# Notes about GhidraCan Ghidra be used as an alternative to IDA?- yes: whi

1. # Notes about Ghidra
2.  
3. Can Ghidra be used as an alternative to IDA?
4. - yes: while lacking a debugger it is otherwise very similar in features to a combination of IDA Pro + Hex-Rays Decompiler, which would cost around $4000.
5.  
6. ## Installation
7.  
8. Download from https://ghidra-sre.org
9.  
10. Install it on the host machine. Java 11 is required.
11.  
12. Change MAXMEM setting in ghidraRun command (shell script or .bat) to 4G or more.
13. 2GB (default on 8GB machine) can result in OutOfMemory errors.
14.  
15. ## Get the ROM files
16.  
17. Follow the instructions here https://www.magiclantern.fm/forum/index.php?topic=6785.msg187436#msg187436
18. to create the copied ROM files:
19.  
20. ```./run_canon_fw.sh 77D,firmware="boot=0" -d romcpy```
21.  
22. Stop the emulator with Ctrl-C. A file ```77D/romcpy.sh``` will be created which can be used to create the copies of the ROM0.BIN file.
23.  
24. ## Start Ghidra and create first project
25.  
26. - Execute ```ghidrarun```
27. - Create new project "77D"
28. - Run the CodeBrowser tool
29. - Import ROM0.BIN (or ROM1.BIN - whichever has the main code for your camera)
30. - Format is "RAW Binary"
31. - Select the correct "language": this is the processor architecture
32. - For Digic 7 cameras: ARM Cortex 32 little endian
33. - In options enter name ```rom0``` and base address ```0xe0000000```
34. - This address varies on different models
35. - Magiclantern confusingly uses ROMBASEADDR but this is _not_ a base address,
36. it is the entrypoint.
37. - You can find the base address by looking in ```platform/200D.101/Makefile.platform.default```
38. for a line like ```ROMBASEADDR = 0xE0040000``` and masking out the low bits
39. - _Important_ Do not run the analyzer yet!
40. - It seems obvious to repeat this for the other ROM files, but this is wrong.
41. A Ghidra "file" represents one memory space, and separate files cannot eg, call code in other files, which we require.
42. - Instead, in the listing for your main ROM, use File -> Add To Program and use Options to set the
43. correct base address for each new file, eg:
44. - ```77D.0x4000.bin``` to 0x4000
45. - ```77D.0xDF002800.bin``` to 0xdf002800
46. - This loads the files into the same address space
47. - Addresses in the 0x40000000 region are mirrored to a lower address with a fixed offset,
48. so these should be imported twice, one at each offset.
49. - ```77D.0x40100000.bin``` to address 0x00100000 and again to 0x40100000
50. - more as required if any of the referenced addresses are missing
51. - TODO: can this be scripted in Ghidra? (yes; Ghidra supports scripting in Java and Python)
52. - You can auto-analyze the file now, but it is very slow and not that reliable (can crash after 8 hours, or never finish)
53. - Finding strings seems useful however, so, select Analysis -> One Shot
54. - -> ASCII Strings
55. - -> Embedded Media
56. - After the analysis is done save the project: File -> Save All
57. - You can now start disassembling
58.  
59. ## Basic Ghidra commands
60.  
61. - "D" disassembles at your cursor. This tries to guess if it's standard ARM or Thumb, and is normally good
62. - "F12" forces Thumb mode, "F11" forces standard ARM
63. - You can "Ctrl-Z" to undo your guess
64. - So if "D" looks bad, you can undo and try both modes manually
65. - "C" unsets code to unknown; this is useful if you notice Ghidra has mistakenly disassembled something
66. that is not code, eg, an array of pointers, or an ASCII string. You can select a region then "C"
67. - "G" jumps to an address or label
68. - "Ctrl-Alt-U" goes to the next undefined byte; useful if "D" worked on a big block and you want to check
69. the end of it
70. - "Alt-leftarrow" goes backwards in your movement history, "Alt-rightarrow" goes forward
71.  
72. ## Start disassembling the bootloader
73.  
74. - Go to address ```0xE0000000```
75. - Press "L" to enter the label "bootloader" to make it easier to return here (e. g. with GoTo command on key "G")
76. - Press "F11" or right click and select "Disassemble ARM"
77.  
78. - Go to address ```0x40100000```
79. - Press "F12" or right click and select "Disassemble Thumb"
80.  
81. - Go to address ```0x00100000```
82. - Press "F12" or right click and select "Disassemble Thumb"
83.  
84. ## Start disassembling the firmware
85.  
86. - Go to address ```0xE0040000``` (or whatever the entrypoint "ROMBASEADDR" is for your camera)
87. - Press "L" to enter the label "firmware_entry", this is the name the ML code uses
88. - Press "D"
89. - Ghidra will analyze all referenced code that it can find, so this will take a while.
90. - Find the stubs.S for your camera, and for every address that looks like a code address,
91. do G, L (set label to stubs name), D
92. - eg for 200D, stubs.S has this line:
93. - NSTUB(0xE00400FD, cstart)
94. - So G 0xe00400fd, L "cstart", D
95. - (this is about 200 labels, so I should really script this...)