[*] Binary protection state of nandwrite
Partial RELRO, No Canary found, NX disabled, No PIE, No RPATH, No RUNPATH, No Symbols
[*] Function strcpy tear down of nandwrite
; assembly | /* r2dec pseudo code output */
| /* /logs/firmware/unblob_extracted/firmware_extract/56048-12514271.gzip_extract/gzip.uncompressed_extract/5243916-15068666.gzip_extract/gzip.uncompressed_extract/usr/sbin/nandwrite @ 0x149cc */
| #include <stdint.h>
|
| #define BIT_MASK(t,v) ((t)(-((v)!= 0)))&(((t)-1)>>((sizeof(t)*CHAR_BIT)-(v)))
|
;-----------------------------------------------------------------------
; fcn_000149cc — r2dec listing of nandwrite @ 0x149cc (ARM32, EABI)
; Register roles as this listing shows them:
;   r6 = arg1, the path handed to stat64 (0x149ec) and open64 (0x14b24)
;        and to the error messages
;   r4 = arg2, an output block: memset to 0x100 bytes at 0x14aa4, then
;        written at +0, +4, +8, +0xc, +0x10, +0x51, +0xd8.., +0xfc
;   r5 = return value: -1 via label_0 (or the failed open64 falling into
;        label_4), 0 on the path that reaches 0x14e50
;   sp+0x38 = stat64 out-buffer; sp+0x18 / sp+0x10 = ioctl out-buffers;
;   sp+0xa0 = state block handed to fcn_00014524 / fcn_000143c0
; NOTE(review): the right-hand r2dec column is only a hint. It names literal
;   pool loads after a nearby string (so "libmtd"/stderr/"..." show up as
;   fprintf formats and an ioctl request code at 0x14b8c prints as text),
;   renders `cmn rX, 1` as `== 1` (it is a compare with -1), and reports
;   the inverted sense for conditional ldrls/ldrbne/orrne/streq forms.
;   Trust the left-hand instructions.
; The two strcpy calls this listing was flagged for are at 0x14d7c and
;   0x14e4c: the first copies a literal chosen by the jump table, the second
;   copies a stack buffer (sp+0xb0) written by fcn_000143c0, whose bound is
;   not visible here.
;-----------------------------------------------------------------------
; (fcn) fcn.000149cc () | void fcn_000149cc (char * arg1, int32_t arg2) {
| int32_t var_0h;
| int32_t var_4h;
| int32_t var_8h;
| int32_t var_8h_2;
| int32_t var_10h;
| int32_t var_10h_2;
| int32_t var_18h;
| int32_t var_1ch;
| int32_t var_20h;
| int32_t var_24h;
| int32_t var_28h;
| int32_t var_2ch;
| int32_t var_38h;
| int32_t var_48h;
| int32_t var_58h;
| int32_t var_58h_2;
| int32_t var_a0h;
| char * src;
| int32_t var_144h;
| r0 = arg1;
| r1 = arg2;
; prologue: 7 callee-saved regs + lr, then 0x144 bytes of locals
; (0x144 + 7*4 = 0x160, so sp stays 8-byte aligned for EABI calls)
0x000149cc push {r4, r5, r6, r7, r8, sb, lr} |
0x000149d0 sub sp, sp, 0x144 |
0x000149d4 mov r2, 0 | r2 = 0;
0x000149d8 mov r3, 0 | r3 = 0;
0x000149dc mov r4, r1 | r4 = r1;
; r1 = sp + 0x38: address of the stat64 out-buffer (not an add-assign)
