[*] Binary protection state of mtdinfo
Partial RELRO | No Canary found | NX disabled | No PIE | No RPATH | No RUNPATH | No Symbols
[*] Function strcpy tear down of mtdinfo
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/unblob_extracted/firmware_extract/56048-12514271.gzip_extract/gzip.uncompressed_extract/5243916-15068666.gzip_extract/gzip.uncompressed_extract/usr/sbin/mtdinfo @ 0x15588 */
| #include <stdint.h>
|
| #define BIT_MASK(t,v) ((t)(-((v)!= 0)))&(((t)-1)>>((sizeof(t)*CHAR_BIT)-(v)))
|
; ---------------------------------------------------------------------------
; fcn.00015588(arg1 = r0, arg2 = r1) -- 32-bit ARM (A32), 0x144-byte frame.
;   r6 = arg1: path string handed to stat64() and open64().
;   r4 = arg2: caller-owned record; its first 0x100 bytes are zeroed by
;        memset() and fields at offsets 0x00..0xfc are then filled in.
;   r5 = file descriptor after open64(); also carries the return value.
; Returns 0 in r0 on the success path and -1 on the error paths.
; The "libmtd" tag and the MEMGETINFO / MEMGETBADBLOCK messages suggest a
; libmtd legacy device-info routine -- presumably; there are no symbols to
; confirm it.
;
; NOTE(review): how to read the right-hand (r2dec) column
;   * ARM reads pc as "instruction address + 8", so `ldr r8, [pc, 0x450]` at
;     0x155b8 addresses 0x15a10. The annotation names 0x15a0c, which is the
;     final `b` instruction of this function. The same 4-byte offset shows on
;     the other literal loads, so the string annotations appear shifted by
;     one literal-pool slot (e.g. an ioctl request shown as a format string).
;   * `cmn rX, 1` tests rX == -1; the pseudo-code renders it as "== 1".
;   * Several conditionally executed instructions (ldrbne, streq, ldrls, ...)
;     are shown under an inverted or unrelated `if`. Trust the mnemonics.
;
; The protection summary at the top of this report lists no stack canary and
; NX disabled, so the bounds of the two strcpy calls in this function
; (0x15938 and 0x15a08, see the notes at each site) are worth confirming.
; ---------------------------------------------------------------------------
; (fcn) fcn.00015588 () | void fcn_00015588 (char * arg1, int32_t arg2) {
| int32_t var_0h;
| int32_t var_4h;
| int32_t var_8h;
| int32_t var_8h_2;
| int32_t var_10h;
| int32_t var_10h_2;
| int32_t var_18h;
| int32_t var_1ch;
| int32_t var_20h;
| int32_t var_24h;
| int32_t var_28h;
| int32_t var_2ch;
| int32_t var_38h;
| int32_t var_48h;
| int32_t var_58h;
| int32_t var_58h_2;
| int32_t var_a0h;
| char * src;
| int32_t var_144h;
| r0 = arg1;
| r1 = arg2;
0x00015588 push {r4, r5, r6, r7, r8, sb, lr} |
0x0001558c sub sp, sp, 0x144 |
0x00015590 mov r2, 0 | r2 = 0;
0x00015594 mov r3, 0 | r3 = 0;
0x00015598 mov r4, r1 | r4 = r1;
; r1 = sp+0x38 is the output buffer for stat64(); r0 still holds the path.
0x0001559c add r1, sp, 0x38 | r1 += var_38h;
0x000155a0 mov r6, r0 | r6 = r0;
; Zero the 64-bit local at sp+0x10; it is passed to the second ioctl below.
0x000155a4 strd r2, r3, [sp, 0x10] | __asm ("strd r2, r3, [var_10h]");
0x000155a8 bl 0x10a38 | r0 = stat64 ();
0x000155ac cmp r0, 0 |
| if (r0 != 0) {
0x000155b0 beq 0x15618 |
; stat64() failed: save errno (r7), print diagnostics, one more line if errno == 2.
