Mach-O symbol stubs (IOS) - ios

I am trying to understand how Mach-o files work, and have made a good deal of progress with the online resources available (In particular, the Apple page here: http://developer.apple.com/library/mac/#documentation/developertools/conceptual/MachORuntime/Reference/reference.html), but I have hit a roadblock on understanding how symbol stubs work.
Using "otool -l" I see the following section:
Section
sectname __symbolstub1
segname __TEXT
addr 0x00005fc0
size 0x00000040
offset 20416
align 2^2 (4)
reloff 0
nreloc 0
flags 0x80000408
However when I look at the data from the binary file in a hex editor I see the following 4 bytes repeated again and again:
00005FC0 38 F0 9F E5 38 F0 9F E5 38 F0 9F E5 38 F0 9F E5 88
00005FD0 38 F0 9F E5 38 F0 9F E5 38 F0 9F E5 38 F0 9F E5 88
00005FE0 38 F0 9F E5 38 F0 9F E5 38 F0 9F E5 38 F0 9F E5 88
00005FF0 38 F0 9F E5 38 F0 9F E5 38 F0 9F E5 38 F0 9F E5 88
This looks something like a LDR which increases the PC by a fixed amount, but I don't see why the amount is the same for each entry in the symbol table.
If someone can shed light on why this is so, or provide any resources that get this low level, please let me know.
Thanks!

I will describe the situation with the current iOS, it's somewhat different in the old versions.
The symbol stubs indeed load into the PC a function pointer. For the standard "lazy" (on-demand) imports, the pointer resides in the __lazy_symbol section and initially points to a helper routine in the __stub_helper section, e.g.:
__symbolstub1 _AudioServicesAddSystemSoundCompletion
__symbolstub1 LDR PC, _AudioServicesAddSystemSoundCompletion$lazy_ptr
__symbolstub1 ; End of function _AudioServicesAddSystemSoundCompletion
__lazy_symbol _AudioServicesAddSystemSoundCompletion$lazy_ptr DCD _AudioServicesAddSystemSoundCompletion$stubHelper
__stub_helper _AudioServicesAddSystemSoundCompletion$stubHelper
__stub_helper LDR R12, =nnn ; symbol info offset in the lazy bind table
__stub_helper B dyld_stub_binding_helper
The function dyld_stub_binding_helper is the fist one in the __stub_helper section and essentially is just a trampoline to the dyld_stub_binder function in dyld, passing to it what I call "symbol info offset" value. That value is an offset inside the lazy binding info stream (pointed to by the LC_DYLD_INFO or LC_DYLD_INFO_ONLY load command), which is a sort of bytecode stream with commands for dyld. Typical sequence for a lazy import looks like this:
72: BIND_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB(M, 0xYYYYY)
19: BIND_OPCODE_SET_DYLIB_ORDINAL_IMM(NNNN)
40: BIND_OPCODE_SET_SYMBOL_TRAILING_FLAGS_IMM(0x00, '_AudioServicesAddSystemSoundCompletion')
90: BIND_OPCODE_DO_BIND()
here dyld would do the following:
look up function named '_AudioServicesAddSystemSoundCompletion' from
a dylib number NNNN in the list of dylibs listed in the load
commands.
look up the executable's segment number M (most likely __DATA)
write the function pointer at the offset YYYYY.
jump to the looked up address so that the actual function does its job
The address written to happens to be the _AudioServicesAddSystemSoundCompletion$lazy_ptr slot. So, the next time the _AudioServicesAddSystemSoundCompletion is called, it will jump directly to the imported function, without going via dyld.
N.B.: you should not look at the offset 05fc0 in the file right away. The addr field is the virtual address, you should look up the containing segment command and see at what VA it starts and what is its file offset, then do the math. Usually the __TEXT segment starts at 1000.
However, the actual symbol stubs do look like you pasted, probably you have a fat mach-o with the fat header taking the first 1000 bytes, so the offsets line up.

