The TM32 disassembler is just about stable and the GPL’ed source tarball can be downloaded from [1].
To maximise the disassembler’s usefulness, it has been kept as flexible as possible.
For example, if the instruction pointer reaches the end of a text segment and strays into a data segment or a void, it carries on disassembling, however meaningless the output.
Since the TriMedia is largely uncharted territory for hacking, this may be more useful. And with a bit of luck, the instruction stream will be picked up again by the disassembler.
Below, the disassembler is put through its paces with the L1 bootloader for a 2Wire 2701HGV-C.
This particular device is supplied by British Telecom as the re-branded BT Business Hub (specifically, type 2 version 3 of the Hub – see Burakkucat’s comments below.)
$ ./tm32dis -h tm32dis - a disassembler for the TriMedia TM3260 five issue-slot VLIW core Version 1.19 (c) 2011 asbokid, <ballymunboy@gmail.com> -h, --help Displays this text -V, --version Version informaton -d, --debug Debug output -c, --count <n> Disassemble <n> bytes -a, --adjust <offset> Adjust offset -s, --skip <n> Skip <n> bytes -i, --input <filename> TM3260 object filename -m, --memimg Memory image (bootloader) Example usage: tm32dis -s 912 -c 64 -a 0x40000000 -m -i 2701_bootrom.bin $ ./tm32dis -V tm32dis v.1.19 copyright (C) 2011 asbokid <ballymunboy@gmail.com> This program comes with ABSOLUTELY NO WARRANTY; This is free software, and you are welcome to redistribute it under certain conditions: GNU GPL v3 License: http://www.gnu.org/licenses/gpl.html $ ./tm32dis -s 912 -c 64 -a 0x40000000 -m -i tests/2701hgv-c_bootrom.bin Skipping 912 (0x390) bytes Disassembling 64 (0x40) bytes Using 0x40000000 adjustment offset Read in 4096 (0x1000) bytes from file 'tests/2701hgv-c_bootrom.bin' Memory image transposed from bit-striped to sequential: 0000: de 03 00 00 21 14 00 0f 80 40 00 c0 00 40 00 00 0010: c0 20 80 40 80 00 61 7b 55 01 80 40 ff 03 00 a0 0020: 00 bc 5e 20 80 40 95 fb 03 ff 03 81 4f 00 20 40 0030: ff 03 ff 03 aa 02 00 00 00 00 00 00 00 00 00 00 Disassembling 64 bytes with offset adj. 0x40000000 disassembly (* instruction 0 : 224 bits (28 bytes) long *) (* offset : 0x40000000 *) (* bytes : de 03 00 00 21 14 00 0f 80 40 00 c0 00 40 00 00 c0 20 80 40 80 00 61 7b 55 01 80 40 *) (* format bytes : 0xde03 & 0xff03 = 0xde03, format in little endian bit order: 01 11 10 11 11 *) IF r1 iimm(0x40004000) -> r4, (* 42 bits: 1 02 00 21 00 00 *) IF r1 iimm(0xa00) -> r60, (* 42 bits: 0 02 00 0f 00 14 *) IF r1 isubi(1) r0 -> r61, (* 42 bits: 1 ed 84 00 40 80 *) IF r1 iclr, (* 42 bits: 0 05 57 00 40 00 *) IF r1 iimm(0x40004000) -> r3; (* 42 bits: 1 02 00 20 c0 00 *) (* instruction 1 : 88 bits (11 bytes) long *) (* offset : 0x4000001c *) (* bytes : ff 03 00 a0 00 bc 5e 20 80 40 95 *) (* format bytes : 0xff03 & 0xff03 = 0xff03, format in little endian bit order: 11 11 11 11 11 *) IF r1 iimm(0x40000040) -> r2, (* 42 bits: 1 02 00 00 a0 00 *) IF r1 nop, (* 0 bits: *) IF r1 writepcsw r60 r61, (* 34 bits: 2 54 20 5e bc *) IF r1 nop, (* 0 bits: *) IF r1 nop; (* 0 bits: *) (* instruction 2 : 16 bits (2 bytes) long *) (* offset : 0x40000027 *) (* bytes : fb 03 *) (* format bytes : 0xfb03 & 0xff03 = 0xfb03, format in little endian bit order: 11 01 11 11 11 *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop; (* 0 bits: *) (* instruction 3 : 56 bits (7 bytes) long *) (* offset : 0x40000029 *) (* bytes : ff 03 81 4f 00 20 40 *) (* format bytes : 0xff03 & 0xff03 = 0xff03, format in little endian bit order: 11 11 11 11 11 *) IF r1 nop, (* 0 bits: *) IF r1 ijmpi(0x4000009f), (* 42 bits: 1 00 80 00 4f 81 *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop; (* 0 bits: *) (* instruction 4 : 16 bits (2 bytes) long *) (* offset : 0x40000030 *) (* bytes : ff 03 *) (* format bytes : 0xff03 & 0xff03 = 0xff03, format in little endian bit order: 11 11 11 11 11 *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop; (* 0 bits: *) (* instruction 5 : 16 bits (2 bytes) long *) (* offset : 0x40000032 *) (* bytes : ff 03 *) (* format bytes : 0xff03 & 0xff03 = 0xff03, format in little endian bit order: 11 11 11 11 11 *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop; (* 0 bits: *) (* instruction 6 : 16 bits (2 bytes) long *) (* offset : 0x40000034 *) (* bytes : aa 02 *) (* format bytes : 0xaa02 & 0xff03 = 0xaa02, format in little endian bit order: 01 01 01 01 01 *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop; (* 0 bits: *) (* instruction 0 : 224 bits (28 bytes) long *) (* offset : 0x40000036 *) (* bytes : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 *) (* format bytes : 0x0000 & 0xff03 = 0x0000, format in little endian bit order: 00 00 00 00 00 *) IF r1 nop, (* 42 bits: 0 00 00 00 00 00 *) IF r1 nop, (* 42 bits: 0 00 00 00 00 00 *) IF r1 nop, (* 42 bits: 0 00 00 00 00 00 *) IF r1 nop, (* 42 bits: 0 00 00 00 00 00 *) IF r1 nop; (* 42 bits: 0 00 00 00 00 00 *) end disassembly $ ./tm32dis -s 976 -c 256 -a 0x40000040 -m -i tests/2701hgv-c_bootrom.bin Skipping 976 (0x3d0) bytes Disassembling 256 (0x100) bytes Using 0x40000040 adjustment offset Read in 4096 (0x1000) bytes from file 'tests/2701hgv-c_bootrom.bin' Memory image transposed from bit-striped to sequential: 0000: ff ef 00 40 e0 81 42 20 00 40 e0 f0 00 40 e0 00 0010: 40 e0 57 01 55 01 57 01 57 01 57 01 ff 03 ff 03 0020: aa 02 7f 3f 00 f1 01 00 40 e0 00 40 e0 70 a4 51 0030: 00 00 40 e0 80 40 57 01 57 01 56 0b 57 01 ff 43 0040: a4 10 02 d6 fc 03 57 43 05 84 21 ff af 86 43 a0 0050: 01 81 21 88 92 e1 95 95 00 ff 03 ff 03 aa 02 2a 0060: 38 00 c0 01 00 43 81 00 a2 01 f0 0b 42 e0 09 42 0070: e0 80 f0 9f ff 9c 1b 48 f2 48 ee 2a a8 00 6c 01 0080: 10 8a 01 10 12 02 f0 05 03 e0 0a 02 fe 9c 1b 9c 0090: 1b 9c 1b 2a 04 00 40 08 13 64 01 a8 ca 48 f0 87 00a0: 02 e0 0c 82 fe 9c 1b 80 40 8d 00 28 a8 10 90 01 00b0: 10 d8 08 10 16 09 f0 23 03 e0 a1 02 e0 9c 1b 9c 00c0: 1b 9c 1b 39 20 80 67 a1 81 3f 02 01 72 09 f0 00 00d0: 04 e0 0d c2 fe 80 00 80 00 3c 0c 04 9e 08 82 64 00e0: 00 0e 02 ff c0 07 03 e0 e1 20 40 3f 7c 00 41 84 00f0: 0f 42 ff 11 c2 ff 3c f0 88 11 e0 10 82 ff aa 7e Disassembling 256 bytes with offset adj. 0x40000040 disassembly (* instruction 0 : 224 bits (28 bytes) long *) (* offset : 0x40000040 *) (* bytes : ff ef 00 40 e0 81 42 