Unknown PowerPC VLE instructions #6535

Open
GiGa911 opened this issue May 17, 2024 · 2 comments
GiGa911 commented May 17, 2024

While examining some firmware, I noticed that Ghidra does not recognize certain PowerPC VLE instructions that begin with 10. I wanted to report this issue. The processor in question is an MPC5777C. I tried with PowerPC:BE:64:VLEALT-32addr (1.6).

    00c61f76 b4 71           se_sth     r7,0x8(r1)
    00c61f78 58 de 00 20     e_lhz      r6,0x20(r30)
    00c61f7c b5 61           se_sth     r6,0xa(r1)
    00c61f7e 01 a4           se_mr      r4,r26
    00c61f80 01 93           se_mr      r3,r25
    00c61f82 78 07 7e 6b     e_bl       FUN_00cd9dec                                     undefined FUN_00cd9dec()
    00c61f86 70 e8 e4 7a     e_lis      r7,0x447a
    00c61f8a 10              ??         10h
    00c61f8b 63              ??         63h    c
    00c61f8c 3a c8 10 e0     e_lha      r22,DAT_000010e0(r8)
    00c61f90 e2 d0           se_bne     cr0,LAB_00c61f30
    00c61f92 10              ??         10h
    00c61f93 63              ??         63h    c
    00c61f94 3a c9 13 a0     e_lha      r22,DAT_000013a0(r9)
    00c61f98 1a d8 b6 d1     e_subfic   r22,r24,-0x2e0001
    00c61f9c 7c 98 d0 10     subfc      r4,r24,r26
    00c61fa0 7c 77 c9 10     subfe      r3,r23,r25
    00c61fa4 78 07 7e 49     e_bl       FUN_00cd9dec                                     undefined FUN_00cd9dec()
    00c61fa8 70 e8 e7 c3     e_lis      r7,0x47c3
    00c61fac 18 e7 d1 50     e_ori      r7,r7,0x5000
    00c61fb0 10              ??         10h
    00c61fb1 63              ??         63h    c
    00c61fb2 3a c8 00 ed     e_lha      r22,0xed(r8)
    00c61fb6 7c fd e1 d6     mullw      r7,r29,r28
    00c61fba 10              ??         10h
    00c61fbb e0              ??         E0h
    00c61fbc 3a d0 10 63     e_lha      r22,DAT_00001063(r16)                            = FFh
    00c61fc0 3a c9 10 60     e_lha      r22,DAT_00001060(r9)                             = FFh
    00c61fc4 1a d8 b7 31     e_subfic   r22,r24,-0xce000001
    00c61fc8 18 61 80 08     e_addi     r3,r1,0x8
    00c61fcc 78 00 89 45     e_bl       FUN_00c6a910                                     undefined FUN_00c6a910()
    00c61fd0 5b 9e 00 20     e_lhz      r28,0x20(r30)
    00c61fd4 2a 6c           se_cmpi    r28,0x6

    00981112 7c e7 32 2e     lhzx       r7,r7,r6
    00981116 b9 71           se_sth     r7,0x12(r1)
    00981118 a8 61           se_lhz     r6,0x10(r1)
    0098111a 04 76           se_add     r6,r7
    0098111c b8 61           se_sth     r6,0x10(r1)
    0098111e 52 bf 00 00     e_lwz      r21,0x0(r31)
    00981122 50 e1 00 4c     e_lwz      r7,0x4c(r1)
    00981126 10              ??         10h
    00981127 95              ??         95h
    00981128 3a cc 7a 15     e_lha      r22,0x7a15(r12)
    0098112c 00 08           se_rfi
    0098112e 56 a1 00 4c     e_stw      r21,0x4c(r1)
    00981132 c1 4f           se_lwz     r4,0x4(r31)
    00981134 c9 71           se_lwz     r7,0x24(r1)
    00981136 10 84 3a cd     vextractd  v4,v7,0x4
    0098113a 7a 15 00 06     e_bgt      cr1,LAB_00981140
    0098113e d9 41           se_stw     r4,0x24(r1)
                         LAB_00981140                                    XREF[1]:     0098113a(j)  
    00981140 50 e1 00 4c     e_lwz      r7,0x4c(r1)
    00981144 10              ??         10h
    00981145 87              ??         87h
    00981146 aa ce           se_lhz     r28,0x14(r30)
    00981148 7a 05 00 06     e_ble      cr1,LAB_0098114e
    0098114c a4 bf           se_lhz     r27,0x8(r31)

Thank you everyone.

The missing instructions are related to Vector and Scalar Floating-Point. Selecting PowerPC:BE:64:VLE-32addr (1.6), everything is OK.

@LukeSerne (Contributor) commented

Are you sure PowerPC:BE:64:VLEALT-32addr:default is the correct processor language for this firmware image then? From this example, it seems like you should use PowerPC:BE:64:VLE-32addr:default instead. From looking online, it seems that the MPC5777C (which actually contains two e200z7 cores) doesn't support AltiVec, so you should really be using PowerPC:BE:64:VLE-32addr:default.

@GhidorahRex (Collaborator) commented

See this note in the slaspec files:

# A given processor can be compliant with the PowerISA spec by including EITHER
# the embedded vector instructions (EVX) OR the AltiVec instructions
# However, these instruction sets overlap in their bit patterns, so Sleigh cannot support
# both at the same time. We have two language variants for PowerISA
# that specify which of these two vector specs is supported.

I would check the correct processor language and verify that you're using the right one. The PowerPC:BE:64:VLE-32addr:default does not support EVX.
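The two comments above, and the reporter's note that the undecoded words are floating-point instructions, come down to one encoding fact: the SPE/EVX embedded floating-point instructions and the AltiVec vector instructions both live under primary opcode 4 and are distinguished only by the 11-bit extended opcode in bits 21-31, so a single Sleigh language can honour one set or the other. The script below is an added example written for this page, not Ghidra code and not something the reporter ran. It re-joins the `?? 10h / ?? 63h` byte pairs from the listing with the two bytes Ghidra swallowed into the following bogus `e_lha` (an assumption about where the real instruction boundary is), splits each word into EVX-form fields, and looks the extended opcode up in a table of the SPE scalar single-precision (EFS) instructions. The table values are quoted from memory of the SPE opcode tables and should be checked against the e200z7 core reference manual; the one AltiVec entry is taken from the listing itself, where Ghidra decoded `10 84 3a cd` as `vextractd`.

```python
import struct

# Constructed from the listing in this issue. Assumption: each "?? 10h / ?? xxh"
# pair is the first half of a 4-byte word whose second half Ghidra consumed as
# the start of a bogus e_lha, so the bytes are re-joined on that basis.
LISTING_WORDS = {
    0x00C61F8A: "10633ac8",
    0x00C61F92: "10633ac9",
    0x00C61F96: "13a01ad8",
    0x00C61FB0: "10633ac8",
    0x00C61FBA: "10e03ad0",
    0x00C61FBE: "10633ac9",
    0x00C61FC2: "10601ad8",
    0x00981126: "10953acc",
    0x00981136: "10843acd",  # Ghidra (VLEALT): vextractd v4,v7,0x4
    0x00981144: "1087aace",
}

# Extended opcode (bits 21-31) -> mnemonic for the SPE scalar single-precision
# floating-point (EFS) instructions. All use primary opcode 4. Assumption:
# values recalled from the SPE opcode tables; verify against the core manual.
EFS_XO = {
    0x2C0: "efsadd", 0x2C1: "efssub", 0x2C4: "efsabs", 0x2C5: "efsnabs",
    0x2C6: "efsneg", 0x2C8: "efsmul", 0x2C9: "efsdiv",
    0x2CC: "efscmpgt", 0x2CD: "efscmplt", 0x2CE: "efscmpeq", 0x2CF: "efscfd",
    0x2D0: "efscfui", 0x2D1: "efscfsi", 0x2D2: "efscfuf", 0x2D3: "efscfsf",
    0x2D4: "efsctui", 0x2D5: "efsctsi", 0x2D6: "efsctuf", 0x2D7: "efsctsf",
    0x2D8: "efsctuiz", 0x2DA: "efsctsiz",
    0x2DC: "efststgt", 0x2DD: "efststlt", 0x2DE: "efststeq",
}
COMPARES = {"efscmpgt", "efscmplt", "efscmpeq", "efststgt", "efststlt", "efststeq"}
UNARY_RA = {"efsabs", "efsnabs", "efsneg"}  # rD,rA form; rB reserved

# The same 11-bit field under primary opcode 4 is reused by AltiVec VX-form
# instructions. The entry below is taken from the listing: Ghidra's AltiVec
# decode of 0x10843acd is vextractd, so xo 0x2CD is claimed by both vextractd
# (VX) and efscmplt (EVX). That overlap is what the slaspec note describes.
VX_XO = {0x2CD: "vextractd"}


def fields(word):
    """Split a 32-bit big-endian PowerPC word into EVX-form fields."""
    opcd = (word >> 26) & 0x3F   # bits 0-5
    rd = (word >> 21) & 0x1F     # bits 6-10 (crfD is the top 3 of these)
    ra = (word >> 16) & 0x1F     # bits 11-15
    rb = (word >> 11) & 0x1F     # bits 16-20
    xo = word & 0x7FF            # bits 21-31
    return opcd, rd, ra, rb, xo


def decode_efs(word_hex):
    """Return an EFS mnemonic with operands, or None if the word is not one."""
    word = struct.unpack(">I", bytes.fromhex(word_hex))[0]
    opcd, rd, ra, rb, xo = fields(word)
    if opcd != 4:
        return None
    mnem = EFS_XO.get(xo)
    if mnem is None:
        return None  # opcode 4 but not EFS: a vector (EVX or AltiVec) encoding
    if mnem in COMPARES:
        return f"{mnem} cr{rd >> 2},r{ra},r{rb}"
    if mnem in UNARY_RA:
        return f"{mnem} r{rd},r{ra}"
    if mnem.startswith(("efscf", "efsct")):  # conversions: rD,rB; rA reserved
        return f"{mnem} r{rd},r{rb}"
    return f"{mnem} r{rd},r{ra},r{rb}"


def altivec_claims(word_hex):
    """Mnemonic an AltiVec-only decoder would assign to the same word, if known."""
    word = struct.unpack(">I", bytes.fromhex(word_hex))[0]
    opcd, _, _, _, xo = fields(word)
    return VX_XO.get(xo) if opcd == 4 else None


def decode_listing():
    """Decode every re-joined word from the issue's listing as EFS."""
    return {f"{addr:08x}": decode_efs(w) for addr, w in LISTING_WORDS.items()}


if __name__ == "__main__":
    for addr, text in decode_listing().items():
        print(addr, text)
```

Read against the listing, the result is consistent with ordinary scalar float code: `e_lis r7,0x447a` loads 0x447A0000, which is the single-precision encoding of 1000.0, and the word that follows decodes as `efsmul r3,r3,r7`; the `10 84 3a cd` word before `e_bgt cr1` decodes as `efscmplt cr1,r4,r7`. A practical check when picking between the two variants is exactly this: if the undecoded opcode-4 words sit next to integer-to-float conversions and `crN` compares that feed the following branch, the image is using SPE, and the VLE (EVX) language is the right one; if they reference vector registers and appear around vector loads and stores, the AltiVec variant is.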

@ryanmkurtz added the label "Status: Waiting on customer" (Waiting for customer feedback) and removed "Status: Triage" (Information is being gathered) on May 23, 2024.