Pixeldoc2000 (talk | contribs) m (added link to DryOS_Porting) |
No edit summary |
||
| (23 intermediate revisions by 14 users not shown) | |||
| Line 3: | Line 3: | ||
=== Preparing === |
=== Preparing === |
||
| − | It is assumed that you have IDA installed on your machine. |
+ | It is assumed that you have [http://en.wikipedia.org/wiki/Interactive_Disassembler IDA (Interactive Disassembler)] installed on your machine. |
| − | To semi-automate initial stage you need to download and install FLIRT-signatures and IDC-scripts. You can get them [http:// |
+ | To semi-automate initial stage you need to download and install FLIRT-signatures and IDC-scripts. You can get them [http://code.google.com/p/chdk/downloads/detail?name=CanonFW_A-Series_Signatures_for_IDA.rar&can=2&q= here] and also in the "Development" folder [http://www.tinyurl.com/chdkfiles here]. |
| + | |||
| + | *''Note for DryOS cameras:<br />'' |
||
| + | :''Since the original CHDK.idc script does not run all sub scripts correctly, there's a modified versions of the IDC scripts: [[http://tinyurl.com/chdkfiles IDA_CHDK-idc-DryOS-singlerun.7z]. The main script (<tt>CHDK.idc</tt>) runs all other scripts automatically, manual definition of the ROM_START address is not required anymore (MinEA() used instead).'' |
||
| + | |||
| + | Copy file "sig/CanonFW_A-Series.sig" from the archive to "<PATH_of_IDA_installed>/sig/arm/". Unpack the IDC folder to whatever you want. |
||
=== Running of IDA === |
=== Running of IDA === |
||
| Line 22: | Line 27: | ||
'Loading Wizard' will appear. Leave the 'Analysis options' unchecked. |
'Loading Wizard' will appear. Leave the 'Analysis options' unchecked. |
||
| + | |||
| + | '''Note:''' While attempting to port a camera using IDA 5.2, I have found that I have to check this option in order to get a good listing. ([[User:Mariush|Mariush]] 20:25, 14 February 2009 (UTC)) |
||
:[[Image:IDA_03Wizard_01.png]] |
:[[Image:IDA_03Wizard_01.png]] |
||
---- |
---- |
||
| Line 39: | Line 46: | ||
| − | You have to specify the correct 'ROM start address' and 'Loading address'. |
+ | You have to specify the correct 'ROM start address' and 'Loading address'. The address depends on the camera. Currently known cameras use 0xFF000000, 0xFF810000 or 0xFFC00000. If the firmware was dumped with the ubasic dumper the correct address will be listed in CBDUMPER.LOG. |
| + | |||
| + | The loaded size must such that 'start address' + 'size' < 2<sup>32</sup>, and the total size should be a multiple of 4. So for a camera that loads at 0xFFC00000, size should be 0x3FFFFC, not 0x400000 (C rather than F so the final address is 32 bit aligned.) If your dump is shorter, just use whatever size IDA defaults to. |
||
| + | |||
| + | '''ATTENTION: ''' For DryOS Cameras you have to use the sizes & startadresses specified here: '''[[DryOS_Porting#Load_into_IDA_and_Disassemble_code|DryOS Porting - Load into IDA and Disassemble code ]]''' |
||
:[[Image:IDA_06Address.png]] |
:[[Image:IDA_06Address.png]] |
||
---- |
---- |
||
| Line 96: | Line 107: | ||
http://tools.assembla.com/chdk/browser/trunk/tools/idc-scripts |
http://tools.assembla.com/chdk/browser/trunk/tools/idc-scripts |
||
| − | ==== scan-lib.idc ==== |
+ | ==== scan-lib.idc ==== |
'''Helper methods'''. You have to change |
'''Helper methods'''. You have to change |
||
#define ROM_START 0xFF810000 |
#define ROM_START 0xFF810000 |
||
to your f/w start address for all the scripts could work fine. |
to your f/w start address for all the scripts could work fine. |
||
| − | ==== scan-event-procedures.idc ==== |
+ | ==== scan-event-procedures.idc ==== |
'''Prerequisite''': A set of RegisterEventProcedure API should be found and named: RegisterEventProcedure, RegisterEventProcedureTable, ExportEventProcedure, RegisterEventProcedureNN, etc. |
'''Prerequisite''': A set of RegisterEventProcedure API should be found and named: RegisterEventProcedure, RegisterEventProcedureTable, ExportEventProcedure, RegisterEventProcedureNN, etc. |
||
Searches for the event procedures registration points and renames all subs to form '''eventproc_''' or '''eventproc_export_''' |
Searches for the event procedures registration points and renames all subs to form '''eventproc_''' or '''eventproc_export_''' |
||
