[*] Binary protection state of nanddump
Partial RELRO | No Canary found | NX disabled | No PIE | No RPATH | No RUNPATH | No Symbols
[*] Function strcpy tear down of nanddump
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/unblob_extracted/firmware_extract/56048-12514271.gzip_extract/gzip.uncompressed_extract/5243916-15068666.gzip_extract/gzip.uncompressed_extract/usr/sbin/nanddump @ 0x14850 */
| #include <stdint.h>
|
| #define BIT_MASK(t,v) ((t)(-((v)!= 0)))&(((t)-1)>>((sizeof(t)*CHAR_BIT)-(v)))
|
; fcn.00014850(arg1 = path in r0, arg2 = output record in r1)
; Visible behaviour: stat64() the path, require a character device with major 0x5a, zero 0x100
; bytes of the record, open the path, issue two ioctl() calls, range-check and store the returned
; values, then fill two string fields with strcpy (0x14c00 -> r4+0x10, 0x14cd0 -> r4+0x51).
; Returns r5 in r0: ~0 via label_0 or after a failed open64, 0 on the path through 0x14cd4
; (r5 is zero once 0x14c44 falls through). The pseudo-code's `void` is a decompiler artefact.
; NOTE(review): several string labels in the pseudo-code column cannot be right (an error message
; shown as the ioctl request at 0x14a14, "/proc/mtd" shown as a fprintf format at 0x14c74), so the
; labels look shifted against the literal pool; resolve the pool words before relying on any label.
; (fcn) fcn.00014850 () | void fcn_00014850 (char * arg1, int32_t arg2) {
| int32_t var_0h;
| int32_t var_4h;
| int32_t var_8h;
| int32_t var_8h_2;
| int32_t var_10h;
| int32_t var_10h_2;
| int32_t var_18h;
| int32_t var_1ch;
| int32_t var_20h;
| int32_t var_24h;
| int32_t var_28h;
| int32_t var_2ch;
| int32_t var_38h;
| int32_t var_48h;
| int32_t var_58h;
| int32_t var_58h_2;
| int32_t var_a0h;
| char * src;
| int32_t var_144h;
| r0 = arg1;
| r1 = arg2;
0x00014850 push {r4, r5, r6, r7, r8, sb, lr} |
0x00014854 sub sp, sp, 0x144 |
0x00014858 mov r2, 0 | r2 = 0;
0x0001485c mov r3, 0 | r3 = 0;
0x00014860 mov r4, r1 | r4 = r1;
0x00014864 add r1, sp, 0x38 | r1 += var_38h;
0x00014868 mov r6, r0 | r6 = r0;
0x0001486c strd r2, r3, [sp, 0x10] | __asm ("strd r2, r3, [var_10h]");
; stat64(path, sp+0x38): r0 still holds arg1 and r1 = sp + 0x38 is the stat buffer.
0x00014870 bl 0x10a58 | r0 = stat64 ();
0x00014874 cmp r0, 0 |
| if (r0 != 0) {
0x00014878 beq 0x148e0 |
0x0001487c bl 0x10b9c | errno_location ();
0x00014880 ldr r8, [pc, 0x450] |
0x00014884 mov r3, r6 | r3 = r6;
0x00014888 ldr r2, [pc, 0x44c] | r2 = stderr;
0x0001488c ldr r1, [pc, 0x44c] | r1 = "libmtd";
0x00014890 ldr r7, [r0] | r7 = *(r0);
0x00014894 mov r5, r0 | r5 = r0;
0x00014898 ldr r0, [r8] | r0 = *(0x14cd4);
0x0001489c bl 0x10ae8 | fprintf (r0, "libmtd", r2, r3, r4, r5);
0x000148a0 mov r0, r7 | r0 = r7;
0x000148a4 ldr r8, [r8] | r8 = *(0x14cd4);
0x000148a8 bl 0x10a4c | strerror (r0);
0x000148ac ldr r3, [pc, 0x430] | r3 = "%s: error!: cannot open \"%s\"\n";
0x000148b0 str r7, [sp] | *(sp) = r7;
0x000148b4 mov r2, 8 | r2 = 8;
0x000148b8 ldr r1, [pc, 0x428] | r1 = *(0x14ce4);
0x000148bc str r0, [sp, 4] | var_4h = r0;
0x000148c0 mov r0, r8 | r0 = r8;
0x000148c4 bl 0x10ae8 | fprintf (r0, r1, r2, "%s: error!: cannot open \"%s\"\n");
0x000148c8 ldr r3, [r5] | r3 = *(r5);
0x000148cc cmp r3, 2 |
| if (r3 != 2) {
0x000148d0 bne 0x148e0 | goto label_5;
| }
0x000148d4 ldr r1, [pc, 0x400] | r1 = stderr;
0x000148d8 ldr r0, [pc, 0x40c] | r0 = "_serror__d___s_";
0x000148dc bl 0x10a40 | printf ("_serror__d___s_", r1);
| }
| label_5:
; Both stat64 outcomes reach this point: the failure branch above only prints and falls through,
; so the test below can read sp+0x48 from a stat buffer that was never filled.
