diff options
author | root <root@krebs> | 2011-09-01 02:18:42 +0200 |
---|---|---|
committer | root <root@krebs> | 2011-09-01 02:18:42 +0200 |
commit | 181ee880f53e1b10fce89e74ba429e23382809c1 (patch) | |
tree | 2f0f392274a6794f7962ec9dbd13e719e48ca5f7 /oncology/dpfhack_display/reverse/dump.py | |
parent | cdbc8c537320e3e534694311516ac398ea501600 (diff) | |
parent | 5ad8c950f59472d1d0ad21c13320024889fe2e46 (diff) |
Merge branch 'master' of github.com:/krebscode/painload
Conflicts:
.gitmodules
oncology/dpfhack_display
Diffstat (limited to 'oncology/dpfhack_display/reverse/dump.py')
-rw-r--r-- | oncology/dpfhack_display/reverse/dump.py | 470 |
1 files changed, 0 insertions, 470 deletions
diff --git a/oncology/dpfhack_display/reverse/dump.py b/oncology/dpfhack_display/reverse/dump.py deleted file mode 100644 index cbbc563b..00000000 --- a/oncology/dpfhack_display/reverse/dump.py +++ /dev/null @@ -1,470 +0,0 @@ -# DPF dump splitter -# <hackfin@section5.ch> -# -# Takes a binary dump of the DPF and splits it into the banked modules -# Usage: -# 1. First, simply run this script after having dumped your entire DPF -# into full_image.bin. It will generate a lot of dump* files. -# 2. Then analyze the addresses in dump00.asm. The code is loading more -# common code segments from other addresses. To extract this code, -# enhance or create a record in g_dpfs. Later on, we'll add some -# firmware version detection... -# - -import os -import sys -import struct -# import scantool - -IMGLEN1 = 128 * 128 / 8 -IMGLEN16 = 128 * 128 * 2 - -# menu table in code memory: -table_addr = 0x1600 - -g_dpfs = { - 'default' : [ - [], [], [], [], - ], - 'silver2' : [ - [ - (0x2f0, 0x1934, 0x19f2), - (0x3ae, 0x1003, 0x1270), - (0x6a0, 0x1280, 0x12bc), - ], - [], - [], - [], - ], - 'black' : [ - [ - (0x2e0, 0x1934, 0x19f2), - (0x39e, 0x1003, 0x1270), - (0x682, 0x1280, 0x12d0), - ], - [], - [], - [], - ], - 'white' : [ - [ - (0x2f0, 0x1934, 0x19f2), - (0x3ae, 0x1003, 0x1270), - (0x69c, 0x1280, 0x12d0), - (0x2fec, 0x1800, 0x189d), - ], - [], - [], - [], - ], - 'visualland' : [ - [ - (0x2c0, 0x1934, 0x19f2), - (0x37e, 0x1003, 0x1270), - (0x662, 0x1280, 0x12d0), - ], - [], - [], - [], - ], - 'blue' : [ - [ # special code segments: fileoffset, start, end - (0x2c0, 0x1934, 0x19f2), - (0x37e, 0x1003, 0x1270), - (0x662, 0x1280, 0x12d8), - (0x3474, 0x1800, 0x189d), - - # Dynamic jump table: - (0x0e54, 0xce7 + 0x800, 0xce7 + 0x800 + 0x2c2), - ], - [ # images: name, fileoffset, rel_start, rel_end - ("img0", 0x55bbb, 0x0, IMGLEN16), - ("img1", 0x4eb89, 0x0, IMGLEN1), - ("usb_conn", 0x4ec89, 0x0, 0x80 * 0x48), - ("menu0", 0x4e289, 0x0, IMGLEN1), - ("menu1", 0x4e389, 0x0, IMGLEN1), - ("menu2", 0x4ee89, 0x0, IMGLEN1), - ("menu3", 0x4e489, 0x0, IMGLEN1), - ("menu4", 0x4e589, 0x0, IMGLEN1), - ("menu5", 0x4e789, 0x0, IMGLEN1), - ("menu7", 0x4e989, 