20 00 40 e0 f0 00 40 e0 00 40 e0 57 01 55 01 57 01 57 01 57 01 *) (* format bytes : 0xffef & 0xff03 = 0xff03, format in little endian bit order: 11 11 11 11 11 *) IF r1 nop, (* 42 bits: 0 05 5f e0 40 00 *) IF r1 ijmpt r1 r5, (* 42 bits: 0 05 56 20 42 81 *) IF r1 nop, (* 42 bits: 0 05 5f e0 40 00 *) IF r1 nop, (* 42 bits: 0 05 5f e0 40 00 *) IF r1 nop; (* 42 bits: 0 05 5f e0 40 00 *) (* instruction 1 : 16 bits (2 bytes) long *) (* offset : 0x4000005c *) (* bytes : ff 03 *) (* format bytes : 0xff03 & 0xff03 = 0xff03, format in little endian bit order: 11 11 11 11 11 *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop; (* 0 bits: *) (* instruction 2 : 16 bits (2 bytes) long *) (* offset : 0x4000005e *) (* bytes : ff 03 *) (* format bytes : 0xff03 & 0xff03 = 0xff03, format in little endian bit order: 11 11 11 11 11 *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop; (* 0 bits: *) (* instruction 3 : 16 bits (2 bytes) long *) (* offset : 0x40000060 *) (* bytes : aa 02 *) (* format bytes : 0xaa02 & 0xff03 = 0xaa02, format in little endian bit order: 01 01 01 01 01 *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop; (* 0 bits: *) (* instruction 0 : 224 bits (28 bytes) long *) (* offset : 0x40000062 *) (* bytes : 7f 3f 00 f1 01 00 40 e0 00 40 e0 70 a4 51 00 00 40 e0 80 40 57 01 57 01 56 0b 57 01 *) (* format bytes : 0x7f3f & 0xff03 = 0x7f03, format in little endian bit order: 11 11 11 10 11 *) IF r1 iimm(0x40000062) -> r7, (* 42 bits: 1 02 00 01 f1 00 *) IF r1 nop, (* 42 bits: 0 05 5f e0 40 00 *) IF r1 nop, (* 42 bits: 0 05 5f e0 40 00 *) IF r1 ld32r r36 r35 -> r5, (* 42 bits: 0 2d 59 00 51 a4 *) IF r1 nop; (* 42 bits: 0 05 5f e0 40 00 *) (* instruction 1 : 48 bits (6 bytes) long *) (* offset : 0x4000007e *) (* bytes : ff 43 a4 10 02 d6 *) (* format bytes : 0xff43 & 0xff03 = 0xff03, format in little endian bit order: 11 11 11 11 11 *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 ld32r r36 r33 -> r8, (* 34 bits: 3 59 02 10 a4 *) IF r1 nop; (* 0 bits: *) (* instruction 2 : 16 bits (2 bytes) long *) (* offset : 0x40000084 *) (* bytes : fc 03 *) (* format bytes : 0xfc03 & 0xff03 = 0xfc03, format in little endian bit order: 00 11 11 11 11 *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop; (* 0 bits: *) (* instruction 3 : 40 bits (5 bytes) long *) (* offset : 0x40000086 *) (* bytes : 57 43 05 84 21 *) (* format bytes : 0x5743 & 0xff03 = 0x5703, format in little endian bit order: 11 10 10 10 11 *) IF r1 lsri(8) r5 -> r6, (* 26 bits: 1 21 84 05 *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop; (* 0 bits: *) (* instruction 4 : 112 bits (14 bytes) long *) (* offset : 0x4000008b *) (* bytes : ff af 86 43 a0 01 81 21 88 92 e1 95 95 00 *) (* format bytes : 0xffaf & 0xff03 = 0xff03, format in little endian bit order: 11 11 11 11 11 *) IF r1 nop, (* 0 bits: *) IF r1 ijmpf r6 r7, (* 34 bits: 2 56 a0 43 86 *) IF r6 ijmpt r1 r2, (* 34 bits: 2 56 21 81 01 *) IF r6 h_st32d(0) r8 r37, (* 34 bits: 0 03 e1 92 88 *) IF r1 nop; (* 0 bits: *) (* instruction 5 : 16 bits (2 bytes) long *) (* offset : 0x40000099 *) (* bytes : ff 03 *) (* format bytes : 0xff03 & 0xff03 = 0xff03, format