release
dev builds
extras
themes manual
wiki
device status forums
mailing lists
IRC bugs
patches
dev guide



Search | Go
Wiki > Main > IaudioReverseEngineering

Iaudio Reverse Engineering using IDA Pro

Introduction

This is a short guide how to begin reverse engineering the Iaudio's firmware using IDA Pro.

I'm using IDA v4.7 and X5 firmware 2.10 beta 7.

Step 1

From x5_fw.bin extract bytes 0 to 67054 to file "x5_flash.bin"

This contains the first part of the firmware stored in FLASH memory. The whole x5_fw.bin is stored in flash but this first part is interesting because it is a "loader". It "loads" sections from FLASH into SDRAM and IRAM.

Step 2

Start IDA and open "x5_flash.bin"

  • Select processor "Motorola Coldfire", press SET and OK.
  • Select "Create ROM section"
  • Enter "ROM start address": 0xefd0
  • Enter "Loading address": 0xefd0
  • Press OK.

This constant 0xefd0 is a delta value describing where the firmware (x5_fw.bin) is stored in flash. It means that byte 0 of the file is stored in flash address 0x0000EFD0 in the CPU's address space.

Step 3

Now it's time to import the rest of the firmware.

  • Download iaudio_load.idc
  • Edit the file so the firmware filename and path is correct.
  • Run script using: File -> IDC file -> iaudio_load.idc
  • It will take some time to load and analyze the firmware. Take cup of coffee..

Now the firmware has been loaded and you can start working.

The load script makes a lot into code, but you have to go through and make some parts into code yourself. Note that IDA can't decode a few instructions, probably related to EMAC (they usually start with opcode 0xA3). Also find and make strings.

Happy reverse-engineering!

TODO

  • Document interesting functions - location and purpose.
  • Find how the last section of FLASH is loaded into SDRAM. Now the 341994 bytes of firmware is unloaded.

I Attachment Action Size Date Who Comment
iaudio_load.idcidc iaudio_load.idc manage 5.7 K 27 Jan 2006 - 19:05 AndyYoung IDA Load script for Iaudio X5 firmware
r1 - 27 Jan 2006 - 19:04:28 - AndyYoung
Copyright by the contributing authors.