0x000149e0 add r1, sp, 0x38 | r1 += var_38h;
0x000149e4 mov r6, r0 | r6 = r0;
; zero the 8 bytes at sp+0x10..0x17 — the value later passed to ioctl
; by address at 0x14bec
0x000149e8 strd r2, r3, [sp, 0x10] | __asm ("strd r2, r3, [var_10h]");
; stat64(arg1, sp+0x38)
0x000149ec bl 0x10a24 | r0 = stat64 ();
0x000149f0 cmp r0, 0 |
| if (r0 != 0) {
; stat64 failed: report it, but no path below returns early — the
; failure branch also ends up at label_5
0x000149f4 beq 0x14a5c |
0x000149f8 bl 0x10b5c | errno_location ();
0x000149fc ldr r8, [pc, 0x450] |
0x00014a00 mov r3, r6 | r3 = r6;
0x00014a04 ldr r2, [pc, 0x44c] | r2 = stderr;
0x00014a08 ldr r1, [pc, 0x44c] | r1 = "libmtd";
; r7 = errno value, r5 = &errno (re-read at 0x14a44)
0x00014a0c ldr r7, [r0] | r7 = *(r0);
0x00014a10 mov r5, r0 | r5 = r0;
; r0 = stream loaded through the pool pointer at 0x149fc; first fprintf
; (format in r1, then program-name/path style args in r2/r3)
0x00014a14 ldr r0, [r8] | r0 = *(0x14e50);
0x00014a18 bl 0x10ab4 | fprintf (r0, "libmtd", r2, r3, r4, r5);
; strerror(errno)
0x00014a1c mov r0, r7 | r0 = r7;
0x00014a20 ldr r8, [r8] | r8 = *(0x14e50);
0x00014a24 bl 0x10a18 | strerror (r0);
; second fprintf: r2 = 8 is a width argument, [sp] = errno,
; [sp+4] = strerror() text — same 3-call pattern repeats at 0x14b34,
; 0x14b9c and 0x14c28
0x00014a28 ldr r3, [pc, 0x430] | r3 = "_s:_error_:_cannot_open___s_";
0x00014a2c str r7, [sp] | *(sp) = r7;
0x00014a30 mov r2, 8 | r2 = 8;
0x00014a34 ldr r1, [pc, 0x428] | r1 = *(0x14e60);
0x00014a38 str r0, [sp, 4] | var_4h = r0;
0x00014a3c mov r0, r8 | r0 = r8;
0x00014a40 bl 0x10ab4 | fprintf (r0, r1, r2, "_s:_error_:_cannot_open___s_");
; if errno == 2 (ENOENT) print one more message via 0x10a0c, then fall
; through into label_5 anyway
0x00014a44 ldr r3, [r5] | r3 = *(r5);
0x00014a48 cmp r3, 2 |
| if (r3 != 2) {
0x00014a4c bne 0x14a5c | goto label_5;
| }
0x00014a50 ldr r1, [pc, 0x400] | r1 = stderr;
0x00014a54 ldr r0, [pc, 0x40c] | r0 = "_serror__d___s_";
0x00014a58 bl 0x10a0c | printf ("_serror__d___s_", r1);
| }
| label_5:
; (mode word at sp+0x48 & 0xf000) == 0x2000: S_IFMT / S_IFCHR test.
; NOTE(review): reached even when stat64 failed above; nothing in view
; initialises sp+0x38.. before that call, so on the failure path this
; reads whatever the buffer held.
0x00014a5c ldr r3, [sp, 0x48] | r3 = var_48h;
0x00014a60 and r3, r3, 0xf000 | r3 &= 0xf000;
0x00014a64 cmp r3, 0x2000 |
| if (r3 == 0x2000) {
0x00014a68 beq 0x14a98 | goto label_6;
| }
; not a character device: errno = 0x16 (EINVAL), report, fall into label_0.
; The string r2dec shows on r1 here looks one message off from the check
; (compare 0x14ae4 and 0x14b8c) — treat those labels as approximate.
