README.md

This is a test how well ScratchABit works, taking the ESP8266 BootROM/SDK binary blobs as an example.

This directory can be browsed in 2 ways:

• At /~https://github.com/pfalcon/xtensa-subjects/tree/master/2.0.0-p20160809 , using Github's repository viewer. This is convinient because you can see repository structure and all files, but due to limitations of repository viewer, you won't be able to browse some files as expected (e.g. HTML, SVG, etc.) - they will be shown in plaintext.
• At https://pfalcon.github.io/xtensa-subjects/2.0.0-p20160809/ , via "Github pages". There're no directory listings, but you will be able to follow links to HTML, SVG, etc., with one click.

Things available in this directory:

• esp8266-sdk-2.0.0-p20160809 - ESP8266 SDK libraries linked together into a single self-contained ELF file, suitable for disassembly. (BootROM is still separate of course).
• esp8266-sdk-2.0.0-p20160809.map - link map file produced while linking the above.
• esp8266-sdk-2.0.0-p20160809.def and esp8266-sdk-2.0.0-p20160809.scratchabit/ (directory) - ScratchABit definition file and information database. See below on how to run ScratchABit.
• out.lst (~15MB) - complete plain-text disassembly listing generated by ScratchABit. Note that it represents more or less the complete ESP8266 address space, with BootROM, iRAM, FlashROM-mapped code, dRAM, and even memory-mapped IO. You probably want to search e.g. 40000000 address to start looking at the BootROM disassembly.
• out.html (~40MB) - like above, but in cross-linked HTML format. You can follow jumps or calls by clicking links, and send links to a particular address/label to other folks. E.g., ESP8266 starts execution after reset at _ResetVector, so you can follow the boot process starting from there.
• callgraph.dot and callgraph.svg is a call graph, in Graphviz .dot format and SVG respectively. Currently, generated for BootROM functions only (not complete SDK libs). For online browsing, use SVG or online .dot viewer: browse callgraph.dot (use browser page zoom in/zoom out).

While you can browse pre-generated files above, a better approach is however to use ScratchABit for browsing the code and to continue researching it. For this:

1. Install ScratchABit as described in its README.
2. Install Xtensa CPU plugin as described in the same README.
3. Make ScratchABit.py available via PATH.
4. Run start.sh from this repository to load the project.

More info available at https://groups.google.com/forum/#!topic/esp8266-re/SJicbstg5TQ and in https://groups.google.com/forum/#!forum/esp8266-re in general.

To produce a call graph of BootROM functions:

1. Install ScratchABlock, a sister project to ScratchABit, a program transformation/decompilation framework. Add it to PATH.
2. Uncomment the corresponding line in start.sh, run it once, and comment the line again. This will produce function listings in funcs/ directory.
3. Run callgraph.sh.
4. The generated callgraph is in callgraph.dot and callgraph.svg files. You can browse the latter using a web browser. But it's recommended to install xdot tool and use it to browse callgraph.dot directly. xdot is available in the popular Linux distros, but you may get more features (e.g. search) if you install the latest version from the repository: /~https://github.com/jrfonseca/xdot.py