Related

Finding guid in onenote onetoc2 binary file

According to the documentation provided by Microsoft the header structure of the oncetoc2 must be at the beginning of the file and must have the value
{43FF2FA1-EFD9-4C76-9EE2-10EA5722765F}
Characters Stripped
43FF2FA1EFD94C769EE210EA5722765F
Looking through the file with a hex editor I am unable to find a match for this string, nor can I find it after stripping all the characters and flipping the string. (Endianess?)
F5672275AE012EE967C49DFE1AF2FF34
Then I attempted to find a match with the hex equivalents of the string,
7b34334646324641312d454644392d344337362d394545322d3130454135373232373635467d
This can not be right, as it is much over 16 bytes.
I have been staring at this for a while and can't see what I am missing here. Not finding a pattern match with search tools.
What am I not doing right ?
OneNote onteoc2 file structure:
https://msdn.microsoft.com/en-us/library/dd906213(v=office.12).aspx
Interesting question. I just had a look at the doc, being completely perplexed by it last time.
Here's what seems to be going on.
The first 16 bytes of the fileA1 2F FF 43 D9 EF 76 4C 9E E2 10 EA 57 22 76 5FLets break it down like this A1 2F FF 43                    flip it 43 FF 2F A1D9 EF                               flip it EF D976 4C                               flip it 4C 76
9E E2                       dont flip it 9E E210 EA 57 22 76 5F dont flip it 10 EA 57 22 76 5FAnd we get{43F2FA1-EFD9-4C76-9EE2-10EA5722765F}
If you take bytes 48 to 633F DD 9A 10 1B 91 F5 49 A5 D0 17 91 ED C8 AE D8And apply the same formula we get{109ADD3F-911B-49F5-A5D0-1791EDC8AED8} - guidFileFormat (16 bytes)I hope this helps.

Ruby Write Hex String To Binary File By Keeping Hex Values

I want to generate random bytes in Ruby, but I also want to insert some constant values into specific positions of the random bytes.
random_hex_string = SecureRandom.hex (length)
random_hex_string.insert(0,"0102")
random_hex_string.insert(30*1,"36")
So I generate random hex bytes and insert my hex values there. The problem is that I have now a string not a byte array. So when I print it:
File.open("file.txt", 'w+b') do |f|
f.write(random_hex_string)
It - not surprisingly - converts the hex string into binary then writes it. So my hex values are not kept. To be more clear, when I write my hex string to the file, and then I want to see the same hex values when I hex dump the file. How can I do this?
You can turn it into a single element array and pack it as hex. For instance, when I run your code:
require 'securerandom'
length = 2 ** 6
random_hex_string = SecureRandom.hex (length)
random_hex_string.insert(0,"0102")
random_hex_string.insert(30*1,"36")
puts random_hex_string
File.open("file.txt", 'w+b') do |file|
file.write([random_hex_string].pack('H*')) # see also 'h'
end
I get the output
010299e84e9e4541d08cb800462b6f36a87ff118d6291368e96e8907598a2dfd4090658fea1dab6ed460ab512ddc54522329f6b4ddd287e4302ef603ce60e85e631591
and then running
$ hexdump file.txt
0000000 01 02 99 e8 4e 9e 45 41 d0 8c b8 00 46 2b 6f 36
0000010 a8 7f f1 18 d6 29 13 68 e9 6e 89 07 59 8a 2d fd
0000020 40 90 65 8f ea 1d ab 6e d4 60 ab 51 2d dc 54 52
0000030 23 29 f6 b4 dd d2 87 e4 30 2e f6 03 ce 60 e8 5e
0000040 63 15 91
0000043
Unless, I'm mistaken, it matches up perfectly with the output from the script.
I've never messed with Array#pack before, and haven't done much with hex, but this seems to be giving the results you require, so should be a step in the right direction at least.
Why ask for hex when you don't actually want hex? Just do this:
random_bytes = SecureRandom.random_bytes(length)
random_bytes.insert(0, "\x01\x02")
random_bytes.insert(15, "\x36")

