Differences

This shows you the differences between two versions of the page.

--- reverse_engineering:ghidra:create_a_project [2022/03/12 10:38] – kitor
+++ reverse_engineering:ghidra:create_a_project [2022/03/13 15:59] – kitor
@@ Line 27: / Line 27: @@
   * Block name: as you wish, but something meaningful is recommended (eg ROM0, ROM1)
   * Base Address:
-    * Digic 6: ROM1 loads at 0xF0000000
+    * Digic 6: ROM1 loads at ''0xFE000000''
-    * Digic 7,8,x: ROM0 loads at 0xE0000000
+    * Digic 7,8,x: ROM0 loads at ''0xE0000000''
   * Leave all other options as default.
 Close by clicking OK on all dialogs, and then acknowledge the import result. File will appear in a project.
-===== Run disassembly =====
+===== Project preparation =====
-Jump to second level (DryOS) bootloader address (press 'G' in Listing window):
+Click twice on newly imported file. It will bring up "Code Browser" window.
-  * Digic 6: 0xF0
-  * Digic 7,8: 0xE0040000
-  * Digic X: 0xE0100000
-Press F12 to disassemble in Thumb mode. Wait for Ghidra to finish a task - it will discover a lot of functions so it will take some time.
+Ghidra will ask if you want to perform auto analysis now - select **No**.
-After it is done, we name that function `firmware_entry`
+=== Load 2nd ROM file (where applicable) ===
+Go to ''File -> Add to program''. Select second ROM file. Import dialog will appear, but this time it will have language settings already in place.
+Open ''Options'', set Block name to something meaningful and Base Address to ''0xF0000000'' for Digic 7,8,X
+=== Fix memory map ===
+Navigate to ''Window -> Memory Map''. In rows representing loaded ROM images __uncheck__ tick in "W" (writable) column. This may affect analysis, and affects decompiler results.
+=== Add other memory regions ===
+This topic has a separate Wiki section: [[reverse_engineering:ghidra:memory_map|Defining memory map in Ghidra project]]
+== Result ==
+Complete memory map for EOS R 1.8.0 (internal 7.3.9) firmware:
+{{ :reverse_engineering:ghidra:ghidra_r180_memory.jpg|}}
 ===== Initial analysis =====
-Click twice on newly imported file. It will bring up "Code Browser" window.
+Project is now ready to start disassembling.
-Ghidra will ask if you want to perform auto analysis now - select **No**.
+=== Run disassembly ===
-=== Fix memory map ===
+Jump to second level (DryOS) bootloader address (press 'G' in Listing window):
+^ CPU       ^ Address        ^
+| Digic 6   | ''0xFE0A0000'' |
+| Digic 7,8 | ''0xE0040000'' |
+| Digic X   | ''0xE0100000'' |
+Press F12 to disassemble in Thumb mode. Wait for Ghidra to finish a task - it will discover a lot of functions so it will take some time.
-Navigate to Window -> Memory Map. In the only existing row (representing loaded ROM image) __uncheck__ tick in "W" (writable) column. This may affect analysis, and affects decompiler results.
+After it is done, we name that function ''firmware_entry''
 === Run auto analysis ===
-Navigate to Analysis -> Auto analysis "<file_name">.
+Navigate to ''Analysis -> Auto analysis "<file_name>"''.
 There's no good answer on what should be selected here (some tools may even crash Ghidra), but as a rule of thumb:
@@ Line 64: / Line 86: @@
   * Disable "Create Address Tables". In worst cases this option exhausts system memory and crashes Ghidra.
-Run the analysis - it will take a long time. After it is done, you may want to run "one shot" analysis for Embedded media and for Create Address Tables - but YRMV.
+Run the analysis - it will take a long time. After it is done, you may want to run "one shot" analysis for Embedded media and for Create Address Tables - but YMMV.