'''Note:''' some of the event procedure tables are stored in RAM, so to find more you have to load a RAM dump from you camera. |
'''Note:''' some of the event procedure tables are stored in RAM, so to find more you have to load a RAM dump from you camera. |
||
| − | ==== scan-event-procedures-list.idc ==== |
+ | ==== scan-event-procedures-list.idc ==== |
'''Prerequisite''': scan-event-procedures.idc |
'''Prerequisite''': scan-event-procedures.idc |
||
Walks through the f/w and collects all the eventproc names. Generates '''stubs_entry_ida.S'''. |
Walks through the f/w and collects all the eventproc names. Generates '''stubs_entry_ida.S'''. |
||
| − | ==== scan-swinv.idc ==== |
+ | ==== scan-swinv.idc ==== |
Fixes some strange IDA ideas (where it thinks the data to be a code) |
Fixes some strange IDA ideas (where it thinks the data to be a code) |
||
| − | ==== scan-symbol-info.idc ==== |
+ | ==== scan-symbol-info.idc ==== |
'''Prerequisite''': DebugAssert name should be available |
'''Prerequisite''': DebugAssert name should be available |
||
Adds to the sub_xxxx names a meaningful part, basing this part on assert information: |
Adds to the sub_xxxx names a meaningful part, basing this part on assert information: |
||
| Line 120: | Line 131: | ||
Renames ~2000 subs and makes it easier to orient in the code. |
Renames ~2000 subs and makes it easier to orient in the code. |
||
| − | ==== scan-tasks.idc ==== |
+ | ==== scan-tasks.idc ==== |
'''Prerequisite''': CreateTask, CreateTaskStrictly should be available, CreateMessageQueue is optional |
'''Prerequisite''': CreateTask, CreateTaskStrictly should be available, CreateMessageQueue is optional |
||
Searches code for all tasks creation and renames task subs into '''task_Name'''. Also renames the task creation sub into taskcreate_Name. Then tries to search for the task-related message queues and rename them also. |
Searches code for all tasks creation and renames task subs into '''task_Name'''. Also renames the task creation sub into taskcreate_Name. Then tries to search for the task-related message queues and rename them also. |
||
| − | ==== resolve-tasks.idc ==== |
+ | ==== resolve-tasks.idc ==== |
'''Prerequisite''': *scan-tasks.idc* |
'''Prerequisite''': *scan-tasks.idc* |
||
Helps to understand which tasks calls the function under the cursor. |
Helps to understand which tasks calls the function under the cursor. |
||
Adds to the function comment all the tasks it'll find via up-recursive reference walk. |
Adds to the function comment all the tasks it'll find via up-recursive reference walk. |
||
| + | === Notes === |
||
| + | * By default, IDA will display some sequences of instructions as a macro, for example: |
||
| + | <source lang="asm"> |
||
| + | MOVL R3, 0x820A |
||
| + | </source> |
||
| + | :movl is not actually an ARM instruction, and is not supported by all toolchains. Instead, it is actually a user friendly way of displaying: |
||
| + | <source lang="asm"> |
||
| + | MOV R3, #0x8200 |
||
| + | ADD R3, R3, #0xA |
||
| + | </source> |
||
| + | :To switch between the two methods, go to options -> general -> analysis -> processor specific analysis options and check or uncheck 'enable macros'. Note that IDA 5.3 displays MOV, not MOVL regardless of whether it is one instruction or two. |
||
=== Links === |
=== Links === |
||
*[[DryOS Porting]] |
*[[DryOS Porting]] |
||
| + | *[http://magiclantern.wikia.com/wiki/IDA_tips Magic Lantern - IDA Tips] |
||
| − | |||
[[Category:Development]] |
[[Category:Development]] |
||
| + | [[Category:Porting]] |
||
Latest revision as of 08:21, 6 October 2013
This article describes the initial procedure of loading a dump to IDA disassembler.
Preparing
It is assumed that you have IDA (Interactive Disassembler) installed on your machine.
To semi-automate initial stage you need to download and install FLIRT-signatures and IDC-scripts. You can get them here and also in the "Development" folder here.
- Note for DryOS cameras:
- Since the original CHDK.idc script does not run all sub scripts correctly, there's a modified versions of the IDC scripts: [IDA_CHDK-idc-DryOS-singlerun.7z. The main script (CHDK.idc) runs all other scripts automatically, manual definition of the ROM_START address is not required anymore (MinEA() used instead).
