[*] Binary protection state of flash_erase
Partial RELRO | No Canary found | NX disabled | No PIE | No RPATH | No RUNPATH | No Symbols
[*] Function strcpy tear down of flash_erase
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/unblob_extracted/firmware_extract/56048-12514271.gzip_extract/gzip.uncompressed_extract/5243916-15068666.gzip_extract/gzip.uncompressed_extract/usr/sbin/flash_erase @ 0x14168 */
| #include <stdint.h>
|
| #define BIT_MASK(t,v) ((t)(-((v)!= 0)))&(((t)-1)>>((sizeof(t)*CHAR_BIT)-(v)))
|
; ---------------------------------------------------------------------------
; fcn.00014168(arg1, arg2): 32-bit ARM disassembly (left) with r2dec pseudo-code (right).
; What the listing shows: stat64() and open64() on the path in arg1 (kept in r6), a
; 0x100-byte memset() of the record at arg2 (kept in r4), two ioctl() calls on the
; opened descriptor, then the record is filled in. r5 is the return value: -1 via
; label_0 or a failed open64(), 0 after the final strcpy.
; NOTE(review): the "libmtd" literal and the overall shape suggest libmtd's
; legacy_get_dev_info() from mtd-utils -- confirm against the source for this firmware.
;
; Reading aids for triage:
;  * r2dec's string annotations look shifted against the literal pool (both ioctl()
;    request arguments are shown as message strings), so do not rely on them.
;  * `cmn r0, 1` tests r0 == -1; the pseudo-code prints these tests as `r0 == 1`.
;  * Several pseudo-code conditions on conditionally executed instructions are
;    inverted; the instruction suffix (ne/eq/ls) is authoritative.
;  * The report counts three strcpy uses for flash_erase; this function holds two
;    call sites, 0x14518 and 0x145e8.
; ---------------------------------------------------------------------------
; (fcn) fcn.00014168 () | void fcn_00014168 (char * arg1, int32_t arg2) {
| int32_t var_0h;
| int32_t var_4h;
| int32_t var_8h;
| int32_t var_8h_2;
| int32_t var_10h;
| int32_t var_10h_2;
| int32_t var_18h;
| int32_t var_1ch;
| int32_t var_20h;
| int32_t var_24h;
| int32_t var_28h;
| int32_t var_2ch;
| int32_t var_38h;
| int32_t var_48h;
| int32_t var_58h;
| int32_t var_58h_2;
| int32_t var_a0h;
| char * src;
| int32_t var_144h;
| r0 = arg1;
| r1 = arg2;
0x00014168 push {r4, r5, r6, r7, r8, sb, lr} |
; 0x144 bytes of locals; the listing shows no stack-protector prologue or epilogue,
; which agrees with the "No Canary found" line of the report.
0x0001416c sub sp, sp, 0x144 |
0x00014170 mov r2, 0 | r2 = 0;
0x00014174 mov r3, 0 | r3 = 0;
0x00014178 mov r4, r1 | r4 = r1;
0x0001417c add r1, sp, 0x38 | r1 += var_38h;
0x00014180 mov r6, r0 | r6 = r0;
; 64-bit zero stored at sp+0x10; its address is passed to the second ioctl() at 0x14394.
0x00014184 strd r2, r3, [sp, 0x10] | __asm ("strd r2, r3, [var_10h]");
; stat64(arg1, sp+0x38): r0 still holds arg1, r1 points at the local stat buffer.
0x00014188 bl 0x10a18 | r0 = stat64 ();
0x0001418c cmp r0, 0 |
| if (r0 != 0) {
0x00014190 beq 0x141f8 |
; stat64() failure path: it prints diagnostics and then joins label_5 below; there is
; no return on this path.