0x000155b4 bl 0x10b88 | errno_location ();
0x000155b8 ldr r8, [pc, 0x450] |
0x000155bc mov r3, r6 | r3 = r6;
0x000155c0 ldr r2, [pc, 0x44c] | r2 = stderr;
0x000155c4 ldr r1, [pc, 0x44c] | r1 = "libmtd";
0x000155c8 ldr r7, [r0] | r7 = *(r0);
0x000155cc mov r5, r0 | r5 = r0;
0x000155d0 ldr r0, [r8] | r0 = *(0x15a0c);
0x000155d4 bl 0x10abc | fprintf (r0, "libmtd", r2, r3, r4, r5);
0x000155d8 mov r0, r7 | r0 = r7;
0x000155dc ldr r8, [r8] | r8 = *(0x15a0c);
0x000155e0 bl 0x10a2c | strerror (r0);
0x000155e4 ldr r3, [pc, 0x430] | r3 = "%s: error!: cannot open \"%s\"\n";
0x000155e8 str r7, [sp] | *(sp) = r7;
0x000155ec mov r2, 8 | r2 = 8;
0x000155f0 ldr r1, [pc, 0x428] | r1 = *(0x15a1c);
0x000155f4 str r0, [sp, 4] | var_4h = r0;
0x000155f8 mov r0, r8 | r0 = r8;
0x000155fc bl 0x10abc | fprintf (r0, r1, r2, "%s: error!: cannot open \"%s\"\n");
0x00015600 ldr r3, [r5] | r3 = *(r5);
0x00015604 cmp r3, 2 |
| if (r3 != 2) {
0x00015608 bne 0x15618 | goto label_5;
| }
0x0001560c ldr r1, [pc, 0x400] | r1 = stderr;
0x00015610 ldr r0, [pc, 0x40c] | r0 = "%*serror %d (%s)\n";
0x00015614 bl 0x10a20 | printf ("%*serror %d (%s)\n", r1);
| }
; NOTE(review): the stat64() failure path above only prints and then falls
; through to 0x15618, so the mode word at sp+0x48 is tested even though the
; stat buffer was presumably never filled in. The outcome of the next check
; then depends on stale stack contents; returning right after the
; diagnostics would close that gap.
| label_5:
0x00015618 ldr r3, [sp, 0x48] | r3 = var_48h;
; (mode & 0xf000) == 0x2000 is the character-device (S_IFCHR) test.
0x0001561c and r3, r3, 0xf000 | r3 &= 0xf000;
0x00015620 cmp r3, 0x2000 |
| if (r3 == 0x2000) {
0x00015624 beq 0x15654 | goto label_6;
| }
; Not a character device: errno = 0x16 (EINVAL on Linux), print, fail.
0x00015628 bl 0x10b88 | errno_location ();
0x0001562c mov r3, 0x16 | r3 = 0x16;
0x00015630 ldr r2, [pc, 0x3dc] | r2 = stderr;
0x00015634 ldr r1, [pc, 0x3ec] | r1 = "%s: MTD subsystem is old and does not support sysfs, so MTD character device nodes have to exist\n";
0x00015638 str r3, [r0] | *(r0) = r3;
0x0001563c ldr r0, [pc, 0x3cc] |
0x00015640 mov r3, r6 | r3 = r6;
0x00015644 ldr r0, [r0] | r0 = *(0x15a0c);
0x00015648 bl 0x10abc | fprintf (r0, "%s: MTD subsystem is old and does not support sysfs, so MTD character device nodes have to exist\n", r2, r3);
| do {
; label_0: shared failure exit, return value becomes -1.
| label_0:
0x0001564c mvn r5, 0 | r5 = ~0;
0x00015650 b 0x15738 | goto label_4;
; label_6: zero 0x100 bytes of the caller's record (the callee assumes the
; record is at least that large).
| label_6:
0x00015654 mov r2, 0x100 | r2 = 0x100;
0x00015658 mov r1, 0 | r1 = 0;
0x0001565c mov r0, r4 | r0 = r4;
0x00015660 bl 0x10b34 | memset (r0, r1, r2);
; 64-bit value at sp+0x58 (stat buffer + 0x20, presumably st_rdev) is split
; into major -> [r4+4] and minor -> [r4+8].