0x00014a6c bl 0x10b5c | errno_location ();
0x00014a70 mov r3, 0x16 | r3 = 0x16;
0x00014a74 ldr r2, [pc, 0x3dc] | r2 = stderr;
0x00014a78 ldr r1, [pc, 0x3ec] | r1 = "%s: MTD subsystem is old and does not support sysfs, so MTD character device nodes have to exist\n";
0x00014a7c str r3, [r0] | *(r0) = r3;
0x00014a80 ldr r0, [pc, 0x3cc] |
0x00014a84 mov r3, r6 | r3 = r6;
0x00014a88 ldr r0, [r0] | r0 = *(0x14e50);
0x00014a8c bl 0x10ab4 | fprintf (r0, "%s: MTD subsystem is old and does not support sysfs, so MTD character device nodes have to exist\n", r2, r3);
| do {
| label_0:
; common failure exit: return -1 (the do/while wrapper is an r2dec artefact)
0x00014a90 mvn r5, 0 | r5 = ~0;
0x00014a94 b 0x14b7c | goto label_4;
| label_6:
; memset(arg2, 0, 0x100) — the output block is at least 0x100 bytes
0x00014a98 mov r2, 0x100 | r2 = 0x100;
0x00014a9c mov r1, 0 | r1 = 0;
0x00014aa0 mov r0, r4 | r0 = r4;
0x00014aa4 bl 0x10b14 | memset (r0, r1, r2);
; r8:sb = 64-bit value at sp+0x58 of the stat64 buffer (presumably
; st_rdev — TODO confirm against the struct stat64 layout for this ABI);
; major -> r5 and [r4+4], minor -> [r4+8]
0x00014aa8 ldrd r8, sb, [sp, 0x58] | __asm ("ldrd r8, sb, [var_58h]");
0x00014aac mov r1, sb | r1 = sb;
0x00014ab0 mov r0, r8 | r0 = r8;
0x00014ab4 bl 0x10a3c | gnu_dev_major ();
0x00014ab8 mov r1, sb | r1 = sb;
0x00014abc mov r5, r0 | r5 = r0;
0x00014ac0 str r0, [r4, 4] | *((r4 + 4)) = r0;
0x00014ac4 mov r0, r8 | r0 = r8;
0x00014ac8 bl 0x10a78 | gnu_dev_minor ();
; major must equal 0x5a (90)
0x00014acc cmp r5, 0x5a |
0x00014ad0 str r0, [r4, 8] | *((r4 + 8)) = r0;
| if (r5 == 0x5a) {
0x00014ad4 beq 0x14b10 | goto label_7;
| }
; wrong major: errno = EINVAL, report with [sp] = actual major,
; [sp+4] = 0x5a as the two trailing %d args, then jump to label_0
0x00014ad8 bl 0x10b5c | errno_location ();
0x00014adc mov r3, 0x16 | r3 = 0x16;
0x00014ae0 ldr r2, [pc, 0x370] | r2 = stderr;
0x00014ae4 ldr r1, [pc, 0x384] | r1 = "_s:_error_:___s__is_not_a_character_device";
0x00014ae8 str r3, [r0] | *(r0) = r3;
0x00014aec mov r3, 0x5a | r3 = 0x5a;
0x00014af0 str r3, [sp, 4] | var_4h = r3;
0x00014af4 ldr r0, [pc, 0x358] |
0x00014af8 ldr r3, [r4, 4] | r3 = *((r4 + 4));
0x00014afc str r3, [sp] | *(sp) = r3;
0x00014b00 mov r3, r6 | r3 = r6;
0x00014b04 ldr r0, [r0] | r0 = *(0x14e50);
0x00014b08 bl 0x10ab4 | fprintf (r0, "_s:_error_:___s__is_not_a_character_device", r2, r3);
0x00014b0c b 0x14a90 |
| } while (1);
| label_7:
; [r4+0] = minor / 2 (signed: add the sign bit, then arithmetic shift)
0x00014b10 add r0, r0, r0, lsr 31 | r0 += (r0 >> 31);
0x00014b14 asr r0, r0, 1 | r0 >>= 1;
0x00014b18 str r0, [r4] | *(r4) = r0;
; open64(arg1, 0); `cmn r0, 1` tests r0 == -1 (pseudo "== 1" is wrong);
; r5 = fd from here on
0x00014b1c mov r1, 0 | r1 = 0;
0x00014b20 mov r0, r6 | r0 = r6;
0x00014b24 bl 0x10b20 | r0 = open64 ();
0x00014b28 cmn r0, 1 |
0x00014b2c mov r5, r0 | r5 = r0;
