ihex:// does not work properly on ARMv7 LE?

[brainstorm]

Work environment

Questions	Answers
OS/arch/bits (mandatory)	OSX 10.14.6
File format of the file you reverse (mandatory)	ihex
Architecture/bits of the file (mandatory)	ARMv7 LE (STM32F103)
r2 -v full output, not truncated (mandatory)	radare2 4.0.0-git 22923 @ darwin-x86-64 git.3.2.1-2373-g1baa5ac48 commit: 1baa5ac build: 2019-10-06__23:45:38

Expected behavior

Sweet, valid 32-bit ARMv7 code and plenty of functions appearing in my lovely r2 console.

Actual behavior

Steps to reproduce the behavior

$ wget "http://www.minidso.com/forum.php?mod=attachment&aid=ODEyNHxlNGViOGYwOHwxNTcwMzY2NTg0fDB8MzY5Ng%3D%3D" -O MDP_M01_v1.20.zip && unzip MDP_M01_v1.20.zip && r2 -aarm -b32 -A ihex://MDP_M01_v1.20/MDP_M01.hex

Additional information

Entry point seems to be 0x0801c6a4.

[0x0801c6a4]> e asm.bits
32
[0x0801c6a4]> afl
0x0800d68c    2 16           fcn.0800d68c
0x0800d720    1 12           fcn.0800d720
0x08015eb4    1 12           fcn.08015eb4
0x0800f22c    1 12           fcn.0800f22c
0x080163c0    1 16           fcn.080163c0
0x08012090    1 24           fcn.08012090
0x08014534    1 12           fcn.08014534
0x080105f4    1 12           fcn.080105f4
0x08013b48    3 2553336 -> 24   fcn.08013b48
0x08017284    1 24           fcn.08017284
0x0801479c    1 16           fcn.0801479c
0x08015d2c    1 28           fcn.08015d2c
0x08018868    1 12           fcn.08018868
0x0801a0e0    1 8            fcn.0801a0e0
0x0801a0a0    1 8            fcn.0801a0a0
0x0801c6a4    1 12           fcn.0801c6a4
[0x0801c6a4]> afl | wc -l
      16
[0x0801c6a4]> iS
[Sections]
Nm Paddr       Size Vaddr      Memsz Perms Name

[0x0801c6a4]> i
fd       4
file     ihex://MDP_M01_v1.20/MDP_M01.hex
size     0x801cd3f
humansz  128.1M
mode     r-x
format   any
iorw     false
blksz    0x0
block    0x100
[0x0801c6a4]> !ls -alh *.hex
-rw-r--r--   1 romanvg  staff   234K Jul 12 17:59 MDP_M01.hex
[0x0801c6a4]> e cfg.bigendian
false

And my .radare2rc looks like:

#eco defragger
eco solarized
e asm.emu=true
e io.va=true
e bin.dbginfo=true
e cmd.pdc=r2dec
#e anal.a2f=true
e scr.utf8.curvy=true
e scr.utf8=true
e prj.git=true
e anal.bb.maxsize=4096
e io.unalloc=true
e scr.prompt.popup=true
aeim ; Analyze ESIL Initialize Memory

[brainstorm]

I guess that loading the right SVD for this IC and getting anal.to/anal.from right would shorten the analysis time since r2 doesn't have to go through all those fake 128MiB of memory space:

Perhaps related issues: #1843, https://github.com/radareorg/radare2/issues/8467

[radare]

you have to define anal.from and anal.to, otherwise its trying to analyze 64GB of code, which obv takes some time, so please, if r2 takes more than 5 mminutes to analyze something stop it because there's something wrong for sure.

You can check this with aae only.