; NOTE(review): treat as a possible uninitialised-stack read steering control flow; confirm, and
; prefer returning from the failure branch.
; (word at sp+0x48) & 0xf000 == 0x2000 is the character-device file-type test if sp+0x48 is
; st_mode - presumably, given the stat buffer starts at sp+0x38; confirm against the libc layout.
0x000148e0 ldr r3, [sp, 0x48] | r3 = var_48h;
0x000148e4 and r3, r3, 0xf000 | r3 &= 0xf000;
0x000148e8 cmp r3, 0x2000 |
| if (r3 == 0x2000) {
0x000148ec beq 0x1491c | goto label_6;
| }
; Not a character device: errno = 0x16, print, return ~0.
0x000148f0 bl 0x10b9c | errno_location ();
0x000148f4 mov r3, 0x16 | r3 = 0x16;
0x000148f8 ldr r2, [pc, 0x3dc] | r2 = stderr;
0x000148fc ldr r1, [pc, 0x3ec] | r1 = "_s:_MTD_subsystem_is_old_and_does_not_support_sysfs__so_MTD_character_device_nodes_have_to_exist";
0x00014900 str r3, [r0] | *(r0) = r3;
0x00014904 ldr r0, [pc, 0x3cc] |
0x00014908 mov r3, r6 | r3 = r6;
0x0001490c ldr r0, [r0] | r0 = *(0x14cd4);
0x00014910 bl 0x10ae8 | fprintf (r0, "_s:_MTD_subsystem_is_old_and_does_not_support_sysfs__so_MTD_character_device_nodes_have_to_exist", r2, r3);
| do {
| label_0:
; Common failure exit: r5 = ~0, returned through label_4.
0x00014914 mvn r5, 0 | r5 = ~0;
0x00014918 b 0x14a00 | goto label_4;
| label_6:
; memset(arg2, 0, 0x100): the caller's record must be at least 0x100 bytes.
0x0001491c mov r2, 0x100 | r2 = 0x100;
0x00014920 mov r1, 0 | r1 = 0;
0x00014924 mov r0, r4 | r0 = r4;
0x00014928 bl 0x10b54 | memset (r0, r1, r2);
; 64-bit device number loaded from sp+0x58: major stored at r4+4, minor at r4+8.
0x0001492c ldrd r8, sb, [sp, 0x58] | __asm ("ldrd r8, sb, [var_58h]");
0x00014930 mov r1, sb | r1 = sb;
0x00014934 mov r0, r8 | r0 = r8;
0x00014938 bl 0x10a70 | gnu_dev_major ();
0x0001493c mov r1, sb | r1 = sb;
0x00014940 mov r5, r0 | r5 = r0;
0x00014944 str r0, [r4, 4] | *((r4 + 4)) = r0;
0x00014948 mov r0, r8 | r0 = r8;
0x0001494c bl 0x10ab8 | gnu_dev_minor ();
; Only major number 0x5a is accepted; anything else sets errno = 0x16 and returns ~0.
