root/tools/firmware_load_ng.h

/* [<][>][^][v][top][bottom][index][help] */

INCLUDED FROM


   1 #ifndef FIRMWARE_LOAD_NG_H
   2 #define FIRMWARE_LOAD_NG_H
   3 
   4 #define MIN(a,b) ((a) < (b) ? (a) : (b))
   5 #define MAX(a,b) ((a) > (b) ? (a) : (b))
   6 
   7 // Digic 2-5+ (ignoring S1)
   8 #define FW_ARCH_ARMv5       1
   9 // Digic 6
  10 #define FW_ARCH_ARMv7       2
  11 
  12 // for clarity of thumb bit manipulations
  13 #define ADR_SET_THUMB(x) ((x)|1)
  14 #define ADR_CLEAR_THUMB(x) ((x)&~1)
  15 #define ADR_IS_THUMB(x) ((x)&1)
  16 
  17 #define ADR_ALIGN4(x) ((x)&~0x3)
  18 #define ADR_ALIGN2(x) ((x)&~0x1)
  19 
  20 #define ADR_IS_ALIGN4(x) (((x)&0x3)==0)
  21 
  22 // address regions
  23 #define ADR_RANGE_INVALID   0
  24 #define ADR_RANGE_ROM       1
  25 #define ADR_RANGE_RAM_CODE  2
  26 #define ADR_RANGE_INIT_DATA 3
  27 
  28 
  29 // Stores a range of valid data in the firmware dump (used to skip over empty blocks)
  30 typedef struct bufrange {
  31     uint32_t *p;
  32     int off; // NOTE these are in 32 bit blocks, not bytes
  33     int len;
  34     struct bufrange* next;
  35 } BufRange;
  36 
  37 
  38 // TODO may want to make run-time adjustable
  39 #define ADR_HIST_SIZE 64
  40 typedef struct { 
  41     // circular buffer of previous adr values, for backtracking
  42     // use addresses rather than insn, because you might want to scan with detail off and then backtrack with on
  43     // addresses have thumb bit set when disassembling in thumb mode
  44     int cur; // index of current address, after iter
  45     int count; // total number of valid entries
  46     uint32_t adrs[ADR_HIST_SIZE]; 
  47 } adr_hist_t;
  48 
  49 // state for disassembly iteration
  50 typedef struct {
  51     const uint8_t *code; // pointer into buffer for code
  52     uint64_t adr; // firmware address - must be 64 bit for capstone iter, never has thumb bit set
  53                   // points to the next instruction to disassemble, insn->address gives the most 
  54                   // recently disassembled address
  55     size_t size; // remaining code size
  56     cs_insn *insn; // cached instruction
  57     uint32_t thumb; // thumb state
  58     uint32_t insn_min_size; // 2 or 4, depending on thumb/arm state
  59     csh cs_handle; // capstone handle to use with this state, updated for arm/thumb transitions
  60     adr_hist_t ah; // history of previous instructions
  61 }  iter_state_t;
  62 
  63 // struct for regions of ROM that are copied elsewhere
  64 typedef struct {
  65     uint8_t *buf;
  66     uint32_t start;     // copied / relocated firmware address 
  67     uint32_t src_start; // source ROM firmware address
  68     int bytes; // size in bytes
  69     int type;   // ADR_RANGE_* define
  70 } adr_range_t;
  71 
  72 #define FW_MAX_ADR_RANGES 5
  73 
  74 // loaded firmware
  75 typedef struct {
  76     union {
  77         uint8_t        *buf8;                // Firmware data
  78         uint32_t       *buf32;               // Firmware data
  79     };
  80     BufRange        *br, *last;         // Valid ranges
  81 
  82     int             arch;           // firmware CPU arch
  83     uint32_t        base;           // Base address of the firmware in the camera
  84     int             main_offs;      // Offset of main firmware from the start of the dump
  85 
  86     uint32_t        memisostart;        // Start address of the Canon heap memory (where CHDK is loaded)
  87 
  88     int             size8;          // Size of the firmware (as loaded from the dump) in bytes
  89     int             size32;         // Size of the firmware in 32 bit words
  90 
  91         int                         dryos_ver;          // DryOS version number
  92     char            *dryos_ver_str;     // DryOS version string
  93     char            *firmware_ver_str;  // Camera firmware version string
  94 
  95     // TODO duplicated with adr_range stuff below
  96     uint32_t        data_start;         // Start address of DATA section in RAM
  97     uint32_t        data_init_start;    // Start address of initialisation section for DATA in ROM
  98     int             data_len;           // Length of data section in bytes
  99     
 100     // address ranges for ROM and copied data
 101     int             adr_range_count;
 102     adr_range_t     adr_ranges[FW_MAX_ADR_RANGES];
 103     
 104     // convenience values to optimize code searching
 105     uint32_t        rom_code_search_min_adr; // minimum ROM address for normal code searches (i.e. firmware start)
 106     uint32_t        rom_code_search_max_adr; // max ROM address for normal code searches, i.e. before copied data / code if known
 107     // Values loaded from stubs & other files
 108     stub_values     *sv;
 109 
 110     uint32_t thumb_default; // 1 if initial firmware code is expected to be thumb, 0 for arm.
