On Device Debug!IDA+GDB trace automagic.apk in s1[success!]

Search This thread
By:
Advanced…
R

<robin>

Senior Member
Jun 12, 2012
124
92
Update:yes i did it,only need is ida 6.1!(no sdk,no ndk,no jre...)
jump to HOW-TO at post #5

##################################################
Does Anybody try debug on sony tablet?

we have many unknow for the system,
eg how update file encrypt(aes key for info.xml in libautomagic_library.so),
eg,how to decode rom file(in recovery)
why not to use programer ways,debug it!
gcc a gdb-server for our device,then remote debug with ida pro
it's should be best way to learn system.

Any body try this before?static decompare is not enough!
automagic.JPG
automagic1.JPG
 
Last edited:
  • Like
Reactions: synthor, pirlano and papacarla
R

<robin>

Senior Member
Jun 12, 2012
124
92
seems debug andriod by ida is easy to start:
1,make adb work
2,push file android_server to device(include in ida 6.1)
Code: 
adb push android_server /data/local/tmp/
3,change file attrib and run it
Code: 
adb shell
chmod 755 android_server
su
./android_server
here will display
Code: 
IDA Android 32-bit remote debug server(ST) v1.14. Hex-Rays (c) 2004-2011
Listening on port #23946...
4,open another adb to forward network package
Code: 
adb forward tcp:23946 tcp:23946
5,open ida pro on pc,debug--attach--remote android
host=loacalhost
now display
Code: 
=========================================================
[1] Accepting connection from localhost(127.0.0.1)...

just test my work pc and a android phone,succeed link and attach to sh
will try on my tablet this night...
############################################################

now i'am on sony tablet s:laugh:
11.jpg


##########################################################
can't attached to target app!

Could not set the shlib bpt, shared object events will not be handled
B0001000: loaded /system/bin/linker
8000: process /system/bin/app_process has started (pid=4473)
Debugger: attached to process /system/bin/app_process (pid=4473)
##########################################################
http://www.woodmann.com/forum/archive/index.php/t-14714.html
The IDA 6.1 server (android_server) has problems with the Android 2.3.7 linker (system/bin/linker) so it could only hook to the Android Virtual Machine itself (Zygote) not to the linux native code thus the native code continued to run and didn't halt. Responsible for that is 'system/bin/app_process'. I replaced the binary with an Android 2.2 (Froyo) release and it worked properly then. The only downside is there is no debugger yet that provides hardware breakpoints so you cannot break at data access. You can create memory watches and break regularly to pinpoint the responsible code though.
############################################################
update 2012-12-18 17:29
so,ida 6.1 debug server not fit our 3.x/4.x os.
i need find a new version(6.3?) or use gdb server
arm version gdb server include in android ndk....
 
Last edited:
  • Like
Reactions: synthor, pirlano, papacarla and 2 others
R

<robin>

Senior Member
Jun 12, 2012
124
92
haha,goood lucking:victory:
sony update app stop at MY brekpoint!!!!

here is how:
1,push both ida debug server(android_server) and gdbserver to sony tablets
2,run android_server first,forward port 23946 to pc(android_server can't change port)
a2.JPG
3,ida attach to app com.sony.autoupdate.ui(android debuger & port 23946)
a1.JPG
4,attach will log some error,ingore it(and breakpoint will not stop)
5,find our target (libautomagic_library.so),in my case it at address 0x81000000
a3.JPG
6,deattach(ida android debugger not kill target app)
7,pull libautomagic_library.so,load at base 0x81000000.set some break point
(eg,com_sony_automagic_downloader_jni_amclCheckUpdate 0x8100DD54)
a4.JPG
8,run gdbserver,set port and target pid,forward the port
pid can get by commod "ps" in adb shell
gdb can set any port,i use 1111
a6.JPG
9,ida attach,use remote gbd debugger and port 1111
a5.JPG
10,let app go,check update now

if you are lucky,ida will stop at address 0x8100DD54

only don't stop tool long,in the time i write ,os kill update app for time out
:cowboy:

this is gdb debug server in android ndk r8c
View attachment gdbserver.7z
 
Last edited:
  • Like
Reactions: synthor and pirlano
R

<robin>

Senior Member
Jun 12, 2012
124
92
ok,we know file info.xm is encrypt with aes 128(eaid:ENC0003)
View attachment 25_info.7z
so i set 2 break point in function "amclAesDecrypt"
as image 1
b.JPG

