An incomplete list of open items. Mostly to get my own thoughts in order, but if anyone has suggestions or wants to work on a particular part feel free to chime in. I will have less time to work on this with the ending, but will continue to chip away on it as I work on the g7x port.
ARM support/thumb:
Currently, the firmware_load_ng.c only operates in either ARM or Thumb mode. findsig_thumb2 essentially assumes everything is thumb. Following calls requires supporting both. As far as I can tell, capstone requires separate handles for ARM and thumb.
Matching:
I stripped out a lot of stuff just to get something running
* Unlike the old sig finder, finsig_thumb2 has not concept of multiple or partial matches. It just stuffs the most recent one in func_names. It also doesn't report the match method
* Finding things the current match depends on. In the old sig finder, get_saved_sig will run the find func for for the named function if there it isn't already found.
* Better finding of code refs. Because disassembly is relatively expensive, scanning the whole firmware multiple times for e.g. branches targets constant refs isn't viable. I've been thinking about an initial scan that looks for all the b, bl, blx, adr, ldr etc and puts them in easily searchable arrays. For backtracking this would need to store some address or instruction size history, or some way of syncing up disassembly e.g backtrack X words, try to disassemble, see if you get valid instructions and end up on the same thing the references was from, if not adjust by half word, try again.
Find more stuff:
Enough code should be in place to write matches for specific functions and useful constants.
Mode map checking etc should be re-added.
Test / add support for additional cameras.
* I made a zip with a dummy platform trees for the D6 cams I have dumps for, and script to run the new sig finder on all of them
https://app.box.com/s/v4y9wn172drai63lx76gkliw9it3rq8p (note I've assumed all the ROMs start at FC000000). I haven't spent much time looking at the results yet.
* The additional copied RAM area srsa noted looks like it might be important, e.g. for g5x
add_event_proc: CreateCountingSemaphore disassembly failed at 0xbfe15351
At this point should probably have generic way of dealing with multiple RAM/ROM regions
capdis
* Load known function names from csv, use in listing
* Show string refs
* Eventually get it to the point where it can be used on a whole firmware, like thumb2dis.pl
codegen:
It should be possible to re-use a lot of the capdis code. Would be nice to refactor the processing / parsing code such that old and new codgen don't duplicate too much. I will probably hold off working on this until the firmware_load and capdis code are more mature.