[brainstorm]

[0x00000000]> e anal.from=0x08008000
[0x00000000]> e anal.to=0x0801ab89

Still very few functions for this :/

[brainstorm]

Giving it a try to r2svd:

[0x00000000]> s 0x08008000
[0x08008000]> !r2svd
Traceback (most recent call last):
  File "/Users/romanvg/.local/share/radare2/prefix/bin/r2svd", line 9, in <module>
    from cmsis_svd.parser import SVDParser
ModuleNotFoundError: No module named 'cmsis_svd'

[radare]

try installing this module :P

[brainstorm]

I know, but it should work out of the r2pm -i box, right? ;)

[brainstorm]

After installing and flaggin all the things:

[0x00000000]> !r2svd STMicro STM32F103xx.svd
CC Flexible static memory controller @ 0xa0000000
f FSMC 512 0xa0000000
f FSMC.BCR2 512 0xa0000001
f FSMC.BTR2 512 0xa0000001
f FSMC.BCR3 512 0xa0000002
f FSMC.BTR3 512 0xa0000002
f FSMC.BCR4 512 0xa0000003
(...)

The aae command does not pick up a single function :_/

[0x00000000]> s 0x08008000
[0x08008000]> aae
[0x08008000]> afl

[radare]

he flags loaded with r2svd dont specify code or functions at all, it just maps the devices.. well just create flags to point at them.totally unrelated to aa , etc.. just use afr with anal.hasnext

…

On 25 Feb 2020, at 12:59, Roman Valls Guimera ***@***.***> wrote: After installing and flaggin all the things: [0x00000000]> !r2svd STMicro STM32F103xx.svd CC Flexible static memory controller @ 0xa0000000 f FSMC 512 0xa0000000 f FSMC.BCR2 512 0xa0000001 f FSMC.BTR2 512 0xa0000001 f FSMC.BCR3 512 0xa0000002 f FSMC.BTR3 512 0xa0000002 f FSMC.BCR4 512 0xa0000003 (...) The aae command does not pick up a single function :_/ [0x00000000]> s 0x08008000 [0x08008000]> aae [0x08008000]> afl — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#15211?email_source=notifications&email_token=AAG75FQU3MSZ6V47C2EXQZLREUBZZA5CNFSM4I55Y22KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEM3WEBY#issuecomment-590832135>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAG75FTHSB5TWR3KOTAMQC3REUBZZANCNFSM4I55Y22A>.

[brainstorm]

[0x00000000]> e anal.hasnext=true
[0x00000000]> afr
[0x00000000]> afl
[0x00000000]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] find and analyze function preludes (aap)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Finding xrefs in noncode section with anal.in=io.maps
[x] Analyze value pointers (aav)
[x] Value from 0x08008000 to 0x0801ab89 (aav)
[x] 0x08008000-0x0801ab89 in 0x8008000-0x801ab89 (aav)
[x] Emulate code to find computed references (aae)
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x00000000]> afl | wc -l
     572
[0x00000000]> Vvjjj
   0x0801a036  114 fcn.0801a036
   0x0801a0a8   90 fcn.0801a0a8
   0x0801a102   18 fcn.0801a102
...
Segmentation fault: 11

[radare]

cant repro, mho you have a broken r2 installation

…

On 3 Mar 2020, at 12:16, Roman Valls Guimera ***@***.***> wrote: [0x00000000]> e anal.hasnext=true [0x00000000]> afr [0x00000000]> afl [0x00000000]> aaa [x] Analyze all flags starting with sym. and entry0 (aa) [x] Analyze function calls (aac) [x] find and analyze function preludes (aap) [x] Analyze len bytes of instructions for references (aar) [x] Check for objc references [x] Check for vtables [x] Finding xrefs in noncode section with anal.in=io.maps [x] Analyze value pointers (aav) [x] Value from 0x08008000 to 0x0801ab89 (aav) [x] 0x08008000-0x0801ab89 in 0x8008000-0x801ab89 (aav) [x] Emulate code to find computed references (aae) [x] Type matching analysis for all functions (aaft) [x] Propagate noreturn information [x] Use -AA or aaaa to perform additional experimental analysis. [0x00000000]> afl | wc -l 572 [0x00000000]> Vvjjj 0x0801a036 114 fcn.0801a036 0x0801a0a8 90 fcn.0801a0a8 0x0801a102 18 fcn.0801a102 ... Segmentation fault: 11 — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#15211?email_source=notifications&email_token=AAG75FW6PWHJNU7UXSIHFY3RFTRI3A5CNFSM4I55Y22KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOENTDEMQ#issuecomment-593900082>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAG75FVJZ7THPTMBJQKE5HLRFTRI3ANCNFSM4I55Y22A>.

