SuperH, often abbreviated as SH, is a RISC ISA developed by Hitachi. SuperH went through several iterations, starting from SH-1 and moving up to SH-4. The more recent SH-5 has two modes of operation, one of which is identical to the user-mode instructions of SH-4, while another, SHmedia, is quite different. Each family takes its own market niche:

• SH-1: Home appliances
• SH-2: Car controllers and video game consoles such as Sega Saturn
• SH-3: Mobile applications such as car navigators
• SH-4: Car multimedia terminals and video game consoles such as Sega Dreamcast
• SH-5: High-end multimedia applications

Microcontrollers and CPUs implementing it are currently produced by Renesas Electronics, a joint venture of the Hitachi and Mitsubishi Semiconductor groups. As IoT malware mainly targets SH-4-based systems, we will focus on this SuperH family.

In terms of registers, SH-4 offers the following:

• 16 general registers R0-R15 (32-bit)
• 7 control registers (32-bit):
  • Global Base Register (GBR)
  • Status Register (SR)
  • Saved Status Register (SSR)
  • Saved Program Counter (SPC)
  • Vector Base Counter (VBR)
  • Saved General Register (SGR) 15 
  • Debug Base Register (DBR) (only from the privileged mode)
• 4 system registers (32-bit):
  • MACH/MACL: Multiply-and-accumulate registers
  • PR: Procedure register
  • PC
  • FPSCR: Floating-point status/control register
• 32 FPU registers FR0-FR15 (also known as DR0/2/4/... or FV0/4/...) and XF0-XF15 (also known as XD0/2/4/... or XMTRX); two banks of either 16 single-precision (32-bit) or eight double-precision (64-bit) FPRs and FPUL (floating-point communication register) (32-bit)

Usually, R4-R7 are used to pass arguments to a function with the result returned in R0. R8-R13 are saved across multiple function calls. R14 serves as the frame pointer and R15 as a stack pointer.

Regarding the data formats, in SH-4, a word takes 16 bits, a long word takes 32 bits, and a quad word takes 64 bits.

Two processor modes are supported: user mode and privileged mode. SH-4 generally operates in the user mode and switches to the privileged mode in case of an exception or an interrupt.

The SH-4 features instruction set is upward-compatible with the SH-1, SH-2, and SH-3 families. It uses 16-bit fixed length instructions in order to reduce the program code size. Except for BF and BT, all branch instructions and the RTE (return from exception instruction) implement so-called delayed branches, where the instruction following the branch is executed before the branch destination instruction.

All instructions are split into the following categories (with some examples):

• Fixed-point transfer instructions:
  • MOV: Move data (or particular data types specified)
  • SWAP: Swap register halves
• Arithmetic operation instructions:
  • SUB: Subtract binary numbers
  • CMP/EQ: Compare conditionally (in this case on equal to)

• Logic operation instructions:
  • AND: AND logical
  • XOR: Exclusive or logical
• Shift instructions:
  • ROTL: Rotate left
  • SHLL: Shift logical left
• Branch instructions:
  • BF: Branch if false
  • JMP: Jump (unconditional branch)
• System control instructions:
  • LDC: Load to control register
  • STS: Store system register
• Floating-point single-precision instructions:
  • FMOV: Floating-point move
• Floating-point double-precision instructions:
  • FABS: Floating-point absolute value
• Floating-point control instructions:
  • LDS: Load to FPU system register
• Floating-point graphics acceleration instructions
  • FIPR: Floating-point inner product