ESP8266 Community Forum

Posted: **Wed Jul 01, 2015 6:42 pm**

I've been using the 'ScratchABit' tool by @pfalcon a bit to analyze the RTOS binary libraries.

EDIT: What I wrote here before was _not_ the right way to add plugins to scratchabit. Here's what I now understand to be the correct way:

Clone or download the repo from https://github.com/pfalcon/ScratchABit/
Get the ida-xtensa plugin from https://github.com/pfalcon/ida-xtensa (this fork has some additions to themadinventor's version.)
Place the xtensa.py file from ida-xtensa into the plugins/cpu subdirectory of ScratchABit (I did this by symlinking).
Create an esp8266.def file like this one: https://gist.github.com/projectgus/f898d5798e3e44240796

... then you can run

Code: Select allscratchabit.py esp8266.def

to run an interactive disassembler session, annotate symbols, etc. It's not the most full featured dissassembler (at least not yet) but it's 100x better than using objdump and text editors.

Posted: **Wed Jul 01, 2015 6:43 pm**

There are also a couple of other interesting RE projects out there. There's a wiki and mailing list here:
http://esp8266-re.foogod.com/w/index.ph ... ering_Wiki
The most interesting bit at the moment is a bit buried, that is some analysis of the RTOS SDK startup code here:
http://esp8266-re.foogod.com/w/index.ph ... K_0.9.9%29

And the same person who created the wiki has their own disassembly tool (that I haven't yet tried) here. It's non-interactive, so I'm guessing similar to objdump but with more features:
https://bitbucket.org/foogod/xtobjdis

Posted: **Wed Jul 01, 2015 9:53 pm**

Wow ! all those links seems really interesting !
Unfortunately, "time" is the "missing ingredient" !

I still hope to get thru those readings, trying to cut "time" eleswhere ...

Posted: **Thu Jul 02, 2015 4:31 am**

Thanks cal,
Appreciate your help, it works like intended and I was able with your explanation to get going.
Tricky part was the real understanding of the translation from

Code: Select all

4020bf8a:   c40000           extui   a0, a0, 0, 13
4020bf8d:   3ffe87           bbsi   a14, 24, 4020bfd0 <divide+0x34>

To the address

Code: Select all

3ffe87c4

Due to the (I think) disassembling sometimes "reversing" the little endian mode and display in big edian.
Solved that by looking at the objdump -s of the irom0.text ouput.
Limited the output of all -s to objdump -s -j.rodata and now up to scanning/searching the files automatic.
Herman

ESP8266 Community Forum

Answer: How to analyze methods of the firmware ROM

Re: Answer: How to analyze methods of the firmware ROM

Re: Answer: How to analyze methods of the firmware ROM

Re: Answer: How to analyze methods of the firmware ROM

Re: Answer: How to analyze methods of the firmware ROM