0x00014194 bl 0x10b5c | errno_location ();
0x00014198 ldr r8, [pc, 0x450] |
0x0001419c mov r3, r6 | r3 = r6;
0x000141a0 ldr r2, [pc, 0x44c] | r2 = stderr;
0x000141a4 ldr r1, [pc, 0x44c] | r1 = "libmtd";
0x000141a8 ldr r7, [r0] | r7 = *(r0);
0x000141ac mov r5, r0 | r5 = r0;
0x000141b0 ldr r0, [r8] | r0 = *(0x145ec);
0x000141b4 bl 0x10aa8 | fprintf (r0, "libmtd", r2, r3, r4, r5);
0x000141b8 mov r0, r7 | r0 = r7;
0x000141bc ldr r8, [r8] | r8 = *(0x145ec);
0x000141c0 bl 0x10a0c | strerror (r0);
0x000141c4 ldr r3, [pc, 0x430] | r3 = "%s: error!: cannot open \"%s\"\n";
0x000141c8 str r7, [sp] | *(sp) = r7;
0x000141cc mov r2, 8 | r2 = 8;
0x000141d0 ldr r1, [pc, 0x428] | r1 = *(0x145fc);
0x000141d4 str r0, [sp, 4] | var_4h = r0;
0x000141d8 mov r0, r8 | r0 = r8;
0x000141dc bl 0x10aa8 | fprintf (r0, r1, r2, "%s: error!: cannot open \"%s\"\n");
; r5 is the errno location here; 2 is ENOENT on Linux.
0x000141e0 ldr r3, [r5] | r3 = *(r5);
0x000141e4 cmp r3, 2 |
| if (r3 != 2) {
0x000141e8 bne 0x141f8 | goto label_5;
| }
0x000141ec ldr r1, [pc, 0x400] | r1 = stderr;
0x000141f0 ldr r0, [pc, 0x40c] | r0 = "%*serror %d (%s)\n";
0x000141f4 bl 0x10a00 | printf ("%*serror %d (%s)\n", r1);
| }
| label_5:
; NOTE(review): this test also runs after a failed stat64(); the word at sp+0x48 is
; then presumably whatever was on the stack (assumes stat64() leaves the buffer
; untouched on failure -- confirm). 0xf000/0x2000 match S_IFMT/S_IFCHR, i.e. an
; "is character device" test, assuming sp+0x48 is st_mode of the buffer at sp+0x38.
0x000141f8 ldr r3, [sp, 0x48] | r3 = var_48h;
0x000141fc and r3, r3, 0xf000 | r3 &= 0xf000;
0x00014200 cmp r3, 0x2000 |
| if (r3 == 0x2000) {
0x00014204 beq 0x14234 | goto label_6;
| }
0x00014208 bl 0x10b5c | errno_location ();
; errno = 0x16 (EINVAL on Linux).
0x0001420c mov r3, 0x16 | r3 = 0x16;
0x00014210 ldr r2, [pc, 0x3dc] | r2 = stderr;
0x00014214 ldr r1, [pc, 0x3ec] | r1 = "%s: MTD subsystem is old and does not support sysfs, so MTD character device nodes have to exist\n";
0x00014218 str r3, [r0] | *(r0) = r3;
0x0001421c ldr r0, [pc, 0x3cc] |
0x00014220 mov r3, r6 | r3 = r6;
0x00014224 ldr r0, [r0] | r0 = *(0x145ec);
0x00014228 bl 0x10aa8 | fprintf (r0, "%s: MTD subsystem is old and does not support sysfs, so MTD character device nodes have to exist\n", r2, r3);
| do {
| label_0:
; Common failure exit: return value becomes -1.
0x0001422c mvn r5, 0 | r5 = ~0;
0x00014230 b 0x14318 | goto label_4;
| label_6:
; Zero the 0x100-byte record at arg2. All fixed-offset stores below (0x0 .. 0xfc) stay
; inside that range; the two strcpy() calls are the only length-dependent writes.
0x00014234 mov r2, 0x100 | r2 = 0x100;
0x00014238 mov r1, 0 | r1 = 0;
0x0001423c mov r0, r4 | r0 = r4;
0x00014240 bl 0x10b14 | memset (r0, r1, r2);
; r8:sb = 64-bit value at sp+0x58, passed to both gnu_dev_major() and gnu_dev_minor().
0x00014244 ldrd r8, sb, [sp, 0x58] | __asm ("ldrd r8, sb, [var_58h]");
0x00014248 mov r1, sb | r1 = sb;
0x0001424c mov r0, r8 | r0 = r8;
0x00014250 bl 0x10a3c | gnu_dev_major ();
0x00014254 mov r1, sb | r1 = sb;
0x00014258 mov r5, r0 | r5 = r0;
0x0001425c str r0, [r4, 4] | *((r4 + 4)) = r0;
0x00014260 mov r0, r8 | r0 = r8;
0x00014264 bl 0x10a78 | gnu_dev_minor ();
; The major number must equal 0x5a (90); the same constant is passed to the error
; fprintf() below, which fits the "MTD devices have major %d" text seen in this listing.
0x00014268 cmp r5, 0x5a |
0x0001426c str r0, [r4, 8] | *((r4 + 8)) = r0;
| if (r5 == 0x5a) {
0x00014270 beq 0x142ac | goto label_7;
| }
0x00014274 bl 0x10b5c | errno_location ();
0x00014278 mov r3, 0x16 | r3 = 0x16;
0x0001427c ldr r2, [pc, 0x370] | r2 = stderr;
0x00014280 ldr r1, [pc, 0x384] | r1 = "_s:_error_:___s__is_not_a_character_device";
0x00014284 str r3, [r0] | *(r0) = r3;
0x00014288 mov r3, 0x5a | r3 = 0x5a;
0x0001428c str r3, [sp, 4] | var_4h = r3;
0x00014290 ldr r0, [pc, 0x358] |
0x00014294 ldr r3, [r4, 4] | r3 = *((r4 + 4));
0x00014298 str r3, [sp] | *(sp) = r3;
0x0001429c mov r3, r6 | r3 = r6;
0x000142a0 ldr r0, [r0] | r0 = *(0x145ec);
0x000142a4 bl 0x10aa8 | fprintf (r0, "_s:_error_:___s__is_not_a_character_device", r2, r3);
0x000142a8 b 0x1422c |
| } while (1);
| label_7:
; Signed divide of the minor number by two (sign bit added before the arithmetic
; shift); the result is stored at offset 0 of the record.
0x000142ac add r0, r0, r0, lsr 31 | r0 += (r0 >> 31);
0x000142b0 asr r0, r0, 1 | r0 >>= 1;
0x000142b4 str r0, [r4] | *(r4) = r0;
; open64(arg1, 0): flags value 0.
0x000142b8 mov r1, 0 | r1 = 0;
0x000142bc mov r0, r6 | r0 = r6;
0x000142c0 bl 0x10b20 | r0 = open64 ();
; cmn r0, 1 sets Z when r0 == -1: the block below is the open64() failure path, so
; read the pseudo-code test as `r0 == -1`. r5 keeps the descriptor (or -1).
0x000142c4 cmn r0, 1 |
0x000142c8 mov r5, r0 | r5 = r0;
| if (r0 == 1) {
0x000142cc bne 0x14324 |
0x000142d0 bl 0x10b5c | errno_location ();
0x000142d4 ldr r7, [pc, 0x314] | r7 = *(0x145ec);
0x000142d8 mov r3, r6 | r3 = r6;
0x000142dc ldr r2, [pc, 0x310] | r2 = stderr;
0x000142e0 ldr r1, [pc, 0x310] | r1 = "libmtd";
0x000142e4 ldr r4, [r0] | r4 = *(r0);
0x000142e8 ldr r0, [r7] | r0 = *(0x145ec);
0x000142ec bl 0x10aa8 | fprintf (r0, "libmtd", r2, r3, r4);
0x000142f0 mov r0, r4 | r0 = r4;
0x000142f4 ldr r6, [r7] | r6 = *(0x145ec);
0x000142f8 bl 0x10a0c | strerror (r0);
0x000142fc str r4, [sp] | *(sp) = r4;
0x00014300 ldr r3, [pc, 0x2f4] | r3 = "%s: error!: cannot open \"%s\"\n";
0x00014304 mov r2, 8 | r2 = 8;
0x00014308 ldr r1, [pc, 0x2f0] | r1 = *(0x145fc);
0x0001430c str r0, [sp, 4] | var_4h = r0;
0x00014310 mov r0, r6 | r0 = r6;
0x00014314 bl 0x10aa8 | fprintf (r0, r1, r2, "%s: error!: cannot open \"%s\"\n", r4);
| label_4:
; Single function epilogue: return r5.
