[*] Binary protection state of flash_unlock
Partial RELRO No Canary found NX disabled No PIE No RPATH No RUNPATH No Symbols
[*] Function printf tear down of flash_unlock
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/unblob_extracted/firmware_extract/56048-12514271.gzip_extract/gzip.uncompressed_extract/5243916-15068666.gzip_extract/gzip.uncompressed_extract/usr/sbin/flash_unlock @ 0x104e0 */
| #include <stdint.h>
|
; (fcn) main () | int32_t main (int32_t argc, char ** argv) {
| int32_t var_0h;
| int32_t var_4h;
| int32_t var_ch;
| int32_t var_10h;
| int32_t var_14h;
| int32_t var_18h;
| int32_t var_20h;
| int32_t var_24h;
| int32_t var_3ch;
| r0 = argc;
| r1 = argv;
| /* [10] -r-x section size 1568 named .text */
0x000104e0 push {r4, r5, r6, r7, r8, sb, lr} |
0x000104e4 ldr sb, [pc, 0x3c0] | sb = "help";
0x000104e8 ldr r6, [pc, 0x3c0] | r6 = "help";
0x000104ec mov r4, 0 | r4 = 0;
0x000104f0 sub sp, sp, 0x3c |
0x000104f4 mov r7, r0 | r7 = r0;
0x000104f8 mov r5, r1 | r5 = r1;
0x000104fc mov r8, r4 | r8 = r4;
0x00010500 str r4, [sp, 0xc] | var_ch = r4;
| label_0:
0x00010504 str r8, [sp] | *(sp) = r8;
0x00010508 mov r3, sb | r3 = sb;
0x0001050c ldr r2, [pc, 0x3a0] | r2 = *(0x108b0);
0x00010510 mov r1, r5 | r1 = r5;
0x00010514 mov r0, r7 | r0 = r7;
0x00010518 bl 0x10468 | r0 = getopt_long ();
0x0001051c cmn r0, 1 |
| if (r0 == 1) {
0x00010520 beq 0x10594 | goto label_7;
| }
0x00010524 cmp r0, 0x69 |
| if (r0 == 0x69) {
0x00010528 beq 0x10564 | goto label_8;
| }
| if (r0 > 0x69) {
0x0001052c bgt 0x1054c | goto label_9;
| }
0x00010530 cmp r0, 0x56 |
| if (r0 == 0x56) {
0x00010534 beq 0x1057c | goto label_10;
| }
0x00010538 cmp r0, 0x68 |
| if (r0 != 0x68) {
0x0001053c moveq r0, 0 | r0 = 0;
| }
0x00010540 beq 0x10548 |
| while (r0 != 0x75) {
| label_1:
0x00010544 mov r0, 1 | r0 = 1;
0x00010548 bl 0x10a48 | r0 = fcn_00010a48 (r0);
| label_9:
0x0001054c cmp r0, 0x6c |
| if (r0 == 0x6c) {
0x00010550 beq 0x10570 | goto label_11;
| }
0x00010554 cmp r0, 0x75 |
0x00010558 bne 0x10544 |
| }
0x0001055c mov r3, 1 | r3 = 1;
0x00010560 b 0x10568 | goto label_12;
| label_8:
0x00010564 mov r3, 2 | r3 = 2;
| label_12:
0x00010568 str r3, [r6] | *(r6) = r3;
0x0001056c b 0x10574 | goto label_13;
| label_11:
0x00010570 str r8, [r6] | *(r6) = r8;
| label_13:
0x00010574 add r4, r4, 1 | r4++;
0x00010578 b 0x10504 | goto label_0;
| label_10:
0x0001057c ldr r2, [pc, 0x334] | r2 = "hiluV";
0x00010580 ldr r1, [pc, 0x334] | r1 = "2.1.0";
0x00010584 ldr r0, [pc, 0x334] | r0 = "flash_unlock";
0x00010588 bl 0x10450 | printf ("flash_unlock", "2.1.0", "hiluV")
0x0001058c mov r0, 0 | r0 = 0;
| label_4:
0x00010590 bl 0x104c8 | exit (r0);
| label_7:
