[*] Binary protection state of connmand
Partial RELRO No Canary found NX disabled No PIE No RPATH No RUNPATH No Symbols
[*] Function fprintf tear down of connmand
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/unblob_extracted/firmware_extract/56048-12514271.gzip_extract/gzip.uncompressed_extract/5243916-15068666.gzip_extract/gzip.uncompressed_extract/usr/sbin/connmand @ 0x42240 */
| #include <stdint.h>
|
; (fcn) fcn.00042240 () | void fcn_00042240 (int32_t arg1) {
| r0 = arg1;
0x00042240 push {r4, r5, r6, lr} |
0x00042244 ldr r1, [pc, 0x28] | r1 = *(0x42270);
0x00042248 mov r5, r0 | r5 = r0;
0x0004224c ldr r0, [pc, 0x24] | r0 = *(0x42274);
0x00042250 bl 0x1b660 | r0 = fopen64 ();
0x00042254 subs r4, r0, 0 | r4 = r0 - 0;
0x00042258 popeq {r4, r5, r6, pc} |
0x0004225c mov r2, r5 | r2 = r5;
0x00042260 ldr r1, [pc, 0x14] | r1 = "_proc_sys_net_ipv4_conf_all_rp_filter";
0x00042264 bl 0x1b8e8 | fprintf (r0, "_proc_sys_net_ipv4_conf_all_rp_filter", r2, r3, r4)
0x00042268 mov r0, r4 | r0 = r4;
0x0004226c pop {r4, r5, r6, lr} |
0x00042270 b 0x1c2e4 | return void (*0x1c2e4)() ();
| }
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/unblob_extracted/firmware_extract/56048-12514271.gzip_extract/gzip.uncompressed_extract/5243916-15068666.gzip_extract/gzip.uncompressed_extract/usr/sbin/connmand @ 0x423e0 */
| #include <stdint.h>
|
| #define BIT_MASK(t,v) ((t)(-((v)!= 0)))&(((t)-1)>>((sizeof(t)*CHAR_BIT)-(v)))
|
; (fcn) fcn.000423e0 () | void fcn_000423e0 (int32_t arg1, int32_t arg2) {
| r0 = arg1;
| r1 = arg2;
0x000423e0 push {r4, r5, r6, lr} |
0x000423e4 mov r5, r1 | r5 = r1;
0x000423e8 mov r1, r0 | r1 = r0;
0x000423ec ldr r0, [pc, 0x40] | r0 = *(0x42430);
0x000423f0 bl 0x1bc78 | r0 = g_strdup_printf ();
0x000423f4 subs r6, r0, 0 | r6 = r0 - 0;
0x000423f8 popeq {r4, r5, r6, pc} |
0x000423fc ldr r1, [pc, 0x34] | r1 = "/proc/sys/net/ipv6/conf/%s/use_tempaddr";
0x00042400 bl 0x1b660 | r0 = fopen64 ();
0x00042404 mov r4, r0 | r4 = r0;
0x00042408 mov r0, r6 | r0 = r6;
0x0004240c bl 0x1b60c | g_free ();
0x00042410 cmp r4, 0 |
0x00042414 popeq {r4, r5, r6, pc} |
0x00042418 bic r2, r5, r5, asr 31 | r2 = BIT_MASK (r5, r5);
0x0004241c mov r0, r4 | r0 = r4;
0x00042420 ldr r1, [pc, 0x14] | r1 = *(0x42438);
0x00042424 bl 0x1b8e8 | fprintf (r0, r1)
0x00042428 mov r0, r4 | r0 = r4;
0x0004242c pop {r4, r5, r6, lr} |
0x00042430 b 0x1c2e4 | return void (*0x1c2e4)() ();
| }
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/unblob_extracted/firmware_extract/56048-12514271.gzip_extract/gzip.uncompressed_extract/5243916-15068666.gzip_extract/gzip.uncompressed_extract/usr/sbin/connmand @ 0x60c38 */
| #include <stdint.h>
|
; (fcn) fcn.00060c38 () | void fcn_00060c38 (int32_t arg1) {
| r0 = arg1;
0x00060c38 ldr r3, [pc, 0xfc] |
