If the binary image is not in a known file format that IDA supports, you are not going to get disassembly even if you choose the correct CPU.
First, google the hell out of the application to discover where it came from if you don't know already. Then google the hell out of the device it came from and you should be able to determine the CPU type.
As I stated before, if you know the CPU type but the file format is proprietary, you will not get disassembly. You will have to first figure out the structure of the .bin / firmware image. Then you can either write your own loader for IDA, or adjust your loading offsets based on your findings, create segments, etc. Alternatively, you can write an IDAPython/IDC script to create functions from a prologue (see http://eusecwest.com/esw08/esw08-muniz.pdf for the general concept).
Reversing firmware is a pain in the ass when the format is proprietary. It is a different world from RE'ing PE/ELF binaries for known OSes.
Many automotive CPUs are MPC8xx/5xx (PowerPC). You might start by trying the file at offset 0x100, treating that as a pointer to the first instruction and making code from there with PPC as the CPU in IDA. 0x9020 looks like a stw, so it may be a function preamble (storing some regs on the stack or something).
Failing that, like phn1x says, you will have to identify the CPU first, maybe get the programmer's reference manual for that CPU, and find out what the CPU does at boot / how it finds its first instruction. Generally, even if the operating system is compressed, there's going to be an uncompressed bootloader or something that executes first from flash, which should give you a hint what compression algorithm is used and where the uncompressed data will be copied.
Here is a Python script to try to auto-make-functions:
    import idaapi
    from idaapi import *
    from idc import *
    from idautils import *

    def make_functions(pattern):
        # Start at 0; should probably be minEA to deal with rebased exes.
        ea = 0x00
        endea = idaapi.cvar.inf.maxEA
        # Combine the search flags with OR (AND would clear them).
        flags = BIN_SEARCH_FORWARD | BIN_SEARCH_CASE
        while ea != BADADDR:
            newea = find_binary(ea, endea, pattern, 16, flags)
            if newea == BADADDR:
                break  # no more matches in the database
            auto_make_proc(newea)
            ea = newea + 4  # stupid kludge to advance find_binary past this match
Call it with the hex bytes that make up a function preamble, like:
    make_functions("55 89 e5")
would make functions for x86.
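The same prologue-hunting idea outside IDA, as an added example that is not code from either post above: it reads the word at 0x100 as a candidate entry pointer (as suggested above) and scans a raw image for a byte pattern the way the find_binary loop does, here for the common PowerPC SysV prologue stwu r1,-N(r1) followed by mflr r0. The image bytes and the 0x200/0x240 offsets are constructed for the demo, and the prologue pattern is an assumption about the compiler, not something the thread states.

```python
import struct

# Constructed sample "firmware" image (not a real dump): 0x100 holds a
# big-endian pointer to the first instruction, and two PowerPC prologues
# (stwu r1,-N(r1) ; mflr r0) are planted at 0x200 and 0x240.
def build_sample_image():
    img = bytearray(b"\xff" * 0x300)
    img[0x100:0x104] = struct.pack(">I", 0x200)
    img[0x200:0x208] = bytes.fromhex("9421ffe0" "7c0802a6")  # stwu r1,-0x20(r1); mflr r0
    img[0x240:0x248] = bytes.fromhex("9421ffc0" "7c0802a6")  # stwu r1,-0x40(r1); mflr r0
    return bytes(img)

def entry_from_vector(img, vector_off=0x100):
    """Read the 32-bit big-endian word at vector_off and return it if it is a
    plausible, 4-byte-aligned pointer inside the image; otherwise None."""
    (ptr,) = struct.unpack_from(">I", img, vector_off)
    if ptr % 4 == 0 and ptr < len(img):
        return ptr
    return None

def find_all(img, pattern_hex):
    """Standalone stand-in for find_binary: return every offset of the
    space-separated hex byte pattern (e.g. "55 89 e5") in the image."""
    needle = bytes.fromhex(pattern_hex.replace(" ", ""))
    hits, pos = [], img.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = img.find(needle, pos + 1)
    return hits

def is_stwu_r1(word):
    """stwu r1,-N(r1): primary opcode 37, rS == r1, rA == r1, negative offset."""
    return ((word >> 26) == 37 and ((word >> 21) & 0x1F) == 1
            and ((word >> 16) & 0x1F) == 1 and bool(word & 0x8000))

def find_ppc_prologues(img, step=4):
    """Scan every aligned word for stwu r1,-N(r1) immediately followed by
    mflr r0 (0x7c0802a6) and return the candidate function starts."""
    hits = []
    for off in range(0, len(img) - 7, step):
        w0, w1 = struct.unpack_from(">II", img, off)
        if is_stwu_r1(w0) and w1 == 0x7C0802A6:
            hits.append(off)
    return hits

if __name__ == "__main__":
    image = build_sample_image()
    print("entry candidate:", hex(entry_from_vector(image)))
    print("prologues at:", [hex(o) for o in find_ppc_prologues(image)])
```

On a real dump the entry candidate and the prologue hits should agree with each other and with the CPU's documented reset behaviour; if they do not, the image is probably not loaded at the right base or is not the CPU you guessed.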