def make_func(func, name):
    """Create a function at ``func`` and optionally name it.

    ``func`` is an ARM address whose low bit carries the instruction set
    (0 = ARM, 1 = THUMB).  That bit is stripped to get the real start
    address and written to the ``T`` segment register of the first four
    bytes before the function is created, so IDA knows which instruction
    set to decode there.  ``name`` is applied only when it is truthy.
    """
    mode = func & 1        # 0 = ARM, 1 = THUMB
    start = func & ~1      # same as func - mode: drop the mode bit
    for ea in (start, start + 1, start + 2, start + 3):
        idc.SetReg(ea, "T", mode)
    idc.MakeFunction(start)
    if name:
        idc.MakeName(start, name)
    def setCodeType(self, ea_start, ea_end, code_type):
        """Write ``code_type`` into the ``T`` register of every byte in a range.

        The range is half-open: ``ea_start`` is included, ``ea_end`` is not.
        An empty or inverted range (``ea_end <= ea_start``) writes nothing.

        Args:
            ea_start (int): effective address for the start of the range
            ea_end (int): effective address for the end of the range
            code_type (int): wanted code type for the code range
        """
        for ea in xrange(ea_start, ea_end):
            idc.SetReg(ea, 'T', code_type)
def load_file(li, neflags, fmt):
    """IDA loader entry point for a BCM20734 SPI flash dump.

    Selects the armv7-m processor, lets the user choose which PatchRAM image
    to use when the dump holds more than one, creates the fixed ROM/RAM
    segments and fills them from user-chosen files, then applies PatchRAM
    records as patched bytes (record type 0x08 when patching ROM 1, 0x0a in
    addition when the RAM regions are patched too).  Always returns 1.

    Args:
        li: IDA input handle for the file being loaded
        neflags: loader flags (not used here)
        fmt: selected format name (not used here)
    """
    # Assume BCM20734 == cortex-m3
    idaapi.set_processor_type('arm:armv7-m', idaapi.SETPROC_ALL | idaapi.SETPROC_FATAL)

    parser = FwParser(li)

    # Default to the active image; only ask when there is a real choice.
    fw_index = parser.active_fw
    if len(parser.fw) > 1:
        lines = ['SPI dump has more than one PatchRAM image.\n\nEnter the index of the one to load:']
        for idx in range(len(parser.fw)):
            if not parser.fw_present(idx):
                continue
            tag = '[active]' if idx == parser.active_fw else ''
            lines.append('%i @ 0x%08x %s' % (idx, parser.fw_offsets[idx], tag))
        # NOTE(review): the value returned for a cancelled dialog is passed on
        # to parser.process unchecked -- confirm it is a valid image index.
        fw_index = ida_kernwin.asklong(parser.active_fw, '\n'.join(lines))

    # Create known memory regions
    make_seg([0x0, 0xC8000], 1)
    make_seg([0x260000, 0x26C000], 1)
    make_seg([0xD0000, 0xE0000])
    make_seg([0x200000, 0x248000])
    load_bin_file(0x0, "Choose ROM 1 (@0x000000)")
    load_bin_file(0x260000, "Choose ROM 2 (@0x260000)")
    load_bin_file(0xD0000, "Choose RAM_LO (@0x0D0000)")
    load_bin_file(0x200000, "Choose RAM_HI (@0x200000)")

    # The PatchRAM changes will show up as patched bytes
    def apply_patch(rec):
        return idaapi.patch_many_bytes(rec.addr, rec.data)

    rom_only = {0x08: apply_patch}
    rom_and_ram = {0x08: apply_patch, 0x0a: apply_patch}

    # ram_loaded is not defined here; presumably a module-level counter kept
    # up to date by load_bin_file -- TODO confirm.
    load_rampatch = 0
    if ram_loaded == 0:
        load_rampatch = ida_kernwin.askbuttons_c(
            'Yes', 'No', 'Not sure', 1,
            'Do you want to patch ROM 1 and RAM regions with the provided PatchRAM?\n\n')
        if load_rampatch == 1:
            print('Patching ROM1, RAM_LO and RAM_HI:')
            parser.process(rom_and_ram, fw_index)
            print('ROM 1, RAM_LO and RAM_HI regions were patched.')
    elif ram_loaded == 1:
        print('Patching ROM1:')
        parser.process(rom_only, fw_index)
        print('Only one RAM region loaded. ROM 1 was patched.')
    elif ram_loaded == 2:
        load_rampatch = ida_kernwin.askbuttons_c(
            'Yes', 'No', 'Not sure', 0,
            'RAM_LO and RAM_HI were loaded.\n\nDo you want to patch them with the provided PatchRAM?\n\n')
        if load_rampatch in (-1, 0):
            print('Patching ROM1:')
            parser.process(rom_only, fw_index)
            print('RAM_LO and RAM_HI loaded. ROM 1 was patched.')
        elif load_rampatch == 1:
            print('Patching ROM1, RAM_LO and RAM_HI:')
            parser.process(rom_and_ram, fw_index)
            print('RAM_LO and RAM_HI loaded. ROM 1 and both RAM regions were patched.')

    # Code is THUMB only
    # NOTE(review): every other SetReg call in these snippets names the register
    # 'T' (upper case); confirm 't' resolves to the same register.
    idc.SetReg(0x0, 't', 1)

    return 1
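def load_dbg_file(fn):
    """Load a DBG symbol file and create a function for every symbol in it.

    Checks the 4-byte magic, skips 8 bytes, prints the header via
    ``dump_info``, skips 8 more bytes, then reads symbols with ``get_symbol``
    until one whose name contains ``/`` is reached (end-of-symbols marker).
    For each symbol the ``T`` (Thumb) segment register at its start is set to
    the symbol's mode before ``create_function`` is called; symbols whose
    register write fails are skipped.  ``print_stat`` runs at the end.

    Args:
        fn (str): path of the DBG file

    Returns:
        -1 if the magic does not match ``FILE_MAGIC``; None otherwise.
    """
    with open(fn, "rb") as fin:
        magic = fin.read(4)
        if magic != FILE_MAGIC:
            print("[ERROR] File magic is incorrect: " + magic + ", provide valid DBG file!")
            return -1
        fin.read(8)  # 8 unused bytes before the header
        dump_info(fin)
        fin.read(8)  # 8 unused bytes after the header
        idc.SetReg(0x0, "T", THUMB)
        i = 0
        while i < 10:
            fname, begin, end, mode = get_symbol(fin)
            if "/" in fname:
                print("[#] End of symbol region is reached. We are done!")
                break
            if DBG:
                print("[*] Name: " + fname + " Start: " + hex(
                    begin) + " End: " + hex(end) + " ARM mode: " + str(mode))
                # NOTE(review): the counter only advances in debug mode, so with
                # DBG off the loop runs until the "/" sentinel is found (and,
                # unless get_symbol raises at EOF, indefinitely on a file that
                # lacks one); with DBG on it stops after 10 symbols.  Kept as
                # the author wrote it -- confirm which behaviour is intended.
                i += 1
            if not idc.SetReg(begin, "T", mode):
                print("[ERROR] Failed to set segment register")
                continue
            create_function(fname, begin, end, mode)
        print_stat()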
    def make_func (self, ea):
        """
        Create a function at ``ea``, discarding whatever IDA already had there.

        Any function covering ``ea`` is deleted first.  When ``isArm`` is
        set, ``ea`` is forced to 2-byte alignment, ``self.maxInsCnt`` bytes
        are undefined, marked as Thumb (``T`` = 1) and re-analysed, and the
        result of ``MakeCode`` is returned.  Otherwise 100 bytes are
        undefined and re-analysed, code is created and the result of
        ``MakeFunction`` with an open end (``BADADDR``) is returned.
        """
        existing = idaapi.get_func (ea)
        if existing:
            DelFunction (existing.startEA)
        # FIXME

        if not isArm:
            MakeUnknown (ea, 100, idc.DOUNK_EXPAND)
            AnalyzeArea (ea, ea+100)
            MakeCode (ea)
            return MakeFunction (ea, BADADDR)

        ea &= -2  # clear the low bit so the address is halfword aligned
        span = self.maxInsCnt
        MakeUnknown (ea, span, idc.DOUNK_EXPAND)
        for addr in range (ea, ea + span):
            idc.SetReg(addr, "T", 1)  # mark as Thumb
        AnalyzeArea (ea, ea + span)
        return MakeCode (ea)
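def set_breakpoint(ea, isthumb=1):
    """Mark ``ea`` as code in the requested mode and set a breakpoint on it.

    Args:
        ea (int): effective address to break on
        isthumb (int): value written to the ``T`` segment register at ``ea``
            (1 = Thumb, 0 = ARM). Defaults to Thumb, which matches the old
            behaviour; the argument used to be ignored and ``T`` was always
            set to 1.
    """
    idc.SetReg(ea, "T", isthumb)  # honour the caller's mode
    idc.MakeCode(ea)
    idc.add_bpt(ea)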