Author Topic: Mega328 Bin file (Read 4497 times)

giumma59 · « **on:** March 21, 2021, 07:53:17 am »

I extracted the software from the atmega328 from my Victor Vc2002 signal generator. now I see it in .bin format. I wonder if there is a way to be able to decode it and understand how the software was written.

Psi · « **Reply #1 on:** March 21, 2021, 08:11:37 am »

This may help, but be prepared to learn assembly code.
Assembly programming isn't all that hard if you know normal programming, but it is very, well.. 'raw'.
https://stackoverflow.com/questions/5141177/atmel-avr-disassembler

Ian.M · « **Reply #2 on:** March 21, 2021, 08:55:32 am »

Turning raw machine code back into high level language sourcecode is near impossible. Its like trying to turn an over-cooked 'mystery meat' burger back into a living animal. If you know the processor and external peripherals (and their connections), and the exact compiler version used, and have reverse engineered that compiler's code generator its a little easier - more like cloning a cow from a raw beefburger.

The odds are fairly high that any ATmega328 firmware written in the last decade or so was written in C/C++ and there's a reasonable chance it was compiled with AVR GCC. However, even knowing the processor and suspecting your firmware dump *MAY* originally be a C program you are in for a long, steep learning curve and a massive amount of work, that even an experienced AVR developer would balk at. It would be far easier to reverse engineer the hardware, then recreate the software from scratch, based on the specifications and observed UI of the sample unit.

Siwastaja · « **Reply #3 on:** March 21, 2021, 09:47:32 am »

What helps is the relative simplicity of the AVR architecture and its instruction set, and relatively large number of registers. So code usually isn't excessively long and it's quite linear.

But deducing the programmer's intent from the disassembly is very tedious and time-consuming because you are left without any high-level code structures, variable and function names, let alone comments.

If the disassembler can automatically detect IO port memory addresses and replace them with the datasheet names (like USART1_CR and so on), it will help, but you can search&replace it manually. Still, it's hard to see why the programmer reads memory from address 1234, increases it by 1, then stores back to address 1234; the original code might have had: millisecond_counter++;

Syntax Error · « **Reply #4 on:** March 21, 2021, 10:19:52 am »

For assembler geeks and compiler nerds playing at home,

https://onlinedisassembler.com/odaweb/

DavidAlfa · « **Reply #5 on:** March 21, 2021, 05:45:07 pm »

Tried with guidra...didn't like it, only half of the program was decompiled. It only supports AVR8, while the atmega328p is AVR5...
IDA Pro doesn't support the 328p, but has the 128p (same architecture). However it doesn't support decompiling.

Small writeup that coudl be interesting:
https://github.com/nononovak/otwadvent2019-ctfwriteup/blob/master/day9_grinchnet.md

Here you have a nice script for decompiling binaries:
https://electronics.stackexchange.com/questions/16670/avr-disassembler-with-named-register-support

However it seems you'll be stuck with asssembly. That will take a lot of time, breaking the code in subroutines and figuring out what they do.

ali_asadzadeh · « **Reply #6 on:** March 21, 2021, 10:22:40 pm »

Maybe try IDA from hex-rays
https://www.hex-rays.com/products/decompiler/

Ian.M · « **Reply #7 on:** March 21, 2021, 10:32:16 pm »

Quote from: ali_asadzadeh on March 21, 2021, 10:22:40 pm

Maybe try IDA from hex-rays
https://www.hex-rays.com/products/decompiler/

Unfortunately there's no AVR processor support, so that's a hard *NO*.

Quote from: Hex-Rays webpage

Currently the decompiler supports compiler generated code for the x86, x64, ARM32, ARM64, and PowerPC processors. We plan to port it to other platforms in the future.

ozcar · « **Reply #8 on:** March 22, 2021, 12:27:34 am »

Quote from: giumma59 on March 21, 2021, 07:53:17 am

I extracted the software from the atmega328 from my Victor Vc2002 signal generator. now I see it in .bin format. I wonder if there is a way to be able to decode it and understand how the software was written.

How did you extract the bin file?

I note it only contains 4k bytes, a fairly large part of which is filled with 0xff. So, there does not seem to be much code there (I'm not familiar with the VC2002 though, maybe it is a very simple device).

It also does not appear to contain a valid interrupt vector area, not even a jump for reset.

ve7xen · « **Reply #9 on:** March 23, 2021, 12:35:45 am »

Quote from: DavidAlfa on March 21, 2021, 05:45:07 pm

Tried with guidra...didn't like it, only half of the program was decompiled. It only supports AVR8, while the atmega328p is AVR5...

ATmega328P is AVR8. Ghidra would like it just fine, if your dump were valid. Disassembly is only the first and quickest of many steps toward understanding the firmware. I don't know what you're trying to accomplish, but just getting a somewhat valid disassembly is the easy part.

As ozcar has pointed out, your dump seems to be incomplete / invalid.


EEVblog Main Site	EEVblog on Youtube	EEVblog on Twitter	EEVblog on Facebook	EEVblog on Odysee

EEVblog Electronics Community Forum

Author Topic: Mega328 Bin file (Read 4497 times)

giumma59

Mega328 Bin file

Psi

Re: Mega328 Bin file

Ian.M

Re: Mega328 Bin file

Siwastaja

Re: Mega328 Bin file

Syntax Error

Re: Mega328 Bin file

DavidAlfa

Re: Mega328 Bin file

ali_asadzadeh

Re: Mega328 Bin file

Ian.M

Re: Mega328 Bin file

ozcar

Re: Mega328 Bin file

ve7xen

Re: Mega328 Bin file

Share me