wrote a disassembler for firmware blobs
Holger Schurig
hs4233 at mail.mn-solutions.de
Mon Oct 8 07:20:34 EDT 2007
Hi !
I wrote a small disassembler for Libertas' firmware blobs. Unlike
objdump, it can cope with alternating sections of 32bit code,
thumb code and data areas ... but one has to tell the disassembler
about this by adding tags into the annotated disassembly:
$ adiss libertas_cs_helper.fw a.ann
$ cat a.ann
.code
00000000: ea000003 b 0x00000014
00000004: 00000000 andeq r0, r0, r0
00000008: 00000000 andeq r0, r0, r0
0000000c: 00000000 andeq r0, r0, r0
00000010: 00000000 andeq r0, r0, r0
00000014: e59f0048 ldr r0, [pc, #72] ; 0x00000064
00000018: ee010f10 mcr 15, 0, r0, cr1, cr0, {0}
0000001c: e3e00000 mvn r0, #0 ; 0x0
00000020: e59f1040 ldr r1, [pc, #64] ; 0x00000068
Now I open "a.ann" in an editor and add ...
* ".data" before 00000004
* ".code" before 00000014
and rerun adiss:
$ adiss libertas_cs_helper.fw a.ann
$ head -n10 a.ann
.code
00000000: ea000003 b 0x00000014
.data
00000004: .word 0x00000000
00000008: .word 0x00000000
0000000c: .word 0x00000000
00000010: .word 0x00000000
.code
00000014: e59f0048 ldr r0, [pc, #72] ; 0x00000064
00000018: ee010f10 mcr 15, 0, r0, cr1, cr0, {0}
You can see, it is clearly not IDA PRO, but a usable tool.
Because I used libopcodes as a basis, the tool is GPL.
It understands these annotations:
.data         32 bit data
.code         32 bit code or 32 bit "thumb32"
.thumb        16 bit thumb code
; comment     any comment
.label BLAH   any label
Every run of "adiss <blob> <annotation-file>" will keep them, so
you can keep adding comments, sections, etc. and worm your way
through the code. This way I found
* several Thumb-Non-Thumb trampolines
* something that might resemble a big CASE statement, maybe for
interpreting the "CmdCode" of a command request?
* some ASCII-Strings from a C runtime
I have about 150 annotations so far. For now, I can't publish
them, because they are directly inside the assembly listing.
Neither the firmware blob nor the file from where I extracted
the firmware blob bears a copyright message, so AFAIK according
to German law I could re-publish it. But because IANAL, I won't
publish that. Instead, I'll extend adiss so that it can "export"
the annotations, so anybody can use fwcutter to get the
firmware, and create his own (dis)assembly listing instead.
See http://projects.linuxtogo.org/scm/?group_id=24 for a note on
how to get the source.
Patches welcome :-)
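Added example, not adiss itself (whose instruction decoder is libopcodes): a small Python model of the annotation round trip the post describes. It re-parses a listing for the tags, comments and labels that precede each address, walks the blob in the unit size of the current section (4 bytes for `.code`/`.data`, 2 for `.thumb`), and re-emits every annotation in front of its line, so running it again on its own output reproduces the annotations. The blob bytes, the little-endian word order and the one-instruction `decode_arm` stand-in are constructed assumptions.

```python
import re
import struct

# Constructed sample: the first seven words of the post's listing, packed as
# little-endian ARM words (an assumption; the real blob is not on the page).
BLOB = struct.pack("<7I", 0xEA000003, 0, 0, 0, 0, 0xE59F0048, 0xEE010F10)
LISTING_LINE = re.compile(r"^([0-9a-f]{8}):")
UNIT = {".code": 4, ".thumb": 2, ".data": 4}   # bytes consumed per listing line

def parse_annotations(text):
    """Non-listing lines (tags, '; comments', '.label'), keyed by the address they precede."""
    tags, pending = {}, []
    for line in text.splitlines():
        m = LISTING_LINE.match(line)
        if m:
            tags[int(m.group(1), 16)], pending = pending, []
        elif line.strip():
            pending.append(line)
    if pending:
        tags[None] = pending            # annotations after the last line
    return tags

def decode_arm(addr, word):
    """Stand-in for libopcodes: decodes only an unconditional ARM 'b'."""
    if word >> 28 == 0xE and word & 0x0F000000 == 0x0A000000:
        off = word & 0x00FFFFFF
        return "b 0x%08x" % (addr + 8 + (off - (off & 0x800000) * 2) * 4)
    return "<insn 0x%x>" % word

def render(blob, ann_text, disasm=decode_arm):
    """Walk the blob, switching decode mode at section tags; re-emit annotations."""
    tags = parse_annotations(ann_text)
    tags.setdefault(0, [".code"])            # a fresh run starts in ARM mode
    out, mode, addr, seen = [], ".code", 0, set()
    while addr < len(blob):
        seen.add(addr)
        for t in tags.get(addr, []):
            out.append(t)
            mode = t.split()[0] if t.split()[0] in UNIT else mode
        size = UNIT[mode]
        word = int.from_bytes(blob[addr:addr + size].ljust(size, b"\0"), "little")
        text = ".word 0x%08x" % word if mode == ".data" else \
            "%0*x %s" % (size * 2, word, disasm(addr, word))
        out.append("%08x: %s" % (addr, text))
        addr += size
    lost = {a for a in tags if a is not None} - seen
    if lost:      # a tag placed mid-unit would otherwise vanish silently
        raise ValueError("annotations not on a line boundary: %s" % sorted(lost))
    return "\n".join(out + tags.get(None, [])) + "\n"
```

A tag whose address is not a line boundary in the current mode is reported rather than dropped, which is the case to watch for when switching between 16 bit and 32 bit sections.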