0x00014318 mov r0, r5 | r0 = r5;
0x0001431c add sp, sp, 0x144 |
0x00014320 pop {r4, r5, r6, r7, r8, sb, pc} |
| }
; First ioctl(fd, request, sp+0x18): r0 is still the descriptor from open64().
; NOTE(review): r1 is a literal-pool word used as the ioctl request code; the message
; string shown for it is a mis-resolved annotation, not the real argument.
0x00014324 add r2, sp, 0x18 | r2 += var_18h;
0x00014328 ldr r1, [pc, 0x2e0] | r1 = "%s: error!: \"%s\" has major number %d, MTD devices have major %d\n";
0x0001432c bl 0x109f4 | r0 = ioctl (r0, "%s: error!: \"%s\" has major number %d, MTD devices have major %d\n");
; subs/beq: label_8 is taken when ioctl() returned 0 (r8 is then 0 as well).
0x00014330 subs r8, r0, 0 | r8 = r0 - 0;
| if (r8 == r0) {
0x00014334 beq 0x14388 | goto label_8;
| }
0x00014338 bl 0x10b5c | errno_location ();
0x0001433c ldr r6, [pc, 0x2ac] |
0x00014340 ldr r2, [pc, 0x2ac] | r2 = stderr;
0x00014344 ldr r1, [pc, 0x2c8] | r1 = *(0x14610);
0x00014348 ldr r4, [r0] | r4 = *(r0);
0x0001434c ldr r0, [r6] | r0 = *(0x145ec);
0x00014350 bl 0x10aa8 | fprintf (r0, r1, r2, r3, r4, r5, r6);
0x00014354 mov r0, r4 | r0 = r4;
0x00014358 ldr r6, [r6] | r6 = *(0x145ec);
0x0001435c bl 0x10a0c | strerror (r0);
0x00014360 ldr r3, [pc, 0x294] | r3 = "%s: error!: cannot open \"%s\"\n";
0x00014364 ldr r1, [pc, 0x294] | r1 = *(0x145fc);
0x00014368 mov r2, 8 | r2 = 8;
0x0001436c str r4, [sp] | *(sp) = r4;
0x00014370 str r0, [sp, 4] | var_4h = r0;
0x00014374 mov r0, r6 | r0 = r6;
| do {
| label_1:
0x00014378 bl 0x10aa8 | fprintf (r0, r1, r2, "%s: error!: cannot open \"%s\"\n", r4);
| label_2:
; Error exit used once the descriptor is open: close(fd), then return -1 via label_0.
0x0001437c mov r0, r5 | r0 = r5;
0x00014380 bl 0x10ba4 | close (r0);
0x00014384 b 0x1422c | goto label_0;
| label_8:
; Second ioctl(fd, request, sp+0x10); as above, the string shown for r1 is a
; mis-resolved annotation of the request code.
0x00014388 add r2, sp, 0x10 | r2 += var_10h;
0x0001438c ldr r1, [pc, 0x284] | r1 = "_s:_error_:_MEMGETINFO_ioctl_request_failed";
0x00014390 mov r0, r5 | r0 = r5;
0x00014394 bl 0x109f4 | r0 = ioctl (r0, "_s:_error_:_MEMGETINFO_ioctl_request_failed");
; cmn r0, 1: the ne-suffixed instructions run when ioctl() did NOT return -1 and set
; bit 1 of the flag byte at record offset 0xfc.
