ELF-embedded icons

[nomadbyte]

In addition to effect's icon [ref: #52], the ELF part of the ZD2 contains several other icons: {CategoryIcon_{cat} and AddDelIcon_{cat}}

readelf -a -W SOFTEC3S.ZD2.elf | grep -e "0420" -e "0480" -e "05b8"
....
    39: 80000420    92 OBJECT  LOCAL  HIDDEN    13 picTotalDisplay_CarbonDly
    40: 800005b8    40 OBJECT  LOCAL  HIDDEN    13 CategoryIcon_Dynamics
    41: 80000480    72 OBJECT  LOCAL  HIDDEN    13 AddDelIcon_Dynamics

    54: 80000420     0 SECTION LOCAL  HIDDEN    13 .const:picTotalDisplay_CarbonDly
    55: 800005b8     0 SECTION LOCAL  HIDDEN    13 .const:CategoryIcon_Dynamics
    56: 80000480     0 SECTION LOCAL  HIDDEN    13 .const:AddDelIcon_Dynamics

References to this data could be seen from the .const block for the effectTypeImageInfo, same one that describes the effect's on-device icon:

$ readelf -a -W SOFTEC3S.ZD2.elf | grep "] \.const"
  [13] .const            PROGBITS        80000000 0018e0 00064a 00   A  0   0  8

$ readelf -a -W SOFTEC3S.ZD2.elf | grep "effectTypeImageInfo"
...
    42: 80000150   304 OBJECT  LOCAL  HIDDEN    13 effectTypeImageInfo

effectTypeImageInfo:

SOFTEC3S.ZD2.elf@0x1a30 = (0x18e0+0x150)

17 00 00 00 1e 00 00 00 20 04 00 80 14 00 00 00 0a 00 00 00 b8 05 00 80 18 00 00 00 16 00 00 00 80 04 00 80 ...

reference addresses:

0x80000420:.const:picTotalDisplay_CarbonDly  (sized: 0x17 by 0x1e px)
0x800005b8:.const:CategoryIcon_Dynamics  (sized: 0x14 by 0x0a px)
0x80000480:.const:AddDelIcon_Dynamics (sized: 0x18 by 0x16 px)

I didn't try to extract the actual images. I assume the reference addresses should translate into offsets into the .const or other section of the ELF.

This is for SOFTEC3S.ZD2 (SoftEcho) module, not sure if such layout is applicable for other modules.

[mungewell]

Thank you for highlighting those other icons.... I had already found the ones which were used for 'Parameter Labels' (mostly just rendered Text).

80000370 l     O .const	00000038 .hidden _PrmPic_DETCT
800003a8 l     O .const	00000036 .hidden _PrmPic_Depth
800003e0 l     O .const	00000036 .hidden _PrmPic_THRSH

I'm sure you saw my (horrible) Bash/ImageMagick script, which can be adjusted if you really want to see what these icons look like. ;-)
https://github.com/mungewell/zoom-zt2/blob/master/extract_device_icon.sh

Given the number of icons it would be nice if this was clean in Python - I mentioned the 'pwntools' project in #52 which can read into the ELF without extra steps... it installs a lot of extra stuff, so I'll see if the elf.py bit can run as a standalone module.

https://github.com/Gallopsled/pwntools/tree/dev/pwnlib/elf

[mungewell]

Pushed a script that can read the ELF file to extract icon, or other images.
https://github.com/mungewell/zoom-zt2/blob/master/extract_device_icon.py

For now it looks like pwnlib can only read from a real (on disk) file, so the ELF should be extracted first and the -e flag used.
Gallopsled/pwntools#2155

$ python3 extract_device_icon.py -e ZNR.ZD2.code
[!] Could not populate PLT: 'int' object has no attribute 'lower'
[*] '/home/simon/zoom-zt2-sdw-github/ZNR.ZD2.code'
    Arch:     140-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
Extracting symbol: picTotalDisplay_ZNR
From Address: 0x80000280 to 0x800002DC

$ python3 extract_device_icon.py -t "_PrmPic_DETCT" -s 2 -o PrmPic.png -e ZNR.ZD2.code
[!] Could not populate PLT: 'int' object has no attribute 'lower'
[*] '/home/simon/zoom-zt2-sdw-github/ZNR.ZD2.code'
    Arch:     140-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      PIE enabled
Extracting symbol: _PrmPic_DETCT
From Address: 0x80000370 to 0x800003A8```

[mungewell]

Continued 'messing' and found a better/working solution with 'filebytes'.
https://github.com/sashs/filebytes

$ python3 extract_device_icon.py  MDL_DOVE.ZD2 ; display icon.png 
Target matched: picTotalDisplay_AgModel
Symbol located: 0x800017e8

$ python3 extract_device_icon.py -t "_PrmPic" -s 2 MDL_DOVE.ZD2 ; display icon.png 
Target matched: _PrmPic_Treble
Symbol located: 0x80001848

[zachriggle]

This should probably go into upstream pyelftools

[shooking]

hi all - I hacked a variant of this plus Elynx's work to extract icons from the older ZDLs.

https://github.com/shooking/ZoomPedalFun/blob/main/MS70CDR/DerivedData/2.10/extract_ZDL_device_icon.py

examples here
https://youtu.be/-6glw_k0LDg

I also made a docker to access ARMs toolchain on a Pi.

shookingsybase/ti6000-docker-aarch64

https://github.com/shooking/TI6000_arm

run the install then send cmds to the docker like

cd <>
export TI_FOLDER=pwd
ticmd dis6x -a -b Air.elf

Disassembly of Air.elf:

TEXT Section .text (Little Endian), 0xBE0 bytes at 0x0
00000000 Fx_REV_Air_onf_aft:
00000000 e01c LDW.D1T1 *A4[7],A1
00000002 200c LDW.D1T1 *A4[1],A0
00000004 0230a358 MVK.L1 12,A4
00000008 03333328 MVK.S1 0x6666,A6
0000000c 02003faa MVK.S2 0x007f,B4
00000010 00041362 B.S2X A1
00000014 02008078 ADD.L1 A4,A0,A4
00000018 03221868 MVKH.S1 0x44300000,A6
0000001c e0200000 .fphead n, l, W, BU, nobr, nosat, 0000001b
00000020 f603 SHL.S2 B4,0x17,B4
00000022 2c6e NOP 2
00000024 Fx_REV_Air_tone_edit:
00000024 31f7 STW.D2T2 B3,*B15--[2]
00000026 c246 || MV.L1 A4,A6
00000028 0f9be266 LDW.D1T2 *+A6[31],B31
0000002c 211c LDW.D1T1 *A6[1],A1
0000002e 014c LDW.D1T1 *A6[0],A4
00000030 10016813 || CALLP.S2 __c6xabi_call_stub,B3
00000034 6627 || MVK.L2 3,B4
00000036 0e92 MVK.S1 136,A5
00000038 c2d0 ADD.L1 A6,A5,A5
0000003a 00dc LDW.D1T1 *A5[0],A5