ESP8266 Community Forum

- Wed Jul 01, 2015 6:42 pm #22200 I've been using the 'ScratchABit' tool by @pfalcon a bit to analyze the RTOS binary libraries.

EDIT: What I wrote here before was _not_ the right way to add plugins to scratchabit. Here's what I now understand to be the correct way:

• Clone or download the repo from https://github.com/pfalcon/ScratchABit/
• Get the ida-xtensa plugin from https://github.com/pfalcon/ida-xtensa (this fork has some additions to themadinventor's version.)
• Place the xtensa.py file from ida-xtensa into the plugins/cpu subdirectory of ScratchABit (I did this by symlinking).
• Create an esp8266.def file like this one: https://gist.github.com/projectgus/f898d5798e3e44240796

... then you can run

Code: Select allscratchabit.py esp8266.def

to run an interactive disassembler session, annotate symbols, etc. It's not the most full featured dissassembler (at least not yet) but it's 100x better than using objdump and text editors.

Last edited by projectgus on Wed Jul 01, 2015 8:25 pm, edited 3 times in total.

- Wed Jul 01, 2015 6:43 pm #22201 There are also a couple of other interesting RE projects out there. There's a wiki and mailing list here:
http://esp8266-re.foogod.com/w/index.ph ... ering_Wiki
The most interesting bit at the moment is a bit buried, that is some analysis of the RTOS SDK startup code here:
http://esp8266-re.foogod.com/w/index.ph ... K_0.9.9%29

And the same person who created the wiki has their own disassembly tool (that I haven't yet tried) here. It's non-interactive, so I'm guessing similar to objdump but with more features:
https://bitbucket.org/foogod/xtobjdis

- Wed Jul 01, 2015 9:53 pm #22211 Wow ! all those links seems really interesting !
Unfortunately, "time" is the "missing ingredient" !
I still hope to get thru those readings, trying to cut "time" eleswhere ...

- Thu Jul 02, 2015 4:31 am #22243 Thanks cal,
Appreciate your help, it works like intended and I was able with your explanation to get going.
Tricky part was the real understanding of the translation from

Code: Select all4020bf8a:   c40000           extui   a0, a0, 0, 13
4020bf8d:   3ffe87           bbsi   a14, 24, 4020bfd0 <divide+0x34>


To the address

Code: Select all3ffe87c4


Due to the (I think) disassembling sometimes "reversing" the little endian mode and display in big edian.
Solved that by looking at the objdump -s of the irom0.text ouput.
Limited the output of all -s to objdump -s -j.rodata and now up to scanning/searching the files automatic.
Herman