Technology
 

Loading dump to IDA

From CHDK Wiki

This article describes the initial procedure of loading a dump to IDA disassembler.

Contents

[edit] Preparing

It is assumed that you have IDA (Interactive Disassembler) installed on your machine.

To semi-automate initial stage you need to download and install FLIRT-signatures and IDC-scripts. You can get them here and also here.

  • Note for DryOS cameras:
Since the original CHDK.idc script does not run all sub scripts correctly, there's a modified versions of the IDC scripts: IDA_CHDK-idc-DryOS-singlerun.7z. The main script (CHDK.idc) runs all other scripts automatically, manual definition of the ROM_START address is not required anymore (MinEA() used instead).

Copy file "sig/CanonFW_A-Series.sig" from the archive to "<PATH_of_IDA_installed>/sig/arm/". Unpack the IDC folder to whatever you want.

[edit] Running of IDA

Start IDA application. Upon IDA loaded create a new database. You can do it by pressing NEW button on 'Welcome' window. Or through menu: 'File->New...'. Choose the dump file ('PRIMARY.BIN') to load.

Image:IDA_01OpenIDA.png


Choose 'Binary/Raw File' format under 'Various files' tab.

Image:IDA_02New.png


'Loading Wizard' will appear. Leave the 'Analysis options' unchecked.

Note: While attempting to port a camera using IDA 5.2, I have found that I have to check this option in order to get a good listing. (Mariush 20:25, 14 February 2009 (UTC))

Image:IDA_03Wizard_01.png


Choose 'ARM processor ARM' as target platform.

Image:IDA_04Wizard_02.png


Leave the 'Start analysis now' checked. Press 'Finish' button.

Image:IDA_05Wizard_03.png


You have to specify the correct 'ROM start address' and 'Loading address'. They are equal and depends on the model of camera. For A-series it is 0xFFC00000, for S-, SD-, and G- series - 0xFF810000. The loaded size must such that 'start address' + 'size' < 232, and the total size should be a multiple of 4. So for a camera that loads at 0xFFC00000, size should be 0x3FFFFC, not 0x400000 (C rather than F so the final address is 32 bit aligned.) If your dump is shorter, just use whatever size IDA defaults to.

ATTENTION: For DryOS Cameras you have to use the sizes & startadresses specified here: DryOS Porting - Load into IDA and Disassemble code

Image:IDA_06Address.png


Wait a while until IDA loaded the file.

Image:IDA_07AfterLoad.png


Click on 'Open signatures window' tool-button. Or press 'Shift+F5'.

Image:IDA_08OpenFLIRT.png


In window appeared click right mouse button and choose 'Apply new signature...' menu item.

Image:IDA_09AddFLIRT.png


IDA will show the list of signature files are available for current processor. If you correctly installed the signatures file, as described in the preparing section, you will see "CanonFW_A-Series Firmware" item. Choose it.

Image:IDA_10ChooseFLIRT.png


After a short analysis you will see the number of functions recognized. Then, you can close the window.

Image:IDA_11AppliedFLIRT.png


Click on 'Execute an IDC file' tool-button. Then choose the 'CHDK.idc' file saved in the preparing section.

Image:IDA_12LoadIDC.png


The script will run. It can take several minutes to complete. Please do not interrupt the IDA untill it finished.

Image:IDA_13WaitForFinish.png


Now, the initial disassemling stage is completed. You can browse the code.

Image:IDA_14Finish.png

[edit] Extended IDA debug scripts

There exist a number of IDC scripts to ease the code analysis (useful when you start hating these sub_DEADBEAF ;-)

The latest versions could be checked out from SVN or taken directly from http://tools.assembla.com/chdk/browser/trunk/tools/idc-scripts

[edit] scan-lib.idc

Helper methods. You have to change 

 #define ROM_START   0xFF810000

to your f/w start address for all the scripts could work fine.

[edit] scan-event-procedures.idc

Prerequisite: A set of RegisterEventProcedure API should be found and named: RegisterEventProcedure, RegisterEventProcedureTable, ExportEventProcedure, RegisterEventProcedureNN, etc. Searches for the event procedures registration points and renames all subs to form eventproc_ or eventproc_export_ Note: some of the event procedure tables are stored in RAM, so to find more you have to load a RAM dump from you camera.

[edit] scan-event-procedures-list.idc

Prerequisite: scan-event-procedures.idc Walks through the f/w and collects all the eventproc names. Generates stubs_entry_ida.S.

[edit] scan-swinv.idc

Fixes some strange IDA ideas (where it thinks the data to be a code)

[edit] scan-symbol-info.idc

Prerequisite: DebugAssert name should be available Adds to the sub_xxxx names a meaningful part, basing this part on assert information: _sub_FF8145D0__SystemTime_c__156 Meaning its a some SUB in the SystemTime.c file at line 156. Renames ~2000 subs and makes it easier to orient in the code.

[edit] scan-tasks.idc

Prerequisite: CreateTask, CreateTaskStrictly should be available, CreateMessageQueue is optional Searches code for all tasks creation and renames task subs into task_Name. Also renames the task creation sub into taskcreate_Name. Then tries to search for the task-related message queues and rename them also.

[edit] resolve-tasks.idc

Prerequisite: *scan-tasks.idc* Helps to understand which tasks calls the function under the cursor. Adds to the function comment all the tasks it'll find via up-recursive reference walk.

[edit] Notes

  • By default, IDA will display some sequences of instructions as a macro, for example: 
    MOVL    R3, 0x820A
movl is not actually an ARM instruction, and is not supported by all toolchains. Instead, it is actually a user friendly way of displaying: 
    MOV     R3, #0x8200
    ADD     R3, R3, #0xA
To switch between the two methods, go to options -> general -> analysis -> processor specific analysis options and check or uncheck 'enable macros'. Note that IDA 5.3 displays MOV, not MOVL regardless of whether it is one instruction or two.

[edit] Links

Retrieved from "http://chdk.wikia.com/wiki/Loading_dump_to_IDA"