finsig and other tools for thumb2 (was Re: chdk in the DIGIC6 world)


axman
Re: finsig and other tools for thumb2 (was Re: chdk in the DIGIC6 world)
« Reply #40 on: 31 / May / 2017, 14:13:59 »
Quote
Sorry, I really don't understand what you are trying to do.
Sorry for taking your time with this.  I'm trying to verify that the capstone I've patched, built and installed works correctly.  I'm poking around trying to understand why firmware_load_ng (thanks for the tip on where to look) returns the warnings it does.  Something to do with

    int r=(insn[0].detail->arm.operands[0].imm == insn[2].detail->arm.operands[0].imm);

In any case, when using capdis to read ixus160 firmware, I do not get the error "do_blx_check: disassembly failed".

So, now I have some belief my capstone is patched correctly.  I've screwed up capstone so many times, I just want to know it's good, so I can move on and not get bit by this down the road.

However, using capdis, I do get the "WARNING! Incorrect disassembly is likely" when reading ixus160 firmware.

Same is true when reading M10 firmware, I do not get blx error.  I do get WARNING.

Quick test of M10 disassembly using capdis seems ok, there are thumb2 instructions visible.

Sorry again for taking your time.


reyalp
Re: finsig and other tools for thumb2 (was Re: chdk in the DIGIC6 world)
« Reply #41 on: 31 / May / 2017, 15:57:57 »
Quote
Sorry, I really don't understand what you are trying to do.
Something to do with

    int r=(insn[0].detail->arm.operands[0].imm == insn[2].detail->arm.operands[0].imm);

In any case, when using capdis to read ixus160 firmware, I do not get the error "do_blx_check: disassembly failed" -

So, now I have some belief my capstone is patched correctly.
NO. The "disassembly failed" message is a sanity check not related to the test, sorry if this wasn't clear.

If you get the "WARNING! Incorrect disassembly is likely" either your capstone is broken, or my test case is broken. The test case is pretty simple and works for me, so I think it's right, but I've certainly made my share of mistakes...

Quote
Quick test of M10 disassembly using capdis seems ok, there are thumb2 instructions visible.
Again, the bug only affects a few specific cases, and the result is that addresses in those cases are off by a small amount, e.g. what should be
blx sub_ff123450
is disassembled as
blx sub_ff123454

See discussion starting at: https://chdk.setepontos.com/index.php?topic=12714.msg126341#msg126341

You will not be able to tell whether the bug is present by visually inspecting the output; you will only see it if you compare with the output of a non-broken disassembler, or calculate the actual address by hand using the rules in the ARM documentation.

How the test case works:
There are two thumb blx instructions that call the same arm function. Since they call the same function, the calculated address for each call (insn[...].detail->arm.operands[0].imm) is the same. The warning is printed if the calculated addresses are not the same.

The source code for the test case is shown in the comment. I compiled this manually using the command at the bottom of the comment and copied the first 3 instructions of the resulting machine code into the "code" variable.
Don't forget what the H stands for.

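An added example, not code from this thread, from CHDK or from capstone: a small C program that computes BL and BLX <label> targets from the raw 32-bit Thumb halfwords using the rules in the ARM Architecture Reference Manual (ARMv7-A/R, BL T1 and BLX T2 encodings), and reproduces the shape of the sanity check described above. It encodes two BLX calls to one ARM function from a 4-aligned site and a 2-mod-4 site (constructed addresses 0x1000, 0x1006 and 0x2000), checks that both decode to the same target, and then shows what a decoder that skips the Align(PC,4) step would report instead. The `f235 fdf7  bl GetPropertyCase` bytes are the ones quoted later in this thread; the target the program prints for them is computed here by the ARM rule, not taken from the page.

```c
/* thumb2_bl.c: compute BL / BLX <label> targets from raw 32-bit Thumb encodings
 * per the ARM Architecture Reference Manual (ARMv7-A/R: A8.8.25 BL T1, A8.8.26 BLX T2).
 * Added example for this thread; not CHDK or capstone code. All addresses are constructed
 * except the bl GetPropertyCase bytes quoted in the thread. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    bool valid;      /* halfword pair is a BL (T1) or BLX immediate (T2) */
    bool is_blx;     /* BLX switches to ARM state; BL stays in Thumb */
    uint32_t target; /* branch target computed per the ARM rules */
} bl_insn;

/* The immediate S:I1:I2:imm10:... is a 25-bit signed value; sign-extend from bit 24. */
static uint32_t sext25(uint32_t v)
{
    return (v & 0x01000000u) ? (v | 0xFE000000u) : v;
}

/* Bits shared by BL and BLX: hw1 = 11110 S imm10, hw2 = 11 J1 x J2 ...,
 * I1 = NOT(J1 EOR S), I2 = NOT(J2 EOR S). Returns S:I1:I2:imm10 shifted into place. */
static uint32_t bl_high_bits(uint16_t hw1, uint16_t hw2)
{
    uint32_t S = (hw1 >> 10) & 1u, imm10 = hw1 & 0x3FFu;
    uint32_t J1 = (hw2 >> 13) & 1u, J2 = (hw2 >> 11) & 1u;
    uint32_t I1 = (~(J1 ^ S)) & 1u, I2 = (~(J2 ^ S)) & 1u;
    return (S << 24) | (I1 << 23) | (I2 << 22) | (imm10 << 12);
}

/* addr is the address of hw1; halfwords are host-order values read from the
 * little-endian firmware image. In Thumb state PC reads as addr + 4. */
bl_insn decode_bl(uint32_t addr, uint16_t hw1, uint16_t hw2)
{
    bl_insn r = { false, false, 0 };
    uint32_t pc = addr + 4;

    if ((hw1 & 0xF800u) != 0xF000u)
        return r;
    if ((hw2 & 0xD000u) == 0xD000u) {
        /* BL T1: hw2 = 11 J1 1 J2 imm11; imm32 = S:I1:I2:imm10:imm11:'0'; target = PC + imm32 */
        r.valid = true;
        r.target = pc + sext25(bl_high_bits(hw1, hw2) | ((hw2 & 0x7FFu) << 1));
    } else if ((hw2 & 0xD001u) == 0xC000u) {
        /* BLX T2: hw2 = 11 J1 0 J2 imm10L H (H must be 0);
         * imm32 = S:I1:I2:imm10H:imm10L:'00'; target = Align(PC, 4) + imm32.
         * The Align() is the detail that matters: for a BLX at a 2-mod-4 address
         * PC is rounded down first, so skipping it yields a target off by 2. */
        r.valid = true;
        r.is_blx = true;
        r.target = (pc & ~3u) + sext25(bl_high_bits(hw1, hw2) | (((hw2 >> 1) & 0x3FFu) << 2));
    }
    return r;
}

/* What a decoder that forgets Align(PC, 4) would report for a BLX (illustration only). */
uint32_t blx_target_unaligned(uint32_t addr, uint16_t hw1, uint16_t hw2)
{
    return addr + 4 + sext25(bl_high_bits(hw1, hw2) | (((hw2 >> 1) & 0x3FFu) << 2));
}

/* Encode BLX <target> at addr; false if target is not 4-aligned or outside +-16MB. */
bool encode_blx(uint32_t addr, uint32_t target, uint16_t *hw1, uint16_t *hw2)
{
    int32_t imm32 = (int32_t)(target - ((addr + 4) & ~3u));
    if ((target & 3u) || imm32 < -(1 << 24) || imm32 >= (1 << 24))
        return false;
    uint32_t u = (uint32_t)imm32;
    uint32_t S = (u >> 24) & 1u, I1 = (u >> 23) & 1u, I2 = (u >> 22) & 1u;
    uint32_t J1 = ((~I1) & 1u) ^ S, J2 = ((~I2) & 1u) ^ S; /* inverse of I = NOT(J EOR S) */
    *hw1 = (uint16_t)(0xF000u | (S << 10) | ((u >> 12) & 0x3FFu));
    *hw2 = (uint16_t)(0xC000u | (J1 << 13) | (J2 << 11) | (((u >> 2) & 0x3FFu) << 1));
    return true;
}

/* Encode then decode a BLX; returns the decoded target, or UINT32_MAX if encoding failed. */
uint32_t blx_roundtrip(uint32_t addr, uint32_t target)
{
    uint16_t hw1, hw2;
    if (!encode_blx(addr, target, &hw1, &hw2))
        return UINT32_MAX;
    bl_insn d = decode_bl(addr, hw1, hw2);
    return (d.valid && d.is_blx) ? d.target : UINT32_MAX;
}

/* The thread's sanity check in miniature: two BLX sites (one 4-aligned, one 2-mod-4,
 * constructed addresses) calling the same ARM function must decode to one target.
 * Returns how many of the two sites decode to something other than that function. */
int blx_pair_mismatches(bool use_alignment)
{
    const uint32_t func = 0x2000u, sites[2] = { 0x1000u, 0x1006u };
    int bad = 0;
    for (int i = 0; i < 2; i++) {
        uint16_t hw1, hw2;
        encode_blx(sites[i], func, &hw1, &hw2);
        uint32_t t = use_alignment ? decode_bl(sites[i], hw1, hw2).target
                                   : blx_target_unaligned(sites[i], hw1, hw2);
        if (t != func)
            bad++;
    }
    return bad;
}

int main(void)
{
    /* Bytes quoted in this thread: fc114b84: f235 fdf7  bl GetPropertyCase */
    bl_insn g = decode_bl(0xfc114b84u, 0xf235u, 0xfdf7u);
    printf("bl  target 0x%08x (blx=%d)\n", g.target, g.is_blx);
    printf("blx pair mismatches: aligned=%d unaligned=%d\n",
           blx_pair_mismatches(true), blx_pair_mismatches(false));
    return 0;
}
```

Only BLX aligns PC before the add (BL does not), so a single call site at a 4-aligned address can decode correctly while another call to the same function from a 2-mod-4 address does not. That is why the check compares two call sites rather than eyeballing one listing, and why it is worth running against a freshly patched capstone before trusting a full dump.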

reyalp
Re: finsig and other tools for thumb2 (was Re: chdk in the DIGIC6 world)
« Reply #42 on: 03 / June / 2017, 17:48:19 »
Belated note:
Trunk 4816 greatly speeds up capdis disassembly. On my system, a full g7x dump takes ~2 minutes, where it previously took the better part of an hour.
Don't forget what the H stands for.


reyalp
Re: finsig and other tools for thumb2 (was Re: chdk in the DIGIC6 world)
« Reply #43 on: 02 / July / 2017, 18:00:26 »
I added a match for _nrflag in trunk r4838. This should probably work for the cameras it's found on, if they follow the same approach as g7x (USE_STUBS_NRFLAG 1, NR_AUTO (-1), hook in equivalent location).

The variable used is from NRTBL.SetDarkSubType (as used on M10). My impression is that this function and its associated variable are a Canon development tool, not used in normal operation. It appears to accept many more values than just on/off/auto (~14 allowed on G7x). The meaning of the other values is unclear (handled in g7x 100d sub_fc38374c).

It's not matched on sx280, because the firmware NRTBL.SetDarkSubType code is very different.
Don't forget what the H stands for.


Re: finsig and other tools for thumb2 (was Re: chdk in the DIGIC6 world)
« Reply #44 on: 03 / July / 2017, 09:21:50 »
Quote
I added a match for _nrflag in trunk r4838. This should probably work for the cameras it's found on, if they follow the same approach as g7x (USE_STUBS_NRFLAG 1, NR_AUTO (-1), hook in equivalent location).
Works for the G16 (finds the same addresses that I had located manually).
Ported :   A1200    SD940   G10    Powershot N    G16


reyalp
Re: finsig and other tools for thumb2 (was Re: chdk in the DIGIC6 world)
« Reply #45 on: 09 / July / 2017, 02:45:26 »
In trunk 4862 I gave capdis the ability to annotate GetPropertyCase and SetPropertyCase calls.  To use it, include -props=<propset id> on the command line. -stubs must also be used.

With this, you will see things like
Code:
    fc114b80: 2035      movs r0, #0x35
    fc114b82: 4669      mov r1, sp
    fc114b84: f235 fdf7 bl GetPropertyCase ;  PROPCASE_SHOOTING_MODE (53)
in the disassembly for calls involving known propcases, which makes it much easier to see where particular propcases are used.

Of course, the IDs are only as good as your propsetN.h file, so it should be used for reverse engineering, not the initial stages of a port.

I'm thinking about giving finsig_thumb2 the ability to identify propcase IDs.
Don't forget what the H stands for.


reyalp
Re: finsig and other tools for thumb2 (was Re: chdk in the DIGIC6 world)
« Reply #46 on: 23 / July / 2017, 17:45:14 »
I added some developer documentation for finsig_thumb2 http://chdk.wikia.com/wiki/Finsig_thumb2

It also covers many of the firmware_load_ng functions used by capdis. This isn't done, there are several more areas I plan to cover, including more functions and some general information about how I develop and test matches.

Please let me know if it seems helpful or not, or if there are other areas that would be helpful to document.

I'd like to get to the point where I'm not the only one who can add stuff to finsig_thumb2, but if documentation like this isn't useful, I'll spend my time elsewhere.

IMO really understanding something like this requires actually working with the code, but my hope is that some documentation will make it easier to pick up the basics.
Don't forget what the H stands for.


srsa_4c
Re: finsig and other tools for thumb2 (was Re: chdk in the DIGIC6 world)
« Reply #47 on: 24 / July / 2017, 21:18:48 »
Quote
Please let me know if it seems helpful
It does seem useful, thanks for writing it.


Re: finsig and other tools for thumb2 (was Re: chdk in the DIGIC6 world)
« Reply #48 on: 24 / July / 2017, 23:51:22 »
Quote
I'd like for to get to the point where I'm not the only one who can add stuff to finsig_thumb2, but if documentation like this isn't useful, I'll spend my time elsewhere.
FWIW, I spent quite a bit of time understanding the logic behind the original finsig code when I was working on chdk-pt. I created functions that could be invoked with a button push to let the user find signature matches in the disassembly of their new port. Cool stuff that made me feel good about the code.

I'm pretty much sure nobody used it other than me.

Having said that (depressing) statement,  the future of CHDK will probably be a function of one or two new devs getting onboard and starting work on new things.  So any docs you can create for the rest of us to follow (even if it's only a few of us) are most appreciated.

 
Ported :   A1200    SD940   G10    Powershot N    G16


srsa_4c
Re: finsig and other tools for thumb2 (was Re: chdk in the DIGIC6 world)
« Reply #49 on: 06 / August / 2017, 11:15:16 »
Attached patch adds the ability to identify the Zico blobs (and the function that references them). It's not finished, because I wasn't sure how the info about those blobs should be stored. There's already an array that keeps blob properties, but that seems mostly for blobs that can actually be used for identifying stuff (some utility functions use that array).
The goal would be a list of blobs (and their known properties), extending the existing list in stubs_entry.S. Some software (khm) could then read that list and let the user easily import the blobs appearing there.
Some other blobs might be added later - second ARM, audio/video codec blob(s), etc.

@reyalp
Can you take a look at it and spot if I'm doing anything incorrectly? Those two iter states are somewhat confusing (there's one in fw and there's also 'is').
« Last Edit: 06 / August / 2017, 11:22:54 by srsa_4c »

 
