Siemens SGold: I / O sniffer

Sniffer is a special program for analyzing and intercepting network traffic and transmitting data through interfaces

and much more. In this case, we will monitor operations (read and write) with I / O ports.

using the example of the Siemens SGold line phone and I will try to explain how it all works.

Foreword

Many immediately have a question about the feasibility and usefulness of this venture, because these phones are outdated long ago.

First, let's consider the phone as just some kind of device that has a microcontroller based on ARM926EJ-S (without documentation) and we want to make our firmware for our needs using the data obtained. Secondly, scientific interest!

Theory

So, what do we have? And we have a PMB 8875 S-GoldLite microcontroller based on an ~~Intel processor~~ , that is, ARM9 . And like any normal microcontroller, there are devices and ready interfaces inside it, such as USART , SSC , I2C , PLL , RTC , timers, sorry for the expression, EBU (External Bus Unit), and other terrible bourgeois abbreviations.

I / O ports

As noted earlier, there are some devices and interfaces. And in the 4-gigabyte (32-bit) address space they are assigned their own ranges. Yes, the address space of our microcontroller is physically divided into:

0x00000000-0x00003FFF - SRAM # 1

0x00080000-0x00097FFF - SRAM # 2

0x00400000-0x0040FFFF - BootROM

0xF0000000-0xFFFFFFFF - I / O ports, embedded device registers

And external RAM and ROM can be inserted into a free physical address using the notorious EBU .

So, for example, for the device USART0, the range F1000000-F1000084 is allocated .

It looks in working condition something like this:

Each WORD (in ARM is 4 bytes) in this range is a register for controlling this interface.

That is, by recording certain values in certain registers, we transmit commands or data to the device,

and reading them, we get the data and check the states.

I forgot to say that the USART0 (Universal Synchronous Asynchronous Receiver and Transmitter) is used as a transmitter and a receiver over the cable, roughly speaking, a COM port , but with low voltage.

And let's take a closer look at the process of transferring 1 byte in the simplest case:

#define USART_REG(a) * ( (unsigned int *) ( a ) ) #define USART0_BASE 0xF1000000 #define USART0_CLC USART0_BASE /* Clock Control Register */ #define USART0_ID USART0_BASE + 0x08 /* Module Identification Register */ #define USART0_CON USART0_BASE + 0x10 /* Control Register */ #define USART0_BG USART0_BASE + 0x14 /* Baudrate Timer Reload Register */ #define USART0_FDV USART0_BASE + 0x18 /* Fractional Divider Register */ #define USART0_TXB USART0_BASE + 0x20 /* Transmit Buffer */ #define USART0_RXB USART0_BASE + 0x24 /* Receive Buffer */ #define USART0_FCSTAT USART0_BASE + 0x68 /* Flowcontrol status register */ #define USART0_ICR USART0_BASE + 0x70 void USART0_InitAndTransmit() { unsigned char tx = 0xDD; //   USART_REG(USART0_CLC) = 0x200; //      USART_REG(USART0_BG) = 0x05; USART_REG(USART0_FDV) = 0xDA; //    USART_REG(USART0_CON) = 0x8811; //     USART_REG(USART0_TXB) = tx & 0xFF; //         while(!(USART_REG(USART0_FCSTAT) & 2)); //    USART_REG(USART0_ICR) = (USART_REG(USART0_ICR)) | 0x02; }

Well, that is, in order to transmit something to the device, you need to write them to these damn registers, and read them from them, and we will use this for interception.

MMU and Redirection Table

MMU is a device in a microcontroller for managing memory and address space. It may or may not be included, but it works for us and sets access modes to different memory areas, and the most interesting is that it can redirect or mirror addresses.

I started talking about physical addresses and all that, but there are still virtual ones that can be created using the MMU .

All 4-gigabyte address space is written in a small redirect table.

The redirection table is a section of memory, usually in SRAM , which describes 4096 MB of address space. And each cell the size of a WORD describes 1 MB . Simple calculations can find out its size - 16 KB . There is also a second level of tables, but we will not climb into the jungle, it is not necessary. So, the position of the cell from the beginning tells MMU about the physical address

which must be translated into a virtual one, the value of which is written in it. The cell also describes the attributes of this space in 1 MB - cached, buffered, access modes. If the cell is empty, that is, it is equal to 0x00000000 (or at least the bits responsible for accessibility), then the address that it should describe does not exist, and the processor will not see it.

For understanding, the example of such a table is:

Cell address	Value	Description
0x0000	0x00000C12	Describes 0x00000000-0x000FFFFF / RW / Nekeshir. Nebuf
0x0004	0x00100C12	Describes 0x00100000-0x001FFFFF / RW / Nekeshir. Nebuf
0x0008	0x00200C12	Describes 0x00200000-0x002FFFFF / RW / Nekeshir. Nebuf
0x000C	0x00300C12	Describes 0x00300000-0x003FFFFF / RW / Nekeshir. Nebuf
0x0010	0x00400C12	Describes 0x00400000-0x004FFFFF / RW / Nekeshir. Nebuf
.....
0x3840	0xF1000C12	Mirror with 0xF1000000-0xF10FFFFF at 0xE1000000-0xE10FFFFF
.....
0x3C40	0xF1000C12	Describes 0xF1000000-0xF10FFFFF / RW / Nekeshir. Nebuf
.....
0xFFFC	0x00000000	Addresses 0xFFF00000-0xFFFFFFFF processor does not see

And yes, we describe this table ourselves and wherever we want, in any part of RAM or Flash , and in order for the MMU to know about it, it is necessary to register the address in the CP15 coprocessor register , but this is not important for us.

Interrupt vectors

Interruptions are iron (from devices), software (through special instructions BKPT and SWI ) and from errors (exceptions).

As a result of an interrupt, the processor, oddly enough, interrupts the execution of instructions at the current address and goes to the so-called interrupt vector, that is, a specific address, depending on the type of interrupt. And it usually contains an instruction for switching to the handler for this interrupt / exception.

Consider these vectors:

Bottom address	Top address	Vector	Description
0x00000000	0xFFFF0000	Reset	Reset
0x00000004	0xFFFF0004	Undefined_Instruction	Unknown instruction
0x00000008	0xFFFF0008	Swi	Software interrupt
0x0000000C	0xFFFF000C	Prefetch_Abort	Command Read Failure
0x00000010	0xFFFF0010	Data_Abort	Denied access to data
0x00000014	0xFFFF0014	RESERVED	Reserved
0x00000018	0xFFFF0018	IRQ	Iron interrupt
0x0000001C	0xFFFF001C	FIQ	Iron interrupt

In Siemens SGold, they look like this:

But we are only interested in one Data Abort vector. This interrupt occurs when the processor tries to commit

read / write operation from a nonexistent address or an address that is currently not accessible.

The Siemens SGold firmware uses this vector simply as registering an error and shutting down the device with a characteristic sound.

That is, a handler whose pointer is located at 0x00000030 can be safely replaced with its own.

Mechanism for tracking read / write operations

Now that we are up to date, we can also consider how this thing works.

Let us look at the first picture in the article, I will not be afraid of this word, a flowchart.

Take a look at the ARM code of the assembler (do not look for meaning or completeness in it):

 LDR R1, =0xF4700000 ;    R1  0xF4700000 LDR R2, [R1, #0x14] ;    R2     R1 + 0x14 (    0xF4700014) BIC R2, R2, #1 ;  0-    R2 STR R2, [R1, #0x14] ;    R2     R1 + 0x14 (    0xF4700014) MOV R2, #2 ;    R2  2

The most interesting begins on the instructions:

 LDR R2, [R1, #0x14] ;    R2     R1 + 0x14 (    0xF4700014)

Here, the processor first asks the MMU : “ Is the address 0xF4700014 there and is there access to it?”