 111     csh cs_handle_thumb; // capstone handle for thumb disassembly
 112     csh cs_handle_arm; // capstone handle for arm disassembly
 113     iter_state_t* is;
 114 } firmware;
 115 
 116 /*
 117 convert firmware address to pointer, or NULL if not in valid range
 118 */
 119 uint8_t* adr2ptr(firmware *fw, uint32_t adr);
 120 
 121 // as above, but include initialized data area (NOTE may change on camera at runtime!)
 122 uint8_t* adr2ptr_with_data(firmware *fw, uint32_t adr);
 123 
 124 // return constant string describing type
 125 const char* adr_range_type_str(int type);
 126 
 127 // convert pointer into buf into firmware address
 128 // current doesn't sanity check or adjust ranges
 129 uint32_t ptr2adr(firmware *fw, uint8_t *ptr);
 130 
 131 // return address range struct for adr, or NULL if not in known range
 132 adr_range_t *adr_get_range(firmware *fw, uint32_t adr);
 133 
 134 // return true if adr is in firmware DATA or BSS
 135 int adr_is_var(firmware *fw, uint32_t adr);
 136 
 137 //
 138 // Find the index of a string in the firmware
 139 // Assumes the string starts on a 32bit boundary.
 140 // String + terminating zero byte should be at least 4 bytes long
 141 // Handles multiple string instances
 142 int find_Nth_str(firmware *fw, char *str, int N);
 143 
 144 // above, N=1
 145 int find_str(firmware *fw, char *str);
 146 
 147 // Find the index of a string in the firmware, can start at any address
 148 // returns firmware address
 149 uint32_t find_str_bytes(firmware *fw, char *str);
 150 
 151 int isASCIIstring(firmware *fw, uint32_t adr);
 152 
 153 /*
 154 return firmware address of 32 bit value, starting at address "start"
 155 */
 156 uint32_t find_u32_adr(firmware *fw, uint32_t val, uint32_t start);
 157 
 158 // return u32 value at adr
 159 uint32_t fw_u32(firmware *fw, uint32_t adr);
 160 
 161 // memcmp, but using a firmware address, returning 1 adr/size out of range
 162 int fw_memcmp(firmware *fw, uint32_t adr,const void *cmp, size_t n);
 163 
 164 // ****** address history functions ******
 165 // reset address history to empty
 166 void adr_hist_reset(adr_hist_t *ah);
 167 
 168 // return the index of current entry + i. may be negative or positive, wraps. Does not check validity
 169 int adr_hist_index(adr_hist_t *ah, int i);
 170 
 171 // add an entry to address history
 172 void adr_hist_add(adr_hist_t *ah, uint32_t adr);
 173 
 174 // return the i'th previous entry in this history, or 0 if not valid (maybe should be -1?)
 175 // i= 0 = most recently disassembled instruction, if any
 176 uint32_t adr_hist_get(adr_hist_t *ah, int i);
 177 
 178 // ****** instruction analysis utilities ******
 179 // is insn an ARM instruction?
 180 // like cs_insn_group(cs_handle,insn,ARM_GRP_ARM) but doesn't require handle and doesn't check or report errors
 181 int isARM(cs_insn *insn);
 182 
 183 /*
 184 is insn a PC relative load?
 185 */
 186 int isLDR_PC(cs_insn *insn);
 187 
 188 /*
 189 is insn a PC relative load to PC?
 190 */
 191 int isLDR_PC_PC(cs_insn *insn);
 192 
 193 // if insn is LDR Rn, [pc,#x] return pointer to value, otherwise null
 194 uint32_t* LDR_PC2valptr_thumb(firmware *fw, cs_insn *insn);
 195 uint32_t* LDR_PC2valptr_arm(firmware *fw, cs_insn *insn);
 196 uint32_t* LDR_PC2valptr(firmware *fw, cs_insn *insn);
 197 
 198 // return the address of value loaded by LDR rd, [pc, #x] or 0 if not LDR PC
 199 uint32_t LDR_PC2adr(firmware *fw, cs_insn *insn);
 200 
 201 // is insn address calculated with subw rd, pc, ...
