Hi,

maybe this is a stupid question , but since i'm not able to run code on the target CPU i have to be sure on how things works while disassembling the code.

I'm reversing a firmware based on MIPS CPU (i think is MIPS 5KF series).

I load the ELF kernel image on IDA and it tells me that it's MIPSB , so it must be big-endiang format.

What puzzles me is that in the code i reversed there's a SHA1 implementation , but the SHA1 algo applied treats data as it was little-endia (swapping bytes during SHA1_Transform function ).
Examining the bytecode of the ELF , all seems to be in big-endian format (for example , a LOAD UPPER IMMEDIATE instruction appears as 0x3C 0x07 0xAA 0xBB where 0xAABB is the data to be loaded in memory. If it was LE-format it would have to be 0xBB 0xAA 0x07 0x3C no ?? ) , so i think that if ROM image is big-endian the whole system is big-endian.

I'm wrong ? Am i missing something ?

Can someone help me ?

thanks in advance .

Nico.

I've done a little embedded programming but never did any disassembly on them. I can tell you that some compilers, especially if using a provided memory library, may do byte swapping how it pleases. Others, especially chips are are not 32 bits have to deal with data 16bits at a time so to a point it is up to the end user to store data how he/she feels most comfortable. Also keep in mind how brainless some programmers really are. Maybe the programmer has simply copied/pasted some code that came up on the first seach for SHA1 -- which was probably meant for an intel architecture.

String pointers! Find strings in the disassembly, and see if there are XREFs to them. If not, then you either have the ORG wrong, or your indianess is wrong.

I almost ALWAYS start with the strings.