Flatten


Flatten is a Win32 utility for extracting executable code out of Android ELF files. It operates in two distinct modes for xbl and abl.

Usage: flatten elf [bin low high] /v verbose

XBL and Firehose Loader Files

Most ELF files have sections. Qualcomm files only have programs in the program table. Each is a chunk that will be mapped to memory. Some disassemblers cannot handle these separate chunks. The point of flatten in this case is to convert the separate chunks into a single contiguous binary file. First we look at what is in the file.

C:\>flatten xbl
64 bit ELF
14015000 - 1406a73c 2
1407a000 - 14081c64 4
14098000 - 140b2218 9
14699000 - 146ac180 12
146ae000 - 146b0e30 7
146b1000 - 146b1b64 8
85e35000 - 85e5ee10 13
85ea8000 - 85ea9909 14
9fc00000 - 9fdb5800 11
9fdb6000 - 9fdb7b28 1

Some of these programs are even embedded ELF files! But let's say that we are interested in the first six programs.

C:\>flatten xbl out 14015000 14700000

Now we have a single binary file with the load address of 14015000. We can disassemble it.
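To show what the two XBL steps above actually do to the ELF program table, here is an added example in Python. It is not the flatten tool's own code: it parses the ELF32/ELF64 program headers directly, lists the physical-address range of each PT_LOAD segment, and then merges the segments whose p_paddr falls in [low, high) into one zero-padded image based at low. The sample ELF it runs on is constructed in-memory (the addresses are borrowed from the listing above; the contents are made up), and the function names are this example's own. It also rejects a segment whose file bytes extend past the end of the input, which is the usual symptom of a truncated or tampered dump.

```python
"""Flatten PT_LOAD segments of an ELF image into one contiguous binary (example code)."""
import struct

PT_LOAD, PT_NOTE = 1, 4
ELFCLASS32, ELFCLASS64 = 1, 2


def parse_phdrs(data: bytes):
    """Return one dict per program header: type, offset, paddr, filesz, memsz."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    elfclass, endian = data[4], "<" if data[5] == 1 else ">"
    if elfclass == ELFCLASS64:
        hdr = struct.unpack_from(endian + "16sHHIQQQIHHHHHH", data, 0)
        phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
        fmt = endian + "IIQQQQQQ"   # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
    elif elfclass == ELFCLASS32:
        hdr = struct.unpack_from(endian + "16sHHIIIIIHHHHHH", data, 0)
        phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
        fmt = endian + "IIIIIIII"   # p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
    else:
        raise ValueError("unknown ELF class %d" % elfclass)
    if phoff + phnum * phentsize > len(data):
        raise ValueError("program header table extends past end of file")
    phdrs = []
    for i in range(phnum):
        f = struct.unpack_from(fmt, data, phoff + i * phentsize)
        if elfclass == ELFCLASS64:
            p_type, p_offset, p_paddr, p_filesz, p_memsz = f[0], f[2], f[4], f[5], f[6]
        else:
            p_type, p_offset, p_paddr, p_filesz, p_memsz = f[0], f[1], f[3], f[4], f[5]
        phdrs.append(dict(type=p_type, offset=p_offset, paddr=p_paddr,
                          filesz=p_filesz, memsz=p_memsz))
    return phdrs


def load_ranges(data: bytes):
    """Physical [start, end) range of every PT_LOAD segment, in table order (like 'flatten xbl')."""
    return [(s["paddr"], s["paddr"] + s["memsz"])
            for s in parse_phdrs(data) if s["type"] == PT_LOAD]


def flatten(data: bytes, low: int, high: int):
    """Merge PT_LOAD segments with low <= p_paddr < high into one image based at `low`.

    Gaps between segments become zero bytes, so the result can be loaded in a
    disassembler at a single base address (like 'flatten xbl out low high').
    """
    chosen = [s for s in parse_phdrs(data)
              if s["type"] == PT_LOAD and low <= s["paddr"] < high]
    if not chosen:
        raise ValueError("no PT_LOAD segment in the requested range")
    image = bytearray(max(s["paddr"] + s["memsz"] for s in chosen) - low)
    for s in chosen:
        if s["offset"] + s["filesz"] > len(data):
            raise ValueError("segment at %#x extends past end of file (truncated?)" % s["paddr"])
        n = min(s["filesz"], s["memsz"])            # never copy more than the segment occupies
        dst = s["paddr"] - low
        image[dst:dst + n] = data[s["offset"]:s["offset"] + n]
    return low, bytes(image)


def build_sample_elf64(segments):
    """Constructed sample: minimal little-endian ELF64 from (p_type, p_paddr, payload, p_memsz) tuples."""
    phoff, phentsize = 64, 56
    ident = b"\x7fELF" + bytes([ELFCLASS64, 1, 1, 0]) + b"\x00" * 8
    hdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 0xB7, 1, 0, phoff, 0, 0,
                      64, phentsize, len(segments), 0, 0, 0)   # 0xB7 = EM_AARCH64
    phdrs, payloads, off = b"", b"", phoff + phentsize * len(segments)
    for p_type, paddr, payload, memsz in segments:
        phdrs += struct.pack("<IIQQQQQQ", p_type, 5, off, paddr, paddr, len(payload), memsz, 0x1000)
        payloads += payload
        off += len(payload)
    return hdr + phdrs + payloads


# Constructed input: two nearby loader segments with a 16-byte gap, a note, and a far-away segment.
SAMPLE_SEGMENTS = [
    (PT_LOAD, 0x14015000, b"A" * 16, 16),
    (PT_LOAD, 0x14015020, b"B" * 8, 8),
    (PT_NOTE, 0x00000000, b"N" * 4, 4),
    (PT_LOAD, 0x85E35000, b"C" * 4, 4),
]

if __name__ == "__main__":
    elf = build_sample_elf64(SAMPLE_SEGMENTS)
    for start, end in load_ranges(elf):
        print("%08x - %08x" % (start, end))
    base, image = flatten(elf, 0x14015000, 0x14016000)
    print("flattened %d bytes at load address %08x" % (len(image), base))
```

Running it lists the three PT_LOAD ranges and produces a 40-byte image at 14015000: the 16 bytes of the first segment, 16 zero bytes for the gap, then the 8 bytes of the second; the segment at 85e35000 is outside the requested range and is left out, just as the six-program extraction above ignores the later programs.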

ABL Files

ABL files have only three programs. The third program is an embedded UEFI file system. It contains an LZMA chunk which has further UEFI structure. All we're interested in is the executable part of the uncompressed LZMA chunk. In most cases Secure Boot is enabled, so there is no possibility of modifying the image and putting it back together. Mostly we're looking in ABL to see if there are hidden or missing fastboot commands. flatten in this case just extracts the single block of executable code without any of the MZ or PE headers.

C:\>flatten abl out

Since there is no explicit load address, you can just disassemble it with a fictitious load address of zero.

Download the executable.