0x00015664 ldrd r8, sb, [sp, 0x58] | __asm ("ldrd r8, sb, [var_58h]");
0x00015668 mov r1, sb | r1 = sb;
0x0001566c mov r0, r8 | r0 = r8;
0x00015670 bl 0x10a5c | gnu_dev_major ();
0x00015674 mov r1, sb | r1 = sb;
0x00015678 mov r5, r0 | r5 = r0;
0x0001567c str r0, [r4, 4] | *((r4 + 4)) = r0;
0x00015680 mov r0, r8 | r0 = r8;
0x00015684 bl 0x10a8c | gnu_dev_minor ();
; The major number must equal 0x5a (90); anything else sets errno = 0x16 and
; fails. The 0x5a passed as a vararg at 0x156a8 fits the "MTD devices have
; major %d" message.
0x00015688 cmp r5, 0x5a |
0x0001568c str r0, [r4, 8] | *((r4 + 8)) = r0;
| if (r5 == 0x5a) {
0x00015690 beq 0x156cc | goto label_7;
| }
0x00015694 bl 0x10b88 | errno_location ();
0x00015698 mov r3, 0x16 | r3 = 0x16;
0x0001569c ldr r2, [pc, 0x370] | r2 = stderr;
0x000156a0 ldr r1, [pc, 0x384] | r1 = "%s: error!: \"%s\" is not a character device\n";
0x000156a4 str r3, [r0] | *(r0) = r3;
0x000156a8 mov r3, 0x5a | r3 = 0x5a;
0x000156ac str r3, [sp, 4] | var_4h = r3;
0x000156b0 ldr r0, [pc, 0x358] |
0x000156b4 ldr r3, [r4, 4] | r3 = *((r4 + 4));
0x000156b8 str r3, [sp] | *(sp) = r3;
0x000156bc mov r3, r6 | r3 = r6;
0x000156c0 ldr r0, [r0] | r0 = *(0x15a0c);
0x000156c4 bl 0x10abc | fprintf (r0, "%s: error!: \"%s\" is not a character device\n", r2, r3);
0x000156c8 b 0x1564c |
| } while (1);
; label_7: [r4+0] = minor / 2 (signed, rounded toward zero), then
; open64(path, 0).
| label_7:
0x000156cc add r0, r0, r0, lsr 31 | r0 += (r0 >> 31);
0x000156d0 asr r0, r0, 1 | r0 >>= 1;
0x000156d4 str r0, [r4] | *(r4) = r0;
0x000156d8 mov r1, 0 | r1 = 0;
0x000156dc mov r0, r6 | r0 = r6;
0x000156e0 bl 0x10b4c | r0 = open64 ();
; cmn r0, 1 sets Z when open64() returned -1; bne skips the error block on
; success. On failure r5 = -1 is what label_4 returns.
0x000156e4 cmn r0, 1 |
0x000156e8 mov r5, r0 | r5 = r0;
| if (r0 == 1) {
0x000156ec bne 0x15744 |
0x000156f0 bl 0x10b88 | errno_location ();
0x000156f4 ldr r7, [pc, 0x314] | r7 = *(0x15a0c);
0x000156f8 mov r3, r6 | r3 = r6;
0x000156fc ldr r2, [pc, 0x310] | r2 = stderr;
0x00015700 ldr r1, [pc, 0x310] | r1 = "libmtd";
0x00015704 ldr r4, [r0] | r4 = *(r0);
0x00015708 ldr r0, [r7] | r0 = *(0x15a0c);
0x0001570c bl 0x10abc | fprintf (r0, "libmtd", r2, r3, r4);
0x00015710 mov r0, r4 | r0 = r4;
0x00015714 ldr r6, [r7] | r6 = *(0x15a0c);
0x00015718 bl 0x10a2c | strerror (r0);
0x0001571c str r4, [sp] | *(sp) = r4;
0x00015720 ldr r3, [pc, 0x2f4] | r3 = "%s: error!: cannot open \"%s\"\n";
0x00015724 mov r2, 8 | r2 = 8;
0x00015728 ldr r1, [pc, 0x2f0] | r1 = *(0x15a1c);
0x0001572c str r0, [sp, 4] | var_4h = r0;
0x00015730 mov r0, r6 | r0 = r6;
0x00015734 bl 0x10abc | fprintf (r0, r1, r2, "%s: error!: cannot open \"%s\"\n", r4);
; label_4: common epilogue, r0 = r5.
