This is an old revision of the document!
Table of Contents
Create a Ghidra project
Scope of this section is not to explain how to use Ghidra, but how to create a project based on pre-made ROM dump.
As time of writing, this guide can be applied to Digic 6,7,8,X models running EOS firmware variant. This includes some non-EOS cameras (like PowerShot SX740 HS) and excludes some EOS ones (eg M10) which run PowerShot firmware variant. For later, refer to CHDK Wiki.
Preparation
What you need:
- ROM dumps (see: Obtaining ROM dumps)
- Ghidra installation
Loading main ROM image into Ghidra
First, select the file that contains actual code. On Digic 6 cameras there's only “ROM1.bin”, Digic 7, 8 and X models use ROM0.bin and (in most cases) ROM1.bin, where ROM0.bin contains the code.
Simply drag and drop ROM file into a project window. Import dialog will pop up.
Following settings are required:
Language: For Digic 6 and up select ARM, v7, little endian, default compiler
Options: In this dialog we define at what memory address image will be loaded.
- Block name: as you wish, but something meaningful is recommended (eg ROM0, ROM1)
- Base Address:
- Digic 6: ROM1 loads at
0xFE000000
- Digic 7,8,x: ROM0 loads at
0xE0000000
- Leave all other options as default.
Close by clicking OK on all dialogs, and then acknowledge the import result. File will appear in a project.
Project preparation
Click twice on newly imported file. It will bring up “Code Browser” window.
Ghidra will ask if you want to perform auto analysis now - select No.
Load 2nd ROM file (where applicable)
Go to File → Add to program
. Select second ROM file. Import dialog will appear, but this time it will have language settings already in place.
Open Options
, set Block name to something meaningful and Base Address to 0xF0000000
for Digic 7,8,X
Fix memory map
Navigate to Window → Memory Map
. In rows representing loaded ROM images uncheck tick in “W” (writable) column. This may affect analysis, and affects decompiler results.
Add other memory regions
This topic has a separate Wiki section: Defining memory map in Ghidra project
Result
Initial analysis
Project is now ready to start disassembling.
Run disassembly
Jump to second level (DryOS) bootloader address (press 'G' in Listing window):
CPU | Address |
---|---|
Digic 6 | 0xFE0A0000 |
Digic 7,8 | 0xE0040000 |
Digic X | 0xE0100000 |
Press F12 to disassemble in Thumb mode. Wait for Ghidra to finish a task - it will discover a lot of functions so it will take some time.
After it is done, we name that function firmware_entry
Run auto analysis
Navigate to Analysis → Auto analysis “<file_name>”
.
There's no good answer on what should be selected here (some tools may even crash Ghidra), but as a rule of thumb:
- Disable “Non-returning functions - discovered”
- Disable “Embedded Media”.
- Disable “Create Address Tables”. In worst cases this option exhausts system memory and crashes Ghidra.
Run the analysis - it will take a long time. After it is done, you may want to run “one shot” analysis for Embedded media and for Create Address Tables - but YMMV.