in little endian bit order: 11 11 11 11 11 *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop; (* 0 bits: *) (* instruction 6 : 16 bits (2 bytes) long *) (* offset : 0x4000009b *) (* bytes : ff 03 *) (* format bytes : 0xff03 & 0xff03 = 0xff03, format in little endian bit order: 11 11 11 11 11 *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop; (* 0 bits: *) (* instruction 7 : 16 bits (2 bytes) long *) (* offset : 0x4000009d *) (* bytes : aa 02 *) (* format bytes : 0xaa02 & 0xff03 = 0xaa02, format in little endian bit order: 01 01 01 01 01 *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop; (* 0 bits: *) (* instruction 0 : 224 bits (28 bytes) long *) (* offset : 0x4000009f *) (* bytes : 2a 38 00 c0 01 00 43 81 00 a2 01 f0 0b 42 e0 09 42 e0 80 f0 9f ff 9c 1b 48 f2 48 ee *) (* format bytes : 0x2a38 & 0xff03 = 0x2a00, format in little endian bit order: 01 01 01 00 00 *) IF r1 iimm(0xf0000000) -> r7, (* 42 bits: 3 c2 00 01 c0 00 *) IF r1 iimm(0xffff0006) -> r5, (* 42 bits: 3 fe 7f 81 43 00 *) IF r1 iimm(0x1be40044) -> r6, (* 42 bits: 0 6e 72 01 a2 00 *) IF r1 h_st32d(-28) r11 r4, (* 42 bits: 3 c9 23 e0 42 0b *) IF r1 h_st32d(-36) r9 r4; (* 42 bits: 3 b9 23 e0 42 09 *) (* instruction 1 : 192 bits (24 bytes) long *) (* offset : 0x400000bb *) (* bytes : 2a a8 00 6c 01 10 8a 01 10 12 02 f0 05 03 e0 0a 02 fe 9c 1b 9c 1b 9c 1b *) (* format bytes : 0x2aa8 & 0xff03 = 0x2a00, format in little endian bit order: 01 01 01 00 00 *) IF r1 iimm(0x1be40058) -> r5, (* 42 bits: 0 6e 72 01 6c 00 *) IF r1 iimm(0x1be40814) -> r6, (* 42 bits: 0 6e 72 01 8a 10 *) IF r1 iimm(0x1be40824) -> r8, (* 42 bits: 0 6e 72 02 12 10 *) IF r1 h_st32d(0) r5 r6, (* 26 bits: 3 e0 03 05 *) IF r1 h_st32d(-32) r10 r4; (* 26 bits: 3 fe 02 0a *) (* instruction 2 : 192 bits (24 bytes) long *) (* offset : 0x400000d3 *) (* bytes : 2a 04 00 40 08 13 64 01 a8 ca 48 f0 87 02 e0 0c 82 fe 9c 1b 80 40 8d 00 *) (* format bytes : 0x2a04 & 0xff03 = 0x2a00, format in little endian bit order: 01 01 01 00 00 *) IF r1 iimm(0x1be00000) -> r33, (* 42 bits: 0 6e 70 08 40 00 *) IF r1 iimm(0x400009c8) -> r5, (* 42 bits: 1 02 00 01 64 13 *) IF r1 iimm(0x6a9415) -> r35, (* 42 bits: 0 02 35 48 ca a8 *) IF r1 h_st32d(0) r7 r5, (* 26 bits: 3 e0 02 87 *) IF r1 h_st32d(-24) r12 r4; (* 26 bits: 3 fe 82 0c *) (* instruction 3 : 192 bits (24 bytes) long *) (* offset : 0x400000eb *) (* bytes : 28 a8 10 90 01 10 d8 08 10 16 09 f0 23 03 e0 a1 02 e0 9c 1b 9c 1b 9c 1b *) (* format bytes : 0x28a8 & 0xff03 = 0x2800, format in little endian bit order: 00 01 01 00 00 *) IF r1 iimm(0x1be40820) -> r6, (* 42 bits: 0 6e 72 01 90 10 *) IF r1 iimm(0x1be40830) -> r35, (* 42 bits: 0 6e 72 08 d8 10 *) IF r1 iimm(0x1be4082c) -> r36, (* 42 bits: 0 6e 72 09 16 10 *) IF r1 h_st32d(0) r35 r6, (* 26 bits: 3 e0 03 23 *) IF r1 h_st32d(0) r33 r5; (* 26 bits: 3 e0 02 a1 *) (* instruction 4 : 176 bits (22 bytes) long *) (* offset : 0x40000103 *) (* bytes : 39 20 80 67 a1 81 3f 02 01 72 09 f0 00 04 e0 0d c2 fe 80 00 80 00 *) (* format bytes : 0x3920 & 0xff03 = 0x3900, format in little endian bit order: 10 01 11 00 00 *) IF r1 iaddi(79) r0 -> r5, (* 26 bits: 0 a1 67 80 *) IF r1 iimm(0x400ff) -> r8, (* 42 bits: 0 02 02 02 3f 81 *) IF r1 iimm(0xe4) -> r37, (* 42 bits: 0 02 00 09 72 01 *) IF r1 h_st32d(0) r0 r8, (* 26 bits: 3 e0 04 00 *) IF r1 h_st32d(-20) r13 r4; (* 26 bits: 3 fe c2 0d *) (* instruction 5 : 144 bits (18 bytes) long *) (* offset : 0x40000119 *) (* bytes : 3c 0c 04 9e 08 82 64 00 0e 02 ff c0 07 03 e0 e1 20 40 *) (* format bytes : 0x3c0c & 0xff03 = 0x3c00, format in little endian bit order: 00 11 11 00 00 *) IF r34 isubi(60) r4 -> r34, (* 34 bits: 3 84 08 9e 04 *) IF r1 ijmpi(0x40000149), (* 42 bits: 1 00 80 00 64 82 *) IF r1 nop, (* 0 bits: *) IF r1 h_st32d(-16) r14 r4, (* 26 bits: 3 ff 02 0e *) IF r1 h_st32d(0) r7 r6; (* 26 bits: 3 e0 03 07 *) (* instruction 6 : 88 bits (11 bytes) long *) (* offset : 0x4000012b *) (* bytes : 3f 7c 00 41 84 0f 42 ff 11 c2 ff *) (* format bytes : 0x3f7c & 0xff03 = 0x3f00, format in little endian bit order: 11 11 11 00 00 *) IF r1 iadd r0 r2 -> r17, (* 26 bits: 1 84 41 00 *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 h_st32d(-12) r15 r4, (* 26 bits: 3 ff 42 0f *) IF r1 h_st32d(-4) r17 r4; (* 26 bits: 3 ff c2 11 *) (* instruction 7 : 64 bits (8 bytes) long *) (* offset : 0x40000136 *) (* bytes : 3c f0 88 11 e0 10 82 ff *) (* format bytes : 0x3cf0 & 0xff03 = 0x3c00, format in little endian bit order: 00 11 11 00 00 *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 h_st32d(0) r8 r35, (* 26 bits: 3 e0 11 88 *) IF r1 h_st32d(-8) r16 r4; (* 26 bits: 3 ff 82 10 *) (* instruction 8 : 88 bits (11 bytes) long *) (* offset : 0x4000013e *) (* bytes : aa 7e 00 00 00 00 00 00 00 00 00 *) (* format bytes : 0xaa7e & 0xff03 = 0xaa02, format in little endian bit order: 01 01 01 01 01 *) IF r1 uld8d(0) r0 -> r0, (* 26 bits: 1 00 00 00 *) IF r1 nop, (* 0 bits: *) IF r1 nop, (* 0 bits: *) IF r1 imax r0 r0 -> r0, (* 26 bits: 3 00 00 00 *) IF r1 imax r0 r0 -> r0; (* 26 bits: 3 00 00 00 *) end disassembly $
In the archive, there’s a ready-built Windows 32 executable which was cross-compiled with gcc from mingw. [2]
All feedback welcomed..
UPDATE: During the disassembly of the 2Wire L1 bootloader, it was noticed that the register predicates for (some?) zeroary resultless operations, such as the ‘dcb’ operation to flush the data cache appear to be incorrectly interpreted. This will be patched shortly.
[1] https://docs.google.com/leaf?id=0B6wW18mYskvBMmIwMGJjOTQtZDMxNS00MzNiLThkYzgtMGE4N2ZiNTEwMGM3&hl=en_US
[2] http://www.mingw.org/
“This particular device is supplied by British Telecom as the re-branded BT Business Hub v.3″
A quick note on nomenclature.
According to my analysis, the “Type 1 BT Business Hub” was the 2Wire 1800HG, the “Type 2 BT Business Hub, V1.0″ and the “Type 2 BT Business Hub, V2.0″ were the 2Wire 2700HGV, whilst the current “Type 2 BT Business Hub, V3.0″ is the 2Wire 2701HGV-C.
Rumour has it that British Telecommunications PLC are now planning to release a “Type 3 BT Business Hub”, manufacturer and model as yet unknown. Hence it is important that the BT Business Hub Type is not confused with the version number (in the case of the Type 2 Hubs).
Thank you, burakkucat, for yet another correction!