0x00014950 cmp r5, 0x5a |
0x00014954 str r0, [r4, 8] | *((r4 + 8)) = r0;
| if (r5 == 0x5a) {
0x00014958 beq 0x14994 | goto label_7;
| }
0x0001495c bl 0x10b9c | errno_location ();
0x00014960 mov r3, 0x16 | r3 = 0x16;
0x00014964 ldr r2, [pc, 0x370] | r2 = stderr;
0x00014968 ldr r1, [pc, 0x384] | r1 = "%s: error!: \"%s\" is not a character device\n";
0x0001496c str r3, [r0] | *(r0) = r3;
0x00014970 mov r3, 0x5a | r3 = 0x5a;
0x00014974 str r3, [sp, 4] | var_4h = r3;
0x00014978 ldr r0, [pc, 0x358] |
0x0001497c ldr r3, [r4, 4] | r3 = *((r4 + 4));
0x00014980 str r3, [sp] | *(sp) = r3;
0x00014984 mov r3, r6 | r3 = r6;
0x00014988 ldr r0, [r0] | r0 = *(0x14cd4);
0x0001498c bl 0x10ae8 | fprintf (r0, "%s: error!: \"%s\" is not a character device\n", r2, r3);
0x00014990 b 0x14914 |
| } while (1);
| label_7:
; r0 is the minor number here: signed divide by two, stored at r4+0.
0x00014994 add r0, r0, r0, lsr 31 | r0 += (r0 >> 31);
0x00014998 asr r0, r0, 1 | r0 >>= 1;
0x0001499c str r0, [r4] | *(r4) = r0;
; open64(path, 0). cmn r0, 1 tests r0 == -1; the printed "r0 == 1" drops the sign.
0x000149a0 mov r1, 0 | r1 = 0;
0x000149a4 mov r0, r6 | r0 = r6;
0x000149a8 bl 0x10b60 | r0 = open64 ();
0x000149ac cmn r0, 1 |
0x000149b0 mov r5, r0 | r5 = r0;
| if (r0 == 1) {
0x000149b4 bne 0x14a0c |
0x000149b8 bl 0x10b9c | errno_location ();
0x000149bc ldr r7, [pc, 0x314] | r7 = *(0x14cd4);
0x000149c0 mov r3, r6 | r3 = r6;
0x000149c4 ldr r2, [pc, 0x310] | r2 = stderr;
0x000149c8 ldr r1, [pc, 0x310] | r1 = "libmtd";
0x000149cc ldr r4, [r0] | r4 = *(r0);
0x000149d0 ldr r0, [r7] | r0 = *(0x14cd4);
0x000149d4 bl 0x10ae8 | fprintf (r0, "libmtd", r2, r3, r4);
0x000149d8 mov r0, r4 | r0 = r4;
0x000149dc ldr r6, [r7] | r6 = *(0x14cd4);
0x000149e0 bl 0x10a4c | strerror (r0);
0x000149e4 str r4, [sp] | *(sp) = r4;
0x000149e8 ldr r3, [pc, 0x2f4] | r3 = "%s: error!: cannot open \"%s\"\n";
0x000149ec mov r2, 8 | r2 = 8;
0x000149f0 ldr r1, [pc, 0x2f0] | r1 = *(0x14ce4);
0x000149f4 str r0, [sp, 4] | var_4h = r0;
0x000149f8 mov r0, r6 | r0 = r6;
0x000149fc bl 0x10ae8 | fprintf (r0, r1, r2, "%s: error!: cannot open \"%s\"\n", r4);
| label_4:
; Single return point: r0 = r5, release the 0x144-byte frame, restore registers.
0x00014a00 mov r0, r5 | r0 = r5;
0x00014a04 add sp, sp, 0x144 |
0x00014a08 pop {r4, r5, r6, r7, r8, sb, pc} |
| }
; ioctl(fd, request word from the literal pool, sp+0x18): r0 is still the fd from open64.
; The string shown as the second argument cannot be the request value.
0x00014a0c add r2, sp, 0x18 | r2 += var_18h;
0x00014a10 ldr r1, [pc, 0x2e0] | r1 = "_s:_error_:___s__has_major_number__d__MTD_devices_have_major__d";
0x00014a14 bl 0x10a34 | r0 = ioctl (r0, "_s:_error_:___s__has_major_number__d__MTD_devices_have_major__d");
0x00014a18 subs r8, r0, 0 | r8 = r0 - 0;
| if (r8 == r0) {
0x00014a1c beq 0x14a70 | goto label_8;
| }
0x00014a20 bl 0x10b9c | errno_location ();
0x00014a24 ldr r6, [pc, 0x2ac] |
0x00014a28 ldr r2, [pc, 0x2ac] | r2 = stderr;
0x00014a2c ldr r1, [pc, 0x2c8] | r1 = *(0x14cf8);
0x00014a30 ldr r4, [r0] | r4 = *(r0);
0x00014a34 ldr r0, [r6] | r0 = *(0x14cd4);
0x00014a38 bl 0x10ae8 | fprintf (r0, r1, r2, r3, r4, r5, r6);
0x00014a3c mov r0, r4 | r0 = r4;
0x00014a40 ldr r6, [r6] | r6 = *(0x14cd4);
0x00014a44 bl 0x10a4c | strerror (r0);
0x00014a48 ldr r3, [pc, 0x294] | r3 = "%s: error!: cannot open \"%s\"\n";
0x00014a4c ldr r1, [pc, 0x294] | r1 = *(0x14ce4);
0x00014a50 mov r2, 8 | r2 = 8;
0x00014a54 str r4, [sp] | *(sp) = r4;
0x00014a58 str r0, [sp, 4] | var_4h = r0;
0x00014a5c mov r0, r6 | r0 = r6;
| do {
| label_1:
; Shared error tail: print, close the fd held in r5, then return ~0 through label_0.
