Is Xtensa the main architecture of DRYOS?

t26959839

4

Is Xtensa the main architecture of DRYOS?

« on: 14 / May / 2020, 13:20:12 »

Advertisements

I access DRYOS of the printer shell(Serial port UART)

Use command XD to get binary code(00000000-00ffffff & ff000000-ffffffff & f8400000-f8700000)

Did not find some keyword strings, such as gaonisoyP

If the ROM address cannot be determined, I directly use ghidra arm v7 reverse engineering
(00000000-00ffffff & ff000000-ffffffff & f8400000-f8700000)

I downloaded the firmware update files Disassemble into srecode

The firmware update file is found and the data is stored in 0XF8400000-0XF8700000

I want to find the signal communication between the ink cartridge and the printer

Some USB transfers currently known are transferred to the computer at 0x000358b4(INK status)

Currently using ADI reverse Xtensa 0x00000000-0X00ffffff

Is Xtensa the main architecture of DRYOS?

If not, does anyone currently know what he is doing

If there is something that is not doing well, please tell me I will improve it

binary is too big to upload, if you need it, please tell me that I can send it to you
(0X00000000-0x00FFFFFF 16.384KB )
(0xf8400000-f8700000 4096KB)
(0XFF000000-0xFFFFFFFF 16.384KB )

STR_UART_CMD_mkcfg.rar (573.93 kB - downloaded 38 times.)

Logged

srsa_4c

4451

Re: Is Xtensa the main architecture of DRYOS?

« Reply #1 on: 14 / May / 2020, 19:13:02 »

DryOS is an operating system (RTOS) that is ported to several processor architectures.
I'm afraid the only common point between our cameras and your printer is that both run DryOS. Every other software part is developed by different teams. gaonisoy is a "magic" used in DryOS based Powershots.

Whether the ASIC/chipset in your printer contains one or more CPUs is up to you to find out. One of your strings is DRYOS version 2.3, release #0049+SMP, so you might have more than one Xtensa cores in a symmetric multiprocessing setup, running the same DryOS instance.
If you can find more such strings in the firmware, then there's a good chance that there are other CPUs.
You can share files via https://filebin.net/ for example.

Here's another printer reversing effort.

Note that "ADI" only has a dumb disassembler that does not know what's data and what's code. If you see code and string references in disassembly, then you likely have the right blobs loaded to the right addresses.

Logged

t26959839

4

Re: Is Xtensa the main architecture of DRYOS?

« Reply #2 on: 17 / May / 2020, 05:03:09 »

Now I use ghidra for Xtensa analysis, which is convenient for my work.

Thank you for your help. The information is very useful to me and I am trying.

I uploaded the binary code here.

https://filebin.net/bftpgd9z4om2kn4e

If you are interested in this information, please analyze it.

thank you all .

Logged

srsa_4c

4451

Re: Is Xtensa the main architecture of DRYOS?

« Reply #3 on: 17 / May / 2020, 08:25:25 »

Quote from: t26959839 on 17 / May / 2020, 05:03:09

I uploaded the binary code here.

That shows more.
I see lots of ARM/Thumb code in those blobs. In fact, all of them start with such code, which makes me think that the main core is ARM. The Xtensa part is most likely in one or more blobs. I'd guess the main ARM core loads them to appropriate parts of RAM then it starts the Xtensa core(s).
I see startup code on the ARM side that I've encountered before, in a phone firmware's scatter loader. So, it would seem that only the Xtensa processor(s) run DryOS, the rest is something else.

edit, edit2:
ARM starts at 0xffff0000 and is likely an ARMv5T variant, possibly with MMU. It appears to run a variant of the ITRON RTOS. Do the ARM/Thumb disassembly first then get dumps from memory ranges that are referenced from ARM.
Note that whereever the Xtensa code/data is located in the - presumably - common address space, the Xtensa side likely uses different addressing for its code/data areas.

Quote

Now I use ghidra for Xtensa analysis, which is convenient for my work.

Have you found Xtensa processor module for Ghidra that targets cores more advanced than the lx106 (the one in esp8266)? The Xtensa in your printer is definitely not lx106.

« Last Edit: 18 / May / 2020, 11:51:07 by srsa_4c »

Logged

t26959839

4

Re: Is Xtensa the main architecture of DRYOS?

« Reply #4 on: 19 / May / 2020, 12:41:54 »

srsa_4c Thank you very much for your analysis

I see startup code on the ARM side that I've encountered before, in a phone firmware's scatter loader. So, it would seem that only the Xtensa processor(s) run DryOS, the rest is something else.

I know this is wrong, but I still want to know the address of the area
If you can, please tell me the beginning of the area
thanks

ARM starts at 0xffff0000 and is likely an ARMv5T variant, possibly with MMU. It appears to run a variant of the ITRON RTOS. Do the ARM/Thumb disassembly first then get dumps from memory ranges that are referenced from ARM.

Yes, there is a string ITRON4.0 inside, but I do n’t know where he works.
I will try to analyze the address ffff0000 and dump.

Have you found Xtensa processor module for Ghidra that targets cores more advanced than the lx106 (the one in esp8266)? The Xtensa in your printer is definitely not lx106.

I searched ghidra xtensa from google, but I think it should not be what you want
I downloaded ghidra Xtensa here

Logged

srsa_4c

4451

Re: Is Xtensa the main architecture of DRYOS?

« Reply #5 on: 19 / May / 2020, 17:38:31 »

Quote from: t26959839 on 19 / May / 2020, 12:41:54

I know this is wrong, but I still want to know the address of the area

I don't see it. I see Xtensa code starting around 0x2a36ec (look for hex byte sequences 1d f0 00, 36 41 00), but the start of that Xtensa code blob is somewhat earlier. These blobs often have pointers at their start (32 bit ones, little endian, 32-bit aligned). Functions (as far as I recall) also start at 32-bit aligned addresses. Some of those pointers can be function pointers. Candidate areas are 0x40000000... and possibly more, look backwards from 0x2a36ec.
0x2a36ec is very likely not the Xtensa-side address.

Quote

I will try to analyze the address ffff0000 and dump.

Include the other binaries in the project as all have ARM/Thumb code.

Quote

I searched ghidra xtensa from google, but I think it should not be what you want
I downloaded ghidra Xtensa here

Link is wrong, but if you used one of the first google hits, those are likely lx106-specific and will probably not recognize instructions like retw.n, call8, callx8, entry, ... .

Logged

t26959839

4

Re: Is Xtensa the main architecture of DRYOS?

« Reply #6 on: 19 / May / 2020, 22:25:29 »

srsa_4c

I updated the link
https://github.com/yath/ghidra-xtensa

Thank you for your reply

Logged

Subject / Started by	Replies	Last post
What's your main CHDK camera? Started by a710is General Chat	8 Replies 7406 Views	by a710is
Ability to increase main menu font size included in a build Started by bob c Feature Requests	2 Replies 7700 Views	by bob c
increase the window a main menu Started by alexkur Feature Requests	1 Replies 4123 Views	by PhyrePhoX
Using SD Override from Main Menu. Started by stagdriver General Discussion and Assistance	7 Replies 4543 Views	by stagdriver
Need help: SX530HS, loaded CHDK 1.5.0, main screen keeps flickering Started by ju1234 General Help and Assistance on using CHDK stable releases	6 Replies 5849 Views	by reyalp