| if (r0 == 1) {
0x00014b30 bne 0x14b88 |
; open64 failed: same fprintf / strerror / fprintf triple as at 0x149f8,
; then fall through into label_4 with r5 still -1
0x00014b34 bl 0x10b5c | errno_location ();
0x00014b38 ldr r7, [pc, 0x314] | r7 = *(0x14e50);
0x00014b3c mov r3, r6 | r3 = r6;
0x00014b40 ldr r2, [pc, 0x310] | r2 = stderr;
0x00014b44 ldr r1, [pc, 0x310] | r1 = "libmtd";
0x00014b48 ldr r4, [r0] | r4 = *(r0);
0x00014b4c ldr r0, [r7] | r0 = *(0x14e50);
0x00014b50 bl 0x10ab4 | fprintf (r0, "libmtd", r2, r3, r4);
0x00014b54 mov r0, r4 | r0 = r4;
0x00014b58 ldr r6, [r7] | r6 = *(0x14e50);
0x00014b5c bl 0x10a18 | strerror (r0);
0x00014b60 str r4, [sp] | *(sp) = r4;
0x00014b64 ldr r3, [pc, 0x2f4] | r3 = "_s:_error_:_cannot_open___s_";
0x00014b68 mov r2, 8 | r2 = 8;
0x00014b6c ldr r1, [pc, 0x2f0] | r1 = *(0x14e60);
0x00014b70 str r0, [sp, 4] | var_4h = r0;
0x00014b74 mov r0, r6 | r0 = r6;
0x00014b78 bl 0x10ab4 | fprintf (r0, r1, r2, "_s:_error_:_cannot_open___s_", r4);
| label_4:
; epilogue: return r5
0x00014b7c mov r0, r5 | r0 = r5;
0x00014b80 add sp, sp, 0x144 |
0x00014b84 pop {r4, r5, r6, r7, r8, sb, pc} |
| }
; ioctl(fd, <request code from the pool at pc+0x2e0>, sp+0x18) — the
; "%s: error!..." text r2dec attaches to r1 is a mislabel; r8 = result
; (subs also sets the flags), 0 -> label_8
0x00014b88 add r2, sp, 0x18 | r2 += var_18h;
0x00014b8c ldr r1, [pc, 0x2e0] | r1 = "%s: error!: \"%s\" has major number %d, MTD devices have major %d\n";
0x00014b90 bl 0x10a00 | r0 = ioctl (r0, "%s: error!: \"%s\" has major number %d, MTD devices have major %d\n");
0x00014b94 subs r8, r0, 0 | r8 = r0 - 0;
| if (r8 == r0) {
0x00014b98 beq 0x14bec | goto label_8;
| }
; first ioctl failed: report (r0 = stream, args prepared for label_1)
0x00014b9c bl 0x10b5c | errno_location ();
0x00014ba0 ldr r6, [pc, 0x2ac] |
0x00014ba4 ldr r2, [pc, 0x2ac] | r2 = stderr;
0x00014ba8 ldr r1, [pc, 0x2c8] | r1 = *(0x14e74);
0x00014bac ldr r4, [r0] | r4 = *(r0);
0x00014bb0 ldr r0, [r6] | r0 = *(0x14e50);
0x00014bb4 bl 0x10ab4 | fprintf (r0, r1, r2, r3, r4, r5, r6);
0x00014bb8 mov r0, r4 | r0 = r4;
0x00014bbc ldr r6, [r6] | r6 = *(0x14e50);
0x00014bc0 bl 0x10a18 | strerror (r0);
0x00014bc4 ldr r3, [pc, 0x294] | r3 = "_s:_error_:_cannot_open___s_";
0x00014bc8 ldr r1, [pc, 0x294] | r1 = *(0x14e60);
0x00014bcc mov r2, 8 | r2 = 8;
0x00014bd0 str r4, [sp] | *(sp) = r4;
0x00014bd4 str r0, [sp, 4] | var_4h = r0;
0x00014bd8 mov r0, r6 | r0 = r6;
| do {
| label_1:
; shared error tail: final fprintf, close(fd), return -1 via label_0.
; Entered from 0x14c60 and 0x14cb8 as well.
0x00014bdc bl 0x10ab4 | fprintf (r0, r1, r2, "_s:_error_:_cannot_open___s_", r4);
| label_2:
0x00014be0 mov r0, r5 | r0 = r5;
0x00014be4 bl 0x10bbc | close (r0);
0x00014be8 b 0x14a90 | goto label_0;
| label_8:
; ioctl(fd, <second request code>, sp+0x10). Result != -1 (cmn):
; r3 = byte [r4+0xfc] | 2, then label_9.