0x0, IMGLEN1), - ("menu8", 0x4ea89, 0x0, IMGLEN1), - ("menu9", 0x4e889, 0x0, IMGLEN1), - ("mainmenu", 0x4c7f9, 0x0, IMGLEN1), - ("mainmenu-ch", 0x4f589, 0x0, IMGLEN1), - ("jpgx", 0x4b744, 0x0, IMGLEN16), # mod13 - ("menu0", 0x4daf9, 0x0, IMGLEN1), - ], - [ # data buffers: fileoffset, start, end - (0x1b02 + 4, table_addr, table_addr + 0x28a), # Menu bitmap indices? - (0x1874 + 4, table_addr, table_addr + 0x28a), # Menu bitmap indices? - (0x53557, 0xfd7, 0xfd7 + 64), - ], - [ # Dynamic applet load: reloc, fileoffset, , size - (0x14e7, 0x0e54, 15 ) - ] - ], - 'silver' : [ - [ # special code segments: fileoffset, start, end - (0x2c0, 0x1934, 0x19f2), - (0x37e, 0x1003, 0x1270), - (0x662, 0x1280, 0x12d8), - ], - [], - [], - [], - ], - 'pink' : [ - [ # code segments: - (0x2f0, 0x1934, 0x19f2), - (0x3ae, 0x1003, 0x1270), - (0x69c, 0x1280, 0x12d1), - (0x2fc0, 0x1800, 0x189d), # USB main loop, -> mod18_145b - - (0x0e88, 0xce7 + 0x800, 0xce7 + 0x800 + 0x2c2), - ], - [ # images - ("img0", 0x5320b, 0x0, IMGLEN16), - ("img1", 0x54f4b, 0x0, IMGLEN1), - ("lowpower", 0x51a3b, 0x0, IMGLEN1), - ("img2", 0x4c244, 0x0, IMGLEN16), - ("title", 0x4f03b, 0x0, IMGLEN1), - ("title", 0x4f13b, 0x0, IMGLEN1), - ("title", 0x4f23b, 0x0, IMGLEN1), - ], - # data: - [], - # dynamic: - [ - (0x14e7, 0x0e88, 15 ) - ] - ], - 'focal' : [ - [ # code segments: - (0x2e0, 0x1934, 0x19f2), - (0x39e, 0x1003, 0x1279), - (0x682, 0x1280, 0x12f3), - (0x3056, 0x1800, 0x189d), # USB main loop, -> mod17_145b - - (0x0e88, 0xce7 + 0x800, 0xce7 + 0x800 + 0x2c2), - ], - [ # images - ("img0", 0x5320b, 0x0, IMGLEN16), - ], - # data: - [], - # dynamic: - [ - (0x14e7, 0x0e88, 15 ) - ] - ], - 'pearl' : [ - [ # code segments: - (0x2e0, 0x1934, 0x19f2), - (0x39e, 0x1003, 0x1279), - (0x682, 0x1280, 0x12f3), - (0x3056, 0x1800, 0x189d), # USB main loop, -> mod17_145b - - (0x0e88, 0xce7 + 0x800, 0xce7 + 0x800 + 0x2c2), - ], - [ # images - ("img0", 0x5320b, 0x0, IMGLEN16), - ], - # data: - [], - # dynamic: - [ - (0x14e7, 0x0e88, 15 ) - ] - ], - 'micca' : [ - [ # code segments: - (0x2e0, 0x1934, 0x19f2), - (0x39e, 0x1003, 0x1279), - (0x682, 0x1280, 0x12f3), - (0x3056, 0x1800, 0x189d), # USB main loop, -> mod17_145b - - (0x0e88, 0xce7 + 0x800, 0xce7 + 0x800 + 0x2c2), - ], - [ # images - ("img0", 0x5320b, 0x0, IMGLEN16), - ], - # data: - [], - # dynamic: - [ - (0x14e7, 0x0e88, 15 ) - ] - ], - -} - -RET = chr(0x22) -LJMP = chr(0x02) -LCALL = chr(0x12) - -bswap = lambda x: ( (x >> 8) & 0xff ) | ((x << 8) & 0xff00) - -class ProcEntry: - format = "<HHI" - - def __init__(self): - self.start = 0 - self.end = 0 - self.offset = 0 - self.size = struct.calcsize(self.format) - - def fromBuffer(self, b): - start, end, self.offset, = struct.unpack(self.format, b) - self.start = bswap(start) - self.end = bswap(end) - - - def __repr__(self): - return "< %04x, %04x, %08x >" % (self.start, self.end, self.offset) - -def