
I have the instruction which is:

 5ff1aed4         bl         sub_5ff171d0  

which assembles to:

FCF77CF9

This appears to mean that the program is branching backwards. However, I can't seem to find the offset it is adding onto the PC when I try to disassemble the instruction:

OP   H  Offset
1111 1 00101111100 // Low - 17C 
1111 0 11111111100 // High - 7FC 

This is clearly incorrect because it increases the size of the program counter instead of decreasing it. Can anyone explain where I'm going wrong?

1 Answer

When you assembled it, you ended up with the bytes:

FC F7 7C F9

This is two 16-bit little endian thumb instructions:

fc f7 = 0xf7fc = 111 10 11111111100 = BL, H=10, offset_hi=0x7fc
7c f9 = 0xf97c = 111 11 00101111100 = BL, H=11, offset_lo=0x17c

For the purposes of calculating the BL's destination address, the pc is:

pc = address of first BL instruction + 4 = 0x5ff1aed8 

For the calculation of the destination:

dest = pc + (sign_extend(offset_hi)<<12) + (offset_lo<<1)
     = pc + (0xfffffffc<<12) + (0x17c<<1)
     = 0x5ff1aed8 + 0xffffc000 + 0x2f8 
     = 0x5ff171d0 (result is only 32 bits wide)
booto
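A decoder and encoder for the two-halfword Thumb BL pair described in the answer above, added here as an example (not code from the question or the answer). It implements the classic pre-Thumb-2 encoding (prefix halfword with H=10 carrying the sign-extended high part, suffix halfword with H=11 carrying the low part) and checks it against the bytes FC F7 7C F9 at 0x5ff1aed4; the function names are my own.

```python
import struct

MASK32 = 0xFFFFFFFF


def decode_thumb_bl(code: bytes, addr: int):
    """Decode a classic Thumb BL pair (two little-endian 16-bit halfwords)
    located at `addr`. Returns (pc_used, offset_hi, offset_lo, dest)."""
    if len(code) < 4:
        raise ValueError("need 4 bytes for a BL pair")
    hi, lo = struct.unpack_from("<HH", code, 0)
    # Top 5 bits: 11110 (opcode 1111, H=10) then 11111 (opcode 1111, H=11).
    if (hi >> 11) != 0b11110 or (lo >> 11) != 0b11111:
        raise ValueError("not a two-halfword Thumb BL pair")
    offset_hi = hi & 0x7FF
    offset_lo = lo & 0x7FF
    # offset_hi is an 11-bit signed quantity: sign-extend it to 32 bits.
    if offset_hi & 0x400:
        offset_hi_sext = (offset_hi | ~0x7FF) & MASK32   # e.g. 0x7FC -> 0xFFFFFFFC
    else:
        offset_hi_sext = offset_hi
    pc = addr + 4                       # PC reads as the first halfword + 4
    dest = (pc + (offset_hi_sext << 12) + (offset_lo << 1)) & MASK32
    return pc, offset_hi, offset_lo, dest


def encode_thumb_bl(addr: int, dest: int) -> bytes:
    """Produce the 4 bytes of a classic Thumb BL at `addr` targeting `dest`."""
    delta = dest - (addr + 4)
    if delta & 1:
        raise ValueError("Thumb target must be halfword aligned")
    if not -(1 << 22) <= delta < (1 << 22):
        raise ValueError("target out of +/-4MB BL range")
    half = delta >> 1                   # 22-bit signed offset in halfwords
    offset_lo = half & 0x7FF
    offset_hi = (half >> 11) & 0x7FF    # arithmetic shift keeps the sign bits
    return struct.pack("<HH", 0xF000 | offset_hi, 0xF800 | offset_lo)


if __name__ == "__main__":
    # The instruction from the question: bytes FC F7 7C F9 at 0x5ff1aed4.
    pc, off_hi, off_lo, dest = decode_thumb_bl(bytes.fromhex("FCF77CF9"), 0x5FF1AED4)
    print(f"pc=0x{pc:08x} offset_hi=0x{off_hi:03x} offset_lo=0x{off_lo:03x} dest=0x{dest:08x}")
    print(encode_thumb_bl(0x5FF1AED4, dest).hex())  # round-trips to fcf77cf9
```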