mirror of
https://github.com/JGoyd/CS35L27-Covert-Channel-Analysis.git
synced 2026-02-12 17:22:48 +00:00
Add analysis-methods.md: describes all objective binary and trace analysis methods used in this investigation.
@@ -1,35 +1,25 @@
# Analysis Methods
This document details only the objective methods and data sources used in the analysis of CS35L27 firmware. All narrative, interpretative, or speculative commentary has been excluded.
This document describes only the data sources and factual binary/trace analysis techniques used in this forensic investigation.
## Primary Data Sources
- Official CS35L27 firmware binary images.
- Publicly available datasheets and documentation from Cirrus Logic.
- Vendor-provided utilities for extracting firmware contents, where publicly redistributable.
- Open-source reverse engineering tools (e.g., Ghidra, Binwalk).
## Data Sources
- CS35L27 8051 firmware binary (Region 32, 4096 bytes) extracted from hardware.
- `codecctl.txt`: Registry and configuration dump obtained via device utilities; used for register offset and initialization value analysis.
- TraceV3 files:
- logdata_LiveData.tracev3 (3.3 MB)
- 00000000000076e4.tracev3 (7.6 MB)
- 000000000000442d.tracev3 (870 KB)
- 00000000000012fa.tracev3 (643 KB)
- 0000000000000005.timesync (46 KB)
## Objective Methods
### 1. Firmware Extraction
- Direct extraction of binary images from hardware or distribution files.
- Verification of image integrity through checksums or hashes.
## Objective Analysis Techniques
### 2. Binary Analysis
- Use of Ghidra and Binwalk for static analysis of binary structure.
- Identification and separation of code, data, and metadata sections.
- Static code analysis of 8051 binaries using Ghidra and Binwalk.
- String and pattern search via `strings`, regex, and custom scripts.
- Use of `codecctl.txt` for mapping register use and initialization state.
- Function boundary, call/return and jump/dispatch analysis via 8051 disassembly.
- Entropy mapping of binary regions for obfuscation/encryption checks.
- Systematic cross-check of firmware code/constant addresses with observed runtime behaviors in TraceV3 (hex and ASCII context).
- Counting and cataloging of event types including extended I2C commands, GPIO toggling, and I2S register values.
### 3. Strings and Pattern Search
- Systematic use of `strings` and regular expressions to locate text and code patterns in binaries.
### 4. Function Identification
- Automated function boundary detection via Ghidra.
- Cross-referencing documented routines with observed binary segments.
### 5. Data Extraction
- Extraction of configuration tables and constant data from designated binary offsets using custom scripts.
### 6. Comparative Analysis
- Byte-wise and structural comparisons between multiple firmware images using `cmp`, `diff`, and custom tooling.
---
All steps above use only publicly available tools and verifiable methods. No conclusions, narrative interpretations, or speculative extrapolations are included in this document.
No non-public sources, inference, or speculation beyond direct result of binary/runtime/config file examination are recorded here.
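Review bot: the data sources are identified only by name and size (Region 32, 4096 bytes; logdata_LiveData.tracev3, 3.3 MB; and so on) while the "Verification of image integrity through checksums or hashes" bullet records no hash values, so none of the inputs can be independently matched to what was analysed. Add a SHA-256 for the firmware image, `codecctl.txt`, each `.tracev3` file and the `.timesync` file, and state the Ghidra and Binwalk versions and the extraction procedure behind "extracted from hardware". Two smaller points: the techniques list carries "Static code analysis of 8051 binaries using Ghidra and Binwalk" alongside "Use of Ghidra and Binwalk for static analysis of binary structure" and repeats the `strings`/regex search under both the Binary Analysis list and section 3, so one of each pair can go; and the "Entropy mapping of binary regions for obfuscation/encryption checks" bullet should state the window size and the threshold used to flag a region, since the document otherwise presents these as reproducible methods.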