0x00014398 cmn r0, 1 |
| if (r0 == 1) {
0x0001439c ldrbne r3, [r4, 0xfc] | r3 = *((r4 + 0xfc));
| }
| if (r0 == 1) {
0x000143a0 orrne r3, r3, 2 | r3 |= 2;
| }
| if (r0 != 1) {
0x000143a4 bne 0x14400 | goto label_9;
| }
0x000143a8 bl 0x10b5c | r0 = errno_location ();
; ioctl() returned -1. The eq-suffixed instructions run when errno == 0x5f
; (EOPNOTSUPP on Linux): errno is reset to r8 (0 on this path) and bit 1 of the flag
; byte is cleared. Any other errno is reported and ends in label_1/label_2.
0x000143ac ldr r7, [r0] | r7 = *(r0);
0x000143b0 cmp r7, 0x5f |
| if (r7 != 0x5f) {
0x000143b4 streq r8, [r0] | *(r0) = r8;
| }
| if (r7 != 0x5f) {
0x000143b8 ldrbeq r3, [r4, 0xfc] | r3 = *((r4 + 0xfc));
| }
0x000143bc biceq r3, r3, 2 | __asm ("biceq r3, r3, 2");
| if (r7 == 0x5f) {
0x000143c0 beq 0x14400 | goto label_9;
| }
0x000143c4 ldr r4, [pc, 0x224] |
0x000143c8 ldr r2, [pc, 0x224] | r2 = stderr;
0x000143cc ldr r1, [pc, 0x248] | r1 = *(0x14618);
0x000143d0 ldr r0, [r4] | r0 = *(0x145ec);
0x000143d4 bl 0x10aa8 | fprintf (r0, r1, r2, r3, r4);
0x000143d8 mov r0, r7 | r0 = r7;
0x000143dc ldr r4, [r4] | r4 = *(0x145ec);
0x000143e0 bl 0x10a0c | strerror (r0);
0x000143e4 str r7, [sp] | *(sp) = r7;
0x000143e8 ldr r3, [pc, 0x20c] | r3 = "%s: error!: cannot open \"%s\"\n";
0x000143ec mov r2, 8 | r2 = 8;
0x000143f0 ldr r1, [pc, 0x208] | r1 = *(0x145fc);
0x000143f4 str r0, [sp, 4] | var_4h = r0;
0x000143f8 mov r0, r4 | r0 = r4;
0x000143fc b 0x14378 |
| } while (1);
| label_9:
; Copy fields of the first ioctl() output buffer (sp+0x18 .. sp+0x2c) into the record:
; byte at sp+0x18 -> 0xc, sp+0x20 (zero-extended to 64 bits) -> 0xd8, sp+0x24 -> 0xe4,
; sp+0x28 -> 0xe8, sp+0x2c -> 0xf0. These values come from the device driver and are
; sanity-checked below before use.
0x00014400 strb r3, [r4, 0xfc] | *((r4 + 0xfc)) = r3;
0x00014404 ldr r3, [sp, 0x28] | r3 = var_28h;
0x00014408 ldrb r7, [sp, 0x18] | r7 = var_18h;
0x0001440c ldr r0, [sp, 0x20] | r0 = var_20h;
0x00014410 ldr r2, [sp, 0x24] | r2 = var_24h;
0x00014414 ldr ip, [sp, 0x2c] | ip = var_2ch;
0x00014418 mov r1, 0 | r1 = 0;
0x0001441c cmp r3, 0 |
0x00014420 str r7, [r4, 0xc] | *((r4 + 0xc)) = r7;
0x00014424 strd r0, r1, [r4, 0xd8] | __asm ("strd r0, r1, [r4, 0xd8]");
0x00014428 str r2, [r4, 0xe4] | *((r4 + 0xe4)) = r2;
0x0001442c str r3, [r4, 0xe8] | *((r4 + 0xe8)) = r3;
0x00014430 str ip, [r4, 0xf0] | *((r4 + 0xf0)) = ip;
| if (r3 > 0) {
0x00014434 bgt 0x14458 | goto label_10;
| }
0x00014438 str r3, [sp, 4] | var_4h = r3;
0x0001443c str r6, [sp] | *(sp) = r6;
0x00014440 ldr r2, [pc, 0x1ac] | r2 = stderr;
0x00014444 ldr r3, [r4] | r3 = *(r4);
0x00014448 ldr r1, [pc, 0x1d0] | r1 = "%s: error!: MEMGETBADBLOCK ioctl failed\n";
| do {
0x0001444c ldr r0, [pc, 0x19c] |
0x00014450 ldr r0, [r0] | r0 = *(0x145ec);
0x00014454 b 0x14378 | goto label_1;
| label_10:
; cmp + cmpge + bgt: label_11 is reached only when r2 >= r3 and r2 > 0 (signed);
; the pseudo-code condition shows only part of this.
