
Thread: Mips disassembler v0.1

  1. #1
    Join Date
    Jul 2003
    Posts
    35

    Mips disassembler v0.1

    This is a post-processor for objdump output from MIPS ELF binaries to make it readable by mere mortals. I used it on tivoapp.

    # tmesis MIPS linux disassembler 2003-09-15, v.0.1 #
    # 1. Finds procedure entry points. #
    # 2. Resolves string references. #
    # 3. Resolves syscalls. #
    # 4. Resolves calls to dynamically linked procedures. #
    # 5. Resolves addresses obtained from GOT. #

    To run it:
    -- Make sure that unistd.h is present in the same directory (needed for resolving syscalls).
    -- Make sure that mips-TiVo-linux-objdump is present on your path.

    Run

    ./mips.dasm.pl <executable>

    The results will be in <executable>.S. Enjoy.

  2. #2
    Join Date
    Sep 2001
    Location
    West of Bermuda
    Posts
    1,017
    Code:
    Possible reference to string: "TivoApp: Ack!  I don't support program %s"
    cute...

    ronny

  3. #3
    Join Date
    Jan 2002
    Posts
    1,777
    Nice work, tmesis.

    So, now that we are examining tivoapp, it would be helpful to start looking for "entry points" that help us understand what various parts of the code do. Obviously we already have the strings that are built into tivoapp, but there are numerous other "external" events we can observe which will help explain different areas of the tivoapp codebase.

    Here are my initial thoughts:
    • Strings in MFS. Tivo stores a lot of informational and error messages in MFS; they are indexed by number. We can devise a way to correlate each of these strings with the code that pulls it up if we can find the function(s) that are used for this purpose.
    • Incoming and outgoing EventSwitcher events. This will point us to tivoapp's handlers for these events, and potentially show us where its own events are generated.
    • Incoming and outgoing oslink messages. These will describe tivoapp's interaction with the tuner subsystem on combo boxes. This will allow us to understand the filtering of APG data, and possibly help us solve issues related to locals reception and "28% problems." This is something I am working on from the other end.
    • The tivosh interface. This is certain to be really nasty but it might be the easiest way to start exploring Tivo's C MFS interface.


    What else are we interested in learning?

  4. #4
    Join Date
    Jun 2001
    Posts
    3,108
    please keep this topic in the clear by not discussing dssapp hacks. as with the btl on the s1, the file is strictly dtv related, and as such, is not an appropriate topic for this board. tivoapp is fair game, as are many of the other binaries on the unit.
    Step one: search button!
    Silly Wabbit, guides are for kids

  5. #5
    Join Date
    Jun 2003
    Posts
    55
    is this all done on the tivo itself or on a linux workstation with the executable in question just copied over?

    Also.. if it's not run on the tivo itself but it's a perl script can it be run in a windows environment?

  6. #6
    Join Date
    Sep 2001
    Location
    West of Bermuda
    Posts
    1,017
    fletch, it's run on a linux box, not on the tivo. you also have to have the objdump program built for mips on the machine you're running on, so you'd have to do cygwin or something for that.

    ronny

  7. #7
    Join Date
    Feb 2002
    Posts
    345
    Originally posted by alldeadhomiez


    • Incoming and outgoing oslink messages. These will describe tivoapp's interaction with the tuner subsystem on combo boxes. This will allow us to understand the filtering of APG data, and possibly help us solve issues related to locals reception and "28% problems." This is something I am working on from the other end.
    Looking forward to seeing what you guys have from this end.

  8. #8
    Join Date
    Jul 2003
    Posts
    35

    A new version

    Here is a new version 0.2.

    Improvements:
    -- Can use symbolic function names from a file <executable name>.proc. A small file tivoapp.proc is included for tivoapp 3.1.
    -- Recognizes a common function call pattern: lui/addu/lw/jalr.
    -- Works on executables containing debug info.

    Enjoy.

  9. #9
    Join Date
    Jan 2002
    Posts
    1,777
    Here's a thought to improve readability:

    The gcc MIPS backend has an annoying habit of taking small blocks of code (such as "then" and "else" clauses) and moving them to the end of a function. At the end of the block it jumps back into the middle of the function. This often causes the flow to skip all over the place and makes things hard to read.

    If we could develop an algorithm that rearranges these blocks and inverts the conditional branches, we could make it a bit easier to follow the program flow. It would be nice if each function ended with jr $ra instead of a dozen tiny blocks of code that the compiler deemed unlikely to execute.

    Anyone want to give it a shot?

  10. #10
    Join Date
    Jul 2003
    Posts
    35

    MIPS disassembler v0.3

    This is a bugfix release:

    1. Fixed infinite loop when a symbol table is missing.
    2. Fixed LALJ pattern handling when the first instruction is "lui t9,0x1".
    3. Major refactoring of code to improve readability: 4 modes (default, syscall, LAJ, LALJ).

    Future plans:
    -- Create crossreference for procedure calls, jumps.
    -- Visually separate jump branches, procedure returns.
    -- Output html hyperlinks to click-and-jump to an address; will not be useful for huge disassemblies, such as tivoapp though.
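
As an added illustration of the LAJ and LALJ call-pattern resolution described in posts #1, #8 and #10 (my own Python, not tmesis's Perl script): it walks objdump -d text, tracks lui/addiu/addu/lw into t9 and labels each jalr with its target and .proc name. The $gp value, GOT contents, procedure names and the objdump fragment are all constructed, and treating "lui t9,0x1" followed by addu with gp as a GOT slot more than 32K past $gp is my reading of the v0.3 fix.

```python
import re

# Constructed sample values, not taken from the thread: the executable's $gp,
# a GOT table (slot address -> function address) and a .proc-style name map.
GP = 0x00E60000
GOT = {0x00E683C0: 0x00DA1420}
PROC = {0x00D1A000: "sample_proc", 0x00DA1420: "size_t strlen(const char *s)"}

INSN = re.compile(r"^\s*([0-9a-f]+):\s+[0-9a-f]+\s+(\S+)\s*(.*)$")  # one objdump -d line
MEM = re.compile(r"^(-?\w+)\((\w+)\)$")                              # e.g. -31808(t9)

def sext16(v):
    """Sign-extend a 16-bit immediate the way addiu/lw do in hardware."""
    v &= 0xFFFF
    return v - 0x10000 if v & 0x8000 else v

def resolve_calls(lines, gp=GP, got=GOT, proc=PROC):
    """Map each jalr address to (target, name) for the LAJ pattern (lui/addiu/jalr,
    absolute address) and the LALJ pattern (lui/addu gp/lw/jalr, address from a GOT slot)."""
    regs, calls = {}, {}
    for m in filter(None, map(INSN.match, lines)):
        addr, op, args = int(m[1], 16), m[2], [s.strip() for s in m[3].split(",")]
        if op == "lui":                                   # rt = imm << 16
            regs[args[0]] = (int(args[1], 0) << 16) & 0xFFFFFFFF
        elif op == "addiu" and args[1] in regs:           # rt = rs + sext(imm)
            regs[args[0]] = (regs[args[1]] + sext16(int(args[2], 0))) & 0xFFFFFFFF
        elif op == "addu" and len(args) == 3 and args[2] == "gp" and args[1] in regs:
            regs[args[0]] = (regs[args[1]] + gp) & 0xFFFFFFFF  # lui 0x1 + gp: slot > 32K past gp
        elif op == "lw" and (mm := MEM.match(args[1])) and mm[2] in regs:
            slot = (regs[mm[2]] + sext16(int(mm[1], 0))) & 0xFFFFFFFF
            regs[args[0]] = got.get(slot)                 # None if the GOT slot is unknown
        elif op == "jalr":
            target = regs.get(args[-1])                   # "jalr t9" or "jalr ra,t9"
            calls[addr] = (target, proc.get(target) if target is not None else None)
        else:
            regs.pop(args[0], None)   # conservative: any other instruction naming a tracked register first drops it
    return calls

# Constructed objdump-style fragment (opcode words hand-encoded): an LAJ call whose
# low half is negative, then an LALJ call whose GOT slot needs the lui t9,0x1 form.
SAMPLE = """\
  d04f10:\t3c1900d2\tlui\tt9,0xd2
  d04f14:\t2739a000\taddiu\tt9,t9,-24576
  d04f18:\t0320f809\tjalr\tt9
  d04f20:\t3c190001\tlui\tt9,0x1
  d04f24:\t033cc821\taddu\tt9,t9,gp
  d04f28:\t8f3983c0\tlw\tt9,-31808(t9)
  d04f2c:\t0320f809\tjalr\tt9
""".splitlines()
```

Calling resolve_calls(SAMPLE) gives 0x00D1A000 for the first jalr and 0x00DA1420 (strlen) for the second; with an empty GOT the second resolves to None rather than a wrong address.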

  11. #11
    Join Date
    Jul 2003
    Posts
    35

    Call tree utility v0.1

    This is a helper utility that scans the annotated dump from MIPS disassembler and prints out the tree of procedure calls:

    Code:
    0x00D05464
      0x00D51BB8
        0x00D51844
          0x00D4FE98
            0x00D7BCD0
              0x00DA1420, size_t strlen(const char *s);
              0x00DA1630
          0x00DAA538
            0x00DB0D50
              0x00DB0D28
    etc.

    Run it as follows:

    calltree.pl <annotated dump file> <start address>

  12. #12
    Join Date
    May 2002
    Posts
    314
    Nifty scripts. If even just a few people put a coordinated effort into this, you could come up with quite an impressive tivoapp.proc list.

  13. #13
    Join Date
    Jul 2003
    Posts
    35
    How would you suggest going about mapping procedures?

    I can find C runtime library functions by matching tivoapp code to my test executable compiled with symbols, but that's about it.

    Beyond that, it's just trying to understand the logic and guessing what each procedure does, isn't it?

  14. #14
    Join Date
    May 2002
    Posts
    314
    Originally posted by tmesis
    How would you suggest going about mapping procedures? ... it's just trying to understand the logic and guessing what each procedure does, isn't it?
    Yep, pretty much. Obviously the strings help out there...especially those error message strings (the ones that identify the procedure names). Also, code spatial locality often holds; related procedures are often found back-to-back, just before or after the constructor and destructor code for each class.

  15. #15
    Join Date
    Jul 2003
    Posts
    35

    MIPS disassembler v0.4

    No major changes in mips.dasm.pl.

    -- New script xrefs.pl, finds all procedures that call each given procedure and puts that info in its header. Run like this:

    ./xrefs.pl <file created by mips.dasm.pl> <output file name>

    -- More than 1000 procedure addresses in tivoapp.proc (tivoapp 3.1).

    Enjoy!
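
An added example (my own Python, not tmesis's calltree.pl or xrefs.pl) of the two utilities from posts #11 and #15: build a call graph from an annotated dump, print the indented tree, and invert it into per-procedure caller lists. The annotated-dump format, the sample fragment and the .proc name map are assumptions; the recursion marker is my addition for a call that leads back into the current path.

```python
import re

# Assumed annotated-dump format (the thread does not spell it out): a "Procedure 0x...:"
# header opens each procedure and each resolved call line carries a "call 0x..." note.
HEADER = re.compile(r"^Procedure (0x[0-9A-Fa-f]+)")
CALL = re.compile(r"call (0x[0-9A-Fa-f]+)")
PROC = {0x00DA1420: "size_t strlen(const char *s);"}   # constructed .proc-style map

def parse_dump(lines):
    """Return {procedure: [callee, ...]} in the order the calls appear."""
    graph, cur = {}, None
    for line in lines:
        if h := HEADER.match(line):
            cur = graph.setdefault(int(h[1], 16), [])
        elif cur is not None and (c := CALL.search(line)):
            cur.append(int(c[1], 16))
    return graph

def call_tree(graph, start, proc=PROC):
    """Indented tree in calltree.pl's layout; a call back into the current path is
    marked instead of expanded, so mutual recursion cannot loop forever."""
    out = []
    def walk(addr, depth, path):
        label = "  " * depth + f"0x{addr:08X}" + (f", {proc[addr]}" if addr in proc else "")
        if addr in path:
            out.append(label + "  (recursive)")
            return
        out.append(label)
        for callee in graph.get(addr, []):          # procedures without a header are leaves
            walk(callee, depth + 1, path | {addr})
    walk(start, 0, frozenset())
    return out

def xrefs(graph):
    """Invert the graph: callee -> sorted callers, the info xrefs.pl adds to each header."""
    callers = {}
    for caller, callees in graph.items():
        for callee in callees:
            callers.setdefault(callee, set()).add(caller)
    return {k: sorted(v) for k, v in callers.items()}

# Constructed fragment with the thread's sample addresses plus one call back to 0x00D51BB8
DUMP = """\
Procedure 0x00D05464:
  jalr t9  # call 0x00D51BB8
Procedure 0x00D51BB8:
  jalr t9  # call 0x00D51844
  jalr t9  # call 0x00DAA538
Procedure 0x00D51844:
  jalr t9  # call 0x00DA1420
  jalr t9  # call 0x00D51BB8
""".splitlines()
```

print("\n".join(call_tree(parse_dump(DUMP), 0x00D05464))) reproduces the thread's indented layout, with the strlen line annotated from the .proc map and the back edge marked "(recursive)".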
