Magic Lantern Firmware Wiki

ARM-console Tips / Examples - by: Coutts

Here are some examples of useful things that can be done with the ARM-console (written by A1ex). I am compiling this page from chat logs with Alex, collecting examples of tasks the ARM-console can do that aren't documented elsewhere yet.


Stepping through assembly code

Let's say you're looking at a function in a firmware dump and want to go through it step by step, working out the register values after each instruction or keeping track of what is happening at each point in the program. The console has a module named emusym with a function that traces a code path and reports what each instruction does to the register state. Take this code for example:

SUB     R9, R10, #4
SUB     R8, R10, #8
SUB     R7, R10, #0xC
SUB     R6, R10, #0x10
SUB     LR, R10, #0x14

You can trace it from the console like this (the range covers the five 4-byte instructions starting at 0xff206224):

In [8]: cp = range(0xff206224, 0xff206224 +4*5, 4)

In [9]: emusym.resetArm()

In [10]: emusym.emusym_code_path(cp)

In [11]: !cat emusym.log

The output should look something like this:

*******************************************
emulating from 0xFF206224: sub   r9, r10, #4
*******************************************
sub   r9, r10, #4
  => ARM.R9 = (ARM.R10) - (4)
  * ARM.R9 = -4 + unk_R10
sub   r8, r10, #8
  => ARM.R8 = (ARM.R10) - (8)
  * ARM.R8 = -8 + unk_R10
sub   r7, r10, #12
  => ARM.R7 = (ARM.R10) - (12)
  * ARM.R7 = -12 + unk_R10
sub   r6, r10, #16
  => ARM.R6 = (ARM.R10) - (16)
  * ARM.R6 = -16 + unk_R10
sub   r14, r10, #20
  => ARM.LR = (ARM.R10) - (20)
  * ARM.LR = -20 + unk_R10
END OF CODE PATH

Notice that R10 was not known when the emulation started, so every result is expressed in terms of the symbol unk_R10. Now let's try with a different initial condition, giving R10 a concrete value:

In [12]: emusym.resetArm()

In [13]: emusym.ARM.R10 = 5

In [14]: emusym.emusym_code_path(cp)

In [15]: !cat emusym.log

*******************************************
emulating from 0xFF206224: sub   r9, r10, #4
*******************************************
sub   r9, r10, #4
  => ARM.R9 = (ARM.R10) - (4)
  * ARM.R9 = 1
sub   r8, r10, #8
  => ARM.R8 = (ARM.R10) - (8)
  * ARM.R8 = -3
sub   r7, r10, #12
  => ARM.R7 = (ARM.R10) - (12)
  * ARM.R7 = -7
sub   r6, r10, #16
  => ARM.R6 = (ARM.R10) - (16)
  * ARM.R6 = 0xFFFFFFF5
sub   r14, r10, #20
  => ARM.LR = (ARM.R10) - (20)
  * ARM.LR = 0xFFFFFFF1
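To make the two runs above concrete, here is a small added example (not part of emusym or the ARM-console) that emulates the same five SUB instructions the same way: a register that was never set stays a symbol such as unk_R10 and produces an expression, while a register set beforehand produces a number. It keeps results as signed integers and shows the 32-bit encoding alongside negative ones, whereas the real emusym log mixes decimal and hex; the instruction list is the page's own code, typed in as constructed input.

```python
import re

# Toy symbolic emulator for straight-line "SUB Rd, Rn, #imm" paths (example only).
# A register holds an int when its value is known and a string such as "unk_R10"
# when it is not, which is how emusym's log shows registers left unset by resetArm().
REG_ALIASES = {"SP": "R13", "LR": "R14", "PC": "R15"}
DISPLAY = {v: k for k, v in REG_ALIASES.items()}   # R14 -> LR for printing

def reset_arm():
    """Fresh state: every register is an unknown symbol, like emusym.resetArm()."""
    return {f"R{i}": f"unk_R{i}" for i in range(16)}

def parse_sub(line):
    """Parse 'SUB Rd, Rn, #imm' with a decimal or 0x-prefixed immediate."""
    m = re.match(r"\s*SUB\s+(\w+)\s*,\s*(\w+)\s*,\s*#(0x[0-9A-Fa-f]+|\d+)\s*$", line, re.I)
    if not m:
        raise ValueError(f"unsupported instruction: {line!r}")
    rd, rn = m.group(1).upper(), m.group(2).upper()
    return REG_ALIASES.get(rd, rd), REG_ALIASES.get(rn, rn), int(m.group(3), 0)

def emulate_path(lines, regs):
    """Run each SUB against regs (updated in place); return [(dest, new value), ...]."""
    trace = []
    for line in lines:
        rd, rn, imm = parse_sub(line)
        src = regs[rn]
        # Known source: compute the number. Unknown source: keep a symbolic expression.
        regs[rd] = src - imm if isinstance(src, int) else f"-{imm} + {src}"
        trace.append((rd, regs[rd]))
    return trace

def to_u32(value):
    """The 32-bit two's-complement encoding a real ARM core would hold (-11 -> 0xFFFFFFF5)."""
    return value & 0xFFFFFFFF

def fmt(value):
    """Symbolic text as-is; negative ints with their 32-bit hex form alongside."""
    if isinstance(value, str):
        return value
    return str(value) if value >= 0 else f"{value} (0x{to_u32(value):08X})"

# The five instructions from the page, as the console would see them (constructed input).
CODE = ["SUB R9, R10, #4", "SUB R8, R10, #8", "SUB R7, R10, #0xC",
        "SUB R6, R10, #0x10", "SUB LR, R10, #0x14"]

if __name__ == "__main__":
    for r10 in (None, 5):                       # first run: R10 unknown; second: R10 = 5
        regs = reset_arm()
        if r10 is not None:
            regs["R10"] = r10
        for rd, v in emulate_path(CODE, regs):
            print(f"  * ARM.{DISPLAY.get(rd, rd)} = {fmt(v)}")
```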