stop at break 1,
R0 is address of crypt,first 16 byte of info.xml,0x0DE80978...
R1 is output buffer,fill with 0
R2 is 3,for(eaid)
R3 is 0x10,for key/clip length
b1.1.JPG

stop at break 2
R0 is return error code,0 for no error
R8 is input data(another debug,address changed)
R9 is plain,first 16 byte of xml:victory::victory:
b2.1.JPG

but i still not know,where is the key:silly:
will continue tomorrow

first part of info.xml
Code: 
<?xml version="1.0" encoding="UTF-8"?>
<InformationFile Version="1.0" LastUpdate="2012-12-10T04:36:03Z" Noop="false">
<Extensions>
<Extension Key="ExtensionKey" Value="ExtensionValue" />
</Extensions>
<ControlConditions DefaultVariance="0" DefaultServiceStatus="open">
<ControlCondition Model="nbx03_024" Variance="0" ServiceStatus="open" />
</ControlConditions>
<ApplyConditions>
<ApplyCondition ApplyOrder="1" Force="false">
<Rules>
<Rule Type="System" Key="FirmwareVersion" Value="121116084" Operator="LessThan" />
</Rules>
<Distributions>
<Distribution ID="UpdateImageFull121116084" Version="121116084" URI="http://info.update.sony.net/ST005/nbx03_024/contents/0012/signed-nbx03_024-ota-121116084.zip" MAC="2284bf08dc9c535c1614721413f5785c56fe9369" Size="232604812" Type="" InstallType="binary" InstallParams="" />
</Distributions>
<Descriptions DefaultLang="Chinese(Simplified)">
<Description Lang="Chinese(Simplified)" Title="Sony Product Update">
<![CDATA[<displayVersion>121116084</displayVersion>
<full>true</full>
<wifionly>false</wifionly>
<battery>30</battery>
<url>http://service.sony.com.cn/st/Importance/52022.htm</url>
<desc>

2nd part not decrypt...:p

last part
Code: 
res  removed]
  -  Removes  Favorite  application
  -  Removes  DLNA  application
        *  You  will  still  be  able  to  access  DLNA  enabled  devices  within  WALKMAN,  Album  and  Movies
  -  Removes  Throw  feature  within  Gallery  application
        *  You  can  throw  photo/video  using  Album  application
  -  Removes  current  Video  Player  and  Music  Player's  apps/widgets  placed  on  Home  screen
        *  To  be  replaced  by  Movies  and  Walkman

  *1  Sony  Tablet(TM)  S  only
</desc>]]>
                </Description>
            </Descriptions>
        </ApplyCondition>
    </ApplyConditions>
</InformationFile>
 
Last edited:
  • Like
Reactions: synthor, pirlano, OCedHrt and 4 others
R

<robin>

Senior Member
Jun 12, 2012
124
92
psxpetey said:
Now that ida has android what exactly does it include and what can you do? can you veiw. .so libraries in reasdable form?
Click to expand...
Click to collapse

what kind of reasdable?
in arm platform,it can only decode to asm code(win-tel can decode to c code)
it can show code in graphic view,and youc can ref to the string and variable name.
graphic.JPG

for automagic.so,ida can get most function name
func.JPG

show relationship of functions
xref from
xref.JPG

xref to
xref1.JPG

when stop at breakpoint,you can see the registers value
R.JPG

Note:
step over of debug not works,you can use some breakpoint
when debug,you can see asm code only if the idb load base is same with inside tablet.
 
  • Like
Reactions: pirlano and OCedHrt
psxpetey

psxpetey

Senior Member
Dec 4, 2011
1,325
125
www.youtube.com
Sony Ericsson Xperia Arc
Well I need to add a couple things to a function in a. .so library but using 5.5 I cant figure out how. What im trying to do is add an fwrite() and fopen() to an uncompress fucntion so I can dump some unencrpted data because the original files are encrypted.

Sent from my Sony Tablet S using xda app-developers app
 
R

<robin>

Senior Member
Jun 12, 2012
124
92
woow,inline patch apps!
i just a begainer of ida,trace is already hard work…
 
Last edited:
DualJoe

DualJoe

Senior Member
Oct 12, 2011
2,198
1,103
de
Doesn't work here. I tried on CM10 and 10.1 using built-in gdbserver and the one from NDK r8d. IDA just connects to the Java VM. The native code still runs unaffected. CM7/2.3.7 runs fine.
 