0x00014bec add r2, sp, 0x10 | r2 += var_10h;
0x00014bf0 ldr r1, [pc, 0x284] | r1 = "_s:_error_:_MEMGETINFO_ioctl_request_failed";
0x00014bf4 mov r0, r5 | r0 = r5;
0x00014bf8 bl 0x10a00 | r0 = ioctl (r0, "_s:_error_:_MEMGETINFO_ioctl_request_failed");
0x00014bfc cmn r0, 1 |
| if (r0 == 1) {
0x00014c00 ldrbne r3, [r4, 0xfc] | r3 = *((r4 + 0xfc));
| }
| if (r0 == 1) {
0x00014c04 orrne r3, r3, 2 | r3 |= 2;
| }
| if (r0 != 1) {
0x00014c08 bne 0x14c64 | goto label_9;
| }
; result == -1: r7 = errno. When errno == 0x5f (95, EOPNOTSUPP) this is
; tolerated: errno = r8 (r8 is 0 here, see 0x14b94/0x14b98),
; r3 = byte [r4+0xfc] & ~2, and control goes to label_9. The pseudo
; code's "if (r7 != 0x5f)" around the eq-suffixed instructions is inverted.
0x00014c0c bl 0x10b5c | r0 = errno_location ();
0x00014c10 ldr r7, [r0] | r7 = *(r0);
0x00014c14 cmp r7, 0x5f |
| if (r7 != 0x5f) {
0x00014c18 streq r8, [r0] | *(r0) = r8;
| }
| if (r7 != 0x5f) {
0x00014c1c ldrbeq r3, [r4, 0xfc] | r3 = *((r4 + 0xfc));
| }
0x00014c20 biceq r3, r3, 2 | __asm ("biceq r3, r3, 2");
| if (r7 == 0x5f) {
0x00014c24 beq 0x14c64 | goto label_9;
| }
; any other errno: report, then jump into label_1 (fprintf, close, -1)
0x00014c28 ldr r4, [pc, 0x224] |
0x00014c2c ldr r2, [pc, 0x224] | r2 = stderr;
0x00014c30 ldr r1, [pc, 0x248] | r1 = *(0x14e7c);
0x00014c34 ldr r0, [r4] | r0 = *(0x14e50);
0x00014c38 bl 0x10ab4 | fprintf (r0, r1, r2, r3, r4);
0x00014c3c mov r0, r7 | r0 = r7;
0x00014c40 ldr r4, [r4] | r4 = *(0x14e50);
0x00014c44 bl 0x10a18 | strerror (r0);
0x00014c48 str r7, [sp] | *(sp) = r7;
0x00014c4c ldr r3, [pc, 0x20c] | r3 = "_s:_error_:_cannot_open___s_";
0x00014c50 mov r2, 8 | r2 = 8;
0x00014c54 ldr r1, [pc, 0x208] | r1 = *(0x14e60);
0x00014c58 str r0, [sp, 4] | var_4h = r0;
0x00014c5c mov r0, r4 | r0 = r4;
0x00014c60 b 0x14bdc |
| } while (1);
| label_9:
; byte [r4+0xfc] = r3 (bit 1 records whether the second ioctl worked).
