Differences

This shows you the differences between two versions of the page.

--- reverse_engineering:ghidra:create_a_project [2022/03/12 11:34] – kitor
+++ reverse_engineering:ghidra:create_a_project [2022/03/12 14:28] – [ROMCOPY regions from static analysis] kitor
@@ Line 33: / Line 33: @@
 Close by clicking OK on all dialogs, and then acknowledge the import result. File will appear in a project.
-===== Initial analysis =====
+===== Project preparation =====
 Click twice on newly imported file. It will bring up "Code Browser" window.
 Ghidra will ask if you want to perform auto analysis now - select **No**.
+=== Load 2nd ROM file (where applicable) ===
+Go to ''File -> Add to program''. Select second ROM file. Import dialog will appear, but this time it will have language settings already in place.
+Open ''Options'', set Block name to something meaningful and Base Address to ''0xF0000000'' for Digic 7,8,X
 === Fix memory map ===
-Navigate to ''Window -> Memory Map''. In the only existing row (representing loaded ROM image) __uncheck__ tick in "W" (writable) column. This may affect analysis, and affects decompiler results.
+Navigate to ''Window -> Memory Map''. In rows representing loaded ROM images __uncheck__ tick in "W" (writable) column. This may affect analysis, and affects decompiler results.
 === Add other memory regions ===
@@ Line 47: / Line 53: @@
 Skip this step if you don't have a list of romcopy regions. It will result in incomplete project that may be missing important pieces (especially on Digic 6).
+== Obtaining list of rom copy regions ==
 You can obtain it from QEMU (see: [[reverse_engineering:qemu:run_firmware|Running firmware in QEMU]]).
 It can be also obtained by reading decompiled code, that will be available in incomplete project.
+== Obtaining list of other regions ==
+As a rule of thumb:
+  * RAM starts at ''0x40000000''
+  * There's a mirror of RAM available at ''0x00000000''
+  * Size of RAM depends on model.
+  * ''0xCxxxxxxx'' and ''0xDxxxxxxx'' are ranges where most devices live
+Memory map for [[https://www.magiclantern.fm/forum/index.php?topic=19737.msg212603#msg212603|Digic 7]] [[https://www.magiclantern.fm/forum/index.php?topic=22770.msg212090#msg212090|Digic 8]] [[https://www.magiclantern.fm/forum/index.php?topic=24827.msg230859#msg230859|Digic X]]
+== Defining ROMCOPY regions ==
+__Option a, via Memory map:__
+In ''Window -> Memory Map'' click green "+" symbol. This will open ''Add Memory Block'' panel.
+  * Block Types: select "Byte mapped"
+  * Source address: self explanatory
+  * Start address: start of "destination" block"
+  * Length: length of a block (note: it will accept input as decimal if you don't use ''0x'' prefix
+  * Block name: Something meaningful, like a memory address
+  * Select Read,Write,Execute flags.
+__Option B, via "Add to program":__
+Go to ''File -> Add to program''. Select file extracted from ROM (eg with ''romcpy.sh''). Proceed like in case of adding 2nd ROM.
+Repeat for all regions.
+== Defining other regions ==
+Other regions (notably: RAM) will overlap with ROMCOPY regions defined earlier. Unfortunately that is not possible ("overlay" option does not apply for that case), so you will need to split continous blocks to fill around romcpy ones.
+In ''Window -> Memory Map'' click green "+" symbol. This will open ''Add Memory Block'' panel.
+  * Block Types: leave "Default"
+  * Start address: start of memory block
+  * Length: length of a block (note: it will accept input as decimal if you don't use ''0x'' prefix
+  * Block name: Something meaningful, like a memory address
+  * Select Read,Write flags
+  * Leave "Uninitialized"
+== Result ==
+Complete memory map for EOS R 1.8.0 (internal 7.3.9) firmware:
+{{ :reverse_engineering:ghidra:ghidra_r180_memory.jpg|}}
+===== Initial analysis =====
+Project is now ready to start disassembling.
 === Run disassembly ===
@@ Line 78: / Line 137: @@
 ===== ROMCOPY regions from static analysis =====
+//this may want moving to a separate wiki entry later//
 While qemu ''-d romcpy'' is (arguably) the easiest way to obtain list of all chunks moved from ROM to RAM, it is imperfect.
@@ Line 93: / Line 154: @@
 In disassembled code those may look like:
 <code>
+// src holds address of data source in rom
 src = &DAT_e101ced8;
+// loop reads src, writes to dst and increases both pointers by 1
+// as long as "end" destination address is reached
 for (dst = &DAT_00004000; dst < &DAT_00023770; dst = dst + 1) {
   *dst = *src;
@@ Line 102: / Line 167: @@
 Example, from SX740.102:
 ^ source     ^ to:start              ^ to:end                ^ size                 ^
-| 0xe101ced8 | 0x4000                | 0x23770               | 0x1F770              |
+| ''0xe101ced8'' | ''0x4000''                | ''0x23770''               | ''0x1F770''              |
-| 0xe103c648 | 0x23770               | 0x59f14               | 0x367A4              |
+| ''0xe103c648'' | ''0x23770''               | ''0x59f14''               | ''0x367A4''              |
-| -          | <del>0x59f14</del>    | <del>0xddd1c</del>    | <del>ram erase</del> |
+| -              | <del>''0x59f14''</del>    | <del>''0xddd1c''</del>    | <del>ram erase</del>     |
-| 0xe1072dec | 0xdf002800            | 0xdf00339c            | 0xB9C                |
+| ''0xe1072dec'' | ''0xdf002800''            | ''0xdf00339c''            | ''0xB9C''                |
-| -          | <del>0xdf00339c</del> | <del>0xdf0033a8</del> | <del>ram erase</del> |
+| -              | <del>''0xdf00339c''</del> | <del>''0xdf0033a8''</del> | <del>ram erase</del>     |