P

pirlano

Senior Member
Feb 9, 2010
1,148
1,550
Valle Castellana, L'Aquila, Groningen, Madrid, Bru
<robin> said:
haha,goood lucking:victory:
sony update app stop at MY brekpoint!!!!

here is how:
1,push both ida debug server(android_server) and gdbserver to sony tablets
2,run android_server first,forward port 23946 to pc(android_server can't change port)
View attachment 1612963
3,ida attach to app com.sony.autoupdate.ui(android debuger & port 23946)
View attachment 1612962
4,attach will log some error,ingore it(and breakpoint will not stop)
5,find our target (libautomagic_library.so),in my case it at address 0x81000000
View attachment 1612965
6,deattach(ida android debugger not kill target app)
7,pull libautomagic_library.so,load at base 0x81000000.set some break point
(eg,com_sony_automagic_downloader_jni_amclCheckUpdate 0x8100DD54)
View attachment 1612966
8,run gdbserver,set port and target pid,forward the port
pid can get by commod "ps" in adb shell
gdb can set any port,i use 1111
View attachment 1612968
9,ida attach,use remote gbd debugger and port 1111
View attachment 1612967
10,let app go,check update now

if you are lucky,ida will stop at address 0x8100DD54

only don't stop tool long,in the time i write ,os kill update app for time out
:cowboy:

this is gdb debug server in android ndk r8c
View attachment 1575726
Click to expand...
Click to collapse

5) how i can find it? if i scroll (not so easy) i can find the same library at 3 address, what's the correct one? i think none, i think there is an other way to get the correct base offset (something like "info sharedlibrary" with command line but in IDA)?
EDIT: using command line gdb and info sharedlibrary i get the correct offset :)
7) how i can change the base offset where to load my library, there is a command or what?
EDIT: load new file, than check, manual load and set the correct offest, right? :)

also, i'm trying to debug liboemcamera.so, and i'm using mm-qcamera-daemon binary to debug it, but when i start gdbserver, suddenly mm-qcamera-daemon stop it by itself, and if i attach debug with IDA and resume it, it will say "running", but it stay freezed, how i can solve this problem?
 
Last edited:
R

<robin>

Senior Member
Jun 12, 2012
124
92
pirlano said:
5) how i can find it? if i scroll (not so easy) i can find the same library at 3 address, what's the correct one? i think none, i think there is an other way to get the correct base offset (something like "info sharedlibrary" with command line but in IDA)?
EDIT: using command line gdb and info sharedlibrary i get the correct offset :)
7) how i can change the base offset where to load my library, there is a command or what?
EDIT: load new file, than check, manual load and set the correct offest, right? :)

also, i'm trying to debug liboemcamera.so, and i'm using mm-qcamera-daemon binary to debug it, but when i start gdbserver, suddenly mm-qcamera-daemon stop it by itself, and if i attach debug with IDA and resume it, it will say "running", but it stay freezed, how i can solve this problem?
Click to expand...
Click to collapse


o...something long time ago,did i realy do all this?:p
5>i think there is a windows called Modules in ida,it show library path/base and size
7>yes,you are right,manual load and set base

may be i done all this in 3.2.1,so if you tab is 4.0.3,
you need new gdb server for new ndk
does ida have new version?:silly:
 
P

pirlano

Senior Member
Feb 9, 2010
1,148
1,550
Valle Castellana, L'Aquila, Groningen, Madrid, Bru
<robin> said:
o...something long time ago,did i realy do all this?:p
5>i think there is a windows called Modules in ida,it show library path/base and size
7>yes,you are right,manual load and set base

may be i done all this in 3.2.1,so if you tab is 4.0.3,
you need new gdb server for new ndk
does ida have new version?:silly:
Click to expand...
Click to collapse

yes i'm using new gdb server from latest ndk
no new version for IDA :(

i obtain different addresses, maybe because of ASLR, this is the command to disable it:
"echo 0 > /proc/sys/kernel/randomize_va_space"
trying now if something change :)
EDIT: nice! with ASLR off, libraries will be loaded always at the same address :)

btw, solved freeze, by attaching debug and writing "cont" command on gdb in less than 1 second :)

but now i have ptrace: I/O error.
cannot trace, or execute instruction step by step because it will cause this error
 
Last edited:
You must log in or register to reply here.

