Skip to content
/ Ghidra_TELink_TC32 Public
forked from rgov/Ghidra_TELink_TC32

Ghidra processor specification for the Telink TC32

14 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

trust1995/Ghidra_TELink_TC32

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
Telink_TC32
Telink_TC32
 
 
toolchain
toolchain
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
generate_sleigh.py
generate_sleigh.py
 
 

Repository files navigation

Telink TC32 Processor Specification for Ghidra

This repository contains a fairly complete processor specification for the Telink TC32 architecture, used by all of Telink's System-On-Chips. The work herein is based on Ryan Govostes' work and extended with various fix-ups and actual P-code implementation.

Right now decompilation is working well with several tested TC32 ELFs.

Usage

Copy the Telink_TC32 repository to Ghidra/Processors. Restart Ghidra. Afterwards, when importing a TC32 binary, when prompted for the binary's "Language", select the "Telink_TC32" processor.

For analysing Telink ELFs, I use the following process (using some plugins from my GhidraPlugins repo):

  1. Import the binary, do not Auto-Analyse
  2. Run the fix_funcnames.py plugin
  3. Run the disas_symbols.py plugin
  4. Run the Auto-Analysis, without call convention identification
  5. Parse the register header file into the Data Type Manager (Grab the Telink SDK, redefine the REG_ADDR%X macros in register_82XX.h as integers instead of as pointers)
  6. Export the register/defines values just imported from the Data Type Manager
  7. Re-Import them as labels using the exptoimp.py plugin
  8. Define a new memory region via the Memory Map. For the 826x SoCs, registers are at 0x00800000, length 0x8000.

At this point the decompilation should be fairly accurate and resolve references very nicely.

Architecture Notes

The TC32 is fairly similar to 16-bit ARM9 Thumb instruction set.

ELF binaries for TC32 use the machine type identifier 58.

Development Notes

As said, I used RGov's work as a basis and continued from there. The Telink SDK contains the binutils readelf and objdump, Ryan reverse engineered the compiled objdump and found it mostly used the Thumb disassembler from ['arm-dis.c']. The opcode masks and values and the assembler format strings for each instruction were extracted.

He then made the generate_sleigh.py script which uses the extracted opcode table to create sleigh instruction symbols and added some sensible defaults for register, RAM definitions and so on.

From here I made several improvements:

  1. Fixed incorrect jump offsets
  2. Defined register lists for push, pop, store, load commands ( for example tpush {r1, r2, lr} )
  3. Added the 32-bit jump and link instruction
  4. Added calling conventions and full P-Code implementation of the instruction set, to support the decompiler engine.

Most of the work was done by using the arm-dis.c file and the Ghidra Thumb processor specification, making adjustments when needed.

About

Ghidra processor specification for the Telink TC32

Resources

Readme
Activity

Stars

14 stars

Watchers

4 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Roff 50.1%
  • C 38.3%
  • C++ 5.2%
  • Shell 3.3%
  • Python 1.7%
  • XC 0.7%
  • XS 0.7%