Copy file "sig/CanonFW_A-Series.sig" from the archive to "<PATH_of_IDA_installed>/sig/arm/". Unpack the IDC folder to whatever you want.
Running of IDA
Start IDA application. Upon IDA loaded create a new database. You can do it by pressing NEW button on 'Welcome' window. Or through menu: 'File->New...'. Choose the dump file ('PRIMARY.BIN') to load.
Choose 'Binary/Raw File' format under 'Various files' tab.
'Loading Wizard' will appear. Leave the 'Analysis options' unchecked.
Note: While attempting to port a camera using IDA 5.2, I have found that I have to check this option in order to get a good listing. (Mariush 20:25, 14 February 2009 (UTC))
Choose 'ARM processor ARM' as target platform.
Leave the 'Start analysis now' checked. Press 'Finish' button.
You have to specify the correct 'ROM start address' and 'Loading address'. The address depends on the camera. Currently known cameras use 0xFF000000, 0xFF810000 or 0xFFC00000. If the firmware was dumped with the ubasic dumper the correct address will be listed in CBDUMPER.LOG.
The loaded size must such that 'start address' + 'size' < 232, and the total size should be a multiple of 4. So for a camera that loads at 0xFFC00000, size should be 0x3FFFFC, not 0x400000 (C rather than F so the final address is 32 bit aligned.) If your dump is shorter, just use whatever size IDA defaults to.
ATTENTION: For DryOS Cameras you have to use the sizes & startadresses specified here: DryOS Porting - Load into IDA and Disassemble code
Wait a while until IDA loaded the file.
Click on 'Open signatures window' tool-button. Or press 'Shift+F5'.
In window appeared click right mouse button and choose 'Apply new signature...' menu item.
IDA will show the list of signature files are available for current processor. If you correctly installed the signatures file, as described in the preparing section, you will see "CanonFW_A-Series Firmware" item. Choose it.
After a short analysis you will see the number of functions recognized. Then, you can close the window.
Click on 'Execute an IDC file' tool-button. Then choose the 'CHDK.idc' file saved in the preparing section.
The script will run. It can take several minutes to complete. Please do not interrupt the IDA untill it finished.
Now, the initial disassemling stage is completed. You can browse the code.
Extended IDA debug scripts
There exist a number of IDC scripts to ease the code analysis (useful when you start hating these sub_DEADBEAF ;-)
The latest versions could be checked out from SVN or taken directly from http://tools.assembla.com/chdk/browser/trunk/tools/idc-scripts
scan-lib.idc
Helper methods. You have to change
#define ROM_START 0xFF810000
to your f/w start address for all the scripts could work fine.
scan-event-procedures.idc
Prerequisite: A set of RegisterEventProcedure API should be found and named: RegisterEventProcedure, RegisterEventProcedureTable, ExportEventProcedure, RegisterEventProcedureNN, etc. Searches for the event procedures registration points and renames all subs to form eventproc_ or eventproc_export_ Note: some of the event procedure tables are stored in RAM, so to find more you have to load a RAM dump from you camera.
scan-event-procedures-list.idc
Prerequisite: scan-event-procedures.idc Walks through the f/w and collects all the eventproc names. Generates stubs_entry_ida.S.
scan-swinv.idc
Fixes some strange IDA ideas (where it thinks the data to be a code)
scan-symbol-info.idc
Prerequisite: DebugAssert name should be available Adds to the sub_xxxx names a meaningful part, basing this part on assert information: _sub_FF8145D0__SystemTime_c__156 Meaning its a some SUB in the SystemTime.c file at line 156. Renames ~2000 subs and makes it easier to orient in the code.
scan-tasks.idc
Prerequisite: CreateTask, CreateTaskStrictly should be available, CreateMessageQueue is optional Searches code for all tasks creation and renames task subs into task_Name. Also renames the task creation sub into taskcreate_Name. Then tries to search for the task-related message queues and rename them also.
resolve-tasks.idc
Prerequisite: *scan-tasks.idc* Helps to understand which tasks calls the function under the cursor. Adds to the function comment all the tasks it'll find via up-recursive reference walk.
Notes
- By default, IDA will display some sequences of instructions as a macro, for example:
MOVL R3, 0x820A
- movl is not actually an ARM instruction, and is not supported by all toolchains. Instead, it is actually a user friendly way of displaying:
MOV R3, #0x8200
ADD R3, R3, #0xA
- To switch between the two methods, go to options -> general -> analysis -> processor specific analysis options and check or uncheck 'enable macros'. Note that IDA 5.3 displays MOV, not MOVL regardless of whether it is one instruction or two.