BIOS ida pro LoadProcConfig by Alex Hide

[Storm Shadow]

Overview

LoadProcConfig is an IDA Plugin to load processor configuration files.
With just a couple of clicks configuration files can turn this: Into this, adding memory regions, entries and registers/ports: By default IDA is shipped with configuration files for many processors in IDA/cfg folder. These configuration files are loaded automatically when corresponding processor module is loaded.
However, this approach has some disadvantages:

1. You have to keep your own configuration files inside IDA
2. There is no easy way to load and apply configuration file on existing database
3. Most important, ARM processor module doesn't have configuration file

Current plugin was implemented to address all these issues.
Installation

Just copy LoadProcConfig.pmc and LoadProcConfig.pmc64 to IDA plugins folder.
Usage

From Edit / Plugins menu choose Load Processor Config.
Then open configuration file using the file dialog. IDA will parse this file and display all available devices.
Pick your device and press OK.
Choose what do you want to load from this configuration file. Plugin will reanalyse entire database using device description and create additional memory regions.
Configuration files

There are many configuration files in IDA/cfg folder. While the format has no proper documentation, we can get some ideas by looking into idasdk/module/iocommon.cpp
Every configuration includes following parts:
; Default device in current configuration file
.default MYDEVICE

; Device description
.MYDEVICE

; RAM/FLASH specification
RAM=512
ROM=8192
EEPROM=512

; Memory Map
area DATA I_SRAM 0x00060:0x00260 Internal SRAM
area DATA E_SRAM 0x00260:0x10000 External SRAM

; Interrupts and reset vector assignments
entry RESET 0x0000 External Reset, Power-on Reset and Watchdog Reset
entry UART_RX 0x0009 UART, Rx Complete

; Registers (with bit fields)
USR 0x000B UART Status Register
USR.RXC 7 UART Receive Complete
USR.TXC 6 UART Transmit Complete
USR.UDRE 5 UART Data Register Empty
USR.FE 4 Framing Error
USR.OR 3 Overrun

You can find example for STM32F40x in Configurations folder

source
https://github.com/alexhude/LoadProcConfig

 

[Fuzuli]

Super plugin indeed. Thanks man. You are the best. Could you build windows versions? Please.

 

[Fuzuli]

I compiled it for windows by the way.

 

[Fuzuli]

Hi;
I recompiled plugin for v7.0. If anyone interested the files are attached.
Is anyone have time to make this plugin compatible to parse SVD files for ARM Cortex-M series MCUs ?

 

[Storm Shadow]

Is anyone have time to make this plugin compatible to parse SVD files for ARM Cortex-M series MCUs ?

Do you have a test file you could attach also?

 

[Fuzuli]

NOTE: The files i sent before only recompiled version of original plugin !!!

I attached some files if anyone interested to work on SVD. There is an DISCO.HEX file if you want to test original plugin i sent above. Just open it with IDA, set processor to ARM little endian. After IDA finish analyzing use LoadProcConfig and load STM32F407VG config from original plugin pack to see it works.

if you want to compare why it is important. Load DISCO.axf to IDA and you will see that there is no MCU related memory address space registers but tons of usefull other kind of debug information. .HEX is for production .AXF is for development.

What is CMSIS SVD ?
The CMSIS System View Description format(CMSIS-SVD) formalizes the description of the system contained in ARM Cortex-M processor-based microcontrollers, in particular, the memory mapped registers of peripherals. The detail contained in system view descriptions is comparable to the data in device reference manuals. The information ranges from high level functional descriptions of a peripheral all the way down to the definition and purpose of an individual bit field in a memory mapped register.

STM32F40x.svd - CMSIS SVD Compatible MCU Hardware Descripition File
DISCO.hex - An example firmware for STM32F407-DISCOVERY Evaluation kit.
DISCO.axf - ELF ARM Binary of firmware above. I attached it for further examination. It has lots of debugging info but not predefined MCU registers of peripheral address space of MCU.
Check thirdparty Python library to parse SVD files below.
https://github.com/posborne/cmsis-svd
SVD mostly used for define MCU hardware address space as you see above. When we are debugging code in MCU via a JTAG probe like Jlink, we can see all peripheral registers, SRAM, Flash via information SVD provided. IDA support Jlink debugger via GDB but it is non HW aware. IDA work only on core of MCU as here Cortex-M4(ARMv7-M) but it cant tell us which address is what (mostly). So we need to manually define this address space as in LoadProcConfig to describe peripherals, IO, memory, etc.
If IDA could use information in SVD files. it will be very handy for embedded firmware security testing and reversing of course .
CMSIS is an ARM platform to support all IPs including Cortex-M, Cortex-A, Cortex-R. So as you may know nearly all tablet, phone, etc. hardware include one of theese today.