Assorted IDA notes

Barry Carter edited this page Jul 15, 2018 · 9 revisions

Assorted notes from the reversing of Pebble Time firmware (ginge)

All tracing done on: Pebble time

tin_tin_dvt 4.3

Cortex M4 STMF429

IDA Settings
Type: Arm 7M
Address base for ROM: 0x08004000
Address base for File: 0x08004000
(silk) Code offset: 0x080041D0    (browse to it and press c, or put it in the file offset box)
(snowy_dvt) Code offset: 0x080041C0

Note that a tintin_fw.bin is flashed into ROM immediately after the bootloader. It has what is said to be a standard Cortex-M3 prefix — the first dword is the stack pointer that one requests the bootloader to set (open question: why doesn’t the entry point code do that?); the second dword is an entry point; and from then on are interrupt vectors. You can get something bootloader-like from a SDK install: SDK/3.7/Pebble/{platform}/qemu/qemu_micro_flash.bin, and rip the first 16k off the front. (I call that "tintin_boot.bin".) Another open question: how does one 'tell' the bootloader that "no, something is wrong, and we reset and I just want you go into recovery mode"?

Interesting addresses
RCC = 0x40023800
RCC_GPIOS? = 0x30
RCC_APB1ENR = 0x40
USART1_BASE 0x40011000  (loc 0x8060aaa and others in IDA. No reference to USART2 and 3)

dump address: 0x806D2F0 seems to be related to SPI2 which is presumably display related for the FPGA

0x8038388: SPI Init routine from FreeRTOS

For CM3 based watches

For CM4 (Pebble Time/Time Steel)

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.