Loading dump to IDA
From CHDK Wiki
This article describes the initial procedure of loading a dump to IDA disassembler.
Contents |
[edit] Preparing
It is assumed that you have IDA installed on your machine.
To semi-automate initial stage you need to download and install FLIRT-signatures and IDC-scripts. You can get them here. Copy file "sig/CanonFW_A-Series.sig" from the archive to "<PATH_of_IDA_insalled>/sig/arm/". Unpack the idc folder to whatever you want.
[edit] Running of IDA
Start IDA application. Upon IDA loaded create a new database. You can do it by pressing NEW button on 'Welcome' window. Or through menu: 'File->New...'. Choose the dump file ('PRIMARY.BIN') to load.
Choose 'Binary/Raw File' format under 'Various files' tab.
'Loading Wizard' will appear. Leave the 'Analysis options' unchecked.
Choose 'ARM processor ARM' as target platform.
Leave the 'Start analysis now' checked. Press 'Finish' button.
You have to specify the correct 'ROM start address' and 'Loading address'. They are equal and depends on the model of camera. For A-series it is 0xFFC00000, for S-, SD-, and G- series - 0xFF810000.
Wait a while until IDA loaded the file.
Click on 'Open signatures window' tool-button. Or press 'Shift+F5'.
In window appeared click right mouse button and choose 'Apply new signature...' menu item.
IDA will show the list of signature files are available for current processor. If you correctly installed the signatures file, as described in the preparing section, you will see "CanonFW_A-Series Firmware" item. Choose it.
After a short analysis you will see the number of functions recognized. Then, you can close the window.
Click on 'Execute an IDC file' tool-button. Then choose the 'CHDK.idc' file saved in the preparing section.
The script will run. It can take several minutes to complete. Please do not interrupt the IDA untill it finished.
Now, the initial disassemling stage is completed. You can browse the code.
[edit] Extended IDA debug scripts
There exist a number of IDC scripts to ease the code analysis (useful when you start hating these sub_DEADBEAF ;-)
The latest versions could be checked out from SVN or taken directly from http://tools.assembla.com/chdk/browser/trunk/tools/idc-scripts
[edit] scan-lib.idc
Helper methods. You have to change
#define ROM_START 0xFF810000
to your f/w start address for all the scripts could work fine.
[edit] scan-event-procedures.idc
Prerequisite: A set of RegisterEventProcedure API should be found and named: RegisterEventProcedure, RegisterEventProcedureTable, ExportEventProcedure, RegisterEventProcedureNN, etc. Searches for the event procedures registration points and renames all subs to form eventproc_ or eventproc_export_ Note: some of the event procedure tables are stored in RAM, so to find more you have to load a RAM dump from you camera.
[edit] scan-event-procedures-list.idc
Prerequisite: scan-event-procedures.idc Walks through the f/w and collects all the eventproc names. Generates stubs_entry_ida.S.
[edit] scan-swinv.idc
Fixes some strange IDA ideas (where it thinks the data to be a code)
[edit] scan-symbol-info.idc
Prerequisite: DebugAssert name should be available Adds to the sub_xxxx names a meaningful part, basing this part on assert information: _sub_FF8145D0__SystemTime_c__156 Meaning its a some SUB in the SystemTime.c file at line 156. Renames ~2000 subs and makes it easier to orient in the code.
[edit] scan-tasks.idc
Prerequisite: CreateTask, CreateTaskStrictly should be available, CreateMessageQueue is optional Searches code for all tasks creation and renames task subs into task_Name. Also renames the task creation sub into taskcreate_Name. Then tries to search for the task-related message queues and rename them also.
[edit] resolve-tasks.idc
Prerequisite: *scan-tasks.idc* Helps to understand which tasks calls the function under the cursor. Adds to the function comment all the tasks it'll find via up-recursive reference walk.
