Michael's musings


This is a blog of
mcr at sandelman.ca

Tue, 05 Jan 2010

no-op instructions for ARM

At http://www.credil.org/ we had to deal with some code that was not yet GPL compliant, fixing bugs (removing features!) from a .so file that we had. We had some of the source code, but not enough to recompile it.

We needed to disable certain calls, so we disassembled the object file with objdump -d, reviewed the code and looked for the calls we wanted to remove; on ARM these are "bl" (branch with link) instructions.

../../prebuilt/linux-x86/toolchain/arm-eabi-4.3.1/bin/arm-eabi-objdump -d libmyso.so >libmyso.S

Every ARM-state instruction, branches included, carries a 4-bit condition field in its top nibble, and one of the condition codes, 0b1110 (AL), means "always". The L bit turns B into BL, branch and link, which saves the return address in LR and so makes a subroutine call. See: http://www.peter-cockerell.net/aalp and http://www.peter-cockerell.net/aalp/html/frames.html, section C which is at: http://www.peter-cockerell.net/aalp/html/app-c.html

In that appendix, condition 0b1111 is NV, "never". Just look: if we change the leading 'e' of the bl word to 'f', it becomes Branch Never! We tried that.

Oops, this doesn't work. Peter Cockerell's book (from 1987) documents the early ARM architecture, and the architecture has moved on several versions since: from ARMv5 the 0b1111 condition no longer means "never" but selects a set of unconditional instructions, and combined with the branch bit pattern it encodes BLX, branch with link and exchange, which switches to Thumb mode. The clue that this is what happens is that when we disassembled the result we saw "blx", but the real clue was that the offset was no longer "place", instead it was "place+2". Thumb instructions are 16 bits wide, so a BLX target is halfword-aligned; the bit that was BL's link bit is BLX's H bit, and it adds 2 to the target.

See http://www.keil.com/support/man/docs/armasm/armasm_cihfddaf.htm for details of BLX.

So, how to create a NOP? We didn't see an official one. Some googling revealed that "MOV R0, R0" is a good choice; it is the traditional ARM no-op, and objdump itself labels the word 0xE1A00000 as nop.

http://www.keil.com/support/man/docs/armasm/armasm_cjafcggi.htm

To assemble this:

The data-processing layout is cond[31:28] 00[27:26] I[25] opcode[24:21] S[20] Rn[19:16] Rd[15:12] operand2[11:0].

First nibble is 0b1110 (14, 0xE) for "Always".

Second nibble is 0b0001 (1, 0x1): bits 27:26 are 00 (data-processing), the immediate bit I is 0 (operand2 is a register), and bit 24 is the first bit of the opcode, 1. (The opcode is 0b1101 (13, 0xD) for MOV.)

Third nibble is 0b1010 (10, 0xA): the remaining three opcode bits, 101, and the S bit set to 0, so the flags are untouched.

Fourth nibble is 0b0000 for Rn, which MOV does not use and encodes as zero, and fifth nibble is 0b0000 for Rd = R0.

The last 12 bits, operand2, are 0: register R0 with no shift.

The result is: 0b1110 0001 1010 0000 0000 0000 0000 0000, or 0xE1A00000.
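The encodings above, and the bl/blx trap from earlier, worked through in code. This is an added example, not code from the original post: the bit layouts are those of the ARM Architecture Reference Manual, and every function name here is this example's own. It assembles MOV R0, R0 field by field, decodes a bl the way objdump prints it (PC reads as the instruction address plus 8), and shows that flipping the condition nibble from e to f turns the same word into a blx whose target has moved by 2. The last function packs the word in little-endian order, which is how the bytes sit in the file on a little-endian ARM build such as Android's.

```python
# Added example (not code from the original post): the ARM-state encodings the
# post relies on, built and decoded bit by bit.  Bit layouts follow the ARM
# Architecture Reference Manual; the function names are this example's own.
import struct

COND_AL = 0xE   # condition "always"
COND_NV = 0xF   # "never" on early ARM; unconditional-instruction space from ARMv5 on


def encode_data_processing(cond, opcode, s, rn, rd, operand2, imm=False):
    """cond[31:28] 00[27:26] I[25] opcode[24:21] S[20] Rn[19:16] Rd[15:12] operand2[11:0]"""
    assert 0 <= cond <= 0xF and 0 <= opcode <= 0xF
    assert 0 <= rn <= 15 and 0 <= rd <= 15 and 0 <= operand2 < (1 << 12)
    return ((cond << 28) | (int(imm) << 25) | (opcode << 21) | (s << 20)
            | (rn << 16) | (rd << 12) | operand2)


OPCODE_MOV = 0b1101  # 13, 0xD


def arm_nop():
    """MOV R0, R0: MOV ignores Rn (encoded as 0); operand2 == 0 is R0 with LSL #0."""
    return encode_data_processing(COND_AL, OPCODE_MOV, s=0, rn=0, rd=0, operand2=0)


def encode_branch(cond, link, offset):
    """B/BL: cond[31:28] 101[27:25] L[24] imm24[23:0]; offset in bytes, relative to PC+8."""
    assert offset % 4 == 0 and -(1 << 25) <= offset < (1 << 25)
    return (cond << 28) | (0b101 << 25) | (int(link) << 24) | ((offset >> 2) & 0xFFFFFF)


def decode_branch(word, addr):
    """Return (mnemonic, target) for a B/BL/BLX word at `addr`, or None.
    The target is computed the way objdump prints it (PC reads as addr + 8)."""
    if (word >> 25) & 0b111 != 0b101:
        return None
    imm24 = word & 0xFFFFFF
    if imm24 & 0x800000:
        imm24 -= 1 << 24                 # sign-extend the 24-bit field
    offset = imm24 << 2
    bit24 = (word >> 24) & 1
    if (word >> 28) == COND_NV:
        # ARMv5T and later: 1111 101 H imm24 is BLX <label>, switching to Thumb.
        # BL's link bit now reads as H and adds 2 to the halfword-aligned target.
        return ("blx", addr + 8 + offset + (bit24 << 1))
    return ("bl" if bit24 else "b", addr + 8 + offset)


def set_cond(word, cond):
    """Overwrite the condition nibble: what editing 'e' -> 'f' in a hex dump does."""
    return (word & 0x0FFFFFFF) | (cond << 28)


def little_endian_bytes(word):
    """How a 32-bit ARM word is laid out in a little-endian ELF file."""
    return struct.pack("<I", word)


if __name__ == "__main__":
    call = encode_branch(COND_AL, link=True, offset=0x100)       # bl, 0x100 bytes ahead
    print("%08x %s" % (call, decode_branch(call, 0x1000)))        # eb000040 ('bl', 0x1108)
    broken = set_cond(call, COND_NV)
    print("%08x %s" % (broken, decode_branch(broken, 0x1000)))    # fb000040 ('blx', 0x110a)
    print("%08x %s" % (arm_nop(), little_endian_bytes(arm_nop()).hex()))  # e1a00000 0000a0e1
```

Run it stand-alone and the three printed lines are the whole story of the post: the bl, the same word with its condition nibble changed decoding as a blx two bytes further on, and the NOP whose bytes in the file read 00 00 a0 e1 rather than e1 a0 00 00.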

We didn't realize that the Android phones are in big-endian mode, so when we searched for the right instructions to change, we did not find them.

When you objdump a .so file, the first PT_LOAD segment normally maps file offset 0 at virtual address 0, so for code in .text the addresses objdump produces are also file offsets. Check with readelf -l before patching: the file offset of an address is addr - p_vaddr + p_offset of the segment containing it, and for the data segment the two differ.
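The address-to-offset step, with the byte-order point made explicit, as an added example (not the post's own code). It reads the ELF32 program headers rather than trusting that address equals offset, refuses to touch anything that does not decode as a bl, and writes MOV R0, R0 in the file's own byte order. Android's ARM builds are little-endian, so the word 0xE1A00000 lands in the file as 00 00 a0 e1 and the bl word eb000040 sits there as 40 00 00 eb, which is why a byte-for-byte search for the hex string objdump prints finds nothing. The ELF image it operates on is constructed inline and is not a real library: a text segment at vaddr 0, file offset 0, and a data segment whose vaddr and file offset differ, as in a real .so.

```python
# Added example (not the post's own code): turn an address from `objdump -d`
# into a file offset by reading the ELF32 program headers, check that a bl is
# really there, and overwrite it with MOV R0, R0 in the file's byte order.
import struct

NOP = 0xE1A00000            # mov r0, r0
PT_LOAD = 1
EHDR = "<16sHHIIIIIHHHHHH"  # Elf32_Ehdr, little-endian
PHDR = "<8I"                # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align


def load_segments(elf):
    """Yield (p_vaddr, p_offset, p_filesz) for every PT_LOAD segment."""
    ident = elf[:16]
    if ident[:4] != b"\x7fELF" or ident[4] != 1 or ident[5] != 1:
        raise ValueError("expected a little-endian ELF32 image")
    hdr = struct.unpack_from(EHDR, elf, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _, p_filesz, _, _, _ = struct.unpack_from(
            PHDR, elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            yield p_vaddr, p_offset, p_filesz


def vaddr_to_offset(elf, vaddr):
    """Map a virtual address to its file offset; only file-backed bytes count."""
    for p_vaddr, p_offset, p_filesz in load_segments(elf):
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("address %#x is not file-backed by any PT_LOAD segment" % vaddr)


def is_bl(word):
    """cond=AL (1110), 101, L=1 -> top byte 0xEB, which objdump shows as 'bl'."""
    return (word >> 24) == 0xEB


def nop_out_call(elf, vaddr):
    """Return a copy of `elf` with the bl at `vaddr` replaced by NOP."""
    off = vaddr_to_offset(elf, vaddr)
    (word,) = struct.unpack_from("<I", elf, off)
    if not is_bl(word):
        raise ValueError("expected bl at %#x, found %08x" % (vaddr, word))
    out = bytearray(elf)
    struct.pack_into("<I", out, off, NOP)   # lands in the file as 00 00 a0 e1
    return bytes(out)


def build_sample_so():
    """A constructed, minimal ET_DYN image (not a real library): a text segment
    mapped at vaddr 0 from file offset 0 and a data segment whose vaddr differs
    from its file offset, as the second PT_LOAD of a real .so does."""
    ehdr = struct.pack(EHDR, b"\x7fELF\x01\x01\x01" + b"\0" * 9,
                       3, 40, 1, 0, 52, 0, 0, 52, 32, 2, 40, 0, 0)  # ET_DYN, EM_ARM
    text = struct.pack(PHDR, PT_LOAD, 0x000, 0x00000, 0x00000, 0x200, 0x200, 5, 0x1000)
    data = struct.pack(PHDR, PT_LOAD, 0x200, 0x10200, 0x10200, 0x100, 0x100, 6, 0x1000)
    img = bytearray(0x300)
    img[:len(ehdr) + len(text) + len(data)] = ehdr + text + data
    struct.pack_into("<I", img, 0x100, 0xEB000040)   # a "bl" at vaddr 0x100
    return bytes(img)


if __name__ == "__main__":
    so = build_sample_so()
    print("file bytes at 0x100:", so[0x100:0x104].hex())               # 400000eb
    print("vaddr 0x10210 -> offset %#x" % vaddr_to_offset(so, 0x10210))  # 0x210
    print("after patch:", nop_out_call(so, 0x100)[0x100:0x104].hex())  # 0000a0e1
```

Against a real library, replace build_sample_so() with the file's bytes; the bl check is the safety net, since an address copied one line off from the listing would otherwise silently corrupt whatever instruction happened to be there.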



posted at: 22:11 | path: /android | permanent link to this entry

Fri, 06 Nov 2009

dumping list of active services

From the shell of your rooted android phone run:

# dumpsys activity.services
Currently running services:
  activity.services
-------------------------------------------------------------------------------
DUMP OF SERVICE activity.services:
Services in Current Activity Manager State:
  Active services:
  * ServiceRecord{43a3dca0 com.android.inputmethod.latin/.LatinIME}
    intent={act=android.view.InputMethod cmp=com.android.inputmethod.latin/.LatinIME}
    packageName=com.android.inputmethod.latin
    processName=com.android.inputmethod.latin
    permission=android.permission.BIND_INPUT_METHOD
    baseDir=/system/app/LatinIME.apk/system/app/LatinIME.apk dataDir=/data/data/com.android.inputmethod.latin
    app=ProcessRecord{43a3e670 660:com.android.inputmethod.latin/10002}
    isForeground=false lastActivity=-296633
    startRequested=false startId=0 executeNesting=0 executingStart=-296565 crashCount=0
    totalRestartCount=0 restartCount=0 restartDelay=0 restartTime=-296633 nextRestartTime=-329523
    * IntentBindRecord{43a3e110}:
      intent={act=android.view.InputMethod cmp=com.android.inputmethod.latin/.LatinIME}
      binder=android.os.BinderProxy@4392a698
      requested=true received=true hasBound=true doRebind=false
      * Client AppBindRecord{43a3e288 ProcessRecord{439c0190 572:system/1000}}
        Per-process Connections:
          ConnectionRecord{43a3e400 com.android.inputmethod.latin/.LatinIME:@43a3da60}
    All Connections:
      ConnectionRecord{43a3e400 com.android.inputmethod.latin/.LatinIME:@43a3da60}

  Connection bindings to services:
  * ConnectionRecord{43a3e400 com.android.inputmethod.latin/.LatinIME:@43a3da60}
    binding=AppBindRecord{43a3e288 com.android.inputmethod.latin/.LatinIME:system}
    conn=android.app.ActivityThread$PackageInfo$ServiceDispatcher$InnerConnection@43a3da60 flags=0x1

If you run it without any arguments, you get a big huge dump of all sorts of interesting things. I do not yet know how to get it to give me a list of just the services that have registered themselves, or are actively running.
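One way to get the short list the dump above buries, as an added example that is not part of the original post: a small parser for the "Active services:" section of dumpsys activity.services output, giving one record per ServiceRecord with its process, uid and the permission a caller needs to bind to it. The sample it parses is constructed: the LatinIME record is copied from the dump above, and the second record (com.example.sync/.SyncService, with permission=null) is made up to show what a service with no bind permission looks like in the summary. The field names and regular expressions are this example's own, matched against the dump format shown on this page.

```python
# Added example (not from the original post): pull the "Active services" section
# out of a dumpsys activity.services dump and summarise one line per service.
import re

# Constructed sample: the LatinIME record is the one shown in the post; the
# SyncService record is made up to show a service with no bind permission.
SAMPLE_DUMP = """\
DUMP OF SERVICE activity.services:
Services in Current Activity Manager State:
  Active services:
  * ServiceRecord{43a3dca0 com.android.inputmethod.latin/.LatinIME}
    intent={act=android.view.InputMethod cmp=com.android.inputmethod.latin/.LatinIME}
    packageName=com.android.inputmethod.latin
    processName=com.android.inputmethod.latin
    permission=android.permission.BIND_INPUT_METHOD
    app=ProcessRecord{43a3e670 660:com.android.inputmethod.latin/10002}
    isForeground=false lastActivity=-296633
    * IntentBindRecord{43a3e110}:
      intent={act=android.view.InputMethod cmp=com.android.inputmethod.latin/.LatinIME}
  * ServiceRecord{4b1c0000 com.example.sync/.SyncService}
    intent={cmp=com.example.sync/.SyncService}
    packageName=com.example.sync
    processName=com.example.sync
    permission=null
    app=ProcessRecord{4b1c0200 812:com.example.sync/10041}
    isForeground=true lastActivity=-1203

  Connection bindings to services:
  * ConnectionRecord{43a3e400 com.android.inputmethod.latin/.LatinIME:@43a3da60}
"""

SERVICE_RE = re.compile(r"^\s*\* ServiceRecord\{[0-9a-f]+ (?P<name>\S+)\}")
FIELD_RE = re.compile(r"^\s*(?P<key>packageName|processName|permission)=(?P<val>\S+)")
APP_RE = re.compile(r"^\s*app=ProcessRecord\{[0-9a-f]+ (?P<pid>\d+):\S+/(?P<uid>\d+)\}")
FOREGROUND_RE = re.compile(r"^\s*isForeground=(?P<fg>true|false)")


def parse_active_services(dump):
    """Return one dict per ServiceRecord listed under 'Active services:'."""
    services, cur, active = [], None, False
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped == "Active services:":
            active = True
            continue
        if stripped == "Connection bindings to services:":
            break                          # end of the section we care about
        if not active:
            continue
        m = SERVICE_RE.match(line)
        if m:
            cur = {"name": m.group("name"), "packageName": None, "processName": None,
                   "permission": None, "pid": None, "uid": None, "foreground": False}
            services.append(cur)
            continue
        if cur is None:
            continue
        m = FIELD_RE.match(line)
        if m:   # "permission=null" means no permission is needed to bind
            cur[m.group("key")] = None if m.group("val") == "null" else m.group("val")
            continue
        m = APP_RE.match(line)
        if m:
            cur["pid"], cur["uid"] = int(m.group("pid")), int(m.group("uid"))
            continue
        m = FOREGROUND_RE.match(line)
        if m:
            cur["foreground"] = m.group("fg") == "true"
    return services


def unprotected(services):
    """Names of running services that require no permission to bind."""
    return [s["name"] for s in services if s["permission"] is None]


def summary_lines(services):
    return ["%-45s pid=%s uid=%s perm=%s" % (s["name"], s["pid"], s["uid"], s["permission"])
            for s in services]


if __name__ == "__main__":
    svcs = parse_active_services(SAMPLE_DUMP)
    print("\n".join(summary_lines(svcs)))
    print("bindable without a permission:", unprotected(svcs))
```

On a phone, feed it the real output (adb shell dumpsys activity.services, or the command above from a root shell) instead of SAMPLE_DUMP; the unprotected list is the first thing worth reading when reviewing what a device is exposing to other apps.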



posted at: 13:46 | path: /android | permanent link to this entry

