Binary disassembly and decompilation howto using Ghidra #44

Open
nbritton opened this issue May 4, 2020 · 6 comments

Comments

@nbritton

nbritton commented May 4, 2020

The main chip on my AirSense 10 AutoSet is a STMicroelectronics STM32F405ZGT6. This is an ARM Cortex-M4 with a 32-bit ISA; however, the Internet says the Cortex-M series only supports the 16-bit Thumb ISA.

STM32F405ZG Datasheet:
https://www.st.com/resource/en/datasheet/stm32f405zg.pdf

16-bit Thumb ISA Quick Reference:
http://infocenter.arm.com/help/topic/com.arm.doc.qrc0006e/QRC0006_UAL16.pdf

High-res photos of the front and back of the main board in the AirSense 10 AutoSet: http://imgur.com/a/01iV4kP

I was able to successfully disassemble and decompile functions into C source code using Ghidra; below are the steps that I followed:

https://ghidra-sre.org
https://www.oracle.com/java/technologies/javase-jdk14-downloads.html

[ten screenshots of the Ghidra steps, taken 2020-05-03, not reproduced here]

@dblunk88

dblunk88 commented May 4, 2020

Thank you for the detailed guide, but I also think that you need to set the load address to 0x8000000

@nbritton
Author

nbritton commented May 4, 2020

Yeah, I think you could be right. 08008590 is a data block referenced by a pointer located at 08004128, and PTR_DAT_08004108 is referenced by FUN_08004100:08004100, which returns the pointer data. That appears to make more sense.

Are we able to share the decompiled source code? Just wondering on the best way to collaborate on deconstructing what the functions and parameter data are doing.

At the very least I'd like to figure out how to clear the gibberish that is displayed on my home screen.

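Added example (mine, not the project's patch script or anything posted in this thread): a small Python helper that makes the load-address point above and nbritton's pointer chain concrete. It maps between flash addresses and raw-image offsets (the offsets the patch script uses), sanity-checks the Cortex-M vector table at the start of the image, which is the quickest way to see that a base other than 0x08000000 is wrong, and dereferences a stored pointer the way Ghidra's PTR_DAT_xxxx labels do. The flash base and 1 MB size are from the STM32F405ZG; the 128 KB main SRAM window is my assumption, and the sample image is constructed.

```python
import struct

FLASH_BASE = 0x08000000            # STM32F405 flash base: the load address dblunk88 refers to
FLASH_SIZE = 1024 * 1024           # 1 MB on the "ZG" part
SRAM_BASE, SRAM_SIZE = 0x20000000, 128 * 1024   # assumed main SRAM window (check the datasheet)

def addr_to_offset(addr, base=FLASH_BASE):
    """Flash address -> offset in the raw image (e.g. 0x08017588 -> 0x17588, the
    style of offset the patch-airsense script uses)."""
    if not base <= addr < base + FLASH_SIZE:
        raise ValueError(f"{addr:#010x} is outside flash")
    return addr - base

def offset_to_addr(offset, base=FLASH_BASE):
    """Inverse mapping: the address Ghidra shows once the image is loaded at base."""
    return base + offset

def vector_table_checks(image, base=FLASH_BASE):
    """Sanity-check the Cortex-M vector table at the start of the image: word 0 is
    the initial stack pointer (should land in SRAM), word 1 the reset handler
    (should be inside the image, with bit 0 set because Cortex-M only runs Thumb).
    A wrong base shows up as a reset vector that falls outside the image."""
    sp, reset = struct.unpack_from("<II", image, 0)
    return {
        "sp_in_sram": SRAM_BASE <= sp <= SRAM_BASE + SRAM_SIZE,
        "reset_is_thumb": bool(reset & 1),
        "reset_in_image": base <= (reset & ~1) < base + len(image),
    }

def deref(image, ptr_addr, base=FLASH_BASE):
    """Read the 32-bit little-endian pointer stored at ptr_addr and return the
    address it holds (Ghidra's PTR_DAT_xxxx -> DAT_xxxx relation)."""
    (target,) = struct.unpack_from("<I", image, addr_to_offset(ptr_addr, base))
    return target

def patch_bytes(image, offset, data):
    """Overwrite bytes at a file offset, as the patch script does with printf | patch."""
    if offset + len(data) > len(image):
        raise ValueError("patch runs past end of image")
    return image[:offset] + data + image[offset + len(data):]

# Constructed sample: eight words that look like the head of an STM32 image.
# Word 6 (offset 0x18, address 0x08000018) is a pointer to address 0x08000010.
SAMPLE = struct.pack("<8I", 0x20020000, 0x08000011, 0x08000021, 0, 0,
                     0, 0x08000010, 0xDEADBEEF)

if __name__ == "__main__":
    print(vector_table_checks(SAMPLE))
    print(hex(deref(SAMPLE, 0x08000018)))
```

Loading the same bytes at base 0 instead makes the reset vector fall outside the image, which is the symptom of the wrong load address.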
@gszakacs

gszakacs commented May 4, 2020

Not sure if I understand you correctly, but if you are referring to gibberish as
[screenshot of the home screen]
then simply comment out the following two lines in the patch-airsense file:

FLAGSTR=$(printf 'FLAGS=0x%02x' $BUILD_FLAGS)
printf $FLAGSTR | patch 0x17588

COMMIT_HASH=$(git log -n1 --format=format:"%H" | head -c 7)
printf 'GIT=%s\x00' $COMMIT_HASH | patch 0x17764

This will leave the button titles with their original values, which are:
My options
and
Sleep Report

@wormyrocks
Collaborator

Yes, those options are for debugging purposes - it gives an at-a-glance view of what version of the hacked firmware has been compiled as well as which UI settings have been enabled or disabled. Feel free to comment that out of the patch script.

@nbritton
Author

nbritton commented May 5, 2020

OK, cool. I didn't realize those were intentional; I just thought it was some gibberish buffer overflow or something. I'm a principal computer systems engineer, but this project isn't anywhere near my area of specialization, so I don't have a lot of direct experience with reverse engineering.

@jjsardar

How do I change the image on the home screen?