| label_4:
0x00015738 mov r0, r5 | r0 = r5;
0x0001573c add sp, sp, 0x144 |
0x00015740 pop {r4, r5, r6, r7, r8, sb, pc} |
| }
; First ioctl: r0 is still the fd from open64(), r1 is a literal-pool value
; (a request code, not the string the annotation shows), r2 = sp+0x18 is the
; output buffer. A non-zero return prints an error, closes the fd and fails.
0x00015744 add r2, sp, 0x18 | r2 += var_18h;
0x00015748 ldr r1, [pc, 0x2e0] | r1 = "%s: error!: \"%s\" has major number %d, MTD devices have major %d\n";
0x0001574c bl 0x10a14 | r0 = ioctl (r0, "%s: error!: \"%s\" has major number %d, MTD devices have major %d\n");
0x00015750 subs r8, r0, 0 | r8 = r0 - 0;
| if (r8 == r0) {
0x00015754 beq 0x157a8 | goto label_8;
| }
0x00015758 bl 0x10b88 | errno_location ();
0x0001575c ldr r6, [pc, 0x2ac] |
0x00015760 ldr r2, [pc, 0x2ac] | r2 = stderr;
0x00015764 ldr r1, [pc, 0x2c8] | r1 = *(0x15a30);
0x00015768 ldr r4, [r0] | r4 = *(r0);
0x0001576c ldr r0, [r6] | r0 = *(0x15a0c);
0x00015770 bl 0x10abc | fprintf (r0, r1, r2, r3, r4, r5, r6);
0x00015774 mov r0, r4 | r0 = r4;
0x00015778 ldr r6, [r6] | r6 = *(0x15a0c);
0x0001577c bl 0x10a2c | strerror (r0);
0x00015780 ldr r3, [pc, 0x294] | r3 = "%s: error!: cannot open \"%s\"\n";
0x00015784 ldr r1, [pc, 0x294] | r1 = *(0x15a1c);
0x00015788 mov r2, 8 | r2 = 8;
0x0001578c str r4, [sp] | *(sp) = r4;
0x00015790 str r0, [sp, 4] | var_4h = r0;
0x00015794 mov r0, r6 | r0 = r6;
| do {
; label_1: shared error tail (fprintf); label_2: close(fd), then fail via
; label_0.
| label_1:
0x00015798 bl 0x10abc | fprintf (r0, r1, r2, "%s: error!: cannot open \"%s\"\n", r4);
| label_2:
0x0001579c mov r0, r5 | r0 = r5;
0x000157a0 bl 0x10bdc | close (r0);
0x000157a4 b 0x1564c | goto label_0;
; label_8: second ioctl(fd, <literal-pool request>, sp+0x10); sp+0x10 was
; zeroed at 0x155a4. r8 is 0 here (the first ioctl returned 0).