0x00014a60 bl 0x10ae8 | fprintf (r0, r1, r2, "%s: error!: cannot open \"%s\"\n", r4);
| label_2:
0x00014a64 mov r0, r5 | r0 = r5;
0x00014a68 bl 0x10bf0 | close (r0);
0x00014a6c b 0x14914 | goto label_0;
| label_8:
; ioctl(fd, second request word, sp+0x10); sp+0x10 holds the 64-bit zero stored at 0x1486c.
0x00014a70 add r2, sp, 0x10 | r2 += var_10h;
0x00014a74 ldr r1, [pc, 0x284] | r1 = "%s: error!: MEMGETINFO ioctl request failed\n";
0x00014a78 mov r0, r5 | r0 = r5;
0x00014a7c bl 0x10a34 | r0 = ioctl (r0, "%s: error!: MEMGETINFO ioctl request failed\n");
; Result != -1: set bit 0x02 in the byte at r4+0xfc. Result == -1 with errno 0x5f: reset errno
; to 0 (r8) and clear that bit. Any other errno takes the error path through label_1.
; The if-conditions printed for these predicated instructions do not match the condition codes.
0x00014a80 cmn r0, 1 |
| if (r0 == 1) {
0x00014a84 ldrbne r3, [r4, 0xfc] | r3 = *((r4 + 0xfc));
| }
| if (r0 == 1) {
0x00014a88 orrne r3, r3, 2 | r3 |= 2;
| }
| if (r0 != 1) {
0x00014a8c bne 0x14ae8 | goto label_9;
| }
0x00014a90 bl 0x10b9c | r0 = errno_location ();
0x00014a94 ldr r7, [r0] | r7 = *(r0);
0x00014a98 cmp r7, 0x5f |
| if (r7 != 0x5f) {
0x00014a9c streq r8, [r0] | *(r0) = r8;
| }
| if (r7 != 0x5f) {
0x00014aa0 ldrbeq r3, [r4, 0xfc] | r3 = *((r4 + 0xfc));
| }
0x00014aa4 biceq r3, r3, 2 | __asm ("biceq r3, r3, 2");
| if (r7 == 0x5f) {
0x00014aa8 beq 0x14ae8 | goto label_9;
| }
0x00014aac ldr r4, [pc, 0x224] |
0x00014ab0 ldr r2, [pc, 0x224] | r2 = stderr;
0x00014ab4 ldr r1, [pc, 0x248] | r1 = *(0x14d00);
0x00014ab8 ldr r0, [r4] | r0 = *(0x14cd4);
0x00014abc bl 0x10ae8 | fprintf (r0, r1, r2, r3, r4);
0x00014ac0 mov r0, r7 | r0 = r7;
0x00014ac4 ldr r4, [r4] | r4 = *(0x14cd4);
0x00014ac8 bl 0x10a4c | strerror (r0);
0x00014acc str r7, [sp] | *(sp) = r7;
0x00014ad0 ldr r3, [pc, 0x20c] | r3 = "%s: error!: cannot open \"%s\"\n";
0x00014ad4 mov r2, 8 | r2 = 8;
0x00014ad8 ldr r1, [pc, 0x208] | r1 = *(0x14ce4);
0x00014adc str r0, [sp, 4] | var_4h = r0;
0x00014ae0 mov r0, r4 | r0 = r4;
0x00014ae4 b 0x14a60 |
| } while (1);
| label_9:
; Copy the first ioctl's output (sp+0x18..sp+0x2c) into the record: byte at sp+0x18 -> r4+0xc
; (also the switch index below), [sp+0x20] zero-extended to 64 bits -> r4+0xd8,
; [sp+0x24] -> r4+0xe4, [sp+0x28] -> r4+0xe8, [sp+0x2c] -> r4+0xf0.
