
Binary disassembly and decompilation howto using Ghidra

Open nbritton opened this issue 5 years ago • 6 comments

The main chip on my AirSense 10 AutoSet is a STMicroelectronics STM32F405ZGT6. This is an ARM Cortex-M4, a 32-bit ISA; however, the Internet says the Cortex-M series only supports the 16-bit Thumb ISA.

STM32F405ZG Datasheet: https://www.st.com/resource/en/datasheet/stm32f405zg.pdf

16-bit Thumb ISA Quick Reference: http://infocenter.arm.com/help/topic/com.arm.doc.qrc0006e/QRC0006_UAL16.pdf

High-res photos of the front and back of the main board in the AirSense 10 AutoSet: http://imgur.com/a/01iV4kP

I was able to successfully disassemble and decompile functions into C source code using Ghidra; below are the steps that I followed:

https://ghidra-sre.org
https://www.oracle.com/java/technologies/javase-jdk14-downloads.html

[Ten screenshots of the Ghidra import and analysis steps, taken 2020-05-03; images not preserved in this text]

nbritton avatar May 04 '20 04:05 nbritton

Thank you for the detailed guide, but I also think that you need to set the load address to 0x8000000

dblunk88 avatar May 04 '20 19:05 dblunk88

Yeah I think you could be right. 08008590 is a data block referenced by a pointer located at 08004128, and PTR_DAT_08004108 is referenced by FUN_08004100:08004100 which returns the pointer data. That appears to make more sense.

Are we able to share the decompiled source code? Just wondering on the best way to collaborate on deconstructing what the functions and parameter data are doing.

At the very least I'd like to figure out how to clear the gibberish that is displayed on my home screen.

nbritton avatar May 04 '20 20:05 nbritton

Not sure if I understand you correctly, but if you are referring to the gibberish as an image, then simply comment out the following two lines in the patch-airsense file:

    FLAGSTR=$(printf 'FLAGS=0x%02x' $BUILD_FLAGS)
    printf $FLAGSTR | patch 0x17588

    COMMIT_HASH=$(git log -n1 --format=format:"%H" | head -c 7)
    printf 'GIT=%s\x00' $COMMIT_HASH | patch 0x17764

This will leave the button titles with their original values, which are "My options" and "Sleep Report".

gszakacs avatar May 04 '20 21:05 gszakacs
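Two points in this thread lend themselves to a worked check: dblunk88's suggestion that the image must be loaded at 0x8000000 (STM32 main flash), and the two `printf ... | patch <offset>` lines above, which overwrite UI strings at fixed file offsets. The script below is an added example and is not part of the airbreak project or this issue. It builds a small constructed stand-in for a firmware dump, checks whether a candidate load address is consistent with the Cortex-M vector table (word 0 is the initial stack pointer, the following words are exception handlers, and on Cortex-M every handler address has bit 0 set because the core executes Thumb-2 only, which mixes 16-bit and 32-bit encodings), maps a Ghidra-style address such as 0x08004128 to a file offset, and patches a NUL-terminated string in place with the bounds check one would want before writing into a firmware image. The 128 KiB SRAM size, the sample string, and the offset 0x200 are assumptions of this example; the real `patch` helper in patch-airsense is not shown on this page, so `patch_cstring` is only a Python rendering of what those two shell lines appear to do.

```python
"""Added example (not airbreak project code): load-address sanity check and
in-place string patching for a raw Cortex-M firmware image.  Every byte of
input below is constructed for the demonstration."""
import struct

FLASH_BASE = 0x08000000   # STM32 main flash base, the load address suggested in the thread
SRAM_BASE = 0x20000000    # STM32 SRAM base
SRAM_SIZE = 128 * 1024    # assumption: 128 KiB of SRAM on the STM32F405


def build_sample_image() -> bytes:
    """Constructed 1 KiB stand-in for a firmware dump (not a real AirSense image)."""
    img = bytearray(0x400)
    struct.pack_into("<I", img, 0, SRAM_BASE + SRAM_SIZE)  # initial MSP: top of SRAM
    struct.pack_into("<I", img, 4, FLASH_BASE + 0x1F5)     # Reset_Handler, Thumb bit set
    struct.pack_into("<I", img, 8, FLASH_BASE + 0x201)     # NMI_Handler
    struct.pack_into("<I", img, 12, FLASH_BASE + 0x201)    # HardFault_Handler
    img[0x200:0x20B] = b"My Options\x00"                   # assumed UI string, patched below
    return bytes(img)


def check_load_address(img: bytes, base: int = FLASH_BASE, nvectors: int = 4) -> dict:
    """Decide whether `base` is a plausible load address for a raw Cortex-M image.

    Word 0 must be a stack pointer inside SRAM.  Words 1..nvectors-1 are exception
    handlers that must land inside the image once `base` is applied and must carry
    the Thumb bit (bit 0); an even handler address would fault on a Cortex-M core.
    Loading at 0 instead of 0x08000000 makes every handler fall outside the image.
    """
    sp = struct.unpack_from("<I", img, 0)[0]
    handlers = [struct.unpack_from("<I", img, 4 * i)[0] for i in range(1, nvectors)]
    sp_ok = SRAM_BASE <= sp <= SRAM_BASE + SRAM_SIZE
    handlers_ok = all(h & 1 and base <= (h & ~1) < base + len(img) for h in handlers)
    return {"sp": sp, "reset": handlers[0], "ok": sp_ok and handlers_ok}


def flash_to_offset(addr: int, img_len: int, base: int = FLASH_BASE) -> int:
    """Map an address as Ghidra shows it (e.g. 0x08004128) to an offset in the dump."""
    if not base <= addr < base + img_len:
        raise ValueError(f"{addr:#010x} is outside the image loaded at {base:#010x}")
    return addr - base


def patch_cstring(img: bytes, offset: int, text: str) -> bytes:
    """Overwrite the NUL-terminated string at `offset` without growing past its terminator.

    This is the Python equivalent of `printf 'GIT=%s\\x00' ... | patch <offset>`,
    plus a check that the new text fits in the space the old string occupied, so
    the write cannot spill into whatever data follows it in flash.
    """
    end = img.index(b"\x00", offset)      # terminator of the existing string
    room = end - offset                    # bytes available, not counting the NUL
    new = text.encode("ascii")
    if len(new) > room:
        raise ValueError(f"'{text}' needs {len(new)} bytes, only {room} at {offset:#x}")
    out = bytearray(img)
    out[offset:offset + len(new) + 1] = new + b"\x00"   # same length in, same length out
    return bytes(out)


if __name__ == "__main__":
    fw = build_sample_image()
    print(check_load_address(fw))              # ok=True at the 0x08000000 base
    print(check_load_address(fw, base=0))      # ok=False: handlers point outside the image
    print(hex(flash_to_offset(0x08000200, len(fw))))
    patched = patch_cstring(fw, 0x200, "FLAGS=0x03")
    print(patched[0x200:0x20B])
```

Running the script against a real dump means replacing `build_sample_image()` with `open(path, "rb").read()`; if `check_load_address` reports `ok=False` at 0x08000000 but the stack pointer looks right, the dump probably does not start at the beginning of flash (a bootloader region may have been skipped), and the base passed to Ghidra should be adjusted accordingly rather than forced to 0.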

Yes, those options are for debugging purposes - it gives an at-a-glance view of what version of the hacked firmware has been compiled as well as which UI settings have been enabled or disabled. Feel free to comment that out of the patch script.

wormyrocks avatar May 04 '20 23:05 wormyrocks

Ok cool, I didn't realize those were intentional; I just thought it was some gibberish buffer overflow or something. I'm a principal computer systems engineer, but this project isn't anywhere near my area of specialization, so I don't have a lot of direct experience with reverse engineering.

nbritton avatar May 05 '20 00:05 nbritton

How do I change the image on the home screen?

jjsardar avatar Dec 14 '23 09:12 jjsardar