»PERCH: Adding a peripheral layer to Ghidra«
2019-11-09, 15:30–15:55, Red Day

PERCH is a tool that adds a new peripheral layer to Ghidra. The parsing of Trace32's .per files enables the augmentation of Ghidra projects with labeled MMIO mappings from thousands of different processors.

Ghidra, the recently released NSA reverse engineering tool, supports numerous processor cores allowing for the analysis of the vast majority of firmware images. However, a pain point in embedded firmware reverse engineering is identifying, and reverse engineering, peripheral interactions. Ghidra, and its commercial twin IDA, support registers in the processor core, however they do not map all of the processor’s peripheral registers. This is due to the fact that each processor has hundreds, if not thousands, of variants with different peripheral layouts. Fortunately, a debugging/emulation tool vendor Lauterbach has gone through the painstaking effort of documenting nearly every processor’s peripheral layout in a well-defined “Peripheral file”. Our contribution, PERCH (Peripheral Conversion Helper), is a utility that parses these files and allows for their integration into other tools. Its companion extension adds a peripheral register database to Ghidra. Extension features include the labeling of all peripheral registers and their accesses, enumeration of utilized peripherals, and a framework for scripting around the peripheral database. This framework allows for new scripts, e.g. a script for identifying peripheral setup functions through a reference count heuristic, to be built around the peripheral register database. In short, PERCH and its companion extension vastly improves the embedded firmware reverse engineering experience in Ghidra.