I created a Function ID database, but it doesn't seem to match anything

[dlenski]

I am trying to analyze a firmware for a device based on the ESP32 SoC (Xtensa ISA).

I've converted the firmware to ELF format, loaded it in Ghidra 11.3, and after some initial work I've discovered that it extensively uses the mbedtls library. I've been able to identify some of the mbedtls functions manually, but it's quite tedious.

As I understand it, I should be able to use the Function ID feature to identify mbedtls functions more quickly, if I had a database containing labeled representations of these functions.

Fortunately, precompiled libraries of mbedtls 3.6.2 for this SoC already exist, over in https://github.com/esp-rs/esp-mbedtls/tree/main/esp-mbedtls-sys/libs/xtensa-esp32-none-elf for example, so I have been trying to build and use a Function ID database of mbedtls built for this SoC to match against.

This is what I've tried:

• Creating a new project called ESP32-mbedtls, and loading xtensa-esp32-none-elf/libmbedtls.a
  • All of the expected mbedtls functions show up in the symbol table
• Then, I "Create new empty FidDb database..."
• Then, I "Populate FidDb from Programs..."
  
• For reasons I don't understand, the output window doesn't show the function names from the symbol tables: 🤔
  
• … but if I run the ListFunctions.java script on the newly-created .fidb, I get the expected list of functions in the output, so this looks good: 👍

  /mbedtls/3.6.2/default/libmbedcrypto.a/pk_wrap.c.obj rsa_debug
  /mbedtls/3.6.2/default/libmbedtls.a/ssl_tls13_keys.c.obj ssl_tls13_calc_finished_core
  /mbedtls/3.6.2/default/libmbedcrypto.a/psa_crypto.c.obj psa_sign_hash_start
  /mbedtls/3.6.2/default/libmbedx509.a/x509write_crt.c.obj mbedtls_x509write_crt_set_ext_key_usage
  /mbedtls/3.6.2/default/libmbedcrypto.a/aria.c.obj mbedtls_aria_self_test
  …
  /mbedtls/3.6.2/default/libmbedcrypto.a/dhm.c.obj mbedtls_dhm_parse_dhm
  /mbedtls/3.6.2/default/libmbedcrypto.a/ecjpake.c.obj mbedtls_ecjpake_set_point_format
  /mbedtls/3.6.2/default/libmbedcrypto.a/ecdsa.c.obj mbedtls_ecdsa_free
  /mbedtls/3.6.2/default/libmbedx509.a/x509_crt.c.obj mbedtls_x509_crt_free
  /mbedtls/3.6.2/default/libmbedx509.a/x509.c.obj mbedtls_x509_info_cert_type
  

• I then close the ESP32-mbedtls project, restart Ghidra entirely because of the bug (?) described in I can't find the Function ID option #2796 (reply in thread), and reload the project for the "target" firmware.
• I verify that the .fidb for mbedtls is attached:
  
• I run the Function ID analyzer and…
• … I get nothing. No log output, no newly-labelled functions, no obvious change whatsoever. 🤷‍♂️

What am I doing wrong?

Can anyone give me any tips on what am missing here, and need to be doing differently in order for Function ID matching to work? (And, ideally, to get some kind of output showing what it is doing?)

[gemesa]

I assume you dont know what compiler version and what compiler and linker options were used to build that firmware. Ideally you need to use the same setup to build a FID DB, otherwise if there is even a slight difference (e.g. because of different optimization levels), your functions wont match. The compiler version is especially important in case of Rust binaries, as different rustc versions may generate significantly different machine code.

If you want tools resistant to changes, either use BSim:

• https://github.com/NationalSecurityAgency/ghidra/blob/master/GhidraDocs/GhidraClass/BSim/README.md

or BinDiff:

• https://github.com/google/bindiff
• https://github.com/google/binexport
• https://github.com/ubfx/BinDiffHelper

[dlenski]

I assume you dont know what compiler version and what compiler and linker options were used to build that firmware.

Right. Although my educated guess is that it's the customized version of Clang distributed by Espressif.

I did look compare disassembly for some of the functions that I've been able to identify "by hand" and they're extremely similar though not 100% identical.

if there is even a slight difference (e.g. because of different optimization levels), your functions wont match.

Is there any way to see debug output from the FID matcher, to verify that it's at least doing something?