I have updated the Xtensa related scripts.
disassemble_xtensa.pl now takes advantage of the CHDK thumb2 sigfinder's output. The scripts' usage has also been simplified.
find_zico_msg_handlers.pl only requires Perl.
disassemble_xtensa.pl also needs an objdump binary with Xtensa support and 'strings'. The name and path of these utilities need to be corrected manually in the script.
Short howto:
1) Place PRIMARY.BIN in an empty directory, cd to that directory
2) Run finsig_thumb2 on PRIMARY.BIN. It should generate stubs_entry.S in the same directory.
finsig_thumb2 PRIMARY.BIN 0xfc000000 stubs_entry.S
3) Make (rough) disassemblies of two blobs:
disassemble_xtensa.pl -exPRIMARY.BIN 0x80a00000
disassemble_xtensa.pl -exPRIMARY.BIN 0xbff20000
4) In the disassembly (bff20000.bin.dis or 80a00000.bin.dis), locate the first reference to "ID Error[%d] -- msg:0x%08x".
Some Xtensa assembly knowledge is required for this step. Examples are below.
The code is likely more or less different in other models.
a) (g1x2)
Find the first 'movi' instruction backwards that has a constant operand greater than 200.
That constant is the number of messages.
Continue reading the disassembly backwards and find the first 'l32r' instruction. The constant it references
is the start of the table of message handler functions.
b) (sx280)
Find the first 'movi' instruction backwards that has a constant operand greater than 200.
80a2c1d0: b2a0e2 movi a11, 226
That constant is the maximum message index, the number of messages is (constant + 1).
Find the label the next 'bgeu' instruction points at.
80a2c1d3: 37bb63 bgeu a11, a3, loc_80a2c23a
The first 'l32r' instruction there loads the address of the message handler table (points inside the same binary, near its start).
loc_80a2c23a:
80a2c23a: 8172f4 l32r a8, 0x80a29404 ; (0x80a001d0)
5) Execute
find_zico_msg_handlers.pl 80a00000.bin.dis <decimal num> 80a00000.bin <hex offset>
substituting <decimal num> with the number of messages and <hex offset> with the message handler table's offset inside the binary.
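The manual walk in step 4 (string reference, backwards to the first 'movi' above 200, then either the preceding 'l32r' for the g1x2 layout or the 'bgeu' target's first 'l32r' for the sx280 layout) can be automated over a .dis listing. The script below is an added illustration, not part of the post above and not one of the CHDK scripts; it assumes the "addr: bytes mnemonic operands ; comment" listing layout quoted in the post, treats the '(0x...)' comment after an 'l32r' as the resolved pointer, and runs over a constructed fragment in which only the three instructions quoted in the post are real. The function names (parse_dis, find_msg_table) and the variant names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed listing fragment. The instructions at 80a2c1d0, 80a2c1d3 and
# 80a2c23a are the ones quoted in the post; every other line is filler made
# up for this example (addresses, bytes and pointer values are not real).
SAMPLE_DIS = """\
80a2c1c0: 0c23     movi.n a3, 2
80a2c1c2: 8162f4   l32r a8, 0x80a29400 ; (0x80a00100)
80a2c1d0: b2a0e2   movi a11, 226
80a2c1d3: 37bb63   bgeu a11, a3, loc_80a2c23a
80a2c1d6: 21a0c8   movi a2, 200
80a2c1d9: a182f4   l32r a10, 0x80a29408 ; "ID Error[%d] -- msg:0x%08x"
80a2c1dc: e5ffff   call8 0x80a2c000
80a2c1df: 0d0c     movi.n a13, 0
loc_80a2c23a:
80a2c23a: 8172f4   l32r a8, 0x80a29404 ; (0x80a001d0)
80a2c23d: 1df0     retw.n
"""
MARKER = "ID Error[%d] -- msg:0x%08x"   # the string named in step 4 of the post
BASE = 0x80a00000                        # load address of this blob (step 3)

INSN_RE = re.compile(r"^([0-9a-f]+):\s+[0-9a-f]+\s+(\S+)\s*(.*?)\s*$")
LABEL_RE = re.compile(r"^(\w+):\s*$")
PTR_RE = re.compile(r"\(0x([0-9a-f]+)\)")


@dataclass
class Insn:
    addr: int
    mnem: str
    ops: List[str]
    comment: str
    label: Optional[str] = None   # label printed on the line before this instruction


def parse_dis(text: str) -> List[Insn]:
    """Parse a listing into instructions; junk lines from a blind disassembly are skipped."""
    insns, pending_label = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LABEL_RE.match(line)
        if m:
            pending_label = m.group(1)
            continue
        m = INSN_RE.match(line)
        if not m:
            continue
        addr, mnem, rest = m.groups()
        ops_part, _, comment = rest.partition(";")   # split operands from the comment first
        ops = [o.strip() for o in ops_part.split(",") if o.strip()]
        insns.append(Insn(int(addr, 16), mnem, ops, comment.strip(), pending_label))
        pending_label = None
    return insns


def movi_imm(insn: Insn) -> Optional[int]:
    """Immediate of a movi/movi.n, or None for any other instruction."""
    if insn.mnem not in ("movi", "movi.n") or len(insn.ops) != 2:
        return None
    try:
        return int(insn.ops[1], 0)
    except ValueError:
        return None


def find_msg_table(insns: List[Insn], marker: str, variant: str,
                   base: int, threshold: int = 200) -> Tuple[int, int, int]:
    """Return (message count, table address, table offset inside the blob)."""
    ref = next((i for i, x in enumerate(insns) if marker in x.comment), None)
    if ref is None:
        raise ValueError("marker string is not referenced in this listing")
    # Backwards from the reference: first movi whose constant exceeds the threshold.
    movi_i = next((i for i in range(ref - 1, -1, -1)
                   if (movi_imm(insns[i]) or 0) > threshold), None)
    if movi_i is None:
        raise ValueError("no movi with a constant above %d before the marker" % threshold)
    const = movi_imm(insns[movi_i])
    if variant == "g1x2":
        # Constant is the count; keep reading backwards to the first l32r.
        count = const
        l32r_i = next(i for i in range(movi_i - 1, -1, -1) if insns[i].mnem == "l32r")
    elif variant == "sx280":
        # Constant is the maximum index; the bgeu target's first l32r loads the table.
        count = const + 1
        bgeu = next(insns[i] for i in range(movi_i + 1, len(insns)) if insns[i].mnem == "bgeu")
        label_i = next(i for i, x in enumerate(insns) if x.label == bgeu.ops[-1])
        l32r_i = next(i for i in range(label_i, len(insns)) if insns[i].mnem == "l32r")
    else:
        raise ValueError("unknown variant %r" % variant)
    m = PTR_RE.search(insns[l32r_i].comment)
    if not m:
        raise ValueError("l32r at %08x carries no resolved pointer comment" % insns[l32r_i].addr)
    table = int(m.group(1), 16)
    return count, table, table - base


if __name__ == "__main__":
    insns = parse_dis(SAMPLE_DIS)
    for variant in ("g1x2", "sx280"):
        count, table, off = find_msg_table(insns, MARKER, variant, BASE)
        print("%s: %d messages, table at 0x%08x (offset 0x%x)" % (variant, count, table, off))
```

The 'movi a2, 200' placed between the real movi and the string reference is there on purpose: it is not greater than 200, so the backward scan must step over it, which is the edge the post's "greater than 200" rule leaves to the reader. The two numbers the function returns are exactly the <decimal num> and <hex offset> arguments find_zico_msg_handlers.pl expects in step 5.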