0x00010594 cmp r4, 1 |
| if (r4 <= 1) {
0x00010598 ble 0x105b4 | goto label_14;
| }
0x0001059c ldr r2, [pc, 0x318] | r2 = "2.1.0";
0x000105a0 ldr r1, [pc, 0x31c] | r1 = "%s (mtd-utils) %s\n";
| do {
| label_2:
0x000105a4 ldr r3, [pc, 0x31c] | r3 = "_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option";
0x000105a8 ldr r0, [r3] | r0 = "_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option";
0x000105ac bl 0x1048c | fprintf ("_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option", "%s (mtd-utils) %s\n", "2.1.0", "_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option")
0x000105b0 b 0x10544 | goto label_1;
| label_14:
0x000105b4 ldr r3, [pc, 0x310] |
0x000105b8 ldr r3, [r3] | r3 = stderr;
0x000105bc sub r2, r7, r3 | r2 = r7 - r3;
0x000105c0 cmp r2, 0 |
| if (r2 > 0) {
0x000105c4 ldrle r2, [pc, 0x2f0] | r2 = "flash_unlock";
| }
| if (r2 > 0) {
0x000105c8 ldrle r1, [pc, 0x300] | r1 = "_s:_error_:_too_few_arguments";
| }
0x000105cc ble 0x105a4 |
| } while (r2 <= 0);
0x000105d0 cmp r2, 3 |
| if (r2 <= 3) {
0x000105d4 ldrgt r2, [pc, 0x2e0] | r2 = "flash_unlock";
| }
| if (r2 > 3) {
0x000105d8 ldrgt r1, [pc, 0x2f4] | r1 = "%s: error!: too many arguments\n";
| goto label_15;
| }
| if (r2 > 3) {
| label_15:
0x000105dc bgt 0x105a4 | goto label_2;
| }
0x000105e0 ldr r0, [r5, r3, lsl 2] | offset_0 = r3 << 2;
| r0 = *((r5 + offset_0));
0x000105e4 ldr r4, [pc, 0x2ec] | r4 = "%s: error!: too many arguments\n";
0x000105e8 add r1, r3, 1 | r1 = r3 + 1;
0x000105ec cmp r7, r1 |
0x000105f0 lsl r2, r3, 2 | r2 = r3 << 2;
0x000105f4 str r0, [r4] | *(r4) = r0;
| if (r7 <= r1) {
0x000105f8 ble 0x10678 | goto label_16;
| }
0x000105fc add r5, r5, r2 | r5 += r2;
0x00010600 ldr r2, [r5, 4] | r2 = *((r5 + 4));
0x00010604 add r3, r3, 2 | r3 += 2;
0x00010608 cmp r7, r3 |
0x0001060c str r2, [r4, 4] | *((r4 + 4)) = r2;
| if (r7 <= r3) {
0x00010610 ldrgt r3, [r5, 8] | r3 = *((r5 + 8));
| }
0x00010614 bgt 0x1061c |
| while (1) {
0x00010618 mov r3, 0 | r3 = 0;
0x0001061c mov r1, 2 | r1 = 2;
0x00010620 str r3, [r4, 8] | *((r4 + 8)) = r3;
0x00010624 bl 0x104b0 | r0 = open64 ();
0x00010628 subs r7, r0, 0 | r7 = r0 - 0;
| if (r7 >= r0) {
0x0001062c bge 0x10680 | goto label_17;
| }
0x00010630 bl 0x104bc | errno_location ();
0x00010634 ldr r6, [pc, 0x28c] | r6 = "_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option";
0x00010638 ldr r3, [r4] | r3 = *(r4);
0x0001063c ldr r2, [pc, 0x278] | r2 = "2.1.0";
0x00010640 ldr r1, [pc, 0x294] | r1 = *(0x108d8);
0x00010644 ldr r5, [r0] | r5 = *(r0);
| label_3:
0x00010648 ldr r0, [r6] | r0 = *(r6);
0x0001064c bl 0x1048c | fprintf (r0, r1, "2.1.0", r3, r4, r5, "_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option")
