• Ghidra / Sleigh 11.4
• Language Id: ARM:LE:32:v8-m
  • ARM8m_le.sla
  • ARMCortex.pspec

Target MCU: RP2350 Cortex-M33

Sample program: The Official Raspberry Pi Pico Examples Repo (adc_dma_capture)

Compiled ELF Image: adc_dma_capture.elf.gz

Navigate to the function generic_save_state at address 0x10001778.

The Sleigh decompiler cannot handle the mrrc2 instruction at 0x1000177c.

10001778 <$t>:
10001778 <generic_save_state>:
10001778: b086          sub sp, #0x18
1000177a: b403          push    {r0, r1}
1000177c: fc51 0408     mrrc2   p4, #0x0, r0, r1, c8
10001780: e9cd 0102     strd    r0, r1, [sp, #8]
10001784: fc51 0409     mrrc2   p4, #0x0, r0, r1, c9
10001788: e9cd 0104     strd    r0, r1, [sp, #16]
1000178c: ec51 040a     mrrc    p4, #0x0, r0, r1, c10
10001790: e9cd 0106     strd    r0, r1, [sp, #24]
10001794: bc03          pop {r0, r1}
10001796: 47f0          blx lr

I have verified that sleigh can correctly decompile all opcodes except for the mrr* opcodes.

From the RP2350 Datasheet:

Hypothesis

• ARM8m_le.slaspec:

  • defines T_VARIANT ""
  • defines CDE ""
  • includes ARM.sinc
  • includes ARM_CDE.sinc

• ARM_CDE.sinc does not define any mrr* instructions

• mrrc2 is defined in the following two files:

  • ARMinstructions.sinc
  • ARMTHUMBinstructionss.sinc

However:

• ARMTHUMBinstructions.sinc, Line 2742 is only defined if CDE is not defined (and it is)
• ARMinstructions.sinc, Line 15 enforces ARM mode, not THUMB mode, so the Cortex-M33 instruction does not get decoded.

Impact

The Cortex-M33 with coprocessor extensions is a wildly popular combination... the RP2350 is one, and the NXP MCX N94x/54x as well.

I believe the Renasas RA8 Cortex-M85 Series also use the coprocessor extensions...