0x00014458 cmp r2, r3 |
0x0001445c cmpge r2, 0 | __asm ("cmpge r2, 0");
| if (r2 > r3) {
0x00014460 bgt 0x1447c | goto label_11;
| }
0x00014464 str r2, [sp, 4] | var_4h = r2;
0x00014468 str r6, [sp] | *(sp) = r6;
0x0001446c ldr r2, [pc, 0x180] | r2 = stderr;
0x00014470 ldr r3, [r4] | r3 = *(r4);
0x00014474 ldr r1, [pc, 0x1a8] | r1 = "_s:_error_:_mtd_d___s__has_insane_min._I_O_unit_size__d";
0x00014478 b 0x1444c |
| } while (1);
| label_11:
; 64-bit check on r1:r0: zero is rejected, otherwise cmp/sbcs performs a signed 64-bit
; compare against r2 sign-extended into r3; label_12 is reached when r1:r0 >= r2.
0x0001447c orrs r3, r0, r1 | r3 = r0 | r1;
| if (r3 != r0) {
0x00014480 beq 0x14494 |
0x00014484 asr r3, r2, 0x1f | r3 = r2 >> 0x1f;
0x00014488 cmp r0, r2 |
0x0001448c sbcs ip, r1, r3 | __asm ("sbcs ip, r1, r3");
| if (r0 >= r2) {
0x00014490 bge 0x144b8 | goto label_12;
| }
| }
0x00014494 strd r0, r1, [sp, 8] | __asm ("strd r0, r1, [var_8h]");
0x00014498 ldr r0, [pc, 0x150] |
0x0001449c str r6, [sp] | *(sp) = r6;
0x000144a0 ldr r2, [pc, 0x14c] | r2 = stderr;
0x000144a4 ldr r3, [r4] | r3 = *(r4);
0x000144a8 ldr r1, [pc, 0x178] | r1 = "%s: error!: mtd%d (%s) has insane eraseblock size %d\n";
0x000144ac ldr r0, [r0] | r0 = *(0x145ec);
0x000144b0 bl 0x10aa8 | fprintf (r0, "%s: error!: mtd%d (%s) has insane eraseblock size %d\n", r2, r3, r4, r5, r6);
0x000144b4 b 0x1437c | goto label_2;
| label_12:
; Called with r1:r0 and r3:r2 as set up above; the result is stored at offset 0xe0.
; NOTE(review): presumably a 64-bit division helper -- confirm.
0x000144b8 bl 0x1484c | fcn_0001484c (r0, r1);
0x000144bc str r0, [r4, 0xe0] | *((r4 + 0xe0)) = r0;
; Switch on the type byte read from sp+0x18: `ldrls` dispatches only when r7 <= 8
; (unsigned), so the pseudo-code's `r7 > 8` is inverted. Values above 8 fall through to
; label_2 (close, return -1). The 9-entry jump table at 0x144cc-0x144ef is data and is
; not part of this listing, so the case-to-target mapping cannot be read from here.
