Matt J. Gumbley | Website: http://www.gumbley.me.uk
Blog: On The Edge of Occam's Razor

disarm - a simple-minded EPOC disassembler

1 Introduction

disarm is a simple-minded disassembler and memory investigation tool for EPOC. It is an extension of ArLo, the loader program for the Linux-7110 project. It probably won't run properly on a Series 5mx, since the logical device driver module I use (LILO.LDD) won't load on EPOC release 5.

disarm also provides a simple ARM disassembler.

I wrote disarm to aid me in investigating EPOC's memory: for my GDB Remote Debug Stub project, I need to revector the ARM's exception handler. Unfortunately, it looks like this won't be possible. disarm is still useful, though.


2 Project Status

This project is active, although I might not do much more work on it. (See EPOC Projects for the Big Picture).

3 Download disarm

You may download disarm here. (Approx 56KB).

4 The README File

The README.TXT file that comes with disarm reads as follows...
disarm, a simple-minded disassembler and memory snooper for EPOC
----------------------------------------------------------------
(C) 2000 Matt J. Gumbley. See README.disarm for details of the disassembler
source code. 

This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.

The GNU General Public License is also available on the World Wide Web
at http://www.gnu.org/copyleft/gpl.html


WARNING
=======
It's very possible that use of this program will crash your Series 5. I take
absolutely no responsibility for any damage/data loss you may suffer as a
result of using this. If you don't take a backup before running it, then sorry,
it's your fault.



Acknowledgements
================
Kevin F. Quinn for the disassembler source code.
Otfried Cheong for Arlo, and lilo.ldd.


Installing
==========
Before installing disarm, you need to install the standard C library. This is
available in the EPOC C++ SDK, \EPOC32\Release\Marm\Rel\stdlib.sis.

Copy disarm.sis to c:\ on your Psion, and run it. This will install the
necessary components. You'll then see disarm.exe in c:\ which you may run.


Usage
=====
disarm is like DOS' debug, except that it isn't as advanced :-(

You can use disarm to view memory contents as words, half-words or bytes. You
may also disassemble memory. There are some commands for conversion between
linear and physical memory, and vice-versa. You may view memory/disassemble
based on either linear or physical addresses by switching PHYS mode on or off. 

disarm retains the commands present in ArLo for booting Linux kernels, but I
haven't tested these. Note that disarm does not load lilo.ldd automatically: you
have to use the 'L' command to do this. (Hopefully someone will tell me if the
non-Physical stuff works on a 5mx?)

Use 'help' and 'help1' for help screens.
A sample session might use the 'L' (load LDD), 'P' (read physical addresses, not
linear ones) commands to get started, then use 'dw', 'u', 'db' to dump words,
disassemble, or dump bytes.

e.g.
Where's the exception vector routine?
ARM processors have an exception vector table at linear address 0x00000000. So:

> L
Loading logical device
Opening the channel
Option buffer at address d14764b8
Memory description at address c001402c
> p 0     # convert linear address 0x00000000 to physical
00000000 -> Physical 00002000
> P
PHYS mode enabled
> dw 2000 8
00002000 E59FF018 E59FF018 E59FF018 E59FF018
00002010 E59FF018 E59FF018 E59FF018 E59FF018

Now you'd think you could do:
> u e59ff018 8
And disassemble the first 8 instructions of the exception handler, but it
doesn't work. If you dump the words at that address, you'll see as above: lots
of E59FF018's. 

I have no explanation for this... yet. Possibly something to do with supervisor
mode...

Is this really the address of the exception handler? Well, take a look in your 
Psion's ROM, near the start of EKERN.EXE...
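The eight words in the 'dw 2000 8' dump are ARM instructions rather than addresses. As an added example (not part of disarm, its README, or the disassembler source it bundles), this small C decoder for the ARM single-data-transfer encoding shows that E59FF018 is LDR pc, [pc, #0x18]: because the ARM pipeline makes PC read as the instruction address plus 8, each vector loads its handler address from the word 0x20 bytes past itself, so the eight handler addresses sit at 0x2020..0x203C. The register names and the 0x2000 base address are assumed from the session shown above.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of an ARM "single data transfer" word (LDR/STR, immediate offset). */
typedef struct { unsigned p, u, b, l, rn, rd, imm; } ldst_t;

/* Returns 1 and fills *d when word is LDR/STR with an immediate offset
 * (bits 27..25 == 010); returns 0 for any other encoding. */
int decode_ldst_imm(uint32_t word, ldst_t *d) {
    if (((word >> 25) & 7u) != 2u) return 0;
    d->p = (word >> 24) & 1;        /* 1 = pre-indexed addressing */
    d->u = (word >> 23) & 1;        /* 1 = offset added, 0 = subtracted */
    d->b = (word >> 22) & 1;        /* 1 = byte, 0 = word transfer */
    d->l = (word >> 20) & 1;        /* 1 = LDR, 0 = STR */
    d->rn = (word >> 16) & 0xF;     /* base register */
    d->rd = (word >> 12) & 0xF;     /* destination / source register */
    d->imm = word & 0xFFF;          /* 12-bit unsigned offset */
    return 1;
}

/* Address that a pre-indexed PC-relative LDR/STR located at addr accesses.
 * The ARM pipeline makes PC read as addr + 8. Returns 0 if not PC-relative. */
uint32_t pc_relative_target(uint32_t addr, uint32_t word) {
    ldst_t d;
    if (!decode_ldst_imm(word, &d) || d.rn != 15 || !d.p) return 0;
    return d.u ? addr + 8 + d.imm : addr + 8 - d.imm;
}

static const char *REG[16] = { "r0", "r1", "r2", "r3", "r4", "r5", "r6", "r7",
                               "r8", "r9", "r10", "r11", "r12", "sp", "lr", "pc" };

/* Render word as mnemonic text into buf; returns 1 if decodable, else 0. */
int format_ldst(uint32_t word, char *buf, size_t n) {
    ldst_t d;
    if (!decode_ldst_imm(word, &d)) { snprintf(buf, n, "???"); return 0; }
    snprintf(buf, n, "%s%s %s, [%s, #%s0x%X]", d.l ? "LDR" : "STR",
             d.b ? "B" : "", REG[d.rd], REG[d.rn], d.u ? "" : "-", d.imm);
    return 1;
}

int main(void) {
    char text[40];
    for (uint32_t addr = 0x2000; addr < 0x2020; addr += 4) {  /* as in the dump */
        uint32_t word = 0xE59FF018;   /* every word that 'dw 2000 8' showed */
        format_ldst(word, text, sizeof text);
        printf("%08X %08X  %-22s ; handler address is read from %08X\n",
               (unsigned)addr, (unsigned)word, text,
               (unsigned)pc_relative_target(addr, word));
    }
    return 0;
}
```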


EPOC Memory Model
=================
See \sysdoc\cpp\e32\eumem-002.html for details.
Data linear address range: 00400000 -> 3FFFFFFF
Static data always at 00400000.
Code chunk for RAM processes: 20000000...
Code chunk for ROM processes: 50000000 -> 5FFFFFFF
Home section: 80000000 -> FFFFFFFF

EPOC's layout of physical memory is:
00000000 -> 0FFFFFFF 4MByte ROM; 32bit access, real domain 00000000 -> 003FFFFF
10000000 -> 1FFFFFFF 2MByte ROM; 16bit access, real domain 00000000 -> 001FFFFF
20000000 -> 2FFFFFFF 8bit access
40000000 -> 4FFFFFFF CF disk
80000000 -> 80000FFF Internal registers
C0000000 -> CFFFFFFF 4MByte DRAM
C0000000 -> C00012BF LCD RAM
C0001300 -> C0001C00 MMU memory; main TLB access point @ C0001800
D0000000 -> DFFFFFFF 4MByte DRAM

When running in non-PHYS mode, you can dump the contents of the data chunk,
although there are only 0x1000 bytes from 400000 -> 400fff. disarm will crash
after that. Similarly for the code section, from 20000000 -> 20000fff.

Investigations of low addresses in physical memory suggest that at 00000100,
there's a large table of words pointing into the home section (plus a couple of
other places). This ends around 00000B10. There's a little more stuff at
00001000, then lots of FF's.

00002000 in physical memory is where I reckon the exception vector table lives.
00000000 linear is mapped to this. There are more pointers into ROM processes
and Home section pointers after this. DLL member function pointers or memory
corruption caused by passing gamma radiation? Who knows....


Crash!
======
OK, so you crashed disarm or EPOC itself. A disarm crash is not a problem:
you'll get an EPOC "Program closed" dialog on the system screen. Re-run disarm,
and use the 'U' option to unload the LDD before carrying on.

You'll know if you crash EPOC as you'll get a complete reboot with three beeps,
descending in pitch. I've not had this reset the RAMdisk, but you may have just
tromped on something you shouldn't have; I've been careful. Take a backup!


Build notes
===========
You can build disarm itself, but not the LILO Logical Device Driver. Source is
supplied for this, but it requires the EPOC Device Driver Kit, and I don't have
that - I'm repackaging (with permission) from Otfried's ArLo boot loader, from
the Linux-7k project.

To build:
makmake /makework disarm marm
makmake disarm marm
nmake -f disarm.marm
makesis disarm.pkg

--
Matt J. Gumbley

(C) Matt J. Gumbley 1998-2019 - All Tights Reversed