In the first installment of our three-part blog series here we learned how to root the Flashforge Finder 3D printer and acquire its firmware. In this post, we will delve into reverse engineering and patching the software using the new open source NSA tool Ghidra, which rivals its expensive competitors such as IDA Pro in value and ease of use.

1. Go to the Ghidra website and click “Download Ghidra” in the middle of the page.
2. Extract the folder from the downloaded zip file to somewhere on your computer.
3. Navigate to the extracted folder, which as of this writing was named ghidra_9.0.2.
4. There will be two files within this folder, one named ghidraRun.bat and one named ghidraRun. Since we have installed this in Windows, we will double-click ghidraRun.bat.
5. If a command prompt opens that starts with the message, “Java runtime not found,” you will need to install Java’s JDK and add it to your local path:
   a. Go to the JDK download page and download the latest version of JDK for your computer’s architecture.
   b. Add the Java bin folder to your local user’s PATH environment variable:
      - By default it will install itself to C:\Program Files\Java\jdk-12.0.1\ making the bin path C:\Program Files\Java\jdk-12.0.1\bin.
      - In your Windows search bar type, “path”.
      - Click the best match result, “Edit the system environment variables”.
      - Inside of the box that says “User variables for ” select Path, then click the Edit button.
      - Click the New button on the right side of the window and type or paste in the JDK bin path, which would be C:\Program Files\Java\jdk-12.0.1\bin if you installed the 64-bit JDK to the default path.
6. Go to File > New project > Non-shared project, then give it a project name.

Now you’re ready to import a file for disassembly. Click on your project directory that was just created in the Ghidra window, then click the green dragon head right above it. Hit File > Import File and select the finder_plus.hex firmware we identified in the previous post. You should be at a screen similar to below:

There are two fields that need to be adjusted. First, since we’re importing a hex file and not a binary, change the Format field to “Intel Hex.” Second is the Language field, which is harder. We know the main board in the printer is ARMv5t little endian thanks to flashforge_init.sh. But this hex file is flashing a microcontroller on the main board and we don’t know its architecture.

One option is to open up the printer and try to guess which chip on the board is the chip we’re flashing. Another way to work out the architecture is to load the file under the various architectures that seem most likely, then see how many functions Ghidra is able to sniff out and how many errors Ghidra mentions in the decompiled C code. The more functions and fewer errors, the more likely the architecture is accurate. Since we know the main board is ARMv5LE, we’ll start with that. We select ARM v5 little endian in the Language field and Ghidra will ask us if we want to analyze it. We select “yes,” and keep all the analyze options as default as they’re sane values.

Ghidra analyzes the file and the disassembled functions will appear in the left side of the Code Browser window.

Although this was decompiling it with a decent number of functions, there appeared to be a lot of errors in the C code on the right side of the window such as the one seen below:

After loading and reloading finder_plus.hex into Ghidra and trying various architectures, we found that ARM Cortex seemed to work the best, and this was confirmed later when we opened up the printer and identified the correct chip.

A quick search of the chip name confirmed it was ARM Cortex. Now we can get to work on reverse engineering.
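A quick check to run on an Intel HEX image before cycling through architectures in Ghidra, as an added example that is not part of the original post: it verifies every record checksum, rebuilds the memory image, and reads the first eight words at the lowest load address for a vector-table hint (Cortex-M versus classic ARM such as ARMv5). The function names and the sample image are constructed for illustration and are not taken from finder_plus.hex; the result is a heuristic hint to confirm against the chip markings.

```python
import struct

def record(addr, rtype, data=b""):  # builds one record; used only for the sample
    body = bytes([len(data)]) + addr.to_bytes(2, "big") + bytes([rtype]) + data
    return ":" + (body + bytes([-sum(body) & 0xFF])).hex().upper()

def parse_ihex(text):
    """Return {absolute address: byte} from Intel HEX text, verifying checksums."""
    mem, base = {}, 0
    for n, line in enumerate(text.split(), 1):
        if not line.startswith(":"):
            raise ValueError(f"record {n}: missing ':' start code")
        raw = bytes.fromhex(line[1:])
        if len(raw) < 5 or raw[0] != len(raw) - 5:
            raise ValueError(f"record {n}: length field does not match")
        if sum(raw) & 0xFF:                     # all bytes incl. checksum sum to 0
            raise ValueError(f"record {n}: bad checksum")
        addr, rtype, data = int.from_bytes(raw[1:3], "big"), raw[3], raw[4:-1]
        if rtype == 0x00:                       # data
            mem.update((base + addr + i, b) for i, b in enumerate(data))
        elif rtype == 0x01:                     # end of file
            break
        elif rtype == 0x02:                     # extended segment address
            base = int.from_bytes(data, "big") << 4
        elif rtype == 0x04:                     # extended linear address
            base = int.from_bytes(data, "big") << 16
    return mem                                  # 03/05 start-address records are ignored

def guess_arch(mem):
    """Hint at the CPU family from the first eight words of the image."""
    start = min(mem, default=0)
    try:
        words = struct.unpack("<8I", bytes(mem[start + i] for i in range(32)))
    except KeyError:                            # image too short or not contiguous
        return "unknown"
    sp, reset = words[0], words[1]
    # Cortex-M: word 0 = initial stack pointer in SRAM, word 1 = reset handler, Thumb bit set.
    if 0x20000000 <= sp < 0x40000000 and reset & 1 and reset >= start:
        return "cortex-m"
    # Classic ARM: eight vectors, each B (0xEA......) or LDR pc, [pc, #imm] (0xE59FF...).
    if all(w >> 24 == 0xEA or w >> 12 == 0xE59FF for w in words):
        return "arm-classic"
    return "unknown"

# Constructed sample image (assumed flash base 0x08000000), not finder_plus.hex.
VECTORS = struct.pack("<8I", 0x20005000, 0x08000101, *[0x08000111] * 6)
SAMPLE = "\n".join([record(0, 4, b"\x08\x00"), record(0, 0, VECTORS), record(0, 1)])

if __name__ == "__main__":
    print(guess_arch(parse_ihex(SAMPLE)))
```

A "cortex-m" hint points at Ghidra's Cortex language variants and "arm-classic" at the ARM v4/v5 ones; "unknown" means the first words fit neither layout.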