The MMU says that yes and the processor reads the content from the address and continues to work.

We replace the Data Abort exception handler with our own, for this it is enough to change the pointer to the address 0x00000030 .

Mirror the address space 0xF4700000-0xF47FFFFF to 0xE4700000-0xE47FFFFF through the forwarding table,

and we erase the original address there. It turns out that 0xF4700014 - does not exist, that is, the processor does not see it, but there is

0xE4700014 - translated (mirrored) from the physical address 0xF4700014 .

We repeat the code, the processor stumbles upon that very instruction, asks about the existence of the address and here you are, hello, no!

Panic. In such cases, the processor jumps to the interrupt vector and gets to where? That's right, in our handler. We carefully preserve the context of the interrupted program so that nothing is lost and not stuck.

Next, there is an emulation of this instruction, but taking into account that there is no address and you should take 0xE4700014 instead .

There is an emulation: determining the location of the instruction, analyzing what it should do, actually doing all this, applying to the context (remember which one we saved), recording all the transaction data (instruction address, register address, value and type of operation) where somehow, calmly restore it and direct the processor to the next instruction.

If the firmware will perform operations with addresses 0xF4700000-0xF47FFFFF , then it will inevitably fall on the handler, and he, in turn, regularly keep a log of these operations. Beauty is the same! True, instead of one instruction, you need to execute a huge handler, but it has little effect on performance and performance.

Implementation mechanism

I think that the implementation of all this is highly dependent on the platform and this code will not give anyone anything,

but it will still be strange without it. Everything was developed in IAR 4.2.

arm_defs.h

 #ifndef __ARM_DEFS_H__ #define __ARM_DEFS_H__ #define WORD(a) * ( (unsigned int *) ( a ) ) #define HWRD(a) * ( (unsigned short *) ( a ) ) #define BYTE(a) * ( (unsigned char *) ( a ) ) #define INS_BIT(i,b) ( ( i >> b )&1 ) #define I32_FIELD(i,b,e) ( ( ( i << ( 31 - b ) ) >> 31 - b ) >> ( e ) ) #define I32_FIELD_FAST(i,e,m) ( ( i >> e ) & m ) #define IARM_COND(i) ( ( i >> 28 )&0xF ) #define IARM_Rn(i) ( ( i >> 16 )&0xF ) #define IARM_Rd(i) ( ( i >> 12 )&0xF ) #define IARM_Rs(i) ( ( i >> 8 )&0xF ) #define IARM_Rm(i) ( ( i >> 0 )&0xF ) #define IARM_ImmHi(i) ( ( i >> 16 )&0xF ) #define IARM_ImmLo(i) ( ( i >> 0 )&0xF ) #define IARM_Imm12(i) ( ( i >> 0 )&0xFFF ) #define IARM_ShiftImm(i) I32_FIELD_FAST(i,7,0x1F) #define IARM_Shift(i) I32_FIELD_FAST(i,5,3) #define IARM_Shift_LSL 0 #define IARM_Shift_LSR 1 #define PC_ALIGN(pc) (pc & 0xFFFFFFFE) #define MAX_REGS 17 #define _R0 0 #define _R1 1 #define _R2 2 #define _R3 3 #define _R4 4 #define _R5 5 #define _R6 6 #define _R7 7 #define _R8 8 #define _R9 9 #define _R10 10 #define _R11 11 #define _R12 12 #define _SP 13 #define _LR 14 #define _PC 15 #define _CPSR 16 #define GET_PSR_N(cpsr) ((cpsr >> 31)&1) #define GET_PSR_Z(cpsr) ((cpsr >> 30)&1) #define GET_PSR_C(cpsr) ((cpsr >> 29)&1) #define GET_PSR_V(cpsr) ((cpsr >> 28)&1) #define GET_PSR_Q(cpsr) ((cpsr >> 27)&1) #define GET_PSR_I(cpsr) ((cpsr >> 7)&1) #define GET_PSR_F(cpsr) ((cpsr >> 6)&1) #define GET_PSR_T(cpsr) ((cpsr >> 5)&1) #define GET_PSR_M(cpsr) ((cpsr)&0x1F) #define SET_PSR_T(cpsr, i) (cpsr |= ( i << 5)) #define MUSR 0x10 // User Mode #define MFIQ 0x11 // FIQ Mode #define MIRQ 0x12 // IRQ Mode #define MSVC 0x13 // Supervisor Mode #define MABT 0x17 // Abort Mode #define MUND 0x1B // Undefined Mode #define MSYS 0x1F // System Mode #define MMSK 0x1F // Mask Mode #define CEQ 0 // : Z == 1 #define CNE 1 //  : Z == 0 #define CCS 2 // : C == 1 #define CHS 2 //    : C == 1 #define CCC 3 //  : C == 0 #define CLO 3 //  : C == 0 #define CMI 4 // /: N == 1 #define CPL 5 // /  : N == 0 #define CVS 6 // : V == 1 #define CVC 7 //  : V == 0 #define CHI 8 //  : C == 1 && Z == 0 #define CLS 9 //    : C == 0 && Z == 1 #define CGE 10 //   ,  : N == V #define CLT 11 //  ,  : N != V #define CGT 12 //  ,  : Z == 0 && N == V #define CLE 13 //   ,  : Z == 1 && N != V #define CAL 14 //   #define CMSK 15 //   // LDR / STR #define IARM_IS_LDR(i) \ ( I32_FIELD_FAST(i,26,3)==1 && INS_BIT(i,22)==0 && INS_BIT(i,20)==1 ) #define IARM_IS_STR(i) \ ( I32_FIELD_FAST(i,26,3)==1 && INS_BIT(i,22)==0 && INS_BIT(i,20)==0 ) #define IARM_LDR_I(i) INS_BIT(i,25) #define IARM_LDR_P(i) INS_BIT(i,24) #define IARM_LDR_U(i) INS_BIT(i,23) #define IARM_LDR_W(i) INS_BIT(i,21) // if Load and Store word or unsigned byte instructions #define IARM_IS_LDRHS(i) ( (i >> 25)&7 == 0 && (i >> 7)&1 == 1 && (i >> 4)&1 == 1 ) #define IARM_LDRHS_P(i) INS_BIT(i,24) #define IARM_LDRHS_U(i) INS_BIT(i,23) #define IARM_LDRHS_I(i) INS_BIT(i,22) #define IARM_LDRHS_W(i) INS_BIT(i,21) #define IARM_LDRHS_L(i) INS_BIT(i,20) #define IARM_LDRHS_S(i) INS_BIT(i, 6) #define IARM_LDRHS_H(i) INS_BIT(i, 5) /* THUMBs command detector Load / Store */ // PC-relative load #define ITHUMB_LS_PCREL(i) (((i >> 11) & 0x1F) == 0x09) #define ITHUMB_LS_PCREL_Rd(i) ((i >> 8) & 0x07) #define ITHUMB_LS_PCREL_Offset(i) (i & 0xF) // load/store with register offset #define ITHUMB_LS_WITHREGOFFSET(i) (((i >> 9) &(~0x06)) == 0x28) #define ITHUMB_LS_WITHREGOFFSET_Ro(i) ((i >> 6) & 0x07) #define ITHUMB_LS_WITHREGOFFSET_Rb(i) ((i >> 3) & 0x07) #define ITHUMB_LS_WITHREGOFFSET_Rd(i) ((i >> 0) & 0x07) #define ITHUMB_LS_WITHREGOFFSET_L(i) ((i >> 11) & 0x01) #define ITHUMB_LS_WITHREGOFFSET_B(i) ((i >> 10) & 0x01) // load/store sign-extended byte/halfword #define ITHUMB_LS_SIGNEXTBYTEHWRD(i) (((i >> 9) &(~0x06)) == 0x29) #define ITHUMB_LS_SIGNEXTBYTEHWRD_Ro(i) ((i >> 6) & 0x07) #define ITHUMB_LS_SIGNEXTBYTEHWRD_Rb(i) ((i >> 3) & 0x07) #define ITHUMB_LS_SIGNEXTBYTEHWRD_Rd(i) ((i >> 0) & 0x07) #define ITHUMB_LS_SIGNEXTBYTEHWRD_H(i) ((i >> 11) & 0x01) #define ITHUMB_LS_SIGNEXTBYTEHWRD_S(i) ((i >> 10) & 0x01) // load/store with immediate offset #define ITHUMB_LS_WITHIMMOFFSET(i) (((i >> 11) &(~0x03)) == 0x0C) #define ITHUMB_LS_WITHIMMOFFSET_L(i) ((i >> 11) & 0x01) #define ITHUMB_LS_WITHIMMOFFSET_B(i) ((i >> 12) & 0x01) #define ITHUMB_LS_WITHIMMOFFSET_Rb(i) ((i >> 3) & 0x07) #define ITHUMB_LS_WITHIMMOFFSET_Rd(i) ((i >> 0) & 0x07) #define ITHUMB_LS_WITHIMMOFFSET_Offset(i) ((i >> 6) & 0x1F) // load/store halfword #define ITHUMB_LS_HWRD(i) (((i >> 11) & (~0x01)) == 0x10) #define ITHUMB_LS_HWRD_L(i) ((i >> 11) & 0x01) #define ITHUMB_LS_HWRD_Rb(i) ((i >> 3) & 0x07) #define ITHUMB_LS_HWRD_Rd(i) ((i >> 0) & 0x07) #define ITHUMB_LS_HWRD_Offset(i) ((i >> 6) & 0x1F) // SP-relative load/store #define ITHUMB_LS_SPREL(i) (((i >> 12) & 0x0F) == 0x09) #define ITHUMB_LS_SPREL_L(i) ((i >> 11) & 0x01) #define ITHUMB_LS_SPREL_Rd(i) ((i >> 8) & 0x07) #define ITHUMB_LS_SPREL_Offset(i) (i & 0xF) #endif // __ARM_DEFS_H__