Unable to identify string encoding from barcode

I am tasked with decoding data stored on a Aztec barcode using an iOS device. I have access to the code that assembles the string sent to the barcode printer, but the printing itself is a black box.
As I step through the process, I can see that the string sent to the printer looks like this (note that other than the first 8 characters this is a encrypted string):
_36_30_30_30_30_34_7c_5d_49_0b_ea_f7_93_ba_89_d2_c6_c2_41_2a_d7_1c_49_8c_6d_4b_5c_07_5a_ca_7a_6a_c6_d5_d0_6c_f7_20_76_5b_e0_18_46_93_7e_2a_30_0d_14_3a_1a_e5_66_7c_05_f9_df_96_8a_f1_45_a5_4a_6e_2f_89_3f_f0_93_1f_bc_3e_77_5b_27_0c_58_df_55_37_4c_ae_8a_e7_c3_c6_16_5b_57_db_7c_2d_2c_8b_1c_e3_a4_44_1b_c4_ba_6a_c6_98_93_ae_2d_20_6e_9f_e8_0f_eb_bc_9f_2e_8a_e7_cf_da_22_96_e1_74_de_b2_f0_29_ec_b1_c1_75_43_1f_b2_e5_1f_a5_f6_06_3e_97_a1_a1_93_f4_51_4a_c4_14_9f_1a_c2_5b_ba_02_45_44_2b_b3_c2_5b_ba_02_45_44_2b_b3_c2_5b_ba_02_45_44_2b_b3_c2_5b_ba_02_45_44_2b_b3_c2_5b_ba_02_45_44_2b_b3_c2_5b_ba_02_45_44_2b_b3_06_0b_12_75_85_8b_07_fb
And the printed barcode looks like this:
However, when I use a generic iOS barcode reader to read it back (I've tried a few), I get the following:
600004|]I�ê÷ºÒÆÂA*×�ImK\�ZÊzjÆÕÐl÷ v[à�F~*0
�:�åf|�ùßñE¥Jn/?ð�¼>w['�XßU7L®çÃÆ�[WÛ|-,�ã¤D�ĺjÆ®- nè�PÐk^¡±xOS5·Óþ�ßá×D¢\���¥ö�>¡¡ôQJÄ��Â[º�ED+³Â[º�ED+³Â[º�ED+³Â[º�ED+³Â[º�ED+³Â[º�ED+³���u�û
This bares a resemblance the original string (for example the first few characters). But I have no idea what type of encoding this is, or how to translate it to the hex codes I was expecting to see.
I would love to know:
1) What am I looking at here?
2) How can I convert this string back into the original format?
Note: For clarity, what you refer to as the encrypted string, I will refer to as the hex code, to further differentiate from the random-looking string at the end of your post.
Summary
I believe the encoding you're seeing in the string is a bungled ASCII/ISO-8859-1 encoding. It is omitting some characters, making it impossible to recover your original hex code from that string. After finding a scanner that properly handles the barcode, it turns out the barcode does not match your hex code.
Encoding
Wikipedia says that by default1, byte codes in Aztec are interpreted as ASCII when between 0 and 127, and as ISO-8859-1 when between 128 and 255. So when you substitute the letters and symbols you're getting with the proper hex values from those two encodings, you get the following:
36 30 30 30 30 34 7C 5D 49 EA F7 BA D2 C6 C2 41 2A D7 49 6D 4B 5C 5A CA 7A 6A C6 D5 D0 6C F7 20 76 5B E0 46 7E 2A 30 0A 3A E5 66 7C F9 DF F1 45 A5 4A 6E 2F 3F F0 BC 3E 77 5B 27 58 DF 55 37 4C AE E7 C3 C6 5B 57 DB 7C 2D 2C E3 A4 44 C4 BA 6A C6 AE 2D 20 6E E8 50 D0 6B 5E A1 B1 78 4F 53 35 B7 D3 FE DF E1 D7 44 A2 5C
This is similar to your encrypted hex code, but with some bytes omitted, and the stuff after the bolded E8 byte is different. The omitted bytes are all from the 00 - 1F and 80 - 9F ranges. The 00 - 1F range in ASCII are control codes, most of which are rarely used and not well supported by many applications. The other range is undefined in ISO-8859-12. So any application trying to interpret these bytes as ASCII/ISO-8859-1 strings may result in unpredictable behaviour.
