Differences

This shows you the differences between two versions of the page.

--- reverse_engineering:ghidra:create_a_project [2022/03/12 10:22] – created kitor
+++ reverse_engineering:ghidra:create_a_project [2022/04/01 17:46] (current) – [Initial analysis] kitor
@@ Line 8: / Line 8: @@
 What you need:
-  * ROM dumps (see: [[reverse_engineering:rom_dump|Obtaining ROM dumps]]
+  * ROM dumps (see: [[reverse_engineering:rom_dump|Obtaining ROM dumps]])
   * Ghidra installation
-==== Loading main ROM image into Ghidra ====
+===== Loading main ROM image into Ghidra =====
 {{:reverse_engineering:ghidra:ghidra_import.jpg|}} {{:reverse_engineering:ghidra:ghidra_options.jpg|}}
@@ Line 18: / Line 18: @@
 Simply drag and drop ROM file into a project window. Import dialog will pop up.
 Following settings are required:
@@ Line 29: / Line 27: @@
   * Block name: as you wish, but something meaningful is recommended (eg ROM0, ROM1)
   * Base Address:
-    * Digic 6: ROM1 loads at 0xF0000000
+    * Digic 6: ROM1 loads at ''0xFE000000''
-    * Digic 7,8,x: ROM0 loads at 0xE0000000
+    * Digic 7,8,x: ROM0 loads at ''0xE0000000''
   * Leave all other options as default.
 Close by clicking OK on all dialogs, and then acknowledge the import result. File will appear in a project.
+===== Project preparation =====
+Click twice on newly imported file. It will bring up "Code Browser" window.
+Ghidra will ask if you want to perform auto analysis now - select **No**.
+=== Load 2nd ROM file (where applicable) ===
+Go to ''File -> Add to program''. Select second ROM file. Import dialog will appear, but this time it will have language settings already in place.
+Open ''Options'', set Block name to something meaningful and Base Address to ''0xF0000000'' for Digic 7,8,X
+=== Fix memory map ===
+Navigate to ''Window -> Memory Map''. In rows representing loaded ROM images __uncheck__ tick in "W" (writable) column. This may affect analysis, and affects decompiler results.
+=== Add other memory regions ===
+This topic has a separate Wiki section: [[reverse_engineering:ghidra:memory_map|Defining memory map in Ghidra project]]
+== Result ==
+Complete memory map for EOS R 1.8.0 (internal 7.3.9) firmware:
+{{ :reverse_engineering:ghidra:ghidra_r180_memory.jpg|}}
+===== Initial analysis =====
+Project is now ready to start disassembling.
+=== Configure auto analysis ===
+Navigate to ''Analysis -> Auto analysis "<file_name>"''.
+There's no good answer on what should be selected here (some tools may even crash Ghidra), but as a rule of thumb:
+  * Disable "Non-returning functions - discovered"
+  * Disable "Embedded Media".
+  * Disable "Create Address Tables". In worst cases this option exhausts system memory and crashes Ghidra.
+Click ''Apply'' (do not click ''Analyze''!). Close the window.
+=== Run disassembly ===
+Jump to second level (DryOS) bootloader address (press 'G' in Listing window):
+^ CPU       ^ Address        ^
+| Digic 6   | ''0xFE0A0000'' |
+| Digic 7,8 | ''0xE0040000'' |
+| Digic X   | ''0xE0100000'' |
+Press F12 to disassemble in Thumb mode. Wait for Ghidra to finish a task - it will discover a lot of functions so it will take some time.
+After it is done, we name that function ''firmware_entry''
+=== Run auto analysis ===
+Go back to ''Analysis -> Auto analysis "<file_name>"''.
+Run the analysis - it will take a long time. After it is done, you may want to run "one shot" analysis for Embedded media and for Create Address Tables - but YMMV.