Tutorial on firmware decompiling

[DepreTux]

Hi!

Is there any chance that you could share the process to decompile the firmware so that the uninitiated like me could start tinkering with it?

I know it's risky, but it may enable a fun learning experience and, who knows, maybe we can help make the hacktribe even more powerful.

Thanks for everything!

[bangcorrupt]

Add AM1802.pspec to Ghidra along with an entry in ARM.ldefs.

Remove the header from the firmware update file and load it into Ghidra at address 0xc0000000.

Ghidra's auto analysis will do a pretty good job identifying the code and decompiling.

I use rizin for dynamic analysis. Generally I set a watchpoint on some data or a register, then try to work out what the function accessing it does.

[DepreTux]

Thanks a lot again!

[enorrmann]

Remove the header from the firmware update file

Hi ! I'm trying to decompile this, how many bytes is the header ?
new to this
thx !

[bangcorrupt]

The header is 256 bytes. When you import a file into Ghidra you can set an offset, so you wouldn't need to edit the file.

If you want to edit the file, try this:

dd if=SYSTEM.VSB of=SYSTEM.bin bs=256 skip=1

You could check it with hexdump:

hexdump -vC SYSTEM.VSB | less

[optikfiber]

Just to chime in on this topic, I'd like to help out if I can but I'm a bit stuck. I've done some reverse engineering years ago but ARM is new to me, so if you could point out eg. where you removed the filter restriction that might be a good starting point to begin understanding how the firmware works better. I can see there's some kind of channel or voice data structure where offset 0x31c holds the filter type, but can't seem to figure out where exactly the original sampler firmware limits you to just the 3 basic types. If I can get a handle on that I can start trying to understand other parts. Probably I'll look into choke groups first since the very limited options annoy me a lot in the original firmware.

[bangcorrupt]

If your'e looking for a starting point, the recent MIDI CC hacks are much more organised. If you diff the patched firmware for commits 364fd9b and 58f6560 you should be able to see how I diverted a branch and inserted a function sending MIDI.

[bukru]

Ok thanks a lot bangcorrupt ! : )

[enorrmann]

when decompiling I encounter several
/* WARNING: Bad instruction - Truncating control flow here */
halt_baddata();

is this OK or am I missing something ?

[bangcorrupt]

I see this a lot, I don't know enough about Ghidra to tell you more about it. I think maybe it's tried to treat data as code, or some opcode is not supported.