Reverse Engineering Asked on February 6, 2021
Recently I work on TMS320C6xx Arch and when I reverse this firmware I saw functions graph nodes are separated. I have shown in below:
As you see, BRANCH OCCURS wrote at the end of each node. I guess this is the reason of separation.
1- How I can correct this problem?
2- what is the problem? Explanation if possible
Thanks in advance.
There is no problem, the comment is simply informational.
The TMS320C6 is a DSP and like many DSPs the architecture is optimized for fast data processing. In particular, it has a very deep pipeline and the branches have not one or two, but up to five delay slots. You can see that after the B .S2X A3
instruction there are five other instructions before the comment “BRANCH OCCURS” (in one case the fifth instruction is parallel/dual which is denoted by the ||
symbol). All these instructions are executed before the execution begins at the destination (A3 register value).
Because the register can in theory have any value, IDA did not print the destination address unlike the other cases.
BTW I would recommend looking at the disassembly for this processor in text (flat) mode since graphs may not always look nice with such deep delay slots.
Answered by Igor Skochinsky on February 6, 2021
To add to Igor's excellent reply. Unfortunately IDA Pro up until now does not handle TMS320C6 properly. TI DSP common pattern for the calls is to load up call address into 32 bit register and do the register branching (it has direct branching with immediate offsets as well but compiler seems to use it only for local branches within the function). IDA seems to handle only immediate branches and not the register calls. There are a number fo other issues (like IDA not handling ADDKPC properly or not working properly with TI produced COFF files in big endian format). The most important one is that return from a function call is also implemented as branching command which is indistinguishable (in theory) from call to a function and uses register sp IDA Pro analysis of the assembly would generally stoop at the first register branching and declare it end of function after branching point occurs if there are no more subsequent instructions to that.
I encountered that when I was working on reversing Kodak camera firmware that uses TI DSP and written patch to IDA TMS320C6 CPU module - see here https://github.com/Alexey-Danilchenko/Kodak-DCS-Tools/tree/master/sources/IDA/DSP/processor
That is not perfect still during CPU analysis stage so that Github archive has plugins as well to perform function call discovery and substitution in MVK/MVKH commands) as well as DP offset substitution.
Answered by Alexey Danilchenko on February 6, 2021
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP