SHARE
TWEET

Untitled

a guest Apr 3rd, 2019 74 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # Notes about Ghidra
  2.  
  3. Can Ghidra be used as an alternative to IDA?
  4. - yes: while lacking a debugger it is otherwise very similar in features to a combination of IDA Pro + Hex-Rays Decompiler, which would cost around $4000.
  5.  
  6. ## Installation
  7.  
  8. Download from https://ghidra-sre.org
  9.  
  10. Install it on the host machine. Java 11 is required.
  11.  
  12. Change MAXMEM setting in ghidraRun command (shell script or .bat) to 4G or more.
  13. 2GB (default on 8GB machine) can result in OutOfMemory errors.
  14.  
  15. ## Get the ROM files
  16.  
  17. Follow the instructions here https://www.magiclantern.fm/forum/index.php?topic=6785.msg187436#msg187436
  18. to create the copied ROM files:
  19.  
  20. ```./run_canon_fw.sh 77D,firmware="boot=0" -d romcpy```
  21.  
  22. Stop the emulator with Ctrl-C. A file ```77D/romcpy.sh``` will be created which can be used to create the copies of the ROM0.BIN file.
  23.  
  24. ## Start Ghidra and create first project
  25.  
  26. - Execute ```ghidrarun```
  27. - Create new project "77D"
  28. - Run the CodeBrowser tool
  29. - Import ROM0.BIN (or ROM1.BIN - whichever has the main code for your camera)
  30.   - Format is "RAW Binary"
  31.   - Select the correct "language": this is the processor architecture
  32.     - For Digic 7 cameras: ARM Cortex 32 little endian
  33.   - In options enter name ```rom0``` and base address ```0xe0000000```
  34.     - This address varies on different models
  35.     - Magiclantern confusingly uses ROMBASEADDR but this is _not_ a base address,
  36.       it is the entrypoint.
  37.     - You can find the base address by looking in ```platform/200D.101/Makefile.platform.default```
  38.       for a line like ```ROMBASEADDR     = 0xE0040000``` and masking out the low bits
  39.   - _Important_ Do not run the analyzer yet!
  40. - It seems obvious to repeat this for the other ROM files, but this is wrong.
  41.   A Ghidra "file" represents one memory space, and separate files cannot eg, call code in other files, which we require.
  42. - Instead, in the listing for your main ROM, use File -> Add To Program and use Options to set the
  43.   correct base address for each new file, eg:
  44.   - ```77D.0x4000.bin``` to 0x4000
  45.   - ```77D.0xDF002800.bin``` to 0xdf002800
  46. - This loads the files into the same address space
  47. - Addresses in the 0x40000000 region are mirrored to a lower address with a fixed offset,
  48.   so these should be imported twice, one at each offset.
  49.   - ```77D.0x40100000.bin``` to address 0x00100000 and again to 0x40100000
  50.   - more as required if any of the referenced addresses are missing
  51.   - TODO: can this be scripted in Ghidra? (yes; Ghidra supports scripting in Java and Python)
  52. - You can auto-analyze the file now, but it is very slow and not that reliable (can crash after 8 hours, or never finish)
  53. - Finding strings seems useful however, so, select Analysis -> One Shot
  54.   - -> ASCII Strings
  55.   - -> Embedded Media
  56. - After the analysis is done save the project: File -> Save All
  57. - You can now start disassembling
  58.  
  59. ## Basic Ghidra commands
  60.  
  61. - "D" disassembles at your cursor.  This tries to guess if it's standard ARM or Thumb, and is normally good
  62. - "F12" forces Thumb mode, "F11" forces standard ARM
  63. - You can "Ctrl-Z" to undo your guess
  64.   - So if "D" looks bad, you can undo and try both modes manually
  65. - "C" unsets code to unknown; this is useful if you notice Ghidra has mistakenly disassembled something
  66.   that is not code, eg, an array of pointers, or an ASCII string.  You can select a region then "C"
  67. - "G" jumps to an address or label
  68. - "Ctrl-Alt-U" goes to the next undefined byte; useful if "D" worked on a big block and you want to check
  69.   the end of it
  70. - "Alt-leftarrow" goes backwards in your movement history, "Alt-rightarrow" goes forward
  71.  
  72. ## Start disassembling the bootloader
  73.  
  74. - Go to address ```0xE0000000```
  75. - Press "L" to enter the label "bootloader" to make it easier to return here (e. g. with GoTo command on key "G")
  76. - Press "F11" or right click and select "Disassemble ARM"
  77.  
  78. - Go to address ```0x40100000```
  79. - Press "F12" or right click and select "Disassemble Thumb"
  80.  
  81. - Go to address ```0x00100000```
  82. - Press "F12" or right click and select "Disassemble Thumb"
  83.  
  84. ## Start disassembling the firmware
  85.  
  86. - Go to address ```0xE0040000``` (or whatever the entrypoint "ROMBASEADDR" is for your camera)
  87. - Press "L" to enter the label "firmware_entry", this is the name the ML code uses
  88. - Press "D"
  89. - Ghidra will analyze all referenced code that it can find, so this will take a while.
  90. - Find the stubs.S for your camera, and for every address that looks like a code address,
  91.   do G, L (set label to stubs name), D
  92. - eg for 200D, stubs.S has this line:
  93.   - NSTUB(0xE00400FD,  cstart)
  94.   - So G 0xe00400fd, L "cstart", D
  95. - (this is about 200 labels, so I should really script this...)
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top