sniffer.h

 #ifndef __SNIFFER_H__ #define __SNIFFER_H__ #include "arm_defs.h" extern void da_handler(); #define IO_ADDRESS 0xF0000000 #define IO_ADDRESS_MIRROR 0xE0000000 #define IO_ADDRESS_DIF 0x10000000 #define VECTOR_DATAABORT_JUMPER 0xE59FF018 #define VECTOR_DATAABORT_JUMPER_OFS 0x10 #define VECTOR_DATAABORT_HANDLER_OFS 0x30 #define MMU_ATTR 0xC12 #define MMU_TABLE 0x00090000 #define MMU_GRID(a) * ( (unsigned int *) ( (MMU_TABLE + ((a >> 20) & 0xFFF) * 4) ) ) #define MMU_GRID_MIRROR(a) MMU_GRID(a - IO_ADDRESS_DIF) #define MMU_GRID_SETATTR(a) ((a & 0xFFF00000) | MMU_ATTR) typedef struct { unsigned int r0; unsigned int r1; unsigned int r2; unsigned int r3; unsigned int r4; unsigned int r5; unsigned int r6; unsigned int r7; unsigned int r8; unsigned int r9; unsigned int r10; unsigned int r11; unsigned int r12; unsigned int sp; unsigned int lr; unsigned int pc; unsigned int cpsr; }REGISTERS; typedef struct { union regs { unsigned int a[MAX_REGS]; REGISTERS s; }; }CONTEXT; void io_sniffer_init(void (*sniff_prc)(unsigned int address, unsigned int value, unsigned int pc, char is_ldr)); void io_sniffer_deinit(); int io_sniffer_add(unsigned int io_address); int io_sniffer_remove(unsigned int io_address); #endif // __SNIFFER_H__

system.h

 #ifndef __SYSTEM_H__ #define __SYSTEM_H__ __arm void SetDomainAccess(unsigned int domains); __arm void SetMemoryAccess(unsigned int domains); __arm void UnlockAllMemoryAccess(); __arm void DisableInterrupt(); __arm void EnableInterrupt(); __arm void EnableModeForOSWork(); __arm void DisableModeForOSWork(); #endif // __SYSTEM_H__

da_handler.asm

 #include "arm_defs.h" EXTERN context EXTERN abt_stack EXTERN emualate_ldr_str CODE32 ARM RSEG CODE:CODE PUBLIC da_handler da_handler: //   R0 - R12   LDR SP, =context STMIA SP, {R0-R12} //     LDR SP, =abt_stack ADD SP, SP, #0x4000 //  CPSR   MRS R1, SPSR LDR R0, =context STR R1, [R0, #_CPSR*4] //  PC   SUB LR, LR, #0x08 STR LR, [R0, #_PC*4] //      AND R2, R1, #MMSK CMP R2, #MUSR //   USR,   SYS MOVEQ R2, #MSYS //     MRS R1, CPSR BIC R1, R1, #MMSK ORR R1, R1, R2 MSR CPSR_c, R1 //  SP  LR   STR SP, [R0, #_SP*4] STR LR, [R0, #_LR*4] //   , //     ABT BIC R1, R1, #MMSK ORR R1, R1, #MABT MSR CPSR_c, R1 BL emualate_ldr_str //  CPSR   LDR R0, =context LDR R1, [R0, #_CPSR*4] MSR SPSR_cxsf, R1 //      AND R2, R1, #MMSK CMP R2, #MUSR //   USR,   SYS MOVEQ R2, #MSYS //     MRS R1, CPSR BIC R1, R1, #MMSK ORR R1, R1, R2 MSR CPSR_c, R1 //  SP  LR   LDR SP, [R0, #_SP*4] LDR LR, [R0, #_LR*4] //    ABT BIC R1, R1, #MMSK ORR R1, R1, #MABT MSR CPSR_c, R1 //  PC LDR SP, =context LDR LR, [SP, #_PC*4] //   R0-R12 LDMIA SP, {R0-R12} //     //    MOVS PC, LR END

