My Analysis of the VC4 Assembly Code from the RPI4

Overview

Use the Ghidra Language Definition in this Pull Request: https://github.com/NationalSecurityAgency/ghidra/pull/1147 - it works for the rpi-eeprom images and using ghidra is a much better approach than using the results in this repository. Thanks @mumbel

Raspberry Pi 4 Bootloader Analysis

This repository contains my "processed" disassembly of the contents of the Raspberry Pi4 bootloader. This is the contents of the rpi-eeprom package, and the files are available on Github here.

I disassembled the various rpi-eeprom.bin files using vc4-toolchain. I also referenced an open-source project that aim{s,ed} for a libre firmware that can be flashed in place of the stock firmware. I referenced this firmware to get an understanding of the load addresses and some of the important memory locations, as well as to try to figure out when the VC4 code starts up the ARM core(s). rpi-open-firmware targets Raspberry Pi 3, meaning its a replacement for bootcode.bin and not rpi-eeprom.bin. Thus, there are surely some differences in the implementation that I am simply not aware of. I'll think about looking at bootcode.bin and doing some comparative analysis between it and rpi-eeprom.bin. Duplicates have been removed, in case you see some files that are in rpi-eeprom but not in this project.

Great?

The disassembly files have some super basic, fairly crappy "analysis" applied to them. Basically I wrote some scripts that compare the strings output to the objdump output and try to match things up. It is definitely prone to error and inaccuracy, but I was aiming for best effort. I also attempted to mark where addresses are branched from with the BREF annotation. This repository contains the original disassembly (*.disassembly.bin) as well as my mapped disassembly (*.map.bin) so you can reference both of them if you want to do some analysis.

Why?

I built these disassembly files and applied my "analysis" to them to help guide me in reverse engineering the RPi4 bootloader. I want to:

  • Understand how the bootloader works, especially the new Secure Boot capabilities and the networking capabilities.
  • Manually diff the various versions of the rpi-eeprom.bin releases to identify fixes from the release notes. This is a precursor for identifying silently patched security issues.
  • Find new security issues, particularly in the Secure Boot capabilities and the networking capabilities.

This seems like a really bad solution?

You're right! The real solution is a Ghidra SLEIGH language definition so we can do real reverse engineering. I unfortunately cannot make the time commitment right now to learn both the ins and the outs of the VC4 assembly language (assuming enough details exist to even feasibly attempt to write a Ghidra language definition) and the process by which to create a new Ghidra language definition. If that wasn't enough, on top of that I'm just not very smart.

Your python and shell scripts are terribly written

Yep.

How can I learn VC4 assembly language?

You can start by reading everything in this wiki entry.

Can I Contribute?

Yes.

How?

Some of the STRING and XREF annotations in the *.map.txt files are invalid. Feel free to remove some of those from the results if you want and submit a PR. Also if you could update the scripts to ensure that a given false positive will not happen again, that would be swell.

Also, please do not create issues saying some part of my annotations are incorrect. If you know they are incorrect and it bothers you enough to want to create an issue, please just submit a pull request fixing the annotation.

You might also like...
Some usefull scripts for the Nastran's 145 solution (Flutter Analysis) using the pyNastran package.
Some usefull scripts for the Nastran's 145 solution (Flutter Analysis) using the pyNastran package.

nastran-aero-flutter This project is intended to analyse the Supersonic Panel Flutter using the NASTRAN software. The project uses the pyNastran and t

Analysis of ROM image for Norsk Data VDU 301 S
Analysis of ROM image for Norsk Data VDU 301 S

This repository is meant to analyze the ROM images from Norsk Data VDU 301 S as provided at by Torfinn. To combine the two ROM image halves and extrac

A Snakemake workflow for standardised sc/snRNAseq analysis

single_snake_sequencing - sc/snRNAseq Snakemake Workflow A Snakemake workflow for standardised sc/snRNAseq analysis. Every single cell analysis is sli

Multifunctional Analysis of Regions through Input-Output

MARIO Multifunctional Analysis of Regions through Input-Output. (Documents) What is it MARIO is a python package for handling input-output tables and