; These ioctl-supplied values are range-checked below before further use.
0x00014ae8 strb r3, [r4, 0xfc] | *((r4 + 0xfc)) = r3;
0x00014aec ldr r3, [sp, 0x28] | r3 = var_28h;
0x00014af0 ldrb r7, [sp, 0x18] | r7 = var_18h;
0x00014af4 ldr r0, [sp, 0x20] | r0 = var_20h;
0x00014af8 ldr r2, [sp, 0x24] | r2 = var_24h;
0x00014afc ldr ip, [sp, 0x2c] | ip = var_2ch;
0x00014b00 mov r1, 0 | r1 = 0;
0x00014b04 cmp r3, 0 |
0x00014b08 str r7, [r4, 0xc] | *((r4 + 0xc)) = r7;
0x00014b0c strd r0, r1, [r4, 0xd8] | __asm ("strd r0, r1, [r4, 0xd8]");
0x00014b10 str r2, [r4, 0xe4] | *((r4 + 0xe4)) = r2;
0x00014b14 str r3, [r4, 0xe8] | *((r4 + 0xe8)) = r3;
0x00014b18 str ip, [r4, 0xf0] | *((r4 + 0xf0)) = ip;
; Check 1: the value from sp+0x28 (r3) must be > 0, otherwise error.
| if (r3 > 0) {
0x00014b1c bgt 0x14b40 | goto label_10;
| }
0x00014b20 str r3, [sp, 4] | var_4h = r3;
0x00014b24 str r6, [sp] | *(sp) = r6;
0x00014b28 ldr r2, [pc, 0x1ac] | r2 = stderr;
0x00014b2c ldr r3, [r4] | r3 = *(r4);
0x00014b30 ldr r1, [pc, 0x1d0] | r1 = "_s:_error_:_MEMGETBADBLOCK_ioctl_failed";
| do {
0x00014b34 ldr r0, [pc, 0x19c] |
0x00014b38 ldr r0, [r0] | r0 = *(0x14cd4);
0x00014b3c b 0x14a60 | goto label_1;
| label_10:
; Check 2: accept only if r2 >= r3 and r2 > 0 (cmp / cmpge / bgt); the pseudo-code shows
; just "r2 > r3".
0x00014b40 cmp r2, r3 |
0x00014b44 cmpge r2, 0 | __asm ("cmpge r2, 0");
| if (r2 > r3) {
0x00014b48 bgt 0x14b64 | goto label_11;
| }
0x00014b4c str r2, [sp, 4] | var_4h = r2;
0x00014b50 str r6, [sp] | *(sp) = r6;
0x00014b54 ldr r2, [pc, 0x180] | r2 = stderr;
0x00014b58 ldr r3, [r4] | r3 = *(r4);
0x00014b5c ldr r1, [pc, 0x1a8] | r1 = "%s: error!: mtd%d (%s) has insane min. I/O unit size %d\n";
0x00014b60 b 0x14b34 |
| } while (1);
| label_11:
; Check 3: accept only if the 64-bit value r1:r0 is non-zero and >= sign-extended r2.
0x00014b64 orrs r3, r0, r1 | r3 = r0 | r1;
| if (r3 != r0) {
0x00014b68 beq 0x14b7c |
0x00014b6c asr r3, r2, 0x1f | r3 = r2 >> 0x1f;
0x00014b70 cmp r0, r2 |
0x00014b74 sbcs ip, r1, r3 | __asm ("sbcs ip, r1, r3");
| if (r0 >= r2) {
0x00014b78 bge 0x14ba0 | goto label_12;
| }
| }
0x00014b7c strd r0, r1, [sp, 8] | __asm ("strd r0, r1, [var_8h]");
0x00014b80 ldr r0, [pc, 0x150] |
0x00014b84 str r6, [sp] | *(sp) = r6;
0x00014b88 ldr r2, [pc, 0x14c] | r2 = stderr;
0x00014b8c ldr r3, [r4] | r3 = *(r4);
0x00014b90 ldr r1, [pc, 0x178] | r1 = "_s:_error_:_mtd_d___s__has_insane_eraseblock_size__d";
0x00014b94 ldr r0, [r0] | r0 = *(0x14cd4);
0x00014b98 bl 0x10ae8 | fprintf (r0, "_s:_error_:_mtd_d___s__has_insane_eraseblock_size__d", r2, r3, r4, r5, r6);
0x00014b9c b 0x14a64 | goto label_2;
| label_12:
; NOTE(review): fcn_00014f34 is opaque here; r0:r1 and r2 still hold the values checked above
; and the result is stored at r4+0xe0 - presumably a 64-bit divide helper, confirm.
