Magic Lantern Forum

Developing Magic Lantern => Reverse Engineering => Topic started by: names_are_hard on April 07, 2019, 03:17:37 AM

Title: Ghidra scripts
Post by: names_are_hard on April 07, 2019, 03:17:37 AM
Ghidra is a free tool similar to IDA Pro.
You can extend it with scripts, in Java or Python.  I thought we could make some useful ones and collect them here.  I'm going to assume everyone wanting to run scripts has already got Ghidra working and loaded the rom dumps and extra memory regions (eg, parts of the rom that get copied to different locations at runtime).

Here's my first useful script, - you give it a stubs.S file and it names and disassembles the stubs in your listing:
In Linux, copy to /home/<your_user>/ghidra_scripts/, then it will be visible under Magiclantern when you open "Display Script Manager" (white triangle in green circle icon in button bar).

 - it doesn't define a function at the address, because not all stub addresses are at function starts so I didn't want to force this.  Often Ghidra will work out it's a function due to xrefs etc, but sometimes it doesn't.  Could be made better by inspecting the disassembly, detecting common function starts, only then defining a function?
 - the NSTUB address extraction only handles the simplest case.  If it's a computed address, it will fail (and report this in Ghidra console so you can manually define it)
Title: Re: Ghidra scripts
Post by: calle2010 on April 07, 2019, 09:24:23 AM
Thank you for this!

Have you seen the latest change to stub.h from A1ex?

No guesswork required to know whether it is a data pointer or a function and Thumb or ARM. Also the Thumb bit is handled correctly which removes a source of error.

Would be nice if we could have this in contrib/ghidra or similar.
Title: Re: Ghidra scripts
Post by: names_are_hard on April 07, 2019, 09:51:23 AM
I was aware he'd made those changes, but they're not in the code I'm working from, so, didn't bother.  Easy to add, but see "cstart" in stubs: this is listed as THUMB_FN, but it's not a function.  Perhaps it should be named THUMB_CODE?  I guessed the thumb bit wouldn't cause problems for disassembly, since Ghidra knows that ARM functions must be even-aligned - have you seen problems?

EDIT: I take it back, cstart is a function.  Pretty sure I've seen some names that aren't, ones that point into middle of functions at useful places.
Title: Re: Ghidra scripts
Post by: names_are_hard on June 09, 2019, 06:10:07 PM
Added a named-functions.idc -> Ghidra importer script.
Title: Re: Ghidra scripts
Post by: reyalp on December 29, 2019, 10:28:48 PM
FWIW, I wrote some ghidra scripts for CHDK that may have useful bits for ML development too.

set_tmode_reg_at from can be used to set the arm/thumb state on an address before disassembling. iterates over Ghidra generated error bookmarks and attempts to fix some common issues I noticed working with thumb2 firmware.

I also wrote some notes on using the version tracking tool, which I've found very useful for porting:
Title: Re: Ghidra scripts
Post by: names_are_hard on January 04, 2020, 06:53:46 PM
@reyalp - these look really nice, thank you!  Much more sophisticated than my hack scripts.