CHDK Forum
Canon DSLR Development (+ other development) => DSLR Hack development => Topic started by: Pelican on 26 / April / 2010, 21:13:39
-
I started to develop a tool yesterday to help with ARM firmware development.
IDA Pro is just too expensive for a lot of people...
(http://pel.hu/down/ARMu.png)
ARMu (at this moment) can disassemble ARM binary files and automatically generates labels for subroutines, local branches and data words. It can get names from IDC files, so you can use the previous CHDK .idc files.
It handles segments, so you can load several memory areas at the same time.
Feature plans:
- Assembler
- Emulator (run commands step by step)
- Firmware file generator
If you could help with testing please send me a message.
Thoughts, ideas, opinions are welcome.
pelican
pel.hu
-
@pelican
ambitious project, good luck with it, I am sure many would find this very useful.
What operating system are you using, Linux?
OldGit
-
It's Windows...
-
Another attempt: http://chdk.setepontos.com/index.php/topic,3393.15.html
Some useful features would be:
- back/cross references (and jumping between them)
- support for constants (i.e. those that do not fit in an instruction)
- support for strings
- searching for byte sequences (strings and hex at least)
- being able to add/change labels (and have references use them)
- comments
- list of {strings,functions,...}
- some way to achieve the same as the IDA signatures and scripts for CHDK
I'm not so sure about the use of an assembler, emulator or firmware generator (at least w.r.t. CHDK).
Looking at the screen shot, I suggest using a fixed-width font for at least the first three columns (but why not for all of them?); that should be a bit easier on the eyes.
I don't know what you're developing this in, but if you use .NET your tool might also be used on other platforms (with Mono). Something that would be worth mentioning.
-
Thank you.
1: OK
2,3: What do you mean by support for strings and constants?
4: OK
5: Working
6: Yes maybe useful
7: OK
8: It reads/writes IDA idc (dump database) files. I don't know the sig structure...
The assembler is not really important, but I think an emulator can accelerate the reverse engineering or at least help to understand the code.
The font is not perfect, I know, but I didn't find a better one yet; it's semi-fixed... :)
-
2,3: What do you mean by support for strings and constants?
An alternative for DCD in case of (ASCII) strings so you don't have to read across the text column:
Hello world.. | ASC "Hello world\n"
instead of
4.He | DCD 0x65481234
llo | DCD 0x206f6c6c
worl | DCD 0x6c726f77
d..Q | DCD 0x51000a64
And with constants I refer to (the c in) instructions like LDR Rn, [PC, o] that are typically written as LDR Rn, =c (with c the value at PC+o).
The assembler is not really important, but I think an emulator can accelerate the reverse engineering or at least help to understand the code.
The problem with an emulator is that I don't see how you'd make it work well enough to be of use. You essentially have to implement all the relevant hardware in software to get anything useful out of it. Or am I missing something?
-
...emulator: see also http://chdk.wikia.com/wiki/GPL_Tools , especially http://chdk.wikia.com/wiki/GPL_Qemu
-
Thanks.
I've refreshed the screenshot.
-
Two things: LDR R0, =#0x1928 should be LDR R0, =0x1928 (http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0068b/Babbfdih.html) and I wonder how you deal with data that is not aligned to dword boundaries.
-
Thank you! Fixed.
What do you suggest?
-
In my opinion the nicest way for the user is to have each line use as many bytes as needed for the item at that line's address. For example, 4 bytes for instructions, n(+1) bytes for strings of length n and 1 byte for a stray character or minimal padding.
If you're really fixed on the 4 bytes per line, you could also insert an extra line for offset items. Taking my previous example:
ffd29420 | 4.He | DCD 0x65481234
ffd29422 | | sHelloWorld ; "Hello world\n"
ffd29424 | llo | DCD 0x206f6c6c
ffd29428 | worl | DCD 0x6c726f77
ffd2942c | d..Q | DCD 0x51000a64
Both obviously have all kinds of consequences, but I'm afraid that's unavoidable.
-
Thanks.
The 4 bytes per line and even the number of the lines is fixed...
My question is:
Is it worth finding the strings at any position or only at word-aligned positions?
I can make both versions, but the code cannot address them if they are not aligned.
As far as I saw, IDA finds strings at aligned positions... but I don't like that.
-
Fact is, the firmwares have plenty of strings at unaligned addresses. Code can access them just fine.
I agree that finding strings only at aligned positions while cutting off some bytes isn't really useful.
-
I can make both versions, but the code cannot address them if they are not aligned.
As mweerden says, this is not correct, and the firmware has many unaligned strings. Instructions that operate on words need to be word aligned, but ones that operate on bytes do not.
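The two layouts mweerden sketched above (fixed 4-bytes-per-line with an inserted line for an offset string, versus one item per line using as many bytes as it needs) and the aligned-vs-unaligned string search this post settles can be tried out on the exact words quoted earlier in the thread. The script below is an added example written for this page, not ARMu's or IDA's code; the 16-byte image is constructed from the four DCD words in mweerden's post, and the load address 0xFFD29420 is taken from the same post. Scanning at every byte offset finds "Hello world\n" at FFD29422; restricting the scan to word-aligned starts finds only "llo world\n", which is the cut-off string the thread objects to. As reyalp notes, a byte load (LDRB) has no alignment requirement, so the firmware can use the string at FFD29422 directly.

```python
"""
String scanning and line layout for a raw ARM image, at any byte offset.
Added example for this thread, not ARMu's or IDA's code. IMAGE is
constructed from the four data words quoted in the thread; BASE is the
load address used there.
"""
import struct

BASE = 0xFFD29420
MIN_LEN = 4   # shortest printable run accepted as a string

# 34 12 48 65 | 6C 6C 6F 20 | 77 6F 72 6C | 64 0A 00 51  ("4.He llo  worl d..Q")
IMAGE = struct.pack("<IIII", 0x65481234, 0x206F6C6C, 0x6C726F77, 0x51000A64)


def is_printable(b: int) -> bool:
    return 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D)


def find_strings(data: bytes, min_len: int = MIN_LEN, step: int = 1):
    """Return [(offset, bytes)] for printable runs of >= min_len bytes.
    step=1 lets a run start at any byte; step=4 only at word-aligned
    offsets, which cuts the leading bytes off unaligned strings."""
    out, i = [], 0
    while i < len(data):
        if i % step == 0 and is_printable(data[i]):
            j = i
            while j < len(data) and is_printable(data[j]):
                j += 1
            if j - i >= min_len:
                out.append((i, data[i:j]))
            i = j
        else:
            i += 1
    return out


def esc(s: bytes) -> str:
    """Render a byte string with C-style escapes (\\n, \\t, ...)."""
    return s.decode("ascii").encode("unicode_escape").decode("ascii")


def dump_words(data: bytes, base: int = BASE):
    """Fixed 4-bytes-per-line view with an ASCII column, plus an extra line
    for a string that begins inside a word (the 'offset item' layout)."""
    strings = dict(find_strings(data))
    lines = []
    for off in range(0, len(data) - len(data) % 4, 4):
        word = data[off:off + 4]
        col = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in word)
        (val,) = struct.unpack("<I", word)
        lines.append(f"{base + off:08X} | {col} | DCD 0x{val:08X}")
        for s_off in range(off + 1, off + 4):
            if s_off in strings:
                lines.append(f'{base + s_off:08X} |      | DCB "{esc(strings[s_off])}"')
    return lines


def layout(data: bytes, base: int = BASE):
    """One item per line, each consuming as many bytes as it needs: strings
    (plus NUL terminator) at their true offset, a whole word where an
    aligned word fits before the next item, single bytes otherwise."""
    strings = dict(find_strings(data))
    lines, i = [], 0
    while i < len(data):
        if i in strings:
            s = strings[i]
            has_nul = data[i + len(s):i + len(s) + 1] == b"\x00"
            lines.append(f'{base + i:08X} | DCB "{esc(s)}"' + (",0" if has_nul else ""))
            i += len(s) + (1 if has_nul else 0)
        else:
            nxt = min([o for o in strings if o > i], default=len(data))
            if i % 4 == 0 and nxt - i >= 4:
                (val,) = struct.unpack_from("<I", data, i)
                lines.append(f"{base + i:08X} | DCD 0x{val:08X}")
                i += 4
            else:
                lines.append(f"{base + i:08X} | DCB 0x{data[i]:02X}")
                i += 1
    return lines


if __name__ == "__main__":
    print("\n".join(dump_words(IMAGE)))
    print()
    print("\n".join(layout(IMAGE)))
```

The fixed view reproduces the "4.He / llo / worl / d..Q" lines from the thread and inserts the FFD29422 string line under the first word; the variable-width view emits two stray bytes, the string with its terminator, and the trailing 0x51 byte on its own line, so every byte is accounted for exactly once.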
-
Yes, it's right.
-
I've published the first release.
It's buggy of course, but you can see how it works.
Comments and any feedback would be much appreciated.
You can start here: http://pel.hu/armu
-
New snapshot is available.
-
Very useful tool! Thank you!
-
Hi Pelican, how can I load a bin file to a specific start address, not 0x00000000? Thanks
-
1. Load binary and change the segment address.
2. Make a .prj file where you can describe the loading address.
-
1. Where can I change the segment address?
2. The Save project menu is disabled, so I can't save a .prj file.
-
1. Disassembler, Other
2. Use NotePad or any text editor to make one. See the example .prj file on the ARMu page.
These are not steps, these are alternative solutions...
-
1. OK, got it.
Load/Save database doesn't work well. When loading a database, ARMu pops up an error: access violation at 004D3858.
In the debug module, Run over and Run to also don't work; they pop up a message: Floating point division by zero.
-
Hi, could I see the memory while the debugger is running?
-
Sorry for asking such a fundamental question, but where can I find the IDC files? I have CHDK Shell and thought that those files might have been in the build subdirectories. It appears that they are not. I opened the binary for the SX1 2.00h. Here's a screen shot. Obviously, I don't have the CHDK memory map.
Thank you
-
Hi Pel:
The LDM instruction seems not to be implemented correctly. When BL calls a function, it does not return correctly.
-
The download button on your web page links to ARMemu.exe instead of ARMu.exe. Also, and this could just be me, I had a hard time finding the button for some reason. Perhaps a specific download section is clearer.
Loading the binary worked fine, but locating it at the right address required some puzzling. A dialog to enter the address after selecting the binary might be an option here.
Searching didn't quite work as expected. I had to enter values in reversed byte order to find anything. And when I search for a value with an odd number of digits, it seems to simply strip the last digit. Also, although it's very nice to be able to search specific columns, it is often not clear which column is actually being searched (e.g. when the selection is not visible on screen or when a specific column isn't supported). As a visual cue it might also be useful to change "Search" to something like "Stop search" instead of disabling the button; the latter suggests the search cannot be interrupted, while this doesn't seem to be the case if I change the text in the search box.
With respect to constants (as in the =0x...) it would be useful if you also mark the location of the constant itself as such. For example, I have the following:
FF8D4AC0 LDR R6, =0xFFAE1ED4 ;[FF8D4C24]
...
FF8D4C24 SWINV 11411156
A DD 0xFFAE1ED4 with both cross-refs to the places it's used and the location in memory itself (such that if I find that location first, I can find that it is referenced here) would be nicest. Also nice would be to be able to jump somewhere by clicking on a cross-ref.
Sorry for asking such a fundamental question, but where can I find the IDC files?
Those are IDA files. I don't think there are many out there.
Here's a screen shot.
Where? ;)
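The constant handling asked for in this post (resolve the LDR Rn, =c form, mark the literal's own location as data, and keep cross-references in both directions), together with the earlier points in the thread about writing the constant as =0x... rather than =#0x... and computing c from PC+o, can be shown in a few dozen lines. The script below is an added example written for this page and is not ARMu's code. Its image is constructed so the addresses match the ones quoted above: the LDR at FF8D4AC0 references a literal at FF8D4C24 holding 0xFFAE1ED4, a second (assumed) LDR at FF8D4AC4 references the same literal, and a third (assumed) LDR with the offset-subtract bit clear references a literal holding 0x1928. Note that 0xFFAE1ED4, read as an instruction, has condition 1111 and the SWI bit pattern, which is exactly why the raw listing above shows "SWINV 11411156" (0xAE1ED4 = 11411156); once the word is known to be a literal it is rendered as DCD instead.

```python
"""
Resolve ARM literal-pool loads (LDR Rd, [PC, #+/-imm12]) to the constant
they fetch and record cross-references both ways, so the literal's own
location is shown as data rather than disassembled as an instruction.
Added example for this thread, not ARMu's code. The image is constructed;
its addresses are chosen to match those quoted in the thread.
"""
import struct

BASE = 0xFF8D4AC0


def build_image() -> bytes:
    img = bytearray(0x168)                            # zero-filled gap between code and pool
    struct.pack_into("<I", img, 0x000, 0xE59F615C)    # FF8D4AC0: LDR R6, [PC, #0x15C] -> FF8D4C24
    struct.pack_into("<I", img, 0x004, 0xE59F0158)    # FF8D4AC4: LDR R0, [PC, #0x158] -> FF8D4C24 (assumed)
    struct.pack_into("<I", img, 0x00C, 0xE51F0004)    # FF8D4ACC: LDR R0, [PC, #-4]    -> FF8D4AD0 (assumed)
    struct.pack_into("<I", img, 0x010, 0x00001928)    # FF8D4AD0: literal 0x1928
    struct.pack_into("<I", img, 0x164, 0xFFAE1ED4)    # FF8D4C24: literal 0xFFAE1ED4
    return bytes(img)


def decode_pc_ldr(insn: int):
    """Return (Rd, signed_offset) if insn is ARM 'LDR Rd, [PC, #+/-imm12]'
    (immediate offset, word load, pre-indexed, no writeback), else None."""
    if insn >> 28 == 0xF:                     # cond 1111 is not an ordinary LDR
        return None
    if insn & 0x0F7F0000 != 0x051F0000:       # I=0 P=1 B=0 W=0 L=1 Rn=15 (PC)
        return None
    rd = (insn >> 12) & 0xF
    imm = insn & 0xFFF
    up = bool(insn & (1 << 23))               # U bit: add or subtract the offset
    return rd, (imm if up else -imm)


def resolve_literals(img: bytes, base: int = BASE):
    """Walk the image as ARM code. Returns
    ({insn_addr: (rd, literal_addr, value)}, {literal_addr: [insn_addr, ...]})."""
    loads, xrefs = {}, {}
    for off in range(0, len(img) - 3, 4):
        (insn,) = struct.unpack_from("<I", img, off)
        dec = decode_pc_ldr(insn)
        if dec is None:
            continue
        rd, delta = dec
        lit = base + off + 8 + delta          # in ARM state PC reads as address + 8
        lit_off = lit - base
        if not 0 <= lit_off <= len(img) - 4:  # literal outside the loaded segment
            continue
        (value,) = struct.unpack_from("<I", img, lit_off)
        loads[base + off] = (rd, lit, value)
        xrefs.setdefault(lit, []).append(base + off)
    return loads, xrefs


def render(img: bytes, base: int = BASE):
    """Listing lines: each load in 'LDR Rn, =c ;[pool addr]' form, then each
    literal as DCD with the addresses that reference it."""
    loads, xrefs = resolve_literals(img, base)
    lines = [f"{a:08X} LDR R{rd}, =0x{val:X} ;[{lit:08X}]"
             for a, (rd, lit, val) in sorted(loads.items())]
    for lit, users in sorted(xrefs.items()):
        (val,) = struct.unpack_from("<I", img, lit - base)
        lines.append(f"{lit:08X} DCD 0x{val:08X} ; xref " + " ".join(f"{u:08X}" for u in users))
    return lines


if __name__ == "__main__":
    print("\n".join(render(build_image())))
```

One caveat a real disassembler has to deal with: this linear walk treats every word as a potential instruction, so a data word that happens to match the LDR bit pattern would produce a bogus literal reference. Marking the discovered pool words as data (which is what the xref table enables) and only following code reachable from known entry points avoids most of that.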
-
Thank you for the bug report. I'm using a newer version, which is available to download now.
-
Here's a screen shot.
Where? ;)
Sorry, I was trying to figure out how to post an image. Can I add an image from my local machine, or does it have to be on a web server somewhere?
-
Sorry, I was trying to figure out how to post an image. Can I add an image from my local machine, or does it have to be on a web server somewhere?
You can just add it as attachment (under "Additional Options...").
-
OK, here it goes
-
First, you can modify the segment address from 0 to the real address (like FF810000 or FF010000).
Then run Database/String search and Code references search.
If you have an IDA dump database IDC file for your fw then you can load it in Database/Import IDA dump IDC.
-
A new snapshot is available.
08/02/2010 Changes for v0.13
- Bug fixes
I've also fixed the links on the site.
-
THANKS A LOT!
-
Hi,
I am a newbie. I just bought a 1300 IS (IXUS105) and would like to learn how to port it. I have some programming knowledge, but actually the disassembling part seems to damn me. :)
If I load my diskboot.bin, I notice the addresses are like: SEGO:xxxxx, and in your screenshot I see ROM:xxxxx
1. What explains the difference?
2. I tried both addresses suggested higher in this thread: FF810000 or FF010000
Is there any walkthrough to learn how to do the job?
Thanks
-
Is there any walkthrough to learn how to do the job?
Start on armu.pel.hu
-
New snapshot is available.
03/22/2011 Changes for v0.16
- UTF8 string support (limited, missing Chinese symbols)
- Bug fixes
(http://pel.hu/down/ARMu_DB2.png)
-
Any progress towards a DryOS emulator?
-
Shortly: no.
-
DryOS (updater code) can be run using QEMU.
Indy.