extract_code(data, fname): - out = data - outf = open(fname, "w") - outf.write(out) - outf.close() - -def write_ctl(name, offset, fileoffset, size = 0): - outf = open(name, "w") - outf.write("; control file -- autogenerated\n") - outf.write("; file offset: %08x\n" % fileoffset) - outf.write("# %04x\n" % offset) - outf.write("# %04x dump file offset: %08x\n" % (offset, fileoffset)) - outf.write("o %04x\n" % offset) - if size: - outf.write("b %04x-%04x\n" % (offset, offset + size - 1)) - outf.close() - -def exists(file): - try: - a = os.stat(file) - return 1 - except: - return 0 - -def generate_ctl(which, prefix, record, entries): - fname = "%s%02d.in" % (prefix, which) - if exists(fname): - print "%s exists, not creating" % fname - return - - outf = open(fname, "w") - outf.write("; control file for %s%d.bin -- autogenerated\n" % (prefix, which)) - outf.write("; file offset: %08x\n" % int(record.offset)) - offset = 0x800 + record.start - outf.write("# %04x ----- SNIP : mod%d -----\n" % (offset, which)) - outf.write("# %04x\n" % offset) - outf.write("# %04x dump file offset: %08x\n" % (offset, int(record.offset))) - outf.write("o %04x\n" % offset) - for i in entries: - outf.write("%s\n" % i) - outf.close() - -def build_tab(data, start, end): - l = [] - - offset = start - - i = 0 - - while 1: - e = ProcEntry() - d = data[offset : offset + e.size] - e.fromBuffer(d) - if d == "-EndTbl-" or offset > end: - break - offset += e.size - l.append(e) - i += 1 - - return l - -val = lambda x: ord(x) - -# Some codes to scan for: - -scan_banksw = [ - 0x74, val, 0x90, val, val, val, 0x19, val -] - -scan_loadcode = [ - 0x90, val, val, 0x7b, val, 0x7c, val, 0x7d, val, 0x7e, val , 0x7f, val -] - - -# Stolen from scantool: -class Scanner: - def __init__(self, data, seq): - self.data = data - self.args = [] - self.scansequence = seq - - def scan(self, context, cb): - p = 0 - n = 0 - while p < len(self.data): - if type(self.scansequence[n]) == type(val): - args.append(val(data[p])) - n += 1 - elif chr(self.scansequence[n]) == data[p]: - n += 1 - else: - n = 0 - args = [] - - if n == len(self.scansequence): - cb(context, args, p) - n = 0 - args = [] - - p += 1 - -def make_symentry(context, args, p): - e, offset = context - if args[3] in [0x12, 0x02]: - e.append("x %04x mod%d_%04x" % (offset + p - 4, args[0] + 1, (args[1] << 8) + args[2])) - - -# TODO: Use scantool stuff -def analyze(data, offset): - e = [] - - scanner = Scanner(data, scan_loadcode) - scanner.scan((e, offset), make_symentry) - - return e - -def make_record(context, args, p): - e, rec = context - r = args[0] << 8 | args[1] - e.append("s %04x code_%04x" % (r, r + 0x800)) - r = args[2] << 8 | args[3] - s = (args[4] << 16) | (args[5] << 8) | args[6] - e.append("# %04x load code from %06x to xmem:%04x" % (rec.start + 0x800 + p - 9, s, r)) - - -def