I'm trying to learn skills useful in firmware modding (for which I don't have source code). These questions concern the use of BX from Thumb code to jump to or call other existing Thumb code.
- How do I use BX to JUMP to existing firmware THUMB code from my THUMB code?
- How do I use BX to CALL an existing THUMB function (must set LR first) from my THUMB code?
My understanding is that the CPU looks at the LSB (bit 0) and I have to make sure this is set to 1 in order to keep the CPU in "Thumb state".
So I guess I have to ADD 1 to set the LSB to 1.
So... say I want to just JUMP to 0x24000 (in the middle of some existing THUMB code):
LDR R6, =0x24000
ADD R6, #1 @ (set lsb to 1)
BX R6
I think this is correct?
Now say I want to CALL an existing Thumb function using BX, and I want it to return to me, so I need to set LR to where I want it to return.
Let's say the function I want to call is at 0x24000. It was suggested to me to use:
ldr r2, =0x24000
mov lr, pc
bx r2
Here comes what I don't understand:
The address in R2 doesn't have the LSB set... so won't
bx r2
switch the mode to ARM mode?? The LR... The PC has the address of (beginning of the current instruction + 4), I was told. In both Thumb and ARM, any instruction address has to be aligned (16-bit or 32-bit), so it won't have the LSB set to 1. Only odd numbers have the LSB set to 1.
So in the code above, I'm setting LR to (PC), an address that DOESN'T have the LSB set to 1 either. So when the function I called comes to its epilogue and does BX LR, ... uhmmm... how can that work to return to my THUMB code? I must be missing something...
Normally BL is used to call functions. The manual says the BL instruction sets LR to the next line of code...
So does this mean that a (normally used) BL THUMB instruction sets LR to (return addr + 1) automatically?
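The three situations the question asks about (a plain jump, a call on a core that has BLX, and a call on an ARMv4T core that does not), written out in GNU assembler Thumb syntax as an added example. This is not code from the original post and has not been run against the asker's firmware; the 0x24000 addresses are the post's own placeholder, and the `.equ` names and labels are my choice.

```asm
    .syntax unified
    .thumb
    .text

@ Constructed placeholders: the post's 0x24000 stands in for some
@ existing Thumb code / Thumb function inside the firmware image.
    .equ FW_THUMB_CODE, 0x24000
    .equ FW_THUMB_FUNC, 0x24000

@ 1. Plain jump into existing Thumb code.  BX takes the new state from
@    bit 0 of the register, so the literal carries bit 0 = 1; ORing it
@    into the constant replaces the separate ADD #1 from the post.
jump_into_fw:
    ldr r6, =(FW_THUMB_CODE | 1)
    bx  r6                      @ no return; bit 0 = 1 -> stays in Thumb

@ 2. Call on ARMv5T and later: BLX <reg> writes (address of the next
@    instruction | 1) into LR by itself and branches with the state
@    taken from bit 0 of r2, so the callee's BX LR comes back here in
@    Thumb state.  MOV LR, PC is not needed (and would leave bit 0 clear).
call_fw_blx:
    push {r4, lr}
    ldr  r2, =(FW_THUMB_FUNC | 1)
    blx  r2
    pop  {r4, pc}               @ caller assumed to be Thumb code

@ 3. Call on ARMv4T, which has no BLX <reg>: BL to a local trampoline.
@    Thumb BL stores (address of the instruction after BL | 1) in LR,
@    i.e. with the Thumb bit already set.  The trampoline's BX then goes
@    to the target, and the target's BX LR returns to the instruction
@    after the BL, in Thumb state.
call_fw_v4t:
    push {r4, lr}
    ldr  r2, =(FW_THUMB_FUNC | 1)
    bl   thumb_call_via_r2
    pop  {r4, pc}               @ on ARMv4T POP {pc} does not interwork,
                                @ fine here because the caller is Thumb

thumb_call_via_r2:
    bx   r2                     @ LR already holds (return address | 1)

    .ltorg                      @ emit the literal pool for the LDR =... above
```

The point to check in a disassembly of any firmware you patch is where bit 0 ends up: BL and BLX set it in LR for you, MOV LR, PC does not (PC reads back as an aligned address), and BX of a register whose bit 0 is clear switches the core to ARM state, which is usually the reason a patched call sequence faults on the first instruction of the callee.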