ApiFunc <"SysVerifyInternalHandleDbg", 1, SysVerifyInternalHandleDbg+1>
LOAD:41348658 ApiFunc <"SysGetUnRegisteredHandleDbg", 1, SysGetUnRegisteredHandleDbg+1>
LOAD:41348658 ApiFunc <"SysGetHandleDbg", 1, SysGetHandleDbg+1>
LOAD:41348658 ApiFunc <"SysGetHandleRefCountDbg", 1, SysGetHandleRefCountDbg+1>
LOAD:41348658 ApiFunc <"SysSetSysHandleForDeleteDbg", 1, SysSetSysHandleForDeleteDbg+1>
LOAD:41348658 ApiFunc <"_SysGetAppDebugLevel", 1, _SysGetAppDebugLevel+1>
LOAD:41348658 ApiFunc <"_SysSetAppDebugLevel", 1, _SysSetAppDebugLevel+1>
LOAD:41348658 ApiFunc <"SysSetModuleStatus", 1, SysSetModuleStatus+1>
LOAD:41348658 ApiFunc <"SysGetModuleStatus", 1, SysGetModuleStatus+1>
LOAD:41348658 ApiFunc <"SysGetSWVersion", 1, SysGetSWVersion+1>
LOAD:41348658 ApiFunc <"SysSecureDebugPrintf", 1, SysSecureDebugPrintf+1>
LOAD:41348658 ApiFunc <"SysGetSystemInfo", 1, SysGetSystemInfo+1>
LOAD:41348658 ApiFunc <"SysSetSystemInfo", 1, SysSetSystemInfo+1>
LOAD:41348658 ApiFunc <"SysGetBuildInfo", 1, SysGetBuildInfo+1>
LOAD:41348658 ApiFunc <"SysSetDiagnoseInfo", 1, SysSetDiagnoseInfo+1>
LOAD:41348658 ApiFunc <"SysGetVersion", 1, SysGetVersion+1>
LOAD:41348658 ApiFunc <"SysGetModelPetName", 1, SysGetModelPetName+1>
LOAD:41348658 ApiFunc <"SysSecBootUnlock", 1, sub_40060054>
This exact table of pointers can be obtained by calling a single function:
Code:
SysGetInterfaceV2(0x1000001);
As you can see, the table is very easy to parse (I already did it in IDA); it is an array of the structure:
Code:
struct ApiFunc
{
    char name[52];
    int some_bool;
    void *ptr;
};
Some classes contain about 600 functions.
Parsing such an array allows calling any of these functions from any bada app; only the pointer to the SysGetInterfaceV2 function has to be known (it differs between bada builds).
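As an added example (not code from the post), this is how a tool auditing a raw memory dump of such a table would decode it: it walks the 60-byte records of the 32-bit on-device layout, looks up an export by name and reads the Thumb bit of the stored address, which is what the +1 in the IDA listing reflects. The sample dump and its addresses are constructed here, and the table length is assumed to be known, since the post gives no terminator.

```c
#include <stdint.h>
#include <string.h>
/* On-device (32-bit ARM) layout of one ApiFunc record from the post:
 * char name[52]; int some_bool; void *ptr;  -> 60 packed little-endian bytes. */
#define API_NAME_LEN 52
#define API_REC_SIZE 60

typedef struct { char name[API_NAME_LEN]; uint32_t some_bool; uint32_t ptr; } ApiFunc;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode record i from a raw dump; returns 0 if the record would run past the end. */
int api_entry(const uint8_t *dump, size_t len, size_t i, ApiFunc *out) {
    size_t off = i * API_REC_SIZE;
    if (off + API_REC_SIZE > len) return 0;
    memcpy(out->name, dump + off, API_NAME_LEN);
    out->name[API_NAME_LEN - 1] = '\0';        /* never trust the dump to be NUL-terminated */
    out->some_bool = le32(dump + off + 52);
    out->ptr = le32(dump + off + 56);
    return 1;
}

/* Linear search by exported name; returns the stored address or 0 when absent.
 * Assumption: the caller knows the dump length (the post gives no terminator). */
uint32_t api_lookup(const uint8_t *dump, size_t len, const char *name) {
    ApiFunc f;
    for (size_t i = 0; api_entry(dump, len, i, &f); i++)
        if (strcmp(f.name, name) == 0) return f.ptr;
    return 0;
}

/* ARM convention: bit 0 set in a code address selects Thumb state, which is why the
 * IDA listing shows most entries as symbol+1 and SysSecBootUnlock (sub_40060054) without it. */
int api_is_thumb(uint32_t ptr) { return (int)(ptr & 1u); }

/* Constructed sample dump: two made-up Thumb addresses plus the ARM-state address the
 * listing shows for SysSecBootUnlock. Returns the dump length, or 0 if buf is too small. */
size_t build_sample_dump(uint8_t *buf, size_t cap) {
    const char *names[] = { "SysGetLcdWidth", "SysGetLcdHeight", "SysSecBootUnlock" };
    const uint32_t addrs[] = { 0x41300001u, 0x41300041u, 0x40060054u };
    size_t n = sizeof names / sizeof names[0];
    if (cap < n * API_REC_SIZE) return 0;
    memset(buf, 0, n * API_REC_SIZE);
    for (size_t i = 0; i < n; i++) {
        uint8_t *rec = buf + i * API_REC_SIZE;
        strncpy((char *)rec, names[i], API_NAME_LEN - 1);
        rec[52] = 1;                           /* some_bool = 1, as in every listed entry */
        for (int b = 0; b < 4; b++) rec[56 + b] = (uint8_t)(addrs[i] >> (8 * b));
    }
    return n * API_REC_SIZE;
}
```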
General concept:
1) Patch the badakernel function called AppPkgSvcCheckSoIntegrity to always return true. This is easiest to do from the FOTA level.
2) Patch some Bada OSP .so file to enter CPU supervisor mode, call SysGetInterfaceV2 and return the list of function pointers.
3) Use the exposed API functions in any bada application to get direct access to, for example, the LCD driver or the TFS4 FileManager.
Advantages:
Allows calling any low-level bada function through the modified API - infinite possibilities.
Disadvantages:
This turns off an important layer of bada security - there is a potential risk of it being abused by malware creators.
Does any developer want to continue it? I have already spent too much time analysing bada.
The concept above came from analysing Bada 2.0 apps_decompressed.