I found many strings that are 0x0-terminated and padded with 0x0 to a 4-byte boundary, but also strings terminated by only a single 0x0. The only thing we are missing is the insert: "GetCurrentAvValue":ffb114a1 blahblah ...
Ah, I also wrote a stubs2diss.pl. Does anyone want it?
Hmm, this does not answer my question... or I must ask more precisely: what does it do? It is called from many interesting functions, e.g. while putting acid on a diskboot.bin. So IDA has no idea about "sub_FFAA4C98" either.
ffaa4c98 sub_FFAA4C98:
ffaa4c98 Cond = R2 - 0x20;
ffaa4c98 R2 = R2 - 0x20;
ffaa4c9c /* push LR */
ffaa4c9c /* push R4 */
ffaa4ca0 if (Cond < 0) goto loc_FFAA4CBC;
ffaa4ca4 loc_FFAA4CA4:
ffaa4ca4 /* Low-level instruction of type 33 */
ffaa4ca8 /* Low-level instruction of type 34 */
ffaa4cac /* Low-level instruction of type 33 */
ffaa4cb0 /* Low-level instruction of type 34 */
ffaa4cb4 Cond = R2 - 0x20;
ffaa4cb4 if (Cond < 0) goto loc_FFAA4CB8;
ffaa4cb4 R2 = R2 - 0x20;
ffaa4cb8 loc_FFAA4CB8:
ffaa4cb8 if (Cond >= 0) goto loc_FFAA4CA4;
ffaa4cbc loc_FFAA4CBC:
ffaa4cbc Cond = R2 << 0x1c;
ffaa4cc0 /* Low-level instruction of type 33 */
ffaa4cc4 /* Low-level instruction of type 34 */
ffaa4cc8 /* Low-level instruction of type 33 */
ffaa4ccc /* Low-level instruction of type 34 */
ffaa4cd0 Cond = R2 << 0x1e;
ffaa4cd4 /* pop */
ffaa4cd4 /* pop LR */
ffaa4cd8 if (Cond < 0) goto loc_FFAA4CDC;
ffaa4cd8 R3 = * (R1 + 4);
ffaa4cdc loc_FFAA4CDC:
ffaa4cdc if (Cond < 0) goto loc_FFAA4CE0;
ffaa4cdc * (R0 + 4) = R3;
ffaa4ce0 loc_FFAA4CE0:
ffaa4ce0 if (Cond != 0) goto loc_FFAA4CE4;
ffaa4ce0 R0 = LR(R0, R1, R2, R3);
ffaa4ce4 loc_FFAA4CE4:
ffaa4ce4 loc_FFAA4CE4:
ffaa4ce4 Cond = R2 << 0x1f;
ffaa4ce4 R2 = R2 << 0x1f;
ffaa4ce8 if (Cond >= 0) goto loc_FFAA4CEC;
ffaa4ce8 R2 = * (R1 + 1);
ffaa4cec loc_FFAA4CEC:
ffaa4cec if (Cond < 0) goto loc_FFAA4CF0;
ffaa4cec R3 = * (R1 + 1);
ffaa4cf0 loc_FFAA4CF0:
ffaa4cf0 if (Cond < 0) goto loc_FFAA4CF4;
ffaa4cf0 R12 = * (R1 + 1);
ffaa4cf4 loc_FFAA4CF4:
ffaa4cf4 if (Cond >= 0) goto loc_FFAA4CF8;
ffaa4cf4 * (R0 + 1) = R2;
ffaa4cf8 loc_FFAA4CF8:
ffaa4cf8 if (Cond < 0) goto loc_FFAA4CFC;
ffaa4cf8 * (R0 + 1) = R3;
ffaa4cfc loc_FFAA4CFC:
ffaa4cfc if (Cond < 0) goto loc_FFAA4D00;
ffaa4cfc * (R0 + 1) = R12;
Quote from: chr on 10 / August / 2008, 13:47:02
Ah, I also wrote a stubs2diss.pl Anyone wants it?