0x00014ba0 bl 0x14f34 | fcn_00014f34 (r0);
0x00014ba4 str r0, [r4, 0xe0] | *((r4 + 0xe0)) = r0;
; Jump table indexed by the byte from sp+0x18: ldrls only executes for r7 <= 8 (the printed
; "r7 > 8" is inverted); larger values fall through to label_2 (close, return ~0).
0x00014ba8 cmp r7, 8 |
| if (r7 > 8) {
| /* switch table (9 cases) at 0x14bb4 */
0x00014bac ldrls pc, [pc, r7, lsl 2] | offset_0 = r7 << 2;
| pc = *((pc + offset_0));
| }
0x00014bb0 b 0x14a64 | goto label_2;
; 0x14bd8 and 0x14bf8 are not reached by any visible branch; presumably jump-table targets.
0x00014bd8 ldr r0, [pc, 0xf8] |
0x00014bdc str r6, [sp] | *(sp) = r6;
0x00014be0 ldr r2, [pc, 0xf4] | r2 = stderr;
0x00014be4 ldr r3, [r4] | r3 = *(r4);
0x00014be8 ldr r1, [pc, 0x124] | r1 = "_s:_error_:_mtd_d___s__has_insane_size__lld";
0x00014bec ldr r0, [r0] | r0 = *(0x14cd4);
0x00014bf0 bl 0x10ae8 | fprintf (r0, "_s:_error_:_mtd_d___s__has_insane_size__lld", r2, r3, r4, r5, r6);
0x00014bf4 b 0x14a64 | goto label_2;
0x00014bf8 ldr r1, [pc, 0x118] | r1 = "%s: error!: mtd%d (%s) is removable and is not present\n";
| label_3:
; strcpy #1: dst = r4 + 0x10, src = r1. Every visible path into label_3 loads r1 from the
; literal pool (0x14bf8, 0x14c88..0x14cb0), so the source is a fixed string in the binary.
; NOTE(review): safe only if the longest of those literals fits the field at r4+0x10; strcpy #2
; writes from r4+0x51, which suggests a 0x41-byte field - confirm. The string label printed on
; the call line is probably mislabelled.
0x00014bfc add r0, r4, 0x10 | r0 = r4 + 0x10;
0x00014c00 bl 0x10a28 | strcpy (r0, "%s: error!: mtd%d (%s) is removable and is not present\n")
; Bit 0x01 at r4+0xfc is set when [sp+0x1c] & 0x400 is non-zero (tst + ..ne); the printed
; "== 0" conditions are inverted.
0x00014c04 ldr r3, [sp, 0x1c] | r3 = var_1ch;
0x00014c08 mov r0, r5 | r0 = r5;
0x00014c0c tst r3, 0x400 |
| if ((r3 & 0x400) == 0) {
0x00014c10 ldrbne r3, [r4, 0xfc] | r3 = *((r4 + 0xfc));
| }
| if ((r3 & 0x400) == 0) {
0x00014c14 orrne r3, r3, 1 | r3 |= 1;
| }
| if ((r3 & 0x400) == 0) {
0x00014c18 strbne r3, [r4, 0xfc] | *((r4 + 0xfc)) = r3;
| }
0x00014c1c ldr r3, [r4, 0xe8] | r3 = *((r4 + 0xe8));
0x00014c20 str r3, [r4, 0xec] | *((r4 + 0xec)) = r3;
0x00014c24 bl 0x10bf0 | close (r0);
; Result of fcn_00014684(path) is clamped to >= 0 (bic r0, r0, r0 asr 31) and stored at
; r4+0xf4; BIT_MASK in the pseudo-code is a misrendering of that clamp.