If you remove bytes from these ranges in your encrypted hex code, you get essentially3 the same thing I got, up to the E8 byte. The byte you have after E8 is 0F. I've never heard of this control code before, but apparently it's called "Shift In" and its function is to "Return to regular character set after Shift Out." Since we're already having trouble with character sets, I can only assume that this control code is responsible for the interpretation errors after the E8 byte.
Edit: One of your recent edits modified the string, and it now contains a few of these characters: �. This is Unicode's replacement character, a character that often replaces others when there is character encoding issues, or a process has trouble interpreting a particular character. In this case, it is replacing many bytes from the 00 - 1F range, which are the ASCII controls. It remains impossible to recover. The 80 - 9F range is still omitted.
A better barcode reader
In order to properly interpret the barcode, you'll need a reader that does not interpret the hex code as encoded strings, but as a byte stream. At the very least, you need a reader that will still preserve the 00 - 1F and 80 - 9F ranges.
One such reader that I've found is NeoReader. It is entirely possible you've already tried it, but copy-pasting can cause errors with these special code ranges.
I scanned the code with it on an iOS 7 device, then hit the "Copy to Clipboard" button that the app provides. Then, I pasted the string at the top of this converter and hit convert. I usually use this converter for Unicode stuff, but other dedicated text to hex converters I found were not able to handle the string and its special codes. If you scroll down to the "Hexadecimal code points," you should be able to see the needed hexadecimal codes, though they are prefixed with an extra 004.
The string it produces (though take it with a grain of salt, I had some copy paste-errors and it appears the special controls were removed upon posting it):
600004|]I ê÷ºÒÆÂA*×ImK\ZÊzjÆÕÐl÷ v[àF~*0
:åf|ùßñE¥Jn/?ð¼>w[' XßU7L®çÃÆ[WÛ|-,ã¤DĺjÆ®- nèPÐk^¡±xOS5·Óþßá×D¢\¥ö>¡¡ôQJÄÂ[ºED+³Â[ºED+³Â[ºED+³Â[ºED+³Â[ºED+³Â[ºED+³ uû
Hex code comparison (differences are marked by < >):
Your hex code: 36 30 30 30 30 34 7C 5D 49 0B EA F7 93 BA 89 D2 C6 C2 41 2A D7 1C 49 8C 6D 4B 5C 07 5A CA 7A 6A C6 D5 D0 6C F7 20 76 5B E0 18 46 93 7E 2A 30 <0D> 14 3A 1A E5 66 7C 05 F9 DF 96 8A F1 45 A5 4A 6E 2F 89 3F F0 93 1F BC 3E 77 5B 27 0C 58 DF 55 37 4C AE 8A E7 C3 C6 16 5B 57 DB 7C 2D 2C 8B 1C E3 A4 44 1B C4 BA 6A C6 98 93 AE 2D 20 6E 9F E8 0F <EB BC 9F 2E 8A E7 CF DA 22 96 E1 74 DE B2 F0 29 EC B1 C1 75 43 1F B2 E5> 1F A5 F6 06 3E 97 A1 A1 93 F4 51 4A C4 14 9F 1A C2 5B BA 02 45 44 2B B3 C2 5B BA 02 45 44 2B B3 C2 5B BA 02 45 44 2B B3 C2 5B BA 02 45 44 2B B3 C2 5B BA 02 45 44 2B B3 C2 5B BA 02 45 44 2B B3 06 0B 12 75 85 8B 07 FB
NeoReader string: 36 30 30 30 30 34 7C 5D 49 0B EA F7 93 BA 89 D2 C6 C2 41 2A D7 1C 49 8C 6D 4B 5C 07 5A CA 7A 6A C6 D5 D0 6C F7 20 76 5B E0 18 46 93 7E 2A 30 <0A> 14 3A 1A E5 66 7C 05 F9 DF 96 8A F1 45 A5 4A 6E 2F 89 3F F0 93 1F BC 3E 77 5B 27 0C 58 DF 55 37 4C AE 8A E7 C3 C6 16 5B 57 DB 7C 2D 2C 8B 1C E3 A4 44 1B C4 BA 6A C6 98 93 AE 2D 20 6E 9F E8 0F <81 50 D0 6B 5E A1 B1 78 4F 53 35 B7 D3 FE 1F DF E1 90 D7 44 A2 5C 00 19> 1F A5 F6 06 3E 97 A1 A1 93 F4 51 4A C4 14 9F 1A C2 5B BA 02 45 44 2B B3 C2 5B BA 02 45 44 2B B3 C2 5B BA 02 45 44 2B B3 C2 5B BA 02 45 44 2B B3 C2 5B BA 02 45 44 2B B3 C2 5B BA 02 45 44 2B B3 06 0B 12 75 85 8B 07 FB