;   result != -1                     -> set bit 0x02 of the byte at [r4+0xfc]
;   result == -1 and errno == 0x5f   -> errno = 0, clear bit 0x02
;     (0x5f is EOPNOTSUPP on Linux)
;   result == -1 and any other errno -> error tail at label_1
| label_8:
0x000157a8 add r2, sp, 0x10 | r2 += var_10h;
0x000157ac ldr r1, [pc, 0x284] | r1 = "_s:_error_:_MEMGETINFO_ioctl_request_failed";
0x000157b0 mov r0, r5 | r0 = r5;
0x000157b4 bl 0x10a14 | r0 = ioctl (r0, "_s:_error_:_MEMGETINFO_ioctl_request_failed");
0x000157b8 cmn r0, 1 |
| if (r0 == 1) {
0x000157bc ldrbne r3, [r4, 0xfc] | r3 = *((r4 + 0xfc));
| }
| if (r0 == 1) {
0x000157c0 orrne r3, r3, 2 | r3 |= 2;
| }
| if (r0 != 1) {
0x000157c4 bne 0x15820 | goto label_9;
| }
0x000157c8 bl 0x10b88 | r0 = errno_location ();
0x000157cc ldr r7, [r0] | r7 = *(r0);
0x000157d0 cmp r7, 0x5f |
| if (r7 != 0x5f) {
0x000157d4 streq r8, [r0] | *(r0) = r8;
| }
| if (r7 != 0x5f) {
0x000157d8 ldrbeq r3, [r4, 0xfc] | r3 = *((r4 + 0xfc));
| }
0x000157dc biceq r3, r3, 2 | __asm ("biceq r3, r3, 2");
| if (r7 == 0x5f) {
0x000157e0 beq 0x15820 | goto label_9;
| }
0x000157e4 ldr r4, [pc, 0x224] |
0x000157e8 ldr r2, [pc, 0x224] | r2 = stderr;
0x000157ec ldr r1, [pc, 0x248] | r1 = *(0x15a38);
0x000157f0 ldr r0, [r4] | r0 = *(0x15a0c);
0x000157f4 bl 0x10abc | fprintf (r0, r1, r2, r3, r4);
0x000157f8 mov r0, r7 | r0 = r7;
0x000157fc ldr r4, [r4] | r4 = *(0x15a0c);
0x00015800 bl 0x10a2c | strerror (r0);
0x00015804 str r7, [sp] | *(sp) = r7;
0x00015808 ldr r3, [pc, 0x20c] | r3 = "%s: error!: cannot open \"%s\"\n";
0x0001580c mov r2, 8 | r2 = 8;
0x00015810 ldr r1, [pc, 0x208] | r1 = *(0x15a1c);
0x00015814 str r0, [sp, 4] | var_4h = r0;
0x00015818 mov r0, r4 | r0 = r4;
0x0001581c b 0x15798 |
| } while (1);
; label_9: store the flag byte, then copy fields from the first ioctl's
; buffer (sp+0x18 .. sp+0x2c) into the record: byte sp+0x18 -> [r4+0xc],
; sp+0x20 zero-extended to 64 bits -> [r4+0xd8], sp+0x24 -> [r4+0xe4],
; sp+0x28 -> [r4+0xe8], sp+0x2c -> [r4+0xf0]. The three checks that follow
; reject the device when these values are inconsistent; the "insane ..."
; messages presumably name which field each check covers.
| label_9:
0x00015820 strb r3, [r4, 0xfc] | *((r4 + 0xfc)) = r3;
0x00015824 ldr r3, [sp, 0x28] | r3 = var_28h;
0x00015828 ldrb r7, [sp, 0x18] | r7 = var_18h;
0x0001582c ldr r0, [sp, 0x20] | r0 = var_20h;
0x00015830 ldr r2, [sp, 0x24] | r2 = var_24h;
0x00015834 ldr ip, [sp, 0x2c] | ip = var_2ch;
0x00015838 mov r1, 0 | r1 = 0;
0x0001583c cmp r3, 0 |
0x00015840 str r7, [r4, 0xc] | *((r4 + 0xc)) = r7;
0x00015844 strd r0, r1, [r4, 0xd8] | __asm ("strd r0, r1, [r4, 0xd8]");
0x00015848 str r2, [r4, 0xe4] | *((r4 + 0xe4)) = r2;
0x0001584c str r3, [r4, 0xe8] | *((r4 + 0xe8)) = r3;
0x00015850 str ip, [r4, 0xf0] | *((r4 + 0xf0)) = ip;
; Check 1: the word from sp+0x28 must be > 0 (signed).
