Iaudio Reverse Engineering using IDA Pro
This is a short guide how to begin reverse engineering the Iaudio's firmware
using IDA Pro.
I'm using IDA v4.7 and X5 firmware 2.10 beta 7.
From x5_fw.bin extract bytes 0 to 67054 to file "x5_flash.bin"
This contains the first part of the firmware stored in FLASH memory. The whole x5_fw.bin is stored in flash but this first part is interesting because it is a "loader". It "loads" sections from FLASH into SDRAM and IRAM.
Start IDA and open "x5_flash.bin"
- Select processor "Motorola Coldfire", press SET and OK.
- Select "Create ROM section"
- Enter "ROM start address": 0xefd0
- Enter "Loading address": 0xefd0
- Press OK.
This constant 0xefd0 is a delta value describing where the firmware (x5_fw.bin) is stored in flash. It means that byte 0 of the file is stored in flash address 0x0000EFD0 in the CPU's address space.
Now it's time to import the rest of the firmware.
- Download iaudio_load.idc
- Edit the file so the firmware filename and path is correct.
- Run script using: File -> IDC file -> iaudio_load.idc
- It will take some time to load and analyze the firmware. Take cup of coffee..
Now the firmware has been loaded and you can start working.
The load script makes a lot into code, but you have to go through and make some parts into code yourself. Note that IDA can't decode a few instructions, probably related to EMAC (they usually start with opcode 0xA3). Also find and make strings.
- Document interesting functions - location and purpose.
- Find how the last section of FLASH is loaded into SDRAM. Now the 341994 bytes of firmware is unloaded.
Copyright © by the contributing authors.