I was trying to reverse engineer a native library in an Android app. The .so contains many functions, but the function sUQWWyTBEs() is referenced from the Java code, and I was curious how this function works.
This function returns a string like 47fjlkj843h9asjklj94kljfsad93j4l2715943hasd..., but what I want to know is how this value is generated or returned.
The code of the function sUQWWyTBEs() decompiled with Ghidra:
*************************************************************
* FUNCTION
*************************************************************
undefined __cdecl Myapp_sUQWWyTBEs()
undefined w0:1 <RETURN>
longlong * x0:8 param_1
Myapp_sUQWWyTBEs XREF[2]: Entry Point (*) , 00101350
00100e44 08 00 40 f9 ldr x8, [param_1 ]
00100e48 01 00 00 b0 adrp x1, s_c7a584936712f32773d3d0a_00101000 ; = "c7a584936712f32773d3d0a"
00100e4c 21 60 08 91 add x1, x1, #0x218
00100e50 02 9d 42 f9 ldr x2, [x8, #0x538 ]
00100e54 40 00 1f d6 br x2
My understanding from the static analysis is as follows:
00100e44 08 00 40 f9 ldr x8, [param_1 ]
loads the value at the memory address held in param_1 into register x8.
00100e48 01 00 00 b0 adrp x1, s_c7a584936712f32773d3d0a_00101000
sets register x1 to 0x101000.
00100e4c 21 60 08 91 add x1, x1, #0x218
adds 0x218 to x1, so it sets x1 to 0x101218.
00100e50 02 9d 42 f9 ldr x2, [x8, #0x538 ]
loads the value at x8 + 0x538 into x2.
00100e54 40 00 1f d6 br x2
and finally branches to the address stored in x2.
That said, I don't know what is at the address in x2; obviously it depends on the value param_1 holds. Is there a way to find where param_1 was initialized? I don't know much about Ghidra or other reverse engineering tools. Any help would be appreciated.
Assuming this function is declared on the Java side as a native function, param_1 is a JNIEnv*. The Android JNI documentation states:
JNI defines two key data structures, "JavaVM" and "JNIEnv". Both of these are essentially pointers to pointers to function tables.
The code you show thus basically calls the function in the function table at offset 0x538. Assuming you're showing a 64-bit Android program, function pointers are 8 bytes so you need to figure out the 167th function pointer (starting from 0).
Take your copy of jni.h and extract the members of struct JNINativeInterface, number them starting from 0:
0: void* reserved0;
1: void* reserved1;
2: void* reserved2;
3: void* reserved3;
4: jint (*GetVersion)(JNIEnv *);
...
167: jstring (*NewStringUTF)(JNIEnv*, const char*);
So, assuming I did not make any mistakes, the code you are showing calls env->NewStringUTF with s_c7a584936712f32773d3d0a_00101000+0x218 as argument.
I think you can let Ghidra parse jni.h to make those types available. If you then change the type of param_1, that might be sufficient to let Ghidra do this mapping for you and produce a sensible decompilation to C/C++.
I am getting raw data from an OBD adapter. It is parsed correctly for a single-line response, but for a multiline response I am not able to parse it.
I used the code below to parse it:
String hexaData = getResult(); // getResult() returns the raw data, e.g. "4904014A4D422A490402333637364904033135303049040400000000"; after parsing I get "JMB*36761500", which is correct, but this only works for a single-line response
Log.i("CalID_hexa", hexaData);
final String result = getResult();
String workingData;
if (result.contains(":")) { // CAN (ISO 15765) protocol
    workingData = result.replaceAll(".:", "").substring(9); // 9 is xxx49040701, xxx is the number of bytes of information to follow
    Matcher m = Pattern.compile("[^a-z0-9 ]", Pattern.CASE_INSENSITIVE).matcher(convertHexToString(workingData));
    if (m.find()) workingData = result.replaceAll("0:49", "").replaceAll(".:", "");
} else { // ISO 9141-2, KWP2000 Fast and KWP2000 5 kbps (ISO 15031) protocols
    workingData = result.replaceAll("49040.", "");
}
calId = convertHexToString(workingData).replaceAll("[\u0000-\u001f]", "");
L.stringStringHashMap.put("CAL_ID", calId);

public String convertHexToString(String hex) {
    StringBuilder sb = new StringBuilder();
    // 49204c6f7665204a617661 is split into pairs of characters: 49, 20, 4c, ...
    for (int i = 0; i < hex.length() - 1; i += 2) {
        // grab the hex in pairs
        String output = hex.substring(i, i + 2);
        // convert hex to decimal
        int decimal = Integer.parseInt(output, 16);
        // convert the decimal to a character
        sb.append((char) decimal);
    }
    return sb.toString();
}
How do I parse a multiline response like the one below, received for PID 09 04 from the OBD adapter:
18 DA F1 11 10 13 49 04 01 33 37 38
18 DA F1 1D 10 13 49 04 01 33 37 38
18 DA F1 11 21 30 35 2D 52 59 45 2D
18 DA F1 11 22 41 37 34 30 00 00 55
18 DA F1 1D 21 30 36 2D 52 59 45 2D
18 DA F1 1D 22 41 37 37 30 00 00 55
How can I parse the above?
If you want to parse multiple-line responses as single-line responses, you can first form an array from the multi-line response by separating the lines at the character \n. After forming the array of responses, you can join the strings into one single line.
You have two issues here. The first is that you sent your request using a broadcast address; that's why two ECUs (namely 18 DA F1 11 and 18 DA F1 1D) answered your request. You either have to sort these out or ask only one ECU directly.
The second is that you should learn about ISO 15765-2 (also named ISO-TP), which is a transport protocol, much like TCP (or rather IP) is for Ethernet. https://en.wikipedia.org/wiki/ISO_15765-2 contains a rough outline.
A general note: if you're serious about implementing OBD2 communication, write a layered architecture, in which the communication layer (BLE, TTY, TCP, etc.) sits below the vehicle protocol, which ISO-TP sits on top of. On the actual application layer you can then decode the individual PIDs and their measurements.
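The ISO-TP reassembly the answer describes, applied to the six frames in the question, as an added example in Python (not code from either poster): frames are grouped by the 29-bit CAN ID in the first four bytes, the First Frame (0x1N) and Consecutive Frames (0x2N) are stitched together, and the PID 09 04 payload is decoded per ECU.

```python
# Added example (not the poster's code): reassemble the multi-frame ISO-TP (ISO 15765-2)
# response from the question and decode the PID 09 04 (Calibration ID) payload per ECU.
# RAW_RESPONSE is the constructed sample, copied from the question as posted.
RAW_RESPONSE = """\
18 DA F1 11 10 13 49 04 01 33 37 38
18 DA F1 1D 10 13 49 04 01 33 37 38
18 DA F1 11 21 30 35 2D 52 59 45 2D
18 DA F1 11 22 41 37 34 30 00 00 55
18 DA F1 1D 21 30 36 2D 52 59 45 2D
18 DA F1 1D 22 41 37 37 30 00 00 55
"""

def reassemble_isotp(raw: str) -> dict[str, bytes]:
    """Group frames by CAN ID (first four bytes of each line) and reassemble the
    ISO-TP payload. Returns {can_id_hex: payload_bytes} truncated to the announced length."""
    buffers: dict[str, dict] = {}
    for line in raw.strip().splitlines():
        b = bytes.fromhex(line)
        can_id, pci, data = b[:4].hex().upper(), b[4], b[5:]
        kind = pci >> 4                       # upper nibble of the PCI byte = frame type
        if kind == 0x0:                       # Single Frame: low nibble = payload length
            buffers[can_id] = {"len": pci & 0x0F, "data": bytearray(data), "sn": 1}
        elif kind == 0x1:                     # First Frame: 12-bit length, then 6 data bytes
            length = ((pci & 0x0F) << 8) | data[0]
            buffers[can_id] = {"len": length, "data": bytearray(data[1:]), "sn": 1}
        elif kind == 0x2:                     # Consecutive Frame: low nibble = sequence number
            st = buffers[can_id]
            if (pci & 0x0F) != st["sn"] & 0x0F:
                raise ValueError(f"{can_id}: out-of-order consecutive frame {pci:#04x}")
            st["data"] += data
            st["sn"] += 1
        # kind 0x3 (Flow Control) is sent by the tester, so it never appears in a response
    return {cid: bytes(st["data"][: st["len"]]) for cid, st in buffers.items()}

def decode_cal_id(payload: bytes) -> str:
    """Mode 09 PID 04 reply: 0x49 (0x09 + 0x40), PID 0x04, item count, ASCII padded with NUL."""
    if payload[0] != 0x49 or payload[1] != 0x04:
        raise ValueError(f"unexpected service/PID header {payload[:2].hex()}")
    return payload[3:].rstrip(b"\x00").decode("ascii")

def calibration_ids(raw: str) -> dict[str, str]:
    return {cid: decode_cal_id(p) for cid, p in reassemble_isotp(raw).items()}
```

Running calibration_ids(RAW_RESPONSE) yields one Calibration ID per responding ECU, which is why the single-line regex approach in the question cannot work on this data.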
I use the client.screencap method from adbkit to get the PNG stream and save the image like this:
let stream = await client.screencap(deviceId);
stream.pipe(fs.createWriteStream('output.png'));
Rather, I want to resize it first, because the output image is so big (around 2-3 MB). So I try to get the buffer of the stream, resize it by reducing the width and height (using the Jimp library) and save the image.
let stream = await client.screencap(deviceId);
let chunks = [];
for await (const chunk of stream) {
    chunks.push(chunk);
}
let buffer = Buffer.concat(chunks);
console.log(buffer);
// resize and save (use the Jimp library to read the buffer and resize)
...
In console.log(buffer), I got:
<Buffer 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 00 00 01 73 ae ce 1c e9 00 00 00 04 ... 159002 more bytes>
But sometimes I get an empty buffer like this:
<Buffer >
I don't know why the buffer is empty. Is it because the client.screencap method is not stable?
Or is there any better solution to do something like this?
I am trying to print some currency with a Citaq V8 (it has a thermal printer), but it prints ?, because of the printer character set.
I have byte array (UTF-8) data to print, but the printer has some default character set. How can I change the default character set programmatically (e.g. by sending a byte array)? I need to change the printer charset settings.
Device: Citaq V8 (the device has a thermal printer)
PS: I could not find any developer docs.
Perhaps UTF-8 is not supported as a character set/code table.
Even EPSON supports it only on some models.
FS ( C <Function 48> - Select character encode system
    ASCII    FS  (  C  pL pH fn m
    Hex      1C 28 43 02 00 30 m
    Decimal  28 40 67 2  0  48 m
TM-P20:
    m = 1, 49  ASCII (ISCII)  ISCII: Indian Script Code for Information Interchange
    m = 2, 50  UTF-8          Unicode encoding system
TM-m30II, TM-m30II-H, TM-m30II-NT:
    m = 1, 49  1-byte character encoding  Non-Unicode encoding method (ASCII [extended], Shift JIS, Big5, GB2312, GB18030, KS C, etc.)
    m = 2, 50  UTF-8                      Unicode encoding system
You need to set the printer code page using the following two ESC/POS commands, and the character string to be requested for printing must be encoded and converted according to the code page before sending.
ESC t - Select character code table
    ASCII    ESC t   n
    Hex      1B  74  n
    Decimal  27  116 n
ESC R - Select an international character set
    ASCII    ESC R   n
    Hex      1B  52  n
    Decimal  27  82  n
Alternatively, you can create all the page contents to be printed with a Bitmap image and print it with one of the ESC/POS commands related to image printing.
However, it will be slow.
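As an added example (not the answerer's code), the Python below builds the ESC t n / ESC R n prefix the answer describes and encodes the text in the selected code page, showing why UTF-8 bytes come out as ?. The code-page indices (0 for PC437, 19 for PC858) are an assumption taken from Epson's numbering; the Citaq V8 may use a different table, so check n against the device's ESC/POS reference.

```python
# Added example: select an ESC/POS code page and encode text for it.
# ASSUMPTION: ESC t indices follow Epson's table (0 = PC437, 19 = PC858);
# the printer in the question may number its code pages differently.
ESC = b"\x1b"
CODE_PAGES = {            # Python codec name -> ESC t n
    "cp437": 0,           # PC437: USA / standard Europe, has no euro sign
    "cp858": 19,          # PC858: PC850 with the euro sign at 0xD5
}

def select_code_page(codec: str, international: int = 0) -> bytes:
    """ESC t n selects the code table; ESC R n selects the international set (0 = USA)."""
    return ESC + b"t" + bytes([CODE_PAGES[codec]]) + ESC + b"R" + bytes([international])

def encode_for_printer(text: str, codec: str) -> bytes:
    """Encode text in the printer's code page. A character the code page cannot
    represent becomes '?', the same symptom the printer shows when the encodings disagree."""
    return text.encode(codec, errors="replace")

def build_job(text: str, codec: str) -> bytes:
    """Complete job: code-page selection, encoded text, line feed."""
    return select_code_page(codec) + encode_for_printer(text, codec) + b"\n"

def utf8_vs_codepage(text: str, codec: str) -> tuple[bytes, bytes]:
    """Contrast the UTF-8 bytes (3 bytes for the euro sign) with the single
    code-page byte the printer actually expects."""
    return text.encode("utf-8"), encode_for_printer(text, codec)
```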
I am sending this command AE A7 04 00 05 09 BC B7 to a BLE device; onCharacteristicWrite returns status=0, but the BLE device does not send any data (I mean I do not get any response). So what is wrong? Maybe I am sending it in the wrong format?
public void WriteValue()
{
    mNotifyCharacteristic.setValue("AE A7 04 00 05 09 BC B7".getBytes());
    mBluetoothGatt.writeCharacteristic(mNotifyCharacteristic);
}
On Android, try setting the write type to WRITE_TYPE_NO_RESPONSE.
Btw, you should use LightBlue to test first: https://itunes.apple.com/us/app/lightblue-explorer-bluetooth-low-energy/id557428110?mt=8
Try replacing the third line with mNotifyCharacteristic.setValue(new byte[]{(byte)0xAE, (byte)0xA7, 4, 0, 5, 9, (byte)0xBC, (byte)0xB7});
Test using byte[].
I think it is better than using getBytes().
I can write successfully using byte[].
You can try it:
byte[] data = new byte[5];
data[0] = xx;
data[1] = xx;
........
characteristic.setValue(data);
If that does not work, try another route:
not the same characteristic.
I am building an Android application which connects to an NFC secure element and gets data to the Android device. For building the secure element I used the Java Card API. In the JCOP tools I send an ATR command to reset the Java Card. These are the commands sent:
/card -a a000000003000000 -c com.ibm.jc.CardManager
resetCard with timeout: 0 (ms)
--Waiting for card...
ATR=3B F8 18 00 FF 81 31 FE 45 4A 43 4F 50 76 32 34 ;.....1.EJCOPv24
31 43 1C
ATR: T=1, FI=1/DI=8 (31clk/etu), N=-1, IFSC=254, BWI=4/CWI=5, Hist="JCOPv241"
=> 00 A4 04 00 08 A0 00 00 00 03 00 00 00 00
I am using JCOP tools for that. The secure element part is complete, but my Android application needs to send more requests to the secure element within one second. I create a tag and send data this way:
byte[] GET_STRING = {
    (byte) 0x80, // CLA  class
    0x04,        // INS  instruction
    0x00,        // P1   parameter 1
    0x00,        // P2   parameter 2
    0x10         // Le   maximum number of bytes expected in the result
};
result = tag.transceive(GET_STRING);
int len = result.length;
// the last two bytes of the response are the status word; 0x9000 means success
if (!(result[len - 2] == (byte) 0x90 && result[len - 1] == (byte) 0x00))
    throw new RuntimeException("could not retrieve msisdn");
byte[] data = new byte[len - 2];
System.arraycopy(result, 0, data, 0, len - 2);
String str = new String(data).trim();
tag.close();
But I need to know how to send the ATR command using an Android IsoDep connection. If it is not possible, how can I reset the Java Card after getting the data?
Thanks
Sajith
Regarding your terminology:
On the contactless interface, your card does not have a reset sequence that produces an ATR. However, there are two comparable events on the contactless interface. One is turning the HF field off and on. This causes a power loss and consequently a hard reset of the card. The second one is to put the contactless card in the HALT state and re-activate the card through the activation & selection procedure as specified in ISO/IEC 14443-3. This would typically also cause a card to reset its internal state.
Regarding your question of how to reset a contactless card that is connected through Android's IsoDep:
Hard reset: That's only possible by bringing the card out of the NFC device's read range and then scanning it again.
"Soft reset": On most devices this should be possible by closing and re-opening the connection using the IsoDep instance:
    IsoDep isoDepTag = IsoDep.get(tag);
    [...]
    isoDepTag.close();
    isoDepTag.connect();
    [...]
However, you should be aware that some devices (e.g. the Galaxy S4 in combination with certain Android versions) will not properly perform a soft reset (HALT + reactivation/selection) and, instead, just continue the previous connection.