NationalSecurityAgency / ghidra

Ghidra is a software reverse engineering (SRE) framework
https://www.nsa.gov/ghidra
Apache License 2.0

Unknown PowerPC VLE instructions #6535

Open GiGa911 opened 1 month ago

GiGa911 commented 1 month ago

While examining some firmware, I noticed that Ghidra does not recognize certain PowerPC VLE instructions that begin with 10. I wanted to report this issue. The processor in question is an MPC5777C. I tried with PowerPC:BE:64:VLEALT-32addr (1.6).

    00c61f76 b4 71           se_sth     r7,0x8(r1)
    00c61f78 58 de 00 20     e_lhz      r6,0x20(r30)
    00c61f7c b5 61           se_sth     r6,0xa(r1)
    00c61f7e 01 a4           se_mr      r4,r26
    00c61f80 01 93           se_mr      r3,r25
    00c61f82 78 07 7e 6b     e_bl       FUN_00cd9dec                                     undefined FUN_00cd9dec()
    00c61f86 70 e8 e4 7a     e_lis      r7,0x447a
    00c61f8a 10              ??         10h
    00c61f8b 63              ??         63h    c
    00c61f8c 3a c8 10 e0     e_lha      r22,DAT_000010e0(r8)
    00c61f90 e2 d0           se_bne     cr0,LAB_00c61f30
    00c61f92 10              ??         10h
    00c61f93 63              ??         63h    c
    00c61f94 3a c9 13 a0     e_lha      r22,DAT_000013a0(r9)
    00c61f98 1a d8 b6 d1     e_subfic   r22,r24,-0x2e0001
    00c61f9c 7c 98 d0 10     subfc      r4,r24,r26
    00c61fa0 7c 77 c9 10     subfe      r3,r23,r25
    00c61fa4 78 07 7e 49     e_bl       FUN_00cd9dec                                     undefined FUN_00cd9dec()
    00c61fa8 70 e8 e7 c3     e_lis      r7,0x47c3
    00c61fac 18 e7 d1 50     e_ori      r7,r7,0x5000
    00c61fb0 10              ??         10h
    00c61fb1 63              ??         63h    c
    00c61fb2 3a c8 00 ed     e_lha      r22,0xed(r8)
    00c61fb6 7c fd e1 d6     mullw      r7,r29,r28
    00c61fba 10              ??         10h
    00c61fbb e0              ??         E0h
    00c61fbc 3a d0 10 63     e_lha      r22,DAT_00001063(r16)                            = FFh
    00c61fc0 3a c9 10 60     e_lha      r22,DAT_00001060(r9)                             = FFh
    00c61fc4 1a d8 b7 31     e_subfic   r22,r24,-0xce000001
    00c61fc8 18 61 80 08     e_addi     r3,r1,0x8
    00c61fcc 78 00 89 45     e_bl       FUN_00c6a910                                     undefined FUN_00c6a910()
    00c61fd0 5b 9e 00 20     e_lhz      r28,0x20(r30)
    00c61fd4 2a 6c           se_cmpi    r28,0x6

    00981112 7c e7 32 2e     lhzx       r7,r7,r6
    00981116 b9 71           se_sth     r7,0x12(r1)
    00981118 a8 61           se_lhz     r6,0x10(r1)
    0098111a 04 76           se_add     r6,r7
    0098111c b8 61           se_sth     r6,0x10(r1)
    0098111e 52 bf 00 00     e_lwz      r21,0x0(r31)
    00981122 50 e1 00 4c     e_lwz      r7,0x4c(r1)
    00981126 10              ??         10h
    00981127 95              ??         95h
    00981128 3a cc 7a 15     e_lha      r22,0x7a15(r12)
    0098112c 00 08           se_rfi
    0098112e 56 a1 00 4c     e_stw      r21,0x4c(r1)
    00981132 c1 4f           se_lwz     r4,0x4(r31)
    00981134 c9 71           se_lwz     r7,0x24(r1)
    00981136 10 84 3a cd     vextractd  v4,v7,0x4
    0098113a 7a 15 00 06     e_bgt      cr1,LAB_00981140
    0098113e d9 41           se_stw     r4,0x24(r1)
                         LAB_00981140                                    XREF[1]:     0098113a(j)  
    00981140 50 e1 00 4c     e_lwz      r7,0x4c(r1)
    00981144 10              ??         10h
    00981145 87              ??         87h
    00981146 aa ce           se_lhz     r28,0x14(r30)
    00981148 7a 05 00 06     e_ble      cr1,LAB_0098114e
    0098114c a4 bf           se_lhz     r27,0x8(r31)

Thank you everyone.

The missing instructions are related to Vector and Scalar Floating-Point. Selecting PowerPC:BE:64:VLE-32addr (1.6), everything is OK.

LukeSerne commented 1 month ago

Are you sure PowerPC:BE:64:VLEALT-32addr:default is the correct processor language for this firmware image then? From this example, it seems like you should use PowerPC:BE:64:VLE-32addr:default instead. From looking online, it seems that the MPC5777C (which actually contains two e200z7 cores) doesn't support AltiVec, so you should really be using PowerPC:BE:64:VLE-32addr:default.

GhidorahRex commented 1 month ago

See this note in the slaspec files:

# A given processor can be compliant with the PowerISA spec by including EITHER
# the embedded vector instructions (EVX) OR the AltiVec instructions
# However, these instruction sets overlap in their bit patterns, so Sleigh cannot support
# both at the same time. We have two language variants for PowerISA
# that specify which of these two vector specs is supported.

I would check the correct processor language and verify that you're using the right one. The PowerPC:BE:64:VLE-32addr:default does not support EVX.
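To make the bit-pattern overlap from the slaspec note concrete, here is an added Python example (not Ghidra code, and not from anyone in this thread). It reassembles the byte pairs that Ghidra printed as `??` in the listing above with the two bytes that were then mis-read as the start of the following `e_lha`, and splits each 32-bit word into the Power ISA primary opcode (bits 0-5) and extended opcode (bits 21-31). Every rejected word has primary opcode 4, the encoding space that both the SPE/EVX and the AltiVec instruction sets occupy, which is why one Sleigh spec cannot decode both. The small `efs*` extended-opcode table and the register-field layout are assumptions of this example taken from the SPE documentation, not from the issue; the addresses and bytes are quoted from the listing.

```python
# Added example, not Ghidra's code: decode the primary/extended opcode fields
# of the instruction words Ghidra rejected in the issue's listing.
# Field numbering follows the Power ISA convention: bit 0 is the MSB.
from typing import NamedTuple

PRIMARY_OPCODE_SHARED = 4  # primary opcode 4 hosts both EVX (SPE) and AltiVec (VMX)

# Scalar single-precision SPE (efs*) extended opcodes (bits 21-31).
# These values are an assumption of this example, quoted from the SPE
# programming environments manual rather than from the issue.
EFS_EXTENDED = {
    0x2C0: "efsadd", 0x2C1: "efssub", 0x2C8: "efsmul", 0x2C9: "efsdiv",
    0x2CC: "efscmpgt", 0x2CD: "efscmplt", 0x2CE: "efscmpeq",
    0x2D0: "efscfui", 0x2D1: "efscfsi",
}


class Fields(NamedTuple):
    primary: int    # bits 0-5
    rd: int         # bits 6-10 (rD; for compares, crfD is its top 3 bits)
    ra: int         # bits 11-15
    rb: int         # bits 16-20
    extended: int   # bits 21-31


def decode_fields(word: int) -> Fields:
    """Split a 32-bit instruction word into its EVX/X-form fields."""
    if not 0 <= word <= 0xFFFFFFFF:
        raise ValueError("expected a 32-bit instruction word")
    return Fields(
        primary=(word >> 26) & 0x3F,
        rd=(word >> 21) & 0x1F,
        ra=(word >> 16) & 0x1F,
        rb=(word >> 11) & 0x1F,
        extended=word & 0x7FF,
    )


def word_from_bytes(b: bytes) -> int:
    """The language is PowerPC:BE:..., so the first byte is the most significant."""
    if len(b) != 4:
        raise ValueError("need exactly four bytes")
    return int.from_bytes(b, "big")


def describe(word: int) -> str:
    """Render the word as an efs* mnemonic when it falls in the shared opcode-4 space."""
    f = decode_fields(word)
    if f.primary != PRIMARY_OPCODE_SHARED:
        return f"0x{word:08x}: primary opcode {f.primary}, not in the shared EVX/AltiVec space"
    name = EFS_EXTENDED.get(f.extended)
    if name is None:
        return f"0x{word:08x}: primary opcode 4, extended 0x{f.extended:03x} (not in this example's efs* table)"
    if name.startswith("efscmp"):          # compares write a CR field, encoded in rD's top 3 bits
        return f"0x{word:08x}: {name} cr{f.rd >> 2},r{f.ra},r{f.rb}"
    if name.startswith("efscf"):           # conversions take a single source operand in rB
        return f"0x{word:08x}: {name} r{f.rd},r{f.rb}"
    return f"0x{word:08x}: {name} r{f.rd},r{f.ra},r{f.rb}"


# Words reassembled from the listing in the issue: the "??" byte pair plus the
# two bytes Ghidra then consumed as the start of the following e_lha.
REJECTED_WORDS = {
    0x00C61F8A: bytes.fromhex("10633ac8"),
    0x00C61F92: bytes.fromhex("10633ac9"),
    0x00C61FBA: bytes.fromhex("10e03ad0"),
    0x00981126: bytes.fromhex("10953acc"),
    0x00981144: bytes.fromhex("1087aace"),
    # This one Ghidra did decode, but as the AltiVec "vextractd v4,v7,0x4":
    # the same word read under the EVX interpretation is an efs* compare.
    0x00981136: bytes.fromhex("10843acd"),
}


def all_in_shared_space(words=REJECTED_WORDS) -> bool:
    """True when every listed word carries the primary opcode shared by EVX and AltiVec."""
    return all(decode_fields(word_from_bytes(b)).primary == PRIMARY_OPCODE_SHARED
               for b in words.values())


if __name__ == "__main__":
    for addr, b in sorted(REJECTED_WORDS.items()):
        print(f"{addr:08x}  {describe(word_from_bytes(b))}")
```

Reading the output next to the listing shows why the VLE (EVX) variant decodes cleanly: the `efscmpgt cr1,...` at 00981126 is immediately followed by `e_bgt cr1`, and the `efscmpeq cr1,...` at 00981144 by `e_ble cr1`, while under the AltiVec variant the same primary opcode is claimed by unrelated vector instructions.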