Overview
Cisco Talos has a new plugin available for IDA Pro that provides a new disassembler for TileGX binaries. This tool should assist researchers in reverse-engineering threats in IDA Pro that target TileGX.
We started developing this tool after the VPNFilter campaign last year, where attackers targeted hundreds of wireless routers across the globe. During our research of this attack, Talos researchers came across several sophisticated malware samples targeting Tilera's TileGX processor architecture. Processors based on TileGX are used in many small and home office routers (SOHO), which were the primary targets in VPNFilter. The analysis toolset for this architecture is quite limited: objdump is capable of disassembling the ELF binaries but more sophisticated and easier-to-use tools such as IDA Pro and Ghidra are not.
This prompted us to look into developing an IDA Pro processor module. As libopcode —, the library powering objdump — already has support for the TileGX architecture, it seemed obvious to build the module on this library, instead of trying to write our own instruction decoder. Due to speed considerations, that also meant developing a processor module in C++, as opposed to most online available open-source processor modules written in Python. Luckily, the IDA Pro SDK has good source code examples of processor modules, which were a great help.
The resulting processor module provides a working disassembler for TileGX programs. It is not the fastest at the moment, and due to the binutils dependency, it currently only compiles on Linux, but it should help any reverse engineer who has to look into threats targeting the TileGX architecture.
