There are some processors out there that don't have commercially released documents explaining what their instruction set is. Is there any way to find the instruction set through tampering or an external device if you have access to the processor?

- I guess you also don't have a toolchain for it? – dbrank0 Jun 19 '12 at 15:06
- It's been done. It's a tremendous amount of work. Do you have binaries for the device? A statistical analysis of the binary could reveal a lot. There are a lot of OEM-labeled versions of commercial products out there; how sure are you that it is not one of those? Lately, the venerable 6502 was reversed using image analysis on the etched layers. This seems to offer excellent opportunities to automate the process. – starbolin Jun 19 '12 at 15:13
- It's easiest to ask somebody who knows :-} – Ira Baxter Jun 19 '12 at 16:57
3 Answers
In general no, simply looking at bits is not going to get you very far. Imagine one of those jumble puzzles, but you have many more than 26 characters (the alphabet). You can do some analysis on bit patterns, but what will that give you? Not knowing the architecture, that could be an unconditional branch or some other popular instruction; without any knowledge you don't know what the popular instructions are. With a jumble puzzle, assuming English for example, you have inside knowledge of what letters and words are common and can try to start from there; you have no inside knowledge of instruction width, etc.
If it happens to resemble a known instruction set you still have the same problem: have they modified the instructions? If they have taken undefined opcodes and made them new instructions, you likely won't be able to tell what they are without inside-the-chip visibility (which JTAG won't really give you at this level, as the info JTAG would give also requires internal information).

- So then, how would we find the instruction set of, say, the Xenon processor (which doesn't have a commercially documented instruction set)? Any thoughts or ideas? The Wii uses the Broadway PPC processor, which also isn't documented, but they were somehow able to find the instruction set, weren't they? – KrisSodroski Jun 21 '12 at 17:44
- It's not always done blind; there is some info: either someone was leaked a document, or someone got access to compilers, or it is known that it is similar to or based on some other processor, and you reverse engineer from there. Blindly staring at a box of bits is a waste of time; if you want to hack something you use social engineering and whatever other tools or information you can come up with. The huge leaps come from everything but staring at the bits. The polish at the end comes from staring at the bits. – old_timer Jun 22 '12 at 00:06
- You answered one question yourself: the Broadway PPC, it is a PowerPC, that is a HUGE piece of information. If you are able to gain access to modify programs you can sort out any undocumented instructions, etc. Three seconds of typing: the Xenon is also PPC based, a huge step forward. No reason to stare at the bits in a binary in isolation. – old_timer Jun 22 '12 at 00:08
- Basically your examples do not match your question. Your question is if there are no released documents; those two have released documents containing information about the processor. A few phone calls, if you don't know already, would tell you how PPC processors are marketed, to know if it is sold as IP; if so, can the instruction set be modified, if not, what can be, other than peripherals, etc.? All that info you can get from sales is also considered commercially available information or documentation, which doesn't fall into what your question stated. – old_timer Jun 22 '12 at 00:10
"Through tampering"? Sure. Pry the lid off the chip. Take a snapshot of the chip layout (you can do this with various kinds of scanning electron microscopes). Infer the digital circuit (some special devices will tell you what the state of the chip elements is as it runs; Schlumberger's ATE gear did this). Decode what it does. Having source code will help.
You may have a hard time guessing what an opcode does; imagine an instruction that does a partial polynomial evaluation used to compute transcendentals, or worse, one that does a butterfly step in a fast Fourier transformation.

You might check JTAG. It's a protocol used to debug CPUs.
Another option is to check if the architecture is based on another public one and try to compare to find differences.
EDIT: Also, there's no debugger for that architecture? A C compiler? This is very rare. If you have a debugger and/or C compiler you can check assembly and compare with resulting binary. A debugger should also allow you to disassemble an already existing binary.

- There's the small problem of understanding what the JTAG is telling you, which presupposes you already know what the chip does. I don't believe this is a useful answer. – Ira Baxter Jun 19 '12 at 18:00
- You're right, I've added another possible solution. EDIT: just read dbrank0's comment... – m0skit0 Jun 19 '12 at 20:13