 202 int isSUBW_PC(cs_insn *insn);
 203 
 204 // is insn address calculated with addw rd, pc, ...
 205 int isADDW_PC(cs_insn *insn);
 206 
 207 // is insn ADD rd, pc, #x  (only generated for ARM in capstone)
 208 int isADD_PC(cs_insn *insn);
 209 
 210 // is insn SUB rd, pc, #x  (only generated for ARM in capstone)
 211 int isSUB_PC(cs_insn *insn);
 212 
 213 // does insn look like a function return?
 214 int isRETx(cs_insn *insn);
 215 
 216 // does insn push LR (function start -ish)
 217 int isPUSH_LR(cs_insn *insn);
 218 
 219 // does insn pop LR (func end before tail call)
 220 int isPOP_LR(cs_insn *insn);
 221 
 222 // does insn pop PC
 223 int isPOP_PC(cs_insn *insn);
 224 
 225 // is the instruction ADD* rx, imm
 226 int isADDx_imm(cs_insn *insn);
 227 
 228 // is the instruction SUB* rx, imm
 229 int isSUBx_imm(cs_insn *insn);
 230 
 231 // is the instruction an ADR or ADR-like instruction?
 232 int isADRx(cs_insn *insn);
 233 
 234 // return value generated by an ADR or ADR-like instruction, or 0 (which should be rarely generated by ADR)
 235 uint32_t ADRx2adr(firmware *fw, cs_insn *insn);
 236 
 237 // return the value generated by an ADR (ie, the location of the value as a firmware address)
 238 // NOTE not checked if it is in dump
 239 uint32_t ADR2adr(firmware *fw, cs_insn *insn);
 240 
 241 // if insn is adr/ AKA ADD Rn, pc,#x return pointer to value, otherwise null
 242 uint32_t* ADR2valptr(firmware *fw, cs_insn *insn);
 243 
 244 // return value loaded by PC relative LDR instruction, or 0 if out of range
 245 uint32_t LDR_PC2val(firmware *fw, cs_insn *insn);
 246 
 247 // return the target of B instruction, or 0 if current instruction isn't B
 248 // both ARM and thumb instructions will NOT have the thumb bit set,
 249 // thumbness must be determined from current state
 250 uint32_t B_target(firmware *fw, cs_insn *insn);
 251 
 252 // return the target of CBZ / CBNZ instruction, or 0 if current instruction isn't CBx
 253 uint32_t CBx_target(firmware *fw, cs_insn *insn);
 254 
 255 // return the target of BLX instruction, or 0 if current instruction isn't BLX imm
 256 uint32_t BLXimm_target(firmware *fw, cs_insn *insn);
 257 
 258 // return the target of BL instruction, or 0 if current instruction isn't BL
 259 // both ARM and thumb instructions will NOT have the thumb bit set,
 260 // thumbness must be determined from current state
 261 uint32_t BL_target(firmware *fw, cs_insn *insn);
 262 
 263 // as above, but also including B for tail calls
 264 uint32_t B_BL_target(firmware *fw, cs_insn *insn);
 265 
 266 // as above, but also including BLX imm
 267 uint32_t B_BL_BLXimm_target(firmware *fw, cs_insn *insn);
 268 
 269 // results from get_TBx_PC_info
 270 typedef struct {
 271     uint32_t start; // address of first jumptable entry
 272     uint32_t count; // number of entries, from preceding cmp, first_target or first invalid value
 273     uint32_t first_target; // lowest jumptable target address (presumably, >= end of jump table in normal code)
 274     int bytes; // size of jump table entries: 1 = tbb, 2=tbh
 275 } tbx_info_t; // tbb/tbh info
 276 
 277 // get the (likely) range of jumptable entries from a pc relative TBB or TBH instruction
 278 // returns 0 on error or if instruction is not TBB/TBH, otherwise 1
 279 int get_TBx_PC_info(firmware *fw,iter_state_t *is, tbx_info_t *ti);
 280 
 281 // ****** disassembly iterator utilities ******
 282 // allocate a new iterator state, optionally initializing at adr (0/invalid OK)
 283 iter_state_t *disasm_iter_new(firmware *fw, uint32_t adr);
 284 
 285 // free iterator state and associated resources
 286 void disasm_iter_free(iter_state_t *is);
 287 
 288 // set iterator to adr, without clearing history (for branch following)
 289 // thumb bit in adr sets mode
 290 int disasm_iter_set(firmware *fw, iter_state_t *is, uint32_t adr);
 291 
 292 // initialize iterator state at adr, clearing history
 293 // thumb bit in adr sets mode
 294 int disasm_iter_init(firmware *fw, iter_state_t *is, uint32_t adr);