[brainstorm]

(base) brainstorm:MDP_M01_v1.20 romanvg$ r2 -version
radare2 4.3.0-git 24003 @ darwin-x86-64 git.4.1.1-404-gf74dd3144
commit: f74dd31440fe90491c51420abc22edfb4d079958 build: 2020-03-03__22:32:06
(base) brainstorm:MDP_M01_v1.20 romanvg$ r2 -aarm -b32 ihex://MDP_M01.hex
Warning: r_bin_file_hash: file exceeds bin.hashlimit
 -- Log On. Hack In. Go Anywhere. Get Everything.
[0x00000000]> e anal.from=0x08008000
[0x00000000]> e anal.to=0x0801ab89
[0x00000000]> e anal.hasnext=true
[0x00000000]> afr
[0x00000000]> afl
[0x00000000]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] find and analyze function preludes (aap)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Finding xrefs in noncode section with anal.in=io.maps
[x] Analyze value pointers (aav)
[x] Value from 0x08008000 to 0x0801ab89 (aav)
[x] 0x08008000-0x0801ab89 in 0x8008000-0x801ab89 (aav)
[x] Emulate code to find computed references (aae)
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x00000000]> Vvjjjjjj
jjj
...
Segmentation fault: 11

Kabooom!!

[brainstorm]

Possibly related to #15093 ?

[brainstorm]

[brainstorm]