Similar threads

C
S.onyTablet.S v6.5 [ALLinONE] - new: Update OEM Apps! automatic ICS ROOT!, JB ROOT!
Replies
2K
Views
822K
T
tomvh1
B
Automated ADB Driver Installer for Sony Tablet S, P, and Xperia Tablet S
Replies
31
Views
170K
M
minakong
bubby323
[DEV] Sony Tablet S Rooting and Hacking Progress // Lets do this.
Replies
268
Views
133K
sankedcw
sankedcw
D
How to Root the Sony Tablet S
Replies
222
Views
240K
Dansen48
Dansen48
C
S.onyTablet.S v3.0 [FLASHER] - Tab S/P/Xperia fws! new: Xperia Tab JB 4.1.1 !!!!!!!
Replies
400
Views
205K
kn1000
kn1000

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 7
    R
    <robin>
    ok,we know file info.xm is encrypt with aes 128(eaid:ENC0003)
    View attachment 25_info.7z
    so i set 2 break point in function "amclAesDecrypt"
    as image 1
    b.JPG

    stop at break 1,
    R0 is address of crypt,first 16 byte of info.xml,0x0DE80978...
    R1 is output buffer,fill with 0
    R2 is 3,for(eaid)
    R3 is 0x10,for key/clip length
    b1.1.JPG

    stop at break 2
    R0 is return error code,0 for no error
    R8 is input data(another debug,address changed)
    R9 is plain,first 16 byte of xml:victory::victory:
    b2.1.JPG

    but i still not know,where is the key:silly:
    will continue tomorrow

    first part of info.xml
    Code: 
    <?xml version="1.0" encoding="UTF-8"?>
<InformationFile Version="1.0" LastUpdate="2012-12-10T04:36:03Z" Noop="false">
<Extensions>
<Extension Key="ExtensionKey" Value="ExtensionValue" />
</Extensions>
<ControlConditions DefaultVariance="0" DefaultServiceStatus="open">
<ControlCondition Model="nbx03_024" Variance="0" ServiceStatus="open" />
</ControlConditions>
<ApplyConditions>
<ApplyCondition ApplyOrder="1" Force="false">
<Rules>
<Rule Type="System" Key="FirmwareVersion" Value="121116084" Operator="LessThan" />
</Rules>
<Distributions>
<Distribution ID="UpdateImageFull121116084" Version="121116084" URI="http://info.update.sony.net/ST005/nbx03_024/contents/0012/signed-nbx03_024-ota-121116084.zip" MAC="2284bf08dc9c535c1614721413f5785c56fe9369" Size="232604812" Type="" InstallType="binary" InstallParams="" />
</Distributions>
<Descriptions DefaultLang="Chinese(Simplified)">
<Description Lang="Chinese(Simplified)" Title="Sony Product Update">
<![CDATA[<displayVersion>121116084</displayVersion>
<full>true</full>
<wifionly>false</wifionly>
<battery>30</battery>
<url>http://service.sony.com.cn/st/Importance/52022.htm</url>
<desc>

    2nd part not decrypt...:p

    last part
    Code: 
    res  removed]
  -  Removes  Favorite  application
  -  Removes  DLNA  application
        *  You  will  still  be  able  to  access  DLNA  enabled  devices  within  WALKMAN,  Album  and  Movies
  -  Removes  Throw  feature  within  Gallery  application
        *  You  can  throw  photo/video  using  Album  application
  -  Removes  current  Video  Player  and  Music  Player's  apps/widgets  placed  on  Home  screen
        *  To  be  replaced  by  Movies  and  Walkman

  *1  Sony  Tablet(TM)  S  only
</desc>]]>
                </Description>
            </Descriptions>
        </ApplyCondition>
    </ApplyConditions>
</InformationFile>
    View
    5
    R
    <robin>
    seems debug andriod by ida is easy to start:
    1,make adb work
    2,push file android_server to device(include in ida 6.1)
    Code: 
    adb push android_server /data/local/tmp/
    3,change file attrib and run it
    Code: 
    adb shell
chmod 755 android_server
su
./android_server
    here will display
    Code: 
    IDA Android 32-bit remote debug server(ST) v1.14. Hex-Rays (c) 2004-2011
Listening on port #23946...
    4,open another adb to forward network package
    Code: 
    adb forward tcp:23946 tcp:23946
    5,open ida pro on pc,debug--attach--remote android
    host=loacalhost
    now display
    Code: 
    =========================================================
[1] Accepting connection from localhost(127.0.0.1)...

    just test my work pc and a android phone,succeed link and attach to sh
    will try on my tablet this night...
    ############################################################

    now i'am on sony tablet s:laugh:
    11.jpg


    ##########################################################
    can't attached to target app!

