Armv7: Instruction Disassembly/Lifting Completion #3968

Open
plafosse opened this issue Apr 1, 2016 · 18 comments
Labels
Arch: ARM/Thumb (Issues with the ARM/Thumb architecture plugin)
Component: Architecture (Issue needs changes to an architecture plugin)
Impact: Medium (Issue is impactful with a bad, or no, workaround)
Type: Enhancement (Issue is a small enhancement to existing functionality)

Comments

@plafosse
Member

plafosse commented Apr 1, 2016

The following is the list of instructions which we currently disassemble and lift (fully or partially). If you have any instructions which differ from this table, there is likely a bug or a documentation failure; please let us know (and if you could provide the opcodes, that would be great).

Mnem Disasm Lifting
adc Full Full
adceq Full Full
adcs Full Full
adcseq Full Full
add Full Full
adds Full Full
addseq Full Full
adr Full Full
and Full Full
andeq Full Full
ands Full Full
andseq Full Full
asr Full Full
bfc Full Full
bfclo Full Full
bfi Full Full
bfine Full Full
bic Full Full
bics Full Full
bicseq Full Full
blls Full Full
blx Full Full
blxne Full Full
bx Full Full
bxne Full Full
clz Full Full
clzeq Full Full
cmn Full Full
cmp Full Full
eor Full Full
eors Full Full
eorseq Full Full
ldm Full Full
ldmda Full Full
ldmdb Full Full
ldmib Full Full
ldr Full Full
ldrb Full Full
ldrbt Full Full
ldrd Full Full
ldrh Full Full
ldrht Full Full
ldrhthi Full Full
ldrsb Full Full
ldrsbt Full Full
ldrsh Full Full
ldrsht Full Full
ldrt Full Full
lsl Full Full
lsr Full Full
mla Full Full
mlane Full Full
mlas Full Full
mlasne Full Full
mov Full Full
moveq Full Full
movs Full Full
movseq Full Full
movt Full Full
movteq Full Full
movw Full Full
mul Full Full
mulgt Full Full
muls Full Full
mulsle Full Full
mvn Full Full
mvneq Full Full
mvngt Full Full
mvns Full Full
mvnseq Full Full
mvnslt Full Full
nop Full Full
nopgt Full Full
orr Full Full
orrhs Full Full
orrlo Full Full
orrne Full Full
orrseq Full Full
orrsgt Full Full
orrshi Full Full
orrslt Full Full
pop Full Full
push Full Full
rsb Full Full
rsbgt Full Full
rsble Full Full
rsblo Full Full
rsbne Full Full
sbfx Full Full
sbfxgt Full Full
sdiv Full Full
str Full Full
strb Full Full
strbt Full Full
strh Full Full
strht Full Full
strpl Full Full
strt Full Full
sub Full Full
subs Full Full
subseq Full Full
sxtb Full Full
sxtbge Full Full
sxtblo Full Full
sxth Full Full
sxthle Full Full
sxthne Full Full
tst Full Full
ubfx Full Full
ubfxgt Full Full
udiv Full Full
uxtab Full Full
uxtablt Full Full
uxtb Full Full
uxtbge Full Full
uxtblo Full Full
uxth Full Full
uxthle Full Full
uxthne Full Full
svc Full Partial
bkpt Full None
bxj Full None
bxjne Full None
cdp Full None
cdp2 Full None
cdpne Full None
clrex Full None
cps Full None
cpsid Full None
cpsie Full None
dbg Full None
dmb Full None
dsb Full None
fldmdbxne Full None
fldmiax Full None
fldmiaxeq Full None
fstmdbxne Full None
fstmiax Full None
fstmiaxeq Full None
hint Full None
hintgt Full None
isb Full None
ldc Full None
ldc2 Full None
ldc2l Full None
ldceq Full None
ldcgt Full None
ldchi Full None
ldchs Full None
ldcl Full None
ldcleq Full None
ldclge Full None
ldclhi Full None
ldclle Full None
ldcllt Full None
ldclne Full None
ldclo Full None
ldrex Full None
ldrexb Full None
ldrexd Full None
ldrexh Full None
mcr Full None
mcr2 Full None
mcrls Full None
mcrr Full None
mcrr2 Full None
mcrrgt Full None
mls Full None
mlsne Full None
mrc Full None
mrc2 Full None
mrceq Full None
mrrc Full None
mrrc2 Full None
mrrclo Full None
mrs Full None
msr Full None
pkhbt Full None
pkhtb Full None
pld Full None
qadd Full None
qadd16 Full None
qadd16gt Full None
qadd8 Full None
qadd8le Full None
qaddne Full None
qdadd Full None
qdaddhi Full None
qdsub Full None
qdsubhi Full None
qsax Full None
qsaxeq Full None
qsub Full None
qsub16 Full None
qsub16gt Full None
qsub8 Full None
qsub8le Full None
qsubne Full None
rbit Full None
rbitne Full None
rev Full None
rev16 Full None
rev16ne Full None
revne Full None
revsh Full None
revshne Full None
rfeda Full None
rfedb Full None
rfeia Full None
rfeib Full None
ror Full None
rrx Full None
rrxs Full None
rsc Full None
rscgt Full None
rscle Full None
rsclo Full None
rscne Full None
rscs Full None
sadd16 Full None
sadd16gt Full None
sadd8 Full None
sadd8le Full None
sasx Full None
sasxeq Full None
sbc Full None
sel Full None
selne Full None
setend Full None
sev Full None
seveq Full None
shadd16 Full None
shadd16gt Full None
shadd8 Full None
shadd8gt Full None
shasx Full None
shasxgt Full None
shsub16 Full None
shsub16gt Full None
shsub8 Full None
shsub8gt Full None
smc Full None
smceq Full None
smlabb Full None
smlabbge Full None
smlabt Full None
smlabtle Full None
smlad Full None
smladeq Full None
smladx Full None
smladxhi Full None
smlal Full None
smlalbb Full None
smlalbbge Full None
smlalbt Full None
smlalbtle Full None
smlald Full None
smlaldeq Full None
smlaldx Full None
smlaldxhi Full None
smlaleq Full None
smlals Full None
smlalshi Full None
smlaltb Full None
smlaltbne Full None
smlaltt Full None
smlaltteq Full None
smlatb Full None
smlatbne Full None
smlatt Full None
smlatteq Full None
smlawb Full None
smlawbeq Full None
smlawt Full None
smlawthi Full None
smlsd Full None
smlsdeq Full None
smlsdx Full None
smlsdxhi Full None
smlsld Full None
smlsldeq Full None
smlsldx Full None
smlsldxhi Full None
smmla Full None
smmlalo Full None
smmlar Full None
smmlarhs Full None
smmls Full None
smmlslo Full None
smmlsr Full None
smmlsrhs Full None
smmul Full None
smmullo Full None
smmulr Full None
smmulrhs Full None
smuad Full None
smuadlt Full None
smuadx Full None
smuadxge Full None
smulbb Full None
smulbbge Full None
smulbt Full None
smulbtle Full None
smull Full None
smulleq Full None
smulls Full None
smullseq Full None
smultb Full None
smultbne Full None
smultt Full None
smultteq Full None
smulwb Full None
smulwt Full None
smusd Full None
smusdeq Full None
smusdx Full None
smusdxne Full None
srsda Full None
srsdb Full None
srsia Full None
srsib Full None
ssat Full None
ssat16 Full None
ssax Full None
ssaxlt Full None
ssub16 Full None
ssub16ne Full None
ssub8 Full None
ssub8eq Full None
stc Full None
stc2 Full None
stc2l Full None
stceq Full None
stcgt Full None
stchi Full None
stchs Full None
stcl Full None
stcleq Full None
stclge Full None
stclhi Full None
stclle Full None
stcllt Full None
stclne Full None
stclo Full None
stm Full None
stmda Full None
stmdb Full None
stmib Full None
strd Full None
strex Full None
strexb Full None
strexd Full None
strexh Full None
swp Full None
swpb Full None
sxtab Full None
sxtab16 Full None
sxtab16eq Full None
sxtab16ge Full None
sxtablt Full None
sxtah Full None
sxtahhi Full None
sxtahlo Full None
sxtb16 Full None
sxtb16ge Full None
sxtb16hs Full None
teq Full None
uadd16 Full None
uadd16gt Full None
uadd8 Full None
uadd8le Full None
uasx Full None
uasxeq Full None
uhadd16 Full None
uhadd16gt Full None
uhadd8 Full None
uhadd8gt Full None
uhasx Full None
uhasxgt Full None
uhsub16 Full None
uhsub16gt Full None
uhsub8 Full None
uhsub8gt Full None
umaal Full None
umaallt Full None
umlal Full None
umlalgt Full None
umlals Full None
umlalseq Full None
umull Full None
umullgt Full None
umulls Full None
umullseq Full None
uqadd16 Full None
uqadd16gt Full None
uqadd8 Full None
uqadd8le Full None
uqasx Full None
uqasxhi Full None
uqsax Full None
uqsub16 Full None
uqsub16gt Full None
uqsub8 Full None
uqsub8le Full None
usad8 Full None
usad8le Full None
usada8 Full None
usada8gt Full None
usat Full None
usat16 Full None
usax Full None
usaxne Full None
usub16 Full None
usub16hi Full None
usub8 Full None
usub8le Full None
uxtab16 Full None
uxtab16eq Full None
uxtab16ge Full None
uxtah Full None
uxtahhi Full None
uxtahlo Full None
uxtb16 Full None
uxtb16ge Full None
uxtb16hs Full None
vabsf32 Full None
vabsf64 Full None
vaddf32 Full None
vaddf64 Full None
vcmpef32 Full None
vcmpef64 Full None
vcvtbeqf64f16 Full None
vcvtbf16f64 Full None
vcvtbf64f16 Full None
vcvtbltf16f64 Full None
vcvtf32f64 Full None
vcvtf32s16 Full None
vcvtf32s32 Full None
vcvtf32u16 Full None
vcvtf32u32 Full None
vcvtf64f32 Full None
vcvtf64s16 Full None
vcvtf64s32 Full None
vcvtf64u16 Full None
vcvtf64u32 Full None
vcvtrs32f32 Full None
vcvtrs32f64 Full None
vcvtru32f32 Full None
vcvtru32f64 Full None
vcvts16f32 Full None
vcvts16f64 Full None
vcvts32f32 Full None
vcvts32f64 Full None
vcvttf16f64 Full None
vcvttf64f16 Full None
vcvttgef64f16 Full None
vcvttgtf16f64 Full None
vcvtu16f32 Full None
vcvtu16f64 Full None
vcvtu32f32 Full None
vcvtu32f64 Full None
vdivf32 Full None
vdivf64 Full None
vfmaf32 Full None
vfmaf64 Full None
vfmsf32 Full None
vfmsf64 Full None
vfnmaf32 Full None
vfnmaf64 Full None
vfnmsf32 Full None
vfnmsf64 Full None
vldmia Full None
vldr Full None
vmlaf32 Full None
vmlaf64 Full None
vmlsf32 Full None
vmlsf64 Full None
vmov Full None
vmoveq Full None
vmovf32 Full None
vmovf64 Full None
vmovi32 Full None
vmovne Full None
vmrs Full None
vmsr Full None
vmulf32 Full None
vmulf64 Full None
vnegf32 Full None
vnegf64 Full None
vnegnef64 Full None
vnmlaf32 Full None
vnmlaf64 Full None
vnmlsf32 Full None
vnmlsf64 Full None
vnmulf32 Full None
vnmulf64 Full None
vpop Full None
vpush Full None
vqdmulls32 Full None
vrintrf32 Full None
vrintrltf64 Full None
vrintxeqf64 Full None
vrintxvsf32 Full None
vrintzf32 Full None
vrintzgef64 Full None
vsqrtf32 Full None
vsqrtf64 Full None
vstmia Full None
vstr Full None
vsubf32 Full None
vsubf64 Full None
wfe Full None
wfehi Full None
wfi Full None
wfilt Full None
yield Full None
yieldne Full None
vcvtas32f32 None None
vcvtas32f64 None None
vcvtau32f32 None None
vcvtau32f64 None None
vcvtms32f32 None None
vcvtms32f64 None None
vcvtmu32f32 None None
vcvtmu32f64 None None
vcvtns32f32 None None
vcvtns32f64 None None
vcvtnu32f32 None None
vcvtnu32f64 None None
vcvtps32f32 None None
vcvtps32f64 None None
vcvtpu32f32 None None
vcvtpu32f64 None None
vmaxnmf32 None None
vmaxnmf64 None None
vminnmf32 None None
vminnmf64 None None
vrintaf32 None None
vrintaf64 None None
vrintmf32 None None
vrintmf64 None None
vrintnf32 None None
vrintnf64 None None
vrintpf32 None None
vrintpf64 None None
vseleqf32 None None
vseleqf64 None None
vselgef32 None None
vselgef64 None None
vselgtf32 None None
vselgtf64 None None
vselvsf32 None None
vselvsf64 None None
crc32b None None
crc32cb None None
crc32ch None None
crc32cw None None
crc32h None None
crc32w None None
@micro500

asr r2, r2, r8 is incorrectly lifted to r2 = r2 s>> 0
Opcode: 52 28 A0 E1
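The encoding behind the report above, as an added example (this is not code from the Binary Ninja armv7 plugin or from the commenter): a small A32 decoder for the MOV-with-shift form that `asr rd, rm, rs` assembles to, the lifted expression in the `s>>` notation used in the report, and a model of what the shift must compute. The bytes `52 28 A0 E1` are the ones posted; the words `0xE1A021C2` (asr r2, r2, #3) and `0xE1A02042` (asr r2, r2, #32) are constructed here to show the immediate form. Field positions follow the ARM Architecture Reference Manual's data-processing (register) and (register-shifted register) encodings; the shift-amount semantics (low byte of Rs, amounts of 32 or more give all sign bits) are the architectural ones.

```python
# Added example, not from the Binary Ninja armv7 plugin: decode the A32
# MOV-with-shift encoding that asr/lsl/lsr/ror assemble to, emit the lifted
# expression, and model what the shift must compute.
import struct

SHIFT_NAMES = {0b00: "lsl", 0b01: "lsr", 0b10: "asr", 0b11: "ror"}
IL_OPS = {"lsl": "<<", "lsr": "u>>", "asr": "s>>", "ror": "ror"}
MASK32 = 0xFFFFFFFF


def word_from_bytes(b: bytes) -> int:
    """A32 instruction word from its little-endian byte order in the binary."""
    return struct.unpack("<I", b)[0]


def decode_shift_mov(word: int) -> dict:
    """Decode MOV (register) / MOV (register-shifted register) with a shift.

    Common fields: cond[31:28] 000[27:25] 1101[24:21] S[20] 0000[19:16]
    Rd[15:12] type[6:5] Rm[3:0].  Bit 4 selects the form:
      bit4 == 0: imm5[11:7]                (shift amount is an immediate)
      bit4 == 1: Rs[11:8], bit 7 must be 0 (shift amount comes from Rs)
    """
    if (word >> 25) & 0b111 != 0b000 or (word >> 21) & 0xF != 0b1101:
        raise ValueError("not a MOV/shift data-processing encoding: %#010x" % word)
    d = {
        "cond": word >> 28,
        "setflags": bool((word >> 20) & 1),
        "rd": (word >> 12) & 0xF,
        "rm": word & 0xF,
        "op": SHIFT_NAMES[(word >> 5) & 0b11],
        "rs": None,
        "imm": None,
    }
    if (word >> 4) & 1:
        if (word >> 7) & 1:
            raise ValueError("bit 7 set in register-shifted form: %#010x" % word)
        d["rs"] = (word >> 8) & 0xF
    else:
        imm5 = (word >> 7) & 0x1F
        # DecodeImmShift: an encoded 0 means 32 for lsr/asr; for ror it means rrx
        if d["op"] in ("lsr", "asr") and imm5 == 0:
            imm5 = 32
        elif d["op"] == "ror" and imm5 == 0:
            raise NotImplementedError("ror #0 is rrx, not modelled here")
        d["imm"] = imm5
    return d


def lift(d: dict) -> str:
    """Lifted form in the report's notation; the amount must name Rs, not an immediate."""
    amount = "r%d" % d["rs"] if d["rs"] is not None else "%d" % d["imm"]
    return "r%d = r%d %s %s" % (d["rd"], d["rm"], IL_OPS[d["op"]], amount)


def asr32(value: int, amount: int) -> int:
    """Arithmetic shift right of a 32-bit value; amounts >= 32 give all sign bits."""
    value &= MASK32
    signed = value - (1 << 32) if value & 0x80000000 else value
    return (signed >> amount) & MASK32


def execute(d: dict, regs: dict) -> dict:
    """Apply a decoded asr to a register file ({'rN': int}); only asr is modelled."""
    if d["op"] != "asr":
        raise NotImplementedError("only asr is modelled in this example")
    if d["rs"] is not None:
        amount = regs["r%d" % d["rs"]] & 0xFF  # only the low byte of Rs is used
    else:
        amount = d["imm"]
    out = dict(regs)
    out["r%d" % d["rd"]] = asr32(regs["r%d" % d["rm"]], amount)
    return out


if __name__ == "__main__":
    posted = decode_shift_mov(word_from_bytes(bytes.fromhex("5228a0e1")))
    print(lift(posted))
    print(hex(execute(posted, {"r2": 0x80000000, "r8": 4})["r2"]))
```

Bit 4 is the whole difference between the two forms: when it is set, bits 11:8 are a register number, so any lift that reads an immediate shift amount out of this word is reading the wrong field.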

@plafosse
Member Author

asr r2, r2, r8 is incorrectly lifted to r2 = r2 s>> 0
Opcode: 52 28 A0 E1

Fixed in dev

@sprout42

sprout42 commented Dec 6, 2018

Just wondering, any idea when lifting will be finished for parsed instructions? I was looking at something that used these instructions and had a bunch of "unimplemented" warnings in the low and medium level IL view:

  • 52e8001f ldrex r1, [r2]
  • 42e80037 strex r7, r3, [r2]
  • bff35b8f dmb ISH
  • 94e9feeb rfeia r4

@ehntoo
Contributor

ehntoo commented Dec 29, 2018

A few more thumb2 examples where lifting is unimplemented as of 1.1.1461-dev:
90e8000c ldm r0, {r10, r11}
bae80f00 ldm r10!, {r0, r1, r2, r3}

The corresponding stm instructions are also unimplemented.

@BwRy

BwRy commented Jan 4, 2019

A few thumb examples where lifting is unimplemented as of 1.1.1344:

ffb2      uxtb r7, r7
c7f30116  ubfx r6, r7, #4, #2
7eb2      sxtb r6, r7
b8fa88f8  clz r8, r8

@shane-runsafe
Contributor

shane-runsafe commented May 9, 2019

Found some more armv7 examples that are not disassembled or lifted.

00 43 f0 f3 aese.8 q10,q0
c0 03 b0 f3 aesimc.8 q0,q0
84 43 b0 f3 aesmc.8 q2, q2
00 43 b0 f3 aese.8 q2, q0
02 43 b0 f3 aese.8 q2, q1
40 43 b0 f3 aesd.8 q2, q0

Digging deeper, it looks like all the aes instructions are missing, so the list above is incomplete.

Additionally, there are some vector instructions that don't show the proper disassembly (operands are missing).

8d0a42f4 vst1.32 {}, [r2]!
8d0742f4 vst1.32 {}, [r2]!
0f0a60f4 vld1.8 {}, [r0]

@korniltsev

cbc97edc  01fb0111   mla     r1, r1, r1, r1
cbc97eea  a1fb0223   umull   r2, r3, r1, r2
cbc97ef2  02fb1311   mls     r1, r2, r3, r1

The table says mla is lifted, but the 1.2.1968-dev build shows it as unimplemented.
I also find umull & mls very often unimplemented.

@3pidemix
Contributor

3pidemix commented Dec 9, 2019

cbc97edc  01fb0111   mla     r1, r1, r1, r1
cbc97eea  a1fb0223   umull   r2, r3, r1, r2
cbc97ef2  02fb1311   mls     r1, r2, r3, r1

The table says mla is lifted, but the 1.2.1968-dev build shows it as unimplemented.
I also find umull & mls very often unimplemented.

I can confirm, and it causes serious issues with any dataflow analysis that may be dependent on those unlifted instructions without any way to tell from IL that a dependent value may be invalid. I guess the dataflow analysis has no way to detect that there was an unlifted instruction in the dataflow somewhere, so I can't even check if this is happening without writing some architecture-specific code.

@ehntoo
Contributor

ehntoo commented Dec 13, 2019

Is there any prospect of having these revisited soon? I'm starting to contemplate hacking up my own arch plugin to implement a number of these to avoid situations where looking at dataflow leads me down the wrong path due to the unlifted instructions.

@plafosse
Member Author

Could you share a binary that has missing instructions to serve as a benchmark?

@ehntoo
Contributor

ehntoo commented Dec 28, 2019

When I see these, it tends to be in batches of one or two instructions per firmware I look at, so I don't have anything I'd consider a good benchmark for "completion". I'm happy to DM binaries/bndbs that I can share as I hit them, though - I just hit one that uses uxtb earlier.

@plafosse
Member Author

plafosse commented May 5, 2020

Priority list from 3pidemix

 192 vldr
  69 uxtb
  68 vmov.f32.F32
  67 vmul.f32.F32
  44 vstr
  32 vmrs
  32 ubfx
  24 vdiv.f32.F32
  21 vpop
  21 uxth
  20 vcvt.f32.F32.S32
  20 vcmpe.f32.F32
  20 clz
  16 vpush
  16 umull
  14 rbit
  13 vneg.f32.F32
  12 vcmp.f32.F32
   9 rrx
   6 vcvt.s32.f32
   6 udiv
   6 sxtb
   6 sbc
   5 sbcs
   4 vcvt.f32.F32.U32
   3 vldmia
   3 umlal
   3 rrxs
   2 vabs.f32.F32
   2 mla
   2 dsb
   1 vnmul.f32.F32
   1 vldmdb
   1 uxtab
   1 smull

@nshp
Contributor

nshp commented May 11, 2020

PSP and MSP MSRs are incorrectly disassembled as APSR(_nzcvq) in Thumb2 mode.

.syntax unified
.thumb
_start:
    msr psp, r0
    mrs r0, psp

    msr msp, r0
    mrs r0, msp

    msr apsr_nzcvq, r0

Assemble with e.g. arm-none-eabi-as -mcpu=cortex-m33 test.s -o test.o.
Binja's output:

msr apsr_nzcvq, r0
mrs r0, apsr
msr apsr_nzcvq, r0
mrs r0, apsr
msr apsr_nzcvq, r0

Edit: Same deal for the PRIMASK register
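The decode that the report above is asking for, as an added example (not the plugin's decoder and not the commenter's code): a Thumb2 MRS/MSR (T1) disassembler for Armv7-M that honours the SYSm field in bits 7:0 of the second halfword, which is the only thing that distinguishes PSP, MSP and PRIMASK from APSR. The encodings and SYSm values are taken from the Armv7-M Architecture Reference Manual; the byte strings in the usage below are the little-endian form of `msr psp, r0` (f380 8809), `mrs r0, psp` (f3ef 8009) and the MSP, APSR and PRIMASK variants, constructed here rather than copied from a build. `check_disassembly` is a hypothetical helper for comparing a disassembler's text against the SYSm-aware decode.

```python
# Added example, not the plugin's decoder: disassemble Thumb2 MRS/MSR (T1) on
# Armv7-M by honouring the SYSm field, which is what distinguishes PSP/MSP/
# PRIMASK from APSR in the report above.
import struct

# SYSm encodings from the Armv7-M Architecture Reference Manual (MRS/MSR).
SYSM_NAMES = {
    0: "apsr", 1: "iapsr", 2: "eapsr", 3: "xpsr", 5: "ipsr", 6: "epsr", 7: "iepsr",
    8: "msp", 9: "psp", 16: "primask", 17: "basepri", 18: "basepri_max",
    19: "faultmask", 20: "control",
}
# For the APSR group (SYSm 0..3) the mask field selects the flag fields written.
APSR_MASKS = {0b10: "_nzcvq", 0b01: "_g", 0b11: "_nzcvqg"}


def decode_mrs_msr(hw1: int, hw2: int) -> str:
    """Return disassembly for a 32-bit Thumb MRS/MSR, or raise for anything else.

    MSR T1: hw1 = 1111 0011 1000 Rn,      hw2 = 1000 mask(2) 00 SYSm(8)
    MRS T1: hw1 = 1111 0011 1110 1111,    hw2 = 1000 Rd(4)      SYSm(8)
    """
    sysm = hw2 & 0xFF
    name = SYSM_NAMES.get(sysm)
    if name is None:
        raise ValueError("unallocated SYSm %#x" % sysm)
    if hw1 & 0xFFF0 == 0xF380 and hw2 & 0xF300 == 0x8000:
        rn = hw1 & 0xF
        mask = (hw2 >> 10) & 0b11
        if sysm <= 3:
            if mask not in APSR_MASKS:
                raise ValueError("unpredictable APSR mask %#x" % mask)
            name += APSR_MASKS[mask]
        elif mask != 0b10:
            # every non-APSR special register requires mask == 0b10
            raise ValueError("unpredictable mask %#x for %s" % (mask, name))
        return "msr %s, r%d" % (name, rn)
    if hw1 == 0xF3EF and hw2 & 0xF000 == 0x8000:
        rd = (hw2 >> 8) & 0xF
        return "mrs r%d, %s" % (rd, name)
    raise ValueError("not an MRS/MSR encoding: %04x %04x" % (hw1, hw2))


def decode_bytes(b: bytes) -> str:
    """Halfwords are stored little-endian, first halfword first (e.g. 80 f3 09 88)."""
    hw1, hw2 = struct.unpack("<HH", b)
    return decode_mrs_msr(hw1, hw2)


def check_disassembly(b: bytes, shown: str) -> bool:
    """Hypothetical helper: True when a disassembler's text matches the SYSm-aware decode."""
    return decode_bytes(b) == shown


if __name__ == "__main__":
    for hexbytes in ("80f30988", "eff30980", "80f30888", "eff30880", "80f30088", "80f31088"):
        print(hexbytes, decode_bytes(bytes.fromhex(hexbytes)))
```

The same check applied to the output quoted above: `check_disassembly(bytes.fromhex("80f30988"), "msr apsr_nzcvq, r0")` is false, because SYSm is 9 (PSP), not 0.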

@brinlyau

brinlyau commented May 28, 2020

For a few of these I've implemented lifting support in my own plugin (using Capstone as the instruction decoder, as I understand the internal decoder is not exposed by the API), but I'm still missing a ton of these. (dumped essentially via grep)

I would add lifting support (obviously 100% coverage isn't needed but I prefer to have less unimplemented :P) , but I believe BN is missing support for vector instructions in #1213.

Obviously not all of them are the same priority :)

@nshp
Contributor

nshp commented May 28, 2020

I would add lifting support (obviously 100% coverage isn't needed but I prefer to have less unimplemented :P) , but I believe BN is missing support for vector instructions in #1213.

At least for now, you can lift most vector operations as a series of scalar operations. e.g. a vdup.32 could just be a dest = (src << 96) | (src << 64) | (src << 32) | src. You'll likely have to create some temporary variables for more complex ones.

The simple stuff like vector-width moves/loads/stores can be lifted simply using wide registers -- binja doesn't mind if you define a 128-bit register. Some of those basic operations are lifted in x86_64 for example.
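The scalar-lifting approach described above, worked through as an added example (not plugin code and not the commenter's): Python integers stand in for a 128-bit q register, `vdup_32` is exactly the `(src << 96) | (src << 64) | (src << 32) | src` form suggested, and `vadd_i32` shows the one caveat a per-lane lift has to respect: a single 128-bit add is not `vadd.i32`, because carries cross lane boundaries, so each lane needs its own truncated add on a temporary. The lane order (lane 0 in the least significant bits) and the IL-style text produced by `lift_vadd_i32_text` are this example's conventions, not the plugin's.

```python
# Added example, not plugin code: nshp's "lift vector ops as scalar ops over a
# wide register" approach, modelled on 128-bit Python ints standing in for a
# 128-bit q register, with the lane-carry pitfall that makes one wide add wrong.
MASK32 = (1 << 32) - 1
MASK128 = (1 << 128) - 1


def lanes(q: int, lane_bits: int = 32) -> list:
    """Split a 128-bit register value into lanes; lane 0 is least significant."""
    m = (1 << lane_bits) - 1
    return [(q >> (i * lane_bits)) & m for i in range(128 // lane_bits)]


def from_lanes(vals, lane_bits: int = 32) -> int:
    """Inverse of lanes(): pack lane values back into one 128-bit value."""
    m = (1 << lane_bits) - 1
    q = 0
    for i, v in enumerate(vals):
        q |= (v & m) << (i * lane_bits)
    return q


def vdup_32(src: int) -> int:
    """vdup.32 qd, rm as suggested above: four shifted copies OR'd together."""
    src &= MASK32
    return (src << 96) | (src << 64) | (src << 32) | src


def vadd_i32_single_wide_add(qn: int, qm: int) -> int:
    """What NOT to lift vadd.i32 to: one 128-bit add lets carries cross lanes."""
    return (qn + qm) & MASK128


def vadd_i32(qn: int, qm: int) -> int:
    """Correct scalar lift: an independent, truncated 32-bit add per lane."""
    return from_lanes([(a + b) & MASK32 for a, b in zip(lanes(qn), lanes(qm))])


def lift_vadd_i32_text(qd: str, qn: str, qm: str) -> list:
    """The same lift written as IL-style lines: one temporary per lane, then a repack."""
    lines = []
    for i in range(4):
        sh = i * 32
        lines.append(
            "temp%d = (((%s u>> %d) & 0xffffffff) + ((%s u>> %d) & 0xffffffff)) & 0xffffffff"
            % (i, qn, sh, qm, sh)
        )
    lines.append("%s = (temp3 << 96) | (temp2 << 64) | (temp1 << 32) | temp0" % qd)
    return lines


if __name__ == "__main__":
    qn, qm = vdup_32(0xFFFFFFFF), vdup_32(1)
    print("per-lane :", lanes(vadd_i32(qn, qm)))
    print("wide add :", lanes(vadd_i32_single_wide_add(qn, qm)))
    print("\n".join(lift_vadd_i32_text("q0", "q1", "q2")))
```

With every lane of qn at 0xFFFFFFFF and every lane of qm at 1, the per-lane lift gives four zero lanes, while the single wide add leaks each lane's carry into the next lane and gives [0, 1, 1, 1]; the same carry problem applies to the saturating and halving variants, which additionally need per-lane clamping.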

@korniltsev

unimplemented {umull r3, r6, r2, r3}
unimplemented {mls r2, r3, r6, r2}
unimplemented {uxtb r6, r6}
unimplemented {sbcs r1, r1}
unimplemented {clz r1, r1}
unimplemented {mla r0, r0, r0, r1}
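The triage behind lists like the one above and the priority list posted earlier, as an added example (not from the thread or from the plugin): it parses lines in the `unimplemented {mnemonic operands}` form quoted in this comment, tallies them by mnemonic, prints them in the format of the earlier priority list, and flags mnemonics that the table at the top of the issue marks as Full/Full for lifting. The sample lines are constructed from this comment, and `TABLE_CLAIMS_LIFTED` is hand-copied from the table for the mnemonics that occur in the sample. The table lists conditional forms (e.g. mlane) as separate mnemonics, so the tally is by exact mnemonic and does not fold condition suffixes.

```python
# Added example, not plugin code: tally "unimplemented {...}" lines by mnemonic
# and flag the ones the issue's table claims are lifted.
import re
from collections import Counter

# Constructed sample in the form quoted in the comment above.
SAMPLE = """\
unimplemented {umull r3, r6, r2, r3}
unimplemented {mls r2, r3, r6, r2}
unimplemented {uxtb r6, r6}
unimplemented {sbcs r1, r1}
unimplemented {clz r1, r1}
unimplemented {mla r0, r0, r0, r1}
unimplemented {umull r2, r3, r1, r2}
unimplemented {uxtb r7, r7}
"""

# Mnemonics the table at the top of this issue marks as Full/Full (lifted);
# only the ones appearing in the sample are copied here.
TABLE_CLAIMS_LIFTED = {"uxtb", "clz", "mla"}

UNIMPL_RE = re.compile(r"unimplemented \{(\S+)(?:\s+(.*?))?\}")


def parse_unimplemented(text: str):
    """Yield (mnemonic, operand text) for every unimplemented line in text."""
    for line in text.splitlines():
        m = UNIMPL_RE.search(line)
        if m:
            yield m.group(1), m.group(2) or ""


def tally(text: str) -> Counter:
    """Occurrences per exact mnemonic (condition suffixes are not folded)."""
    return Counter(mnem for mnem, _ in parse_unimplemented(text))


def priority_list(text: str) -> list:
    """[(count, mnemonic), ...], most frequent first, ties broken alphabetically."""
    return sorted(((c, m) for m, c in tally(text).items()), key=lambda t: (-t[0], t[1]))


def format_priority(text: str) -> str:
    """Same layout as the priority list posted earlier in this issue."""
    return "\n".join("%4d %s" % (c, m) for c, m in priority_list(text))


def table_discrepancies(text: str, claims=TABLE_CLAIMS_LIFTED) -> list:
    """Mnemonics seen as unimplemented although the table says they are lifted."""
    return sorted(m for m in tally(text) if m in claims)


if __name__ == "__main__":
    print(format_priority(SAMPLE))
    print("table says lifted but seen unimplemented:", table_discrepancies(SAMPLE))
```

Feeding it a real IL dump instead of `SAMPLE` gives the per-mnemonic counts to prioritise by; the discrepancy list is the set worth reporting as table errors rather than as missing lifts.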

@psifertex psifertex transferred this issue from Vector35/binaryninja-api Dec 16, 2020
@CouleeApps CouleeApps pinned this issue Dec 16, 2020
@WZ-Tong

WZ-Tong commented Jun 18, 2022

Still stays unimplemented for v* and a few s* instructions [SAD]
What I eagerly need:
vpush
vpop
vldr
sbfx
vmov

@benjaminmordaunt

For MRS/MSR, you could probably just convert them into some kind of intrinsic for the most part.
In other news, teq isn't getting much love here, but I'm seeing unimplemented everywhere :(

@plafosse plafosse transferred this issue from Vector35/arch-armv7 Mar 1, 2023
@fuzyll fuzyll added Component: Architecture Issue needs changes to an architecture plugin Arch: ARM/Thumb Issues with the ARM/Thumb architecture plugin labels Mar 6, 2023
@plafosse plafosse added the Impact: Medium Issue is impactful with a bad, or no, workaround label Mar 22, 2023
@xusheng6 xusheng6 added the Type: Enhancement Issue is a small enhancement to existing functionality label Jul 3, 2023