reverse_engineering:ghidra:create_a_project
Differences
This shows you the differences between two versions of the page.
reverse_engineering:ghidra:create_a_project [2022/03/12 10:38] – kitor | reverse_engineering:ghidra:create_a_project [2022/03/12 14:28] – [ROMCOPY regions from static analysis] kitor | ||
Line 27: | Line 27: | ||
* Block name: as you wish, but something meaningful is recommended (eg ROM0, ROM1) | * Block name: as you wish, but something meaningful is recommended (eg ROM0, ROM1) | ||
* Base Address: | * Base Address: | ||
- | * Digic 6: ROM1 loads at 0xF0000000 | + | * Digic 6: ROM1 loads at '' |
- | * Digic 7,8,x: ROM0 loads at 0xE0000000 | + | * Digic 7,8,x: ROM0 loads at '' |
* Leave all other options as default. | * Leave all other options as default. | ||
Close by clicking OK on all dialogs, and then acknowledge the import result. File will appear in a project. | Close by clicking OK on all dialogs, and then acknowledge the import result. File will appear in a project. | ||
- | ===== Run disassembly | + | ===== Project preparation |
- | Jump to second level (DryOS) bootloader address (press ' | + | Click twice on newly imported file. It will bring up "Code Browser" |
- | * Digic 6: 0xF0 | + | |
- | * Digic 7,8: 0xE0040000 | + | |
- | * Digic X: 0xE0100000 | + | |
- | Press F12 to disassemble | + | Ghidra will ask if you want to perform auto analysis now - select **No**. |
+ | |||
+ | === Load 2nd ROM file (where applicable) === | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Open '' | ||
+ | |||
+ | === Fix memory map === | ||
+ | |||
+ | Navigate | ||
+ | |||
+ | === Add other memory regions === | ||
+ | |||
+ | Skip this step if you don't have a list of romcopy regions. It will result in incomplete project that may be missing important pieces (especially on Digic 6). | ||
+ | |||
+ | == Obtaining list of rom copy regions == | ||
+ | You can obtain it from QEMU (see: [[reverse_engineering: | ||
+ | |||
+ | It can be also obtained by reading decompiled code, that will be available in incomplete project. | ||
+ | |||
+ | == Obtaining list of other regions == | ||
+ | |||
+ | As a rule of thumb: | ||
+ | * RAM starts at '' | ||
+ | * There' | ||
+ | * Size of RAM depends on model. | ||
+ | * '' | ||
+ | |||
+ | Memory map for [[https:// | ||
+ | |||
+ | == Defining ROMCOPY regions == | ||
+ | |||
+ | __Option | ||
+ | |||
+ | In '' | ||
+ | |||
+ | * Block Types: select "Byte mapped" | ||
+ | * Source address: self explanatory | ||
+ | * Start address: start of " | ||
+ | * Length: length of a block (note: | ||
+ | * Block name: Something meaningful, like a memory address | ||
+ | * Select Read, | ||
+ | |||
+ | __Option B, via "Add to program": | ||
+ | |||
+ | Go to '' | ||
+ | |||
+ | Repeat for all regions. | ||
+ | |||
+ | == Defining other regions == | ||
+ | |||
+ | Other regions (notably: RAM) will overlap with ROMCOPY regions defined earlier. Unfortunately that is not possible (" | ||
+ | |||
+ | In '' | ||
+ | |||
+ | * Block Types: leave " | ||
+ | * Start address: start of memory block | ||
+ | * Length: length of a block (note: | ||
+ | * Block name: Something meaningful, like a memory address | ||
+ | * Select Read,Write flags | ||
+ | * Leave " | ||
+ | |||
+ | == Result == | ||
+ | |||
+ | Complete memory map for EOS R 1.8.0 (internal 7.3.9) firmware: | ||
- | After it is done, we name that function `firmware_entry` | + | {{ : |
===== Initial analysis ===== | ===== Initial analysis ===== | ||
- | Click twice on newly imported file. It will bring up "Code Browser" | + | Project is now ready to start disassembling. |
- | Ghidra will ask if you want to perform auto analysis now - select **No**. | + | === Run disassembly === |
- | === Fix memory map === | + | Jump to second level (DryOS) bootloader address (press ' |
- | Navigate | + | ^ CPU ^ Address |
+ | | Digic 6 | '' | ||
+ | | Digic 7,8 | '' | ||
+ | | Digic X | '' | ||
+ | |||
+ | Press F12 to disassemble | ||
+ | |||
+ | After it is done, we name that function '' | ||
=== Run auto analysis === | === Run auto analysis === | ||
- | Navigate to Analysis -> Auto analysis "< | + | Navigate to '' |
There' | There' | ||
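Review bot: The added "Add other memory regions" text ("Skip this step if you don't have a list of romcopy regions. It will result in incomplete project that may be missing important pieces") reads as contradictory: the first sentence permits skipping, the second warns about the consequence, and "It" is ambiguous (the step, or skipping it?). Suggest one sentence: "If you don't have a list of ROMCOPY regions you can skip this step, but the resulting project will be incomplete and may be missing important pieces (especially on Digic 6)." The same section also spells the term three ways ("romcopy", "rom copy", "ROMCOPY"); pick the heading spelling ROMCOPY throughout.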
Line 64: | Line 133: | ||
* Disable " | * Disable " | ||
- | Run the analysis - it will take a long time. After it is done, you may want to run "one shot" analysis for Embedded media and for Create Address Tables - but YRMV. | + | Run the analysis - it will take a long time. After it is done, you may want to run "one shot" analysis for Embedded media and for Create Address Tables - but YMMV. |
+ | |||
+ | |||
+ | ===== ROMCOPY regions from static analysis ===== | ||
+ | |||
+ | //this may want moving to a separate wiki entry later// | ||
+ | |||
+ | While qemu '' | ||
+ | |||
+ | First of all, it includes all things - including bootloader FROMUTIL that is not needed and may mess up analysis ( it is not available after DryOS boots anyway). 2nd, it just tries to detect bulk memory moves - so a lot of "small regions" | ||
+ | |||
+ | QEMU result might be slightly off as compared to code, as reads/ | ||
+ | |||
+ | === Obtaining list of ROMCOPY regions from DryOS (2nd stage) bootloader === | ||
+ | |||
+ | Navigate to '' | ||
+ | |||
+ | Read the code, note down each source address, destination start address and destination end address. Calculate region sizes. | ||
+ | |||
+ | In disassembled code those may look like: | ||
+ | < | ||
+ | // src holds address of data source in rom | ||
+ | src = & | ||
+ | |||
+ | // loop reads src, writes to dst and increases both pointers by 1 | ||
+ | // as long as " | ||
+ | for (dst = & | ||
+ | *dst = *src; | ||
+ | src = src + 1; | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | Example, from SX740.102: | ||
+ | ^ source | ||
+ | | '' | ||
+ | | '' | ||
+ | | - | < | ||
+ | | '' | ||
+ | | - | < | ||
reverse_engineering/ghidra/create_a_project.txt · Last modified: 2022/04/01 17:46 by kitor