finsig and other tools for thumb2 (was Re: chdk in the DIGIC6 world) - page 8 - General Discussion and Assistance - CHDK Forum


reyalp
Re: finsig and other tools for thumb2 (was Re: chdk in the DIGIC6 world)
« Reply #70 on: 02 / December / 2018, 21:46:22 »
Quote
I have a suggestion for a capdis feature:
When disassembling a function partially, it would be nice if capdis could (optionally) add an LDR PC instruction at the end that would point to the next instruction at the routine's original location.
I added an option -jfw which does this in r5134 (yeah, I'm a slacker  :-[)
Don't forget what the H stands for.

srsa_4c
« Reply #71 on: 08 / December / 2018, 18:17:21 »
Quote
I added an option -jfw which does this in r5134
Thanks.
While working on a completely unsupported dump, I've noticed that an unrecognized function listed in find_generic_funcs() prevents the rest of the functions from being used. Did not go as far as finding the piece of code that does this (the code is rather convoluted), but making add_generic_sig_match() return immediately when the first get_saved_sig_val() fails does seem to help.

edit:
patch below does what I wrote above plus fixes two possible memory leaks
Code:
Index: tools/finsig_thumb2.c
===================================================================
--- tools/finsig_thumb2.c (revision 5136)
+++ tools/finsig_thumb2.c (working copy)
@@ -663,10 +663,12 @@
     int k;
 
     char *s = n;
+    int mallocd = 0;
     if (suffix != 0)
     {
         s = malloc(strlen(n) + strlen(suffix) + 1);
         sprintf(s, "%s%s", n, suffix);
+        mallocd = 1;
     }
 
     for (k=0; sig_names[k].name != 0; k++)
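Review bot: the `mallocd` flag only records ownership; the `s = malloc(strlen(n) + strlen(suffix) + 1);` line is still unchecked before `sprintf` writes through it, and the flag does nothing for exit paths this hunk does not show (the loop finishing with no match, or the `// same name, different address` branch). Please confirm `s` is freed on those paths too, otherwise the leak this patch targets is only partly closed; a single cleanup point after the loop would make that hard to miss.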
@@ -677,10 +679,14 @@
             {
                 sig_names[k].val = eadr;
                 sig_names[k].flags |= EV_MATCH;
+                if (mallocd)
+                    free(s);
                 return;
             }
             else if (sig_names[k].val == eadr)     // same name, same address
             {
+                if (mallocd)
+                    free(s);
                 return;
             }
             else // same name, different address
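Review bot: the two `if (mallocd) free(s);` blocks ahead of `return;` in the EV_MATCH and `// same name, same address` branches are safe only while `s` is never kept by `sig_names[k]` (the visible lines store `eadr` and the flag, not the suffixed name); should a later change keep the name, this becomes a use-after-free. Prefer replacing the duplicated free-then-return with a `break` to one cleanup point after the loop, which also covers the `// same name, different address` branch and the no-match fall-through left untouched here.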
@@ -2687,6 +2693,7 @@
 
     for(i=1; i<=64; i++) {
         if (!disasm_iter(fw,is)) {
+            free(blobs);
             return 0;
         }
         if (is->insn->id == ARM_INS_LDR && is->insn->detail->arm.operands[1].type == ARM_OP_MEM) {
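Review bot: `free(blobs);` is added only on the `!disasm_iter(fw,is)` early `return 0;` inside the `for(i=1; i<=64; i++)` loop; any other `return` in the same function (the loop running out after 64 iterations, or returns following the `ARM_INS_LDR` branch) is not shown in this hunk. Please check each of them releases `blobs` as well, or move the release to a single exit, since a partial fix leaves a leak that is harder to spot than none.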
@@ -4228,6 +4235,7 @@
     uint32_t adr=get_saved_sig_val(name);
     if(!adr) {
         printf("add_generic_sig_match: missing %s\n",name);
+        return;
     }
     add_generic_func_match(match_fns,match_fn_count,MAX_GENERIC_FUNCS,fn,adr);
     char veneer[128];
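Review bot: the new `return;` after `printf("add_generic_sig_match: missing %s\n",name);` addresses the reported symptom (one missing reference function no longer disables the remaining generic matches), but the only trace of the skipped match is that stdout line and the function gives the caller nothing to react to. Suggest making the message say that the generic match for this name is being skipped, so a user reading the finsig log understands why the corresponding stub is absent, and adding a comment on the `return;` describing the earlier behaviour for the next reader.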
« Last Edit: 09 / December / 2018, 14:31:15 by srsa_4c »

reyalp
« Reply #72 on: 19 / May / 2019, 00:24:13 »
Quote
While working on a completely unsupported dump, I've noticed that an unrecognized function listed in find_generic_funcs() prevents the rest of the functions from being used. Did not go as far as finding the piece of code that does this (the code is rather convoluted), but making add_generic_sig_match() return immediately when the first get_saved_sig_val() fails does seem to help.

edit:
patch below does what I wrote above plus fixes two possible memory leaks
Oops, I downloaded this when it was posted but neglected to apply it  :-[ Feel free to prod me if it seems like I'm ignoring something, it usually just means I forgot.

Having add_generic_sig_match bail if the reference function doesn't exist makes sense.

Unrelated to that, I added a generic match to find PTP handlers in r5207. They aren't useful directly as stubs, but can be for analysis and finding other functions.

A couple notes:
* Canon sometimes registers the same handler for different opcodes, which creates duplicate addresses in the funcs_by... CSV files. There are already duplicates for _FW, so this doesn't seem like a big deal. It would be kind of nice to prefer the standard name where they are registered for both a standard opcode and Canon extension.
* The names for the Canon extensions come from libgphoto2. I don't know how reliable they are.

I plan to port this to the other sig finders.

srsa_4c
« Reply #73 on: 19 / May / 2019, 16:05:45 »
Quote
Oops, I downloaded this when it was posted but neglected to apply it  :-[ Feel free to prod me if it seems like I'm ignoring something, it usually just means I forgot.
No problem, these were minor issues that did not really affect the output.

srsa_4c
« Reply #74 on: 18 / November / 2020, 13:07:05 »
I have a case where capdis and objdump disagree on their disassembly. I'm trying to get a disassembly of ARM cache manipulation functions, in this example, ixus150 100c.
capdis -c=126 -s=0xFF8201BC PRIMARY.BIN 0xff810000
First 3 instructions from capdis:
Code:
    mrs     r3, apsr
    orr     r0, r3, #0xc0
    msr     cpsr_fsxc, r0
From objdump:
Code:
   mrs       r3, CPSR
   orr       r0, r3, #0xC0
   msr       CPSR_fsxc, r0
I think objdump is right, APSR would not make sense in that code. Capstone lib is probably version 4, built in May 2019. Am I having a local issue, or is this a bug?

philmoz
« Reply #75 on: 18 / November / 2020, 16:26:36 »
https://developer.arm.com/documentation/dui0489/c/arm-and-thumb-instructions/miscellaneous-instructions/mrs?lang=en
Quote
CPSR deprecated synonym for APSR and for use in Debug state

GCC generates identical code for 'mrs r0, cpsr' and 'mrs r0, apsr'

Phil.

CHDK ports:
  sx30is (1.00c, 1.00h, 1.00l, 1.00n & 1.00p)
  g12 (1.00c, 1.00e, 1.00f & 1.00g)
  sx130is (1.01d & 1.01f)
  ixus310hs (1.00a & 1.01a)
  sx40hs (1.00d, 1.00g & 1.00i)
  g1x (1.00e, 1.00f & 1.00g)
  g5x (1.00c, 1.01a, 1.01b)
  g7x2 (1.01a, 1.01b, 1.10b)

srsa_4c
« Reply #76 on: 18 / November / 2020, 17:13:22 »
Quote
CPSR deprecated synonym for APSR and for use in Debug state
That's quite confusing to me. How could (the term) CPSR be deprecated if APSR only holds the always-accessible status flags? Deprecation is also not mentioned here. I guess I'm probably misunderstanding something.
Quote
GCC generates identical code for 'mrs r0, cpsr' and 'mrs r0, apsr'
If that's so, then there's probably not much that could be done (how would the disassembler know the processor mode?). Of course we know that the Powershot firmware uses supervisor mode by default, but hardcoding that into a disassembler is probably not a good idea.

philmoz
« Reply #77 on: 18 / November / 2020, 17:29:58 »
I think it's only deprecated for the 'mrs' instruction.

The generated code is the same, the actual operation depends on processor mode at runtime.

Phil.

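As an added illustration of Phil's point (example code written here, not from capdis, Capstone or objdump): a decoder for the three A32 words behind the listing above, which shows that the MRS word has no bit saying apsr or cpsr, so both tools print the same encoding faithfully, while the ORR immediate 0xC0 sets the I and F bits that only a privileged CPSR write can change. The words 0xE10F3000, 0xE38300C0 and 0xE12FF000 are constructed from the standard A32 encodings of `mrs r3, cpsr`, `orr r0, r3, #0xc0` and `msr cpsr_fsxc, r0`, not taken from the dump, and the struct and function names are this example's own.

```c
#include <stdint.h>
#include <string.h>

#define CPSR_F    (1u << 6)   /* FIQ disable: control field, CPSR only */
#define CPSR_I    (1u << 7)   /* IRQ disable: control field, CPSR only */
#define CPSR_MODE 0x1Fu       /* processor mode bits, control field */

typedef struct {
    const char *mnem;   /* "mrs", "orr" or "msr" */
    int rd, rn;         /* registers, -1 when the form has none */
    uint32_t imm;       /* ORR: expanded rotated 8-bit immediate */
    int spsr;           /* MRS/MSR R bit: 1 = SPSR, 0 = CPSR (alias APSR) */
    char fields[5];     /* MSR: which of "fsxc" the write covers */
} psr_insn;

static uint32_t ror32(uint32_t v, unsigned n) {
    n &= 31;
    return n ? (v >> n) | (v << (32 - n)) : v;
}

/* Decode the three A32 forms used in the listing (assumed standard encodings).
 * Returns 1 and fills *out on a match, 0 for anything else. */
int decode_psr_insn(uint32_t w, psr_insn *out) {
    memset(out, 0, sizeof *out);
    out->rd = out->rn = -1;
    if ((w & 0x0FBF0FFF) == 0x010F0000) {          /* MRS Rd, CPSR|SPSR */
        out->mnem = "mrs"; out->rd = (w >> 12) & 0xF;
        out->spsr = (w >> 22) & 1;                 /* no bit distinguishes apsr from cpsr */
        return 1;
    }
    if ((w & 0x0FE00000) == 0x03800000) {          /* ORR Rd, Rn, #imm12 */
        out->mnem = "orr"; out->rd = (w >> 12) & 0xF; out->rn = (w >> 16) & 0xF;
        out->imm = ror32(w & 0xFF, 2 * ((w >> 8) & 0xF));
        return 1;
    }
    if ((w & 0x0FB0FFF0) == 0x0120F000) {          /* MSR CPSR_<fields>, Rn */
        int n = 0;
        out->mnem = "msr"; out->rn = w & 0xF; out->spsr = (w >> 22) & 1;
        for (int b = 3; b >= 0; b--)               /* bit 19 = f ... bit 16 = c */
            if (w & (1u << (16 + b))) out->fields[n++] = "cxsf"[b];
        return 1;
    }
    return 0;
}

/* 1 when an immediate sets bits only a privileged CPSR write can change;
 * the APSR view (NZCVQ, GE) never covers these, which is what makes
 * the listing a CPSR operation regardless of the printed register name. */
int imm_touches_control_bits(uint32_t imm) {
    return (imm & (CPSR_I | CPSR_F | CPSR_MODE)) != 0;
}
```

Running decode_psr_insn over the three words and imm_touches_control_bits on the ORR immediate is the check a reader can apply to any other disputed mrs/msr listing.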