; Copy the first ioctl's results out of sp+0x18..:
;   byte @sp+0x18 -> [r4+0xc]   (r7, the switch index at 0x14d28)
;   word @sp+0x20 -> [r4+0xd8] as 8 bytes with a zero high word (r0:r1)
;   word @sp+0x24 -> [r4+0xe4]  (r2)
;   word @sp+0x28 -> [r4+0xe8]  (r3, also compared against 0 below)
;   word @sp+0x2c -> [r4+0xf0]  (ip)
0x00014c64 strb r3, [r4, 0xfc] | *((r4 + 0xfc)) = r3;
0x00014c68 ldr r3, [sp, 0x28] | r3 = var_28h;
0x00014c6c ldrb r7, [sp, 0x18] | r7 = var_18h;
0x00014c70 ldr r0, [sp, 0x20] | r0 = var_20h;
0x00014c74 ldr r2, [sp, 0x24] | r2 = var_24h;
0x00014c78 ldr ip, [sp, 0x2c] | ip = var_2ch;
0x00014c7c mov r1, 0 | r1 = 0;
0x00014c80 cmp r3, 0 |
0x00014c84 str r7, [r4, 0xc] | *((r4 + 0xc)) = r7;
0x00014c88 strd r0, r1, [r4, 0xd8] | __asm ("strd r0, r1, [r4, 0xd8]");
0x00014c8c str r2, [r4, 0xe4] | *((r4 + 0xe4)) = r2;
0x00014c90 str r3, [r4, 0xe8] | *((r4 + 0xe8)) = r3;
0x00014c94 str ip, [r4, 0xf0] | *((r4 + 0xf0)) = ip;
| if (r3 > 0) {
0x00014c98 bgt 0x14cbc | goto label_10;
| }
; r3 <= 0 (signed): report with [sp] = path, [sp+4] = r3, via the shared
; tail at 0x14cb0 (load stream, jump to label_1)
0x00014c9c str r3, [sp, 4] | var_4h = r3;
0x00014ca0 str r6, [sp] | *(sp) = r6;
0x00014ca4 ldr r2, [pc, 0x1ac] | r2 = stderr;
0x00014ca8 ldr r3, [r4] | r3 = *(r4);
0x00014cac ldr r1, [pc, 0x1d0] | r1 = "%s: error!: MEMGETBADBLOCK ioctl failed\n";
| do {
0x00014cb0 ldr r0, [pc, 0x19c] |
0x00014cb4 ldr r0, [r0] | r0 = *(0x14e50);
0x00014cb8 b 0x14bdc | goto label_1;
| label_10:
; r2 must be >= r3 and > 0: `cmpge r2, 0` only runs when the first
; compare gave r2 >= r3, so bgt is taken for (r2 >= r3 && r2 > 0)
0x00014cbc cmp r2, r3 |
0x00014cc0 cmpge r2, 0 | __asm ("cmpge r2, 0");
| if (r2 > r3) {
0x00014cc4 bgt 0x14ce0 | goto label_11;
| }
0x00014cc8 str r2, [sp, 4] | var_4h = r2;
0x00014ccc str r6, [sp] | *(sp) = r6;
0x00014cd0 ldr r2, [pc, 0x180] | r2 = stderr;
0x00014cd4 ldr r3, [r4] | r3 = *(r4);
0x00014cd8 ldr r1, [pc, 0x1a8] | r1 = "_s:_error_:_mtd_d___s__has_insane_min._I_O_unit_size__d";
0x00014cdc b 0x14cb0 |
| } while (1);
| label_11:
; 64-bit r1:r0 must be nonzero (orrs) and >= sign-extended r2
; (cmp/sbcs pair, signed via bge); otherwise report with r1:r0 at
; [sp+8] and exit through label_2
0x00014ce0 orrs r3, r0, r1 | r3 = r0 | r1;
| if (r3 != r0) {
0x00014ce4 beq 0x14cf8 |
0x00014ce8 asr r3, r2, 0x1f | r3 = r2 >> 0x1f;
0x00014cec cmp r0, r2 |
0x00014cf0 sbcs ip, r1, r3 | __asm ("sbcs ip, r1, r3");
| if (r0 >= r2) {
0x00014cf4 bge 0x14d1c | goto label_12;
| }
| }
0x00014cf8 strd r0, r1, [sp, 8] | __asm ("strd r0, r1, [var_8h]");
0x00014cfc ldr r0, [pc, 0x150] |
0x00014d00 str r6, [sp] | *(sp) = r6;
0x00014d04 ldr r2, [pc, 0x14c] | r2 = stderr;
0x00014d08 ldr r3, [r4] | r3 = *(r4);
0x00014d0c ldr r1, [pc, 0x178] | r1 = "%s: error!: mtd%d (%s) has insane eraseblock size %d\n";
0x00014d10 ldr r0, [r0] | r0 = *(0x14e50);
0x00014d14 bl 0x10ab4 | fprintf (r0, "%s: error!: mtd%d (%s) has insane eraseblock size %d\n", r2, r3, r4, r5, r6);
0x00014d18 b 0x14be0 | goto label_2;
| label_12:
; fcn_000150b0 on r1:r0 / r2 -> [r4+0xe0] (its contract is not in view)
0x00014d1c bl 0x150b0 | fcn_000150b0 (r0);
0x00014d20 str r0, [r4, 0xe0] | *((r4 + 0xe0)) = r0;
; switch on r7 = byte [r4+0xc]: `ldrls pc, [pc, r7, lsl 2]` dispatches
; through the table at 0x14d30 when r7 <= 8 (unsigned); r7 > 8 falls
; into `b label_2` (close, -1). The pseudo code's "if (r7 > 8)" is
; inverted. The table words 0x14d30..0x14d50 are not printed in this listing.