Our Ping Pong Project of numerical analysis, 2nd year IC B2 INSA Toulouse

Ping Pong Project The objective of this project was to determine the moment of impact of the ball with the ground. To do this, we used different model

Ningyu Jia(nj2459)/Mengyin Ma(mm5937) Call Analysis group project(Group 36)

Group and Section Group 36 Section 001 name and UNI Name UNI Ningyu Jia nj2459 Mengyin Ma mm5937 code explanation Parking.py (1) Calculate the rate of

Student Enrollment Analysis System

SEAS Student Enrollment Analysis System Steps to start working: create a user name "seas", host name: local, password: seas, mark all checkbox - go C

Slientruss3d : Python for stable truss analysis tool
Slientruss3d : Python for stable truss analysis tool

slientruss3d : Python for stable truss analysis tool Desciption slientruss3d is a python package which can solve the resistances, internal forces and

A simple and efficient computing package for Genshin Impact gacha analysis

GGanalysisLite计算包 这个版本的计算包追求计算速度,而GGanalysis包有着更多计算功能。 GGanalysisLite包通过卷积计算分布列,通过FFT和快速幂加速卷积计算。 测试玩家得到的排名值rank的数学意义是:与抽了同样数量五星的其他玩家相比,测试玩家花费的抽数大于等于比例

Owner
Nicholas Starke
Keep it away from the fire unless you want it to burn
Nicholas Starke
These are the scripts used for the project of ‘Assembly of a pan-genome for global cattle reveals missing sequence and novel structural variation, providing new insights into their diversity and evolution history’

script-SV-genotyping These are the scripts used for the project of ‘Assembly of a pan-genome for global cattle reveals missing sequence and novel stru

null 2 Aug 26, 2022
pythonOS: An operating system kernel made in python and assembly

pythonOS An operating system kernel made in python and assembly Wait what? It uses a custom compiler called snek that implements a part of python3.9 (

Abbix 69 Dec 23, 2022
Snek-test - An operating system kernel made in python and assembly

pythonOS An operating system kernel made in python and assembly Wait what? It us

TechStudent10 2 Jan 25, 2022
A simple assembly- and brainfuck-inspired stack-based language

asm-stackfuck A simple assembly- and brainfuck-inspired stack-based language. The language has a few goals: Be stack-based Look like assembly Have a s

Nils Trinity 1 Feb 6, 2022
Code needed for hybrid land cover change analysis for NASA IDS project

Documentation for the NASA IDS change analysis Poley 10/21/2021 Required python packages: whitebox numpy rasterio rasterio.mask os glob math itertools

Andrew Poley 2 Nov 12, 2021
TickerRain is an open-source web app that stores and analysis Reddit posts in a transparent and semi-interactive manner.

TickerRain is an open-source web app that stores and analysis Reddit posts in a transparent and semi-interactive manner

GonVas 180 Oct 8, 2022
Socorro is the Mozilla crash ingestion pipeline. It accepts and processes Breakpad-style crash reports. It provides analysis tools.

Socorro Socorro is a Mozilla-centric ingestion pipeline and analysis tools for crash reports using the Breakpad libraries. Support This is a Mozilla-s

Mozilla Services 552 Dec 19, 2022
frida-based ceserver. iOS analysis is possible with Cheat Engine.

frida-ceserver frida-based ceserver. iOS analysis is possible with Cheat Engine. Original by Dark Byte. Usage Install frida on iOS. python main.py Cyd

KenjiroIchise 89 Jan 8, 2023
This is an online course where you can learn and master the skill of low-level performance analysis and tuning.

Performance Ninja Class This is an online course where you can learn to find and fix low-level performance issues, for example CPU cache misses and br

Denis Bakhvalov 1.2k Dec 30, 2022
Cross-platform MachO/ObjC Static binary analysis tool & library. class-dump + otool + lipo + more

ktool Static Mach-O binary metadata analysis tool / information dumper pip3 install k2l Development is currently taking place on the @python3.10 branc

Kritanta 301 Dec 28, 2022