analyze_bootblock(data): - rec = ProcEntry() - - e = [] - s = struct.unpack(">H", data[5:7])[0] # start code in flash - reloc = struct.unpack(">H", data[2:4])[0] # relocation - - print hex(reloc), hex(s) - - rec.start = reloc - s - 0x800 - rec.offset = s - - offset = reloc - s - - e.append("b %04x-%04x" % (offset, (reloc - 1))) - e.append("l %04x start" % reloc) - e.append("l %04x jumptable" % (offset + 0x88)) - - # Just copy the scan hack -- no more scantool - scanner = Scanner(data, scan_loadcode) - scanner.scan((e, rec), make_record) - - return rec, e - - -def write_rawimage(d, fname): - outf = open(fname, "wb") - outf.write(d) - outf.close() - -try: - # Choose here which DPF to dump: - dpf = g_dpfs[sys.argv[1]] - f = open(sys.argv[2], "r") -except (KeyError, IndexError): - print "Usage: %s <frameid>" % sys.argv[0] - print "where frameid is one of:" - for i in g_dpfs.keys(): - print " ", i - print "No DPF specified given, running basic dump" - dpf = g_dpfs['default'] - f = open("full_image.bin", "r") - - -data = f.read() -f.close() - - -for i in dpf[0]: - o, start, end = i - end += 1 - d = data[o:o + end - start] - extract_code(d, "code_%04x.bin" % start) - write_ctl("code_%04x.ctl" % start, start, o) - -for i in dpf[1]: - name, o, start, end = i - end += 1 - d = data[o:o + end - start] - write_rawimage(d, "img_%s-%06x.raw" % (name, o)) - -for i in dpf[2]: - o, start, end = i - end += 1 - d = data[o:o + end - start] - extract_code(d, "data_%04x.bin" % o) - write_ctl("data_%04x.ctl" % o, start, o, end - start) - -for i in dpf[3]: - codeoffs, foffs, n = i - c0 = codeoffs - c1 = codeoffs - foffs - labels = {} - for j in range(n): - sz = [0,0] - offs = [0, 0] - o = foffs + j * 8 - d = data[o:o + 8] - - sz[0] = ord(d[0]) + (ord(d[1]) << 8) - offs[0] = foffs + ord(d[2]) + (ord(d[3]) << 8) - sz[1] = ord(d[4]) + (ord(d[5]) << 8) - offs[1] = foffs + ord(d[6]) + (ord(d[7]) << 8) - - p = (c0 + j * 8 + 7, offs[0], sz[0], offs[1], sz[1]) - print "! %04x dyn_%04x[%d], dyn_%04x[%d]" % p - labels[c1 + offs[0]] = "dyn_%04x" % offs[0] - labels[c1 + offs[1]] = "dyn_%04x" % offs[1] - for j in labels.keys(): - print "l %04x %s" % (j, labels[j]) - -format = ">HHBH" -s = struct.unpack(format, data[:7]) -imem_loadaddr, code_startaddr, dummy, startcode = s - -l = build_tab(data, 0x88, startcode) - -print 80 * "-" - -start = l[0].offset -d = data[0:start] -extract_code(d, "dump00.bin") -rec, entries = analyze_bootblock(d) -generate_ctl(0, "dump", rec, entries) - -index = 1 -for i in l: - size = i.end - i.start - d = data[i.offset: i.offset + size] - print "[dump%d] %04x %04x %08x (%d)" % (index, i.start, i.end, i.offset, size) - extract_code(d, "dump%02d.bin" % index) - entries = analyze(d, i.start + 0x800) - generate_ctl(index, "dump", i, entries) - index += 1 - - -# No scantool here. -# scantool.guess(scantool.MC8052, data, "dump") - - |