August 03, 2004 (technical)

PDD Day 4

The fourth day (Day 1, Day 2, Day 3) of using pdd focused on analysing the images pdd created, both RAM and ROM images. The images analysed were those created without performing a soft-reset, those created with a soft-reset, and the images taken after the contacts and memos had been deleted from the palm.

Analysing images which were created from pdd when set to not soft-reset the device - 040803 12.20pm

Using an evaluation copy of WinHex 11.6 SR-18, the RAM files 040803-01.out and 040803-02.out were opened. In the "View" menu, "Synchronise & Compare" was ticked, which highlighted every hexadecimal character (and its equivalent ASCII character) that differed between the files. Counting manually, there were 144 differences, ranging from a single differing character up to one case of 512 consecutive differing characters (where a character is 8 bits, or a byte, represented by 2 hexadecimal characters). In total there were 1013 characters (bytes) that differed between the two images.

A quick examination of the ASCII text revealed that only a few of those differences were attributable to the palm's clock. The memory range used for the palm's clock went from 0x00002922 to 0x00002929, which on the first run contained the values "31 32 3A 31 34 20 70 6D", translating to "12:14 pm", and on the second run contained the values "31 3A 30 32 20 70 6D 00", translating to "1:02 pm".

The range from 0x000383D6 to 0x000385D5, where exactly 512 consecutive characters differed, is assumed to be the dynamic heap for running applications.

Most of the readable ASCII text is stored between the last change in the image, at 0x000400FF, and the point at 0x000514C4 where no more data is kept (marked by a repetitive string of 0x55 characters). A quick search through this section of the image reveals some of the contacts and memos. This area of the image was roughly 70 KB.

Performing a quick ASCII search for ".com", with the goal of finding any URLs or emails, returned 8 positive results. One of these was the email added to the contacts (see Day 1) for Pete. Just scanning over the area between 0x000417C7 and 0x000433D1, a lot of English words are visible in the ASCII column; slowly scrolling through this section I come across the memo I made about the container ship (see Day 1).
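The comparison described above, reproduced as an added example (not pdd's code and not the author's WinHex session): it compares two equal-sized RAM images byte by byte, reports each maximal run of differing bytes with its offsets and ASCII rendering, and totals the differing bytes. The two 256-byte images, their layout and the placement of the clock text at 0x22 are constructed for the demonstration; the page's real images put the clock at 0x2922.

```python
"""Compare two Palm RAM images byte by byte and report every run of differing
bytes, the way a hex editor's "Synchronise & Compare" view highlights them.

Added example, not pdd's or the author's code. Image layout, offsets and
contents below are constructed for the demonstration.
"""
from dataclasses import dataclass

# The page found the clock string at 0x2922-0x2929 in the real image; the
# constructed images here are only 256 bytes, so the field is placed at 0x22.
CLOCK_OFFSET = 0x22


@dataclass
class DiffRun:
    """A maximal run of consecutive offsets whose bytes differ."""
    start: int     # offset of the first differing byte
    end: int       # offset one past the last differing byte
    old: bytes     # bytes from the first image
    new: bytes     # bytes from the second image

    @property
    def length(self) -> int:
        return self.end - self.start


def diff_runs(first: bytes, second: bytes) -> list[DiffRun]:
    """Return every run of differing bytes between two equal-sized images."""
    if len(first) != len(second):
        raise ValueError("images must be the same size to be compared")
    runs: list[DiffRun] = []
    start = None
    for offset, (a, b) in enumerate(zip(first, second)):
        if a != b:
            if start is None:
                start = offset
        elif start is not None:
            runs.append(DiffRun(start, offset, first[start:offset], second[start:offset]))
            start = None
    if start is not None:  # the last run continues to the end of the image
        runs.append(DiffRun(start, len(first), first[start:], second[start:]))
    return runs


def total_differing_bytes(runs: list[DiffRun]) -> int:
    """Total count of differing bytes (the page's 'characters (bytes)' figure)."""
    return sum(run.length for run in runs)


def printable_ascii(data: bytes) -> str:
    """Render bytes like a hex editor's ASCII column: '.' for non-printables."""
    return "".join(chr(c) if 0x20 <= c < 0x7F else "." for c in data)


def field_at(image: bytes, start: int, end_inclusive: int) -> bytes:
    """Slice using the inclusive offset ranges the page quotes (e.g. 0x2922 to 0x2929)."""
    return image[start:end_inclusive + 1]


def build_sample_images() -> tuple[bytes, bytes]:
    """Two constructed 256-byte 'acquisitions' of the same device minutes apart."""
    first = bytearray(256)
    first[CLOCK_OFFSET:CLOCK_OFFSET + 8] = b"12:14 pm"       # clock text on the first run
    first[0x80:0x84] = b"\xde\xad\xbe\xef"                   # some unrelated structure
    second = bytearray(first)
    second[CLOCK_OFFSET:CLOCK_OFFSET + 8] = b"1:02 pm\x00"   # clock text on the second run
    second[0x81] = 0x00                                       # a single-byte change
    second[0xC0:0xD0] = bytes(range(1, 17))                   # a 16-byte block that churned
    return bytes(first), bytes(second)


def report(runs: list[DiffRun]) -> None:
    """Print each run like a hex editor's comparison log."""
    for run in runs:
        print(f"0x{run.start:08X}-0x{run.end - 1:08X} ({run.length:4d} bytes)  "
              f"{run.old.hex(' ')} |{printable_ascii(run.old)}|  ->  "
              f"{run.new.hex(' ')} |{printable_ascii(run.new)}|")
    print(f"{len(runs)} differences, {total_differing_bytes(runs)} bytes differ in total")


if __name__ == "__main__":
    a, b = build_sample_images()
    report(diff_runs(a, b))
    print("clock on run 1:", printable_ascii(field_at(a, CLOCK_OFFSET, CLOCK_OFFSET + 7)))
    print("clock on run 2:", printable_ascii(field_at(b, CLOCK_OFFSET, CLOCK_OFFSET + 7)))
```

One thing the constructed data makes visible: the two clock strings share their first byte ("1"), so the diff run starts one byte into the field. A comparison tool counts runs of changed bytes, not fields, which is why the 8-byte range quoted above for the clock is a field boundary rather than a difference boundary, and why a run count and a byte count can move in opposite directions between acquisitions.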

Analysing images which were created from pdd when set to soft-reset the device - 040805 6.20pm

First the palm was soft-reset (by pressing the reset button on the back), then the images were acquired one after the other as before, except this time with a soft-reset in between. Because the palm was soft-reset between the acquisitions, the stylus had to be re-aligned and console mode had to be re-entered.

Like before, both image files (040805-01.out and 040805-02.out) were opened in WinHex to see the differences between the images.

Before making the 2nd image I had to re-align the stylus and re-enter the palm into console mode.

In total there were 310 differences between the two images, but across those 310 differences only 977 characters (bytes) differed. At first these results looked wrong, especially considering that the number of bytes differing between the images when the palm was not soft-reset was higher, at 1013 bytes.

Inspecting the range from 0x000383D6 to 0x000385D5, where exactly 512 bytes differed in the test above, did not yield the same result. In fact, there was no change between the two images in this range, which might mean the range is not in fact the dynamic heap, unless its starting offset can change.

Like the above test, the clock information still resided from 0x00002922 to 0x00002929.

Analysing images after contacts and memos were deleted - 040808 1.00pm

After the palm was soft-reset, re-aligned, and entered into console mode, the base image was acquired with pdd ("pdd of=040808-01.out"), allowing the device to be soft-reset once the acquisition finished.

Enter console debug mode [ .. 2]

pdd process beginning.

Resetting Palm OS device.

pdd successful. Exiting.

After this image was acquired successfully, the stylus was re-aligned and then the memo and the contact (see Day 1) were deleted from the palm device. Immediately following their deletion the palm was put into console mode and an image was acquired for the second time ("pdd of=040808-02.out"). The palm was once again soft-reset by pdd automatically.

Enter console debug mode [ .. 2]

pdd process beginning.

Resetting Palm OS device.

pdd successful. Exiting.

To test whether a soft-reset of the palm would wipe the deleted information, a third image was acquired after the stylus was re-aligned and the palm was put into console mode ("pdd of=040808-03.out").

Enter console debug mode [ .. 2]

pdd process beginning.

Resetting Palm OS device.

pdd successful. Exiting.

To test whether a hard-reset of the palm would wipe the deleted information, a fourth image was acquired after the device was hard-reset (holding down the power button whilst pressing the reset button), the stylus re-aligned and the palm put into console mode ("pdd of=040808-04.out").

Enter console debug mode [ .. 2]

pdd process beginning.

Resetting Palm OS device.

pdd successful. Exiting.

1. Searching for information immediately after deletion

Using a hex editor to perform ASCII searches of the 040808-02.out image showed that the contact details for Pete were still present within the image. This included the mobile number, the email and his full name.

Performing a search for "December" showed that the memo was also still present within the image.

These results showed that, much like regular file systems, which remove the links to the information rather than the information itself, Palm OS does not erase information when it is deleted. Under the assumption that the way data is stored on a palm device is similar to that of desktop file systems, it is also safe to assume that after sufficient use of the palm device this unallocated space would eventually be overwritten.

2. Searching for information immediately after deletion and a soft-reset

Using a hex editor to perform ASCII searches of the 040808-03.out image did not reveal the contact information or the memo that used to exist on the palm. Going back to the offsets where the earlier successful searches found the information did not help either. From this you can assume that even though a soft-reset doesn't wipe the RAM on the palm, it does re-lay out (almost like a defrag) the RAM image.

3. Searching for information immediately after deletion, a soft-reset then a hard-reset

Using a hex editor to perform ASCII searches of the 040808-04.out image did not reveal any of the deleted information. This was the expected result for this test, as the hard-reset wipes the RAM of the device.

Posted by xntrik at August 3, 2004 01:04 PM