0x00010650 mov r0, r5 | r0 = r5;
0x00010654 ldr r4, [r6] | r4 = *(r6);
0x00010658 bl 0x1045c | strerror (r0);
0x0001065c str r5, [sp] | *(sp) = r5;
0x00010660 str r0, [sp, 4] | var_4h = r0;
| label_6:
0x00010664 ldr r3, [pc, 0x274] | r3 = "%s: error!: could not open: %s\n";
0x00010668 mov r2, 0xe | r2 = 0xe;
0x0001066c ldr r1, [pc, 0x270] | r1 = *(0x108e0);
0x00010670 mov r0, r4 | r0 = r4;
0x00010674 b 0x10794 | goto label_18;
| label_16:
0x00010678 str r8, [r4, 4] | *((r4 + 4)) = r8;
0x0001067c b 0x10618 |
| }
| label_17:
0x00010680 add r2, sp, 0x18 | r2 += var_18h;
0x00010684 ldr r1, [pc, 0x25c] | r1 = "%*serror %d (%s)\n";
0x00010688 bl 0x10444 | r0 = ioctl (r0, "%*serror %d (%s)\n");
0x0001068c cmp r0, 0 |
| if (r0 != 0) {
0x00010690 beq 0x106b0 |
0x00010694 bl 0x104bc | errno_location ();
0x00010698 ldr r6, [pc, 0x228] | r6 = "_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option";
0x0001069c ldr r3, [r4] | r3 = *(r4);
0x000106a0 ldr r2, [pc, 0x214] | r2 = "2.1.0";
0x000106a4 ldr r1, [pc, 0x240] | r1 = *(0x108e8);
0x000106a8 ldr r5, [r0] | r5 = *(r0);
0x000106ac b 0x10648 | goto label_3;
| }
0x000106b0 ldr r0, [r4, 4] | r0 = *((r4 + 4));
0x000106b4 cmp r0, 0 |
| if (r0 == 0) {
0x000106b8 beq 0x106ec | goto label_19;
| }
0x000106bc add r1, sp, 0xc | r1 += var_ch;
0x000106c0 bl 0x10a88 | fcn_00010a88 (r0, r1);
0x000106c4 ldr r3, [sp, 0xc] | r3 = var_ch;
0x000106c8 cmp r3, 0 |
0x000106cc str r0, [sp, 0x10] | var_10h = r0;
| if (r3 == 0) {
0x000106d0 beq 0x106f0 | goto label_20;
| }
0x000106d4 ldr r2, [pc, 0x1e0] | r2 = "2.1.0";
0x000106d8 ldr r1, [pc, 0x210] | r1 = "%s: error!: could not get mtd info: %s\n";
| do {
0x000106dc ldr r3, [pc, 0x1e4] | r3 = "_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option";
0x000106e0 ldr r0, [r3] | r0 = "_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option";
0x000106e4 bl 0x1048c | fprintf ("_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option", "%s: error!: could not get mtd info: %s\n", "2.1.0", "_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option")
0x000106e8 b 0x10718 | goto label_5;
| label_19:
0x000106ec str r0, [sp, 0x10] | var_10h = r0;
| label_20:
0x000106f0 ldr r3, [sp, 0x10] | r3 = var_10h;
0x000106f4 ldr r2, [sp, 0x20] | r2 = var_20h;
0x000106f8 cmp r3, r2 |
| if (r3 > r2) {
0x000106fc blo 0x10720 |
0x00010700 ldr r0, [pc, 0x1c0] |
0x00010704 str r2, [sp] | *(sp) = r2;
0x00010708 ldr r1, [pc, 0x1e4] | r1 = "%s: error!: bad offset\n";
0x0001070c ldr r2, [pc, 0x1a8] | r2 = "2.1.0";
0x00010710 ldr r0, [r0] | r0 = "_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option";
