
Reversing in Ghidra SRE

Ghidra SRE is used as the primary reverse engineering platform. All instructions and tools presented on the site are designed to work with Ghidra.

This guide will help you get into reverse engineering in just a few steps.

warning

Since around 2019, Ghidra SRE has had a bug: in the ARM v5t language, the byte sequence FF FF is decoded as the Thumb instruction BL 0xFFE. This causes an infinite loop during auto-analysis.

You must apply the ARMTHUMBinstructions.sinc patch if you plan to work with Siemens firmware.

What to do before you start

  1. Install the latest version of Ghidra SRE and apply the ARMTHUMBinstructions.sinc patch

  2. Obtain a fullflash from the phone and remove FFS and EEPROM from it.

    This is important for auto-analysis, because FFS and EEPROM contain ambiguous data that may be interpreted as instructions.

    You can download a collection of firmware files with FFS and EEPROM already removed: fullflashes.zip

  3. Dump RAM and SRAM from your phone.

Step 1: Load your fullflash.bin into Ghidra


  1. Launch the disassembler and select File -> Import File

  2. Select the fullflash.bin file

  3. Configure the import options:

    • Format: Raw Binary
    • Language: ARM v5t 32 little
    • Options → Block Name: FULLFLASH
    • Options → Base Address: A0000000
  4. Click fullflash.bin in the project list.

  5. Ghidra will offer automatic analysis; you need to decline (click No).

Step 2: Adjust the FULLFLASH region attributes

Go to Window -> Memory Map and set the attributes for the "FULLFLASH" block:

 R   W   X    Volatile
[x] [ ] [x] [ ]

It is very important to clear the W checkbox, as this directly affects decompilation: the decompiler only propagates values read from non-writable memory as constants, so a writable FULLFLASH block hides every constant stored in ROM.

Step 3: Configure auto-analysis parameters

  1. Select Analysis -> Auto Analyse

  2. Change the analysis parameters:

    Disable:

    • Embedded media
    • Non-returning functions - discovered (otherwise the disassembler may stop prematurely inside a function)
    • Create Address Tables (it is better to run this as a one-shot after the main analysis)
    • Demangler GNU

    Enable:

    • Scalar operand references
    • Shared return calls with the option [x] Allow conditional jumps
  3. Click "APPLY", but DO NOT CLICK "ANALYZE"!!!

  4. Close the analysis window.

Step 4: Memory region for IO registers

  1. Go to Window -> Memory Map

  2. Add a new region with the following parameters:

    • Block Name: IO
    • Start Addr: 0xF0000000
    • Length: 0x0F000000
    • Attributes: [x] Read [x] Write [ ] Execute [x] Volatile [ ] Overlay
    • Uninitialized

Step 5: Import a RAM dump from the phone

Import all previously obtained memory dumps.

Example with RAM:

  1. File -> Add to Program

  2. Select the file, for example: C81v51_RAM_A8000000_00800000.bin

  3. Specify the parameters:

    • Block Name: RAM
    • Base Addr: 0xA8000000

    Click "OK".

  4. Go to Window -> Memory Map and set the attributes for the "RAM" block:

     R   W   X    Volatile
    [x] [x] [x] [ ]
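The memory-map edits in Steps 2, 4 and 5 can be applied in one go with a Ghidra script. The script below is an added example written for this guide, not part of ghidra_scripts.zip or of Ghidra itself; it assumes the block names and addresses given in the steps above (FULLFLASH, IO at 0xF0000000 with length 0x0F000000, RAM) and is run from the Script Manager once fullflash.bin has been imported.

```java
// SetupMemoryMap.java (example script for this guide, not from ghidra_scripts.zip)
// Applies the FULLFLASH, IO and RAM block attributes from Steps 2, 4 and 5.
// @category Siemens
import ghidra.app.script.GhidraScript;
import ghidra.program.model.mem.Memory;
import ghidra.program.model.mem.MemoryBlock;

public class SetupMemoryMap extends GhidraScript {

    // Block names and addresses assumed from the steps above.
    private static final String FLASH_NAME = "FULLFLASH";
    private static final String IO_NAME = "IO";
    private static final String RAM_NAME = "RAM";
    private static final long IO_START = 0xF0000000L;
    private static final long IO_LENGTH = 0x0F000000L;

    @Override
    public void run() throws Exception {
        Memory mem = currentProgram.getMemory();

        // Step 2: FULLFLASH must be R/X only. With W set, the decompiler cannot
        // treat values stored in ROM as constants.
        MemoryBlock flash = mem.getBlock(FLASH_NAME);
        if (flash == null) {
            printerr("No block named " + FLASH_NAME + "; import fullflash.bin first (Step 1).");
            return;
        }
        setPerms(flash, true, false, true, false);

        // Step 4: IO register window, uninitialized and volatile so reads and
        // writes to peripheral registers are never optimized away.
        // Re-running the script must not fail if the block already exists.
        MemoryBlock io = mem.getBlock(IO_NAME);
        if (io == null) {
            io = mem.createUninitializedBlock(IO_NAME, toAddr(IO_START), IO_LENGTH, false);
        }
        setPerms(io, true, true, false, true);

        // Step 5: an imported RAM dump is R/W/X and not volatile (skip if absent).
        MemoryBlock ram = mem.getBlock(RAM_NAME);
        if (ram != null) {
            setPerms(ram, true, true, true, false);
        }
        println("Memory map configured.");
    }

    // Sets the four Memory Map checkboxes on a block and logs the result.
    private void setPerms(MemoryBlock b, boolean r, boolean w, boolean x, boolean v) {
        b.setRead(r); b.setWrite(w); b.setExecute(x); b.setVolatile(v);
        printf("%-10s R=%b W=%b X=%b Volatile=%b%n", b.getName(), r, w, x, v);
    }
}
```

Check the result in Window -> Memory Map afterwards; the script changes only the attributes listed in the steps and leaves the Overlay flag clear.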

Step 6: Plugins for Ghidra

  1. Download: ghidra_scripts.zip or clone the repository
  2. Open Window -> Script Manager
  3. Click "Manage Script Directories"
  4. Add the path to the extracted ghidra_scripts folder.

Step 7: Import C types from swilib

  1. Download the appropriate swilib-types-PLATFORM.h from Swilib data types for disassembler
  2. Select File -> Parse C Source...
  3. Click Clear profile (the eraser icon)
  4. Add swilib-types-PLATFORM.h to Source files to parse
  5. Set Program architecture: ARM v5t 32 little
  6. Click Parse to Program -> Continue -> Don't use Open Archives -> OK

Step 9: Import the CPU IO register list

  1. Download the appropriate cpu-PHONE.txt or cpu-pmb887x.txt from CPU IO registers
  2. Open Window -> Script Manager -> ImportSymbolsWithDataType.java -> Run Script
  3. Select cpu-PHONE.txt or cpu-pmb887x.txt

Step 10: Import swilib symbols

  1. Download the appropriate symbols-PHONE.txt from Firmware symbols for disassembler
  2. Open Window -> Script Manager -> ImportSymbolsWithDataType.java -> Run Script
  3. Select symbols-PHONE.txt

This will take some time, because auto-analysis will start.

When you see "Finished" in the script console, you can stop the analysis and move on.

Step 11: Firmware auto-analysis

Full analysis

  1. Open Analysis -> Auto Analyse 'fullflash.bin'
  2. Make sure the parameters match those specified in Step 3
  3. Click ANALYSE

This will take 10-30 minutes. The process is long, so be patient.

Run only once

  1. Select Analysis -> One-shot -> Create Address Tables

Congratulations, you did it! ✨

We look forward to your patches in the patch database at patches.kibab.com :)