IOS how to?

If I wanted to check out how an IOS is built up. Where do I look?

By disassembling an IOS?

I don't know how. I was just curios. Disassembling it would mean I would get assembly code out of it, right? In that case, how can you make custom IOSes and such as assembly code is close to impossible to understand?

Assembly is not that hard to understand if you have the correct tools. The hardest part is the symbols are stripped which makes even more difficult.

Ok! What are the tools required?

edit: What does it mean that the symbols are stripped?



Edited 1 time(s). Last edit at 06/28/2009 06:08PM by profetylen.

Quote
profetylen
Ok! What are the tools required?

edit: What does it mean that the symbols are stripped?

It means that any bit of human-readable information (pointer names, the like) will be absent, and replaced with something like generic numbers.



Edited 1 time(s). Last edit at 06/29/2009 04:14AM by WikiFSX.

Quote
WikiFSX
It means that any bit of human-readable information (pointer names, the like) will be absent, and replaced with something like generic numbers.

OK!

If i disassemble a thing, will I then get C-code out of it, just replaced variable names with generic numbers?

How do I dissassmble it or where can I learn about dissassembling?

No, you will get assembler code

OK!

How do I dissassemble stuff so I can get assembly code?

You need a hex editor with dissassembling capabilities. Also, you may want to google around the internet for a bit and figure out how to understand asm.

OK! I already know a little asm :P

However I donwloaded an IOS with NUS Downloader and decrypted it.

I realized it consists of a bunch of files, named 00000071, 00000072, 00000073, 00000001.app, 00000002.app, tmd.417m cetk to mention a few examples.

Where exactly is the machine code in these and what are loaded first for example when you install an IOS?

Starlet is an ARM CPU, so it's ARM machine code. I use devkitARM to disassemble IOS, as IDA Pro Free only has x86 support. The kernel is the first IOS code run. Check the TMD for the boot index and boot content ID. Strip the elf "loader" from the kernel .app. It's all of the data before the byte before the "ELF" string. The other contents are .elf modules loaded by the kernel. Using arm-eabi-objdump doesn't work however with the elfs alone, extraction of the text sections are needed. objdump doesn't work with these elfs because objdump only uses section headers, and IOS elfs only have program headers.

Thank you all for the info! :)

Hmmm.. How do I even start devkitARM?

Download and install devkitARM. Use arm-eabi-objdump and arm-eabi-readelf.(The former to disassemble, the latter to obtain the start-end offsets of sections to extract them, and the sections' virtual/physical addresses.)
Here's my dasm.txt reference.(Based on chishm's gbadev posts)
Replace the filename before the > with the input extracted binary, and replace the filename after the > with the dissassembly filename.

NDS:

arm-eabi-objdump -D -b binary -m arm arm9.bin > _9_ARM.s
arm-eabi-objdump -D -b binary -m arm arm7.bin > _7_ARM.s
arm-eabi-objdump -D -b binary -m arm -M force-thumb arm9.bin > _9_THUMB.s
arm-eabi-objdump -D -b binary -m arm -M force-thumb arm7.bin > _7_THUMB.s

Wii Starlet:

arm-eabi-objdump -D -b binary -m arm -EB text.bin > text_arm.s
arm-eabi-objdump -D -b binary -m arm -M force-thumb -EB text.bin > text_thumb.s