0x00010714 bl 0x1048c | fprintf ("_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option", "%s: error!: bad offset\n", r2)
| label_5:
0x00010718 mvn r0, 0 | r0 = ~0;
0x0001071c b 0x10590 | goto label_4;
| }
0x00010720 ldr r0, [r4, 8] | r0 = *((r4 + 8));
0x00010724 cmp r0, 0 |
| if (r0 == 0) {
0x00010728 beq 0x1079c | goto label_21;
| }
0x0001072c add r1, sp, 0xc | r1 += var_ch;
0x00010730 bl 0x10a88 | fcn_00010a88 (r0, r1);
0x00010734 ldr r3, [sp, 0xc] | r3 = var_ch;
0x00010738 cmp r3, 0 |
0x0001073c mov r2, r0 | r2 = r0;
| if (r3 == 0) {
0x00010740 ldrne r2, [pc, 0x174] | r2 = "flash_unlock";
| }
| if (r3 == 0) {
0x00010744 ldrne r1, [pc, 0x1ac] | r1 = "%s: error!: bad count\n";
| }
0x00010748 bne 0x106dc |
| } while (r3 != 0);
0x0001074c cmn r0, 1 |
| if (r0 == 1) {
0x00010750 ldrne r3, [sp, 0x24] | r3 = var_24h;
| }
| if (r0 != 1) {
0x00010754 ldreq r3, [sp, 0x20] | r3 = var_20h;
| }
| if (r0 == 1) {
0x00010758 mulne r0, r3, r2 | r0 = r3 * r2;
| }
| if (r0 != 1) {
0x0001075c streq r3, [sp, 0x14] | var_14h = r3;
| }
0x00010760 strne r0, [sp, 0x14] | var_14h = r0;
| while (1) {
0x00010764 ldr r3, [sp, 0x10] | r3 = var_10h;
0x00010768 ldr r2, [sp, 0x14] | r2 = var_14h;
0x0001076c ldr r1, [sp, 0x20] | r1 = var_20h;
0x00010770 add r0, r3, r2 | r0 = r3 + r2;
0x00010774 cmp r0, r1 |
| if (r0 < r1) {
0x00010778 bls 0x107a4 | goto label_22;
| }
0x0001077c ldr r0, [pc, 0x144] |
0x00010780 str r1, [sp, 4] | var_4h = r1;
0x00010784 str r2, [sp] | *(sp) = r2;
0x00010788 ldr r1, [pc, 0x16c] | r1 = "%s: error!: bad count\n";
0x0001078c ldr r2, [pc, 0x128] | r2 = "2.1.0";
0x00010790 ldr r0, [r0] | r0 = "_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option";
| label_18:
0x00010794 bl 0x1048c | fprintf ("_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option", r1, r2)
0x00010798 b 0x10718 | goto label_5;
| label_21:
0x0001079c str r2, [sp, 0x14] | var_14h = r2;
0x000107a0 b 0x10764 |
| }
| label_22:
0x000107a4 ldr r5, [r6] | r5 = *(r6);
0x000107a8 cmp r5, 1 |
| if (r5 == 1) {
0x000107ac beq 0x10840 | goto label_23;
| }
| if (r5 > 1) {
0x000107b0 blo 0x107dc |
0x000107b4 cmp r5, 2 |
| if (r5 != 2) {
0x000107b8 ldreq r1, [pc, 0x140] | r1 = *(0x00010900);
| }
| if (r5 == 2) {
0x000107bc beq 0x107e0 | goto label_24;
| }
0x000107c0 ldr r0, [pc, 0x100] |
0x000107c4 mov r3, r5 | r3 = r5;
0x000107c8 ldr r2, [pc, 0xec] | r2 = "2.1.0";
0x000107cc ldr r1, [pc, 0x130] | r1 = *(0x10900);
0x000107d0 ldr r0, [r0] | r0 = "_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option";
0x000107d4 bl 0x1048c | fprintf ("_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option", r1, "2.1.0", r3)
0x000107d8 b 0x10718 | goto label_5;
| }
0x000107dc ldr r1, [pc, 0x124] | r1 = "_s:_error_:_unknown_request_type:__d";