   0x08019e14   20 fcn.08019..
   0x08019e28   20 fcn.08019..
...
Process 94433 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x000000010a932ae5 libclang_rt.asan_osx_dynamic.dylib`wrap_strcmp + 85
libclang_rt.asan_osx_dynamic.dylib`wrap_strcmp:
->  0x10a932ae5 <+85>: movzbl (%r14,%rbx), %r13d
    0x10a932aea <+90>: addq   $0x1, %rbx
    0x10a932aee <+94>: testb  %r12b, %r12b
    0x10a932af1 <+97>: je     0x10a932af8               ; <+104>
Target 0: (r2) stopped.
(lldb) up
frame #1: 0x0000000107ec27f6 libr_anal.dylib`var_generate_list(a=0x000061a000000080, fcn=0x00006110001d1e00, kind=114, dynamicVars=false) at var.c:958:13
   955 							int i;
   956 							int arg_max = fcn->cc ? r_anal_cc_max_arg (a, fcn->cc) : 0;
   957 							for (i = 0; i < arg_max; i++) {
-> 958 								if (!strcmp (reg->name, r_anal_cc_arg (a, fcn->cc, i))) {
   959 									if (delta != reg->index) {
   960 										delta = reg->index;
   961 									}
(lldb)    0x08019e14   20 fcn.08019..
(lldb) up
frame #2: 0x0000000107eb2385 libr_anal.dylib`r_anal_var_list(a=0x000061a000000080, fcn=0x00006110001d1e00, kind=114) at var.c:1007:9
   1004	}
   1005
   1006	R_API RList *r_anal_var_list(RAnal *a, RAnalFunction *fcn, int kind) {
-> 1007		return var_generate_list (a, fcn, kind, false);
   1008	}
   1009
   1010	R_API RList *r_anal_var_list_dynamic(RAnal *a, RAnalFunction *fcn, int kind) {
(lldb) up
frame #3: 0x0000000107ec84e4 libr_anal.dylib`r_anal_fcn_vars_cache_init(anal=0x000061a000000080, cache=0x00007ffeefbe3ac0, fcn=0x00006110001d1e00) at var.c:1183:17
   1180
   1181	R_API void r_anal_fcn_vars_cache_init(RAnal *anal, RAnalFcnVarsCache *cache, RAnalFunction *fcn) {
   1182		cache->bvars = r_anal_var_list (anal, fcn, R_ANAL_VAR_KIND_BPV);
-> 1183		cache->rvars = r_anal_var_list (anal, fcn, R_ANAL_VAR_KIND_REG);
   1184		cache->svars = r_anal_var_list (anal, fcn, R_ANAL_VAR_KIND_SPV);
   1185		r_list_sort (cache->bvars, (RListComparator)var_comparator);
   1186		r_list_sort (cache->rvars, (RListComparator)regvar_comparator);
(lldb) up
frame #4: 0x0000000104f3fa22 libr_core.dylib`ds_show_functions(ds=0x000062000004d080) at disasm.c:1861:2
   1858		}
   1859		ds->stackptr = core->anal->stackptr;
   1860		RAnalFcnVarsCache vars_cache;
-> 1861		r_anal_fcn_vars_cache_init (core->anal, &vars_cache, f);
   1862
   1863		int o_varsum = ds->show_varsum;
   1864		if (ds->interactive && !o_varsum) {
(lldb) up
frame #5: 0x0000000104ee9161 libr_core.dylib`r_core_print_disasm(p=0x0000618000000080, core=0x000000010e701800, addr=134272668, buf="\x02\x91\x14FA\x8a\x03\x91", len=8, l=8, invbreak=0, cbytes=1, json=false, pj=0x0000000000000000, pdf=0x00006110001d1e00) at disasm.c:5414:3
   5411			ds_control_flow_comments (ds);
   5412			ds_adistrick_comments (ds);
   5413			/* XXX: This is really cpu consuming.. need to be fixed */
-> 5414			ds_show_functions (ds);
   5415
   5416			if (ds->show_comments && !ds->show_comment_right) {
   5417				ds_show_refs (ds);

And backtrace:

