reverse_engineering:ghidra:create_a_project
reverse_engineering:ghidra:create_a_project [2022/03/12 11:59] – [Initial analysis] kitor | reverse_engineering:ghidra:create_a_project [2022/03/13 15:59] – kitor | ||
Line 33: | Line 33: | ||
Close by clicking OK on all dialogs, and then acknowledge the import result. The file will appear in the project. | Close by clicking OK on all dialogs, and then acknowledge the import result. The file will appear in the project. | ||
- | ===== Initial analysis | + | ===== Project preparation |
Double-click the newly imported file. It will bring up the "Code Browser" | Double-click the newly imported file. It will bring up the "Code Browser" | ||
Line 51: | Line 51: | ||
=== Add other memory regions === | === Add other memory regions === | ||
- | If you don't have a list of ROMCOPY regions, skip this step. Be aware that doing so results in an incomplete project that may be missing important pieces (especially on Digic 6). | + | This topic has a separate Wiki section: [[reverse_engineering: |
- | + | ||
- | == Obtaining list of rom copy regions == | + | |
- | You can obtain it from QEMU (see: [[reverse_engineering: | + | |
- | + | ||
- | It can also be obtained by reading the decompiled code that will be available in the incomplete | + | |
- | + | ||
- | == Obtaining list of other regions == | + | |
- | + | ||
- | As a rule of thumb: | + | |
- | * RAM starts at 0x40000000 | + | |
- | * There' | + | |
- | * Size of RAM depends on model. | + | |
- | * 0xCxxxxxxx and 0xDxxxxxxx are the ranges where most devices live | + | |
- | + | ||
- | Memory map for [[https:// | + | |
- | + | ||
- | == Defining ROMCOPY regions == | + | |
- | + | ||
- | __Option a, via Memory map:__ | + | |
- | + | ||
- | In '' | + | |
- | + | ||
- | * Block Types: select "Byte mapped" | + | |
- | * Source address: self-explanatory | + | |
- | * Start address: start of " | + | |
- | * Length: length of a block (note: it will accept input as decimal if you don't use '' | + | |
- | * Block name: something meaningful, like the memory address | + | |
- | * Select Read, | + | |
- | + | ||
- | __Option B, via "Add to program": | + | |
- | + | ||
- | Go to '' | + | |
- | + | ||
- | Repeat for all regions. | + | |
- | + | ||
- | == Defining other regions == | + | |
- | + | ||
- | Other regions (notably RAM) will overlap with the ROMCOPY regions defined earlier. Unfortunately that is not possible (" | + | |
- | + | ||
- | In '' | + | |
- | + | ||
- | * Block Types: leave " | + | |
- | * Start address: start of memory block | + | |
- | * Length: length of a block (note: it will accept input as decimal if you don't use '' | + | |
- | * Block name: something meaningful, like the memory address | + | |
- | * Select Read,Write flags | + | |
- | * Leave " | + | |
== Result == | == Result == | ||
Line 105: | Line 58: | ||
{{ : | {{ : | ||
+ | |||
+ | ===== Initial analysis ===== | ||
+ | |||
+ | The project is now ready to start disassembling. | ||
=== Run disassembly === | === Run disassembly === | ||
Line 130: | Line 87: | ||
Run the analysis - it will take a long time. After it is done, you may want to run a "one shot" analysis for Embedded Media and for Create Address Tables - but YMMV. | Run the analysis - it will take a long time. After it is done, you may want to run a "one shot" analysis for Embedded Media and for Create Address Tables - but YMMV. | ||
- | |||
- | |||
- | ===== ROMCOPY regions from static analysis ===== | ||
- | |||
- | //this may want moving to a separate wiki entry later// | ||
- | |||
- | While qemu '' | ||
- | |||
- | First of all, it includes everything, including the bootloader FROMUTIL, which is not needed and may mess up the analysis (it is not available after DryOS boots anyway). Second, it only tries to detect bulk memory moves, so a lot of "small regions" | ||
- | |||
- | The QEMU result might be slightly off compared to the code, as reads/ | ||
- | |||
- | === Obtaining list of ROMCOPY regions from DryOS (2nd stage) bootloader === | ||
- | |||
- | Navigate to '' | ||
- | |||
- | Read the code and note down each source address, destination start address and destination end address. Calculate the region sizes from those. | ||
- | |||
- | In the disassembled code, these may look like: | ||
- | < | ||
- | src = & | ||
- | for (dst = & | ||
- | *dst = *src; | ||
- | src = src + 1; | ||
- | } | ||
- | </ | ||
- | |||
- | Example, from SX740.102: | ||
- | ^ source | ||
- | | 0xe101ced8 | 0x4000 | ||
- | | 0xe103c648 | 0x23770 | ||
- | | - | < | ||
- | | 0xe1072dec | 0xdf002800 | ||
- | | - | < | ||
reverse_engineering/ghidra/create_a_project.txt · Last modified: 2022/04/01 17:46 by kitor