
Add a binary loader for Apple's C4000 firmware

Open Rot127 opened this issue 1 month ago • 5 comments

Here is a script parsing it. https://github.com/nlitsme/AppleC4000/pull/1

With the little information about the firmware layout, this task is rather simple.

To cite from the scripts:

Decodes an apple C4000 baseband GNS1.bin firmware file

known info: file starts with a segment list:

[size, address, offset] * (32-bit LE numbers) terminated with 0 entry

for example:

<0x154C4, 0x12000000, 0x64>
<0x3AD4, 0x120154C8, 0x15528>
<0x3B8, 0x12018FA0, 0x18FFC>
<0x100, 0x12019358, 0x193B4>
<0x58CA8, 0x15000000, 0x194B4>
<0x10, 0x15058CA8, 0x7215C>
<0xB28, 0x15058CB8, 0x7216C>
<0x100, 0x150597E0, 0x72C94>
<0>

0x12000000 and 0x15000000 seem to correspond to two cores(?) each mapped internally at 0x10000000

The heuristic he uses there to identify a GNS1 binary is:

simple heuristic: dword at 0xC (offset of first chunk) is >=0x64 and dword before it is 0 (end of list)

Parser: https://github.com/nlitsme/AppleC4000/blob/master/loadgns.py

Rot127 avatar Nov 04 '25 10:11 Rot127
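
The segment list described in the post above, as an added example that is not part of the issue, of loadgns.py, or of rizin: a bounds-checked C reader for the [size, address, offset] table, which is the validation a loader needs before mapping data from an untrusted firmware file. The names gns1_seg, gns1_parse and GNS1_MAX_SEGS, the entry cap and the sample bytes are assumptions; the 0xC detection heuristic is not implemented here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GNS1_MAX_SEGS 64 /* assumed cap; the format description gives no limit */

typedef struct { uint32_t size, addr, offset; } gns1_seg; /* hypothetical name */

static uint32_t rd32le(const uint8_t *p) {
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Reads [size, address, offset] entries until a zero size dword.
 * Returns the number of segments, or -1 if the table is malformed. */
int gns1_parse(const uint8_t *buf, size_t len, gns1_seg *out, int max) {
	size_t pos = 0;
	int n = 0;
	while (len - pos >= 4) {
		uint32_t size = rd32le(buf + pos);
		if (size == 0) return n; /* terminator */
		if (n >= max || len - pos < 12) return -1; /* too many entries or truncated entry */
		gns1_seg s = { size, rd32le(buf + pos + 4), rd32le(buf + pos + 8) };
		/* file range check written so that offset + size cannot overflow */
		if (s.offset > len || s.size > len - s.offset) return -1;
		/* the mapped range must not wrap the 32-bit address space */
		if ((uint64_t)s.addr + s.size > 0x100000000ULL) return -1;
		out[n++] = s;
		pos += 12;
	}
	return -1; /* end of file reached without a terminator */
}

/* Constructed sample (not a real GNS1.bin): two 4-byte segments. */
static const uint8_t gns1_sample[] = {
	0x04,0,0,0, 0,0,0,0x12, 0x1C,0,0,0,   /* <0x4, 0x12000000, 0x1C> */
	0x04,0,0,0, 0,0,0,0x15, 0x20,0,0,0,   /* <0x4, 0x15000000, 0x20> */
	0,0,0,0,                              /* <0> */
	0xAA,0xAA,0xAA,0xAA, 0xBB,0xBB,0xBB,0xBB,
};

int main(void) {
	gns1_seg segs[GNS1_MAX_SEGS];
	int n = gns1_parse(gns1_sample, sizeof gns1_sample, segs, GNS1_MAX_SEGS);
	for (int i = 0; i < n; i++)
		printf("size=0x%X addr=0x%08X offset=0x%X\n", (unsigned)segs[i].size, (unsigned)segs[i].addr, (unsigned)segs[i].offset);
	return n < 0;
}
```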

Hey, @Rot127, I will be working on this issue.

Ayushd785 avatar Nov 15 '25 19:11 Ayushd785

I'd like to implement the parser script for this. My approach will be to:

  1. Verify the file using the dword at 0xC > 0x64 heuristic.
  2. Read the 32-bit LE (size, address, offset) triplets.
  3. Stop parsing when the size is 0.
  4. Output all segments and note the special two-core mapping.

Does this plan align with what you're looking for? I can open a PR with the initial Python parser soon.

mudassirl6 avatar Nov 16 '25 17:11 mudassirl6

Hi @Rot127, I want to work on this issue. Can you please guide me with the repository and other necessary details?

devlopharsh avatar Dec 01 '25 16:12 devlopharsh

Please start with https://github.com/rizinorg/rizin/blob/dev/CONTRIBUTING.md and https://github.com/rizinorg/rizin/blob/dev/DEVELOPERS.md.

@mudassirl6 Sorry for the late reply. A Python script is not what we are looking for. It needs to be a RzBin plugin.

Rot127 avatar Dec 02 '25 13:12 Rot127

@Rot127 Hey there, I have raised a PR against this issue. Please review it and guide me further regarding this. Here is the link: https://github.com/rizinorg/rizin/pull/5573

devlopharsh avatar Dec 05 '25 14:12 devlopharsh

Based on the reference implementation and the format description, here is what I could decipher and think is the right way to approach this:

First:

  • Segment table at file start: [size, address, offset] entries (32-bit LE)
  • Terminated with zero entry
  • Two memory regions: 0x12000000 and 0x15000000 (mapped to 0x10000000)

Detection heuristic:

  • Check dword at 0xC >= 0x64 (first chunk offset)
  • Check dword at 0x8 == 0 (end of list marker)

Approach:

  1. Create format parser in librz/bin/format/gns1/ with segment table parsing
  2. Implement bin plugin in librz/bin/p/bin_gns1.c
  3. Add sections/maps generation for each segment
  4. Handle dual-core memory mapping (0x12000000/0x15000000 → 0x10000000)
  5. Add tests in test/db/formats/gns1

I'll follow the existing MBN plugin structure as a reference since it has similar segment-based loading.

Zapper9982 avatar Dec 15 '25 07:12 Zapper9982