| if (r3 > 0) {
0x00015854 bgt 0x15878 | goto label_10;
| }
0x00015858 str r3, [sp, 4] | var_4h = r3;
0x0001585c str r6, [sp] | *(sp) = r6;
0x00015860 ldr r2, [pc, 0x1ac] | r2 = stderr;
0x00015864 ldr r3, [r4] | r3 = *(r4);
0x00015868 ldr r1, [pc, 0x1d0] | r1 = "%s: error!: MEMGETBADBLOCK ioctl failed\n";
| do {
0x0001586c ldr r0, [pc, 0x19c] |
0x00015870 ldr r0, [r0] | r0 = *(0x15a0c);
0x00015874 b 0x15798 | goto label_1;
; Check 2: the word from sp+0x24 (r2) must be >= r3 and > 0; cmpge only
; runs when the first compare gave r2 >= r3.
| label_10:
0x00015878 cmp r2, r3 |
0x0001587c cmpge r2, 0 | __asm ("cmpge r2, 0");
| if (r2 > r3) {
0x00015880 bgt 0x1589c | goto label_11;
| }
0x00015884 str r2, [sp, 4] | var_4h = r2;
0x00015888 str r6, [sp] | *(sp) = r6;
0x0001588c ldr r2, [pc, 0x180] | r2 = stderr;
0x00015890 ldr r3, [r4] | r3 = *(r4);
0x00015894 ldr r1, [pc, 0x1a8] | r1 = "_s:_error_:_mtd_d___s__has_insane_min._I_O_unit_size__d";
0x00015898 b 0x1586c |
| } while (1);
; Check 3: the 64-bit value r1:r0 must be non-zero and, in a signed 64-bit
; compare (cmp + sbcs), >= r2 sign-extended into r3:r2.
| label_11:
0x0001589c orrs r3, r0, r1 | r3 = r0 | r1;
| if (r3 != r0) {
0x000158a0 beq 0x158b4 |
0x000158a4 asr r3, r2, 0x1f | r3 = r2 >> 0x1f;
0x000158a8 cmp r0, r2 |
0x000158ac sbcs ip, r1, r3 | __asm ("sbcs ip, r1, r3");
| if (r0 >= r2) {
0x000158b0 bge 0x158d8 | goto label_12;
| }
| }
0x000158b4 strd r0, r1, [sp, 8] | __asm ("strd r0, r1, [var_8h]");
0x000158b8 ldr r0, [pc, 0x150] |
0x000158bc str r6, [sp] | *(sp) = r6;
0x000158c0 ldr r2, [pc, 0x14c] | r2 = stderr;
0x000158c4 ldr r3, [r4] | r3 = *(r4);
0x000158c8 ldr r1, [pc, 0x178] | r1 = "%s: error!: mtd%d (%s) has insane eraseblock size %d\n";
0x000158cc ldr r0, [r0] | r0 = *(0x15a0c);
0x000158d0 bl 0x10abc | fprintf (r0, "%s: error!: mtd%d (%s) has insane eraseblock size %d\n", r2, r3, r4, r5, r6);
0x000158d4 b 0x1579c | goto label_2;
; label_12: helper at 0x15c6c is called with r1:r0 and r3:r2 still holding
; the two 64-bit operands compared above; its result goes to [r4+0xe0].
| label_12:
0x000158d8 bl 0x15c6c | fcn_00015c6c (r0);
0x000158dc str r0, [r4, 0xe0] | *((r4 + 0xe0)) = r0;
; Dispatch on r7 (the byte from sp+0x18): ldrls only executes for r7 <= 8,
; larger values fall through to label_2 (close, fail). The jump table at
; 0x158ec..0x1590f is not part of this listing, so the mapping from r7 to
; the stubs below is not visible here.
