
I have an AArch64 *.ko file that contains a structure (struct drm_display_mode) whose values I want to extract. Sadly, the *.ko does not have debugging information.

However, I know some values of the structure and can reverse engineer the rest of the structure by myself. The problem is, aarch64-linux-gnu-objdump, aarch64-linux-gnu-readelf and gdb-multiarch do not report the correct location of the structure.

aarch64-linux-gnu-readelf --wide --all ./panel.ko tells me that the struct I'm looking for is at address 0x3b8:

Symbol table '.symtab' contains 97 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND 
     1: 0000000000000000     0 SECTION LOCAL  DEFAULT    1 .text
    [...]
    39: 00000000000003b8   120 OBJECT  LOCAL  DEFAULT    8 panel_default_mode

gdb-multiarch tells me the same story:

(gdb) p &panel_default_mode 
$1 = (<data variable, no debug info> *) 0x3b8 <panel_prepare+232>

Because I have the source and build environment panel.ko was compiled with (but with other values), I compiled the module again (with debugging enabled) and loaded it in gdb to pretty-print the values from the original panel.ko. However, the values are complete garbage.

(gdb) add-symbol-file panel-debug.o
add symbol table from file "panel-debug.o"
(y or n) y
Reading symbols from panel-debug.o...
(gdb) p (struct drm_display_mode) panel_default_mode
$1 = {clock = 1, hdisplay = 3170, hsync_start = 0, hsync_end = 1, htotal = 0, hskew = 99, vdisplay = 0, vsync_start = 1, vsync_end = 0, vtotal = 160, vscan = 0, flags = 1, crtc_clock = 5025, crtc_hdisplay = 1, crtc_hblank_start = 0, crtc_hblank_end = 9122, crtc_hsync_start = 0, crtc_hsync_end = 1, crtc_htotal = 0, crtc_hskew = 5283, crtc_vdisplay = 0, crtc_vblank_start = 1, crtc_vblank_end = 0, crtc_vsync_start = 5796, 
  crtc_vsync_end = 0, crtc_vtotal = 1, width_mm = 0, height_mm = 10661, type = 0 '\000', expose_to_userspace = false, head = {next = 0x1ea600000001, prev = 0x1da700000001}, name = "\001\000\000\000\250\206\000\000\001\000\000\000\251\036\000\000\001\000\000\000\252)\000\000\001\000\000\000\253t\000", status = MODE_HSYNC, picture_aspect_ratio = 6572}

I know that the values are garbage because .clock should be > 60000, .vdisplay=1280, .vsync_start=1290, .vsync_start=1300 and .hdisplay=800.

Now I manually scanned panel.ko with hexedit and found that the values I know and am looking for are not placed at 0x3b8 but at address 0x9c8.

I do not quite understand what has happened. Why do all the debugging tools report a seemingly wrong address? Am I misinterpreting the output? Or am I doing something completely wrong?

bam
  • Byte order shouldn't be a problem as long as you are staying within similar endian environments from create to read. [Packing alignment](https://stackoverflow.com/questions/3318410/pragma-pack-effect) between environments is another factor to consider. One system might be set in such a way that may result in padding between members (e.g. `#pragma pack(4)`), another may be set to allow none (i.e. `#pragma pack(1)`). If these settings are not the same between environments, then the struct size will be different between the two. – ryyker Aug 11 '21 at 13:10
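An added example, not from the question author or the kernel tree: a small Python parser that does the arithmetic readelf leaves to the reader. A .ko is a relocatable object (ET_REL). In such a file a symbol's st_value is an offset within the section named by its Ndx column (8 for panel_default_mode above), not a file offset and not a load address; `readelf -S` lists each section's sh_offset, and the symbol's bytes live at sh_offset + st_value. gdb printing 0x3b8 as `<panel_prepare+232>` is consistent with the same section-relative number being matched against .text's own zero-based range, which is why it looks like a code address. The script builds a constructed, minimal ELF64/AArch64 relocatable file that mirrors the question's numbers (a 120-byte OBJECT symbol at st_value 0x3b8 in a data section), with the section's sh_offset assumed to be 0x610 so that 0x610 + 0x3b8 = 0x9c8; it then resolves the symbol to its file offset exactly as one would on the real panel.ko and reads the bytes there. The payload values 66000, 800 and 1280 are constructed markers; the field layout of struct drm_display_mode is not modelled.

```python
"""Resolve a symbol in a relocatable ELF64 object (e.g. a .ko) to its file offset.

For ET_REL files, Elf64_Sym.st_value is relative to the start of the section
given by st_shndx.  The bytes are therefore at
    sections[st_shndx].sh_offset + st_value
which is what readelf's "Value" column does *not* show directly.
"""
import struct

EHDR_FMT = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, little-endian, 64 bytes
SHDR_FMT = "<IIQQQQIIQQ"        # Elf64_Shdr, 64 bytes
SYM_FMT = "<IBBHQQ"             # Elf64_Sym, 24 bytes
ET_REL, EM_AARCH64 = 1, 183
SHT_PROGBITS, SHT_SYMTAB, SHT_STRTAB = 1, 2, 3


def _cstr(blob, off):
    """Read a NUL-terminated string from a string table."""
    return blob[off:blob.index(b"\0", off)].decode()


def parse_sections(data):
    """Return (e_type, [section dicts]) from the ELF header and section headers."""
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    ident, e_type, e_shoff, e_shentsize, e_shnum, e_shstrndx = (
        hdr[0], hdr[1], hdr[6], hdr[11], hdr[12], hdr[13])
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    raw = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize) for i in range(e_shnum)]
    shstr_off = raw[e_shstrndx][4]  # sh_offset of .shstrtab
    sections = []
    for sh_name, sh_type, _fl, _addr, sh_off, sh_size, sh_link, _inf, _al, sh_entsize in raw:
        sections.append({"name": _cstr(data, shstr_off + sh_name), "type": sh_type,
                         "offset": sh_off, "size": sh_size, "link": sh_link, "entsize": sh_entsize})
    return e_type, sections


def parse_symbols(data, sections):
    """Walk .symtab (SHT_SYMTAB) and resolve names through its linked string table."""
    symtab = next(s for s in sections if s["type"] == SHT_SYMTAB)
    strtab = sections[symtab["link"]]
    syms = []
    for i in range(symtab["size"] // symtab["entsize"]):
        st_name, st_info, _oth, st_shndx, st_value, st_size = struct.unpack_from(
            SYM_FMT, data, symtab["offset"] + i * symtab["entsize"])
        syms.append({"name": _cstr(data, strtab["offset"] + st_name), "type": st_info & 0xF,
                     "shndx": st_shndx, "value": st_value, "size": st_size})
    return syms


def symbol_file_offset(data, name):
    """Return (st_value, file_offset, section_name) for a symbol in an ET_REL file.

    Only symbols defined in a regular section qualify; SHN_UNDEF (0) and the
    reserved indices >= 0xff00 (SHN_ABS, SHN_COMMON, ...) have no section bytes.
    """
    e_type, sections = parse_sections(data)
    if e_type != ET_REL:
        raise ValueError("this helper handles relocatable objects (ET_REL) only")
    sym = next(s for s in parse_symbols(data, sections) if s["name"] == name)
    if sym["shndx"] == 0 or sym["shndx"] >= 0xFF00:
        raise ValueError(f"{name} is not defined in a regular section")
    sec = sections[sym["shndx"]]
    return sym["value"], sec["offset"] + sym["value"], sec["name"]


def read_symbol_bytes(data, name):
    """Return the raw bytes of `name` as they sit in the file."""
    _value, off, _sec = symbol_file_offset(data, name)
    size = next(s["size"] for s in parse_symbols(data, parse_sections(data)[1]) if s["name"] == name)
    return data[off:off + size]


def build_sample_object():
    """Constructed minimal ET_REL ELF64 for EM_AARCH64 (not a real kernel module).

    Assumed layout mirroring the question: a 120-byte OBJECT symbol at
    st_value 0x3b8 inside .data, and .data placed at sh_offset 0x610, so the
    bytes land at file offset 0x9c8.  Everything below 0x610 is zero filler
    standing in for where .text would be in a real .ko.
    """
    data_off, sym_value, sym_size = 0x610, 0x3b8, 120
    payload = struct.pack("<IHH", 66000, 800, 1280).ljust(sym_size, b"\0")  # constructed markers
    data_sec = bytearray(sym_value + sym_size)
    data_sec[sym_value:sym_value + sym_size] = payload
    strtab = b"\0panel_default_mode\0"
    symtab = struct.pack(SYM_FMT, 0, 0, 0, 0, 0, 0)                       # mandatory null symbol
    symtab += struct.pack(SYM_FMT, 1, (0 << 4) | 1, 0, 1, sym_value, sym_size)  # LOCAL OBJECT, Ndx 1
    shstrtab = b"\0.data\0.symtab\0.strtab\0.shstrtab\0"

    blob = bytearray(data_off) + data_sec
    symtab_off = len(blob); blob += symtab
    strtab_off = len(blob); blob += strtab
    shstrtab_off = len(blob); blob += shstrtab
    blob += b"\0" * (-len(blob) % 8)
    shoff = len(blob)

    def shdr(name, typ, off, size, link=0, entsize=0):
        return struct.pack(SHDR_FMT, name, typ, 0, 0, off, size, link, 0, 1, entsize)

    blob += shdr(0, 0, 0, 0)
    blob += shdr(shstrtab.index(b".data"), SHT_PROGBITS, data_off, len(data_sec))
    blob += shdr(shstrtab.index(b".symtab"), SHT_SYMTAB, symtab_off, len(symtab), link=3, entsize=24)
    blob += shdr(shstrtab.index(b".strtab"), SHT_STRTAB, strtab_off, len(strtab))
    blob += shdr(shstrtab.index(b".shstrtab"), SHT_STRTAB, shstrtab_off, len(shstrtab))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    blob[:64] = struct.pack(EHDR_FMT, ident, ET_REL, EM_AARCH64, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 5, 4)
    return bytes(blob)


if __name__ == "__main__":
    obj = build_sample_object()
    value, off, sec = symbol_file_offset(obj, "panel_default_mode")
    print(f"st_value=0x{value:x} in {sec} -> file offset 0x{off:x}")
    print("bytes at st_value as a file offset:", obj[value:value + 8].hex())
    print("bytes at the real file offset:     ", read_symbol_bytes(obj, "panel_default_mode")[:8].hex())
```

Run against the sample, the symbol resolves to file offset 0x9c8 while the bytes at file offset 0x3b8 are unrelated filler, which is the discrepancy seen between readelf and hexedit in the question. To apply the same arithmetic to the real panel.ko, take the Ndx column from `readelf -s`, look up that section's Offset in `readelf -S`, and add the symbol's Value.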

0 Answers