- Knowledge of the Hexagon instruction set
- IDA Hexagon processor module or the Binary Ninja Hexagon plugin
- Hexagon toolchain
- QEMU, version 6.2 confirmed working
- Extract the modem.mdt and modem.bxx files from the device or firmware.
```sh
cd modem_files
# This will generate modem.elf
./modem_join.py modem
```
- Analyze modem.elf in IDA/Binary Ninja/... to figure out:
  - Where the compressed RO/RW data segment is
  - The function addresses responsible for decompressing the RO/RW data
- Modify and compile dlpage_extractor.c accordingly.
```sh
hexagon-unknown-linux-musl-clang -static -o dlpage_extractor -Wall dlpage_extractor.c
```
- Inject the necessary modem segments into dlpage_extractor.
```sh
./modem_inject.py dlpage_extractor modem.elf
```
- Run dlpage_extractor under qemu-hexagon. If everything goes fine, the decompressed segments can be dumped from QEMU's memory with gdb.
```
gdb qemu-hexagon
> set args ./dlpage_extractor
> run
...
# Note that the dlpage range starts from VA 0xD0000000, but dlpage_extractor starts from 0x10000.
> dump binary memory q6zip_ro.bin 0xD0010000 0xDxxxxxxx
```
- Load the dumped range into IDA.
TODO.
Search for the byte pattern u16_1 u16_2 u32, where u16_1 == u16_2 and u32 falls inside the modem text range.
TODO.
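The pattern search above can be automated with a small scanner. The script below is an added example, not part of this repository; it assumes little-endian fields (Hexagon is little-endian), probes at 4-byte aligned offsets by default, and skips all-zero triples that padding produces. The text range and the sample image are constructed for the demonstration and are not values from a real device.

```python
"""Scan a firmware image for the pattern described above: two equal
little-endian u16 values followed by a u32 pointing into the modem text range.
Added example; the 4-byte alignment and the min_value filter are assumptions,
not something the project defines."""
import struct
from typing import NamedTuple


class Candidate(NamedTuple):
    offset: int     # file offset of the u16_1 field
    value: int      # the repeated u16 value (u16_1 == u16_2)
    pointer: int    # the u32 that falls inside the modem text range


def find_header_candidates(data: bytes, text_start: int, text_end: int,
                           align: int = 4, min_value: int = 1) -> list:
    """Return every offset where "<HHI" decodes to (v, v, p) with
    text_start <= p < text_end and v >= min_value.

    align:     step between probed offsets (assumed 4; use 1 for unaligned data)
    min_value: skip triples whose repeated u16 is below this; the default drops
               the all-zero triples that padding produces.
    """
    hits = []
    for off in range(0, len(data) - 7, align):
        u16_1, u16_2, u32 = struct.unpack_from("<HHI", data, off)
        if u16_1 == u16_2 and u16_1 >= min_value and text_start <= u32 < text_end:
            hits.append(Candidate(off, u16_1, u32))
    return hits


def build_sample_image() -> bytes:
    """Constructed test image (not real firmware): padding, one decoy whose
    u16 fields differ, one decoy whose u32 is outside the text range, filler,
    and one matching triple at offset 40."""
    img = bytearray(b"\x00" * 16)
    img += struct.pack("<HHI", 0x0123, 0x0124, 0xC0001000)   # u16s differ
    img += struct.pack("<HHI", 0x0200, 0x0200, 0x00001000)   # pointer outside text
    img += b"\xff" * 8                                       # filler
    img += struct.pack("<HHI", 0x0200, 0x0200, 0xC0004000)   # matches, offset 40
    img += b"\x00" * 8
    return bytes(img)


# Constructed text range for the demo; take the real one from modem.elf's
# program headers.
TEXT_START, TEXT_END = 0xC0000000, 0xC0800000

if __name__ == "__main__":
    for c in find_header_candidates(build_sample_image(), TEXT_START, TEXT_END):
        print(f"offset 0x{c.offset:x}: u16 0x{c.value:x}, u32 0x{c.pointer:08x}")
```

On a real image, read the file into `data`, pass the text segment bounds taken from modem.elf, and expect some false positives: the value filter only removes zero padding, so each candidate still needs checking in the disassembler.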