XDA Developers Android and Mobile Development Forum

On Device Debug!IDA+GDB trace automagic.apk in s1[success!]

#1 <robin> (Last edited by <robin>; 20th December 2012 at 01:15 AM.)

Update: yes, I did it, and all you need is IDA 6.1 (no SDK, no NDK, no JRE...).
Jump to the HOW-TO at post #5.

##################################################
Has anybody tried debugging on the Sony tablet?

There are many unknowns in this system,
e.g. how the update file is encrypted (the AES key for info.xml in libautomagic_library.so),
e.g. how to decode the ROM file (in recovery).
Why not use the programmer's way: debug it!
gcc a gdb-server for our device, then remote debug with IDA Pro.
That should be the best way to learn the system.

Has anybody tried this before? Static decompiling is not enough!
[Image: automagic.JPG]
[Image: automagic1.JPG]
 
#2 <robin>
Just learned that IDA 6.x includes an android_server for remote debugging!
My version is 5.5, too old.

Will get the new version and try....

By the way, found a thread about debugging Android .so files with IDA:
http://forum.xda-developers.com/show...6&postcount=19
 
#3 <robin> (Last edited by <robin>; 18th December 2012 at 09:29 AM.)
Seems debugging Android with IDA is easy to start:
1. Make adb work.
2. Push the file android_server (included in IDA 6.1) to the device:
Code:
adb push android_server /data/local/tmp/
3. Change the file attributes and run it (the server needs root):
Code:
adb shell
cd /data/local/tmp
chmod 755 android_server
su
./android_server
Here it will display:
Code:
IDA Android 32-bit remote debug server(ST) v1.14. Hex-Rays (c) 2004-2011
Listening on port #23946...
4. Open another adb to forward the network packets:
Code:
adb forward tcp:23946 tcp:23946
5. Open IDA Pro on the PC, Debugger -> Attach -> Remote Android debugger,
host=localhost.
Now it displays:
Code:
=========================================================
[1] Accepting connection from localhost(127.0.0.1)...
Just tested on my work PC and an Android phone: linked and attached to sh successfully.
Will try on my tablet tonight...
################################################## ##########

Now I'm on the Sony Tablet S:
[Image: 11.jpg]


################################################## ########
Can't attach to the target app!

Could not set the shlib bpt, shared object events will not be handled
B0001000: loaded /system/bin/linker
8000: process /system/bin/app_process has started (pid=4473)
Debugger: attached to process /system/bin/app_process (pid=4473)
################################################## ########
http://www.woodmann.com/forum/archiv...p/t-14714.html
The IDA 6.1 server (android_server) has problems with the Android 2.3.7 linker (system/bin/linker) so it could only hook to the Android Virtual Machine itself (Zygote) not to the linux native code thus the native code continued to run and didn't halt. Responsible for that is 'system/bin/app_process'. I replaced the binary with an Android 2.2 (Froyo) release and it worked properly then. The only downside is there is no debugger yet that provides hardware breakpoints so you cannot break at data access. You can create memory watches and break regularly to pinpoint the responsible code though.
################################################## ##########
update 2012-12-18 17:29
So the IDA 6.1 debug server does not fit our 3.x/4.x OS.
I need to find a newer version (6.3?) or use gdbserver;
an ARM gdbserver is included in the Android NDK....
 
#4 condi
Niceeeeeeeee, keep up the good work!
 
#5 <robin> (Last edited by <robin>; 3rd January 2013 at 08:37 AM.)
Haha, lucky!
The Sony update app stops at MY breakpoint!!!!

Here is how:
1. Push both the IDA debug server (android_server) and gdbserver to the Sony tablet.
2. Run android_server first and forward port 23946 to the PC (android_server can't change its port).
[Image: a2.JPG]
3. In IDA, attach to the app com.sony.autoupdate.ui (Android debugger, port 23946).
[Image: a1.JPG]
4. The attach will log some errors; ignore them (and the breakpoint will not stop).
5. Find our target (libautomagic_library.so); in my case it is at address 0x81000000.
[Image: a3.JPG]
6. Detach (the IDA Android debugger does not kill the target app).
7. Pull libautomagic_library.so, load it at base 0x81000000 and set some breakpoints
(e.g. com_sony_automagic_downloader_jni_amclCheckUpdate at 0x8100DD54).
[Image: a4.JPG]
8. Run gdbserver, set the port and target pid, and forward the port.
The pid can be obtained with the command "ps" in an adb shell.
gdbserver can use any port; I use 1111.
[Image: a6.JPG]
9. In IDA, attach using the Remote GDB debugger and port 1111.
[Image: a5.JPG]
10. Let the app go and check for updates now.

If you are lucky, IDA will stop at address 0x8100DD54.

Only don't stop for too long: in the time I was writing, the OS killed the update app for timeout.


This is the gdb debug server from Android NDK r8c:
Attachment: gdbserver.7z
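The attach sequence from posts #3 and #5, scripted, as an added example that is not code from the original thread. It assumes adb on PATH, a rooted tablet with su, and android_server (from IDA 6.1) plus gdbserver (NDK r8c) in the current directory; the package name, library name and ports are the ones the post uses, and the `ps`/maps sample text at the bottom is constructed so the parsing helpers can be checked with no device attached. Pulling the library base out of /proc/<pid>/maps is the step the post does by eye in IDA: the pulled .so must be loaded at that base or the disassembly will not line up with the running code.

```shell
#!/bin/sh
# Added example, not code from the original thread: the attach sequence of
# post #5. Assumed: adb on PATH, a rooted tablet with su, and android_server
# (IDA 6.1) plus gdbserver (NDK r8c) in the current directory.
set -eu

PKG="com.sony.autoupdate.ui"
LIB="libautomagic_library.so"
IDA_PORT=23946   # android_server cannot change its port
GDB_PORT=1111    # the OP's choice; gdbserver accepts any port

# pid of a package from toolbox `ps` output on stdin
# (columns: USER PID PPID VSIZE RSS WCHAN PC S NAME; NAME is last)
pid_from_ps() {
    awk -v pkg="$1" '$NF == pkg { print $2; exit }'
}

# Load base of a library from /proc/<pid>/maps text on stdin: the first
# mapping of that file with file offset 0. Load the pulled .so at this
# base in IDA, otherwise breakpoint addresses will not match the tablet.
base_from_maps() {
    awk -v lib="$1" 'index($NF, lib) && $3 == "00000000" { split($1, a, "-"); print "0x" a[1]; exit }'
}

push_and_start() {
    adb push android_server /data/local/tmp/
    adb push gdbserver /data/local/tmp/
    adb shell "chmod 755 /data/local/tmp/android_server /data/local/tmp/gdbserver"
    # android_server stays in the foreground: background it and forward its port
    adb shell "su -c /data/local/tmp/android_server" &
    adb forward "tcp:$IDA_PORT" "tcp:$IDA_PORT"
}

attach_gdbserver() {
    pid=$(adb shell ps | tr -d '\r' | pid_from_ps "$PKG")
    if [ -z "$pid" ]; then
        echo "$PKG is not running; start the updater on the tablet first" >&2
        return 1
    fi
    base=$(adb shell "su -c 'cat /proc/$pid/maps'" | tr -d '\r' | base_from_maps "$LIB")
    echo "$PKG pid=$pid  $LIB base=$base  (load the pulled .so at this base in IDA)"
    adb forward "tcp:$GDB_PORT" "tcp:$GDB_PORT"
    # gdbserver --attach <pid>; IDA then connects with the Remote GDB debugger on localhost:$GDB_PORT
    adb shell "su -c '/data/local/tmp/gdbserver :$GDB_PORT --attach $pid'"
}

# Constructed sample `ps` and maps output (not captured from a real device)
# so the parsing helpers can be exercised with no tablet attached.
SAMPLE_PS='USER     PID   PPID  VSIZE  RSS     WCHAN    PC         NAME
root      1     0     312    204   c00b5d6c 0000c7a4 S /init
app_12    2731  112   183564 42112 ffffffff 400d2d8c S com.sony.autoupdate.ui'
SAMPLE_MAPS='81000000-8102a000 r-xp 00000000 b3:0c 1234 /data/data/com.sony.autoupdate.ui/lib/libautomagic_library.so
8102a000-8102c000 rw-p 0002a000 b3:0c 1234 /data/data/com.sony.autoupdate.ui/lib/libautomagic_library.so'

if [ "${1:-}" = "run" ]; then
    push_and_start
    attach_gdbserver
else
    echo "usage: $0 run   (with a device attached); offline demo on sample data:"
    printf '%s\n' "$SAMPLE_PS" | pid_from_ps "$PKG"
    printf '%s\n' "$SAMPLE_MAPS" | base_from_maps "$LIB"
fi
```

Run it as `sh attach.sh run` with the tablet connected and the updater already started; without `run` it only shows the pid and base extracted from the constructed sample text. The `tr -d '\r'` matters: older adb shells return CRLF, and the stray carriage return would otherwise end up in the pid passed to gdbserver.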
 
#6 <robin> (Last edited by <robin>; 20th December 2012 at 01:18 AM.)
OK, we know the file info.xml is encrypted with AES-128 (eaid: ENC0003).
Attachment: 25_info.7z
So I set 2 breakpoints in the function "amclAesDecrypt",
as in image 1:
[Image: b.JPG]

Stopped at breakpoint 1:
R0 is the address of the ciphertext, the first 16 bytes of info.xml, 0x0DE80978...
R1 is the output buffer, filled with 0
R2 is 3, for (eaid)
R3 is 0x10, for the key/cipher length
[Image: b1.1.JPG]

Stopped at breakpoint 2:
R0 is the return error code, 0 for no error
R8 is the input data (another debug session, address changed)
R9 is the plaintext, the first 16 bytes of the XML
[Image: b2.1.JPG]

But I still don't know where the key is.
Will continue tomorrow.

First part of info.xml:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<InformationFile Version="1.0" LastUpdate="2012-12-10T04:36:03Z" Noop="false">
<Extensions>
<Extension Key="ExtensionKey" Value="ExtensionValue" />
</Extensions>
<ControlConditions DefaultVariance="0" DefaultServiceStatus="open">
<ControlCondition Model="nbx03_024" Variance="0" ServiceStatus="open" />
</ControlConditions>
<ApplyConditions>
<ApplyCondition ApplyOrder="1" Force="false">
<Rules>
<Rule Type="System" Key="FirmwareVersion" Value="121116084" Operator="LessThan" />
</Rules>
<Distributions>
<Distribution ID="UpdateImageFull121116084" Version="121116084" URI="http://info.update.sony.net/ST005/nbx03_024/contents/0012/signed-nbx03_024-ota-121116084.zip" MAC="2284bf08dc9c535c1614721413f5785c56fe9369" Size="232604812" Type="" InstallType="binary" InstallParams="" />
</Distributions>
<Descriptions DefaultLang="Chinese(Simplified)">
<Description Lang="Chinese(Simplified)" Title="Sony Product Update">
<![CDATA[<displayVersion>121116084</displayVersion>
<full>true</full>
<wifionly>false</wifionly>
<battery>30</battery>
<url>http://service.sony.com.cn/st/Importance/52022.htm</url>
<desc>
2nd part not decrypted...

Last part:
Code:
res removed]
  - Removes Favorite application
  - Removes DLNA application
        * You will still be able to access DLNA enabled devices within WALKMAN, Album and Movies
  - Removes Throw feature within Gallery application
        * You can throw photo/video using Album application
  - Removes current Video Player and Music Player's apps/widgets placed on Home screen
        * To be replaced by Movies and Walkman

  *1 Sony Tablet(TM) S only
</desc>]]>
                </Description>
            </Descriptions>
        </ApplyCondition>
    </ApplyConditions>
</InformationFile>
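Post #6 establishes two facts that together give a cheap key check: amclAesDecrypt handles one 16-byte block, and the decrypted info.xml starts with the XML prolog, so the plaintext of the first block is known in full (`<?xml version="1`, exactly 16 bytes). The script below, an added example and not code from the thread, tries candidate 16-byte keys (whatever is dumped from registers or memory at the breakpoint) against the first ciphertext block with openssl. It assumes openssl on PATH and ECB, or CBC with a zero IV, which yields the same first block; the library's real mode and IV handling are not known from the thread, and a UTF-8 BOM in front of the prolog would shift the known plaintext. The key and ciphertext it demonstrates on are constructed locally, not the real Sony key or real info.xml bytes.

```shell
#!/bin/sh
# Added example, not code from the original thread: known-plaintext check of
# candidate AES-128 keys against the first block of info.xml (post #6).
# Assumes openssl on PATH; ECB or CBC-with-zero-IV (same first block).
set -eu

KNOWN_PT='<?xml version="1'    # first 16 bytes of info.xml (no BOM assumed)

# check_key KEYHEX CT_FILE: exit 0 if decrypting the 16-byte block in
# CT_FILE with the key yields the known prolog, 1 otherwise.
check_key() {
    tmp=$(mktemp)
    if openssl enc -d -aes-128-ecb -K "$1" -nopad -in "$2" -out "$tmp" 2>/dev/null \
       && printf '%s' "$KNOWN_PT" | cmp -s - "$tmp"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# find_key CT_FILE KEYHEX...: print the first candidate that decrypts the
# block to the known prolog; exit 1 if none does.
find_key() {
    ct="$1"; shift
    for k in "$@"; do
        if check_key "$k" "$ct"; then echo "$k"; return 0; fi
    done
    return 1
}

# Constructed test vector: a throwaway key and the ciphertext of the known
# block under it, generated here (not the real Sony key or info.xml bytes).
DEMO_KEY=000102030405060708090a0b0c0d0e0f
make_demo_ct() {   # make_demo_ct OUT_FILE
    printf '%s' "$KNOWN_PT" | openssl enc -aes-128-ecb -K "$DEMO_KEY" -nopad -out "$1"
}

# Real use: dd if=info.xml of=block.bin bs=16 count=1, then
#   find_key block.bin <keyhex candidates...>
if command -v openssl >/dev/null 2>&1 && [ "${1:-}" = "demo" ]; then
    ct=$(mktemp); make_demo_ct "$ct"
    echo "ciphertext block: $(od -An -tx1 "$ct" | tr -d ' \n')"
    find_key "$ct" deadbeefdeadbeefdeadbeefdeadbeef "$DEMO_KEY" && echo "(matched)"
    rm -f "$ct"
fi
```

`sh keycheck.sh demo` encrypts the known block under the throwaway key, then shows find_key rejecting a wrong candidate and printing the right one. With `-nopad` a wrong key does not error out, it just yields 16 garbage bytes, which is why the comparison against the known prolog, not the openssl exit status, decides.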
 
#7 Meelouw
Whoa! Great work.
 
#8 psxpetey
Now that IDA has Android, what exactly does it include and what can you do? Can you view .so libraries in readable form?
 
#9 <robin>
Quote:
Originally Posted by psxpetey
Now that IDA has Android, what exactly does it include and what can you do? Can you view .so libraries in readable form?
What kind of readable?
On the ARM platform it can only decode to asm code (Win-Intel can decode to C code).
It can show code in graph view, and you can see references to strings and variable names.
[Image: graphic.JPG]

For automagic.so, IDA can get most function names:
[Image: func.JPG]

Show the relationships between functions:
xref from:
[Image: xref.JPG]

xref to:
[Image: xref1.JPG]

When stopped at a breakpoint, you can see the register values:
[Image: R.JPG]

Note:
Step over in the debugger does not work; you can use breakpoints instead.
When debugging, you can see the asm code only if the IDB load base is the same as inside the tablet.
 
#10 psxpetey
Well, I need to add a couple of things to a function in a .so library, but using 5.5 I can't figure out how. What I'm trying to do is add an fwrite() and fopen() to an uncompress function so I can dump some unencrypted data, because the original files are encrypted.
