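def make_vector(addr, name):
    """Mark the 4-byte slot at *addr* as a vector, start a function there and optionally name it.

    The slot is first defined as a dword, then an instruction is decoded at
    the same address, a function is started there, and a call cross-reference
    from the slot to itself (``fl_CF``) is added -- presumably so the vector
    shows up in xref views; confirm against the loader that relies on it.
    Whether ``create_insn`` succeeds over the just-defined dword depends on
    IDA's item-definition rules; the sequence is kept as the original had it.

    Args:
        addr: address of the vector slot.
        name: label to assign; an empty string leaves the slot unnamed.

    Returns:
        Always 1, matching the other annotation helpers in this loader.
    """
    ida_bytes.create_dword(addr, 4)
    idaapi.create_insn(addr)
    idaapi.ida_funcs.add_func(addr, idaapi.ida_idaapi.BADADDR)
    idaapi.add_cref(addr, addr, idaapi.fl_CF)
    if name:
        idc.set_name(addr, name)
    return 1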
def run_scatterload(debug: bool = False) -> None:
    """Replay the image's ARM scatter-load tables into new IDA segments.

    Every table returned by ``find_scatter_table()`` is a run of 16-byte
    entries ``(src, dst, size, how)``; ``how`` is the address of the
    scatter helper (``__scatterload_copy`` / ``__scatterload_decompress`` /
    ``__scatterload_decompress2`` / ``__scatterload_zeroinit``) that the
    firmware would invoke for that entry, resolved to a name through
    ``find_scatter_funcs()``. For each entry a segment is created at ``dst``
    and the helper's effect is reproduced with ``memcpy`` / ``decomp`` /
    ``decomp2`` / ``memclr``. The outer loop repeats until a pass creates no
    new copy/decompress segment, because freshly unpacked regions may hold
    further tables.

    Args:
        debug: when True only print the decoded entries; no segment is
            created and nothing is copied.

    NOTE(review): ``src``, ``dst``, ``size`` and ``how`` are read straight
    from the image under analysis, so for a hostile firmware they are
    attacker-controlled. Nothing here bounds ``size`` or ``dst``; the only
    gate is ``add_segment()`` returning False. Confirm that ``add_segment``
    rejects absurd sizes and overlapping ranges before running this on
    untrusted input.
    """
    # Newly identified region may have additional scatter load procedure. Thus,
    # we continuously proceed until no changes left.
    is_changed = True
    while is_changed:
        is_changed = False
        tables = find_scatter_table()
        # helper address -> helper name
        scatter_funcs = find_scatter_funcs()

        for start, end in tables.items():
            print("Processing table: 0x%x to 0x%x" % (start, end))
            # NOTE(review): if `end` is not 16-byte aligned the final, partial
            # entry is still read as if it were complete.
            while start < end:
                # One entry = four dwords.
                ida_bytes.create_dword(start, 16)
                ida_offset.op_offset(start, 0, idc.REF_OFF32)
                src = ida_bytes.get_dword(start)
                dst = ida_bytes.get_dword(start + 4)
                size = ida_bytes.get_dword(start + 8)
                how = ida_bytes.get_dword(start + 12)

                if how not in scatter_funcs:
                    print("%x: no addr 0x%x in scatter_funcs" % (start, how))
                    start += 16
                    continue

                func_name = scatter_funcs[how]
                # Advance before any later `continue` so the loop cannot stall.
                start += 16
                print("%s: 0x%x -> 0x%x (0x%x bytes)" %
                      (func_name, src, dst, size))

                # zeroinit never reads src (see memclr below), so only the other
                # kinds require src to be mapped and a non-zero size.
                if func_name != "__scatterload_zeroinit":
                    if not idc.is_loaded(src) or size == 0:
                        print("0x%x is not loaded." % (src))
                        continue

                if debug:
                    # only show information above
                    continue

                if func_name == "__scatterload_copy":
                    if add_segment(dst, size, "CODE"):
                        memcpy(src, dst, size)
                        is_changed = True
                elif func_name == "__scatterload_decompress":
                    if add_segment(dst, size, "DATA"):
                        decomp(src, dst, size)
                        is_changed = True
                # some old firmware images have this.
                elif func_name == "__scatterload_decompress2":
                    if add_segment(dst, size, "DATA"):
                        decomp2(src, dst, size)
                        is_changed = True
                elif func_name == "__scatterload_zeroinit":
                    # No need to further proceed for zero init.
                    # Deliberately leaves is_changed alone: a zeroed region
                    # cannot contain a new scatter table.
                    if add_segment(dst, size, "DATA"):
                        memclr(dst, size)

                # Let auto-analysis catch up on whatever was just mapped.
                ida_auto.auto_wait()
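def make_word(ea):
    """Define one native-word-sized data item at *ea*.

    Returns the result of the IDA ``create_*`` call, or False when the
    database is neither 32- nor 64-bit.
    """
    info = idaapi.get_inf_structure()
    # Test 64-bit first: in the IDA 7.x SDK idainfo.is_32bit() means
    # "32-bit or higher", so it also holds for 64-bit databases and a
    # 32-bit-first ordering would define a dword where a qword belongs.
    if info.is_64bit():
        return ida_bytes.create_qword(ea, 8)
    if info.is_32bit():
        return ida_bytes.create_dword(ea, 4)
    return False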
# Give every peripheral its own segment: rename the segment already covering
# the base address (suffixing the peripheral name), or create a fresh one.
for name, (addr, size) in data["peripherals"].items():
    existing = ida_segment.getseg(addr)
    if existing is None:
        add_segment(addr, size, name)
    else:
        current = ida_segment.get_segm_name(existing)
        ida_segment.set_segm_name(existing, "%s_%s" % (current, name))

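# Register widths (bytes) this loader can define -> IDA data flag.
reg_flags = {
    1: ida_bytes.byte_flag(),
    2: ida_bytes.word_flag(),
    4: ida_bytes.dword_flag(),
    8: ida_bytes.qword_flag(),
}

# Each entry describes `clu_count` clusters of `reg_count` registers:
# register n of cluster m lives at addr + m * clu_size + n * reg_size and is
# named from the template with '<m>' / '<n>' substituted.
for name, (addr, reg_count, reg_size, clu_count, clu_size) in data["addresses"].items():
    # Resolve the flag once per entry so an unsupported width fails before
    # any register of the block has been defined.
    try:
        flag = reg_flags[reg_size]
    except KeyError:
        raise KeyError("%s: unsupported register size %r (expected 1, 2, 4 or 8)"
                       % (name, reg_size)) from None
    for m in range(clu_count):
        for n in range(reg_count):
            reg_name = name.replace('<m>', str(m)).replace('<n>', str(n))
            reg_addr = addr + m * clu_size + n * reg_size
            ida_bytes.create_data(reg_addr, flag, reg_size, ida_netnode.BADNODE)
            ida_name.set_name(reg_addr, reg_name)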

# Label the vector table at the start of ROM. Slot index is offset + 16; the
# "arm" prefix on negative offsets suggests those are the core exception
# slots that precede IRQ0 (not confirmed here).
base_addr = ida_segment.get_segm_by_name("ROM").start_ea
for name, offset in data["interrupts"].items():
    addr = base_addr + 4 * (offset + 16)
    if offset < 0:
        name = "arm_" + name.lower()
    else:
        name = "irq_" + name.lower()
    # Force a fresh dword over whatever auto-analysis left in the slot.
    ida_bytes.del_items(addr, 0, 4)
    ida_bytes.create_dword(addr, 4, True)
    ida_name.set_name(addr, name, 0)
    # Only a populated slot is turned into an offset; zero stays a plain dword.
    target = ida_bytes.get_dword(addr)
    if target > 0:
        ida_offset.op_plain_offset(addr, 0, 0)
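def find_parse_ip(li, ea, parsecode):
    """Annotate the 0x100-byte IP header at *ea* and optionally the code after it.

    The header is a fixed layout of C strings, a 16-byte blob and dwords;
    the dword at +0xF0 is treated as a code pointer and a function is started
    at its target, and with *parsecode* a function is also started at
    ``ea + 0x100``.

    Args:
        li: loader input (currently unused; TODO: verify the "SEGA SATURN"
            signature from it before annotating).
        ea: address of the header.
        parsecode: start a function at ``ea + 0x100`` when true.

    Returns:
        Always 1.
    """
    # (offset, length) of every C-string field, in header order.
    string_fields = (
        (0x00, 16), (0x10, 16), (0x20, 10), (0x2A, 6), (0x30, 8),
        (0x38, 8), (0x40, 10), (0x4A, 6), (0x50, 16), (0x60, 0x70),
    )
    for off, length in string_fields:
        ida_bytes.create_strlit(ea + off, length, ida_nalt.STRTYPE_C)
    ida_bytes.create_byte(ea + 0xD0, 16)
    for off in (0xE0, 0xE4, 0xE8, 0xEC, 0xF0):
        ida_bytes.create_dword(ea + off, 4)
    # The pointer at +0xF0 comes straight from the image being loaded, so
    # only start a function there when it points at loaded bytes; otherwise
    # a crafted header would make IDA define a function at an arbitrary
    # address.
    entry = ida_bytes.get_dword(ea + 0xF0)
    if ida_bytes.is_loaded(entry):
        ida_funcs.add_func(entry, ida_idaapi.BADADDR)
    else:
        print("0x%x: pointer at +0xF0 is not loaded, skipping" % entry)
    for off in (0xF4, 0xF8, 0xFC):
        ida_bytes.create_dword(ea + off, 4)
    if parsecode:
        ida_funcs.add_func(ea + 0x100, ida_idaapi.BADADDR)
    return 1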
def find_bios_funcs():
    """Annotate the fixed BIOS vector/work area at 0x06000200 (apparently a Sega Saturn BIOS).

    Defines strings, bytes, words and dwords at their hard-coded offsets,
    turns the known vector slots into functions via ``make_vector`` and
    names the ones with known roles (SCU/SH2 interrupt and clock helpers).
    The order of operations matches the original listing.

    Returns:
        Always 1.
    """
    B = 0x06000000

    def dwords(*offs):
        for off in offs:
            ida_bytes.create_dword(B + off, 4)

    def vectors(*offs):
        for off in offs:
            make_vector(B + off, "")

    def strlit(off, length):
        ida_bytes.create_strlit(B + off, length, ida_nalt.STRTYPE_C)

    def funcs(*offs):
        for off in offs:
            ida_funcs.add_func(B + off, ida_idaapi.BADADDR)

    strlit(0x200, 16)
    ida_bytes.create_byte(B + 0x210, 36)
    vectors(0x234, 0x238, 0x23C)
    strlit(0x240, 4)
    strlit(0x244, 4)
    dwords(0x248, 0x24C)
    vectors(0x250)
    dwords(0x264)
    vectors(0x268)
    make_vector(B + 0x26C, "bios_run_cd_player")
    vectors(0x270)
    make_vector(B + 0x274, "bios_is_mpeg_card_present")
    dwords(0x278, 0x27C)
    vectors(0x280, 0x284, 0x288, 0x28C)
    dwords(0x290, 0x294)
    make_vector(B + 0x298, "bios_get_mpeg_rom")
    vectors(0x29C)
    dwords(0x2A0, 0x2A4, 0x2A8, 0x2AC)
    vectors(0x2B0)
    dwords(0x2B4, 0x2B8, 0x2BC, 0x2C0)

    # 0x2C4 .. 0x320: a run of unnamed vectors, then the known ones get labels.
    vectors(*range(0x2C4, 0x324, 4))
    for off, label in {
        0x300: "bios_set_scu_interrupt",
        0x304: "bios_get_scu_interrupt",
        0x310: "bios_set_sh2_interrupt",
        0x314: "bios_get_sh2_interrupt",
        0x320: "bios_set_clock_speed",
    }.items():
        idc.set_name(B + off, label)
    dwords(0x324)
    idc.set_name(B + 0x324, "bios_get_clock_speed")

    # 0x328 .. 0x344: same pattern for the interrupt-mask helpers.
    vectors(*range(0x328, 0x348, 4))
    idc.set_name(B + 0x340, "bios_set_scu_interrupt_mask")
    idc.set_name(B + 0x344, "bios_change_scu_interrupt_mask")
    dwords(0x348)
    idc.set_name(B + 0x348, "bios_get_scu_interrupt_mask")
    vectors(0x34C)
    dwords(0x350, 0x354, 0x358, 0x35C)
    vectors(*range(0x360, 0x380, 4))

    # Trailing data blocks and the code entry points after them.
    ida_bytes.create_byte(B + 0x380, 16)
    ida_bytes.create_word(B + 0x390, 16)
    ida_bytes.create_dword(B + 0x3A0, 32)
    strlit(0x3C0, 0x40)
    funcs(0x600, 0x646)
    strlit(0x65C, 0x4)
    funcs(0x678, 0x67C, 0x690)
    ida_bytes.create_dword(B + 0xA80, 0x80)
    return 1
import ida_ua
import ida_bytes
import ida_funcs
import ida_kernwin
from ida_idaapi import BADADDR


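def read_addrs(file):
    """Yield the addresses listed one per line in *file*.

    Each line holds one hexadecimal address, with or without a ``0x``
    prefix. Blank lines are skipped so a trailing newline or an empty file
    does not abort the run; any other malformed line raises ValueError.

    Args:
        file: path of the address list.

    Yields:
        int: each address in file order.
    """
    with open(file, "r") as f:
        for line in f:
            text = line.strip()
            if not text:
                continue
            yield int(text, 16)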


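# ask_file() returns None when the dialog is cancelled; guard so that a
# cancel does not end in open(None) raising TypeError.
pto_file = ida_kernwin.ask_file(0, "*.fad", "Choose a function address file")
if pto_file:
    # Function start addresses: decode an instruction and start a function.
    for addr in read_addrs(pto_file):
        ida_ua.create_insn(addr)
        ida_funcs.add_func(addr, BADADDR)

ptr_file = ida_kernwin.ask_file(0, "*.fpt", "Choose a function pointer file")
if ptr_file:
    # Function pointer slots: just define them as dwords.
    for addr in read_addrs(ptr_file):
        ida_bytes.create_dword(addr, 4)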
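def make_ptr(ea):
    """Define a pointer-sized data item at *ea*, undefining whatever was there.

    ``psize`` is the module-level pointer size in bytes of the target
    (resolves the original "TODO: arch"): an 8-byte pointer becomes a single
    qword rather than two dwords; any other size keeps the original
    ``create_dword(ea, psize)`` call.

    Returns:
        The result of the IDA ``create_*`` call.
    """
    ida_bytes.del_items(ea, 0, psize)
    if psize == 8:
        return ida_bytes.create_qword(ea, 8)
    return ida_bytes.create_dword(ea, psize)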
def make_word(ea):
    """Define one machine-word item at *ea* based on the module-level WORD_LEN.

    WORD_LEN 4 gives a dword, 8 a qword; any other value defines nothing and
    returns None. Otherwise returns the IDA ``create_*`` result.
    """
    creators = {
        4: ida_bytes.create_dword,
        8: ida_bytes.create_qword,
    }
    create = creators.get(WORD_LEN)
    if create is None:
        return None
    return create(ea, WORD_LEN)