 295 
 296 /*
 297 disassemble next instruction, recording address in history
 298 returns false if state invalid or disassembly fails
 299 if disassembly fails, is->adr is not incremented
 300 */
 301 int disasm_iter(firmware *fw, iter_state_t *is);
 302 
 303 // ***** disassembly utilities operating on the default iterator state *****
 304 // use the fw_disasm_iter functions to disassemble without setting up a new state,
 305 // but beware some other functions might change them
 306 /*
 307 initialize iter state to begin iterating at adr
 308 */
 309 int fw_disasm_iter_start(firmware *fw, uint32_t adr);
 310 
 311 // disassemble the next instruction, updating cached state
 312 int fw_disasm_iter(firmware *fw);
 313 
 314 // disassemble single instruction at given adr, updating cached values
 315 // history is cleared
 316 int fw_disasm_iter_single(firmware *fw, uint32_t adr);
 317 
 318 // ****** standalone disassembly without an iter_state ******
 319 /*
 320 disassemble up to count instructions starting at firmware address adr
 321 allocates and returns insns in insn, can be freed with cs_free(insn, count)
 322 returns actual number disassembled, less than count on error
 323 */
 324 // UNUSED for now
 325 //size_t fw_disasm_adr(firmware *fw, uint32_t adr, unsigned count, cs_insn **insn);
 326 
 327 
 328 // ***** utilities for searching disassembly over large ranges ******
 329 /*
 330 callback used by fw_search_insn, called on valid instructions
 331 _search continues iterating until callback returns non-zero.
 332 is points to the most recently disassembled instruction
 333 callback may advance is directly by calling disasm_iter
 334 v1 and udata are passed through from the call to _search
 335 */
 336 typedef uint32_t (*search_insn_fn)(firmware *fw, iter_state_t *is, uint32_t v1, void *udata);
 337 
 338 /*
 339 iterate over firmware disassembling, calling callback described above after each
 340 successful disassembly iteration.  If disassembly fails, the iter state is advanced
 341 2 bytes without calling the callback.
 342 starts at address is taken from the iter_state, which should be initialized by disasm_iter_new()
 343 disasm_iter_init(), or a previous search or iter call.
 344 end defaults to end of ram code or rom code (before init data, if known), based on start
 345 v1 and udata are provided to the callback
 346 */
 347 uint32_t fw_search_insn(firmware *fw, iter_state_t *is, search_insn_fn f,uint32_t v1, void *udata, uint32_t adr_end);
 348 
 349 // ****** callbacks for use with fw_search_insn ******
 350 // search for constant references
 351 uint32_t search_disasm_const_ref(firmware *fw, iter_state_t *is, uint32_t val, void *unused);
 352 
 353 // search for string ref
 354 uint32_t search_disasm_str_ref(firmware *fw, iter_state_t *is, uint32_t val, void *str);
 355 
 356 // search for calls/jumps to immediate addresses
 357 // thumb bit in address should be set appropriately 
 358 // returns 1 if found, address can be obtained from insn
 359 uint32_t search_disasm_calls(firmware *fw, iter_state_t *is, uint32_t val, void *unused);
 360 
 361 // callback for use with search_disasm_calls_multi
 362 // adr is the matching address
 363 typedef int (*search_calls_multi_fn)(firmware *fw, iter_state_t *is, uint32_t adr);
 364 
 365 // structure used to define functions searched for, and functions to handle matches
 366 // fn should be address with thumb bit set appropriately 
 367 typedef struct {
 368     uint32_t adr;
 369     search_calls_multi_fn fn;
 370 } search_calls_multi_data_t;
 371 
 372 // a search_calls_multi_fn that just returns 1
 373 int search_calls_multi_end(firmware *fw, iter_state_t *is, uint32_t adr);
 374 
 375 // Search for calls to multiple functions (more efficient than multiple passes)
 376 // if adr is found in null terminated search_calls_multi_data array, returns fn return value
 377 // otherwise 0
 378 uint32_t search_disasm_calls_multi(firmware *fw, iter_state_t *is, uint32_t unused, void *userdata);
 379 