0x000158e0 cmp r7, 8 |
| if (r7 > 8) {
| /* switch table (9 cases) at 0x158ec */
0x000158e4 ldrls pc, [pc, r7, lsl 2] | offset_0 = r7 << 2;
| pc = *((pc + offset_0));
| }
0x000158e8 b 0x1579c | goto label_2;
; Stub at 0x15910: prints an error and fails via label_2.
0x00015910 ldr r0, [pc, 0xf8] |
0x00015914 str r6, [sp] | *(sp) = r6;
0x00015918 ldr r2, [pc, 0xf4] | r2 = stderr;
0x0001591c ldr r3, [r4] | r3 = *(r4);
0x00015920 ldr r1, [pc, 0x124] | r1 = "%s: error!: mtd%d (%s) has insane size %lld\n";
0x00015924 ldr r0, [r0] | r0 = *(0x15a0c);
0x00015928 bl 0x10abc | fprintf (r0, "%s: error!: mtd%d (%s) has insane size %lld\n", r2, r3, r4, r5, r6);
0x0001592c b 0x1579c | goto label_2;
; strcpy #1 (call at 0x15938): dst = r4+0x10. Every path into label_3 that
; this listing shows (0x15930 and the stubs at 0x159c0..0x159e8) first loads
; r1 from this function's literal pool, so the source is a constant string
; selected by the switch, not caller-supplied data. Given the one-slot
; annotation shift, the sources are presumably the short type names ("ram",
; "nand", "mlc_nand", "dataflash", ...) rather than the error text shown.
; Space up to the second strcpy destination (r4+0x51) is 0x41 bytes.
; TODO confirm the string lengths against the literal pool.
0x00015930 ldr r1, [pc, 0x118] | r1 = "_s:_error_:_mtd_d___s__is_removable_and_is_not_present";
| label_3:
0x00015934 add r0, r4, 0x10 | r0 = r4 + 0x10;
0x00015938 bl 0x10a08 | strcpy (r0, "_s:_error_:_mtd_d___s__is_removable_and_is_not_present")
0x0001593c ldr r3, [sp, 0x1c] | r3 = var_1ch;
0x00015940 mov r0, r5 | r0 = r5;
; tst r3, 0x400: when bit 0x400 of the word at sp+0x1c is set (ne), bit 0x01
; of [r4+0xfc] is set; the pseudo-code shows the opposite sense.
0x00015944 tst r3, 0x400 |
| if ((r3 & 0x400) == 0) {
0x00015948 ldrbne r3, [r4, 0xfc] | r3 = *((r4 + 0xfc));
| }
| if ((r3 & 0x400) == 0) {
0x0001594c orrne r3, r3, 1 | r3 |= 1;
| }
| if ((r3 & 0x400) == 0) {
0x00015950 strbne r3, [r4, 0xfc] | *((r4 + 0xfc)) = r3;
| }
0x00015954 ldr r3, [r4, 0xe8] | r3 = *((r4 + 0xe8));
0x00015958 str r3, [r4, 0xec] | *((r4 + 0xec)) = r3;
0x0001595c bl 0x10bdc | close (r0);
; fcn_000153bc(path): a negative result is clamped to 0 by the bic before
; the store to [r4+0xf4].
0x00015960 mov r0, r6 | r0 = r6;
0x00015964 bl 0x153bc | r0 = fcn_000153bc (r0);
0x00015968 bic r0, r0, r0, asr 31 | r0 = BIT_MASK (r0, r0);
0x0001596c str r0, [r4, 0xf4] | *((r4 + 0xf4)) = r0;
; fcn_000150e0(sp+0xa0): a non-zero return fails via label_0. On success
; r5 = 0, which is the value label_4 finally returns.
