search

mungewell / zoom-zt2

Python script to install/remove effects from the Zoom G1Four pedal
MIT License
62 stars 11 forks source link

ELF-embedded icons #54

Open nomadbyte opened 1 year ago

nomadbyte commented 1 year ago

In addition to effect's icon [ref: #52], the ELF part of the ZD2 contains several other icons: {CategoryIcon_{cat} and AddDelIcon_{cat}}

readelf -a -W SOFTEC3S.ZD2.elf | grep -e "0420" -e "0480" -e "05b8"
....
    39: 80000420    92 OBJECT  LOCAL  HIDDEN    13 picTotalDisplay_CarbonDly
    40: 800005b8    40 OBJECT  LOCAL  HIDDEN    13 CategoryIcon_Dynamics
    41: 80000480    72 OBJECT  LOCAL  HIDDEN    13 AddDelIcon_Dynamics

    54: 80000420     0 SECTION LOCAL  HIDDEN    13 .const:picTotalDisplay_CarbonDly
    55: 800005b8     0 SECTION LOCAL  HIDDEN    13 .const:CategoryIcon_Dynamics
    56: 80000480     0 SECTION LOCAL  HIDDEN    13 .const:AddDelIcon_Dynamics

References to this data could be seen from the .const block for the effectTypeImageInfo, same one that describes the effect's on-device icon:

$ readelf -a -W SOFTEC3S.ZD2.elf | grep "] \.const"
  [13] .const            PROGBITS        80000000 0018e0 00064a 00   A  0   0  8

$ readelf -a -W SOFTEC3S.ZD2.elf | grep "effectTypeImageInfo"
...
    42: 80000150   304 OBJECT  LOCAL  HIDDEN    13 effectTypeImageInfo
effectTypeImageInfo:

SOFTEC3S.ZD2.elf@0x1a30 = (0x18e0+0x150)

17 00 00 00 1e 00 00 00 20 04 00 80 14 00 00 00 0a 00 00 00 b8 05 00 80 18 00 00 00 16 00 00 00 80 04 00 80 ...

reference addresses:

0x80000420:.const:picTotalDisplay_CarbonDly  (sized: 0x17 by 0x1e px)
0x800005b8:.const:CategoryIcon_Dynamics  (sized: 0x14 by 0x0a px)
0x80000480:.const:AddDelIcon_Dynamics (sized: 0x18 by 0x16 px)

I didn't try to extract the actual images. I assume the reference addresses should translate into offsets into the .const or other section of the ELF.

This is for SOFTEC3S.ZD2 (SoftEcho) module, not sure if such layout is applicable for other modules.

mungewell commented 1 year ago

Thank you for highlighting those other icons.... I had already found the ones which were used for 'Parameter Labels' (mostly just rendered Text).

80000370 l     O .const 00000038 .hidden _PrmPic_DETCT
800003a8 l     O .const 00000036 .hidden _PrmPic_Depth
800003e0 l     O .const 00000036 .hidden _PrmPic_THRSH

I'm sure you saw my (horrible) Bash/ImageMagick script, which can be adjusted if you really want to see what these icons look like. ;-) https://github.com/mungewell/zoom-zt2/blob/master/extract_device_icon.sh

Given the number of icons it would be nice if this was clean in Python - I mentioned the 'pwntools' project in #52 which can read into the ELF without extra steps... it installs a lot of extra stuff, so I'll see if the elf.py bit can run as a standalone module.

https://github.com/Gallopsled/pwntools/tree/dev/pwnlib/elf

mungewell commented 1 year ago

Pushed a script that can read the ELF file to extract icon, or other images. https://github.com/mungewell/zoom-zt2/blob/master/extract_device_icon.py

For now it looks like pwnlib can only read from a real (on disk) file, so the ELF should be extracted first and the -e flag used. https://github.com/Gallopsled/pwntools/issues/2155

$ python3 extract_device_icon.py -e ZNR.ZD2.code
[!] Could not populate PLT: 'int' object has no attribute 'lower'
[*] '/home/simon/zoom-zt2-sdw-github/ZNR.ZD2.code'
    Arch:     140-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
Extracting symbol: picTotalDisplay_ZNR
From Address: 0x80000280 to 0x800002DC

$ python3 extract_device_icon.py -t "_PrmPic_DETCT" -s 2 -o PrmPic.png -e ZNR.ZD2.code
[!] Could not populate PLT: 'int' object has no attribute 'lower'
[*] '/home/simon/zoom-zt2-sdw-github/ZNR.ZD2.code'
    Arch:     140-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
Extracting symbol: _PrmPic_DETCT
From Address: 0x80000370 to 0x800003A8```
mungewell commented 1 year ago

Continued 'messing' and found a better/working solution with 'filebytes'. https://github.com/sashs/filebytes

$ python3 extract_device_icon.py  MDL_DOVE.ZD2 ; display icon.png 
Target matched: picTotalDisplay_AgModel
Symbol located: 0x800017e8
$ python3 extract_device_icon.py -t "_PrmPic" -s 2 MDL_DOVE.ZD2 ; display icon.png 
Target matched: _PrmPic_Treble
Symbol located: 0x80001848
zachriggle commented 1 year ago

This should probably go into upstream pyelftools

shooking commented 1 week ago

hi all - I hacked a variant of this plus Elynx's work to extract icons from the older ZDLs.

https://github.com/shooking/ZoomPedalFun/blob/main/MS70CDR/DerivedData/2.10/extract_ZDL_device_icon.py

examples here https://youtu.be/-6glw_k0LDg

I also made a docker to access ARMs toolchain on a Pi.

shookingsybase/ti6000-docker-aarch64

https://github.com/shooking/TI6000_arm

run the install then send cmds to the docker like

cd <> export TI_FOLDER=pwd ticmd dis6x -a -b Air.elf

Disassembly of Air.elf:

TEXT Section .text (Little Endian), 0xBE0 bytes at 0x0 00000000 Fx_REV_Air_onf_aft: 00000000 e01c LDW.D1T1 A4[7],A1 00000002 200c LDW.D1T1 A4[1],A0 00000004 0230a358 MVK.L1 12,A4 00000008 03333328 MVK.S1 0x6666,A6 0000000c 02003faa MVK.S2 0x007f,B4 00000010 00041362 B.S2X A1 00000014 02008078 ADD.L1 A4,A0,A4 00000018 03221868 MVKH.S1 0x44300000,A6 0000001c e0200000 .fphead n, l, W, BU, nobr, nosat, 0000001b 00000020 f603 SHL.S2 B4,0x17,B4 00000022 2c6e NOP 2 00000024 Fx_REV_Air_tone_edit: 00000024 31f7 STW.D2T2 B3,B15--[2] 00000026 c246 || MV.L1 A4,A6 00000028 0f9be266 LDW.D1T2 +A6[31],B31 0000002c 211c LDW.D1T1 A6[1],A1 0000002e 014c LDW.D1T1 A6[0],A4 00000030 10016813 || CALLP.S2 __c6xabi_call_stub,B3 00000034 6627 || MVK.L2 3,B4 00000036 0e92 MVK.S1 136,A5 00000038 c2d0 ADD.L1 A6,A5,A5 0000003a 00dc LDW.D1T1 *A5[0],A5