📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.









 Forums >>  Target Specific - General  >>  Request help identifying embedded CPU

Topic created on: December 23, 2009 22:15 CST by louloulou .

I have a binary from an embedded application (probably a Mitsubishi chip) that I am having no luck getting IDA to disassemble. Anyone out there have any magic for finding what CPU the binary came from? I did the easy stuff, like trying a lot of CPUs in IDA - but no luck.

  A code snippet that occurs very, very often (must be the equivalent of a return(); C function) shows up as: 00 90 20 71 00 04 24 71 00 80 D1 01
This CPU stores its floats as big endian, and appears to have 16 bit instructions. It has a flash memory of 1.5 megabytes.

  This is an automotive CPU.

  Any help would be very much appreciated. Thanks!
   --Lou

  phn1x     December 31, 2009 09:13.34 CST
If the binary image is not in a known file format that IDA supports you are not going to get disassembly even if you choose the correct CPU.

First, google the hell out of the application to discover where it came from if you don't know already. Then google the hell out of the device it came from and you should be able to determine the CPU type.

As I stated before, if you know the CPU type, but the file format is proprietary you will not get disassembly. You will have to first figure out the structure of the .bin / firmware image. Then you can either write your own loader for IDA, or adjust your loading offsets based on your findings, create segments, etc. Alternatively, you can write an IDAPython/IDC script to create functions from a prologue (see http://eusecwest.com/esw08/esw08-muniz.pdf for the general concept).

Reversing firmware is a pain in the ass when the format is proprietary. It is a different world from re'ing PE/ELF binaries for known OSes.

  reidmefirst   December 31, 2009 14:36.04 CST
Many automotive CPUs are MPC8xx/5xx (PowerPC). You might start by trying the file at offset 0x100, treating that as a pointer to the first instruction and making code from there with ppc as the CPU in IDA. 0x9020 looks like a stw, so it may be a function preamble (storing some regs on the stack or something).

Failing that, like phn1x says you will have to identify the CPU first, maybe get the programmer's reference manual for that cpu, and find out what the CPU does at boot/how it finds its first instruction.  Generally even if the operating system is compressed, there's going to be an uncompressed bootloader or something that executes first from flash, which should give you a hint what compression algorithm is used, and where the uncompressed data will be copied.

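Here is a Python script to try to auto-make-functions:

import idaapi
from idaapi import *
from idc import *
from idautils import *

def make_functions(pattern):
  # Search the database for a byte pattern (a function preamble) and
  # ask IDA to create a function at every match.
  ea = 0x00 # maybe should be minEA to deal with rebased exes
  endea = idaapi.cvar.inf.maxEA
  flags = BIN_SEARCH_FORWARD | BIN_SEARCH_CASE # flags are combined with OR, not AND
  while ea != BADADDR:
    newea = find_binary(ea, endea, pattern, 16, flags)
    if newea == BADADDR:
      break # no further matches
    auto_make_proc(newea)
    ea = newea + 4 # stupid kludge to advance find_binary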

Call it with the hex bytes that make up a function preamble, like:

make_functions("55 89 e5")

would make functions for x86.
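
One way to test the PowerPC guess from the reply above before loading anything into IDA, as an added example that is not part of the original thread: count common PowerPC prologue/epilogue words at 4-byte-aligned offsets of the raw image in both byte orders, and decode D-form words by hand. The function names and the sample bytes are constructed for illustration; it assumes classic 32-bit PowerPC encodings.

```python
import struct
from collections import Counter

BLR = 0x4E800020      # blr: return through the link register
MFLR_R0 = 0x7C0802A6  # mflr r0: saves the return address in non-leaf prologues

# Constructed sample (not from the poster's image): a minimal PowerPC function,
# stwu r1,-16(r1); mflr r0; stw r0,20(r1); lwz r0,20(r1); mtlr r0; addi r1,r1,16; blr
SAMPLE = bytes.fromhex(
    "9421fff0 7c0802a6 90010014 80010014 7c0803a6 38210010 4e800020")

def decode_dform(word):
    """Split a 32-bit D-form word into (primary opcode, RS, RA, signed D)."""
    d = word & 0xFFFF
    if d & 0x8000:
        d -= 0x10000
    return (word >> 26, (word >> 21) & 0x1F, (word >> 16) & 0x1F, d)

def ppc_score(image, byteorder=">"):
    """Count prologue/epilogue markers at 4-byte-aligned offsets of a raw image."""
    hits = Counter()
    usable = len(image) - len(image) % 4  # iter_unpack needs whole words
    for (word,) in struct.iter_unpack(byteorder + "I", image[:usable]):
        op, rs, ra, d = decode_dform(word)
        if word == BLR:
            hits["blr"] += 1
        elif word == MFLR_R0:
            hits["mflr r0"] += 1
        elif op == 37 and rs == 1 and ra == 1 and d < 0:
            hits["stwu r1,-N(r1)"] += 1  # stack frame allocation
    return hits

def best_byteorder(image):
    """Score the image as big- and little-endian; return (winner, scores)."""
    scores = {bo: sum(ppc_score(image, bo).values()) for bo in (">", "<")}
    return max(scores, key=scores.get), scores

if __name__ == "__main__":
    print(best_byteorder(SAMPLE))
    # Bytes 90 20 71 00 from the posted snippet, read big-endian; taking them
    # at byte offset 1 of the snippet is an assumption about alignment.
    print(decode_dform(0x90207100))
```

On a real image, a hit count near zero in both byte orders is a sign that the PowerPC guess or the alignment is wrong.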
