
OnePlus One LK (Little Kernel) Bootloader Debugging with IDA


(dylanger)

Senior Member
Hey Guys,

I'm trying to change the way the Android Bootloader functions on my OnePlus One. I've managed to dd my ABOOT partition from my phone and load it into IDA, and I get the following result (0F900000 being ImgBase):
ROM:0F900000 B loc_F900020
ROM:0F900004 B loc_F91B9C4
ROM:0F900008 B loc_F91B9E0
ROM:0F90000C B loc_F91B9FC
ROM:0F900010 B loc_F91BA18
ROM:0F900014 B loc_F91BA34
ROM:0F900018 B loc_F91BA38
ROM:0F90001C B loc_F91BA98

LK's source:
.section ".text.boot"
.globl _start
_start:
b reset
b arm_undefined
b arm_syscall
b arm_prefetch_abort
b arm_data_abort
b arm_reserved
b arm_irq
b arm_fiq


However, when I try to look at how Fastboot is loaded (app/aboot/fastboot.c), IDA doesn't seem to pick it up; it's all hex / not registering as ARM, see below.

ROM:0F9518D0 aRadio DCB "RADIO",0 ; DATA XREF: ROM:0F95514Co
ROM:0F9518D6 DCW 0
ROM:0F9518D8 aRadioUpdateSuc DCB "radio update success",0xA,0
ROM:0F9518EE DCW 0
ROM:0F9518F0 aRadioUpdateFai DCB "radio update failed",0xA,0
ROM:0F951905 DCB 0, 0, 0
ROM:0F951908 DCB 0x66 ; f
ROM:0F951909 DCB 0x61, 0x69, 0x6C
ROM:0F95190C DCD 0x752D6465, 0x74616470, 0x65, 0x61647075, 0x722D6574
ROM:0F95190C DCD 0x6F696461, 0
ROM:0F951928 aStartRadioUpda DCB "start radio update",0xA,0
ROM:0F95193C aFota DCB "FOTA",0
ROM:0F951941 DCB 0, 0, 0
ROM:0F951944 aFotaPartitionW DCB "FOTA partition written successfully!",0
ROM:0F951969 DCB 0, 0, 0
ROM:0F95196C aPartitionSDoes DCB "partition %s doesn't exist",0xA,0
ROM:0F951988 aMmcWriteFailur DCB "mmc write failure %s %d",0xA,0
ROM:0F9519A1 DCB 0, 0, 0
ROM:0F9519A4 aMmcReadFailu_0 DCB "mmc read failure %s %d",0xA,0
ROM:0F9519BC aResetDeviceInf DCB "reset-device-info",0
ROM:0F9519CE DCW 0
ROM:0F9519D0 DCD 0x746F6F72, 0x7465642D, 0x746365, 0x74697257, 0x65722065
ROM:0F9519D0 DCD 0x73657571, 0x756F2074, 0x666F2074, 0x73252720, 0x6F622027
ROM:0F9519D0 DCD 0x61646E75, 0x73656972, 0xA, 0x74697257, 0x20676E69


Has anyone successfully loaded LK Bootloader into IDA? Is there something I'm missing?

Cheers guys!
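Added example (not from the post or from the LK project): given the raw head of a dd'd aboot dump, confirm that it begins with LK's eight-entry vector table and decode the handler addresses that IDA shows as "B loc_...", without depending on IDA's auto-analysis. The sample bytes are constructed by re-encoding the eight branches in the listing above, and IMG_BASE is the ImgBase used in the post.

```python
import struct

# LK's .text.boot vector table (arch/arm/crt0.S): eight unconditional
# branches, one per ARM exception vector, in this fixed order.
LK_VECTORS = ["reset", "arm_undefined", "arm_syscall", "arm_prefetch_abort",
              "arm_data_abort", "arm_reserved", "arm_irq", "arm_fiq"]

# Constructed sample: the first 32 bytes of the dump, re-encoded from the eight
# "B loc_..." lines in the IDA listing above (little-endian ARM words).
SAMPLE_ABOOT_HEAD = bytes.fromhex(
    "060000ea" "6e6e00ea" "746e00ea" "7a6e00ea"
    "806e00ea" "866e00ea" "866e00ea" "9d6e00ea"
)
IMG_BASE = 0x0F900000  # the ImgBase the dump was loaded at in the post


def decode_arm_b(word, pc):
    """Decode an ARM-state B (not BL/BLX) at address pc; None if word is not one.
    Encoding: cond[31:28] 1010 imm24; target = pc + 8 + signext(imm24) << 2."""
    cond, op = word >> 28, (word >> 24) & 0xF
    if cond == 0xF or op != 0xA:
        return None
    imm = word & 0xFFFFFF
    if imm & 0x800000:  # sign-extend the 24-bit immediate
        imm -= 1 << 24
    return (pc + 8 + (imm << 2)) & 0xFFFFFFFF


def lk_vector_table(image, image_base):
    """Map each LK vector name to its handler address. Raises ValueError if the
    first 32 bytes are not eight unconditional ARM branches, i.e. not LK's _start."""
    if len(image) < 32:
        raise ValueError("image shorter than LK's 8-entry vector table")
    table = {}
    for i, word in enumerate(struct.unpack_from("<8I", image, 0)):
        target = decode_arm_b(word, image_base + 4 * i)
        if word >> 28 != 0xE or target is None:  # LK uses plain 'b', cond = AL
            raise ValueError(f"vector {i} ({LK_VECTORS[i]}) is {word:#010x}, not an unconditional B")
        table[LK_VECTORS[i]] = target
    return table


def handler_file_offsets(image, image_base):
    """The same table as offsets into the dd'd file. Branches are PC-relative, so
    these offsets come out identical whatever ImgBase IDA was given; only the
    absolute addresses depend on choosing the right base."""
    return {name: addr - image_base for name, addr in lk_vector_table(image, image_base).items()}
```

Because every entry is PC-relative, the vector table alone cannot tell you the correct ImgBase; it only tells you where in the file each handler lives (reset sits right after the table at offset 0x20, as in crt0.S).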
 

Sultanxda

Recognized Developer

The vanilla LK is open-source: https://www.codeaurora.org/cgit/quic/la/kernel/lk/tree/?h=LA.BF.1.1.1.c3_1
 

(dylanger)

Senior Member
Sultanxda said:
The vanilla LK is open-source: <Omitted URL>

Thank you for that. I did see the git; however, the source doesn't match up with IDA's decompiled ARM assembly. Some of it is rendered in HEX and it's not assembly. I was just wondering if anyone has successfully loaded an ABOOT partition into IDA before?

(URLs below as I couldn't link images)

IDA with the ABOOT / LK Partition Loaded
onedefence.com/public/ABOOT/ABoot1.PNG

IDA at welcome to lk dprintf
onedefence.com/public/ABOOT/ABoot2.PNG

IDA at welcome to lk dprintf Hex View
onedefence.com/public/ABOOT/ABoot3.PNG

LK welcome to lk dprintf source
onedefence.com/public/ABOOT/ABoot4.PNG
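The region that "isn't registering as ARM" in the first post is a table of C strings (each DCD word is four ASCII bytes, little-endian), not code IDA missed. Added example (not the poster's own code): re-serialise a slice of the quoted listing into bytes and split on NUL terminators to recover the strings with their addresses; the slice is assumed contiguous, as it is in the listing.

```python
import re

# Constructed input: a slice of the IDA listing quoted in the post (the
# part "rendered in HEX"), assumed contiguous as in the original listing.
IDA_LISTING = r"""
ROM:0F951905 DCB 0, 0, 0
ROM:0F951908 DCB 0x66 ; f
ROM:0F951909 DCB 0x61, 0x69, 0x6C
ROM:0F95190C DCD 0x752D6465, 0x74616470, 0x65, 0x61647075, 0x722D6574
ROM:0F95190C DCD 0x6F696461, 0
ROM:0F951928 aStartRadioUpda DCB "start radio update",0xA,0
ROM:0F95193C aFota DCB "FOTA",0
"""

ITEM_SIZE = {"DCB": 1, "DCW": 2, "DCD": 4}
LINE_RE = re.compile(r"ROM:([0-9A-Fa-f]+)\s+(?:\w+\s+)?(DCB|DCW|DCD)\s+(.*)")
ITEM_RE = re.compile(r'"([^"]*)"|(0x[0-9A-Fa-f]+|\d+)')  # quoted text or a number


def listing_to_bytes(listing):
    """Re-serialise DCB/DCW/DCD lines into the raw bytes they describe.
    Returns (start_address, bytes). IDA repeats the address on wrapped DCD
    lines, so bytes are appended in order rather than seeking per line."""
    base, buf = None, bytearray()
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines and anything that is not a data directive
        addr, directive, operands = m.groups()
        base = int(addr, 16) if base is None else base
        size = ITEM_SIZE[directive]
        for text, number in ITEM_RE.findall(operands.split(";", 1)[0]):  # drop ; comment
            buf += int(number, 0).to_bytes(size, "little") if number else text.encode("latin-1")
    return base, bytes(buf)


def recover_c_strings(listing):
    """Return [(address, text)] for every NUL-terminated printable run, so the
    DCD words above come back as the C strings they actually are."""
    base, buf = listing_to_bytes(listing)
    out, pos = [], 0
    while (end := buf.find(b"\0", pos)) != -1:
        run = buf[pos:end]
        if run and all(32 <= b < 127 or b in b"\n\t" for b in run):
            out.append((base + pos, run.decode("latin-1")))
        pos = end + 1
    return out
```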
 

(dylanger)

Senior Member
Continued from: http://forum.xda-developers.com/android/help/phones-secure-boot-locked-bootloader-t3276098/page2

Have you tried the latest aboot from CM13 nightly?
https://download.cyanogenmod.org/?device=bacon

I've tested it and it boots with CM12.1, and is actually a newer version. I haven't had a chance to spin up a machine with IDA to check these out yet; I'll probably take a crack at it tomorrow.

Hmm, no dice, same outcome as before; just tested with the latest CM13 nightlies.
IDA6.PNG


I think it's because the plugin is old. Hmm, this could open up a few doors though, like password-protected fastboot commands, i.e. "fastboot flash recovery someRecovery.img sp3c1alK3y".

I wonder why IDA isn't picking up the ARM Assembly?
 

binsol

Member
I'm getting the same output on the newer aboots as well. I'm going to have to brush up on IDA, it's been a while.

(dylanger) said:
I think this could also unlock the ability to change the boot splash screens on newer firmware, as the images in the LOGO partition are encrypted; the code inside of this newer ABOOT could contain the decryption process.

Do the older aboots have this code, or is this only something in the more recent ones that don't disassemble?
 

(dylanger)

Senior Member
binsol said:
I'm getting the same output on the newer aboots as well. I'm going to have to brush up on IDA, it's been a while.

Do the older aboots have this code, or is this only something in the more recent ones that don't disassemble?

Yeah, the older one does, but it looks like someone has actually managed to extract PNGs from the newer LOGO.bin (CM12 and 13):
http://forum.xda-developers.com/oneplus-one/themes-apps/mod-cm12-logo-bin-image-injector-v1-0-t3161139

I have an understanding of ARM and assembly but not much on the actual loading of files into IDA. Heaps of possibilities with this though.