0x000144c0 cmp r7, 8 |
| if (r7 > 8) {
| /* switch table (9 cases) at 0x144cc */
0x000144c4 ldrls pc, [pc, r7, lsl 2] | offset_0 = r7 << 2;
| pc = *((pc + offset_0));
| }
0x000144c8 b 0x1437c | goto label_2;
0x000144f0 ldr r0, [pc, 0xf8] |
0x000144f4 str r6, [sp] | *(sp) = r6;
0x000144f8 ldr r2, [pc, 0xf4] | r2 = stderr;
0x000144fc ldr r3, [r4] | r3 = *(r4);
0x00014500 ldr r1, [pc, 0x124] | r1 = "%s: error!: mtd%d (%s) has insane size %lld\n";
0x00014504 ldr r0, [r0] | r0 = *(0x145ec);
0x00014508 bl 0x10aa8 | fprintf (r0, "%s: error!: mtd%d (%s) has insane size %lld\n", r2, r3, r4, r5, r6);
0x0001450c b 0x1437c | goto label_2;
0x00014510 ldr r1, [pc, 0x118] | r1 = "_s:_error_:_mtd_d___s__is_removable_and_is_not_present";
| label_3:
; strcpy call site 1 (0x14518): dest = arg2 + 0x10, src = r1.
; Every visible path into label_3 (0x14510 and 0x145a0-0x145c8) loads r1 with
; `ldr r1, [pc, ...]`, i.e. a constant pointer from the literal pool, so the source is
; a fixed string in the binary rather than run-time input. The string annotated on the
; strcpy line is likely mis-resolved; the short names shown at 0x145a8-0x145c8 look
; like the real candidates.
; NOTE(review): the destination has at most 0x41 bytes before the next field written
; at offset 0x51 -- confirm that every candidate constant fits.
0x00014514 add r0, r4, 0x10 | r0 = r4 + 0x10;
0x00014518 bl 0x109e8 | strcpy (r0, "_s:_error_:_mtd_d___s__is_removable_and_is_not_present")
; tst/ne: bit 0 of the flag byte at 0xfc is set when bit 0x400 of the word at sp+0x1c
; IS set; the pseudo-code's `== 0` is inverted.
0x0001451c ldr r3, [sp, 0x1c] | r3 = var_1ch;
0x00014520 mov r0, r5 | r0 = r5;
0x00014524 tst r3, 0x400 |
| if ((r3 & 0x400) == 0) {
0x00014528 ldrbne r3, [r4, 0xfc] | r3 = *((r4 + 0xfc));
| }
| if ((r3 & 0x400) == 0) {
0x0001452c orrne r3, r3, 1 | r3 |= 1;
| }
| if ((r3 & 0x400) == 0) {
0x00014530 strbne r3, [r4, 0xfc] | *((r4 + 0xfc)) = r3;
| }
0x00014534 ldr r3, [r4, 0xe8] | r3 = *((r4 + 0xe8));
0x00014538 str r3, [r4, 0xec] | *((r4 + 0xec)) = r3;
; The descriptor is closed here on the success path, before the lookup loop below.
0x0001453c bl 0x10ba4 | close (r0);
0x00014540 mov r0, r6 | r0 = r6;
0x00014544 bl 0x13f9c | r0 = fcn_00013f9c (r0);
; bic r0, r0, r0 asr 31 clamps a negative result to 0; the BIT_MASK rendering in the
; pseudo-code does not describe that.
0x00014548 bic r0, r0, r0, asr 31 | r0 = BIT_MASK (r0, r0);
0x0001454c str r0, [r4, 0xf4] | *((r4 + 0xf4)) = r0;
; fcn_00013cc0(sp+0xa0) prepares the local record at sp+0xa0; a non-zero return ends
; the function with -1. On fall-through r5 is 0 and becomes the success return value.
0x00014550 add r0, sp, 0xa0 | r0 += var_a0h;
0x00014554 bl 0x13cc0 | fcn_00013cc0 (r0);
0x00014558 subs r5, r0, 0 | r5 -= var_a0h;
| if (r5 != var_a0h) {
0x0001455c bne 0x1422c | goto label_0;
| }
| do {
; Lookup loop: fcn_00013b5c(sp+0xa0) is called until it returns 0 (not-found path
; below, errno = 2, return -1) or the word at sp+0xa0 equals the number stored at
; record offset 0.