The difference explained
It turns out, that the barcode does not actually match your hex code. Where our two codes diverge, at that 0F byte, the barcode actually follows what NeoReader suggests. This is shown in the image below, which is zoomed in on the bottom-right quadrant of the barcode (the blue lines indicate parts that do not encode data, they are to help orient the scanner).
I managed to manually5 decode that section of barcode, with help from this video tutorial. Your barcode, however, does not use the string encoding method shown there, as it uses a binary shift escape to work with 8-bit values. From there I believe the one 0A <-> 0D difference is due to a copy paste error on my part.
Unfortunately, since the printer is a black box to you, it does not appear as though you can fix this problem yourself.
Footnotes
I could not find an Aztec Code specification, but the behaviour seems to be relatively consistent with the default.
ISO-8859-1 is essentially a superset of ASCII, but it technically leaves the ASCII control code range undefined. This is usually ignored in practice.
The only difference is the italicized 0A character I have, which is a new line character. Your string has 0D, another new line character. Different systems handle new lines differently, and its not uncommon for them to automatically change the new line characters. Unlike most other ASCII control codes, new line characters are usually well supported.
The reason for this is complicated. Glossing over a few details, I believe that upon hitting the convert button, it is first converted to UTF-16 (Javascript's native string encoding). The byte values for the ASCII/ISO-8859-1 characters are the same in UTF-16. However, UTF-16 is a 16-bit encoding rather than an 8-bit encoding, hence, the extra 00.
That was painful.
First of all, I've tried the following online barcode reader:
intbusoft : server error
onlinebarcodereader : no code found
datasymbol : code different from yours
pqscan : no code found
zxing : code longer than your.
This makes me think that your bar-code may be not so well construct...
Here's your output:
600004|]Iê÷ºÒÆÂA*×ImK\ZÊzjÆÕÐl÷ v[àF~*0
:åf|ùßñE¥Jn/?ð¼>w['XßU7L®çÃÆ[WÛ|-,ã¤DĺjÆ®- nèPÐk^¡±xOS5·Óþßá×D¢\
and here's the one from zxing:
600004|]I�ê÷ºÒÆÂA*×�ImK\�ZÊzjÆÕÐl÷ v[à�F~*0
�:�åf|�ùßñE¥Jn/?ð�¼>w['�XßU7L®çÃÆ�[WÛ|-,�ã¤D�ĺjÆ®- nè�PÐk^¡±xOS5·Óþ�ßá×D¢\���¥ö�>¡¡ôQJÄ��Â[º�ED+³Â[º�ED+³Â[º�ED+³Â[º�ED+³Â[º�ED+³Â[º�ED+³���u�û
(maybe this difference is due to a copy/paste manipulation on your side)
This is the matching that I was able to find:
6 0 0 0 0 4 | ] I � ê ÷ º Ò Æ Â
36 30 30 30 30 34 7c 5d 49 0b ea f7 93 ba 89 d2 c6 c2
A * × � I m K \ � Z Ê z j Æ Õ Ð l
41 2a d7 1c 49 8c 6d 4b 5c 07 5a ca 7a 6a c6 d5 d0 6c
÷ v [ à � F ~ * 0 � : � å f |
f7 20 76 5b e0 18 46 93 7e 2a 30 0d 14 3a 1a e5 66 7c
� ù ß ñ E ¥ J n / ? ð � ¼ >
05 f9 df 96 8a f1 45 a5 4a 6e 2f 89 3f f0 93 1f bc 3e
w [ ' � X ß U 7 L ® ç Ã Æ � [ W Û
77 5b 27 0c 58 df 55 37 4c ae 8a e7 c3 c6 16 5b 57 db
| - , � ã ¤ D � Ä º j Æ ® -
7c 2d 2c 8b 1c e3 a4 44 1b c4 ba 6a c6 98 93 ae 2d 20
n è � P
6e 9f e8 0f eb
And this seems to be some Unicode UCS-2 encoding.
After this, I can't explain the difference between output and expected hexadecimal values

What is this most likely if not Lua bytecode?

I considered posting this in reverse engineering but because of the brevity of the question and general irrelevance I decided to post it here.
This may be a really easy question but I haven't been able to find an answer - I should probably read a bit of Lua's source before asking this, but here goes: in a program that has integrated Lua, this is the first few bytes of the buffer being executed:
11 16 A5 F1 9E A8 8B 64 78 8E 2F EA 1C 31 D3 B6 D3 D5 77 23 77 79 1B 73
I've never understood Lua very well, but that doesn't look like byte code. Is there anything else it could be or is it just certainly something custom? I'm pretty sure actual Lua opcodes haven't been modified.
if possible put whole file somewhere. Lua bytecode usualy starts with 1B 4C 75 61 and then some debug infos however there are zeros for spliting of the informations which your sample doesnt have
other way is asking on http://forum.xentax.com/
Put this into a file and try running luac -l filename on it. This will disassemble the binary to the VM instructions.
If it is Lua code you'll get some meaningful output.

I9300 sboot.bin 256-Byte signatures, or checksum?

Some time ago I started trying to mod my Samsung Galaxy S3 (International edition (I9300)), and I ended up with the Bootlogo, this is the FIRST image that you see when you turn on the Galaxy S3. I wanted to change it, as it is quite easy on other devices.
This is where I ran into troubles, I asked around on XDA-developes [link 1] (http://forum.xda-developers.com/galaxy-s3/help/removal-bootlogo-t2662444) and [link 2] (http://forum.xda-developers.com/showthread.php?t=2317694) but most of the answers led me nowhere. I ended up with the sboot.bin which is the secondary boot program (I guess this is how you can call it). To open it was quite difficult for a noob like me, but with hexadecimal editor HxD I opened it and actually found the bootlogo! (I copied the bytes into a jpg and it showed up normally.) I changed the bytes with another jpg image I made myself, and tried to flash it to the phone, but it failed. everything I tried afterwards failed, and I wondered why.
I downloaded a couple of sboot.bin for the i9300, but different countries, and I compared the hex code. There seemed to be subtle changes: one was in the compile date and serie nr. And there rest was a jumble of random character 256 bytes long.
I found that there are 4 sequences of 256 bytes long throughout the sboot.bin. An example of one:
EA E9 0C 62 B0 E0 68 86 5A 7B BD CA 50 3D 21 02
17 2C AC 10 09 49 62 E1 DA EB F4 94 B6 74 68 15
E6 90 2F CA 2F 75 67 C6 34 AE A3 A0 8F BC 60 62
63 87 8C C4 6C 8A 39 AA 7C 8A C7 E1 14 A3 C1 37
51 43 85 C0 09 97 05 AF 32 86 32 8C 58 7D C1 8F
91 A1 5E F1 9F D7 24 DF 08 82 1B AD FA C7 72 24
BC 35 34 6F 0F 42 C9 4E 7F AB FC 72 BC 64 71 84
DC 30 BB D5 AD D4 DE 01 9A E9 FB AA 1F 69 6F 52
3D E9 2A 52 6B 7E 9B 79 DE BD 7C 55 31 51 D6 99
BE 74 4F 22 6F 23 2F BF 7A 81 EF 5B 20 BF 75 03
D3 84 61 37 81 50 ED 71 66 4F 3D 34 0E 5A 33 4D
86 E2 E7 D0 8F 2B 48 5E 85 B5 E6 3F 56 51 70 74
CE 87 52 2D 47 D0 39 F6 CD 50 EE 76 F4 8E 79 7C
90 CF 4C 07 D5 47 AF 86 3D 33 3B A1 2A 70 74 4F
D1 60 9F 9E 28 96 C9 6E 9D DA 12 CB E1 8C 5B A5
CA AC 84 E2 26 1E 6F FD 4E EE B8 53 6E 7B 30 19
Maybe because it is helpful: one block is somewhat in the beginning, one is almost in the end, and the last two are at the real end of the file. So maybe the last two blocks are actually one big 512 byte block...
So I have come as far as to think that it might be a checksum or signature. But I am not sure how to find out what kind it is and how to generate one my self. searching for it hasn't helped me, because I cannot seem to find anything this long (256 bytes) only 256 bits long...
I was wondering if maybe someone could see what kind of siganture/checksum this is (Is this possible?) or how I can find out myself. or what I should do next...
[Edit on 25-08]
Alright, Since nobody has been able to answer the question yet, I was thinking of offering an incentive. I am willing to pay 1000 USD to whoever can help me alter the BOOTLOGO of the I9300!!!
Frank
Bootlogo is in the tar package /PARAMS and is called as logo.jpg, it should be writable via adb shell in twrp with this command:
cat /dev/block/platform/sdio_mmc/by-name/PARAMS > /sdcard/PARAMS.tar
Please note that PARAMS partition has stored SBOOT params at the end of the file. Just count 512 bytes from the last one, this is the last param, 512 bytes above is the next, until end of tar package.
Seems to be a checksum, though I cant be sure. One thing is certain, you've gone extremely deep in stuff. It could help to ask the guys at samsung, or somebody with great knowledge of kernels.
The first and second bootloader are signed.
A first bootloader that don't check the signatures of the second bootloader exist, so if you install that, you can then use u-boot as second bootloader.
See https://blog.forkwhiletrue.me/posts/an-almost-fully-libre-galaxy-s3/ for more details.

Resources