FAQs
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

STM32 disassembler

adaniel
Associate III

‎2010-08-30 06:24 AM

Posted on August 30, 2010 at 15:24

STM32 disassembler

#cortex-disassembler
0 Kudos
15 REPLIES 15
daviddavid92
Associate II

‎2011-05-17 05:04 AM

Posted on May 17, 2011 at 14:04

Interesting stuff!!

As a side point - where does the bootloader read the Boot0 pin?, and can we read it in our code?

Chris.

0 Kudos
Tesla DeLorean
Guru

‎2011-05-17 05:04 AM

Posted on May 17, 2011 at 14:04

Attached is my rough disassembly and annotation of the boot loader from my STM32.

Personally I think it is small enough that it would be easier just to recode it, or a better one dealing with S-Records, Intel Hex, or X/Y Modem. If you start jumping into specific ROM addresses you need to be concerned about chip/stepping issues with assorted versions of the loader.

>>As a side point - where does the bootloader read the Boot0 pin?, and can we read it in our code?

Hard to say, mostly done in hardware initialization in order to pick the appropriate boot vector address, and memory mapping. The primary boot loader code does not read the pin, but does look at the ROP state and disables certain functions. Want to see how it booted? check the memory which is mapped/shadowed at zero. In the ROP state code running in FLASH/ROM can read data in FLASH/RAM/ROM. Code running in FLASH/ROM can copy and execute code in RAM which can also access all the memory. Code booted from RAM in the ROP state cannot however touch or execute code in FLASH/ROM. Technically, I think it can execute, but it can't read values from the PC relative literal pool so you are basically SOL.

There is some conjecture that the STM32 might execute some hidden code, or copy something to RAM or other shadowed memory at zero during initial startup. Weird things happen with a RAM boot, don't assume it reads the boot vector. Different STM32 variants start execution of user code at 0x140 and 0x1E0 when you boot into RAM.

Tips, Buy me a coffee, or three.. PayPal Venmo
Up vote any posts that you find helpful, it shows what's working..
0 Kudos
damh
Associate II

‎2011-05-17 05:04 AM

Posted on May 17, 2011 at 14:04

I have reengineered it for a while.

I agree with clive. Rewrite the bootloader. The code isn't very clever and you cannot know, where to jump. The addresses of all functions aren't constant.

The bootloader has only one advantage. It cannot be destroyed by dumb code, bugs, ...

0 Kudos
adaniel
Associate III

‎2011-05-17 05:04 AM

Posted on May 17, 2011 at 14:04

Thanks guys to all of you! This has been of great help. I finally got the bootloader disassembly by 3 different ways:

 1 - Thanks Clive1 for your attachment. That is all what I needed.

 2 - Keil's RealView debugger with Keil's Ulink. STmicro's STlink doesn't show the bootloader.

 3 - Keil's simulator doesn't show the bootloader, but I could load its intel HEX file in the disassembly window! (I generated the HEX file from the binary download).

So far I didn't succed to achieve what I wanted: finding an entry point bypassing the ports setup. Clive1 I tend to accept your suggestion that it would be much easier to re-write a new bootloader from scratch.
0 Kudos
adaniel
Associate III

‎2011-05-17 05:04 AM

Posted on May 17, 2011 at 14:04

I absolutely agree with you and Clive1.

Meanwhile, I found a very stupid hardware turnaround: a pullup resistor solved the problem...

So I'm dropping the whole idea, but the discussion here was very interesting.

0 Kudos
cortex
Associate

‎2011-05-17 05:04 AM

Posted on May 17, 2011 at 14:04

I've created simple M0/M3 disassembler just for those situations where you need to quickly disassemble binary file or dump.

You can get it here 

http://digital.codewaves.com/

0 Kudos
Top