steps for adding new loader #35

Open
docfate111 opened this issue Nov 24, 2023 · 5 comments

Comments

@docfate111

Hello, I have a modem binary that is aarch32 and I can load it in Ghidra with your script, but I cannot use it with Firmwire: I get an error message about not finding a loader for it. On the wiki it mentions that there is a language for extending the emulator, but I don't know how to extend it.

@mariusmue (Contributor)

Hi.
I assume this is an exynos/shannon based image, as you refer to our Ghidra scripts?

If this is the case, you most likely will need to add SoC support, for this, you would need to extend the following file:

You also potentially need to add or adjust peripherals, and adjust the machine to provide relevant hooks for this SoC.

Furthermore, you may need to add/adjust patterns.

Hope that helps, but without information about what kind of firmware you are looking at, I cannot really say more.

@docfate111 (Author) commented Nov 25, 2023

Ok, thank you.
Yes, sorry I didn't give the context: yes, this is a shannon LTE image.
How exactly would I find what parts of the firmware are for each part of the SoC? Is that what the pattern DB is for?
What kind of information? Can I send the firmware?

@mariusmue (Contributor)

To find the right information and changes for the SoC, you would usually iteratively reverse engineer the firmware and run it in firmwire, to see where it gets stuck and what needs to be changed. For a better documentation of this process, you can check our paper (Section V-E) as well as the corresponding diff in the artifact repository.

Potentially, you will need to provide a new soc class, rather than adjusting an existing one, but this would mostly be copy-paste work.

You can provide the name of the firmware and I can look into it, but I can't promise that this will be timely. We do have some internal development regarding some newer shannon LTE firmware, but none of that is working well enough to be pushed yet.

@docfate111 (Author) commented Jan 3, 2024

How do I determine CHIP_ID, SIPC_BASE, SHM_BASE, SOC_BASE, SOC_CLK_BASE, CLK_PERIPHERAL, and TIMER_BASE? I am trying to emulate r11.
(screenshot attached)
Right now firmwire just says not recognized (I removed the first few bytes so the TOC is the beginning). If I add a class with a different CHIP ID or something, will it try to load? Or should I try and make a class based on the chip that is most similar to it? Or do I need to change the patternDB to add an entry for it to be recognized?

@mariusmue (Contributor) commented Feb 18, 2024

Hi @docfate111,

Sorry for the delay! Usually, you would determine the addresses of peripherals via reverse engineering. You will want to add a separate class, yes. I started working on emulating the pixel watch modem myself a while ago, which also required

  • additional patterns
  • different task layout
  • additional clock peripheral
  • Minor changes here and there

Unfortunately, I never fully got support working, which is why I never upstreamed it. If you are still interested in this, I can share my patchset.

Regarding your specific question, the values in question are (according to my reverse engineering):

    CHIP_ID = 0x03070000
    SIPC_BASE = 0x8F920000
    SHM_BASE = 0x45800000
    SOC_BASE = 0x82000000
    SOC_CLK_BASE = 0x83000000
    TIMER_BASE = SOC_BASE + 0x8000

Best
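The thread turns on two practical steps: getting the image to the point where its TOC is at offset 0, and deciding whether a candidate set of peripheral constants is plausible before wiring them into a new SoC class. The script below is an added example and is not FirmWire's own loader or SoC code. It assumes the common 32-byte Shannon TOC entry layout (12-byte name, file offset, load address, size, CRC, entry id, little-endian) and that the first entry describes the TOC itself; the sample image it parses is constructed inline, and the CRC field is filled with a placeholder CRC-32 rather than whatever the real images use. The peripheral addresses are the ones given in the comment above; the check simply flags any "base" that lands inside a section the image maps, since SIPC, shared memory, clock and timer regions should sit outside the BOOT/MAIN code and data.

```python
"""Added example: walk the TOC of a Shannon modem image and sanity-check
candidate SoC peripheral constants against the sections it maps.
Not FirmWire code; layout and sample data are assumptions (see comments)."""
import struct
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed TOC entry layout: name[12] | file_offset | load_addr | size | crc | entry_id
TOC_ENTRY = struct.Struct("<12sIIIII")  # 32 bytes, little-endian


@dataclass(frozen=True)
class TocEntry:
    name: str
    offset: int      # where the section starts in the file
    load_addr: int   # where the section is mapped at runtime
    size: int
    crc: int
    entry_id: int

    def contains(self, addr: int) -> bool:
        return self.load_addr <= addr < self.load_addr + self.size


def parse_toc(image: bytes) -> List[TocEntry]:
    """Return the TOC entries; stop at the first all-zero entry or at the
    end of the TOC region (the first entry's size, assumed to bound the table)."""
    if not image.startswith(b"TOC"):
        raise ValueError("image does not start with a TOC entry; strip any vendor header first")
    entries: List[TocEntry] = []
    limit = len(image)
    off = 0
    while off + TOC_ENTRY.size <= limit:
        raw_name, *fields = TOC_ENTRY.unpack_from(image, off)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        if not name:
            break
        entry = TocEntry(name, *fields)
        if not entries and entry.size:
            limit = min(limit, entry.size)  # assumption: TOC entry size == table size
        entries.append(entry)
        off += TOC_ENTRY.size
    return entries


def section_bytes(image: bytes, entry: TocEntry) -> bytes:
    """Slice one section out of the file, e.g. to hand MAIN to a disassembler."""
    return image[entry.offset:entry.offset + entry.size]


def section_for(entries: List[TocEntry], addr: int) -> Optional[TocEntry]:
    """First TOC section whose load range covers addr, or None."""
    for e in entries:
        if e.contains(addr):
            return e
    return None


def check_soc_constants(entries: List[TocEntry], consts: Dict[str, int]) -> Dict[str, str]:
    """Map each constant that collides with a loaded section to that section's name.
    Peripheral/shared-memory bases should never land inside BOOT/MAIN; a hit
    usually means the constant or the candidate class's load address is wrong."""
    return {name: hit.name for name, addr in consts.items()
            if (hit := section_for(entries, addr)) is not None}


# Address constants quoted from mariusmue's comment in this thread (CHIP_ID is not an address).
R11_CANDIDATE = {
    "SIPC_BASE": 0x8F920000,
    "SHM_BASE": 0x45800000,
    "SOC_BASE": 0x82000000,
    "SOC_CLK_BASE": 0x83000000,
    "TIMER_BASE": 0x82000000 + 0x8000,
}


def build_sample_image() -> bytes:
    """Constructed sample (not a real modem): a 0x200-byte TOC plus two tiny sections."""
    nop = b"\x00\xf0\x20\xe3"  # ARM 'nop' (mov r0, r0) filler
    sections = [("BOOT", 0x40000000, nop * 64), ("MAIN", 0x40010000, nop * 256)]
    toc_size = 0x200
    toc = bytearray(TOC_ENTRY.pack(b"TOC", 0, 0, toc_size, 0, 0))
    body = bytearray()
    file_off = toc_size
    for idx, (name, load, payload) in enumerate(sections, start=1):
        # crc is a placeholder CRC-32 here; the real images' CRC convention is not asserted
        toc += TOC_ENTRY.pack(name.encode(), file_off, load, len(payload), zlib.crc32(payload), idx)
        body += payload
        file_off += len(payload)
    toc += bytes(toc_size - len(toc))  # zero padding terminates the table
    return bytes(toc) + bytes(body)


if __name__ == "__main__":
    img = build_sample_image()
    toc = parse_toc(img)
    for e in toc:
        print(f"{e.name:<6} file+0x{e.offset:06x} -> 0x{e.load_addr:08x} ({e.size} bytes)")
    print("constants inside loaded sections:", check_soc_constants(toc, R11_CANDIDATE) or "none")
```

Run it on a real modem.bin (after stripping any vendor header, as done in the thread) by replacing build_sample_image() with open(path, "rb").read(); if parse_toc raises, the TOC is not yet at offset 0. A non-empty result from check_soc_constants is the quick tell that a copied SoC class's bases do not belong to this chip.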
