
I want to extract machine code from XBee DigiMesh firmware (Cortex-M3, EM357), so I have an SREC file with 3 sections inside. I suppose that one of these sections is a code section, but arm-none-eabi-objdump reports "unknown instruction" very often. Does anyone know why this happens?

This is how I try to do this:

arm-none-eabi-objcopy --input-target=srec --output-target=binary -j .sec2 xbp24-dm_8073.ehx2.dec sec2.bin
arm-none-eabi-objdump -D -bbinary -marm -Mforce-thumb sec2.bin

Update: I converted ehx2 to ehx2.dec by http://git.nazaryev.ru/xctu-decoder.git/

  • The firmware from Freescale consists of 3 files: an ehx, an ehx2 and a mix file. The zip doesn't contain an ehx2.dec. How did you convert the ehx2 into ehx2.dec? Google doesn't seem to know of a convertor. Can you edit in an explanation? – blabb Apr 02 '17 at 05:00
  • Thanks for the update. In the meanwhile I found another for presumably series 1 .ehx files here: https://github.com/roysjosh/xbee-comm/blob/master/src/bin/ehx2srec.c – blabb Apr 06 '17 at 04:53

2 Answers


The code in the file is not ARM. In the binary the following string can be seen:

HW Part #: MC13213

Googling for it leads to this page which says:

The MC13213 System in Package (SiP) integrates the MC9S08GT MCU with the MC1320x transceiver into a single 9x9mm LGA package.

and

40 MHz HCS08 low-voltage, low-power core

And indeed, choosing HCS08 in IDA leads to reasonably-looking disassembly:

seg000:1893 start:
seg000:1893
seg000:1893 ; FUNCTION CHUNK AT seg000:23BC SIZE 0000009F BYTES
seg000:1893
seg000:1893                 ldhx    #$F2E
seg000:1896                 txs
seg000:1897                 ldhx    #$E02
seg000:189A                 sthx    $177
seg000:189D                 bra     loc_18AD
seg000:189F ; ---------------------------------------------------------------------------
seg000:189F
seg000:189F loc_189F:                               ; CODE XREF: start+20j
seg000:189F                 lda     #$A5 ; 'Ñ'
seg000:18A1                 ldhx    $177
seg000:18A4                 sta     , x
seg000:18A5                 ldhx    #$177
seg000:18A8                 inc     1, x
seg000:18AA                 bne     loc_18AD
seg000:18AC                 inc     , x
seg000:18AD
seg000:18AD loc_18AD:                               ; CODE XREF: start+Aj
seg000:18AD                                         ; start+17j
seg000:18AD                 ldhx    $177
seg000:18B0                 cphx    #$F2E
seg000:18B3                 bcs     loc_189F
seg000:18B5                 jsr     sub_182C
seg000:18B8                 jmp     loc_23BC


Igor Skochinsky

The firmware file hash:

E:\zigb>rahash2 -a md5 xbp24-dm_8073.ehx2.dec
xbp24-dm_8073.ehx2.dec: 0x00000000-0x00022bcd md5: 971f71b674af2d5edb670a5ce4b0371f

The version of MinGW objcopy on my Windows box:

E:\zigb>objcopy -V
GNU objcopy (GNU Binutils) 2.25.1
Copyright (C) 2014 Free Software Foundation, Inc.
This program is free software; you may redistribute it under the terms of
the GNU General Public License version 3 or (at your option) any later version.
This program has absolutely no warranty.

Duplicated the file:

E:\zigb>copy xbp24-dm_8073.ehx2.dec test.dec
        1 file(s) copied.

Now I objcopy it:

E:\zigb>objcopy -I srec -O binary -S  test.dec

E:\zigb>ls -l
total 200
-rw-rw-rw-  1 HP 0  60800 2017-03-30 03:25 test.dec
-rw-rw-rw-  1 HP 0 142286 2017-03-30 02:43 xbp24-dm_8073.ehx2.dec

Dumping 32 bytes from the file:

E:\zigb>xxd -g 1 -l 32 test.dec
0000000: 43 54 02 d1 47 10 36 43 4e 00 d1 31 00 00 41 43  CT..G.6CN..1..AC
0000010: 00 d1 12 00 00 56 52 02 9c 1d fd 46 46 52 00 d1  .....VR....FFR..

Dumping the first two lines from the original file:

E:\zigb>head -n 2 xbp24-dm_8073.ehx2.dec
S0260000433A5C446576656C6F706D656E745C646D32345C62696E5C584232342D444D2E70726DBE
S1231080435402D1471036434E00D1310000414300D11200005652029C1DFD46465200D14C

Deciphering the first S0 record (header) and the second line, an S1 data record:

E:\zigb>rax2 -s 433A5C446576656C6F706D656E745C646D32345C62696E5C584232342D444D2E70726D
C:\Development\dm24\bin\XB24-DM.prm

E:\zigb>rax2 -s 435402D1471036434E00D1310000414300D11200005652029C1DFD46465200D1
CT☻╤G►6CN ╤1  AC ╤↕  VR☻£↔²FFR ╤

It appears to be a correct conversion by objcopy.

BTW, objdump can use srec as a target, so no objcopy is required, I think:

:\>arm-none-eabi-objdump.exe -D -bsrec -marm  -Mforce-thumb --start-address=0x1893 --stop-address=0x18a3 e:\zigb\xbp24-dm_8073.ehx2.dec

e:\zigb\xbp24-dm_8073.ehx2.dec:     file format srec


Disassembly of section .sec2:

00001893 <.sec2+0x67>:
    1893:       0f45            lsrs    r5, r0, #29
    1895:       942e            str     r4, [sp, #184]  ; 0xb8
    1897:       0e45            lsrs    r5, r0, #25
    1899:       9602            str     r6, [sp, #8]
    189b:       7701            strb    r1, [r0, #28]
    189d:       0e20            lsrs    r0, r4, #24
    189f:       a5a6            add     r5, pc, #664    ; (adr r5, 0x1b38)
    18a1:       0132            lsls    r2, r6, #4

:\>

Strings inside the binary: XBee-Pro DigiMesh v24 and MC13213, an HCS08-compatible CPU, it seems.

blabb
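The S-record decoding done above by hand, as an added example that is not part of either answer: it parses the S0 header and S1 data record quoted by blabb, verifies each record's byte count and checksum, and lays the data out as a flat image the way objcopy -O binary does (lowest address first, gaps zero-filled). The S-record format rules and the two sample lines are taken from the page; nothing else is assumed.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

# Address width in bytes per record type (S4 is reserved, so it is rejected).
ADDR_LEN = {"0": 2, "1": 2, "2": 3, "3": 4, "5": 2, "6": 3, "7": 4, "8": 3, "9": 2}

@dataclass
class SRecord:
    rtype: str
    address: int
    data: bytes

def parse_srec_line(line: str) -> SRecord:
    """Decode one S-record line, rejecting a bad length or checksum."""
    line = line.strip()
    if len(line) < 10 or line[0] != "S" or line[1] not in ADDR_LEN:
        raise ValueError(f"not an S-record: {line[:10]!r}")
    body = bytes.fromhex(line[2:])
    count, payload, checksum = body[0], body[1:-1], body[-1]
    if count != len(payload) + 1:  # count covers address + data + checksum
        raise ValueError(f"byte count {count} does not match record length")
    # Checksum is the one's complement of the low byte of the sum of the
    # count, address and data bytes.
    if (~(count + sum(payload))) & 0xFF != checksum:
        raise ValueError("checksum mismatch")
    alen = ADDR_LEN[line[1]]
    return SRecord(line[1], int.from_bytes(payload[:alen], "big"), payload[alen:])

def srec_to_image(lines: Iterable[str]) -> Tuple[int, bytes]:
    """Lay S1/S2/S3 data out like objcopy -O binary: lowest address first, gaps zero-filled."""
    chunks = [r for r in map(parse_srec_line, lines) if r.rtype in "123"]
    if not chunks:
        raise ValueError("no data records")
    base = min(r.address for r in chunks)
    end = max(r.address + len(r.data) for r in chunks)
    image = bytearray(end - base)
    for r in chunks:
        image[r.address - base : r.address - base + len(r.data)] = r.data
    return base, bytes(image)

# The two lines quoted in the answer above: the S0 header and the first S1 data record.
SAMPLE = [
    "S0260000433A5C446576656C6F706D656E745C646D32345C62696E5C584232342D444D2E70726DBE",
    "S1231080435402D1471036434E00D1310000414300D11200005652029C1DFD46465200D14C",
]

if __name__ == "__main__":
    print("S0 header:", parse_srec_line(SAMPLE[0]).data.decode("ascii"))
    base, image = srec_to_image(SAMPLE)
    print(f"data loads at 0x{base:04X}:", image.hex(" "))
```

The returned base (0x1080 here) is exactly what the flat binary discards, which is why addresses in `objdump -b binary` output start at zero unless the load address is supplied with `--adjust-vma`.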