Revision as of 11:08, 19 August 2008
Disassembling with GNU/GPL tools
The GNU/GPL tools are not made for analysing alien binary dumps, because we usually have the source code when we need to debug. This is not really a replacement for IDA, but for me it was sufficient.
Installing the software is not explained in this tutorial.
Prerequisites:
- You have a raw binary firmware dump to look at. I'll use "dump.bin" here.
- You have set up an arm-gcc/binutils toolchain. (Get it from GNUARM.org, for example http://www.gnuarm.com/bu-2.15_gcc-3.4.3-c-c++-java_nl-1.12.0_gi-6.1.tar.bz2)
In this toolbox we have (the prefix depends on the toolchain's target triplet; the two names in each row are the same tool):
- arm-elf-objcopy or arm-linux-gnu-objcopy
- arm-elf-objdump or arm-linux-gnu-objdump
Here we go:
  strings -t x dump.bin > dump.strings
  hexdump -C dump.bin > dump.hex
  arm-linux-gnu-objdump -m arm -b binary -D dump.bin > dump.dis
However, there's a problem: all three files count from offset 0x00, i.e. from the start of the file, while the firmware actually runs at its load address (0xff810000 for this dump), so none of the printed numbers match the addresses the code itself uses. Here comes my renumber.pl script, which adds the load address to every offset:
  strings -t x dump.bin | ./renumber.pl 0xff810000 > dump.strings
  hexdump -C dump.bin | ./renumber.pl 0xff810000 > dump.hex
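The renumbering step, as an added example in Python rather than the page's own renumber.pl (which is not reproduced here and may work differently): it shifts the leading offset of each `strings -t x` or `hexdump -C` line by the load address and passes other lines (hexdump's "*" rows) through unchanged. The sample lines inside it are constructed for the example, not taken from a real dump.

```python
#!/usr/bin/env python3
"""Rebase the file offsets printed by `strings -t x` and `hexdump -C`.

Added example, not the page's renumber.pl: a Python stand-in with the same
calling convention, `... | renumber.py 0xff810000`, reading stdin.
"""
import re
import sys

# Both tools print a hex file offset first: `strings -t x` right-aligns it in a
# 7-character field ("  1b3c4 KerTask.c"), `hexdump -C` zero-pads it to 8 digits
# ("00000010  e5 90 ..."), prints a bare "*" for squeezed duplicate rows and ends
# with a line holding only the file length.
OFFSET_RE = re.compile(r"^(\s*)([0-9a-fA-F]+)(?=\s|$)")


def renumber_line(line, base):
    """Return `line` with its leading hex offset shifted by `base`.

    Lines without a leading offset (hexdump's "*") come back unchanged.
    The field keeps its zero padding and is never narrower than before, so
    the columns still line up.
    """
    m = OFFSET_RE.match(line)
    if not m:
        return line
    indent, digits = m.group(1), m.group(2)
    addr = int(digits, 16) + base
    zero_padded = len(digits) > 1 and digits[0] == "0"
    field = f"{addr:0{len(digits)}x}" if zero_padded else f"{addr:x}"
    return field.rjust(len(indent) + len(digits)) + line[m.end():]


def renumber(lines, base):
    """Rebase every line of a captured `strings -t x` or `hexdump -C` listing."""
    return [renumber_line(line, base) for line in lines]


# Constructed sample input (not real firmware data) for a quick self-check.
SAMPLE_STRINGS = ["  1b3c4 KerTask.c", "  1b3ce strcpy"]
SAMPLE_HEXDUMP = [
    "00000000  14 02 81 ff 00 00 00 00  00 00 00 00 00 00 00 00  |........|",
    "*",
    "00000040",
]


def main(argv):
    if len(argv) != 2:
        sys.exit("usage: strings -t x dump.bin | renumber.py 0xff810000")
    base = int(argv[1], 16)
    for line in sys.stdin:
        sys.stdout.write(renumber_line(line.rstrip("\n"), base) + "\n")


if __name__ == "__main__":
    main(sys.argv)
```

Run it exactly like the Perl script: `strings -t x dump.bin | ./renumber.py 0xff810000 > dump.strings`. Because only the leading field is touched, the `|....|` ASCII column of hexdump and the string text of `strings` are left byte for byte as the tools printed them.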
Before we disassemble the dump, we pack it into ELF format. This is good meat for feeding gdb and the IDA demo version ;)
  arm-linux-gnu-objcopy --change-addresses=0xff810000 -I binary -O elf32-littlearm -B arm dump.bin dump.elf
  arm-linux-gnu-objcopy --set-section-flags .data=code dump.elf
The first command wraps the raw bytes in a single .data section and shifts its address from 0 to the load address; the second marks that section as code so that objdump -d will disassemble it. Note that --set-section-flags replaces the section's whole flag set, so if a tool later complains that the section is not allocated or loadable, spell it .data=alloc,load,readonly,code instead.
Verify the ELF file (the .data section should now start at VMA ff810000 and carry the CODE flag):
  arm-linux-gnu-objdump -x dump.elf
Disassemble:
  arm-linux-gnu-objdump -d dump.elf > dump.dis
So finally we have three ASCII files to stare at:
- dump.dis
- dump.strings
- dump.hex
and
- dump.elf for gdb and qemu
Putting it all together
Meanwhile I have written a Perl script, GPL:disassemble.pl, which does all of these steps. It also looks up references (the targets of pc-relative loads and address calculations, as in the example below) and adds them as comments to the disassembly output.
  disassemble.pl 0xff810000 dump.bin
e.g. output:
  FUNC(ExitTask, 0xff81be48):
  ff81be48: e51f0070 ldr r0, [pc, #-112] ; ff81bde0: (ff810214)
  ff81be4c: e92d4010 stmdb sp!, {r4, lr}
  ff81be50: e5900000 ldr r0, [r0]
  ff81be54: e5900000 ldr r0, [r0]
  ff81be58: e3500000 cmp r0, #0 ; 0x0
  ff81be5c: c59f1028 ldrgt r1, [pc, #40] ; ff81be8c: (00000219)
  ff81be60: c24f0084 subgt r0, pc, #132 ; ff81bde4: (5472654b) *"KerTask.c"
  ff81be64: cb000089 blgt ff81c090 <DebugAssert +556>
Another way to create an ELF file with symbols from CHDK's stub files is described in the forum: http://chdk.setepontos.com/index.php/topic,1918.msg20065.html#msg20065 . This one is very good for gdb ;)
Next lesson: run the dump in Qemu