0x00014d24 cmp r7, 8 |
| if (r7 > 8) {
| /* switch table (9 cases) at 0x14d30 */
0x00014d28 ldrls pc, [pc, r7, lsl 2] | offset_0 = r7 << 2;
| pc = *((pc + offset_0));
| }
0x00014d2c b 0x14be0 | goto label_2;
; one case arm: report and exit through label_2
0x00014d54 ldr r0, [pc, 0xf8] |
0x00014d58 str r6, [sp] | *(sp) = r6;
0x00014d5c ldr r2, [pc, 0xf4] | r2 = stderr;
0x00014d60 ldr r3, [r4] | r3 = *(r4);
0x00014d64 ldr r1, [pc, 0x124] | r1 = "%s: error!: mtd%d (%s) has insane size %lld\n";
0x00014d68 ldr r0, [r0] | r0 = *(0x14e50);
0x00014d6c bl 0x10ab4 | fprintf (r0, "%s: error!: mtd%d (%s) has insane size %lld\n", r2, r3, r4, r5, r6);
0x00014d70 b 0x14be0 | goto label_2;
; remaining case arms each load a pc-relative literal into r1 and share
; label_3: strcpy(r4+0x10, r1). Every visible source is a build-time
; literal ("rom", "nor", "mlc-nand", "dataflash", ...), so this copy's
; length is fixed; the field at +0x10 has 0x41 bytes before the next
; written field at +0x51.
0x00014d74 ldr r1, [pc, 0x118] | r1 = "_s:_error_:_mtd_d___s__is_removable_and_is_not_present";
| label_3:
0x00014d78 add r0, r4, 0x10 | r0 = r4 + 0x10;
0x00014d7c bl 0x109f4 | strcpy (r0, "_s:_error_:_mtd_d___s__is_removable_and_is_not_present")
; if bit 0x400 of the word at sp+0x1c is SET (tst + ne-suffixed ops),
; byte [r4+0xfc] |= 1. The pseudo code's "== 0" condition is inverted.
0x00014d80 ldr r3, [sp, 0x1c] | r3 = var_1ch;
0x00014d84 mov r0, r5 | r0 = r5;
0x00014d88 tst r3, 0x400 |
| if ((r3 & 0x400) == 0) {
0x00014d8c ldrbne r3, [r4, 0xfc] | r3 = *((r4 + 0xfc));
| }
| if ((r3 & 0x400) == 0) {
0x00014d90 orrne r3, r3, 1 | r3 |= 1;
| }
| if ((r3 & 0x400) == 0) {
0x00014d94 strbne r3, [r4, 0xfc] | *((r4 + 0xfc)) = r3;
| }
; [r4+0xec] = [r4+0xe8]; close(fd) (r0 = r5 was set at 0x14d84)
0x00014d98 ldr r3, [r4, 0xe8] | r3 = *((r4 + 0xe8));
0x00014d9c str r3, [r4, 0xec] | *((r4 + 0xec)) = r3;
0x00014da0 bl 0x10bbc | close (r0);
; fcn_00014800(arg1); `bic r0, r0, r0, asr 31` clears r0 when it is
; negative and keeps it otherwise (clamp to >= 0) — the BIT_MASK macro
; r2dec prints is misleading; stored at [r4+0xf4]
0x00014da4 mov r0, r6 | r0 = r6;
0x00014da8 bl 0x14800 | r0 = fcn_00014800 (r0);
0x00014dac bic r0, r0, r0, asr 31 | r0 = BIT_MASK (r0, r0);
0x00014db0 str r0, [r4, 0xf4] | *((r4 + 0xf4)) = r0;
; fcn_00014524(sp+0xa0); `subs r5, r0, 0` is r5 = r0 (and sets flags),
; not the subtraction shown; nonzero result -> return -1
0x00014db4 add r0, sp, 0xa0 | r0 += var_a0h;
0x00014db8 bl 0x14524 | fcn_00014524 (r0);