| do {
| label_24:
0x000107e0 add r2, sp, 0x10 | r2 += var_10h;
0x000107e4 mov r0, r7 | r0 = r7;
0x000107e8 bl 0x10444 | r0 = ioctl (r0, r1);
0x000107ec cmp r0, 0 |
0x000107f0 str r0, [sp, 0xc] | var_ch = r0;
| if (r0 >= 0) {
0x000107f4 bge 0x10848 | goto label_25;
| }
0x000107f8 bl 0x104bc | errno_location ();
0x000107fc ldr r3, [pc, 0xa8] | r3 = *(0x108a8);
0x00010800 ldr r7, [pc, 0xc0] | r7 = "_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option";
0x00010804 add r5, r3, r5, lsl 2 | r5 = r3 + (r5 << 2);
0x00010808 ldr r3, [r4] | r3 = *(r4);
0x0001080c ldr r2, [pc, 0xa8] | r2 = "2.1.0";
0x00010810 ldr r1, [pc, 0xf4] | r1 = *(0x10908);
0x00010814 ldr r6, [r0] | r6 = *(r0);
0x00010818 str r3, [sp] | *(sp) = r3;
0x0001081c ldr r3, [r5, 0x68] | r3 = *((r5 + 0x68));
0x00010820 ldr r0, [r7] | r0 = "_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option";
0x00010824 bl 0x1048c | fprintf ("_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option", r1, "2.1.0", r3, r4, r5, r6)
0x00010828 mov r0, r6 | r0 = r6;
0x0001082c ldr r4, [r7] | r4 = "_s:_error_:_cannot_specify_more_than_one_lock_unlock_islocked_option";
0x00010830 bl 0x1045c | strerror (r0);
0x00010834 str r6, [sp] | *(sp) = r6;
0x00010838 str r0, [sp, 4] | var_4h = r0;
0x0001083c b 0x10664 | goto label_6;
| label_23:
0x00010840 ldr r1, [pc, 0xc8] | r1 = "_s:_error_:_could_not__s_device:__s";
0x00010844 b 0x107e0 |
| } while (1);
| label_25:
0x00010848 cmp r5, 2 |
| if (r5 == 2) {
0x0001084c bne 0x108a0 |
0x00010850 ldr r1, [r4] | r1 = *(r4);
0x00010854 ldr r0, [pc, 0xb8] | r0 = *(0x10910);
0x00010858 bl 0x10450 | printf (r0, r1)
0x0001085c ldr r1, [sp, 0x10] | r1 = var_10h;
0x00010860 ldr r0, [pc, 0xb0] | r0 = "Device:__s";
0x00010864 bl 0x10450 | printf ("Device:__s", r1)
0x00010868 ldr r1, [sp, 0x14] | r1 = var_14h;
0x0001086c ldr r0, [pc, 0xa8] | r0 = "Start:__0x";
0x00010870 bl 0x10450 | printf ("Start:__0x", r1)
0x00010874 ldr r1, [sp, 0xc] | r1 = var_ch;
0x00010878 ldr r2, [pc, 0xa0] | r2 = "Len: %#0x\n";
0x0001087c ldr r3, [pc, 0xa0] | r3 = "unlocked";
0x00010880 cmp r1, 0 |
| if (r1 != 0) {
0x00010884 moveq r1, r2 | r1 = r2;
| }
| if (r1 == 0) {
0x00010888 movne r1, r3 | r1 = r3;
| }
0x0001088c ldr r0, [pc, 0x94] | r0 = "locked";
0x00010890 bl 0x10450 | printf ("locked", r1, "Len: %#0x\n", "unlocked")
0x00010894 ldr r1, [sp, 0xc] | r1 = var_ch;
0x00010898 ldr r0, [pc, 0x8c] | r0 = "Lock_status:__s";
0x0001089c bl 0x10450 | printf ("Lock_status:__s", r1)
| }
0x000108a0 mov r0, 0 | r0 = 0;
0x000108a4 add sp, sp, 0x3c |
0x000108a8 pop {r4, r5, r6, r7, r8, sb, pc} |
| }
[*] Function printf used 14 times flash_unlock
