Tuesday, February 26, 2008

Studying s211nup1.bin

Looking at the firmware in a hex editor after extracting it from the downloaded zip file shows that the first 0x60 (96) bytes contain some sort of firmware header. The rest of the firmware is a binary that runs on something that looks like a 32-bit RISC machine. Further examination reveals that it runs on a little-endian ARM processor because of the prevalence of 0xE??????? instruction words (in the file, with little-endian byte order, the 0xE? byte is the last of each 4-byte group). Conditional execution of every instruction is a distinctive feature of the 32-bit ARM instruction set: the 4 highest bits of each instruction encode the condition under which it executes, which can make the code really compact because short branches around single instructions are unnecessary. The condition 0xE means "always" (AL).
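The "prevalence of 0xE?" observation can be turned into a check. The following Python is an added example, not code from the original post: it histograms the condition field (bits 31:28) of every aligned word under both byte orders and picks the order in which AL dominates. The firmware image it builds is constructed for the demonstration, not taken from s211nup1.bin; only the 0x60-byte header size comes from the post, and the 0.5 threshold is an assumption.

```python
import struct
from collections import Counter

# ARM condition codes, indexed by the value of instruction bits 31:28.
COND_NAMES = ["EQ", "NE", "CS", "CC", "MI", "PL", "VS", "VC",
              "HI", "LS", "GE", "LT", "GT", "LE", "AL", "NV"]

def condition_histogram(blob, endian, start=0):
    """Histogram of the condition field (bits 31:28) of every aligned 32-bit word
    from `start`, reading the words with the given byte order."""
    fmt = "<I" if endian == "little" else ">I"
    hist = Counter()
    for off in range(start, len(blob) - 3, 4):
        hist[struct.unpack_from(fmt, blob, off)[0] >> 28] += 1
    return hist

def al_fraction(blob, endian, start=0):
    """Fraction of words whose condition field is AL (0xE) under the given byte order.
    Real 32-bit ARM code is dominated by unconditional instructions; read in the wrong
    byte order, the top nibble is just the high nibble of the instruction's low byte,
    so the fraction collapses. Thumb code has no condition field and shows no peak."""
    hist = condition_histogram(blob, endian, start)
    total = sum(hist.values())
    return hist[0xE] / total if total else 0.0

def guess_arm_endianness(blob, start=0, threshold=0.5):
    """Return 'little' or 'big' when one byte order gives an AL-dominated histogram,
    or None when neither does (not 32-bit ARM code, Thumb, or mostly data)."""
    le, be = al_fraction(blob, "little", start), al_fraction(blob, "big", start)
    if max(le, be) < threshold:
        return None
    return "little" if le >= be else "big"

def build_sample_firmware():
    """Constructed sample (not s211nup1.bin): a 0x60-byte dummy header followed by
    eight little-endian ARM instruction words, one of them conditional (bne)."""
    header = b"HDR!" + bytes(0x60 - 4)
    code = [
        0xE3A0D444,  # mov sp, #0x44000000
        0xE59F0010,  # ldr r0, [pc, #16]
        0xE3500000,  # cmp r0, #0
        0x1A000002,  # bne +8           (condition NE, bits 31:28 = 0x1)
        0xE2800001,  # add r0, r0, #1
        0xE1A00000,  # nop (mov r0, r0)
        0xE12FFF1E,  # bx lr
        0xEAFFFFFE,  # b .              (branch to self)
    ]
    return header + struct.pack("<8I", *code)

if __name__ == "__main__":
    fw = build_sample_firmware()
    for endian in ("little", "big"):
        hist = condition_histogram(fw, endian, start=0x60)
        named = {COND_NAMES[k]: v for k, v in sorted(hist.items())}
        print(f"{endian:>6}: AL fraction {al_fraction(fw, endian, 0x60):.3f} {named}")
    print("guess (code only):", guess_arm_endianness(fw, start=0x60))
    print("guess (with header):", guess_arm_endianness(fw))
```

Skipping the header matters: counted from offset 0, the 24 header words dilute the AL fraction below the threshold and the guess returns None, which is the right answer for "is this whole file ARM code". On a real image, data sections and any Thumb code pull the fraction down the same way, so the check is a quick triage, not proof.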

There is another distinctive feature of ARM. Since each instruction is exactly 32 bits wide, no single instruction can load an arbitrary 32-bit constant (a data-processing immediate is only an 8-bit value rotated by an even number of bits). The compiler therefore often loads a constant from memory relative to the program counter (ldr rd, [pc, #offset], where pc reads as the address of the current instruction plus 8) and places the constant in a literal pool after the code, branching over the pool because its words are data rather than meaningful instructions. This behavior is observed in the firmware as well.

The firmware initializes sp to 0x44000000. If the code is loaded at 0x40000000, as is common practice, then the firmware expects 64 MB of RAM (0x44000000 - 0x40000000 = 0x04000000 bytes) with the stack at the top of it. There also seems to be a memory-mapped I/O block in the upper memory area around 0xffff????.

The next step is to look at the string literals in the firmware and see which code references each string. Since string literals are intertwined with the code, this could help establish the memory map, that is, the address at which the code should be loaded.
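The literal-pool mechanism, the sp initialization and the string cross-referencing idea above can all be driven from one script. The following Python is an added example, not code from the original post: it decodes ldr rd, [pc, #imm] and mov rd, #imm, resolves each literal from the file without knowing the load address (the base cancels out because instruction and pool live in the same image), collects the values written straight into sp, and then scores candidate load addresses by how many pool literals would point at a NUL-terminated string. The sample image, the candidate base list and the string heuristic are assumptions for the demonstration; none of the addresses come from s211nup1.bin except the 0x44000000 stack pointer the post reports.

```python
import struct

PC_READ_AHEAD = 8  # in ARM state, pc reads as the current instruction's address + 8
SP = 13            # r13

def ror32(value, shift):
    """Rotate a 32-bit value right by `shift` bits."""
    shift %= 32
    return ((value >> shift) | (value << (32 - shift))) & 0xFFFFFFFF

def decode_ldr_pc_literal(word):
    """(rd, signed pool delta) for `ldr<c> rd, [pc, #+/-imm12]`, else None.
    Encoding: bits 27:25 = 010, P=1, B=0, W=0, L=1, Rn=15 (0xE59Fxxxx when cond=AL, U=1)."""
    if (word >> 25) & 0x7 != 0b010:
        return None
    p, u, b, w, l = ((word >> s) & 1 for s in (24, 23, 22, 21, 20))
    if not (p == 1 and b == 0 and w == 0 and l == 1 and (word >> 16) & 0xF == 15):
        return None
    imm12 = word & 0xFFF
    return (word >> 12) & 0xF, (imm12 if u else -imm12)

def decode_mov_imm(word):
    """(rd, imm32) for `mov<c>{s} rd, #imm` (8-bit value rotated right by 2*rot), else None."""
    if (word >> 21) & 0x7F != 0b0011101:
        return None
    return (word >> 12) & 0xF, ror32(word & 0xFF, 2 * ((word >> 8) & 0xF))

def words(image):
    """Yield (offset, little-endian word) for every aligned word in the image."""
    for off in range(0, len(image) - 3, 4):
        yield off, struct.unpack_from("<I", image, off)[0]

def literal_loads(image):
    """Every `ldr rd, [pc, #off]` with its literal resolved: (instr_off, rd, pool_off, value).
    The pool is located by file offset, so no load address is needed."""
    for off, word in words(image):
        dec = decode_ldr_pc_literal(word)
        if dec is None:
            continue
        rd, delta = dec
        pool_off = off + PC_READ_AHEAD + delta
        if 0 <= pool_off <= len(image) - 4:
            yield off, rd, pool_off, struct.unpack_from("<I", image, pool_off)[0]

def stack_pointer_values(image):
    """Every constant written straight into sp, via pc-literal load or mov-immediate."""
    values = {value for _, rd, _, value in literal_loads(image) if rd == SP}
    for _, word in words(image):
        dec = decode_mov_imm(word)
        if dec and dec[0] == SP:
            values.add(dec[1])
    return values

def is_string_at(image, off, min_len=4):
    """True if a NUL-terminated run of at least min_len printable ASCII bytes starts at off."""
    end = image.find(b"\0", off)
    return end >= 0 and end - off >= min_len and all(0x20 <= c < 0x7F for c in image[off:end])

def score_load_address(image, base):
    """Number of pool literals that would point at a string if the image were loaded at base.
    Literals outside [base, base + len(image)) (MMIO addresses, the stack top) are ignored."""
    return sum(1 for _, _, _, v in literal_loads(image)
               if base <= v < base + len(image) and is_string_at(image, v - base))

def best_load_address(image, candidates):
    """Candidate base with the most string hits; ties go to the earliest candidate."""
    return max(candidates, key=lambda base: score_load_address(image, base))

def build_sample_image(base=0x40000000):
    """Constructed image (not s211nup1.bin): two pc-relative loads, a branch over the
    two-word literal pool, and a string that the second literal points at when the
    image is loaded at `base`."""
    string_off = 28
    code = [
        0xE59FD004,         # 0x00: ldr sp, [pc, #4]   -> literal at 0x0C
        0xE59F0004,         # 0x04: ldr r0, [pc, #4]   -> literal at 0x10
        0xEA000001,         # 0x08: b 0x14             -> skip the pool (data, not instructions)
        0x44000000,         # 0x0C: literal: initial stack pointer
        base + string_off,  # 0x10: literal: absolute address of the string
        0xE3A01000,         # 0x14: mov r1, #0
        0xE12FFF1E,         # 0x18: bx lr
    ]
    return struct.pack("<7I", *code) + b"Hello, firmware\0"

if __name__ == "__main__":
    image = build_sample_image()
    for instr_off, rd, pool_off, value in literal_loads(image):
        print(f"{instr_off:#06x}: ldr r{rd}, [pc, ...] -> pool {pool_off:#06x} = {value:#010x}")
    sp = stack_pointer_values(image)
    print("sp values:", [hex(v) for v in sp])
    base = best_load_address(image, [0x00000000, 0x40000000, 0x80000000])
    print(f"best load address: {base:#010x}; RAM between it and sp: {(min(sp) - base) >> 20} MB")
```

Two caveats when running this over a real image. The scorer only sees strings that are reached through pool literals; if the compiler emits position-independent adr (add rd, pc, #imm) for string addresses, those references carry no base information at all and another anchor, such as a jump table or a vector table, has to be used. And literals for the 0xffff???? I/O block or the 0x44000000 stack top fall outside every candidate range, so they never vote, which is why candidates should be generated from the pointer-looking literals themselves rather than guessed.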
