But a nice by-product is the "Thumb Dumb Disassembler". For iPhone reverse engineering, if the code is compiled to ARM then ravel-arm can be used to give very useful information. However, if it is compiled to Thumb then ravel can't handle the code correctly. It will treat the code as ARM and output garbage. Sadly, unlike otool, there is no force-Thumb mode in ravel so we can't do much.
When nobody can save you, you have to save yourself. Therefore I've written a disassembler specially for Thumb mode. This disassembler can extract useful data and perform numerical arithmetic linearly (ignoring all branches). I term this a Dumb Disassembler as it performs neither branch analysis nor symbolic arithmetic. A Smart Disassembler would do both, resulting in decompiler-quality output.
The Thumb Dumb Disassembler can be downloaded in thumb-ddis.zip. Unlike other networkpx projects, Thumb Dumb Disassembler is released in GPLv3.
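To make the "dumb" in Dumb Disassembler concrete, here is a small linear-sweep Thumb-1 decoder written for this post as an added illustration; it is not code from thumb-ddis or any other networkpx project. It walks a buffer halfword by halfword, decodes a handful of 16-bit Thumb encodings (MOVS/ADDS/SUBS/CMP immediate, LSLS/LSRS, ADDS register, PC-relative LDR, B, BX), and tracks concrete register values as it goes. Branches are decoded for display but never followed, exactly the limitation described above. The sample code bytes, the base address 0x1000 and the literal 0xdeadbeef are constructed for the example.

```python
import struct

def _lit_read(code, base, addr):
    """Read a 32-bit little-endian literal out of the swept buffer, if in range."""
    off = addr - base
    if 0 <= off and off + 4 <= len(code):
        return struct.unpack_from("<I", code, off)[0]
    return None

def decode(addr, hw, code, base, regs):
    """Decode one Thumb-1 halfword and update the concrete register map.

    Only the encodings needed by the sample are handled; anything else is
    emitted as a raw .short, which is also what happens to literal pools.
    """
    op = hw >> 11
    if op == 0b00100:                                   # MOVS Rd, #imm8
        rd, imm = (hw >> 8) & 7, hw & 0xFF
        regs[rd] = imm
        return f"movs r{rd}, #{imm}"
    if op == 0b00101:                                   # CMP Rd, #imm8 (flags only)
        return f"cmp r{(hw >> 8) & 7}, #{hw & 0xFF}"
    if op in (0b00110, 0b00111):                        # ADDS / SUBS Rd, #imm8
        rd, imm = (hw >> 8) & 7, hw & 0xFF
        if rd in regs:
            delta = imm if op == 0b00110 else -imm
            regs[rd] = (regs[rd] + delta) & 0xFFFFFFFF
        return f"{'adds' if op == 0b00110 else 'subs'} r{rd}, #{imm}"
    if op in (0b00000, 0b00001):                        # LSLS / LSRS Rd, Rm, #imm5
        imm5, rm, rd = (hw >> 6) & 0x1F, (hw >> 3) & 7, hw & 7
        if rm in regs:
            shifted = regs[rm] << imm5 if op == 0 else regs[rm] >> imm5
            regs[rd] = shifted & 0xFFFFFFFF
        return f"{'lsls' if op == 0 else 'lsrs'} r{rd}, r{rm}, #{imm5}"
    if (hw >> 9) == 0b0001100:                          # ADDS Rd, Rn, Rm
        rm, rn, rd = (hw >> 6) & 7, (hw >> 3) & 7, hw & 7
        if rn in regs and rm in regs:
            regs[rd] = (regs[rn] + regs[rm]) & 0xFFFFFFFF
        return f"adds r{rd}, r{rn}, r{rm}"
    if op == 0b01001:                                   # LDR Rd, [pc, #imm8*4]
        rd, imm = (hw >> 8) & 7, (hw & 0xFF) * 4
        target = ((addr + 4) & ~3) + imm                # PC is addr+4, word-aligned
        val = _lit_read(code, base, target)
        if val is not None:
            regs[rd] = val
        note = f" = 0x{val:08x}" if val is not None else ""
        return f"ldr r{rd}, [pc, #{imm}]  ; 0x{target:08x}{note}"
    if op == 0b11100:                                   # B <label>: shown, never followed
        imm11 = hw & 0x7FF
        if imm11 & 0x400:
            imm11 -= 0x800
        return f"b 0x{addr + 4 + imm11 * 2:08x}  ; branch ignored"
    if (hw >> 7) == 0b010001110:                        # BX Rm
        return f"bx r{(hw >> 3) & 0xF}"
    return f".short 0x{hw:04x}"

def linear_sweep(code, base=0):
    """Sweep the buffer linearly; return (listing lines, final register map)."""
    regs, listing = {}, []
    for off in range(0, len(code) - 1, 2):
        hw = struct.unpack_from("<H", code, off)[0]
        addr = base + off
        listing.append(f"{addr:08x}  {hw:04x}  {decode(addr, hw, code, base, regs)}")
    return listing, regs

# Constructed sample: eight Thumb halfwords followed by a four-byte literal pool.
SAMPLE_BASE = 0x1000
SAMPLE_CODE = bytes.fromhex(
    "0520"      # movs r0, #5
    "0a21"      # movs r1, #10
    "4018"      # adds r0, r0, r1
    "8000"      # lsls r0, r0, #2
    "014a"      # ldr  r2, [pc, #4]   -> literal at 0x1010
    "00e0"      # b    0x100e         -> skips the next instruction at run time
    "0020"      # movs r0, #0         -> never executed, but the sweep still sees it
    "7047"      # bx   lr
    "efbeadde"  # literal pool: 0xdeadbeef
)

if __name__ == "__main__":
    lines, final = linear_sweep(SAMPLE_CODE, SAMPLE_BASE)
    print("\n".join(lines))
    print({f"r{k}": hex(v) for k, v in sorted(final.items())})
```

Running it shows both halves of the trade-off: the PC-relative load is resolved to 0xdeadbeef without any branch analysis, which is the "useful data" a dumb sweep recovers cheaply, but because the B is ignored the sweep also applies the skipped movs r0, #0, so its final r0 is 0 where real execution would leave 60. It also decodes the literal pool as two stray .short halfwords, another artifact a branch-aware disassembler would avoid.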
(Sidetrack: What about the VFDecrypt key? In pre-3.0 asr there is a specific __DATA,__restore section to store the key. In post-3.0 asr this is computed at run time using the SHA-1 and SHA-256 keys of the CPU identifier (s5l8900x) and the content of the whole ramdisk. And then I got a 64-char incorrect password from it. There is another way to extract the key: run the asr, put a breakpoint at 0x00011836, and retrieve the CFString at r0. On my device both the 2.2.1 and 3.0 asr Bus-errored me when I tried to actually run them.)

Now, let's talk about something not so technical. One of the new customer features in iPhoneOS 3.0 is Spotlight. But one essential component missing from the Mac OS X Spotlight is the calculator.
When the SDK was just released, some developers noticed the directories /System/Library/SearchBundles/*.searchBundle, and it does mean Spotlight is extensible, right? Indeed it is. After disassembling the two searchBundles in it, I have a rough idea of how these bundles work. So with minimum effort, I've created this Calculator.searchBundle:

Because 3.0 is not jailbroken yet, only the Simulator version exists. If you have the SDK, you can now download Calculator.searchBundle.zip to test the bundle. The source code is also provided (under the BSD license) so you can code up your own.
Note that the 3.0 SDK is not finalized so the code shown here may not work in June.