有一個arm elf文件經過objcopy -O binary 命令處理生成bin文件

進行反匯編:

指令1：

arm_v5t_le-objdump??-b binary -m armv5te -D??u-boot.bin|head

指令2：

arm-linux-objdump? -D -b binary test.bin --architecture=arm? > /tmp/raw.txt

http://linux.chinaunix.net/bbs/thread-1145255-1-1.html

http://chdk.wikia.com/wiki/GPL_Disassembling

Meanwhile I wrote a perl script, which does all the jobs. Also it lookup references and add this to the disassemble output.

Disassembling with GNU/GPL tools

The gnu/gpl tools are not made for analysing alien binary dumps because we usually have the source code if we need to debug. This is not really an replacement for IDA but for me it's was sufficient.

Installing software is not explained in this tutorials.

Prerequisites:

You have a raw binary firmware dump to look at. I'll use here "dump.bin"

In this toybox we have:

arm-elf-objcopy | arm-linux-gnu-objcopy

arm-elf-objdump | arm-linux-gnu-objdump

Here we go:

strings -t x dump.bin > dump.strings

hexdump -C dump.bin > dump.hex

arm-linux-gnu-objdump -m arm -b binary -D dump.bin > dump.dis

However, theres a problem: all files start with an offset of 0x00. Here comes my renumber.pl script:

strings -t x dump.bin | ./renumber.pl 0xff810000 > dump.strings

hexdump -C dump.bin |./renumber.pl 0xff810000 > dump.hex

Before we disassemble the dump, we pack it into elf format. This meat is good for feeding gdb and the IDA demo version?;)

arm-linux-gnu-objcopy --change-addresses=0xff810000 -I binary -O elf32-littlearm -B arm dump.bin dump.elf

arm-linux-gnu-objcopy --set-section-flags .data=code dump.elf

Verify the elf file:

arm-linux-gnu-objdump -x dump.elf

Disassemble:

arm-linux-gnu-objdump -d dump.elf > dump.dis

So finally we have 3 ascii files to stare at:

dump.dis

dump.strings

dump.hex

and

dump.elf for gdb and qemu

Putting all together

Meanwhile I wrote GPL:disassemble.pl perl script, which does all the jobs. Also it lookup references and add this to the disassemble output.

disassemble.pl 0xff810000 dump.bin

e.g. output:

NSTUB(Capture.Create, 0xff938368):

ff938368: e92d4010 stmdbsp!, {r4, lr}

ff93836c: e59f0020 ldrr0, [pc, #32]; ff938394: (ffac13cc)

ff938370: ebfcc3fd blff86936c <_binary_dump_bin_start>

ff938374: eb01cf03 blff9abf88 <_binary_dump_bin_start>

ff938378: e3a00000 movr0, #0; 0x0

ff93837c: e8bd8010 ldmiasp!, {r4, pc}

// this is obviously an entry point, because ^^ is a "return"

ff938380: e24f1020 subr1, pc, #32; ff938368: (e92d4010)

ff938384: e28f000c addr0, pc, #12; ff938398: (74706143) *"Capture.Create"

ff938388: eafcc355 bff8690e4 <_binary_dump_bin_start>

// another

ff93838c: e28f0004 addr0, pc, #4; ff938398: (74706143) *"Capture.Create"

ff938390: eafcc355 bff8690ec <_binary_dump_bin_start>

// this is data, referenced from 0xff93836c followed by some text

ff938394: ffac13cc undefined instruction 0xffac13cc

"Capture.Create":

ff938398: 74706143 ldrvcbtr6, [r0], #-323

ff93839c: 2e657275 mcrcs2, 3, r7, cr5, cr5, {3}

ff9383a0: 61657243 cmnvsr5, r3, asr #4

ff9383a4: 00006574 andeqr6, r0, r4, ror r5

Note: The entire disassembled file is shown as instructions, including strings and numeric constants. Strings are identified where referenced, as shown above, but the corresponding address still has disassembled (nonsense) instructions. If the instructions you are looking at don't make any sense, they are probably data.

using gcc/gas

Another way to create an elf file with symbols from chdk's stub files: forum However, the disassemble script makes a better format but this one is very good for gdb+qemu?;)