sniffer.c

 #include "sniffer.h" #include "system.h" CONTEXT context; unsigned char abt_stack[0x4000]; unsigned char sniffer_map[0x100]; unsigned int da_jumper = 0; unsigned int da_address = 0; void (*sniff_p)(unsigned int address, unsigned int value, unsigned int pc, char is_ldr) = 0; __arm void sniff_proc(unsigned int address, unsigned int value, unsigned int pc, char is_ldr) { if (sniff_p) sniff_p(address, value, pc, is_ldr); } __arm int emualate_ldr_str_sub(CONTEXT *context) { unsigned int cpsr; unsigned int instruction; unsigned int address; //unsigned char cond; char i, l, b, h, w, s, u, p; char rn, rd, rm; cpsr = context->s.cpsr; // ARM if (!GET_PSR_T(cpsr)) { //   instruction = WORD(context->s.pc); //   //cond = IARM_COND(instruction); //  (LDR) if (IARM_IS_LDR(instruction)) { p = IARM_LDR_P(instruction); i = IARM_LDR_I(instruction); u = IARM_LDR_U(instruction); w = IARM_LDR_W(instruction); rn = IARM_Rn(instruction); rd = IARM_Rd(instruction); rm = IARM_Rm(instruction); int sign; unsigned int index; //       if (!i) index = IARM_Imm12(instruction); //        else { //    if (!IARM_ShiftImm(instruction) && !IARM_Shift(instruction)) index = context->a[rm]; //      else { //    unsigned short si = IARM_ShiftImm(instruction); //   unsigned short st = IARM_Shift(instruction); switch(st) { case IARM_Shift_LSL: index = context->a[rm] << si; break; case IARM_Shift_LSR: if (si) { index = 0; break; } else { index = context->a[rm] >> si; break; } } } } //    if (u) sign = 1; //    else sign = -1; //  - if (!p) { address = context->a[rn]; context->a[rn] = address + index*sign; context->a[rd] = WORD(address - IO_ADDRESS_DIF); //     sniff_proc(address, context->a[rd], context->s.pc, 1); } else { //  - if (w) { address = context->a[rn] + index*sign; context->a[rn] = address; context->a[rd] = WORD(address - IO_ADDRESS_DIF); //     sniff_proc(address, context->a[rd], context->s.pc, 1); } //   /- else { address = context->a[rn] + index*sign; context->a[rd] = WORD(address - IO_ADDRESS_DIF); //     sniff_proc(address, context->a[rd], context->s.pc, 1); } } } //  (STR) else if (IARM_IS_STR(instruction)) { p = IARM_LDR_P(instruction); i = IARM_LDR_I(instruction); u = IARM_LDR_U(instruction); w = IARM_LDR_W(instruction); rn = IARM_Rn(instruction); rd = IARM_Rd(instruction); rm = IARM_Rm(instruction); int sign; unsigned int index; //       if (!i) index = IARM_Imm12(instruction); //        else { //    if (!IARM_ShiftImm(instruction) && !IARM_Shift(instruction)) index = context->a[rm]; //      else { //    unsigned short si = IARM_ShiftImm(instruction); //   unsigned short st = IARM_Shift(instruction); switch(st) { case IARM_Shift_LSL: index = context->a[rm] << si; break; case IARM_Shift_LSR: if (si) { index = 0; break; } else { index = context->a[rm] >> si; break; } } } } //    if (u) sign = 1; //    else sign = -1; //  - if (!p) { address = context->a[rn]; context->a[rn] = address + index*sign; WORD(address - IO_ADDRESS_DIF) = context->a[rd]; //     sniff_proc(address, context->a[rd], context->s.pc, 0); } else { //  - if (w) { address = context->a[rn] + index*sign; context->a[rn] = address; WORD(address - IO_ADDRESS_DIF) = context->a[rd]; //     sniff_proc(address, context->a[rd], context->s.pc, 0); } //   /- else { address = context->a[rn] + index*sign;; WORD(address - IO_ADDRESS_DIF) = context->a[rd]; //     sniff_proc(address, context->a[rd], context->s.pc, 0); } } } context->s.pc += 4; return 1; } else // THUMB { //   instruction = HWRD(context->s.pc); if (ITHUMB_LS_WITHREGOFFSET(instruction)) { rd = ITHUMB_LS_WITHREGOFFSET_Rd(instruction); l = ITHUMB_LS_WITHREGOFFSET_L(instruction); b = ITHUMB_LS_WITHREGOFFSET_B(instruction); //  if (l) { //   if (b) context->a[rd] = BYTE(address - IO_ADDRESS_DIF); else //   context->a[rd] = WORD(address - IO_ADDRESS_DIF); //     sniff_proc(address, context->a[rd], context->s.pc, 1); } //  else { //   if (b) BYTE(address - IO_ADDRESS_DIF) = context->a[rd]; else //   WORD(address - IO_ADDRESS_DIF) = context->a[rd]; //     sniff_proc(address, context->a[rd], context->s.pc, 0); } } else if (ITHUMB_LS_SIGNEXTBYTEHWRD(instruction)) { address = context->a[ITHUMB_LS_SIGNEXTBYTEHWRD_Rb(instruction)] + context->a[ITHUMB_LS_SIGNEXTBYTEHWRD_Ro(instruction)]; rd = ITHUMB_LS_SIGNEXTBYTEHWRD_Rd(instruction); h = ITHUMB_LS_SIGNEXTBYTEHWRD_H(instruction); s = ITHUMB_LS_SIGNEXTBYTEHWRD_S(instruction); //   if (!h && !s) { HWRD(address - IO_ADDRESS_DIF) = context->a[rd]; //     sniff_proc(address, context->a[rd], context->s.pc, 0); //  } else if (h && !s) { context->a[rd] = HWRD(address - IO_ADDRESS_DIF); //     sniff_proc(address, context->a[rd], context->s.pc, 1); //      } else if (!h && s) { context->a[rd] = BYTE(address - IO_ADDRESS_DIF); if (INS_BIT(context->a[rd], 7)) context->a[rd] |= 0xFFFFFF00; //     sniff_proc(address, context->a[rd], context->s.pc, 1); //      } else if (h && s) { context->a[rd] = HWRD(address - IO_ADDRESS_DIF); if (INS_BIT(context->a[rd], 15)) context->a[rd] |= 0xFFFF0000; //     sniff_proc(address, context->a[rd], context->s.pc, 1); } } else if (ITHUMB_LS_WITHIMMOFFSET(instruction)) { rd = ITHUMB_LS_WITHIMMOFFSET_Rd(instruction); l = ITHUMB_LS_WITHIMMOFFSET_L(instruction); b = ITHUMB_LS_WITHIMMOFFSET_B(instruction); if (b) address = context->a[ITHUMB_LS_WITHIMMOFFSET_Rb(instruction)] + ITHUMB_LS_WITHIMMOFFSET_Offset(instruction); else address = context->a[ITHUMB_LS_WITHIMMOFFSET_Rb(instruction)] + (ITHUMB_LS_WITHIMMOFFSET_Offset(instruction) << 2); //  if (l) { //   if (b) context->a[rd] = BYTE(address - IO_ADDRESS_DIF); else //   context->a[rd] = WORD(address - IO_ADDRESS_DIF); //     sniff_proc(address, context->a[rd], context->s.pc, 1); } //  else { //   if (b) BYTE(address - IO_ADDRESS_DIF) = context->a[rd]; else //   WORD(address - IO_ADDRESS_DIF) = context->a[rd]; //     sniff_proc(address, context->a[rd], context->s.pc, 0); } } else if (ITHUMB_LS_HWRD(instruction)) { rd = ITHUMB_LS_HWRD_Rd(instruction); l = ITHUMB_LS_HWRD_L(instruction); address = context->a[ITHUMB_LS_HWRD_Rb(instruction)] + (ITHUMB_LS_HWRD_Offset(instruction) << 1); //  if (l) context->a[rd] = HWRD(address - IO_ADDRESS_DIF); //  else HWRD(address - IO_ADDRESS_DIF) = context->a[rd]; //     sniff_proc(address, context->a[rd], context->s.pc, l); } else if (ITHUMB_LS_SPREL(instruction)) { address = context->s.sp + (ITHUMB_LS_SPREL_Offset(instruction) << 2); rd = ITHUMB_LS_SPREL_Rd(instruction); l = ITHUMB_LS_SPREL_L(instruction); //  if (l) context->a[rd] = WORD(address - IO_ADDRESS_DIF); else //  WORD(address - IO_ADDRESS_DIF) = context->a[rd]; //     sniff_proc(address, context->a[rd], context->s.pc, l); } context->s.pc += 2; return 1; } } __arm void emualate_ldr_str(CONTEXT *context) { SetDomainAccess(0xFFFFFFFF); emualate_ldr_str_sub(context); SetDomainAccess(1); } void io_sniffer_init(void (*sniff_prc)(unsigned int address, unsigned int value, unsigned int pc, char is_ldr)) { if (sniff_prc) { UnlockAllMemoryAccess(); da_jumper = WORD(VECTOR_DATAABORT_JUMPER_OFS); da_address = WORD(VECTOR_DATAABORT_HANDLER_OFS); WORD(VECTOR_DATAABORT_JUMPER_OFS) = VECTOR_DATAABORT_JUMPER; WORD(VECTOR_DATAABORT_HANDLER_OFS) = (int)&da_handler; SetMemoryAccess(1); sniff_p = sniff_prc; for (int i = 0; i < 0x100; i++) sniffer_map[i] = 0; } } void io_sniffer_deinit() { UnlockAllMemoryAccess(); da_jumper = WORD(VECTOR_DATAABORT_JUMPER_OFS); da_address = WORD(VECTOR_DATAABORT_HANDLER_OFS); WORD(VECTOR_DATAABORT_JUMPER_OFS) = (unsigned int)&da_jumper; WORD(VECTOR_DATAABORT_HANDLER_OFS) = (unsigned int)&da_address; for (int i = 0; i < 0x100; i++) { if (sniffer_map[i]) { unsigned int io_address = IO_ADDRESS | (i << 20) | MMU_ATTR; MMU_GRID(io_address) = MMU_GRID_SETATTR(io_address); MMU_GRID_MIRROR(io_address) = 0x00000000; } sniffer_map[i] = 0; } SetMemoryAccess(1); sniff_p = 0; } int io_sniffer_add(unsigned int io_address) { if ((io_address >> 28) == 0x0F) { unsigned char sm = (io_address >> 20) & 0x0FF; if (!sniffer_map[sm]) { UnlockAllMemoryAccess(); MMU_GRID(io_address) = 0x00000000; MMU_GRID_MIRROR(io_address) = MMU_GRID_SETATTR(io_address); SetMemoryAccess(1); sniffer_map[sm] = 1; return 1; } } return 0; } int io_sniffer_remove(unsigned int io_address) { if ((io_address >> 28) == 0x0F) { unsigned char sm = (io_address >> 20) & 0x0FF; if (sniffer_map[sm]) { UnlockAllMemoryAccess(); MMU_GRID(io_address) = MMU_GRID_SETATTR(io_address); MMU_GRID_MIRROR(io_address) = 0x00000000; SetMemoryAccess(1); sniffer_map[sm] = 0; return 1; } } return 0; }