    Could not set the shlib bpt, shared object events will not be handled
    B0001000: loaded /system/bin/linker
    8000: process /system/bin/app_process has started (pid=4473)
    Debugger: attached to process /system/bin/app_process (pid=4473)
    ##########################################################
    http://www.woodmann.com/forum/archive/index.php/t-14714.html
    The IDA 6.1 server (android_server) has problems with the Android 2.3.7 linker (system/bin/linker) so it could only hook to the Android Virtual Machine itself (Zygote) not to the linux native code thus the native code continued to run and didn't halt. Responsible for that is 'system/bin/app_process'. I replaced the binary with an Android 2.2 (Froyo) release and it worked properly then. The only downside is there is no debugger yet that provides hardware breakpoints so you cannot break at data access. You can create memory watches and break regularly to pinpoint the responsible code though.
    ############################################################
    update 2012-12-18 17:29
    so,ida 6.1 debug server not fit our 3.x/4.x os.
    i need find a new version(6.3?) or use gdb server
    arm version gdb server include in android ndk....
    View
    3
    R
    <robin>
    Update:yes i did it,only need is ida 6.1!(no sdk,no ndk,no jre...)
    jump to HOW-TO at post #5

    ##################################################
    Does Anybody try debug on sony tablet?

    we have many unknow for the system,
    eg how update file encrypt(aes key for info.xml in libautomagic_library.so),
    eg,how to decode rom file(in recovery)
    why not to use programer ways,debug it!
    gcc a gdb-server for our device,then remote debug with ida pro
    it's should be best way to learn system.

    Any body try this before?static decompare is not enough!
    automagic.JPG
    automagic1.JPG
    View
    2
    R
    <robin>
    psxpetey said:
    Now that ida has android what exactly does it include and what can you do? can you veiw. .so libraries in reasdable form?
    Click to expand...
    Click to collapse

    what kind of reasdable?
    in arm platform,it can only decode to asm code(win-tel can decode to c code)
    it can show code in graphic view,and youc can ref to the string and variable name.
    graphic.JPG

    for automagic.so,ida can get most function name
    func.JPG

    show relationship of functions
    xref from
    xref.JPG

    xref to
    xref1.JPG

    when stop at breakpoint,you can see the registers value
    R.JPG

    Note:
    step over of debug not works,you can use some breakpoint
    when debug,you can see asm code only if the idb load base is same with inside tablet.
    View
    2
    R
    <robin>
    haha,goood lucking:victory:
    sony update app stop at MY brekpoint!!!!

    here is how:
    1,push both ida debug server(android_server) and gdbserver to sony tablets
    2,run android_server first,forward port 23946 to pc(android_server can't change port)
    a2.JPG
    3,ida attach to app com.sony.autoupdate.ui(android debuger & port 23946)
    a1.JPG
    4,attach will log some error,ingore it(and breakpoint will not stop)
    5,find our target (libautomagic_library.so),in my case it at address 0x81000000
    a3.JPG
    6,deattach(ida android debugger not kill target app)
    7,pull libautomagic_library.so,load at base 0x81000000.set some break point
    (eg,com_sony_automagic_downloader_jni_amclCheckUpdate 0x8100DD54)
    a4.JPG
    8,run gdbserver,set port and target pid,forward the port
    pid can get by commod "ps" in adb shell
    gdb can set any port,i use 1111
    a6.JPG
    9,ida attach,use remote gbd debugger and port 1111
    a5.JPG
    10,let app go,check update now

    if you are lucky,ida will stop at address 0x8100DD54

    only don't stop tool long,in the time i write ,os kill update app for time out
    :cowboy:

    this is gdb debug server in android ndk r8c
    View attachment gdbserver.7z
    View

New posts