0x00014dbc subs r5, r0, 0 | r5 -= var_a0h;
| if (r5 != var_a0h) {
0x00014dc0 bne 0x14a90 | goto label_0;
| }
| do {
; loop: fcn_000143c0(sp+0xa0); 0 means no more entries -> report,
; errno = 2 (ENOENT), return -1
0x00014dc4 add r0, sp, 0xa0 | r0 += var_a0h;
0x00014dc8 bl 0x143c0 | r0 = fcn_000143c0 (r0);
0x00014dcc cmp r0, 0 |
| if (r0 == 0) {
0x00014dd0 bne 0x14e34 |
0x00014dd4 ldr r3, [pc, 0xbc] | r3 = *(0x14e94);
0x00014dd8 ldr r0, [pc, 0x74] |
0x00014ddc str r3, [sp] | *(sp) = r3;
0x00014de0 ldr r2, [pc, 0x70] | r2 = stderr;
0x00014de4 ldr r3, [r4] | r3 = *(r4);
0x00014de8 ldr r1, [pc, 0xac] | r1 = "_proc_mtd";
0x00014dec ldr r0, [r0] | r0 = *(0x14e50);
0x00014df0 bl 0x10ab4 | r0 = fprintf (r0, "_proc_mtd", r2, r3);
0x00014df4 bl 0x10b5c | errno_location ();
0x00014df8 mov r3, 2 | r3 = 2;
0x00014dfc str r3, [r0] | *(r0) = r3;
0x00014e00 b 0x14a90 | goto label_0;
; the arms below are jump-table targets (reached from 0x14d28, not from
; the loop above); they sit here only because the listing is by address
0x00014e04 ldr r1, [pc, 0x94] | r1 = "_s:_error_:_mtd_d_not_found_in___s_";
0x00014e08 b 0x14d78 | goto label_3;
0x00014e0c ldr r1, [pc, 0x90] | r1 = "rom";
0x00014e10 b 0x14d78 | goto label_3;
0x00014e14 ldr r1, [pc, 0x8c] | r1 = "nor";
0x00014e18 b 0x14d78 | goto label_3;
0x00014e1c ldr r1, [pc, 0x88] | r1 = *(0x14ea8);
0x00014e20 b 0x14d78 | goto label_3;
0x00014e24 ldr r1, [pc, 0x84] | r1 = "mlc-nand";
0x00014e28 b 0x14d78 | goto label_3;
0x00014e2c ldr r1, [pc, 0x80] | r1 = "dataflash";
0x00014e30 b 0x14d78 | goto label_3;
| }
; keep iterating until the word at sp+0xa0 equals [r4+0] (the minor/2
; value stored at 0x14b18)
0x00014e34 ldr r3, [r4] | r3 = *(r4);
0x00014e38 ldr r2, [sp, 0xa0] | r2 = var_a0h;
0x00014e3c cmp r2, r3 |
0x00014e40 bne 0x14dc4 |
| } while (r2 != r3);
; strcpy(r4+0x51, sp+0xb0): the only copy whose source is runtime data,
; filled by fcn_000143c0 (not in view).
; NOTE(review): the destination at +0x51 is followed by the field written
; at +0xd8 (0x14c88), so a source of 0x87 bytes or more (incl. NUL) would
; overwrite it, and anything past +0x100 leaves the memset region — confirm
; in fcn_000143c0 that the write into sp+0xb0 is bounded to fit.
; Then return r5, which is 0 here (0x14dbc/0x14dc0; assumes the callees
; preserve r5 per AAPCS).
0x00014e44 add r1, sp, 0xb0 | r1 += src;
0x00014e48 add r0, r4, 0x51 | r0 = r4 + 0x51;
0x00014e4c bl 0x109f4 | strcpy (r0, r1)
0x00014e50 b 0x14b7c | goto label_4;
| }
[*] Function strcpy used 3 times nandwrite