0x00060c3c push {r4, r5, r6, r7, r8, lr} |
0x00060c40 ldr r3, [r3, 8] | r3 = "__connman_bridge_create";
0x00060c44 mov r5, r0 | r5 = r0;
0x00060c48 tst r3, 1 |
| if ((r3 & 1) != 0) {
0x00060c4c beq 0x60c64 |
0x00060c50 mov r3, r0 | r3 = r0;
0x00060c54 ldr r2, [pc, 0xe4] | r2 = *(0x60d3c);
0x00060c58 ldr r1, [pc, 0xe4] | r1 = "__connman_bridge_create";
0x00060c5c ldr r0, [pc, 0xe4] | r0 = "src_bridge.c";
0x00060c60 bl 0x2acc4 | connman_debug ();
| }
0x00060c64 mov r2, 0 | r2 = 0;
0x00060c68 ldr r1, [pc, 0xdc] | r1 = "_s:_s___name__s";
0x00060c6c mov r0, 2 | r0 = 2;
0x00060c70 bl 0x1c1e8 | r0 = socket (r0, "_s:_s___name__s", r2);
0x00060c74 subs r6, r0, 0 | r6 = r0 - 0;
| if (r6 >= r0) {
0x00060c78 blt 0x60ca8 |
0x00060c7c mov r2, r5 | r2 = r5;
0x00060c80 ldr r1, [pc, 0xc8] | r1 = *(0x60d4c);
0x00060c84 bl 0x1c35c | r0 = ioctl (r0, r1);
0x00060c88 cmn r0, 1 |
| if (r0 != 1) {
0x00060c8c bne 0x60cb0 | goto label_1;
| }
0x00060c90 bl 0x1c770 | r0 = errno_location ();
0x00060c94 ldr r3, [r0] | r3 = *(r0);
0x00060c98 cmp r3, 0x11 |
| if (r3 == 0x11) {
0x00060c9c beq 0x60cb0 | goto label_1;
| }
0x00060ca0 mov r0, r6 | r0 = r6;
0x00060ca4 bl 0x1b66c | close (r0);
| }
0x00060ca8 mvn r4, 0x5e | r4 = ~0x5e;
0x00060cac b 0x60cfc | goto label_2;
| label_1:
0x00060cb0 mov r1, r5 | r1 = r5;
0x00060cb4 ldr r0, [pc, 0x98] | r0 = *(0x60d50);
0x00060cb8 bl 0x1bc78 | r0 = g_strdup_printf ();
0x00060cbc subs r7, r0, 0 | r7 = r0 - 0;
| if (r7 == r0) {
0x00060cc0 beq 0x60d24 | goto label_3;
| }
0x00060cc4 ldr r1, [pc, 0x8c] | r1 = "/sys/class/net/%s/bridge/forward_delay";
0x00060cc8 bl 0x1b660 | r0 = fopen64 ();
0x00060ccc mov r4, r0 | r4 = r0;
0x00060cd0 mov r0, r7 | r0 = r7;
0x00060cd4 bl 0x1b60c | g_free ();
0x00060cd8 cmp r4, 0 |
| if (r4 != 0) {
0x00060cdc bne 0x60d04 | goto label_4;
| }
0x00060ce0 bl 0x1c770 | r0 = errno_location ();
0x00060ce4 ldr r3, [r0] | r3 = *(r0);
0x00060ce8 cmp r3, 0 |
0x00060cec rsb r4, r3, 0 | r4 = r3 - ;
| if (r3 > 0) {
0x00060cf0 bgt 0x60d28 | goto label_5;
| }
| do {
| label_0:
0x00060cf4 mov r0, r6 | r0 = r6;
0x00060cf8 bl 0x1b66c | close (r0);
| label_2:
0x00060cfc mov r0, r4 | r0 = r4;
0x00060d00 pop {r4, r5, r6, r7, r8, pc} |
| label_4:
0x00060d04 mov r2, 0 | r2 = 0;
0x00060d08 ldr r1, [pc, 0x4c] | r1 = *(0x60d58);
0x00060d0c mov r0, r4 | r0 = r4;
0x00060d10 bl 0x1b8e8 | fprintf (r0, r1, r2)
0x00060d14 mov r0, r4 | r0 = r4;
0x00060d18 bl 0x1c2e4 | fclose (r0);
0x00060d1c mov r4, 0 | r4 = 0;
0x00060d20 b 0x60cf4 |
| } while (1);
| label_3:
0x00060d24 mvn r4, 0xb | r4 = ~0xb;
| label_5:
0x00060d28 mov r2, r5 | r2 = r5;
0x00060d2c ldr r1, [pc, 0x2c] | r1 = "_u";
0x00060d30 mov r0, r6 | r0 = r6;
0x00060d34 bl 0x1c35c | ioctl (r0, "_u");
0x00060d38 b 0x60cf4 | goto label_0;
| }
[*] Function fprintf used 4 times connmand
