MIPS reversing


visions_of_eden
December 17th, 2010, 09:40
Hi,

Maybe this is a stupid question, but since I'm not able to run code on the target CPU I have to be sure of how things work while disassembling the code.

I'm reversing a firmware based on a MIPS CPU (I think it is the MIPS 5KF series).

I load the ELF kernel image in IDA and it tells me that it's MIPSB, so it must be big-endian format.

What puzzles me is that in the code I reversed there's a SHA1 implementation, but the SHA1 algorithm applied treats data as if it were little-endian (swapping bytes during the SHA1_Transform function).
Examining the bytecode of the ELF, all seems to be in big-endian format (for example, a LOAD UPPER IMMEDIATE instruction appears as 0x3C 0x07 0xAA 0xBB where 0xAABB is the data to be loaded in memory. If it was LE format it would have to be 0xBB 0xAA 0x07 0x3C, no?), so I think that if the ROM image is big-endian the whole system is big-endian.

Am I wrong? Am I missing something?

Can someone help me?

Thanks in advance.

Nico.
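An added illustration of the two points in the question above (not code from the thread): decoding the quoted lui bytes under both byte orders, and a SHA-1 whose message-word byte order is made explicit. FIPS 180 defines those message words as big-endian, so a big-endian build needs no swap while a little-endian one must swap; the lui bytes are the ones quoted above and "abc" is a constructed test input.

```python
import hashlib
import struct

# The four bytes quoted in the question for LOAD UPPER IMMEDIATE.
LUI_BYTES = bytes([0x3C, 0x07, 0xAA, 0xBB])
LUI_OPCODE = 0x0F  # opcode field of lui rt, imm

def decode_itype(raw, endian):
    """Decode 4 bytes as a MIPS I-type word; endian is '>' (big) or '<' (little)."""
    word = struct.unpack(endian + "I", raw)[0]
    return {"opcode": word >> 26, "rs": (word >> 21) & 0x1F,
            "rt": (word >> 16) & 0x1F, "imm": word & 0xFFFF}

def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1(msg, word_endian=">"):
    """SHA-1 with the message-word byte order as a parameter.

    FIPS 180 loads the 16 words of each 64-byte block big-endian, so '>' is
    correct on any host; '<' models a little-endian port that skipped the swap.
    """
    ml = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack(">Q", ml)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(word_endian + "16I", msg[off:off + 64]))
        for t in range(16, 80):
            w.append(rotl(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1))
        a, b, c, d, e = h
        for t in range(80):
            if t < 20:   f, k = (b & c) | (~b & d), 0x5A827999
            elif t < 40: f, k = b ^ c ^ d, 0x6ED9EBA1
            elif t < 60: f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:        f, k = b ^ c ^ d, 0xCA62C1D6
            tmp = (rotl(a, 5) + (f & 0xFFFFFFFF) + e + k + w[t]) & 0xFFFFFFFF
            a, b, c, d, e = tmp, a, rotl(b, 30), c, d
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h).hex()

def only_big_endian_words_match(msg=b"abc"):
    """True when big-endian word loads reproduce the reference digest and little-endian loads do not."""
    ref = hashlib.sha1(msg).hexdigest()
    return sha1(msg, ">") == ref and sha1(msg, "<") != ref

if __name__ == "__main__":
    print(decode_itype(LUI_BYTES, ">"), decode_itype(LUI_BYTES, "<"))
    print(only_big_endian_words_match())
```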

GoldStar611
December 17th, 2010, 20:03
I've done a little embedded programming but never did any disassembly on them. I can tell you that some compilers, especially if using a provided memory library, may do byte swapping however they please. Others, especially chips that are not 32 bits, have to deal with data 16 bits at a time, so to a point it is up to the end user to store data how he/she feels most comfortable. Also keep in mind how brainless some programmers really are. Maybe the programmer has simply copied/pasted some code that came up on the first search for SHA1 -- which was probably meant for an Intel architecture.

FrankRizzo
December 17th, 2010, 21:52
String pointers! Find strings in the disassembly, and see if there are XREFs to them. If not, then you either have the ORG wrong, or your endianness is wrong.

I almost ALWAYS start with the strings.