mungewell / zoom-zt2

Python script to install/remove effects from the Zoom G1Four pedal
MIT License

ELF-embedded icons #54

Open nomadbyte opened 1 year ago

nomadbyte commented 1 year ago

In addition to the effect's icon [ref: #52], the ELF part of the ZD2 contains several other icons: CategoryIcon_{cat} and AddDelIcon_{cat}

readelf -a -W SOFTEC3S.ZD2.elf | grep -e "0420" -e "0480" -e "05b8"
....
    39: 80000420    92 OBJECT  LOCAL  HIDDEN    13 picTotalDisplay_CarbonDly
    40: 800005b8    40 OBJECT  LOCAL  HIDDEN    13 CategoryIcon_Dynamics
    41: 80000480    72 OBJECT  LOCAL  HIDDEN    13 AddDelIcon_Dynamics

    54: 80000420     0 SECTION LOCAL  HIDDEN    13 .const:picTotalDisplay_CarbonDly
    55: 800005b8     0 SECTION LOCAL  HIDDEN    13 .const:CategoryIcon_Dynamics
    56: 80000480     0 SECTION LOCAL  HIDDEN    13 .const:AddDelIcon_Dynamics

References to this data can be seen in the .const block for effectTypeImageInfo, the same one that describes the effect's on-device icon:

$ readelf -a -W SOFTEC3S.ZD2.elf | grep "] \.const"
  [13] .const            PROGBITS        80000000 0018e0 00064a 00   A  0   0  8

$ readelf -a -W SOFTEC3S.ZD2.elf | grep "effectTypeImageInfo"
...
    42: 80000150   304 OBJECT  LOCAL  HIDDEN    13 effectTypeImageInfo

effectTypeImageInfo:

SOFTEC3S.ZD2.elf@0x1a30 = (0x18e0+0x150)

17 00 00 00 1e 00 00 00 20 04 00 80 14 00 00 00 0a 00 00 00 b8 05 00 80 18 00 00 00 16 00 00 00 80 04 00 80 ...

reference addresses:

0x80000420:.const:picTotalDisplay_CarbonDly  (sized: 0x17 by 0x1e px)
0x800005b8:.const:CategoryIcon_Dynamics  (sized: 0x14 by 0x0a px)
0x80000480:.const:AddDelIcon_Dynamics (sized: 0x18 by 0x16 px)

I didn't try to extract the actual images. I assume the reference addresses should translate into offsets into the .const or other section of the ELF.

This is for the SOFTEC3S.ZD2 (SoftEcho) module; I'm not sure if this layout applies to other modules.
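
The address-to-offset translation discussed in the comment above, as an added example (not code from the zoom-zt2 project). It decodes the three records visible in the dump and bounds-checks each pointer against the `.const` header values printed by readelf; the record layout (three little-endian 32-bit words) and the 1-bit, 8-rows-per-byte packing are assumptions, the latter chosen because it reproduces the symbol sizes 92, 40 and 72 listed in the post.

```python
from __future__ import annotations
import struct
from typing import NamedTuple

# .const section header as printed by readelf in the post: Addr, Off, Size.
CONST_ADDR, CONST_OFF, CONST_SIZE = 0x80000000, 0x0018E0, 0x00064A

# First 36 bytes of effectTypeImageInfo, copied from the dump in the post.
TABLE = bytes.fromhex(
    "17000000 1e000000 20040080"
    "14000000 0a000000 b8050080"
    "18000000 16000000 80040080"
)

class IconRef(NamedTuple):
    width: int
    height: int
    vaddr: int
    file_offset: int
    byte_len: int

def vaddr_to_offset(vaddr: int, length: int) -> int:
    """Map a .const virtual address to an ELF file offset, rejecting any
    object that starts or ends outside the section."""
    rel = vaddr - CONST_ADDR
    if rel < 0 or rel + length > CONST_SIZE:
        raise ValueError(f"0x{vaddr:08x}+{length} is outside .const")
    return CONST_OFF + rel

def parse_icon_refs(table: bytes) -> list[IconRef]:
    """Assumed layout: repeated <width, height, address>, little-endian u32."""
    if len(table) % 12:
        raise ValueError("table is not a whole number of 12-byte records")
    refs = []
    for width, height, vaddr in struct.iter_unpack("<III", table):
        # Assumed packing: 1 bit per pixel, 8 vertical pixels per byte.
        byte_len = width * ((height + 7) // 8)
        offset = vaddr_to_offset(vaddr, byte_len)
        refs.append(IconRef(width, height, vaddr, offset, byte_len))
    return refs

if __name__ == "__main__":
    for r in parse_icon_refs(TABLE):
        print(f"{r.width}x{r.height} px @0x{r.vaddr:08x} "
              f"-> file offset 0x{r.file_offset:04x}, {r.byte_len} bytes")
```

Validating the pointer range before seeking matters when the ZD2 comes from an untrusted source, since a crafted table entry would otherwise direct the reader outside the section.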

mungewell commented 1 year ago

Thank you for highlighting those other icons.... I had already found the ones which were used for 'Parameter Labels' (mostly just rendered Text).

80000370 l     O .const 00000038 .hidden _PrmPic_DETCT
800003a8 l     O .const 00000036 .hidden _PrmPic_Depth
800003e0 l     O .const 00000036 .hidden _PrmPic_THRSH

I'm sure you saw my (horrible) Bash/ImageMagick script, which can be adjusted if you really want to see what these icons look like. ;-) https://github.com/mungewell/zoom-zt2/blob/master/extract_device_icon.sh

Given the number of icons it would be nice if this was clean in Python - I mentioned the 'pwntools' project in #52 which can read into the ELF without extra steps... it installs a lot of extra stuff, so I'll see if the elf.py bit can run as a standalone module.

https://github.com/Gallopsled/pwntools/tree/dev/pwnlib/elf

mungewell commented 1 year ago

Pushed a script that can read the ELF file to extract the icon, or other images. https://github.com/mungewell/zoom-zt2/blob/master/extract_device_icon.py

For now it looks like pwnlib can only read from a real (on disk) file, so the ELF should be extracted first and the -e flag used. https://github.com/Gallopsled/pwntools/issues/2155

$ python3 extract_device_icon.py -e ZNR.ZD2.code
[!] Could not populate PLT: 'int' object has no attribute 'lower'
[*] '/home/simon/zoom-zt2-sdw-github/ZNR.ZD2.code'
    Arch:     140-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
Extracting symbol: picTotalDisplay_ZNR
From Address: 0x80000280 to 0x800002DC

$ python3 extract_device_icon.py -t "_PrmPic_DETCT" -s 2 -o PrmPic.png -e ZNR.ZD2.code
[!] Could not populate PLT: 'int' object has no attribute 'lower'
[*] '/home/simon/zoom-zt2-sdw-github/ZNR.ZD2.code'
    Arch:     140-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
Extracting symbol: _PrmPic_DETCT
From Address: 0x80000370 to 0x800003A8

mungewell commented 1 year ago

Continued 'messing' and found a better/working solution with 'filebytes'. https://github.com/sashs/filebytes

$ python3 extract_device_icon.py  MDL_DOVE.ZD2 ; display icon.png 
Target matched: picTotalDisplay_AgModel
Symbol located: 0x800017e8
$ python3 extract_device_icon.py -t "_PrmPic" -s 2 MDL_DOVE.ZD2 ; display icon.png 
Target matched: _PrmPic_Treble
Symbol located: 0x80001848

zachriggle commented 1 year ago

This should probably go into upstream pyelftools