Hello,
Sorry for taking so long to respond...
There are a couple issues:
1) You need to use dwarfdump from
http://reality.sgiweb.org/davea/dwarf.html , not the OS X supplied
dwarfdump, for Linux support.
2) You can get System.map values from a few places. First, check if
the source distributed for your kernel has it. Second, see if the
phone exports /proc/kallsyms. If neither of those work then we will
have to find another solution.
Thanks,
Andrew
On Sat, Feb 16, 2013 at 7:46 AM, Pasquale Stirparo <pstirparo@gmail.com> wrote:
> Thanks again Andrew for the assistance and for the Makefile. So here is a brief
> summary for creating the Android profile, following the Linux example here
> (https://code.google.com/p/volatility/wiki/LinuxMemoryForensics):
>
> DISCLAIMER: I'm using a Mac OS X system.
>
> - I modified the Makefile sent by Andrew, placed under
> volatility/tools/linux/Makefile, adding the options for cross-compiling as
> from the LiME kernel module. Basically the modifications are the following:
>
> CCPATH := /path/to/android-ndk/toolchains/arm-linux-androideabi-4.4.3/prebuilt/darwin-x86/bin
>
> dwarf: module.c
> 	$(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- -C $(KDIR) \
> 		CONFIG_DEBUG_INFO=y M=$(PWD) modules
>
>
> - The last instruction of the makefile "dwarfdump -di module.ko >
> module.dwarf" was originally with -di option. But -d appears to be not a
> valid option anymore. Checking the man page, the alternatives for debugging
> options are the following
> --debug-abbrev, --debug-aranges, --debug-frame[=OFFSET],
> --debug-info[=OFFSET], --debug-inlined, --debug-line[=OFFSET],
> --debug-macinfo[=OFFSET], --debug-pubnames[=PATTERN],
> --debug-pubtypes[=PATTERN], --debug-str
> debug-info is the default (which, looking at the output of "head
> module.dwarf", seems to be the correct one), so I tried just to remove the -d
> and also to put --debug-info without any offset value, but this is what I
> get as content of the module.dwarf file:
> hydra:linux paco$ cat module.dwarf
> ----------------------------------------------------------------------
> File: module.ko (arm)
> ----------------------------------------------------------------------
> .debug_info contents:
> < EMPTY >
>
> - The last step to make the profile is to zip the module.dwarf file and the
> System.map of the kernel. After searching around, I found that System.map
> file for android is /proc/kallsyms (probably you all already knew it, but I
> didn't know this :) ).
>
>
> Attached is the makefile I used; if all the rest of the steps I did are right,
> it's missing the right debug option for the dwarfdump command. I've tried
> also the others but none of them seems to give the right output. Any tips on this?
> Thanks
>
> P.
>
> On Fri, Feb 15, 2013 at 5:41 PM, Andrew Case <atcuno@gmail.com> wrote:
>>
>> Hello,
>>
>> We are currently testing a stripped down Makefile to help people
>> compiling for different kernels than the one for the system they are
>> on (which includes Android). Can you please try the attached makefile?
>> You will need to change the KDIR variable to point to your kernel
>> headers or source.
>>
>> On Fri, Feb 15, 2013 at 5:55 AM, Pasquale Stirparo <pstirparo@gmail.com>
>> wrote:
>> > Hi All,
>> >
>> > I'm trying to make a profile for an Android device.
>> > I did a memory dump with LiME of an HTC One X (Android 4.0.3, HTC Sense 4.0,
>> > kernel 2.6.39.4-g6b459dc).
>> >
>> > Now, following the instructions here
>> > https://code.google.com/p/volatility/wiki/LinuxMemoryForensics , I was
>> > trying to understand how to modify the makefile under
>> > volatility/tools/linux/ , in order to point to my kernel source. The thing
>> > is that from my kernel source folder I couldn't find a proper value for
>> > KDIR and KVER (although they should be pretty straightforward according to
>> > their name) that would fit with the path for the make command as in the
>> > following source code:
>> >
>> > pmem: pmem.c
>> > 	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) modules
>> >
>> > dwarf: module.c
>> > 	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build CONFIG_DEBUG_INFO=y \
>> > 		M=$(PWD) modules
>> > 	dwarfdump -di module.ko > module.dwarf
>> > 	$(MAKE) -C $(KDIR)/lib/modules/$(KVER)/build M=$(PWD) clean
>> >
>> >
>> > Did anyone ever create an Android profile? Any hint?
>> > I've seen in the mailing list archive a thread "Profile (ZIP) for Android
>> > 4.0.3" from Mike (in Cc), any news about that?
>> >
>> > Thank you
>> >
>> > P.
>> >
>> > --
>> > Pasquale Stirparo, MEng
>> > GCFA, OPST, OWSE, ECCE
>> >
>> > European Commission - JRC Joint Research Centre
>> > Institute for the Protection and Security of the Citizen (IPSC)
>> > Digital Citizen Security Unit
>> > Via E. Fermi, 2749 - TP 361
>> > 21027 Ispra (VA) - Italy
>> >
>> > PGP Key: 0x4C589FB2
>> > Fingerprint: 776D F072 3F43 D5DE CB55 86D2 55FF 14A7 4C58 9FB2
>> >
>> > Disclaimer: The views expressed are purely those of the writer and may
>> > not
>> > in any circumstance be regarded as stating an official position of the
>> > European Commission.
>> >
>> > _______________________________________________
>> > Vol-users mailing list
>> > Vol-users@volatilesystems.com
>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >
>
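To make the steps discussed in this thread repeatable, here is an added shell script (not from the thread, LiME or Volatility) that wraps the cross-compile, the dwarfdump step and the /proc/kallsyms-as-System.map step, and checks for the two failure modes a practitioner hits here: a module.dwarf whose .debug_info is "< EMPTY >", and a kallsyms dump whose addresses all read back as zero (what an unprivileged read returns when kptr_restrict is set). The NDK toolchain path, the kernel source directory, the use of adb to read the phone, and the output zip name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Volatility. Assumes the
# module.c/Makefile from volatility/tools/linux sit in the current directory,
# the SGI/libdwarf dwarfdump (whose -di flag works) is on PATH, and adb can
# reach the phone. The two check functions run offline on plain text files.

# Fail unless module.dwarf really carries DWARF type information. The
# "< EMPTY >" .debug_info seen in the thread means no debug info was emitted
# and a profile built from it would be unusable.
check_dwarf() {
    f=$1
    [ -s "$f" ] || return 1
    if grep -q '< EMPTY >' "$f"; then
        return 1
    fi
    grep -q 'DW_TAG_structure_type' "$f"
}

# Turn /proc/kallsyms into System.map form: keep the kernel's own
# "addr type name" lines, drop symbols that carry a trailing [module]
# column, and refuse a dump whose addresses are all zero, which is what a
# non-root read returns when kptr_restrict is set.
kallsyms_to_systemmap() {
    src=$1 dst=$2
    awk 'NF == 3' "$src" > "$dst"
    if ! grep -qv '^0* ' "$dst"; then
        echo "all kallsyms addresses are zero: read /proc/kallsyms as root" >&2
        return 1
    fi
}

# The procedure from the thread end to end: cross-compile module.ko with
# the NDK toolchain, dump its DWARF, pull kallsyms as the System.map
# substitute, and zip the pair into a Volatility profile.
make_profile() {
    ccpath=$1 kdir=$2 out=${3:-Android.zip}
    make ARCH=arm CROSS_COMPILE="$ccpath/arm-linux-androideabi-" -C "$kdir" \
        CONFIG_DEBUG_INFO=y M="$PWD" modules || return 1
    dwarfdump -di module.ko > module.dwarf
    check_dwarf module.dwarf || { echo "module.dwarf has no debug info" >&2; return 1; }
    adb shell cat /proc/kallsyms | tr -d '\r' > kallsyms.txt
    kallsyms_to_systemmap kallsyms.txt System.map || return 1
    zip "$out" module.dwarf System.map
}

# Only build when invoked with arguments, e.g.
#   sh make_profile.sh /path/to/ndk/toolchains/.../prebuilt/darwin-x86/bin /path/to/kernel
if [ $# -ge 2 ]; then make_profile "$@"; fi
```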