system.c

 #include "system.h" #include "intrinsics.h" #pragma swi_number=0x00 __swi __arm void system_mode_sg(); #pragma swi_number=0x04 __swi __arm void system_mode_nsg(); #pragma swi_number=0x81B5 __swi __arm int is_nsg(); __arm void SetDomainAccess(unsigned int domains) { __MCR(15, 0, domains, 3, 0, 0); for (int i = 0; i < 20; i++); } __arm void SetMemoryAccess(unsigned int domains) { if (is_nsg()) system_mode_nsg(); else system_mode_sg(); __disable_interrupt(); SetDomainAccess(domains); __enable_interrupt(); } __arm void UnlockAllMemoryAccess() { if (is_nsg()) system_mode_nsg(); else system_mode_sg(); __disable_interrupt(); SetDomainAccess(0xFFFFFFFF); __enable_interrupt(); } __arm void DisableInterrupt() { if (is_nsg()) system_mode_nsg(); else system_mode_sg(); __disable_interrupt(); } __arm void EnableInterrupt() { if (is_nsg()) system_mode_nsg(); else system_mode_sg(); __enable_interrupt(); } unsigned long cpsr = 0; __arm void EnableModeForOSWork() { cpsr = __get_CPSR(); cpsr &= 0xC0; cpsr |= 0x1F; __set_CPSR(cpsr); } __arm void DisableModeForOSWork() { if (cpsr) __set_CPSR(cpsr); cpsr = 0; }

Result

And finally, I’ll tell you what it was that was finally achieved using this sniffer.

The executable file io_sniffer.elf is downloaded to the phone , it starts.

Configure the sniffer so that it catches operations with the I2C interface ( 0xF4800000 ).

In addition to the handler, there is a special task (thread, stream), which in real time transfers everything to the computer via cable, and there is a program that receives data and displays it in a window.

If you click on the phone button, then its speaker will click (included in the phone settings), this is caused by the Dialog device , which is exchanged via the I2C buswith a microcontroller. And in theory, we should see that the firmware does this,

that this device synthesizes sound like this:

I2C: key click

 0xA07EE064|I2C |CLC |0xF4800000||0x00000100| 0xA07EE06C|I2C |BUSCON |0xF4800014||0xA0007E11| 0xA07EE070|I2C |SYSCON |0xF4800010||0x00880000| 0xA07EE07C|I2C |SYSCON |0xF4800010||0x00880000| 0xA089550C|I2C |ICR |0xF48000FC||0x00000000| 0xA0895514|I2C |ICR |0xF48000FC||0x00004000| 0xA0895518|I2C |ICR |0xF48000FC||0x00000000| 0xA0895520|I2C |ICR |0xF48000FC||0x00001000| 0xA0895868|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895878|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895888|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895938|I2C |RTB |0xF4800018||0x00001262| 0xA0895940|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895950|I2C |SYSCON |0xF4800010||0x04880000| 0xA0895964|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA0895970|I2C |WHBSYSCON|0xF4800020||0x00100000| 0xA0895540|I2C |ICR |0xF48000FC||0x00003000| 0xA0895548|I2C |ICR |0xF48000FC||0x00007000| 0xA0895374|I2C |SYSCON |0xF4800010||0x04980230| 0xA0895388|I2C |SYSCON |0xF4800010||0x04980230| 0xA089539C|I2C |SYSCON |0xF4800010||0x04980230| 0xA0895420|I2C |SYSCON |0xF4800010||0x04980230| 0xA0895438|I2C |SYSCON |0xF4800010||0x00980230| 0xA0895444|I2C |RTB |0xF4800018||0x00000010| 0xA0895540|I2C |ICR |0xF48000FC||0x00003000| 0xA0895548|I2C |ICR |0xF48000FC||0x00007000| 0xA0895374|I2C |SYSCON |0xF4800010||0x00980130| 0xA0895388|I2C |SYSCON |0xF4800010||0x00980130| 0xA089539C|I2C |SYSCON |0xF4800010||0x00980130| 0xA0895590|I2C |SYSCON |0xF4800010||0x00980130| 0xA08955A8|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA08955B4|I2C |WHBSYSCON|0xF4800020||0x00080000| 0xA08955BC|I2C |SYSCON |0xF4800010||0x008800A0| 0xA08955DC|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA08955E8|I2C |WHBSYSCON|0xF4800020||0x00000080| 0xA08955F0|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA08955FC|I2C |WHBSYSCON|0xF4800020||0x00000020| 0xA0895530|I2C |ICR |0xF48000FC||0x00004000| 0xA07EDF94|I2C |BUSCON |0xF4800014||0x00000000| 0xA07EDF9C|I2C |CLC |0xF4800000||0x00000001| 0xA07EE064|I2C |CLC |0xF4800000||0x00000100| 0xA07EE06C|I2C |BUSCON |0xF4800014||0xA0007E11| 0xA07EE070|I2C |SYSCON |0xF4800010||0x00880000| 0xA07EE07C|I2C |SYSCON |0xF4800010||0x00880000| 0xA089550C|I2C |ICR |0xF48000FC||0x00000000| 0xA0895514|I2C |ICR |0xF48000FC||0x00004000| 0xA0895518|I2C |ICR |0xF48000FC||0x00000000| 0xA0895520|I2C |ICR |0xF48000FC||0x00001000| 0xA0895868|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895878|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895888|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895938|I2C |RTB |0xF4800018||0x00001362| 0xA0895940|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895950|I2C |SYSCON |0xF4800010||0x04880000| 0xA0895964|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA0895970|I2C |WHBSYSCON|0xF4800020||0x00100000| 0xA0895540|I2C |ICR |0xF48000FC||0x00003000| 0xA0895548|I2C |ICR |0xF48000FC||0x00007000| 0xA0895374|I2C |SYSCON |0xF4800010||0x04980230| 0xA0895388|I2C |SYSCON |0xF4800010||0x04980230| 0xA089539C|I2C |SYSCON |0xF4800010||0x04980230| 0xA0895420|I2C |SYSCON |0xF4800010||0x04980230| 0xA0895438|I2C |SYSCON |0xF4800010||0x00980230| 0xA0895444|I2C |RTB |0xF4800018||0x00000010| 0xA0895540|I2C |ICR |0xF48000FC||0x00003000| 0xA0895548|I2C |ICR |0xF48000FC||0x00007000| 0xA0895374|I2C |SYSCON |0xF4800010||0x00980130| 0xA0895388|I2C |SYSCON |0xF4800010||0x00980130| 0xA089539C|I2C |SYSCON |0xF4800010||0x00980130| 0xA0895590|I2C |SYSCON |0xF4800010||0x00980130| 0xA08955A8|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA08955B4|I2C |WHBSYSCON|0xF4800020||0x00080000| 0xA08955BC|I2C |SYSCON |0xF4800010||0x008800A0| 0xA08955DC|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA08955E8|I2C |WHBSYSCON|0xF4800020||0x00000080| 0xA08955F0|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA08955FC|I2C |WHBSYSCON|0xF4800020||0x00000020| 0xA0895530|I2C |ICR |0xF48000FC||0x00004000| 0xA07EDF94|I2C |BUSCON |0xF4800014||0x00000000| 0xA07EDF9C|I2C |CLC |0xF4800000||0x00000001| 0xA07EE064|I2C |CLC |0xF4800000||0x00000100| 0xA07EE06C|I2C |BUSCON |0xF4800014||0xA0007E11| 0xA07EE070|I2C |SYSCON |0xF4800010||0x00880000| 0xA07EE07C|I2C |SYSCON |0xF4800010||0x00880000| 0xA089550C|I2C |ICR |0xF48000FC||0x00000000| 0xA0895514|I2C |ICR |0xF48000FC||0x00004000| 0xA0895518|I2C |ICR |0xF48000FC||0x00000000| 0xA0895520|I2C |ICR |0xF48000FC||0x00001000| 0xA0895868|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895878|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895888|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895938|I2C |RTB |0xF4800018||0x00004462| 0xA0895940|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895950|I2C |SYSCON |0xF4800010||0x04880000| 0xA0895964|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA0895970|I2C |WHBSYSCON|0xF4800020||0x00100000| 0xA0895540|I2C |ICR |0xF48000FC||0x00003000| 0xA0895548|I2C |ICR |0xF48000FC||0x00007000| 0xA0895374|I2C |SYSCON |0xF4800010||0x04980230| 0xA0895388|I2C |SYSCON |0xF4800010||0x04980230| 0xA089539C|I2C |SYSCON |0xF4800010||0x04980230| 0xA0895420|I2C |SYSCON |0xF4800010||0x04980230| 0xA0895438|I2C |SYSCON |0xF4800010||0x00980230| 0xA0895444|I2C |RTB |0xF4800018||0x00000062| 0xA0895540|I2C |ICR |0xF48000FC||0x00003000| 0xA0895548|I2C |ICR |0xF48000FC||0x00007000| 0xA0895374|I2C |SYSCON |0xF4800010||0x00980130| 0xA0895388|I2C |SYSCON |0xF4800010||0x00980130| 0xA089539C|I2C |SYSCON |0xF4800010||0x00980130| 0xA0895590|I2C |SYSCON |0xF4800010||0x00980130| 0xA08955A8|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA08955B4|I2C |WHBSYSCON|0xF4800020||0x00080000| 0xA08955BC|I2C |SYSCON |0xF4800010||0x008800A0| 0xA08955DC|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA08955E8|I2C |WHBSYSCON|0xF4800020||0x00000080| 0xA08955F0|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA08955FC|I2C |WHBSYSCON|0xF4800020||0x00000020| 0xA0895530|I2C |ICR |0xF48000FC||0x00004000| 0xA07EDF94|I2C |BUSCON |0xF4800014||0x00000000| 0xA07EDF9C|I2C |CLC |0xF4800000||0x00000001| 0xA07EE064|I2C |CLC |0xF4800000||0x00000100| 0xA07EE06C|I2C |BUSCON |0xF4800014||0xA0007E11| 0xA07EE070|I2C |SYSCON |0xF4800010||0x00880000| 0xA07EE07C|I2C |SYSCON |0xF4800010||0x00880000| 0xA089550C|I2C |ICR |0xF48000FC||0x00000000| 0xA0895514|I2C |ICR |0xF48000FC||0x00004000| 0xA0895518|I2C |ICR |0xF48000FC||0x00000000| 0xA0895520|I2C |ICR |0xF48000FC||0x00001000| 0xA0895868|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895878|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895888|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895938|I2C |RTB |0xF4800018||0x00004662| 0xA0895940|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895950|I2C |SYSCON |0xF4800010||0x04880000| 0xA0895964|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA0895970|I2C |WHBSYSCON|0xF4800020||0x00100000| 0xA0895540|I2C |ICR |0xF48000FC||0x00003000| 0xA0895548|I2C |ICR |0xF48000FC||0x00007000| 0xA0895374|I2C |SYSCON |0xF4800010||0x04980230| 0xA0895388|I2C |SYSCON |0xF4800010||0x04980230| 0xA089539C|I2C |SYSCON |0xF4800010||0x04980230| 0xA0895420|I2C |SYSCON |0xF4800010||0x04980230| 0xA0895438|I2C |SYSCON |0xF4800010||0x00980230| 0xA0895444|I2C |RTB |0xF4800018||0x00000067| 0xA0895540|I2C |ICR |0xF48000FC||0x00003000| 0xA0895548|I2C |ICR |0xF48000FC||0x00007000| 0xA0895374|I2C |SYSCON |0xF4800010||0x00980130| 0xA0895388|I2C |SYSCON |0xF4800010||0x00980130| 0xA089539C|I2C |SYSCON |0xF4800010||0x00980130| 0xA0895590|I2C |SYSCON |0xF4800010||0x00980130| 0xA08955A8|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA08955B4|I2C |WHBSYSCON|0xF4800020||0x00080000| 0xA08955BC|I2C |SYSCON |0xF4800010||0x008800A0| 0xA08955DC|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA08955E8|I2C |WHBSYSCON|0xF4800020||0x00000080| 0xA08955F0|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA08955FC|I2C |WHBSYSCON|0xF4800020||0x00000020| 0xA0895530|I2C |ICR |0xF48000FC||0x00004000| 0xA07EDF94|I2C |BUSCON |0xF4800014||0x00000000| 0xA07EDF9C|I2C |CLC |0xF4800000||0x00000001| 0xA07EE064|I2C |CLC |0xF4800000||0x00000100| 0xA07EE06C|I2C |BUSCON |0xF4800014||0xA0007E11| 0xA07EE070|I2C |SYSCON |0xF4800010||0x00880000| 0xA07EE07C|I2C |SYSCON |0xF4800010||0x00880000| 0xA089550C|I2C |ICR |0xF48000FC||0x00000000| 0xA0895514|I2C |ICR |0xF48000FC||0x00004000| 0xA0895518|I2C |ICR |0xF48000FC||0x00000000| 0xA0895520|I2C |ICR |0xF48000FC||0x00001000| 0xA0895868|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895878|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895888|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895938|I2C |RTB |0xF4800018||0x00004262| 0xA0895940|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895950|I2C |SYSCON |0xF4800010||0x04880000| 0xA0895964|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA0895970|I2C |WHBSYSCON|0xF4800020||0x00100000| 0xA0895540|I2C |ICR |0xF48000FC||0x00003000| 0xA0895548|I2C |ICR |0xF48000FC||0x00007000| 0xA0895374|I2C |SYSCON |0xF4800010||0x04980230| 0xA0895388|I2C |SYSCON |0xF4800010||0x04980230| 0xA089539C|I2C |SYSCON |0xF4800010||0x04980230| 0xA0895420|I2C |SYSCON |0xF4800010||0x04980230| 0xA0895438|I2C |SYSCON |0xF4800010||0x00980230| 0xA0895444|I2C |RTB |0xF4800018||0x00000008| 0xA0895540|I2C |ICR |0xF48000FC||0x00003000| 0xA0895548|I2C |ICR |0xF48000FC||0x00007000| 0xA0895374|I2C |SYSCON |0xF4800010||0x00980130| 0xA0895388|I2C |SYSCON |0xF4800010||0x00980130| 0xA089539C|I2C |SYSCON |0xF4800010||0x00980130| 0xA0895590|I2C |SYSCON |0xF4800010||0x00980130| 0xA08955A8|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA08955B4|I2C |WHBSYSCON|0xF4800020||0x00080000| 0xA08955BC|I2C |SYSCON |0xF4800010||0x008800A0| 0xA08955DC|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA08955E8|I2C |WHBSYSCON|0xF4800020||0x00000080| 0xA08955F0|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA08955FC|I2C |WHBSYSCON|0xF4800020||0x00000020| 0xA0895530|I2C |ICR |0xF48000FC||0x00004000| 0xA07EDF94|I2C |BUSCON |0xF4800014||0x00000000| 0xA07EDF9C|I2C |CLC |0xF4800000||0x00000001| 0xA07EE064|I2C |CLC |0xF4800000||0x00000100| 0xA07EE06C|I2C |BUSCON |0xF4800014||0xA0007E11| 0xA07EE070|I2C |SYSCON |0xF4800010||0x00880000| 0xA07EE07C|I2C |SYSCON |0xF4800010||0x00880000| 0xA089550C|I2C |ICR |0xF48000FC||0x00000000| 0xA0895514|I2C |ICR |0xF48000FC||0x00004000| 0xA0895518|I2C |ICR |0xF48000FC||0x00000000| 0xA0895520|I2C |ICR |0xF48000FC||0x00001000| 0xA0895868|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895878|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895888|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895938|I2C |RTB |0xF4800018||0x00004462| 0xA0895940|I2C |SYSCON |0xF4800010||0x00880000| 0xA0895950|I2C |SYSCON |0xF4800010||0x04880000| 0xA0895964|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA0895970|I2C |WHBSYSCON|0xF4800020||0x00100000| 0xA0895540|I2C |ICR |0xF48000FC||0x00003000| 0xA0895548|I2C |ICR |0xF48000FC||0x00007000| 0xA0895374|I2C |SYSCON |0xF4800010||0x04980230| 0xA0895388|I2C |SYSCON |0xF4800010||0x04980230| 0xA089539C|I2C |SYSCON |0xF4800010||0x04980230| 0xA0895420|I2C |SYSCON |0xF4800010||0x04980230| 0xA0895438|I2C |SYSCON |0xF4800010||0x00980230| 0xA0895444|I2C |RTB |0xF4800018||0x00000062| 0xA0895540|I2C |ICR |0xF48000FC||0x00003000| 0xA0895548|I2C |ICR |0xF48000FC||0x00007000| 0xA0895374|I2C |SYSCON |0xF4800010||0x00980130| 0xA0895388|I2C |SYSCON |0xF4800010||0x00980130| 0xA089539C|I2C |SYSCON |0xF4800010||0x00980130| 0xA0895590|I2C |SYSCON |0xF4800010||0x00980130| 0xA08955A8|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA08955B4|I2C |WHBSYSCON|0xF4800020||0x00080000| 0xA08955BC|I2C |SYSCON |0xF4800010||0x008800A0| 0xA08955DC|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA08955E8|I2C |WHBSYSCON|0xF4800020||0x00000080| 0xA08955F0|I2C |WHBSYSCON|0xF4800020||0x00000000| 0xA08955FC|I2C |WHBSYSCON|0xF4800020||0x00000020| 0xA0895530|I2C |ICR |0xF48000FC||0x00004000| 0xA07EDF94|I2C |BUSCON |0xF4800014||0x00000000| 0xA07EDF9C|I2C |CLC |0xF4800000||0x00000001|

