
On Device Debug!IDA+GDB trace automagic.apk in s1[success!]

16th December 2012, 03:44 PM | #1
OP <robin> (Senior Member, joined Jun 2012)
Update: yes, I did it; all you need is IDA 6.1! (no SDK, no NDK, no JRE...)
Jump to the HOW-TO at post #5.

##################################################
Does anybody try debugging on the Sony tablet?

We have many unknowns about the system,
e.g. how the update file is encrypted (AES key for info.xml in libautomagic_library.so),
e.g. how to decode the ROM file (in recovery).
Why not use the programmer's way: debug it!
gcc a gdb-server for our device, then remote debug with IDA Pro.
It should be the best way to learn the system.

Anybody try this before? Static decompilation is not enough!
[Image: automagic.JPG]
[Image: automagic1.JPG]
Last edited by <robin>; 20th December 2012 at 02:15 AM.
17th December 2012, 03:37 AM | #2
OP <robin>
Just learned that IDA 6.x includes an android_server for remote debug!
My version is 5.5, too old.

Will get the new version and try....

By the way, found a thread about debugging Android .so files with IDA:
http://forum.xda-developers.com/show...6&postcount=19
17th December 2012, 07:43 AM | #3
OP <robin>
Seems debugging Android with IDA is easy to start:
1. Make adb work.
2. Push the file android_server to the device (included in IDA 6.1).
Code:
adb push android_server /data/local/tmp/
3. Change the file attributes and run it.
Code:
adb shell
cd /data/local/tmp
chmod 755 android_server
su
./android_server
Here it will display:
Code:
IDA Android 32-bit remote debug server(ST) v1.14. Hex-Rays (c) 2004-2011
Listening on port #23946...
4. Open another adb to forward network packets.
Code:
adb forward tcp:23946 tcp:23946
5. Open IDA Pro on the PC: debug -> attach -> remote android, host=localhost.
Now it displays:
Code:
=========================================================
[1] Accepting connection from localhost(127.0.0.1)...
Just tested on my work PC and an Android phone; successfully linked and attached to sh.
Will try on my tablet tonight...
##################################################

Now I'm on the Sony Tablet S.
[Image: 11.jpg]

##################################################
Can't attach to the target app!

Could not set the shlib bpt, shared object events will not be handled
B0001000: loaded /system/bin/linker
8000: process /system/bin/app_process has started (pid=4473)
Debugger: attached to process /system/bin/app_process (pid=4473)
##################################################
http://www.woodmann.com/forum/archiv...p/t-14714.html
The IDA 6.1 server (android_server) has problems with the Android 2.3.7 linker (system/bin/linker) so it could only hook to the Android Virtual Machine itself (Zygote) not to the linux native code thus the native code continued to run and didn't halt. Responsible for that is 'system/bin/app_process'. I replaced the binary with an Android 2.2 (Froyo) release and it worked properly then. The only downside is there is no debugger yet that provides hardware breakpoints so you cannot break at data access. You can create memory watches and break regularly to pinpoint the responsible code though.
##################################################
Update 2012-12-18 17:29
So, the IDA 6.1 debug server does not fit our 3.x/4.x OS.
I need to find a new version (6.3?) or use gdb server.
An ARM version of gdb server is included in the Android NDK....
Last edited by <robin>; 18th December 2012 at 10:29 AM.
17th December 2012, 06:46 PM | #4
condi (Senior Member)
Niceeeeeeeee, keep on the good work!
18th December 2012, 04:15 PM | #5
OP <robin>
Haha, good luck!
Sony update app stops at MY breakpoint!!!!

Here is how:
1. Push both the IDA debug server (android_server) and gdbserver to the Sony tablet.
2. Run android_server first, forward port 23946 to the PC (android_server can't change port).
[Image: a2.JPG]
3. IDA attach to app com.sony.autoupdate.ui (Android debugger & port 23946).
[Image: a1.JPG]
4. Attach will log some errors, ignore them (and breakpoints will not stop).
5. Find our target (libautomagic_library.so); in my case it is at address 0x81000000.
[Image: a3.JPG]
6. Detach (the IDA Android debugger does not kill the target app).
7. Pull libautomagic_library.so, load it at base 0x81000000, and set some breakpoints
(e.g. com_sony_automagic_downloader_jni_amclCheckUpdate at 0x8100DD54).
[Image: a4.JPG]
8. Run gdbserver, set the port and target pid, forward the port.
The pid can be obtained with the command "ps" in adb shell.
gdb can use any port; I use 1111.
[Image: a6.JPG]
9. IDA attach, use the remote gdb debugger and port 1111.
[Image: a5.JPG]
10. Let the app go, check update now.

If you are lucky, IDA will stop at address 0x8100DD54.

Only don't stop too long; in the time I write this, the OS kills the update app for timeout.


This is the gdb debug server from Android NDK r8c:
gdbserver.7z
Last edited by <robin>; 3rd January 2013 at 09:37 AM.
18th December 2012, 05:49 PM | #6
OP <robin>
OK, we know the file info.xml is encrypted with AES 128 (eaid:ENC0003).
25_info.7z
So I set 2 breakpoints in the function "amclAesDecrypt",
as in image 1.
[Image: b.JPG]

Stop at break 1:
R0 is the address of the encrypted data, first 16 bytes of info.xml, 0x0DE80978...
R1 is the output buffer, filled with 0
R2 is 3, for (eaid)
R3 is 0x10, for key/clip length
[Image: b1.1.JPG]

Stop at break 2:
R0 is the return error code, 0 for no error
R8 is the input data (another debug session, address changed)
R9 is the plaintext, first 16 bytes of the XML
[Image: b2.1.JPG]

But I still don't know where the key is.
Will continue tomorrow.

First part of info.xml:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<InformationFile Version="1.0" LastUpdate="2012-12-10T04:36:03Z" Noop="false">
<Extensions>
<Extension Key="ExtensionKey" Value="ExtensionValue" />
</Extensions>
<ControlConditions DefaultVariance="0" DefaultServiceStatus="open">
<ControlCondition Model="nbx03_024" Variance="0" ServiceStatus="open" />
</ControlConditions>
<ApplyConditions>
<ApplyCondition ApplyOrder="1" Force="false">
<Rules>
<Rule Type="System" Key="FirmwareVersion" Value="121116084" Operator="LessThan" />
</Rules>
<Distributions>
<Distribution ID="UpdateImageFull121116084" Version="121116084" URI="http://info.update.sony.net/ST005/nbx03_024/contents/0012/signed-nbx03_024-ota-121116084.zip" MAC="2284bf08dc9c535c1614721413f5785c56fe9369" Size="232604812" Type="" InstallType="binary" InstallParams="" />
</Distributions>
<Descriptions DefaultLang="Chinese(Simplified)">
<Description Lang="Chinese(Simplified)" Title="Sony Product Update">
<![CDATA[<displayVersion>121116084</displayVersion>
<full>true</full>
<wifionly>false</wifionly>
<battery>30</battery>
<url>http://service.sony.com.cn/st/Importance/52022.htm</url>
<desc>
2nd part not decrypted...

Last part:
Code:
res  removed]
  -  Removes  Favorite  application
  -  Removes  DLNA  application
        *  You  will  still  be  able  to  access  DLNA  enabled  devices  within  WALKMAN,  Album  and  Movies
  -  Removes  Throw  feature  within  Gallery  application
        *  You  can  throw  photo/video  using  Album  application
  -  Removes  current  Video  Player  and  Music  Player's  apps/widgets  placed  on  Home  screen
        *  To  be  replaced  by  Movies  and  Walkman

  *1  Sony  Tablet(TM)  S  only
</desc>]]>
                </Description>
            </Descriptions>
        </ApplyCondition>
    </ApplyConditions>
</InformationFile>
Last edited by <robin>; 20th December 2012 at 02:18 AM.
20th December 2012, 11:15 AM | #7
Senior Member
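The decrypted info.xml fragment above is what the updater evaluates to decide whether an OTA applies. As an added example (not the thread author's code), here is a small Python parser for that format that checks the ApplyCondition rules against a device firmware version and returns the distributions that would be fetched, including the MAC and Size fields an installer must verify before applying anything; the XML below is a constructed, trimmed copy of the quoted fragment, and the Equal/GreaterThan operator names are assumed (only LessThan appears in the thread).

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed copy of the decrypted info.xml quoted in the thread (CDATA description dropped)
SAMPLE_INFO_XML = """<?xml version="1.0" encoding="UTF-8"?>
<InformationFile Version="1.0" LastUpdate="2012-12-10T04:36:03Z" Noop="false">
 <ApplyConditions>
  <ApplyCondition ApplyOrder="1" Force="false">
   <Rules>
    <Rule Type="System" Key="FirmwareVersion" Value="121116084" Operator="LessThan" />
   </Rules>
   <Distributions>
    <Distribution ID="UpdateImageFull121116084" Version="121116084"
     URI="http://info.update.sony.net/ST005/nbx03_024/contents/0012/signed-nbx03_024-ota-121116084.zip"
     MAC="2284bf08dc9c535c1614721413f5785c56fe9369" Size="232604812" InstallType="binary" />
   </Distributions>
  </ApplyCondition>
 </ApplyConditions>
</InformationFile>
"""

# Only LessThan appears in the thread; Equal and GreaterThan are assumed names for the other comparisons
OPERATORS = {
    "LessThan": lambda have, want: have < want,
    "Equal": lambda have, want: have == want,
    "GreaterThan": lambda have, want: have > want,
}

def rule_matches(rule, device):
    """Evaluate one <Rule> against a dict of device properties; fail closed on anything unknown."""
    key, op = rule.get("Key"), rule.get("Operator")
    if key not in device or op not in OPERATORS:
        return False
    try:
        return OPERATORS[op](int(device[key]), int(rule.get("Value")))
    except (TypeError, ValueError):
        return False  # non-numeric version strings never satisfy a numeric comparison

def applicable_distributions(xml_text, device):
    """Return the <Distribution> entries whose ApplyCondition rules all hold for this device,
    in ApplyOrder. Each entry carries the URI plus the MAC and Size the installer must verify."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.get("Noop") == "true":  # server told the client there is nothing to do
        return []
    matched = []
    for cond in sorted(root.iter("ApplyCondition"), key=lambda c: int(c.get("ApplyOrder", "0"))):
        rules = list(cond.iter("Rule"))
        if rules and all(rule_matches(r, device) for r in rules):
            for dist in cond.iter("Distribution"):
                matched.append({k: dist.get(k) for k in ("ID", "Version", "URI", "MAC", "Size")})
    return matched
```

Run it with a firmware version below 121116084 to see the full OTA selected, and with the current version to see that nothing applies.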
Whoa! Great work.
21st December 2012, 01:57 AM | #8
psxpetey (Senior Member)
Now that IDA has Android, what exactly does it include and what can you do? Can you view .so libraries in readable form?

Sent from my Sony Tablet S using xda app-developers app
21st December 2012, 04:45 AM | #9
OP <robin>
Quote:
Originally Posted by psxpetey

Now that IDA has Android, what exactly does it include and what can you do? Can you view .so libraries in readable form?

What kind of readable?
On the ARM platform, it can only decode to asm code (win-tel can decode to C code).
It can show code in graphic view, and you can refer to the string and variable names.
[Image: graphic.JPG]

For automagic.so, IDA can get most function names.
[Image: func.JPG]

Show relationships of functions:
xref from
[Image: xref.JPG]

xref to
[Image: xref1.JPG]

When stopped at a breakpoint, you can see the register values.
[Image: R.JPG]

Note:
Step over in debug does not work; you can use some breakpoints.
When debugging, you can see asm code only if the idb load base is the same as inside the tablet.
21st December 2012, 05:29 AM | #10
psxpetey (Senior Member)
Well, I need to add a couple of things to a function in a .so library, but using 5.5 I can't figure out how. What I'm trying to do is add an fwrite() and fopen() to an uncompress function so I can dump some unencrypted data, because the original files are encrypted.

Sent from my Sony Tablet S using xda app-developers app