I am ideally looking for someone who would be interested in working on reverse engineering a vxworks image.

I am doing something similar to what is described at:

It is a VxWorks binary flash image running on a PowerPC. I have a ROM dump (binary); I dumped 4 MB, which seems to be everything (it
works if reloaded; I don't know what the real code size is). The application is about 645 kB.

I would like to be able to extract the application binary, make modifications, and then re-pack it back into the image.

I have gotten as far as using deezee and extracting the actual running binary. But I haven't gone beyond that.

I have a second ROM image (there are two embedded boards), so we can use it to see what is consistent as far as headers and CRCs, if necessary.

What I would like someone to do, in order of importance:

1: Give me a way to repack the binary image into the flash (zip, CRC, put back), e.g. a 'Rezee'.
Possibly integrate Dezee and the new 'Rezee' into a Windows app for convenience.

The trick is that there is probably a CRC stored with the image in the ROM, and we will have to find it.

2: Help me figure out the addresses of the running image. If it comes to that, I can just put a call to the embedded monitor/debugger as a first step in the program and see where things are when it starts to run.

Additional resources:
I have a copy of a VxWorks BSP package for the hardware (not necessarily the same version).

The target hardware has a real-time debugger. Unfortunately, the board configuration is "either the debugger" or "the application flash". The debugger runs out of its own flash, and I haven't been able to debug and watch it load the application from flash into memory.

I have real-time debugger disassembler output of the start of the code.
I know where the boot code is located in flash, and I have initial memory maps for the board.
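An added example (editor's code, not the poster's and not part of Dezee) of the CRC hunt described above, for item 1. It assumes the integrity field is a CRC-32 (the IEEE polynomial zlib computes) stored either right after the bytes it covers (trailer layout) or in a header word covering everything after it (header layout); the two sample images it scans are constructed here, not taken from the dump.

```python
import random
import struct
import zlib


def _words(image, off):
    """The 32-bit field at off read big-endian (PowerPC native) and little-endian."""
    return {"be": struct.unpack_from(">I", image, off)[0],
            "le": struct.unpack_from("<I", image, off)[0]}


def find_trailer_crc(image):
    """Layout A: a CRC-32 stored right after the bytes it covers.

    Reports (offset, endianness) wherever crc32(image[:offset]) equals the
    word at offset.  The running CRC is extended one word at a time, so a
    4 MB dump is scanned in a single pass.
    """
    hits, running = [], 0
    for off in range(4, len(image) - 3, 4):
        running = zlib.crc32(image[off - 4:off], running)   # now covers image[:off]
        for endian, stored in _words(image, off).items():
            if stored == running:
                hits.append((off, endian))
    return hits


def find_header_crc(image, window=256):
    """Layout B: a CRC-32 in a header word covering everything after it.

    Only the first `window` bytes are tried, because each probe hashes the
    whole remainder of the image.
    """
    hits = []
    for off in range(0, min(window, len(image) - 4), 4):
        crc = zlib.crc32(image[off + 4:])
        for endian, stored in _words(image, off).items():
            if stored == crc:
                hits.append((off, endian))
    return hits


def reseal(image, crc_off, layout, endian="be"):
    """Recompute the CRC-32 field after the payload has been modified."""
    covered = image[:crc_off] if layout == "trailer" else image[crc_off + 4:]
    out = bytearray(image)
    struct.pack_into(">I" if endian == "be" else "<I", out, crc_off, zlib.crc32(covered))
    return bytes(out)


def patch_and_reseal(image, crc_off, layout, patch_off, new_bytes, endian="be"):
    """Splice modified bytes into the image, then fix the CRC so a loader accepts it."""
    out = bytearray(image)
    out[patch_off:patch_off + len(new_bytes)] = new_bytes
    return reseal(bytes(out), crc_off, layout, endian)


# Constructed sample images (NOT the poster's dump): a deterministic pseudo-random
# payload sealed once with a header CRC and once with a trailer CRC, stored
# big-endian the way a PowerPC bootloader would.
_rng = random.Random(1)
PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(1024))
HEADER_IMAGE = (b"IMG0" + struct.pack(">I", len(PAYLOAD))
                + struct.pack(">I", zlib.crc32(PAYLOAD)) + PAYLOAD)
TRAILER_IMAGE = PAYLOAD + struct.pack(">I", zlib.crc32(PAYLOAD))

if __name__ == "__main__":
    print("header layout :", find_header_crc(HEADER_IMAGE))
    print("trailer layout:", find_trailer_crc(TRAILER_IMAGE))
```

Run both scanners over the whole 4 MB dump and again over just the extracted application blob, since the field may cover the compressed image rather than the flash as a whole. A hit is only a candidate: confirm it by checking that the same offset also verifies on the second board's image, and that it is one of the words that differs between the two dumps. If neither layout matches, the loader may be using CRC-16, a plain word sum, or a non-standard polynomial, and the bootloader disassembly is the place to settle that.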


I found that this morning. Still looking for someone interested in either taking on the project or helping out.


I ran the strings program on the extracted image. I could use some suggestions on how to find the offsets so that IDA or REC can make some sense of the code. I decided to start with the extracted code before I got too tied up with getting it back into the bootloader.

Here it is, and the code image too.

Your board is an MCP750 PPC board. You could find the MCP750 VxWorks BSP.

I changed your filename to "trdump.img.0.bin" and loaded it in IDA.

I changed the processor to PPC.

I created a ROM segment, start: 0x00000000, end: 0x000A052C.

I created a RAM segment, start: 0x00100000, end: 0x00800000.

Then I pressed "C" to change the undefined data bytes to "CODE".

Your firmware code looks like this:


ROM:00000000 # Segment type: Pure code
ROM:00000000 .section "ROM"
ROM:00000000 94 21 FF F8 stwu r1, -8(r1)
ROM:00000004 7C 08 02 A6 mflr r0
ROM:00000008 90 01 00 0C stw r0, 0xC(r1)
ROM:0000000C 48 00 6B 85 bl sub_6B90
ROM:00000010 80 01 00 0C lwz r0, 0xC(r1)
ROM:00000014 7C 08 03 A6 mtlr r0
ROM:00000018 38 21 00 08 addi r1, r1, 8
ROM:0000001C 4E 80 00 20 blr
ROM:00000020 # ---------------------------------------------------------------------------
ROM:00000020 /* disable external interrupts */
ROM:00000020 sysInit:
ROM:00000020 7C 63 1A 78 xor r3, r3, r3
ROM:00000024 7C 60 01 24 mtmsr r3 # /* disable external interrupts */
ROM:00000028 /* Zero-out registers: r0 & SPRGs */
ROM:00000028 7C 00 02 78 xor r0, r0, r0
ROM:0000002C 7C 10 43 A6 mtsprg0 r0
ROM:00000030 7C 11 43 A6 mtsprg1 r0
ROM:00000034 7C 12 43 A6 mtsprg2 r0
ROM:00000038 7C 13 43 A6 mtsprg3 r0
ROM:0000003C /*
ROM:0000003C * Set MPU/MSR to a known state
ROM:0000003C * Turn on FP
ROM:0000003C */
ROM:0000003C 70 63 00 00 andi. r3, r3, 0
ROM:00000040 60 63 20 00 ori r3, r3, 0x2000
ROM:00000044 7C 00 04 AC sync
ROM:00000048 7C 60 01 24 mtmsr r3
ROM:0000004C 4C 00 01 2C isync
ROM:00000050 /* Init the floating point control/status register */
ROM:00000050 FF 80 01 0C mtfsfi 7, 0
ROM:00000054 loc_54: # DATA XREF: sub_7C+2E8o
ROM:00000054 # sub_7C+2ECo ...
ROM:00000054 FF 00 01 0C mtfsfi 6, 0
ROM:00000058 FE 80 01 0C mtfsfi 5, 0
ROM:0000005C FE 00 01 0C mtfsfi 4, 0
ROM:00000060 FD 80 01 0C mtfsfi 3, 0
ROM:00000064 FD 00 01 0C mtfsfi 2, 0
ROM:00000068 FC 80 01 0C mtfsfi 1, 0
ROM:0000006C FC 00 01 0C mtfsfi 0, 0

I added some extra comments

I labeled the "sysInit" function, which is included in the "sysALib.s" BSP file.

Maybe this info is helpful for you.

I'm sorry for my bad English.
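An added example (editor's code, not the responder's and not IDA output) for item 2, figuring out where the image expects to run. It decodes the PowerPC I-form branches so relative targets can be checked against whatever base the ROM segment is given (the `bl` at 0x0C in the listing must resolve to sub_6B90 at base 0), and it recovers the 32-bit constants built with `lis`/`ori` pairs, which is how absolute addresses are materialised on 32-bit PowerPC; where those values cluster tells you the run-time base. The first 16 bytes of the sample are the dump's first four instructions exactly as shown in the listing above; the `lis`/`ori` pair that follows is constructed and is not from the dump.

```python
import struct

# First four instructions of the dump as shown in the IDA listing above
# (stwu / mflr / stw / bl sub_6B90).
ROM_HEAD = bytes.fromhex("9421FFF8 7C0802A6 9001000C 48006B85")
# Constructed pair, NOT from the dump: lis r3,0x0010 ; ori r3,r3,0x0080 -> r3 = 0x00100080
SAMPLE_LIS_ORI = bytes.fromhex("3C600010 60630080")
SAMPLE_IMAGE = ROM_HEAD + SAMPLE_LIS_ORI


def decode_branch(insn, pc):
    """Decode a PowerPC I-form branch (b, bl, ba, bla; primary opcode 18).

    Returns (target, is_call) or None when insn is not an I-form branch.
    pc is the address of the instruction itself, so a relative target is
    resolved against whatever base the image is assumed to be loaded at.
    """
    if (insn >> 26) & 0x3F != 18:
        return None
    li = insn & 0x03FFFFFC          # 24-bit signed displacement, low two bits zero
    if li & 0x02000000:             # sign-extend from bit 25
        li -= 0x04000000
    absolute = (insn >> 1) & 1      # AA bit
    link = insn & 1                 # LK bit: set for bl/bla
    target = li & 0xFFFFFFFF if absolute else (pc + li) & 0xFFFFFFFF
    return target, bool(link)


def scan_branches(image, base=0):
    """List (offset, target, is_call) for every I-form branch in a big-endian image.

    On raw flash, data words will occasionally decode as branches too; targets
    that land outside the image are the usual tell.
    """
    hits = []
    for off in range(0, len(image) - 3, 4):
        insn = struct.unpack_from(">I", image, off)[0]
        decoded = decode_branch(insn, base + off)
        if decoded:
            hits.append((off, decoded[0], decoded[1]))
    return hits


def find_lis_ori_constants(image):
    """Recover 32-bit constants built as  lis rD,HI ; ori rD,rD,LO.

    lis is addis rD,r0,SIMM (primary opcode 15 with the rA field 0); the
    following ori (primary opcode 24) must name the same register as rS, rA
    and rD.  Returns (offset_of_lis, register, value).
    """
    hits = []
    for off in range(0, len(image) - 7, 4):
        a, b = struct.unpack_from(">II", image, off)
        if (a >> 26) != 15 or ((a >> 16) & 0x1F) != 0:
            continue
        rd = (a >> 21) & 0x1F
        if (b >> 26) != 24 or ((b >> 21) & 0x1F) != rd or ((b >> 16) & 0x1F) != rd:
            continue
        hits.append((off, rd, ((a & 0xFFFF) << 16) | (b & 0xFFFF)))
    return hits


if __name__ == "__main__":
    for off, target, call in scan_branches(SAMPLE_IMAGE):
        print(f"{off:08X}: {'bl' if call else 'b'} -> {target:08X}")
    for off, reg, value in find_lis_ori_constants(SAMPLE_IMAGE):
        print(f"{off:08X}: r{reg} = {value:08X}")
```

Run `find_lis_ori_constants` over the extracted application and histogram the values by their top bits: the dense band is where code and data expect to live, and a candidate base is confirmed when the `bl` targets, rebased with `scan_branches(image, base)`, land on the function prologues (`stwu r1,...` / `mflr r0`) that sit at those same addresses. Compilers also split the pair with unrelated instructions and use `addi` for negative low halves, so treat the list as a lower bound rather than an inventory.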