umm... well... _o/
NSTUB(opendir, 0xffa0c0a8):
ffa0c0a8: e92d4070 stmdb sp!, {r4, r5, r6, lr}
ffa0c0ac: e1a05000 mov r5, r0
ffa0c0b0: e3a00014 mov r0, #20 ; 0x14
ffa0c0b4: ebf87130 bl ff82857c <PT_AllocateMemory -1981240>
ffa0c0b8: e1b04000 movs r4, r0
ffa0c0bc: 03a01059 moveq r1, #89 ; 0x59
ffa0c0c0: 028f0e26 addeq r0, pc, #608 ; ffa0c328: (64616552) *"ReadFDir.c"
ffa0c0c4: 0bf83f3b bleq ff81bdb8 <DebugAssert -2032396>
ffa0c0c8: e3e00000 mvn r0, #0 ; 0x0
ffa0c0cc: e5840000 str r0, [r4]
ffa0c0d0: e3a00902 mov r0, #32768 ; 0x8000
ffa0c0d4: ebf87155 bl ff828630 <AllocateUncacheableMemory -1981092>
ffa0c0d8: e3a01902 mov r1, #32768 ; 0x8000
ffa0c0dc: e9840003 stmib r4, {r0, r1}
ffa0c0e0: e3a01000 mov r1, #0 ; 0x0
ffa0c0e4: e3500000 cmp r0, #0 ; 0x0
ffa0c0e8: e584100c str r1, [r4, #12]
ffa0c0ec: e5841010 str r1, [r4, #16]
ffa0c0f0: 03a01060 moveq r1, #96 ; 0x60
ffa0c0f4: 028f0f8b addeq r0, pc, #556 ; ffa0c328: (64616552) *"ReadFDir.c"
ffa0c0f8: 0bf83f2e bleq ff81bdb8 <DebugAssert -2032448>
ffa0c0fc: e3a02f49 mov r2, #292 ; 0x124
ffa0c100: e3a01000 mov r1, #0 ; 0x0
ffa0c104: e1a00005 mov r0, r5
ffa0c108: ebf85f47 bl ff823e2c <Open -1999580>
ffa0c10c: e3700001 cmn r0, #1 ; 0x1
ffa0c110: e5840000 str r0, [r4]
...
ff85f0ac: e3100001 tst r0, #1 ; 0x1
ff85f0b0: 0a000004 beq ff85f0c8 <_binary_dump_bin_start+0x4f0c8 +24>
ff85f0b4: e59f1290 ldr r1, [pc, #656] ; ff85f34c: (00000186)
ff85f0b8: e28f0e27 add r0, pc, #624 ; ff85f330: (6f4d7353) *"SsMovieRec.c"
ff85f0bc: ebfef33d bl ff81bdb8 <DebugAssert -275204>
ff85f0c0: e28dd038 add sp, sp, #56 ; 0x38
ff85f0c4: e8bd81f0 ldmia sp!, {r4, r5, r6, r7, r8, pc}
ff85f0c8: e5940004 ldr r0, [r4, #4]
ff85f0cc: e3a03004 mov r3, #4 ; 0x4
ff85f0d0: e28d2030 add r2, sp, #48 ; 0x30
ff85f0d4: e3a0102b mov r1, #43 ; 0x2b
ff85f0d8: eb003851 bl ff86d224 <_binary_dump_bin_start+0x5d224 +57676>
ff85f0dc: eb0082a0 bl ff87fb64 <_binary_dump_bin_start+0x6fb64 +133768>
ff85f0e0: e1dd13d4 ldrsb r1, [sp, #52]
ff85f0e4: e1500001 cmp r0, r1
ff85f0e8: 03a07000 moveq r7, #0 ; 0x0
ff85f0ec: 0a00000a beq ff85f11c <_binary_dump_bin_start+0x4f11c +48>
"tst r0, #1 \n" // ; 0x1
"BEQ loc_FF85F0C8 \n"
"ldr r1, =0x00000186 \n"
"loc_FF85F0B8:\n"
"ldr r0, =0xff85f330 \n" // ; (6f4d7353) *"SsMovieRec.c"
"BL sub_FF81BDB8 \n" // <DebugAssert -275204>
"loc_FF85F0C0:\n"
"add sp, sp, #56 \n" // ; 0x38
"ldmia sp!, {r4, r5, r6, r7, r8, pc} \n"
"loc_FF85F0C8:\n"
"ldr r0, [r4, #4] \n"
"mov r3, #4 \n" // ; 0x4
"add r2, sp, #48 \n" // ; 0x30
"mov r1, #43 \n" // ; 0x2b
"BL sub_FF86D224 \n"
"BL sub_FF87FB64 \n"
"ldrsb r1, [sp, #52] \n"
"cmp r0, r1 \n"
"moveq r7, #0 \n" // ; 0x0
"BEQ loc_FF85F11C \n"
On the GPL Qemu - CHDK Wiki page, Dissass (chr?) wrote: "Prerequisites: have a raw firmware dump and an elf packed version of it. I use ixus860is.dump and isus860is_dump.elf here."
How do I create / convert a binary firmware dump to ELF? I have never used qemu before... Sorry.
Oops, sorry! I bugfixed the wiki: GPL Qemu - CHDK Wiki
(gdb) symbol-file dump.bin.elf
Reading symbols from /home/foo/canon_ixus900_sd900_100c/dump.bin.elf...(no debugging symbols found)...done.