0x00014c28 mov r0, r6 | r0 = r6;
0x00014c2c bl 0x14684 | r0 = fcn_00014684 (r0);
0x00014c30 bic r0, r0, r0, asr 31 | r0 = BIT_MASK (r0, r0);
0x00014c34 str r0, [r4, 0xf4] | *((r4 + 0xf4)) = r0;
; fcn_000143a8 is called with the local record at sp+0xa0; a non-zero return goes to label_0.
0x00014c38 add r0, sp, 0xa0 | r0 += var_a0h;
0x00014c3c bl 0x143a8 | fcn_000143a8 (r0);
0x00014c40 subs r5, r0, 0 | r5 -= var_a0h;
| if (r5 != var_a0h) {
0x00014c44 bne 0x14914 | goto label_0;
| }
; Loop: fcn_00014244(sp+0xa0) per iteration; a zero return ends in the errno = 2 error path,
; otherwise [sp+0xa0] is compared with [r4+0] and the loop exits on a match.
| do {
0x00014c48 add r0, sp, 0xa0 | r0 += var_a0h;
0x00014c4c bl 0x14244 | r0 = fcn_00014244 (r0);
0x00014c50 cmp r0, 0 |
| if (r0 == 0) {
0x00014c54 bne 0x14cb8 |
0x00014c58 ldr r3, [pc, 0xbc] | r3 = "ram";
0x00014c5c ldr r0, [pc, 0x74] |
0x00014c60 str r3, [sp] | *(sp) = r3;
0x00014c64 ldr r2, [pc, 0x70] | r2 = stderr;
0x00014c68 ldr r3, [r4] | r3 = *(r4);
0x00014c6c ldr r1, [pc, 0xac] | r1 = "/proc/mtd";
0x00014c70 ldr r0, [r0] | r0 = *(0x14cd4);
0x00014c74 bl 0x10ae8 | r0 = fprintf (r0, "/proc/mtd", r2, "ram");
0x00014c78 bl 0x10b9c | errno_location ();
0x00014c7c mov r3, 2 | r3 = 2;
0x00014c80 str r3, [r0] | *(r0) = r3;
0x00014c84 b 0x14914 | goto label_0;
; 0x14c88..0x14cb0: literal-pool loads that branch to label_3 (strcpy #1); not reached by any
; visible branch, presumably jump-table targets.
0x00014c88 ldr r1, [pc, 0x94] | r1 = "%s: error!: mtd%d not found in \"%s\"\n";
0x00014c8c b 0x14bfc | goto label_3;
0x00014c90 ldr r1, [pc, 0x90] | r1 = *(0x14d24);
0x00014c94 b 0x14bfc | goto label_3;
0x00014c98 ldr r1, [pc, 0x8c] | r1 = *(0x14d28);
0x00014c9c b 0x14bfc | goto label_3;
0x00014ca0 ldr r1, [pc, 0x88] | r1 = "nand";
0x00014ca4 b 0x14bfc | goto label_3;
0x00014ca8 ldr r1, [pc, 0x84] | r1 = "mlc_nand";
0x00014cac b 0x14bfc | goto label_3;
0x00014cb0 ldr r1, [pc, 0x80] | r1 = "dataflash";
0x00014cb4 b 0x14bfc | goto label_3;
| }
0x00014cb8 ldr r3, [r4] | r3 = *(r4);
0x00014cbc ldr r2, [sp, 0xa0] | r2 = var_a0h;
0x00014cc0 cmp r2, r3 |
0x00014cc4 bne 0x14c48 |
| } while (r2 != r3);
; strcpy #2: dst = r4 + 0x51 inside the caller's record, src = sp + 0xb0 inside the local record
; at sp+0xa0 that fcn_00014244 is handed. No length check on the source is visible here.
; NOTE(review): the next record field written by this function is r4+0xd8 (0x14b0c), leaving at
; most 0x87 bytes including the terminator, while sp+0xb0 lies 0x94 bytes below the top of the
; 0x144-byte frame. Audit fcn_00014244 for the bound it enforces on that string and for where
; the string originates; a bounded copy sized to the destination field removes the dependency.
; The page header reports no stack canary and NX disabled, so neither would limit an overflow.
0x00014cc8 add r1, sp, 0xb0 | r1 += src;
0x00014ccc add r0, r4, 0x51 | r0 = r4 + 0x51;
0x00014cd0 bl 0x10a28 | strcpy (r0, r1)
0x00014cd4 b 0x14a00 | goto label_4;
| }
[*] Function strcpy used 3 times nanddump