Prerequisites:

- arm-elf-gcc in your PATH (see Build instructions/550D for how to do that).
- IPython versions 0.11 and 0.12 are not compatible with the current ARM-console; downgrade to 0.10.2.
- At least 4 GB of RAM (or skills to optimize the script). (This is the reason my scripts run 10-100 times faster than in IDAPython: because I've cached lots of stuff in Python dictionaries.)
- Sympy 0.7.1 causes problems when decompiling.

```
sudo apt-get install python python-dev python-scipy python-tk python-profiler graphviz libpng12-dev
sudo apt-get install python-setuptools python-matplotlib
sudo easy_install pydot easygui cheetah ahocorasick profilestats
```

Step by step setting up on OS X 10.6.7 (by coutts).

Prepare a working directory where you will put the input files. Include the load address in the dump name. Some databases, in IDC or Stubs (*.S) format, go in the same folder; try to give them names similar to the dumps, to help the autodetection.

Example of contents of the working folder:

This is the IPython prompt; here you can browse the dumps, find/verify matches between firmware versions, and lots of other cool stuff. If you are new to IPython, be sure to skim this tutorial. If you know how to change it to hex for integers, please leave a message.

You can select the dumps to load with a regex. You will want to assign a short name for each dump. Hint: they are sorted after the bin's file name.

The script will auto-detect IDC files with similar filenames, and load some info from them. You'll have to load stubs (*.S) files manually.

This will try to find function calls and identify functions inside the firmware. I prefer to run it before generating the HTML.

Run this to create a browseable HTML like this example. And when it's ready, open index.html in a webkit-based browser (firefox is too slow, sorry!)

If you want a more thorough analysis of the firmware, like this one, run: A full analysis of ML firmware takes 1-2 minutes. The same analysis for the 550D firmware takes around 1 day, or less if you help me optimize the algorithms :) If you can leave the computer on for a week, just run this to analyze all your dumps.

!!! THE HTML FILES WILL CONTAIN CANON COPYRIGHTED MATERIAL !!! Of course, if you disassemble the Magic Lantern firmware (autoexec.bin), no Canon code will be in the output files.

If you prefer to browse the disassembly in your favorite text editor, just export the disassembly to a file. The format is somewhat similar to the one obtained from CHDK (it uses objcopy/objdump).

Browsing the firmware: IPython console

For quick browsing, use the g magic command, which works somewhat like the G key in IDA:

```
ff0534cc: 159f2108 ldrne r2, 0xff0535dc: pointer to 0x4ce
ff0534d0: 128f10dc addne r1, pc, #220 *'SoundDevice\\SoundDevice_CODEC.c'
ff0534d4: 128f0f41 addne r0, pc, #260 *'!IS_ERROR( TakeSemaphore( m_hSemTask, FOREVER ))'

ff0673f0: e92d41f0 push
ff0673f4: e59f812c ldr r8, 0xff067528: pointer to 0x2b6c
ff067400: e24dd088 sub sp, sp, #136 0x88
```

Main advantage over HTML: easy full-text search. You may search for strings using a regex:

```
ff541dd0: '***** DlgMnPictureStyleDetail.c SetDataToStorage IDC_DPM_FILTER(%d)'
ff541ee0: '***** DlgMnPictureUserDetail.c SetDataToStorage IDC_DPM_FILTER(%d)'
ff1aa558: 'mvrSetDeblockingFilter (alpha = %d, beta = %d)'
ff1aab24: 'mvrSetDefDBFilter (A = %d, B = %d)'
```

Or search for references to some names / values:

```
ff20cbc8: e59f019c ldr r0, 0xff20cd6c: pointer to 0x15094 (additional_version)
ff20cbf8: e59f116c ldr r1, 0xff20cd6c: pointer to 0x15094 (additional_version)
ff1ff22c: 159f0118 ldrne r0, 0xff1ff34c: pointer to 0x15094 (additional_version)
ff3f229c: e59f01f0 ldr r0, 0xff3f2494: pointer to 0x1234
```

From now on, TAB completion and quick help are your friends. The dump object contains all the info about a dump: ROM contents, disassembly, references, function names.
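The `ldr rN, 0x...: pointer to 0x...` lines come from resolving PC-relative loads against the literal pool, which is also what makes a "references to a value" search possible. As an added example (not ARM-console's own code), the script below decodes `LDR Rd, [PC, #±imm12]` from a constructed little-endian dump at an assumed load address, reads the pool word, prints lines in the same format, and builds the value-to-referencing-addresses index:

```python
import struct
from collections import defaultdict

# ARM condition-code suffixes, indexed by the top nibble of the instruction
COND = ["eq", "ne", "cs", "cc", "mi", "pl", "vs", "vc",
        "hi", "ls", "ge", "lt", "gt", "le", "", "nv"]

def decode_pc_ldr(addr, insn):
    """If insn (located at addr) is LDR Rd, [PC, #+/-imm12] (word load),
    return (mnemonic, rd, literal_address); otherwise return None."""
    cond = insn >> 28
    # bits 27..25 = 010 (load/store immediate), P=1, B=0, W=0, L=1, Rn = r15 (pc)
    if cond == 0xF or (insn & 0x0F7F0000) != 0x051F0000:
        return None
    rd = (insn >> 12) & 0xF
    imm = insn & 0xFFF
    add = (insn >> 23) & 1        # U bit: 1 = PC + imm, 0 = PC - imm
    pc = addr + 8                 # PC reads as current address + 8 in ARM state
    return "ldr" + COND[cond], rd, (pc + imm) if add else (pc - imm)

def index_pc_loads(dump, load_addr):
    """Linear sweep over a little-endian ARM dump: for every PC-relative LDR,
    resolve the literal pool entry. Returns (listing_lines, {value: [sites]})."""
    lines, refs = [], defaultdict(list)
    for off in range(0, len(dump) - 3, 4):
        insn = struct.unpack_from("<I", dump, off)[0]
        addr = load_addr + off
        dec = decode_pc_ldr(addr, insn)   # data words can look like code: same heuristic as a linear sweep
        if dec is None:
            continue
        mnem, rd, lit = dec
        pool_off = lit - load_addr
        if not 0 <= pool_off <= len(dump) - 4:
            continue                      # literal lies outside the dump
        value = struct.unpack_from("<I", dump, pool_off)[0]
        lines.append(f"{addr:x}: {insn:08x} {mnem} r{rd}, 0x{lit:x}: pointer to 0x{value:x}")
        refs[value].append(addr)
    return lines, refs

# Constructed sample (assumed load address, not a real dump): 4 instructions, then a 2-word literal pool
LOAD_ADDR = 0xFF010000
SAMPLE_DUMP = struct.pack("<6I",
    0xE59F0008,   # ldr   r0, [pc, #8]   -> literal at 0xff010010
    0x159F1004,   # ldrne r1, [pc, #4]   -> literal at 0xff010010
    0xE1A00000,   # nop (mov r0, r0)
    0xE59F2000,   # ldr   r2, [pc, #0]   -> literal at 0xff010014
    0x00015094,   # pool word referenced by the first two loads
    0x00001234)   # pool word referenced by the third load
```

Calling `index_pc_loads(SAMPLE_DUMP, LOAD_ADDR)` yields three listing lines and an index in which `0x15094` is referenced from `0xff010000` and `0xff010004`; the decoder reproduces the page's own lines, e.g. `e59f019c` at `ff20cbc8` resolves to `0xff20cd6c`.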