zoom-zt2
ELF-embedded icons
In addition to the effect's icon [ref: #52], the ELF part of the ZD2 contains several other icons: `CategoryIcon_{cat}` and `AddDelIcon_{cat}`.
readelf -a -W SOFTEC3S.ZD2.elf | grep -e "0420" -e "0480" -e "05b8"
....
39: 80000420 92 OBJECT LOCAL HIDDEN 13 picTotalDisplay_CarbonDly
40: 800005b8 40 OBJECT LOCAL HIDDEN 13 CategoryIcon_Dynamics
41: 80000480 72 OBJECT LOCAL HIDDEN 13 AddDelIcon_Dynamics
54: 80000420 0 SECTION LOCAL HIDDEN 13 .const:picTotalDisplay_CarbonDly
55: 800005b8 0 SECTION LOCAL HIDDEN 13 .const:CategoryIcon_Dynamics
56: 80000480 0 SECTION LOCAL HIDDEN 13 .const:AddDelIcon_Dynamics
References to this data could be seen from the `.const` block for the `effectTypeImageInfo`, same one that describes the effect's on-device icon:
$ readelf -a -W SOFTEC3S.ZD2.elf | grep "] \.const"
[13] .const PROGBITS 80000000 0018e0 00064a 00 A 0 0 8
$ readelf -a -W SOFTEC3S.ZD2.elf | grep "effectTypeImageInfo"
...
42: 80000150 304 OBJECT LOCAL HIDDEN 13 effectTypeImageInfo
effectTypeImageInfo:
SOFTEC3S.ZD2.elf@0x1a30 = (0x18e0+0x150)
17 00 00 00 1e 00 00 00 20 04 00 80 14 00 00 00 0a 00 00 00 b8 05 00 80 18 00 00 00 16 00 00 00 80 04 00 80 ...
reference addresses:
0x80000420:.const:picTotalDisplay_CarbonDly (sized: 0x17 by 0x1e px)
0x800005b8:.const:CategoryIcon_Dynamics (sized: 0x14 by 0x0a px)
0x80000480:.const:AddDelIcon_Dynamics (sized: 0x18 by 0x16 px)
I didn't try to extract the actual images. I assume the reference addresses should translate into offsets into the `.const` or other section of the ELF.
This is for the `SOFTEC3S.ZD2` (SoftEcho) module, not sure if such layout is applicable for other modules.
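The address-to-offset translation assumed in the post above, as an added example that is not part of the original thread or of the zoom-zt2 scripts. It decodes the three `effectTypeImageInfo` records shown in the dump and maps each address to a file offset using the `.const` section header from the `readelf` output. Assumptions: the record layout (width, height, address as little-endian 32-bit values) is inferred from the post's own annotations, and the 1-bit-per-pixel packing in 8-pixel-tall strips is a guess that happens to reproduce the three symbol sizes `readelf` reports.

```python
import struct
from math import ceil

# Values copied from the readelf output in the post above (SOFTEC3S.ZD2.elf).
CONST_ADDR, CONST_OFF, CONST_SIZE = 0x80000000, 0x18E0, 0x64A   # section [13] .const
SYMBOL_SIZES = {0x80000420: 92, 0x800005B8: 40, 0x80000480: 72}  # symtab sizes

# First 36 bytes of effectTypeImageInfo as dumped in the post (the rest is elided there).
TABLE = bytes.fromhex(
    "17000000 1e000000 20040080"
    "14000000 0a000000 b8050080"
    "18000000 16000000 80040080"
)

def vaddr_to_offset(vaddr, sh_addr=CONST_ADDR, sh_offset=CONST_OFF, sh_size=CONST_SIZE):
    """Map a virtual address to a file offset via its containing section header."""
    if not sh_addr <= vaddr < sh_addr + sh_size:
        raise ValueError(f"0x{vaddr:08x} is outside the section")
    return vaddr - sh_addr + sh_offset

def parse_image_info(table):
    """Decode (width, height, address) records: three little-endian u32 each."""
    if len(table) % 12:
        raise ValueError("table length is not a multiple of 12 bytes")
    entries = []
    for width, height, addr in struct.iter_unpack("<III", table):
        entries.append({
            "width": width, "height": height, "addr": addr,
            "file_offset": vaddr_to_offset(addr),
            # Assumption: 1 bit per pixel, packed in 8-pixel-tall strips.
            "packed_size": width * ceil(height / 8),
        })
    return entries

if __name__ == "__main__":
    for e in parse_image_info(TABLE):
        match = e["packed_size"] == SYMBOL_SIZES[e["addr"]]
        print(f"0x{e['addr']:08x} -> file 0x{e['file_offset']:04x} "
              f"{e['width']}x{e['height']} px, {e['packed_size']} bytes, "
              f"matches symtab size: {match}")
```
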
Thank you for highlighting those other icons.... I had already found the ones which were used for 'Parameter Labels' (mostly just rendered Text).
80000370 l O .const 00000038 .hidden _PrmPic_DETCT
800003a8 l O .const 00000036 .hidden _PrmPic_Depth
800003e0 l O .const 00000036 .hidden _PrmPic_THRSH
I'm sure you saw my (horrible) Bash/ImageMagick script, which can be adjusted if you really want to see what these icons look like. ;-) https://github.com/mungewell/zoom-zt2/blob/master/extract_device_icon.sh
Given the number of icons it would be nice if this was clean in Python - I mentioned the 'pwntools' project in #52 which can read into the ELF without extra steps... it installs a lot of extra stuff, so I'll see if the `elf.py` bit can run as a standalone module.
https://github.com/Gallopsled/pwntools/tree/dev/pwnlib/elf
Pushed a script that can read the ELF file to extract icon, or other images. https://github.com/mungewell/zoom-zt2/blob/master/extract_device_icon.py
For now it looks like pwnlib can only read from a real (on disk) file, so the ELF should be extracted first and the `-e` flag used.
https://github.com/Gallopsled/pwntools/issues/2155
$ python3 extract_device_icon.py -e ZNR.ZD2.code
[!] Could not populate PLT: 'int' object has no attribute 'lower'
[*] '/home/simon/zoom-zt2-sdw-github/ZNR.ZD2.code'
Arch: 140-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
Extracting symbol: picTotalDisplay_ZNR
From Address: 0x80000280 to 0x800002DC
$ python3 extract_device_icon.py -t "_PrmPic_DETCT" -s 2 -o PrmPic.png -e ZNR.ZD2.code
[!] Could not populate PLT: 'int' object has no attribute 'lower'
[*] '/home/simon/zoom-zt2-sdw-github/ZNR.ZD2.code'
Arch: 140-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled
Extracting symbol: _PrmPic_DETCT
From Address: 0x80000370 to 0x800003A8
Continued 'messing' and found a better/working solution with 'filebytes'. https://github.com/sashs/filebytes
$ python3 extract_device_icon.py MDL_DOVE.ZD2 ; display icon.png
Target matched: picTotalDisplay_AgModel
Symbol located: 0x800017e8
$ python3 extract_device_icon.py -t "_PrmPic" -s 2 MDL_DOVE.ZD2 ; display icon.png
Target matched: _PrmPic_Treble
Symbol located: 0x80001848
This should probably go into upstream pyelftools