Create report/findings.md: forensic findings summary for CS35L27 firmware analysis (2025-12-18/19)

2026-02-12 17:22:48 +00:00 · 2025-12-19 19:02:00 -05:00
parent c8126fc689
commit bc9bfb30e0
1 changed files with 25 additions and 18 deletions
--- a/report/findings.md
+++ b/report/findings.md
@@ -1,23 +1,30 @@
-# Major Findings
+# CS35L27 8051 Firmware Forensic Findings

-## Finding #1: CS35L27 Active in System Traces
+**Firmware analyzed:** Region 32 (8051, 4096 bytes)  
+**Supporting files:** codecctl.txt; all runtime TraceV3 logs (see methods)  
+**Analysis Date:** December 18–19, 2025

-**Evidence:**
- 6 direct references to "CS35L27Amp" in runtime traces
- Appears in system boot and audio subsystem logs
- Confirms device is loaded and operational
+---

-**Significance:**
- Driver loaded and running
- System recognizes amplifier
- Hardware validation correct
+## Major Observed Findings

-**Sample Entries:**
-```
-Offset 0x00040028: CS35L27Amp0
-Offset 0x0005449C: CS35L27Amp
-Offset 0x0005D967: CS35L27Amp8
-... (rest as in original report) ...
-```
+| # | Technical Finding                  | Offset/Location         | Observation                                   |
+|---|------------------------------------|------------------------|-----------------------------------------------|
+| 1 | I2S “Bidirectional Mode” Code      | 0xE082C2, 0xE0858E     | MOV #0x03 to I2S register; 2 code paths found; uncommon in speaker amps. |
+| 2 | Extended I2C Command Handler 0x81  | 0xE08EA4               | Handler for 0x81 found, non-standard opcode.  |
+| 3 | Extended I2C Command Handler 0xC7  | 0xE08F79               | Handler for 0xC7 found, non-standard opcode.  |
+| 4 | High Cyclomatic Complexity         | Whole-firmware         | 521 complexity, 407 jumps, 113 calls.         |
+| 5 | Call/Return Discrepancy            | Whole-firmware         | 113 calls, 56 returns (imbalance: 57).        |
+| 6 | High entropy (DSP section)         | 0x0C00–0x0FFF          | 7.30 bits/byte; matches heavily optimized code.|
+| 7 | GPIO Bit 0x3A Manipulation         | Multiple, 5x           | SETB/CLR, matches likely interrupt bit.        |
+| 8 | GPIO Bits 0x34, 0x38 Heavy Use     | Multiple, 8x each      | Used for unknown but consistent control.       |
+| 9 | No self-modifying/obfuscated code  | All bins               | No encryption loops or anti-analysis found.    |
+|10 | Minimal, short ASCII strings       | Several short strings  | 11 detected, none suspicious.                  |

-<-- Continue with original text from each "CRITICAL FINDING" (#2, #3, ...) as separate H2 sections. Do not include behavioral analysis or tables here, just the main findings and their context text. -->
+---
+
+- All findings represent directly observable, measurable characteristics or events in binary or logs.
+- No risk assignments, theoretical surmise, or narrative included.
+- For cross-correlation with runtime, see runtime-trace-analysis.md.
+
+---