A tutorial promised a long time ago

How to port patches to another firmware version. This is not the only way to do it, just one personal method.

Part 1

We'll need the following programs: IDA 4.30 and PATSearch.

Let's go (all examples are for the C/M/S35 FullFlash).

Loading the FullFlash (FF) into IDA:

  1. File -> Open File, choose our FF file.

  2. "Load a new file": Processor type -> Siemens C166: c166 -> Set; Load File -> Binary file; Options -> Load as code segment

  3. "Disassembly memory organization": RAM -> Create RAM section; RAM start address 0x0; RAM size 0x200000; ROM -> Create ROM section; ROM start address 0xC00000; ROM size 0x400000; Input File -> Loading address 0xC00000

  4. View -> Open Subview -> Segments. Delete all segments except RAM and ROM.

  5. Expand the RAM segment up to 0x200000

  6. Go to the beginning of the ROM segment by double-clicking on it, then select the whole segment by pressing Ctrl+Shift+PageDown. Now press C to convert it to code and answer 'Force' to force the conversion

  7. Now is the time to have a coffee, tea or something else. IDA will signal that it has finished by turning its status bullet green


Example of porting patch (Indifferent Logo, from 18 to 24 firmware)

;Patch: Indifferent Logo
;Firmware: C/M35 1804
;Release: 26.07.04
;Author: BoBa!

;Resolve bug with SIM having operator name hardcoded===============
0x26F734: 48802D02E13C0D01E12CF016F1C2 DAC1E4D608413D0948802D0DE13C

;Logo in roaming===================================================
0x01D7FE: 3D03 CC00

;Logo with any SIM=================================================
0x01D7E4: 3D10 CC00

  1. Load the 1804 FF into IDA

  2. Enable opcode display: Options -> General -> Disassembly -> Display disassembly line parts -> Number of opcode bytes -> 4

  3. Move to the patch address in IDA ('G' key). The address in the patch is an offset in the FF file, but IDA addresses bytes not by their offset in the FF file but in processor address space. To translate a file offset to a processor address, add the FF load address (0xC00000 for C/M/S35). So our patch address for IDA is 0xC1D7FE (remember that IDA always treats addresses as hex, so you shouldn't write the 0x prefix). At that address we have a conditional jump:

    The picture you'll have may differ a little, as I use a somewhat hacked FF.

  4. Select the part of the code around the instruction we're interested in:

  5. Paste this selection into PATSearch with the 2404 firmware loaded and press 'GO'

    PATSearch will show us the address C1DF98

  6. Load the 2404 FF into IDA

  7. Go to C1DF98 and see exactly the same piece of code:

    There is our conditional jump instruction too:

  8. So, the resulting patch for the 2404 firmware (remember the 0xC00000 offset?) is
    ;Logo in roaming===================================================
    0x01DFAA: 3D03 CC00
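The whole procedure in code, as an added example that is not part of the original tutorial and not PATSearch's own code: it parses the patch format shown above, applies the 0xC00000 file-offset-to-IDA translation from step 3, and ports an entry by searching the other firmware for the byte pattern around the patched instruction, the way PATSearch is used in steps 4 and 5. The two FullFlash images, the 18-byte code block and the seeds are constructed stand-ins, not real firmware contents.

```python
import random
import re

LOAD_BASE = 0xC00000  # C/M/S35 FullFlash load address, as given in step 3 of the tutorial
PATCH_LINE = re.compile(r"^0x([0-9A-Fa-f]+):\s*([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)$")

def parse_patch(text):
    """Parse ';comment' and '0xOFFSET: OLDHEX NEWHEX' lines into patch entries."""
    entries, comment = [], ""
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith(";"):
            comment = line[1:].strip("= ")  # drop the '====' ruler used in the comments
            continue
        m = PATCH_LINE.match(line)
        if not m:
            raise ValueError("unrecognised patch line: " + line)
        old, new = bytes.fromhex(m.group(2)), bytes.fromhex(m.group(3))
        if len(old) != len(new):
            raise ValueError("OLD/NEW byte counts differ: " + line)
        entries.append({"offset": int(m.group(1), 16), "old": old, "new": new, "comment": comment})
    return entries
def ida_address(file_offset):  # file offset -> processor address (the 0xC00000 rule of step 3)
    return LOAD_BASE + file_offset
def port_entry(entry, src_fw, dst_fw, context=8):
    """Check OLD bytes at the source offset, then find the surrounding byte pattern in the
    destination FF (what PATSearch does); None unless the pattern occurs exactly once."""
    off, n = entry["offset"], len(entry["old"])
    if src_fw[off:off + n] != entry["old"]:
        raise ValueError("OLD bytes not present at 0x%06X in the source FF" % off)
    start = max(0, off - context)
    pattern = src_fw[start:off + n + context]
    hits, i = [], dst_fw.find(pattern)
    while i != -1:
        hits.append(i)
        i = dst_fw.find(pattern, i + 1)
    return dict(entry, offset=hits[0] + (off - start)) if len(hits) == 1 else None
def format_entry(entry):  # render an entry back in the patch file format
    return "0x%06X: %s %s" % (entry["offset"], entry["old"].hex().upper(), entry["new"].hex().upper())

# Constructed stand-ins for the 1804 and 2404 FullFlash files (not real firmware):
# deterministic filler with the same 18-byte code block placed at different offsets.
def make_fw(block, block_offset, seed, size=0x1E000):
    rng = random.Random(seed)
    fw = bytearray(rng.getrandbits(8) for _ in range(size))
    fw[block_offset:block_offset + len(block)] = block
    return bytes(fw)

CODE_BLOCK = bytes.fromhex("F8A3E6F8120048803D030D0148802D0DE13C")  # constructed; 3D03 sits at +8
SRC_FW = make_fw(CODE_BLOCK, 0x01D7FE - 8, seed=1804)  # conditional jump 3D03 lands at 0x01D7FE
DST_FW = make_fw(CODE_BLOCK, 0x01DFAA - 8, seed=2404)  # same code, moved to where 2404 has it
ROAMING_LOGO = ";Logo in roaming===================================================\n0x01D7FE: 3D03 CC00\n"
```

Running `format_entry(port_entry(parse_patch(ROAMING_LOGO)[0], SRC_FW, DST_FW))` yields the 2404 line from step 8; a pattern that matches zero or several times returns None, which is the case where you go back to IDA and pick a wider or different selection.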

That's all. Did anybody say it was too hard?

As practice, you can port the 'Logo with any SIM' patch by yourself.


BoBa! 2004

Translation: eliterr 2004


: 29.06.2007
Copyright by BoBa!