ESP8266 Community Forum

- Wed Jul 01, 2015 11:19 am #22171

Sorry to bother you again but I tried to understand and follow your advice and got stuck again.
1/ You can follow your way through the symbols using objdump on the lib.

What would be the way to : follow through the symbols ?

Using a mixture of objdump and nm making your way through the symbol definitions while having the elf specification open. I avoid that.

If there is a document/location where that is described, I be happy to go from there.

2/ do the objdump on the elf image of the firmware
Do you mean with the elf image of the firmware the output of the linker ?
In my case the linker output file is app.out.
When I do the objdump -d -z on that and look for the <system_get_sdk_version> I get

Code: Select all4020bf8a:   c40000           extui   a0, a0, 0, 13
4020bf8d:   3ffe87           bbsi   a14, 24, 4020bfd0 <divide+0x34>

4020bf90 <system_get_sdk_version>:
4020bf90:   ffff21           l32r   a2, 4020bf8c <system_uart_de_swap+0x34>
4020bf93:   f00d         ret.n
4020bf95:   000000           ill
4020bf98:   e268         l32i.n   a6, a2, 56
4020bf9a:   5d4000           excw


would then the location of the string 003ffe87, the value of 420bf8c ?
But that address is nowhere in the output of objdump and you mentioned hexdump.
Is this the way you suggested ? and in which file should I then be looking for the string ?

Herman

No. Its 3ffe87c4. The values are little endian.

I did it on some nodemcu firmware image and get:

Code: Select all3ffe9440

Thats a value in data ram.

Code: Select allobjdump -h

tells us:

Code: Select allIdx Name          Size      VMA       LMA       File off  Algn
  0 .irom0.text   00057bd2  40210000  40210000  0000cea0  2**4
                  CONTENTS, ALLOC, LOAD, CODE
  1 .text         00007597  40100000  40100000  00005900  2**8
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  2 .data         00000b68  3ffe8000  3ffe8000  000000e0  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  3 .rodata       00004be8  3ffe8b70  3ffe8b70  00000c50  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .bss          00009aa0  3ffed758  3ffed758  00005838  2**4
                  ALLOC


That means our data is in section

Code: Select all.rodata

at offset

Code: Select all3ffe9440 - 3ffe8b70 = 0x8d0

Code: Select allobjdump -s

shows us all sections

Code: Select all...
3ffe9440 302e392e 35000000 4a616e20 33302032  0.9.5...Jan 30 2
...


Cal

Get your modules here:

https://www.banggood.com/custlink/KvGGhGF4wG

- Wed Jul 01, 2015 6:42 pm #22200 I've been using the 'ScratchABit' tool by @pfalcon a bit to analyze the RTOS binary libraries.

EDIT: What I wrote here before was _not_ the right way to add plugins to scratchabit. Here's what I now understand to be the correct way:

• Clone or download the repo from https://github.com/pfalcon/ScratchABit/
• Get the ida-xtensa plugin from https://github.com/pfalcon/ida-xtensa (this fork has some additions to themadinventor's version.)
• Place the xtensa.py file from ida-xtensa into the plugins/cpu subdirectory of ScratchABit (I did this by symlinking).
• Create an esp8266.def file like this one: https://gist.github.com/projectgus/f898d5798e3e44240796

... then you can run

Code: Select allscratchabit.py esp8266.def

to run an interactive disassembler session, annotate symbols, etc. It's not the most full featured dissassembler (at least not yet) but it's 100x better than using objdump and text editors.

Last edited by projectgus on Wed Jul 01, 2015 8:25 pm, edited 3 times in total.

- Wed Jul 01, 2015 6:43 pm #22201 There are also a couple of other interesting RE projects out there. There's a wiki and mailing list here:
http://esp8266-re.foogod.com/w/index.ph ... ering_Wiki
The most interesting bit at the moment is a bit buried, that is some analysis of the RTOS SDK startup code here:
http://esp8266-re.foogod.com/w/index.ph ... K_0.9.9%29

And the same person who created the wiki has their own disassembly tool (that I haven't yet tried) here. It's non-interactive, so I'm guessing similar to objdump but with more features:
https://bitbucket.org/foogod/xtobjdis

- Wed Jul 01, 2015 9:53 pm #22211 Wow ! all those links seems really interesting !
Unfortunately, "time" is the "missing ingredient" !
I still hope to get thru those readings, trying to cut "time" eleswhere ...