 380 // ****** utilities for extracting register values ******
 381 /*
 382 backtrack through is_init state history picking up constants loaded into r0-r3
 383 return bitmask of regs with values found
 384 affects fw->is, does not affect is_init
 385 
 386 NOTE values may be inaccurate for many reasons, doesn't track all reg affecting ops,
 387 doesn't account for branches landing in the middle of inspected code
 388 doesn't account for many conditional cases
 389 */
 390 int get_call_const_args(firmware *fw, iter_state_t *is_init, int max_backtrack, uint32_t *res);
 391 
 392 /*
 393 starting from is_init, look for a direct jump, such as
 394  B <target>
 395  LDR PC, [pc, #x]
 396  movw ip, #x
 397  movt ip, #x
 398  bx ip
 399 if found, return target address with thumb bit set appropriately
 400 NOTE does not check for conditional
 401 uses fw->is
 402 does not check CBx, since it would generally be part of a function not a veneer
 403 */
 404 uint32_t get_direct_jump_target(firmware *fw, iter_state_t *is_init);
 405 
 406 /*
 407 return target of any single instruction branch or function call instruction, 
 408 with thumb bit set appropriately
 409 returns 0 if current instruction not branch/call
 410 */
 411 uint32_t get_branch_call_insn_target(firmware *fw, iter_state_t *is);
 412 
 413 /*
 414 advance is up to max_insns looking for the start of a sequence like
 415 LDR Rbase,=adr
 416 SUB Rbase,#adj // optional, may be any add/sub variant
 417 LDR Rval,[Rbase + #off]
 418 returns 1 if found, 0 if not
 419 stores registers and constants in *result if successful
 420 
 421 TODO similar code for STR would be useful, but in many cases would have to handle load or move into reg_val
 422 */
 423 typedef struct {
 424     arm_reg reg_base;
 425     arm_reg reg_val;
 426     uint32_t adr_base; // address from original LDR 
 427     uint32_t adr_adj; // address adjusted by adj if present, normally struct address useful for stubs comments
 428     uint32_t adr_final; // full address
 429     // offsets are guaranteed to be small
 430     int adj;
 431     int off;
 432 } var_ldr_desc_t;
 433 int find_and_get_var_ldr(firmware *fw,
 434                             iter_state_t *is,
 435                             int max_insns,
 436                             arm_reg match_val_reg, // ARM_REG_INVALID for any
 437                             var_ldr_desc_t *result);
 438 
 439 
 440 // ****** utilities for matching instructions and instruction sequences ******
 441 
 442 // use XXX_INVALID (=0) for don't care
 443 typedef struct {
 444     arm_op_type type; // ARM_OP_... REG, IMM, MEM support additional tests
 445     arm_reg reg1; // reg for register type operands, base for mem
 446     uint32_t flags; // 
 447     int32_t imm;  // immediate value for imm, disp for mem
 448     arm_reg reg2; // index reg form mem
 449 } op_match_t;
 450 #define MATCH_OP_FL_IMM     0x0001 // use IMM value
 451 #define MATCH_OP_FL_LAST    0x0002 // ignore all following ops, only check count
 452 // macros for initializing above
 453 //                                  type            reg1                flags               imm     reg2
 454 #define MATCH_OP_ANY                {ARM_OP_INVALID,ARM_REG_INVALID,    0,                  0,      ARM_REG_INVALID}
 455 #define MATCH_OP_REST_ANY           {ARM_OP_INVALID,ARM_REG_INVALID,    MATCH_OP_FL_LAST,   0,      ARM_REG_INVALID}
 456 #define MATCH_OP_REG_ANY            {ARM_OP_REG,    ARM_REG_INVALID,    0,                  0,      ARM_REG_INVALID}
 457 #define MATCH_OP_REG(r)             {ARM_OP_REG,    ARM_REG_##r,        0,                  0,      ARM_REG_INVALID}
 458 #define MATCH_OP_IMM_ANY            {ARM_OP_IMM,    ARM_REG_INVALID,    0,                  0,      ARM_REG_INVALID}
 459 #define MATCH_OP_IMM(imm)           {ARM_OP_IMM,    ARM_REG_INVALID,    MATCH_OP_FL_IMM,    (imm),  ARM_REG_INVALID}
 460 #define MATCH_OP_MEM_ANY            {ARM_OP_MEM,    ARM_REG_INVALID,    0,                  0,      ARM_REG_INVALID}
