tslater2006 / esp32_flash_loader

Ghidra Loader for ESP32 Flash Dumps

Esp32 S2 support #2

Closed Ebiroll closed 4 years ago

Ebiroll commented 4 years ago

F.Y.I. I am working on ESP32-S2 flash support. I would also like to add the known functions in ROM. Any ideas/suggestions on the best way to do this? https://github.com/cesanta/mongoose-os/blob/master/platforms/esp32/src/rom/rom_functions.S Or maybe it is easier to add the entire rom.elf file after loading the flash file. https://github.com/cesanta/mongoose-os/blob/master/platforms/esp32/src/rom/disasm.sh

tslater2006 commented 4 years ago

Hey there, I'm looking at the pull request now. Thank you for adding all of this.

Re: your question, we could very well create a memory block and define functions at the known addresses, but there wouldn't be any code there. If we can load the espressif delivered ELF (or at least certain sections of it) I think that would be best, though I don't know off hand how to do it

ESP32 ROM ELF: https://dl.espressif.com/dl/esp32_rom.elf

This ELF looks to be the same for the ESP32-S2: https://docs.espressif.com/projects/esp-idf/en/latest/esp32s2/api-guides/core_dump.html

Ebiroll commented 4 years ago

They have not updated the text yet, but note "The python utility does not currently support ESP32-S2." The elf on the S2 will differ: https://github.com/espressif/esp-idf/blob/master/components/esp_rom/esp32s2/ld/esp32s2.rom.ld

You probably know this, but addresses below 0x40000000 are on the data bus and above it on the instruction bus. So, e.g., the Internal SRAM 0 is located at both address 0x3FFB0000 and 0x40020000.

The way the bootloader maps the segments is to write to the MMU table. It maps 4K (0x10000) segments of the flash on to the instruction bus and data bus (External Memory Address Mapping, in TRM)

The easiest way is probably just to use the importSymbolSript.py and then parse the esp-idf header files. https://youtu.be/u15-r5Erfnw The hardest part will be to create a proper parse configuration. To get the code at the correct location you make a dump of the ROM and then File->addToProgram. But the main reason is to locate calls to known functions.

Ebiroll commented 4 years ago

Yes. It seems to work. Add the ROM dump first, then import with importSymbolSript.py, then in Data Type Manager apply generic-clib. I put the files here: https://github.com/Ebiroll/esp32s2_kaluga/tree/master/rom Now we only need to be able to parse the header files in esp-idf/components/esp_rom/include/esp32s2/rom

Ebiroll commented 4 years ago

Success on import, on most of the files. Just add stdint.h in the directory. Some files did not work, so I removed them from the parse. I used this:

```c
/* Ghidra's built-in scalar types, spelled out so the header parser accepts them. */
typedef unsigned char undefined;
typedef unsigned char bool;
typedef unsigned char byte;
typedef unsigned int dword;
typedef long double longdouble;
typedef long long longlong;
typedef unsigned char uchar;
typedef unsigned int uint;
typedef unsigned long ulong;
typedef unsigned long long ulonglong;
typedef unsigned char undefined1;
typedef unsigned int undefined3;
typedef unsigned int undefined4;
typedef unsigned long long undefined5;
typedef unsigned long long undefined6;
typedef unsigned long long undefined7;
typedef unsigned long long undefined8;
typedef unsigned short ushort;
typedef unsigned short wchar16;
typedef unsigned int wchar32;
typedef unsigned short word;

/* stdint-style names built on the scalars above (the "__" form first, then the public alias). */
typedef int __int32_t;
typedef __int32_t int32_t;
typedef longlong __int64_t;
typedef __int64_t int64_t;
typedef char __int8_t;
typedef __int8_t int8_t;
typedef int __intptr_t;
typedef __intptr_t intptr_t;
typedef ushort __uint16_t;
typedef __uint16_t uint16_t;
typedef uint __uint32_t;
typedef __uint32_t uint32_t;
typedef ulonglong __uint64_t;
typedef __uint64_t uint64_t;
typedef uchar __uint8_t;
typedef __uint8_t uint8_t;
typedef uint __uintptr_t;
typedef __uintptr_t uintptr_t;
```

Ebiroll commented 4 years ago

Loading of an esp32s2 flash might load the esp32_rom.elf file as well, but I have not tested this yet. Maybe it does not happen. It also does not work with a flash built with older versions of esp-idf. Anyway, thanks for the flashloader.

tslater2006 commented 4 years ago

I tried finding a rom for the esp32-s2 and I couldn't find one specific for it. Just the stock esp32 rom. If you know where to find it I'd be happy to have the loader look for that one too.

Able to share a flash built with older esp idf? My current target uses some 2019 builds and they load fine.


Ebiroll commented 4 years ago

Oh, OK. Thanks. Here is a dump of a really old Wemos ESP32 flash: https://drive.google.com/file/d/1eC9zpwxGKMNEigx7CeQNJMFuwSMLqdaQ/view?usp=sharing It might be built with a really old esp-idf version, in China. It would be cool if it was possible to load. Also, the flashloader does not support spiff-partitions? The esp32s2_rom.elf I have built myself with this script: https://github.com/Ebiroll/esp32s2_kaluga/tree/master/rom/make-elf

Ebiroll commented 4 years ago

You have to dump the S2 ROM with esptool:

```
esptool.py --chip esp32s2 -p /dev/ttyUSB1 --baud 115200 dump_mem 0x40000000 131072 irom.bin
```

Also, the ROM is visible on the data bus at 0x3ffa0000, 0x10000: same information but with a different address. I never worked out how to add this to the elf file, but loaded it manually in Ghidra.

tslater2006 commented 4 years ago

I'll take a look at that flash and see why it's not loading. Thanks for the file.


Ebiroll commented 4 years ago

Thanks, I got a little curious when I tried binwalk.

```
binwalk wemos.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
136012        0x2134C         Unix path: /dev/uart/0
1118860       0x11128C        Unix path: /dev/uart/0
1157124       0x11A804        Unix path: /home/fzb/share/proj_smartconfig/SSC/components/smartconfig/./sc_sniffer.c
1175056       0x11EE10        SHA256 hash constants, little endian
1177908       0x11F934        PEM certificate
1196064       0x124020        PEM RSA private key
1196128       0x124060        PEM EC private key
1196504       0x1241D8        PEM RSA private key
1198212       0x124884        PEM certificate
1199424       0x124D40        PEM RSA private key
1201132       0x1253EC        PEM certificate
1202348       0x1258AC        PEM RSA private key
1204132       0x125FA4        PEM certificate
1205440       0x1264C0        PEM certificate
1221296       0x12A2B0        SHA256 hash constants, little endian
```

```
[olof@atrash qemu_esp32s2]$ strings wemos.bin | grep 2017
Dec 23 2017 10:27:52
Feb 23 2017
Aug 31 2017
Jun 12 2017
Feb 22 2017
[olof@atrash qemu_esp32s2]$ strings wemos.bin | grep sniff
E (%d) %s: %s %u wifi not start or sniffer not enabled, should start wifi or enable sniffer first
I (%d) %s: ic_enable_sniffer
I (%d) %s: ic_disable_sniffer
/home/fzb/share/proj_smartconfig/SSC/components/smartconfig/./sc_sniffer.c
D (%d) %s: T|sniffer on ch:%d,width:%d
D (%d) %s: T|sniffer on ch:%d, width:%d
D (%d) %s: F|sniffer on ch:%d,width:%d
```

Ebiroll commented 4 years ago

The same certificates appear on this page: https://us-cert.cisa.gov/ncas/analysis-reports/ar20-045f Interestingly enough, the same PolarSSL handshake appears in the Wemos binary. It is possible to run the binary in qemu. It would be cool if you could also load the bootloader with the flash_loader.

tslater2006 commented 4 years ago

For esp32 flash dumps that have a boot partition you can load that into ghidra via options and selecting the partition to load. That is the secondary bootloader though, and not the bootrom which I believe passes off to the secondary.


Ebiroll commented 4 years ago

OK. But I only see app0 and app1, and both give "Selected partition is not a valid App Image" when trying to load them.

tslater2006 commented 4 years ago

Is this for that wemo bin? Or some other flash file?

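As an added example (not code from the esp32_flash_loader project or from either participant), the check a loader performs before it accepts a partition as an app image, using the esptool / ESP-IDF image layout (0xE9 magic, 8-byte common header, 16-byte extended header with the chip id, then `seg_count` segments of load address + length + data) and the data-bus / instruction-bus split discussed above. The sample image is constructed in the block; the chip id mapping 0x0000 = ESP32, 0x0002 = ESP32-S2 is assumed from ESP-IDF's image header definition.

```python
import struct

# ESP32 app image layout (esptool / ESP-IDF format): 8-byte common header, 16-byte
# extended header (chip_id u16 at image offset 12), then `seg_count` segments.
IMAGE_MAGIC = 0xE9
COMMON_HDR = struct.Struct("<BBBBI")  # magic, seg_count, spi_mode, flash_cfg, entry
EXT_HDR_LEN = 16
CHIP_NAMES = {0x0000: "ESP32", 0x0002: "ESP32-S2"}
SEG_HDR = struct.Struct("<II")        # load address, data length

def bus_for(addr):
    """Split discussed in the thread: below 0x40000000 data bus, above instruction bus."""
    return "data" if addr < 0x40000000 else "instruction"

def parse_app_image(blob):
    """Return (chip, entry, [(load_addr, length, bus)]) or raise ValueError with the
    reason the blob is not a well-formed app image ('not a valid App Image')."""
    if len(blob) < COMMON_HDR.size + EXT_HDR_LEN:
        raise ValueError("too short for an image header")
    magic, seg_count, _spi_mode, _flash_cfg, entry = COMMON_HDR.unpack_from(blob, 0)
    if magic != IMAGE_MAGIC:
        raise ValueError(f"bad magic 0x{magic:02x}, expected 0x{IMAGE_MAGIC:02x}")
    if bus_for(entry) != "instruction":
        raise ValueError(f"entry point 0x{entry:08x} is not on the instruction bus")
    chip_id = struct.unpack_from("<H", blob, 12)[0]
    chip = CHIP_NAMES.get(chip_id, f"unknown chip id 0x{chip_id:04x}")
    off = COMMON_HDR.size + EXT_HDR_LEN
    segments = []
    for _ in range(seg_count):
        if off + SEG_HDR.size > len(blob):
            raise ValueError("segment header runs past end of image")
        load_addr, length = SEG_HDR.unpack_from(blob, off)
        off += SEG_HDR.size
        if off + length > len(blob):
            raise ValueError(f"segment at 0x{load_addr:08x} runs past end of image")
        segments.append((load_addr, length, bus_for(load_addr)))
        off += length
    return chip, entry, segments

def build_image(entry, segments, chip_id=0x0000):
    """Assemble a constructed sample image (not a real dump) for testing."""
    ext = bytearray(EXT_HDR_LEN)
    struct.pack_into("<H", ext, 12 - COMMON_HDR.size, chip_id)
    blob = COMMON_HDR.pack(IMAGE_MAGIC, len(segments), 0, 0, entry) + bytes(ext)
    for load_addr, data in segments:
        blob += SEG_HDR.pack(load_addr, len(data)) + data
    return blob

# Constructed sample: one DRAM and one IRAM segment, tagged with the ESP32-S2 chip id.
SAMPLE = build_image(0x400807A0, [(0x3FFB0000, b"\x00" * 16), (0x40080000, b"\x36\x41\x00" * 4)], 0x0002)
```

Running `parse_app_image` over a partition that was built by a different toolchain (or is not an app image at all) gives the specific reason for rejection instead of the loader's generic message; an appended SHA-256 or signature block after the last segment is not checked here.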