PowerPC VLE (EVX?) MPC5746R missing instructions
Disassembly is missing the instructions EFSMAX, EFSMIN, EFSSQRT, which appears to result in
"/* WARNING: Bad instruction - Truncating control flow here */"
The second issue is
" 09083fc4 79 f2 f4 dd e_bl FUN_08fb34a0 undefined FUN_08fb34a0()
-- Flow Override: CALL_RETURN (CALL_TERMINATOR)"
after every single e_bl.
Using Ghidra 11.1.2, create a project and import the file with
-- Processor language: "Power ISA 3.0 Big Endian w/VLE, EVX and 32-bit Addressing"
-- Options (Load file): Base address 0x8fb0000
-- Registers: assume r13 = 0x40010000, assume r2 = 0x91c8000, assume vle = 0x1
-- CTRL A, disassemble PPC VLE (F12)
-- ANALYZE ALL
-- GO TO 0x09084332, (I suspect) should be opcode "efsmin r7, r7, r31"
-- GO TO 0x0908433A, (I suspect) should be opcode "efsmax r0, r0, r30"
-- GO TO 0x08FB34D8, (I suspect) should be opcode "efssqrt r3, r3"
---------- "efsmin r7, r7, r31" ----------
0908432e 10 fb 2a c9 efsdiv r7,r27,r5
09084332 10 ?? 10h
09084333 e7 ?? E7h
09084334 fa ?? FAh
09084335 b1 ?? B1h
09084336 10 00 3a c8 efsmul r0,r0,r7
---------- "efsmax r0, r0, r30" ----------
0908433a 10 ?? 10h
0908433b 00 ?? 00h
0908433c f2 ?? F2h
0908433d b0 ?? B0h
0908433e 70 ea e1 80 e_lis r7,0x5180
---------- "efssqrt r3, r3" ----------
08fb34d8 10 ?? 10h
08fb34d9 63 ?? 63h c
08fb34da 02 ?? 02h
08fb34db c7 ?? C7h
08fb34dc 00 04 se_blr
08fb34de 00 00 se_illegal
Expected behavior
B1 (1011 0001) = EFSMIN
b0 (1011 0000) = EFSMAX
c7 (1100 0111) = EFSSQRT
Environment (please complete the following information):
- OS: [windows 11]
- Java Version: [JDK 17]
- Ghidra Version: [11.1.2]
- Ghidra Origin: [e.g. official GitHub]
https://www.nxp.com/products/processors-and-microcontrollers/power-architecture/mpc5xxx-microcontrollers/ultra-reliable-mpc57xx-mcus/automotive-and-industrial-engine-management-mcu:MPC5746R
Fairly certain it is an MPC5746R; however, it is stated to be proprietary.
I should add that I did try to disassemble as PPC VLE AltiVec, and that did not work nearly at all.
A few notes.
These opcodes are NOT implemented in the actual Ghidra version. Perhaps it would be better to do it in a separate 'language'. #4952 looks like a good candidate for it.
Good description can be found at http://www.elektronikjk.pl/elementy_czynne/IC/E200Z760N3.pdf 'e200z760n3 Power Architecture® Core Reference Manual'
Alexey, thank you for the suggestion. I received the specs; I had been waiting on the specs for this MCU to make this post. In my enthusiasm I failed to do more research after receiving the specs and immediately made this post. Would it be cleaner for me to delete this post and start a new one on the thread you linked, or should I leave this here for now?
On Thu, Aug 29, 2024 at 5:44 AM Alexey Esaulenko wrote:
Since I'm not in the Ghidra team, I have no idea whether that change will be approved or not. From my perspective, it's a good improvement, as it introduces a 32-bit variant of the Power CPU. When I worked with similar chips (they're very popular as vehicle brains), 64-bit variables sometimes made a mess.
So, let's leave this issue as is; it's another bug in Ghidra. It was just some thoughts on how it may be done. I won't promise that I will do this improvement.
Alexey, I would be interested in maybe getting a group together and starting a bounty for this processor. I am sure you are busy, but if you have a minute, maybe send me an email. [email protected]
Do you think it would be beneficial to add in these instructions?
Having issues with efscfsi, e.g. 10 E0 3A D1. However, I see this instruction here: https://github.com/NationalSecurityAgency/ghidra/blob/master/Ghidra/Processors/PowerPC/data/languages/Scalar_SPFP.sinc
Working on an MPC5777C; it appears to be a combo of VLE/32b, and that's handled fine so far.
Also seeing problems with efscmpgt, opcode 10 9E 32 CC, again appearing in that Scalar_SPFP.sinc. Is it reasonable to move these instructions into the core PPC sinc?
I've got a version I'm working on that has the efs instructions and adds support for the 64-bit SPE. It needs a lot of tweaking, but I'm noticing there are still several missing instructions that I haven't been able to track down. For example:
09180050 bytes 7e 00 04 6c
090cbd58 bytes 7c 07 00 9e
08fb0a80 bytes 7f e6 f4 06
These don't appear to be SPE instructions, and they don't seem to match the VLE ones either. I couldn't find the opcodes in the Power ISA opcode maps, but I may not have the right version.
7e 00 04 6c - mpusync
7c 07 00 9e - iseleq
7f e6 f4 06 - lbdx
My version also needs a lot of work, but I did pull these from IDA Pro.
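As an added example (my code, not the issue author's, the Ghidra project's, or either linked repository's), here is a small Python decoder for the EVX-form field layout that the bytes in the original report and in the exchange above use. It shows why the reported words are EFPU instructions with primary opcode 4 and what their extended opcodes are, and why the three words just listed are not (they carry primary opcode 31). The extended opcodes for efsmul, efsdiv, efscfsi and efscmpgt are read back from words Ghidra already decodes in this thread; the values for efsmax, efsmin and efssqrt are what the undecoded bytes in the report imply, and are an assumption to be confirmed against the e200z760n3 core reference manual before they go into a .sinc file. The sample words at the bottom are constructed from the bytes quoted in this thread.

```python
# Added example, not code from the issue author, the Ghidra project or the
# linked repositories: decode the raw 32-bit big-endian words quoted in this
# thread into Power ISA fields, so an undecoded word can be checked against
# the e200z760n3 core manual before a new constructor is added to a .sinc file.
import struct

# EVX-form layout, bits numbered from the MSB as in the Power ISA manuals:
#   0-5 primary opcode, 6-10 rD (or crfD in bits 6-8), 11-15 rA, 16-20 rB,
#   21-31 extended opcode (xo). Every SPE/EFPU instruction has primary opcode 4.
PRIMARY_SPE = 4

# Extended opcodes and operand forms. efsmul, efsdiv, efscfsi and efscmpgt are
# read back from words Ghidra already decodes in this thread; efsmax, efsmin
# and efssqrt are the values implied by the undecoded bytes in the report
# (assumption: confirm them in the core reference manual before relying on them).
# Operand form letters: d=rD, a=rA, b=rB, c=crfD.
EFPU_XO = {
    0x2B0: ("efsmax", "dab"),
    0x2B1: ("efsmin", "dab"),
    0x2C7: ("efssqrt", "da"),
    0x2C8: ("efsmul", "dab"),
    0x2C9: ("efsdiv", "dab"),
    0x2CC: ("efscmpgt", "cab"),
    0x2D1: ("efscfsi", "db"),
}


def fields(word):
    """Split a 32-bit instruction word into EVX-form bit fields."""
    return {
        "op": (word >> 26) & 0x3F,
        "rd": (word >> 21) & 0x1F,
        "ra": (word >> 16) & 0x1F,
        "rb": (word >> 11) & 0x1F,
        "xo": word & 0x7FF,
    }


def decode(raw):
    """raw: four big-endian bytes, as bytes or as a hex string like '10 e7 fa b1'.

    Returns the mnemonic and operands, or a diagnostic string if the word is not
    an SPE/EFPU instruction known to the table above.
    """
    if isinstance(raw, str):
        raw = bytes.fromhex(raw.replace(" ", ""))
    (word,) = struct.unpack(">I", raw)
    f = fields(word)
    if f["op"] != PRIMARY_SPE:
        # X-form and friends keep their extended opcode in bits 21-30 instead;
        # report the primary opcode so the reader knows which opcode table applies.
        return "primary opcode %d, not SPE/EFPU" % f["op"]
    entry = EFPU_XO.get(f["xo"])
    if entry is None:
        return "unknown SPE/EFPU xo 0x%03x" % f["xo"]
    name, form = entry
    operands = {
        "d": "r%d" % f["rd"],
        "a": "r%d" % f["ra"],
        "b": "r%d" % f["rb"],
        "c": "cr%d" % (f["rd"] >> 2),  # crfD is the top 3 bits of the rD field
    }
    return "%s %s" % (name, ",".join(operands[k] for k in form))


if __name__ == "__main__":
    # Constructed sample input: the words quoted in this thread.
    for hexword in ("10 fb 2a c9", "10 e7 fa b1", "10 00 f2 b0", "10 63 02 c7",
                    "10 e0 3a d1", "10 9e 32 cc", "7e 00 04 6c"):
        print(hexword, "->", decode(hexword))
```

Running it on the report's bytes gives `efsmin r7,r7,r31`, `efsmax r0,r0,r30` and `efssqrt r3,r3`, matching the operands the reporter expected, with extended opcodes 0x2B1, 0x2B0 and 0x2C7; the constraint a SLEIGH constructor needs is exactly that primary opcode and extended opcode pair.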
isel is a known issue. I can probably just roll the fix in to support the e200. mpusync is a new one. Looks like there's a set of 3 instructions that seem unique to specific e200 variants. Those are easy enough to handle.
lbdx is tricky. We have that instruction, so I need to figure out why it's not matching.
@GhidorahRex could you do it, please? It looks like a good starting point for the other improvements.
@esaulenka I'm working on it. The PowerPC module makes a lot of assumptions about register sizes, and there are a lot of instructions that I think are in the wrong locations. I'm working on getting everything moved around to make sure that the e200 support is as close to complete as possible for now.
Great, thanks a lot. On my side, I tried to use it on a real binary (from a vehicle controller with an e200z4 core), and it works well enough.
This is what I have been working with lately, and it appears to be working. I am not well versed at all with this deeper-level stuff, though. https://github.com/daskey/ghidra_MPC5746R
@GhidrAuto I think the biggest issue here is that they're defining it as a 64-bit architecture, when the e200z4 is a 32-bit architecture. I imagine that's because of the significant issues in ppc_isa.sinc, and the fact that for VLE and SPE instructions it actually is 64-bit.