 461 #define MATCH_OP_MEM(rb,ri,imm)     {ARM_OP_MEM,    ARM_REG_##rb,       MATCH_OP_FL_IMM,    (imm),  ARM_REG_##ri}
 462 #define MATCH_OP_MEM_BASE(r)        {ARM_OP_MEM,    ARM_REG_##r,        0,                  0,      ARM_REG_INVALID}
 463 #define MATCH_OP_MEM_REGS(rb,ri)    {ARM_OP_MEM,    ARM_REG_##rb,       0,                  0,      ARM_REG_##ri}
 464 
 465 #define MATCH_MAX_OPS 16
 466 
 467 #define MATCH_OPCOUNT_ANY       -1 // match any operands specified in operands, without checking count
 468 #define MATCH_OPCOUNT_IGNORE    -2 // don't check ops at all
 469 
 470 #define MATCH_INS(ins,opcount)          ARM_INS_##ins,(opcount),ARM_CC_INVALID
 471 #define MATCH_INS_CC(ins,cc,opcount)    ARM_INS_##ins,(opcount),ARM_CC_##cc
 472 
 473 // use id ARM_INS_INVALID for don't care, ARM_INS_ENDING to end list of matches
 474 typedef struct {
 475     arm_insn id;
 476     int op_count; // negative = special values above
 477     arm_cc cc; // match condition code _INVALID = don't care
 478     op_match_t operands[MATCH_MAX_OPS];
 479 } insn_match_t;
 480 
 481 // some common matches for insn_match_find_next
 482 // match a B instruction
 483 extern const insn_match_t match_b[];
 484 
 485 // match B and BL
 486 extern const insn_match_t match_b_bl[];
 487 
 488 // match B and BL, and BLX with an immediate
 489 extern const insn_match_t match_b_bl_blximm[];
 490 
 491 // match only calls: BL or BLX imm
 492 extern const insn_match_t match_bl_blximm[];
 493 
 494 // match BX LR
 495 extern const insn_match_t match_bxlr[];
 496 
 497 // match LDR rx [pc, ...]
 498 extern const insn_match_t match_ldr_pc[];
 499 
 500 // check if single insn matches values defined by match
 501 int insn_match(cs_insn *insn, const insn_match_t *match);
 502 
 503 // check if single insn matches any of the provided matches
 504 int insn_match_any(cs_insn *insn,const insn_match_t *match);
 505 
 506 // iterate is until current instruction matches any of the provided matches or until limit reached
 507 int insn_match_find_next(firmware *fw, iter_state_t *is, int max_insns, const insn_match_t *match);
 508 
 509 // iterate is until current has matched any of the provided matches N times or until max_insns reached
 510 int insn_match_find_nth(firmware *fw, iter_state_t *is, int max_insns, int num_to_match, const insn_match_t *match);
 511 
 512 // iterate as long as sequence of instructions matches sequence defined in match
 513 int insn_match_seq(firmware *fw, iter_state_t *is, const insn_match_t *match);
 514 
 515 // find next matching sequence starting within max_insns
 516 int insn_match_find_next_seq(firmware *fw, iter_state_t *is, int max_insns, const insn_match_t *match);
 517 
 518 // ****** utilities for non-disasm searching ******
 519 // Search the firmware for something. The desired matching is performed using the supplied 'func' function.
 520 // Continues searching until 'func' returns non-zero - then returns 1
 521 // otherwise returns 0.
 522 // Uses the BufRange structs to speed up searching
 523 // Note: this version searches byte by byte in the firmware dump instead of by words
 524 // borrowed from finsig_dryos
 525 typedef int (*search_bytes_fn)(firmware*, int k);
 526 int fw_search_bytes(firmware *fw, search_bytes_fn func);
 527 
 528 // ****** firmware loading / initialization / de-allocation ******
 529 // add given address range
 530 void fw_add_adr_range(firmware *fw, uint32_t start, uint32_t end, uint32_t src_start, int type);
 531 
 532 // load firmware and initialize stuff that doesn't require disassembly
 533 void firmware_load(firmware *fw, const char *filename, uint32_t base_adr,int fw_arch);
 534 
 535 // initialize capstone state for loaded fw
 536 int firmware_init_capstone(firmware *fw);
 537 
 538 // init basic copied RAM code / data ranges - init_capstone must be called first
 539 void firmware_init_data_ranges(firmware *fw);
 540 
 541 // free resources associated with fw
 542 void firmware_unload(firmware *fw);
 543 #endif

/* [<][>][^][v][top][bottom][index][help] */