Create a Ghidra project
The scope of this section is not to explain how to use Ghidra, but how to create a project from a pre-made ROM dump.
At the time of writing, this guide applies to Digic 6, 7, 8 and X models running the EOS firmware variant. This includes some non-EOS cameras (like the PowerShot SX740 HS) and excludes some EOS ones (e.g. the M10) which run the PowerShot firmware variant. For the latter, refer to the CHDK Wiki.
Preparation
What you need:
- ROM dumps (see: Obtaining ROM dumps)
- Ghidra installation
Loading main ROM image into Ghidra
First, select the file that contains the actual code. On Digic 6 cameras there is only “ROM1.bin”; Digic 7, 8 and X models use ROM0.bin and (in most cases) ROM1.bin, where ROM0.bin contains the code.
Simply drag and drop the ROM file into the project window. The import dialog will pop up.
The following settings are required:
Language: for Digic 6 and up select ARM, v7, little endian, default compiler.
Options: in this dialog we define the memory address at which the image will be loaded.
- Block name: as you wish, but something meaningful is recommended (e.g. ROM0, ROM1)
- Base Address:
  - Digic 6: ROM1 loads at 0xFE000000
  - Digic 7, 8, X: ROM0 loads at 0xE0000000
- Leave all other options at their defaults.
Close all dialogs by clicking OK, then acknowledge the import result. The file will appear in the project.
Project preparation
Double-click the newly imported file. This brings up the “Code Browser” window.
Ghidra will ask if you want to perform auto analysis now; select No.
Load 2nd ROM file (where applicable)
Go to File → Add to program. Select the second ROM file. The import dialog will appear, but this time the language settings will already be in place.
Open Options, set Block name to something meaningful and Base Address to 0xF0000000 for Digic 7, 8, X.
Fix memory map
Navigate to Window → Memory Map. In the rows representing the loaded ROM images, untick the “W” (writable) column. Leaving it set may affect analysis and does affect decompiler results.
Add other memory regions
This topic has a separate Wiki section: Defining memory map in Ghidra project
Result
Initial analysis
The project is now ready for disassembly.
Configure auto analysis
Navigate to Analysis → Auto analysis “<file_name>”.
There is no single right answer as to what should be selected here (some analyzers may even crash Ghidra), but as a rule of thumb:
- Disable “Non-returning functions - discovered”.
- Disable “Embedded Media”.
- Disable “Create Address Tables”. In the worst case this option exhausts system memory and crashes Ghidra.
Click Apply (do not click Analyze!). Close the window.
Run disassembly
Jump to the second level (DryOS) bootloader address (press 'G' in the Listing window):

| CPU | Address |
|---|---|
| Digic 6 | 0xFE0A0000 |
| Digic 7, 8 | 0xE0040000 |
| Digic X | 0xE0100000 |

Press F12 to disassemble in Thumb mode. Wait for Ghidra to finish the task; it will discover a lot of functions, so this takes some time.
After it is done, name that function firmware_entry.
Run auto analysis
Go back to Analysis → Auto analysis “<file_name>”.
Run the analysis; it will take a long time. After it is done, you may want to run a “one shot” analysis for Embedded Media and for Create Address Tables, but YMMV.
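The manual steps from fixing the memory map through naming firmware_entry, as an added Ghidra Python (Jython) script that is not code from this wiki or from the Magic Lantern project. It assumes both ROM images have already been imported into one program as described above; the analyzer names and the Ghidra API calls it uses (setAnalysisOption, ArmDisassembleCommand, createFunction) are assumed to match your Ghidra version.

```python
# Added example: run from Ghidra's Script Manager with the imported program open.
# 'currentProgram', 'monitor', 'toAddr', 'createFunction' and 'setAnalysisOption'
# are injected by Ghidra's script environment (GhidraScript / FlatProgramAPI).

# Base addresses and DryOS bootloader entry points, copied from the tables above.
ROM_LAYOUT = {
    "digic6": {"rom_bases": [0xFE000000], "entry": 0xFE0A0000},
    "digic7": {"rom_bases": [0xE0000000, 0xF0000000], "entry": 0xE0040000},
    "digic8": {"rom_bases": [0xE0000000, 0xF0000000], "entry": 0xE0040000},
    "digicx": {"rom_bases": [0xE0000000, 0xF0000000], "entry": 0xE0100000},
}

# Analyzer names as shown in the Auto Analysis dialog (assumed to match your
# Ghidra version; compare with the dialog if one of them is not found).
DISABLED_ANALYZERS = [
    "Non-Returning Functions - Discovered",
    "Embedded Media",
    "Create Address Tables",
]

def select_rom_blocks(blocks, rom_bases):
    """Pick the memory blocks that start at one of the ROM base addresses.
    Works on any objects exposing getStart().getOffset(), so it can be unit
    tested outside Ghidra with stand-in block objects."""
    wanted = set(rom_bases)
    return [b for b in blocks if b.getStart().getOffset() in wanted]

def prepare_project(family):
    """Clear the W bit on ROM blocks, disable the fragile analyzers, disassemble
    the bootloader entry in Thumb mode and name it firmware_entry."""
    # Imported here so the pure helper above stays importable without Ghidra.
    from ghidra.app.cmd.disassemble import ArmDisassembleCommand

    layout = ROM_LAYOUT[family]
    blocks = currentProgram.getMemory().getBlocks()
    for block in select_rom_blocks(blocks, layout["rom_bases"]):
        if block.isWrite():
            block.setWrite(False)  # same as unticking "W" in Window -> Memory Map

    for name in DISABLED_ANALYZERS:
        setAnalysisOption(currentProgram, name, "false")

    entry = toAddr(layout["entry"])
    # Third argument True selects Thumb mode (the F12 action in the Listing).
    ArmDisassembleCommand(entry, None, True).applyTo(currentProgram, monitor)
    return createFunction(entry, "firmware_entry")  # None if creation failed

# Only runs inside Ghidra; edit the family name to match the camera.
if "currentProgram" in globals():
    fn = prepare_project("digic7")
    print("created firmware_entry" if fn is not None else "function creation failed")
```

Auto analysis itself is still started from the Analysis menu afterwards, exactly as described above.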