0x00015970 add r0, sp, 0xa0 | r0 += var_a0h;
0x00015974 bl 0x150e0 | fcn_000150e0 (r0);
0x00015978 subs r5, r0, 0 | r5 -= var_a0h;
| if (r5 != var_a0h) {
0x0001597c bne 0x1564c | goto label_0;
| }
; Search loop: fcn_00014f7c(sp+0xa0) is called repeatedly -- presumably it
; fills the record at sp+0xa0 with the next entry. A 0 return ends the
; search with errno = 2 (ENOENT on Linux) and failure. The loop exits when
; the word at sp+0xa0 equals [r4+0].
| do {
0x00015980 add r0, sp, 0xa0 | r0 += var_a0h;
0x00015984 bl 0x14f7c | r0 = fcn_00014f7c (r0);
0x00015988 cmp r0, 0 |
| if (r0 == 0) {
0x0001598c bne 0x159f0 |
0x00015990 ldr r3, [pc, 0xbc] | r3 = "ram";
0x00015994 ldr r0, [pc, 0x74] |
0x00015998 str r3, [sp] | *(sp) = r3;
0x0001599c ldr r2, [pc, 0x70] | r2 = stderr;
0x000159a0 ldr r3, [r4] | r3 = *(r4);
0x000159a4 ldr r1, [pc, 0xac] | r1 = "_proc_mtd";
0x000159a8 ldr r0, [r0] | r0 = *(0x15a0c);
0x000159ac bl 0x10abc | r0 = fprintf (r0, "_proc_mtd", r2, "ram");
0x000159b0 bl 0x10b88 | errno_location ();
0x000159b4 mov r3, 2 | r3 = 2;
0x000159b8 str r3, [r0] | *(r0) = r3;
0x000159bc b 0x1564c | goto label_0;
; Stubs 0x159c0..0x159e8: each loads one literal-pool pointer into r1 and
; jumps to label_3 (strcpy #1). They are laid out inside the loop's address
; range but are not part of the loop's control flow.
0x000159c0 ldr r1, [pc, 0x94] | r1 = "_s:_error_:_mtd_d_not_found_in___s_";
0x000159c4 b 0x15934 | goto label_3;
0x000159c8 ldr r1, [pc, 0x90] | r1 = *(0x15a5c);
0x000159cc b 0x15934 | goto label_3;
0x000159d0 ldr r1, [pc, 0x8c] | r1 = *(0x15a60);
0x000159d4 b 0x15934 | goto label_3;
0x000159d8 ldr r1, [pc, 0x88] | r1 = "nand";
0x000159dc b 0x15934 | goto label_3;
0x000159e0 ldr r1, [pc, 0x84] | r1 = "mlc_nand";
0x000159e4 b 0x15934 | goto label_3;
0x000159e8 ldr r1, [pc, 0x80] | r1 = "dataflash";
0x000159ec b 0x15934 | goto label_3;
| }
0x000159f0 ldr r3, [r4] | r3 = *(r4);
0x000159f4 ldr r2, [sp, 0xa0] | r2 = var_a0h;
0x000159f8 cmp r2, r3 |
0x000159fc bne 0x15980 |
| } while (r2 != r3);
; strcpy #2 (call at 0x15a08): dst = r4+0x51, src = sp+0xb0, i.e. offset
; 0x10 inside the record at sp+0xa0 that fcn_00014f7c was given. No length
; check is visible in this function. From sp+0xb0 to the end of the frame
; (sp+0x144) is 0x94 bytes; from r4+0x51 to the next field written here
; (r4+0xd8) is 0x87 bytes.
; NOTE(review): whether this copy stays in bounds depends on fcn_00014f7c
; limiting and NUL-terminating the string it stores -- verify there. A
; length-bounded copy with explicit termination in the source code would
; remove that dependency.
0x00015a00 add r1, sp, 0xb0 | r1 += src;
0x00015a04 add r0, r4, 0x51 | r0 = r4 + 0x51;
0x00015a08 bl 0x10a08 | strcpy (r0, r1)
0x00015a0c b 0x15738 | goto label_4;
| }
[*] Function strcpy used 3 times mtdinfo