0x00014560 add r0, sp, 0xa0 | r0 += var_a0h;
0x00014564 bl 0x13b5c | r0 = fcn_00013b5c (r0);
0x00014568 cmp r0, 0 |
| if (r0 == 0) {
0x0001456c bne 0x145d0 |
0x00014570 ldr r3, [pc, 0xbc] | r3 = *(0x14630);
0x00014574 ldr r0, [pc, 0x74] |
0x00014578 str r3, [sp] | *(sp) = r3;
0x0001457c ldr r2, [pc, 0x70] | r2 = stderr;
0x00014580 ldr r3, [r4] | r3 = *(r4);
0x00014584 ldr r1, [pc, 0xac] | r1 = "_proc_mtd";
0x00014588 ldr r0, [r0] | r0 = *(0x145ec);
0x0001458c bl 0x10aa8 | r0 = fprintf (r0, "_proc_mtd", r2, r3);
0x00014590 bl 0x10b5c | errno_location ();
0x00014594 mov r3, 2 | r3 = 2;
0x00014598 str r3, [r0] | *(r0) = r3;
0x0001459c b 0x1422c | goto label_0;
; The `ldr r1 / b label_3` pairs below are not reachable by fall-through; they are
; presumably jump-table targets of the switch at 0x144c4, each selecting one constant
; source string for strcpy call site 1.
0x000145a0 ldr r1, [pc, 0x94] | r1 = "_s:_error_:_mtd_d_not_found_in___s_";
0x000145a4 b 0x14514 | goto label_3;
0x000145a8 ldr r1, [pc, 0x90] | r1 = "rom";
0x000145ac b 0x14514 | goto label_3;
0x000145b0 ldr r1, [pc, 0x8c] | r1 = "nor";
0x000145b4 b 0x14514 | goto label_3;
0x000145b8 ldr r1, [pc, 0x88] | r1 = *(0x14644);
0x000145bc b 0x14514 | goto label_3;
0x000145c0 ldr r1, [pc, 0x84] | r1 = "mlc-nand";
0x000145c4 b 0x14514 | goto label_3;
0x000145c8 ldr r1, [pc, 0x80] | r1 = "dataflash";
0x000145cc b 0x14514 | goto label_3;
| }
0x000145d0 ldr r3, [r4] | r3 = *(r4);
0x000145d4 ldr r2, [sp, 0xa0] | r2 = var_a0h;
0x000145d8 cmp r2, r3 |
0x000145dc bne 0x14560 |
| } while (r2 != r3);
; strcpy call site 2 (0x145e8): dest = arg2 + 0x51, src = sp + 0xb0.
; The source is a buffer in this function's frame, 0x10 bytes into the record at
; sp+0xa0 that fcn_00013b5c() filled in, so this is the only strcpy here whose length
; is decided at run time. The destination has at most 0x87 bytes before the 64-bit
; field already stored at offset 0xd8 (0x14424), while the source area can hold up to
; 0x94 bytes before the end of the 0x144-byte locals; an over-long string would
; overwrite the fields from 0xd8 onward and could run past the 0x100-byte record in
; caller-owned memory.
; NOTE(review): safety depends on fcn_00013b5c() bounding and NUL-terminating that
; string, which this listing does not show -- confirm there. The "_proc_mtd" literal
; suggests the string is parsed from /proc/mtd. A length-bounded copy with explicit
; termination would remove the dependency on the helper; that matters more for this
; binary because the report lists no canary, NX disabled and no PIE.
0x000145e0 add r1, sp, 0xb0 | r1 += src;
0x000145e4 add r0, r4, 0x51 | r0 = r4 + 0x51;
0x000145e8 bl 0x109e8 | strcpy (r0, r1)
; Success: r5 is still 0 from 0x14558 and is returned through label_4.
0x000145ec b 0x14318 | goto label_4;
| }
[*] Function strcpy used 3 times in flash_erase