(lldb) bt
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x000000010a932ae5 libclang_rt.asan_osx_dynamic.dylib`wrap_strcmp + 85
    frame #1: 0x0000000107ec27f6 libr_anal.dylib`var_generate_list(a=0x000061a000000080, fcn=0x00006110001d1e00, kind=114, dynamicVars=false) at var.c:958:13
    frame #2: 0x0000000107eb2385 libr_anal.dylib`r_anal_var_list(a=0x000061a000000080, fcn=0x00006110001d1e00, kind=114) at var.c:1007:9
    frame #3: 0x0000000107ec84e4 libr_anal.dylib`r_anal_fcn_vars_cache_init(anal=0x000061a000000080, cache=0x00007ffeefbe3ac0, fcn=0x00006110001d1e00) at var.c:1183:17
    frame #4: 0x0000000104f3fa22 libr_core.dylib`ds_show_functions(ds=0x000062000004d080) at disasm.c:1861:2
  * frame #5: 0x0000000104ee9161 libr_core.dylib`r_core_print_disasm(p=0x0000618000000080, core=0x000000010e701800, addr=134272668, buf="\x02\x91\x14FA\x8a\x03\x91", len=8, l=8, invbreak=0, cbytes=1, json=false, pj=0x0000000000000000, pdf=0x00006110001d1e00) at disasm.c:5414:3
    frame #6: 0x0000000104919281 libr_core.dylib`cmd_print(data=0x000000010e701800, input="df") at cmd_print.c:5768:26
    frame #7: 0x0000000104e210b2 libr_core.dylib`r_cmd_call(cmd=0x0000620000000080, input="pdf") at cmd_api.c:248:10
    frame #8: 0x000000010499856d libr_core.dylib`r_core_cmd_subst_i(core=0x000000010e701800, cmd="pdf", colon=0x0000000000000000, tmpseek=0x00007ffeefbf1560) at cmd.c:3603:11
    frame #9: 0x0000000104848a6b libr_core.dylib`r_core_cmd_subst(core=0x000000010e701800, cmd="pdf") at cmd.c:2614:9
    frame #10: 0x00000001048451cd libr_core.dylib`run_cmd_depth(core=0x000000010e701800, cmd="pdf @ 0x800d69c") at cmd.c:5595:9
    frame #11: 0x000000010482264e libr_core.dylib`r_core_cmd(core=0x000000010e701800, cstr="pdf @ 0x800d69c", log=0) at cmd.c:5677:8
    frame #12: 0x0000000104833b0c libr_core.dylib`r_core_cmd_str(core=0x000000010e701800, cmd="pdf @ 0x800d69c") at cmd.c:5917:6
    frame #13: 0x0000000105009275 libr_core.dylib`r_core_visual_anal_refresh_column(core=0x000000010e701800, colpos=30) at vmenus.c:2867:17
    frame #14: 0x0000000104ff4262 libr_core.dylib`r_core_visual_anal_refresh(core=0x000000010e701800) at vmenus.c:2946:2
    frame #15: 0x0000000104ff0dae libr_core.dylib`r_core_visual_anal(core=0x000000010e701800, input=0x0000000000000000) at vmenus.c:3158:10
    frame #16: 0x0000000104c77621 libr_core.dylib`r_core_visual_cmd(core=0x000000010e701800, arg="v") at visual.c:2908:4
    frame #17: 0x0000000104cb8929 libr_core.dylib`r_core_visual(core=0x000000010e701800, input="v") at visual.c:4212:8
    frame #18: 0x0000000104960dac libr_core.dylib`cmd_visual(data=0x000000010e701800, input="v") at cmd.c:1884:9
    frame #19: 0x0000000104e210b2 libr_core.dylib`r_cmd_call(cmd=0x0000620000000080, input="Vv") at cmd_api.c:248:10
    frame #20: 0x0000000104999dd7 libr_core.dylib`r_core_cmd_subst_i(core=0x000000010e701800, cmd="Vv", colon=0x0000000000000000, tmpseek=0x00007ffeefbfc2c0) at cmd.c:3657:8
    frame #21: 0x0000000104848a6b libr_core.dylib`r_core_cmd_subst(core=0x000000010e701800, cmd="Vv") at cmd.c:2614:9
    frame #22: 0x00000001048451cd libr_core.dylib`run_cmd_depth(core=0x000000010e701800, cmd="Vv") at cmd.c:5595:9
    frame #23: 0x000000010482264e libr_core.dylib`r_core_cmd(core=0x000000010e701800, cstr="Vv", log=1) at cmd.c:5677:8
    frame #24: 0x00000001047b2395 libr_core.dylib`r_core_prompt_exec(r=0x000000010e701800) at core.c:3043:12
    frame #25: 0x00000001047b16f5 libr_core.dylib`r_core_prompt_loop(r=0x000000010e701800) at core.c:2894:14
    frame #26: 0x000000010a89bfd3 libr_main.dylib`r_main_radare2(argc=4, argv=0x00007ffeefbfef90) at radare2.c:1350:4
    frame #27: 0x0000000100001463 r2`main + 195
    frame #28: 0x00007fff720997fd libdyld.dylib`start + 1

[brainstorm]

This whole issue had little to do about the casual segfault I found along the way, but ok... :)

[brainstorm]

In fact, can you reopen it? I'm getting 572 funcs now... vs the 396 that Ghidra finds ... but Vv looks very broken now:

$ r2 -version
radare2 4.3.0-git 24022 @ darwin-x86-64 git.4.1.1-423-gbd1cad9b3
commit: bd1cad9b382a1b9a10b6f750688f8653207e697f build: 2020-03-04__11:05:18