No function contains program counter for selected frame.
dump.bin.elf: file format elf32-littlearm
dump.bin.elf
architecture: arm, flags 0x00000010:
HAS_SYMS
start address 0xff810000
private flags = 0: [APCS-32] [FPA float format]

Sections:
Idx Name Size VMA LMA File off Algn
 0 .data 0036a640 ff810000 ff810000 00000034 2**0
 CONTENTS, CODE
SYMBOL TABLE:
ff810000 l d .data 00000000
ff810000 g .data 00000000 _binary_dump_bin_start
ffb7a640 g .data 00000000 _binary_dump_bin_end
0036a640 g *ABS* 00000000 _binary_dump_bin_size
(gdb) symbol-file dump.bin.elf
Sections:
Idx Name Size VMA LMA File off Algn
 0 .data 0036a640 ff810000 ff810000 00000034 2**0
 CONTENTS, CODE
(gdb) symbol-file dump.bin.elf
Sections:
Idx Name Size VMA LMA File off Algn
 0 .data 0036a640 ff810000 ff810000 00000034 2**0
 CONTENTS, CODE
What does "No function contains program counter for selected frame." mean?
(gdb) restore ../chdk.trunk/bin/DISKBOOT.BIN binary 0x1900
Restoring binary file ../chdk.trunk/bin/DISKBOOT.BIN into memory (0x1900 to 0x2ec04)
(gdb) b *0x1900
Breakpoint 2 at 0x1900
(gdb) j *0x1900
Continuing at 0x1900.
No function contains program counter for selected frame.
(gdb) add-symbol-file ../chdk.trunk/loader/ixus80_sd1100/main.elf 0x1900
add symbol table from file "../chdk.trunk/loader/ixus80_sd1100/main.elf" at .text_addr = 0x1900
(y or n)
Reading symbols from /home/turboB/Softw/ixus/chdk.trunk/loader/ixus80_sd1100/main.elf...(no debugging symbols found)...done.
(gdb) x/16i $pc
0x1900 <link_text_start>: ldr r3, [pc, #32] ; 0x1928 <link_text_start+40>
0x1904 <link_text_start+4>: mov r2, #68 ; 0x44
0x1908 <link_text_start+8>: str r2, [r3]
0x190c <link_text_start+12>: mov r3, #32768 ; 0x8000
0x1910 <link_text_start+16>: sub r3, r3, #1 ; 0x1
0x1914 <link_text_start+20>: cmp r3, #0 ; 0x0
0x1918 <link_text_start+24>: bne 0x1910 <link_text_start+16>
0x191c <link_text_start+28>: mov sp, #6400 ; 0x1900
0x1920 <link_text_start+32>: mov r11, #0 ; 0x0
0x1924 <link_text_start+36>: b 0x192c <my_restart>
0x1928 <link_text_start+40>: eorgt r0, r2, r8, asr #32
0x192c <my_restart>: mov r0, #0 ; 0x0
0x1930 <my_restart+4>: mov r1, r0
---Type <return> to continue, or q <return> to quit---
b *0x50000 <- RERESTART
c
Breakpoint 2, 0x00050000 in ?? ()
add-symbol-file ../chdk.trunk/loader/ixus80_sd1100/resetcode/main.elf 0x50000
add symbol table from file "../chdk.trunk/loader/ixus80_sd1100/resetcode/main.elf" at .text_addr = 0x50000
(y or n)
Reading symbols from /home/turboB/Softw/ixus/chdk.trunk/loader/ixus80_sd1100/resetcode/main.elf...(no debugging symbols found)...done.
(gdb) x/16i 0x50000
0x50000 <link_text_start>: mov sp, #6400 ; 0x1900
0x50004 <link_text_start+4>: mov r11, #0 ; 0x0
0x50008 <link_text_start+8>: b 0x5000c <copy_and_restart>
0x5000c <copy_and_restart>: cmp r1, r0
0x50010 <copy_and_restart+4>: mov r12, r0
0x50014 <copy_and_restart+8>: bcs 0x50054 <copy_and_restart+72>
0x50018 <copy_and_restart+12>: add r3, r1, r2
0x5001c <copy_and_restart+16>: cmp r0, r3
0x50020 <copy_and_restart+20>: movcc r0, r3
0x50024 <copy_and_restart+24>: addcc r1, r12, r2
0x50028 <copy_and_restart+28>: bcc 0x50038 <copy_and_restart+44>
0x5002c <copy_and_restart+32>: b 0x50054 <copy_and_restart+72>
0x50030 <copy_and_restart+36>: ldrb r3, [r0, #-1]!
(gdb) restore ../chdk.trunk/core/main.elf
Restoring section .text (0xbff60 to 0xeb8a4)
Restoring section .data (0xeb8a4 to 0xed0a8)
(gdb) add-symbol-file ../chdk.trunk/core/main.elf 0xbff60
(gdb) p boot
$5 = {<text variable, no debug info>} 0xd5974 <boot>
(gdb) j boot
Hmm, I compared with my file. I got: CONTENTS, ALLOC, LOAD, CODE
print "create elf file\n";
`$objcopy --change-addresses=$offset -I binary -O elf32-littlearm -B arm $binfile $binfile.elf`;
`$objcopy --set-section-flags .data=load $binfile.elf`;   <--- ADDED THIS
`$objcopy --set-section-flags .data=code $binfile.elf`;
Pain in the ase!
Are you going to run the CHDK boot in qemu?