Assorted IDA notes

Barry Carter edited this page Dec 11, 2016 · 8 revisions

Assorted notes from the reversing of Pebble Time firmware (ginge)

All tracing done on: Pebble time

tin_tin_dvt 4.3

Cortex M4 STMF429

IDA Settings
Type: Arm 7M
Address base for ROM: 0x08004000
Address base for File: 0x08004000
(silk) Code offset: 0x080041D0    (browse to it and press c, or put it in the file offset box)
(snowy_dvt) Code offset: 0x080041C0

Note that a tintin_fw.bin is flashed into ROM immediately after the bootloader. It has what is said to be a standard Cortex-M3 prefix — the first dword is the stack pointer that one requests the bootloader to set (open question: why doesn’t the entry point code do that?); the second dword is an entry point; and from then on are interrupt vectors. You can get something bootloader-like from a SDK install: SDK/3.7/Pebble/{platform}/qemu/qemu_micro_flash.bin, and rip the first 16k off the front. (I call that "tintin_boot.bin".) Another open question: how does one 'tell' the bootloader that "no, something is wrong, and we reset and I just want you go into recovery mode"?

Interesting addresses
RCC = 0x40023800
RCC_GPIOS? = 0x30
RCC_APB1ENR = 0x40
USART1_BASE 0x40011000  (loc 0x8060aaa and others in IDA. No reference to USART2 and 3)

dump address: 0x806D2F0 seems to be related to SPI2 which is presumably display related for the FPGA

0x8038388: SPI Init routine from FreeRTOS
Possible Hardware connections
Display: SPI2
SmartStrap: USART1
TIM2 Config: 100MHZ

For CM3 based watches

For CM4 (Pebble Time/Time Steel)