I am trying to reverse engineer some MIPS firmware. The firmware is big-endian code for a 32-bit r4kec processor.
I disassembled the binary with objdump to see what the assembly looks like, and everything looks like valid code, but right at the beginning of the code I see the following two instructions:
    bfc00220: 152a0001  bne t1, t2, 0xbfc00228
    bfc00224: 10000009  b   0xbfc0024c
The first instruction compares the values of registers t1 and t2 and branches to the given address if they are not equal. The second instruction apparently handles the fall-through case by going directly to the next address. So far, so good, or not?
As far as I know, this is not legal. All the MIPS documentation I have read says that the instruction immediately following any branch/jump instruction sits in the branch delay slot, and that instruction is always executed (except for the branch-likely class) before the branch itself takes effect.
The key point is that another branch/jump is not allowed in the branch delay slot, and this leaves the processor in an undefined state.
So what should I make of this code? I do not believe this is hand-written assembly (although that would not be too far-fetched) for a processor that handles this situation in some known, deterministic way. I also cannot believe that a compiler would knowingly generate such code. Another possibility is that I am using the wrong disassembler for the binary, or that I have made a mistake, or something else...
Can someone explain what is going on here?
assembly mips embedded reverse-engineering firmware
user3290882
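As an added example (not code from the question or from any answer), here is a small Python scanner that decodes MIPS32 control-transfer instructions from a big-endian code image and reports any that sit in the delay slot of the instruction before them. The sample bytes are the two words from the question followed by constructed filler (a nop, an addiu and a normal `jr ra` with a nop in its slot); the decoder covers the I-type branches, j/jal and jr/jalr but not the REGIMM (bltz/bgez) family.

```python
import struct

# Register numbers as objdump names them (only needed for pretty printing).
REGS = ("zero at v0 v1 a0 a1 a2 a3 t0 t1 t2 t3 t4 t5 t6 t7 "
        "s0 s1 s2 s3 s4 s5 s6 s7 t8 t9 k0 k1 gp sp fp ra").split()
# Primary opcodes (bits 31..26) of control transfers; 0x14-0x17 are the branch-likely forms,
# which skip their delay slot when the branch is not taken.
I_BRANCH = {0x04: "beq", 0x05: "bne", 0x06: "blez", 0x07: "bgtz",
            0x14: "beql", 0x15: "bnel", 0x16: "blezl", 0x17: "bgtzl"}
J_TYPE = {0x02: "j", 0x03: "jal"}

def decode_control(word, pc):
    """Return (text, target) if the 32-bit `word` at address `pc` is a control transfer,
    otherwise None. Targets are computed from pc+4, exactly as the hardware does."""
    op, rs, rt = (word >> 26) & 0x3f, (word >> 21) & 0x1f, (word >> 16) & 0x1f
    off = struct.unpack(">h", struct.pack(">H", word & 0xffff))[0]  # sign-extended imm16
    rel = (pc + 4 + (off << 2)) & 0xffffffff
    if op in I_BRANCH:
        if op == 0x04 and rs == 0 and rt == 0:          # beq zero,zero is the unconditional 'b'
            return "b 0x%08x" % rel, rel
        if op in (0x06, 0x07, 0x16, 0x17):               # blez/bgtz compare rs against zero
            return "%s %s, 0x%08x" % (I_BRANCH[op], REGS[rs], rel), rel
        return "%s %s, %s, 0x%08x" % (I_BRANCH[op], REGS[rs], REGS[rt], rel), rel
    if op in J_TYPE:                                     # 26-bit target in the pc+4 256MB region
        abs_t = ((pc + 4) & 0xf0000000) | ((word & 0x03ffffff) << 2)
        return "%s 0x%08x" % (J_TYPE[op], abs_t), abs_t
    fn = word & 0x3f
    if op == 0x00 and fn in (0x08, 0x09):                # SPECIAL: jr / jalr (register target)
        return "%s %s" % ("jr" if fn == 0x08 else "jalr", REGS[rs]), None
    return None

def find_branches_in_delay_slots(code, base):
    """Scan big-endian MIPS code loaded at `base`; return [(addr, text)] for every control
    transfer that sits in the delay slot of the control transfer immediately before it."""
    n = len(code) // 4
    hits, prev = [], None
    for i, word in enumerate(struct.unpack(">%dI" % n, code[:4 * n])):
        pc = base + 4 * i
        cur = decode_control(word, pc)
        if prev is not None and cur is not None:
            hits.append((pc, cur[0]))
        prev = cur
    return hits

# Constructed sample: the two words from the question, then nop, addiu a0,zero,1 and a
# legal 'jr ra' whose delay slot holds a nop (this last pair must not be reported).
SAMPLE = struct.pack(">6I", 0x152a0001, 0x10000009, 0x00000000, 0x24040001, 0x03e00008, 0)

if __name__ == "__main__":
    for addr, text in find_branches_in_delay_slots(SAMPLE, 0xbfc00220):
        print("0x%08x: %s  <- control transfer in a delay slot" % (addr, text))
```

Run against a real image, the only hit in this sample is the `b` at 0xbfc00224; any further hits in an image point at the same question of whether the disassembly, the endianness or the load address is wrong.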