NationalSecurityAgency / ghidra

Ghidra is a software reverse engineering (SRE) framework
https://www.nsa.gov/ghidra
Apache License 2.0

Support for ST231 #5535

Open GerdGattuso opened 1 year ago

GerdGattuso commented 1 year ago

Is your feature request related to a problem? Please describe. I am trying to reverse firmware for the ST231 processor (ST200 family), but haven't found a disassembler yet. Can you add support for ST231 to Ghidra?

Describe the solution you'd like It would be nice if you could add the ST231 processor.

Describe alternatives you've considered Unfortunately none.

Additional context I attached the instruction set for the ST231. Here are also two links:

http://www.audentia-gestion.fr/STMicroelectronics/PDF/en.CD17645929.pdf
https://www.st.com/resource/en/technical_note/tn0614-high-performance-vliw-processor-core-stmicroelectronics.pdf

mumbel commented 11 months ago

Build tools or sample binaries? This looks like a pretty complex ISA due to the bundles. Instruction decoding is trivial; they're all fairly simple instructions to do in SLEIGH, but implementing the SLEIGH where flow control is involved won't be straightforward.

GerdGattuso commented 10 months ago

Build tools I unfortunately do not have, but I will try to get the ST200 toolset. I have attached a sample binary: audio-firmware-38.3.0.24-4.zip

mumbel commented 10 months ago

Every time I look at this ISA I think I hate it more than the last time.

All of the instruction patterns need to track the stop bit for the bundles. With up to 4 instructions in a bundle, the last instruction has the bit set: op31=0 -> delayslot(1), op31=1 -> delayslot(0).

It seems the options then are:

1. if/goto
   ```
   if (op31:1 == 1) goto <no_delay>;
   delayslot(1);
   <no_delay>
   ```
2. attach bit pattern
   ```
   attach values [ op31 ] [ 1 0 ];
   ...
   delayslot(op31);
   ```
3. table
   ```
   stop: is op31=1 {}
   stop: is op31=0 { delayslot(1); }
   ```

It doesn't look like any approach really works that well:

Extension immediate values are just awful. An instruction can use a signed 9-bit immediate, but if it is after immr or before imml in a bundle, that becomes unsigned and is added to the 23-bit extension (shifted 9 bits). Getting the extension seems to be just a case of where the delayslot(1) is called (before or after reading the extension operand), but changing the signed 9-bit immediate to unsigned does not appear to be straightforward.
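A small runnable model of the two bundle rules discussed in the comment above (the stop bit in bit 31 closing a bundle of up to four syllables, and an imml/immr neighbour turning a signed 9-bit immediate into the low 9 bits of a 32-bit value). This is example code added for this page, not Ghidra code, not mumbel's SLEIGH, and not derived from the attached firmware or the linked ST documents. The field layout it uses (4-bit opcode in bits 30:27, immediate in bits 8:0, extension in bits 22:0, imml = 0xE, immr = 0xF) and the `make_syllable` helper and `SAMPLE_WORDS` input are assumptions constructed so the example runs; the real ST231 encoding must be taken from the ST documents.

```python
# Added example modelling the bundle rules from the thread. ASSUMPTION: the
# opcode values and field positions below are a hypothetical encoding chosen
# for the demonstration, not the real ST231 instruction format.
from dataclasses import dataclass
from typing import List

STOP_BIT = 1 << 31          # "op31" in the thread: 1 = last syllable of the bundle
MAX_BUNDLE = 4              # up to four syllables per bundle
OPCODE_SHIFT, OPCODE_MASK = 27, 0xF   # hypothetical 4-bit opcode in bits 30:27
IMM9_MASK = 0x1FF           # hypothetical 9-bit immediate field, bits 8:0
EXT23_MASK = 0x7FFFFF       # hypothetical 23-bit extension field, bits 22:0
OP_IMML = 0xE               # hypothetical: extends the syllable before it
OP_IMMR = 0xF               # hypothetical: extends the syllable after it


def opcode(word: int) -> int:
    return (word >> OPCODE_SHIFT) & OPCODE_MASK


def sign9(value: int) -> int:
    """Interpret a 9-bit field as two's complement."""
    return value - 0x200 if value & 0x100 else value


def split_bundles(words: List[int]) -> List[List[int]]:
    """Group consecutive 32-bit syllables into bundles using the stop bit.

    A syllable with op31 == 0 is followed by more syllables of the same
    bundle; a syllable with op31 == 1 closes it. Both overlong bundles and a
    stream that ends mid-bundle are rejected rather than silently merged.
    """
    bundles, current = [], []
    for index, word in enumerate(words):
        current.append(word)
        if word & STOP_BIT:
            bundles.append(current)
            current = []
        elif len(current) == MAX_BUNDLE:
            raise ValueError(f"syllable {index}: {MAX_BUNDLE} syllables without a stop bit")
    if current:
        raise ValueError("input ends inside a bundle (last syllable has no stop bit)")
    return bundles


@dataclass
class Decoded:
    slot: int        # position inside the bundle
    opcode: int
    imm: int         # signed 9-bit value, or unsigned 32-bit value when extended
    extended: bool


def resolve_immediates(bundle: List[int]) -> List[Decoded]:
    """Resolve each non-extension syllable's immediate within one bundle.

    The extension comes from an immr directly before the syllable or an imml
    directly after it, as the thread describes; without a neighbouring
    extension the 9-bit field is sign-extended instead.
    """
    decoded = []
    for slot, word in enumerate(bundle):
        op = opcode(word)
        if op in (OP_IMML, OP_IMMR):
            continue                      # carries only extension bits, not an instruction
        imm9 = word & IMM9_MASK
        ext = None
        if slot > 0 and opcode(bundle[slot - 1]) == OP_IMMR:
            ext = bundle[slot - 1] & EXT23_MASK
        elif slot + 1 < len(bundle) and opcode(bundle[slot + 1]) == OP_IMML:
            ext = bundle[slot + 1] & EXT23_MASK
        if ext is None:
            decoded.append(Decoded(slot, op, sign9(imm9), False))
        else:
            # 23 extension bits above the now-unsigned 9-bit field: 32 bits in total
            decoded.append(Decoded(slot, op, (ext << 9) | imm9, True))
    return decoded


def decode_program(words: List[int]) -> List[List[Decoded]]:
    return [resolve_immediates(bundle) for bundle in split_bundles(words)]


def make_syllable(op: int, payload: int, stop: bool) -> int:
    """Build a syllable in the hypothetical layout (payload = imm9 or ext23)."""
    return (STOP_BIT if stop else 0) | (op << OPCODE_SHIFT) | payload


# Constructed input (not from the attached firmware): three bundles.
SAMPLE_WORDS = [
    make_syllable(0x1, 0x1FF, stop=False),       # imm9 = 0x1FF, extended by the imml after it
    make_syllable(OP_IMML, 0x000001, stop=True),
    make_syllable(OP_IMMR, EXT23_MASK, stop=False),
    make_syllable(0x2, 0x100, stop=True),        # extended by the immr before it
    make_syllable(0x3, 0x100, stop=True),        # plain: 0x100 reads as -256 (signed 9-bit)
]

if __name__ == "__main__":
    for n, bundle in enumerate(decode_program(SAMPLE_WORDS)):
        for d in bundle:
            print(f"bundle {n} slot {d.slot}: op={d.opcode:#x} imm={d.imm:#x} extended={d.extended}")
```

The neighbour lookup in `resolve_immediates` is exactly the part a per-syllable SLEIGH pattern cannot see on its own: the same 9-bit field decodes to -1 standing alone and to 0x3FF when an imml follows it in the bundle, so the decoder needs bundle context (here, the whole bundle as a list) before it can commit to a sign.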

mumbel commented 10 months ago

https://github.com/mumbel/ST200

I don't intend to do any further development, but figured I'd post my attempt. Bundles don't seem to work with the current delayslot() from what I've tried.

GerdGattuso commented 10 months ago

Okay. Thank you for your commitment. I will try to get the ST200 toolset. Maybe the toolset (with compiler) will be helpful.