for ghidra implementing a new cpu architecture · # mov rn,rm - 0000_nnnn_mmmm_0000 define register...
TRANSCRIPT
![Page 1: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/1.jpg)
Implementing a New CPU Architecturefor Ghidra
![Page 2: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/2.jpg)
Why?
2
![Page 3: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/3.jpg)
Toshiba FlashAir W-03
3
See https://goo.gl/oijvdN
![Page 4: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/4.jpg)
My MeP & FlashAir Tools
cea-sec/miasm - MeP architecture in miasm
guedou/r2m2 - miasm plugin for radare2
guedou/flashre - tools to reverse FlashAir cards
4
![Page 5: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/5.jpg)
5
![Page 6: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/6.jpg)
Missing Tool: a Decompiler
6
![Page 7: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/7.jpg)
Open Source Decompilers
many available
architecture dependent
7
See https://en.wikibooks.org/wiki/X86_Disassembly/Disassemblers_and_Decompilers#Decompilers
![Page 8: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/8.jpg)
New Open-Source RE Tool
developed by the NSA
released in March 2019
many features
8
See https://ghidra-sre.org/
![Page 9: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/9.jpg)
9
See https://github.com/xyzz/ghidra-mep
![Page 10: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/10.jpg)
SLEIGH
10
![Page 11: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/11.jpg)
SLEIGH?language derived from SLED
ease defining instructions decoding & semantics
also a command-line tool11
![Page 12: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/12.jpg)
Mandatory Processor Structure
12
$ tree Ghidra/Processors/MEP_C4/Ghidra/Processors/MEP_C4/├── data│ └── languages│ ├── mep_c4.cspec│ ├── mep_c4.ldefs│ ├── mep_c4.pspec│ ├── mep_c4.sla│ └── mep_c4.slaspec└── Module.manifest
2 directories, 6 files
![Page 13: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/13.jpg)
Language Definitions - mep_c4.ldefs
13
<language_definitions> <language processor="Toshiba MeP-c4" endian="little" size="32" variant="default" version="0.1" slafile="mep_c4.sla" processorspec="mep_c4.pspec" id="MEP_C4:LE:32:default"> <description>Toshiba MeP-c4, little endian</description> <compiler name="default" spec="mep_c4.cspec" id="default"/> </language> </language_definitions>
![Page 14: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/14.jpg)
Processor Specification - mep_c4.pspec
14
<processor_spec> <programcounter register="pc"/> </processor_spec>
PC, symbols (Reset, NMI handlers...)
![Page 15: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/15.jpg)
Compiler Specification - mep_c4.cspec
15
<compiler_spec> <global> <range space="ram"/> </global> <stackpointer register="sp" space="ram"/> <default_proto> <prototype extrapop="0" stackshift="0" name="__stdcall"> <input> <pentry minsize="1" maxsize="4"> <register name="r1"/> </pentry> </input> <output> <pentry minsize="1" maxsize="4"> <register name="r0"/> </pentry> </output> </prototype> </default_proto> </compiler_spec>
![Page 16: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/16.jpg)
SLEIGH Specification File - mep_c4.slaspec
16
compiled to mep_c4.sla with sleigh
five important concepts
![Page 17: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/17.jpg)
Example #1
17
![Page 18: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/18.jpg)
18
# MOV Rn,Rm - 0000_nnnn_mmmm_0000
define register offset=0 size=4 [ r0 r1 ]; define token instr(16) major = (12, 15) rn = (8, 11) rm = (4, 7) minor = (0, 3) ; attach variables [ rn rm ] [ r0 r1 ]; :mov rn, rm is major=0b0000 & rn & rm & minor=0b0000 { rn = rm; }
![Page 19: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/19.jpg)
Example #2
19
![Page 20: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/20.jpg)
20
# MOV Rn,imm16 - 1100_nnnn_0000_0001 iiii_iiii_iiii_iiii
define token instr(16) major = (12, 15) rn = (8, 11) minor8 = (0, 7) ;
define token ext(16) imm16 = (0, 15) ;
:mov rn, imm16 is major=0b1100 & rn & minor8=0b00000001 ; imm16 { rn = imm16; }
![Page 21: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/21.jpg)
Example #3
21
![Page 22: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/22.jpg)
22
# MOVU Rn[0-7],imm24 - 1101_0nnn_IIII_IIII iiii_iiii_iiii_iiii
define token instr(16) major = (12, 15) rn = (8, 11) minor = (0, 3) ;
define token ext(16) imm16 = (0, 15) ;
:movu rn, imm24 is major=0b1101 & rn & minor ; imm16 [ imm24 = minor + (imm16 << 8); ] { rn = imm24;}
![Page 23: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/23.jpg)
Example #4
23
![Page 24: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/24.jpg)
24
# LW Rn,(Rm) - 0000_nnnn_mmmm_1110
:lw rn, "("^rm^")" is major=0b0000 & rn & rm & minor=0b1110 { rn = *[ram]:4 rm;}
![Page 25: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/25.jpg)
Ghidra/Processors/MEP_C4/data/patterns/*.xml
25
ease detecting functions prologues & epilogues
<patternlist> <pattern> <data> 0x1a 0x70 ....0000 0x6f </data> <!-- 1a70 LDC R0, LP f06f ADD SP, -4 --> <funcstart validcode="function" thunk="true"/> </pattern> </patternlist>
![Page 26: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/26.jpg)
26
![Page 27: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/27.jpg)
Perspectives
PR for ghidra-mep
automatically generate mep.sla from miasm?
27
![Page 28: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/28.jpg)
References
28
![Page 29: for Ghidra Implementing a New CPU Architecture · # MOV Rn,Rm - 0000_nnnn_mmmm_0000 define register offset=0 size=4 [ r0 r1 ]; define token instr(16)](https://reader034.vdocuments.us/reader034/viewer/2022050413/5f8a0ebc052f9a38af7904f9/html5/thumbnails/29.jpg)
Questions?Beers?
29