And here is the transfer of an 8-byte file (guess the contents) habr.txt via infrared

from a Siemens CF75 phone (there is a sniffer on it) to the Siemens CX75 .

We catch only data registers:

USART1: IR transfer file habr.txt

 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF C0 FF 3F 01 10 ?.. 64 77 01 FF FF FF FF 01 00 00 06 7C C1 C1 dw.....| 0xA07F1BC0|USART1 |RXB |0xF1800024|| C1 FF FF FF FF FF FF FF FF FF FF C0 FE BF 01 40 ї.@ 90 81 09 10 64 77 01 01 00 00 B1 24 00 53 49 45 ђЃ..dw....±$.SIE 4D 45 4E 53 20 43 58 37 35 3E 35 C1 MENS CX75>5 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF C0 FF 3F 01 10 ?.. 64 77 01 FF FF FF FF 01 01 00 DE 65 C1 C1 dw....e 0xA07F1BC0|USART1 |RXB |0xF1800024|| C1  0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF C0 FF 3F 01 10 ?.. 64 77 01 FF FF FF FF 01 02 00 B6 4F C1 C1 FF FF dw....¶O FF FF FF FF FF FF FF FF FF C0 FF 3F 01 10 64 77 ?..dw 01 FF FF FF FF 01 03 00 6E 56 C1 C1 FF FF FF FF ....nV FF FF FF FF FF FF FF C0 FF 3F 01 10 64 77 01 FF ?..dw. FF FF FF 01 04 00 66 1B C1 C1 FF FF FF FF FF FF ...f. FF FF FF FF FF C0 FF 3F 01 10 64 77 01 FF FF FF ?..dw. FF 01 05 00 BE 02 C1 C1 FF FF FF FF FF FF FF FF ...ѕ. FF FF FF C0 FF 3F 01 10 64 77 01 FF FF FF FF 01 ?..dw.. FF 00 B1 24 00 53 49 45 4D 45 4E 53 20 43 46 37 .±$.SIEMENS CF7 35 51 CD C1 C1 FF FF FF FF FF FF FF FF FF FF FF 5Q C0 FF 93 10 64 77 01 40 90 81 09 B4 01 01 3E 82 “.dw.@ђЃ.ґ..>‚ 01 07 83 01 0F 84 01 01 85 01 04 86 01 07 08 01 ..ѓ..„..…..†.... FF 25 82 C1 C1 %‚ 0xA07F1BC0|USART1 |RXB |0xF1800024|| C1 FF FF FF FF FF FF FF FF FF FF C0 B4 73 40 90 ґs@ђ 81 09 10 64 77 01 01 01 3E 82 01 07 83 01 0F 84 Ѓ..dw...>‚..ѓ..„ 01 01 85 01 04 86 01 07 08 01 FF 60 18 C1 ..…..†....`. 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 11 µ. 99 4A C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 J C1 C1  0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 11 41 ґ.A 53 C1 S 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 10 µ. 80 02 01 00 34 14 C1 C1 Ђ...4. 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 31 43 ґ1C 72 C1 r 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 11 µ. 99 4A C1 C1 J 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 30 82 ґ0‚ 00 81 00 8C 70 C1 .Ѓ.Њp 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 32 µ2 00 02 84 04 4F 42 45 58 13 49 72 44 41 3A 54 69 ..„.OBEX.IrDA:Ti 6E 79 54 50 3A 4C 73 61 70 53 65 6C 04 AF C1 C1 nyTP:LsapSel.Ї 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 51 45 ґQE 11 C1 . 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 31 µ1 9B 6B C1 C1 ›k 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 52 02 ґR. 00 84 00 00 01 00 02 01 00 00 00 04 8D AF C1 .„..........ЌЇ 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 54 µT 84 04 01 00 04 18 B5 C1 C1 „.....µ 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 71 47 ґqG 30 C1 0 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 51 µQ 9D 08 C1 C1 ќ. 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 74 84 ґt„ 04 81 00 04 41 A3 C1 .Ѓ..AЈ 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 71 µq 9F 29 C1 C1 џ) 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 71 47 ґqG 30 C1 0 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 71 µq 9F 29 C1 C1 џ) 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 71 47 ґqG 30 C1 0 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 71 µq 9F 29 C1 C1 C1 џ) 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 71 47 ґqG 30 C1 0 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 71 µq 9F 29 C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 џ) C1 C1  0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 71 47 ґqG 30 C1 0 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 71 µq 9F 29 C1 C1 C1 џ) 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 71 47 ґqG 30 C1 0 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 71 µq 9F 29 C1 C1 џ) 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 71 47 ґqG 30 C1 0 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 71 µq 9F 29 C1 C1 џ) 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 71 47 ґqG 30 C1 0 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 71 µq 9F 29 C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 C1 џ) 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 71 47 ґqG 30 C1 0 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 71 µq 9F 29 C1 C1 џ) 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 71 47 ґqG 30 C1 0 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 71 µq 9F 29 C1 C1 џ) 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 71 47 ґqG 30 C1 0 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 76 µv 04 04 00 80 00 07 10 00 02 0B 92 AC C1 C1 ...Ђ......'¬ 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 91 49 ґ'I D7 C1  0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 71 µq 9F 29 C1 C1 џ) 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 96 04 ґ–. 04 01 A0 00 07 10 00 02 0B 6F 76 C1 .. ......ov 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 98 µ˜ 04 04 01 02 00 1D 01 00 15 00 68 00 61 00 62 00 ..........hab 72 00 2E 00 74 00 78 00 74 00 00 C3 00 00 00 08 r...txt..... 8C 02 C1 C1 Њ. 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 B1 4B ґ±K F6 C1  0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 91 µ' 91 CE C1 C1 ' 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 B8 04 ґ. 04 01 90 00 03 99 A7 C1 ..ђ..§ 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 BA µє 04 04 01 02 00 0E 48 00 0B 48 41 42 52 48 41 42 ......H..HABRHAB 52 96 88 C1 C1 R–€ 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 D1 4D ґM 95 C1 • 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 B1 µ± 93 EF C1 C1 “ 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 D1 4D ґM 95 C1 • 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 B1 µ± 93 EF C1 C1 “ 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 D1 4D ґM 95 C1 • 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 B1 µ± 93 EF C1 C1 “ 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 D1 4D ґM 95 C1 • 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 B1 µ± 93 EF C1 C1 “ 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 D1 4D ґM 95 C1 • 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 B1 µ± 93 EF C1 C1 “ 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 D1 4D ґM 95 C1 • 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 B1 µ± 93 EF C1 C1 “ 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 D1 4D ґM 95 C1 • 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 B1 µ± 93 EF C1 C1 “ 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 DA 04 ґ. 04 01 90 00 03 A7 34 C1 ..ђ..§4 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 DC µ 04 04 01 82 00 06 49 00 03 DD A5 C1 C1 ...‚..I..Ґ 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 F1 4F ґO B4 C1 ґ 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 D1 µ 95 8C C1 C1 •Њ 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 FC 04 ґ. 04 01 A0 00 03 47 89 C1 .. ..G‰ 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 FE µ 04 04 01 81 00 03 A4 66 C1 C1 ...Ѓ..¤f 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 11 41 ґ.A 53 C1 S 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 F1 µ 97 AD C1 C1 — 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 1E 04 ґ.. 04 01 A0 00 03 64 9C C1 .. ..dњ 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 11 µ. 99 4A C1 C1 J 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 11 41 ґ.A 53 C1 S 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 11 µ. 99 4A C1 C1 J 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 11 41 ґ.A 53 C1 S 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 10 µ. 84 04 02 01 E0 8B C1 C1 „...‹ 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 31 43 ґ1C 72 C1 r 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 11 µ. 99 4A C1 C1 J 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 31 43 ґ1C 72 C1 r 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 12 µ. 80 02 02 01 5D 39 C1 C1 Ђ...]9 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 51 45 ґQE 11 C1 . 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 11 µ. 99 4A C1 C1 J 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 51 45 ґQE 11 C1 . 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 11 µ. 99 4A C1 C1 C1 J 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 51 45 ґQE 11 C1 . 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 11 µ. 99 4A C1 C1 J 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 51 45 ґQE 11 C1 . 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 11 µ. 99 4A C1 C1 J 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 51 45 ґQE 11 C1 . 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 11 µ. 99 4A C1 C1 J 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 51 45 ґQE 11 C1 . 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 11 µ. 99 4A C1 C1 J 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 51 45 ґQE 11 C1 . 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 11 µ. 99 4A C1 C1 J 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 51 45 ґQE 11 C1 . 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 11 µ. 99 4A C1 C1 J 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 51 45 ґQE 11 C1 . 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 11 µ. 99 4A C1 C1 J 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 51 45 ґQE 11 C1 . 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 11 µ. 99 4A C1 C1 J 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 51 45 ґQE 11 C1 . 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 11 µ. 99 4A C1 C1 J 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 51 45 ґQE 11 C1 . 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 11 µ. 99 4A C1 C1 J 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 51 45 ґQE 11 C1 . 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 11 µ. 99 4A C1 C1 J 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 51 45 ґQE 11 C1 . 0xA0A3F3B0|USART1 |TXB |0xF1800020|| FF FF FF FF FF FF FF FF FF FF FF FF FF C0 B5 53 µS 8F 2B C1 C1 Џ+ 0xA07F1BC0|USART1 |RXB |0xF1800024|| FF FF FF FF FF FF FF FF FF FF FF FF C0 B4 73 40 ґs@ 90 81 09 10 64 77 01 3C 38 C1 ђЃ..dw.<8

Let's go back to I2C . Put the filter so that only data transfer is tracked.

When clicking, service sounds, changing the backlight, volume and vibration, we will see that something happens:

Files

IOSniffer_CPPBuilder_XE5.rar

IOSniffer_IAR42.rar

IOSniffer_I2C.avi

Source: https://habr.com/ru/post/226575/

All Articles