Rhinoceros hauv miv - khiav lub firmware hauv Kopycat emulator


As part of the 0x0A DC7831 DEF CON Nizhny Novgorod conference on February 16, we gave a talk on the basics of binary code emulation and on our own development, the Kopycat hardware platform emulator.

In this article we will show how to run a device's firmware in the emulator, demonstrate interaction with a debugger, and perform a brief dynamic analysis of the firmware.

Background

A long time ago, in a galaxy far, far away

A few years ago our lab needed to examine the firmware of a device. The firmware was compressed and was unpacked by a bootloader. The bootloader did this in a very convoluted way, shuffling data around in memory several times. The firmware itself then actively interacted with peripherals. And all of this on a MIPS core.

For objective reasons the existing emulators did not suit us, but we still wanted to run the code. So we decided to write our own emulator that would do the bare minimum and let us unpack the main firmware. We tried it, and it worked. Then we thought: what if we add peripherals and run the main firmware as well? It was not very painful, and that worked too. We thought again and decided to make a full-fledged emulator.

The result is the Kopycat computer systems emulator.

Why Kopycat?

There is a play on words.

  1. copycat (English, noun [ˈkɒpɪkæt]) - imitator, mimic
  2. cat (English, noun [ˈkæt]) - cat, kitty - the favourite animal of one of the project's creators
  3. The letter "K" comes from the Kotlin programming language

Kopycat

When creating the emulator, very specific goals were set:

  • the ability to quickly create new peripherals, modules and processor cores;
  • the ability to assemble a virtual device from various modules;
  • the ability to load arbitrary binary data (firmware) into the memory of the virtual device;
  • the ability to work with snapshots (saved images of the system state);
  • the ability to interact with the emulator through a built-in debugger;
  • a pleasant, modern language for development.

As a result, Kotlin was chosen for the implementation, together with a bus architecture (modules communicate with each other over virtual data buses), JSON as the device description format, and the GDB RSP protocol for interaction with the debugger.

Development has been going on for a little over two years and is actively continuing. During this time MIPS, x86, V850ES, ARM and PowerPC processor cores have been implemented.

The project is growing and it is time to present it to a wider audience. We will give a detailed description of the project later; for now we will focus on using Kopycat.

For the most impatient, a promo version of the emulator can be downloaded from the link.

Rhino in the emulator

Recall that earlier, for the SMARTRHINO-2018 conference, the "Rhinoceros" test device was created for teaching reverse engineering skills. The process of static analysis of its firmware was described in this article.

Now let's add some "dynamics" and run the firmware in the emulator.

We will need:
1) Java 1.8
2) Python and the jep module, to use Python inside the emulator. The Jep WHL module we built for Windows can be downloaded here.

For Windows:
1) com0com
2) PuTTY

For Linux:
1) socat

Eclipse, IDA Pro or radare2 can be used as the GDB client.

How does it work?

To run firmware in the emulator, a virtual device has to be "assembled" that is an analogue of the real device.

The real device ("rhino") is shown in the block diagram:


The emulator has a modular structure, and the final virtual device is described in a JSON file:

{
  "top": true,

  // Plugin name should be the same as file name (or full path from library start)
  "plugin": "rhino",

  // Directory where plugin places
  "library": "user",

  // Plugin parameters (constructor parameters if jar-plugin version)
  "params": [
    { "name": "tty_dbg", "type": "String"},
    { "name": "tty_bt", "type": "String"},
    { "name": "firmware", "type": "String", "default": "NUL"}
  ],

  // Plugin outer ports
  "ports": [  ],

  // Plugin internal buses
  "buses": [
    { "name": "mem", "size": "BUS30" },
    { "name": "nand", "size": "4" },
    { "name": "gpio", "size": "BUS32" }
  ],

  // Plugin internal components
  "modules": [
    {
      "name": "u1_stm32",
      "plugin": "STM32F042",
      "library": "mcu",
      "params": {
        "firmware:String": "params.firmware"
      }
    },
    {
      "name": "usart_debug",
      "plugin": "UartSerialTerminal",
      "library": "terminals",
      "params": {
        "tty": "params.tty_dbg"
      }
    },
    {
      "name": "term_bt",
      "plugin": "UartSerialTerminal",
      "library": "terminals",
      "params": {
        "tty": "params.tty_bt"
      }
    },
    {
      "name": "bluetooth",
      "plugin": "BT",
      "library": "mcu"
    },

    { "name": "led_0",  "plugin": "LED", "library": "mcu" },
    { "name": "led_1",  "plugin": "LED", "library": "mcu" },
    { "name": "led_2",  "plugin": "LED", "library": "mcu" },
    { "name": "led_3",  "plugin": "LED", "library": "mcu" },
    { "name": "led_4",  "plugin": "LED", "library": "mcu" },
    { "name": "led_5",  "plugin": "LED", "library": "mcu" },
    { "name": "led_6",  "plugin": "LED", "library": "mcu" },
    { "name": "led_7",  "plugin": "LED", "library": "mcu" },
    { "name": "led_8",  "plugin": "LED", "library": "mcu" },
    { "name": "led_9",  "plugin": "LED", "library": "mcu" },
    { "name": "led_10", "plugin": "LED", "library": "mcu" },
    { "name": "led_11", "plugin": "LED", "library": "mcu" },
    { "name": "led_12", "plugin": "LED", "library": "mcu" },
    { "name": "led_13", "plugin": "LED", "library": "mcu" },
    { "name": "led_14", "plugin": "LED", "library": "mcu" },
    { "name": "led_15", "plugin": "LED", "library": "mcu" }
  ],

  // Plugin connection between components
  "connections": [
    [ "u1_stm32.ports.usart1_m", "usart_debug.ports.term_s"],
    [ "u1_stm32.ports.usart1_s", "usart_debug.ports.term_m"],

    [ "u1_stm32.ports.usart2_m", "bluetooth.ports.usart_m"],
    [ "u1_stm32.ports.usart2_s", "bluetooth.ports.usart_s"],

    [ "bluetooth.ports.bt_s", "term_bt.ports.term_m"],
    [ "bluetooth.ports.bt_m", "term_bt.ports.term_s"],

    [ "led_0.ports.pin",  "u1_stm32.buses.pin_output_a", "0x00"],
    [ "led_1.ports.pin",  "u1_stm32.buses.pin_output_a", "0x01"],
    [ "led_2.ports.pin",  "u1_stm32.buses.pin_output_a", "0x02"],
    [ "led_3.ports.pin",  "u1_stm32.buses.pin_output_a", "0x03"],
    [ "led_4.ports.pin",  "u1_stm32.buses.pin_output_a", "0x04"],
    [ "led_5.ports.pin",  "u1_stm32.buses.pin_output_a", "0x05"],
    [ "led_6.ports.pin",  "u1_stm32.buses.pin_output_a", "0x06"],
    [ "led_7.ports.pin",  "u1_stm32.buses.pin_output_a", "0x07"],
    [ "led_8.ports.pin",  "u1_stm32.buses.pin_output_a", "0x08"],
    [ "led_9.ports.pin",  "u1_stm32.buses.pin_output_a", "0x09"],
    [ "led_10.ports.pin", "u1_stm32.buses.pin_output_a", "0x0A"],
    [ "led_11.ports.pin", "u1_stm32.buses.pin_output_a", "0x0B"],
    [ "led_12.ports.pin", "u1_stm32.buses.pin_output_a", "0x0C"],
    [ "led_13.ports.pin", "u1_stm32.buses.pin_output_a", "0x0D"],
    [ "led_14.ports.pin", "u1_stm32.buses.pin_output_a", "0x0E"],
    [ "led_15.ports.pin", "u1_stm32.buses.pin_output_a", "0x0F"]
  ]
}

Pay attention to the firmware parameter in the params section: this is the name of the file that will be loaded into the virtual device as its firmware.
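As an added example (not Kopycat's own code), the script below runs consistency checks over a device description in the format shown above: it strips the // comments the file uses, then flags connections that name undeclared modules, module params that refer to undeclared top-level params, and two devices wired to the same offset of one bus. The endpoint shape "module.ports.x" / "module.buses.x" is inferred from the page's file, and the shortened sample embedded in the script is constructed from it.

```python
"""Consistency checks for a Kopycat-style device description (JSON with // comments).
Added example, not Kopycat's own code: it catches the wiring mistakes that would
otherwise surface only as a virtual board that silently fails to come up."""
import json
import re
from collections import defaultdict

# Constructed, shortened version of the page's rhino description.
SAMPLE = r'''
{
  "plugin": "rhino",   // plugin name == file name
  "params": [
    { "name": "tty_dbg", "type": "String"},
    { "name": "firmware", "type": "String", "default": "NUL"}
  ],
  "buses": [ { "name": "gpio", "size": "BUS32" } ],
  "modules": [
    { "name": "u1_stm32", "plugin": "STM32F042", "library": "mcu",
      "params": { "firmware:String": "params.firmware" } },
    { "name": "usart_debug", "plugin": "UartSerialTerminal",
      "library": "terminals", "params": { "tty": "params.tty_dbg" } },
    { "name": "led_0", "plugin": "LED", "library": "mcu" },
    { "name": "led_1", "plugin": "LED", "library": "mcu" }
  ],
  "connections": [
    [ "u1_stm32.ports.usart1_m", "usart_debug.ports.term_s" ],
    [ "u1_stm32.ports.usart1_s", "usart_debug.ports.term_m" ],
    [ "led_0.ports.pin", "u1_stm32.buses.pin_output_a", "0x00" ],
    [ "led_1.ports.pin", "u1_stm32.buses.pin_output_a", "0x01" ]
  ]
}
'''

# Either a JSON string literal (kept) or a // comment to end of line (dropped).
COMMENT_OR_STRING = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')
ENDPOINT = re.compile(r"^(\w+)\.(ports|buses)\.(\w+)$")


def strip_comments(text: str) -> str:
    """Drop // comments without touching // sequences inside string literals."""
    return COMMENT_OR_STRING.sub(lambda m: m[0] if m[0].startswith('"') else "", text)


def check_device(text: str) -> list[str]:
    """Return the problems found; an empty list means the description is consistent."""
    dev = json.loads(strip_comments(text))
    modules = {m["name"] for m in dev.get("modules", [])}
    params = {p["name"] for p in dev.get("params", [])}
    errors = []

    # "params.<x>" inside a module must refer to a declared top-level param.
    for m in dev.get("modules", []):
        for key, val in m.get("params", {}).items():
            if isinstance(val, str) and val.startswith("params.") and val[7:] not in params:
                errors.append(f"{m['name']}.{key}: undeclared top-level param {val!r}")

    used = defaultdict(set)  # bus endpoint -> offsets already wired to it
    for conn in dev.get("connections", []):
        if len(conn) not in (2, 3):
            errors.append(f"{conn!r}: expected 2 endpoints plus optional offset")
            continue
        for ep in conn[:2]:
            mt = ENDPOINT.match(ep)
            if mt is None:
                errors.append(f"{conn!r}: malformed endpoint {ep!r}")
            elif mt[1] not in modules:
                errors.append(f"{conn!r}: unknown module {mt[1]!r}")
        if len(conn) == 3:
            # The offset selects a line on a bus; two devices on one line collide.
            bus = next((ep for ep in conn[:2] if ".buses." in ep), None)
            try:
                off = int(conn[2], 0)
            except ValueError:
                errors.append(f"{conn!r}: offset {conn[2]!r} is not a number")
                continue
            if bus is None:
                errors.append(f"{conn!r}: offset given without a bus endpoint")
            elif off in used[bus]:
                errors.append(f"{conn!r}: offset {conn[2]} already used on {bus}")
            else:
                used[bus].add(off)
    return errors
```

Running check_device on the page's full rhino description would work the same way; the sample here is just kept short.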

The virtual device and its interaction with the host OS can be represented by the following diagram:

The current test instance of the emulator interacts with COM ports of the host OS (the debug UART and the UART of the Bluetooth module). These can be real ports with devices connected to them, or virtual COM ports (for this you only need com0com/socat).

There are currently two main ways to interact with the emulator from the outside:

  • the GDB RSP protocol (accordingly, the tools that support this protocol: Eclipse / IDA / radare2);
  • the emulator's internal command line (Argparse or Python).

Virtual COM ports

To interact with the UART of the virtual device from a terminal on the local machine, you need to create a pair of linked virtual COM ports. In our case one port is used by the emulator and the other by the terminal program (PuTTY or screen):

Using com0com

Virtual COM ports are configured with the setup utility from the com0com package (console version - C:\Program Files (x86)\com0com\setupc.exe, or GUI version - C:\Program Files (x86)\com0com\setupg.exe):

Check the enable buffer overrun box for all created virtual ports, otherwise the emulator will block waiting for a response from the COM port.

Using socat

On UNIX systems the emulator creates the virtual COM ports itself using the socat utility; to do this, just add the prefix socat: to the port name when launching the emulator.

Internal command line interface (Argparse or Python)

Since Kopycat is a console application, the emulator provides two command-line interface options for interacting with its objects and variables: Argparse and Python.

Argparse is the CLI built into Kopycat and is always available.

The alternative CLI is the Python interpreter. To use it, you need to install the Jep Python module and configure the emulator to work with Python (the Python interpreter installed on the host system will be used).

Installing the Jep Python module

On Linux, Jep can be installed via pip:

pip install jep

To install Jep on Windows, you first need the Windows SDK and a full Microsoft Visual Studio. We have made this a bit easier: we built Jep WHL packages for current Python versions on Windows, so the module can be installed from a file:

pip install jep-3.8.2-cp27-cp27m-win_amd64.whl

To check the Jep installation, run the following on the command line:

python -c "import jep"

The following message should come back in response:

ImportError: Jep is not supported in standalone Python, it must be embedded in Java.

In the emulator's launch script for your OS (kopycat.bat for Windows, kopycat for Linux), add the extra parameter -Djava.library.path to the list of DEFAULT_JVM_OPTS; it must contain the path to the installed Jep module.

As a result, on Windows the line should look like this:

set DEFAULT_JVM_OPTS="-XX:MaxMetaspaceSize=256m" "-XX:+UseParallelGC" "-XX:SurvivorRatio=6" "-XX:-UseGCOverheadLimit" "-Djava.library.path=C:/Python27/Lib/site-packages/jep"

Launching Kopycat

The emulator is a console JVM application. It is launched from the system command line (sh / cmd).

Command to run on Windows:

bin\kopycat -g 23946 -n rhino -l user -y library -p firmware=firmware\rhino_pass.bin,tty_dbg=COM26,tty_bt=COM28

Command to run on Linux, using the socat utility:

./bin/kopycat -g 23946 -n rhino -l user -y library -p firmware=./firmware/rhino_pass.bin,tty_dbg=socat:./COM26,tty_bt=socat:./COM28

  • -g 23946 - the TCP port that will be opened for access to the GDB server;
  • -n rhino - the name of the top system module (the assembled device);
  • -l user - the name of the library in which to look for the top module;
  • -y library - the path to search for the modules that make up the device;
  • firmware\rhino_pass.bin - the path to the firmware file;
  • COM26 and COM28 - the virtual COM ports.

As a result, the Python > (or Argparse >) prompt will appear:

18:07:59 INFO [eFactoryBuilder.create ]: Module top successfully created as top
18:07:59 INFO [ Module.initializeAndRes]: Setup core to top.u1_stm32.cortexm0.arm for top
18:07:59 INFO [ Module.initializeAndRes]: Setup debugger to top.u1_stm32.dbg for top
18:07:59 WARN [ Module.initializeAndRes]: Tracer wasn't found in top...
18:07:59 INFO [ Module.initializeAndRes]: Initializing ports and buses...
18:07:59 WARN [ Module.initializePortsA]: ATTENTION: Some ports has warning use printModulesPortsWarnings to see it...
18:07:59 FINE [ ARMv6CPU.reset ]: Set entry point address to 08006A75
18:07:59 INFO [ Module.initializeAndRes]: Module top is successfully initialized and reset as a top cell!
18:07:59 INFO [ Kopycat.open ]: Starting virtualization of board top[rhino] with arm[ARMv6Core]
18:07:59 INFO [ GDBServer.debuggerModule ]: Set new debugger module top.u1_stm32.dbg for GDB_SERVER(port=23946,alive=true)
Python >

Interacting with IDA Pro

To simplify testing, we use the Rhino firmware in the form of an ELF file as the file for analysis in IDA (the meta information is stored there).

You can also use the plain firmware without meta information.

After launching Kopycat, in IDA Pro go to the Debugger menu, item "Switch debugger…", and select "Remote GDB debugger". Next, configure the connection: menu Debugger - Process options…

Set the values:

  • Application - any value
  • Hostname: 127.0.0.1 (or the IP address of the remote machine where Kopycat is running)
  • Port: 23946


Now the debug button becomes available (F9 key):


Clicking it connects to the debugger module in the emulator. IDA enters debugging mode and additional windows become available: register information and the stack.

Now we can use all the standard debugger features:

  • step-by-step instruction execution (Step into and Step over - F7 and F8 keys, respectively);
  • starting and pausing execution;
  • creating breakpoints on both code and data (F2 key).

Connecting to the debugger does not mean the firmware code is running. The current execution position should be address 0x08006A74, the start of the Reset_Handler function. If you scroll down the listing, you can see the call to the main function. Place the cursor on that line (address 0x08006ABE) and execute Run to cursor (F4 key).


Next, press F7 to step into the main function.

If you run the Continue process command (F9 key), a "Please wait" window appears with a single Suspend button:


When you press Suspend, execution of the firmware code is suspended and can later be continued from the same address in the code at which it was interrupted.

If you let the code continue executing, the following lines appear in the terminals connected to the virtual COM ports:


The "state bypass" line indicates that the virtual Bluetooth module has switched to the mode of receiving data from the user's COM port.

Now, in the Bluetooth terminal (COM29 in the picture), you can enter commands according to the Rhino protocol. For example, the "MEOW" command returns the string "mur-mur" to the Bluetooth terminal:


Emulate me, but not completely

When building an emulator, you can choose the level of detail at which a particular device is emulated. For example, the Bluetooth module can be emulated in several ways:

  • the device is fully emulated, with its complete set of commands;
  • only the AT commands are emulated, and the data stream is taken from a COM port of the host system;
  • the virtual device fully redirects the data to a real device;
  • a simple stub that always answers "OK".

The current version of the emulator uses the second approach: the virtual Bluetooth module performs its configuration and then switches to "proxying" data from the host system's COM port to the emulator's UART port.


Consider a simple instrumentation of the code for the case where part of the peripherals is not implemented. For example, if the timer responsible for driving the data transfer to the DMA is not created (the check is performed in the ws2812 wait function at 0x08006840), then the firmware will wait forever for the busy flag at 0x200004C4 to be reset, which signals that the DMA data line is busy:


We can work around this by manually resetting the busy flag immediately after it has been set. In IDA Pro you can create a Python function and call it from a breakpoint, placing the breakpoint itself in the code right after the value 1 is written to the busy flag.

Breakpoint handler

First, let's create the Python function in IDA. Menu File - Script command…

Add a new snippet in the list on the left, give it a name (for example, BPT), and enter the function code in the text field on the right:

from idc import Byte, PatchDbgByte  # IDAPython API names of the IDA version used here

def skip_dma():
    # Breakpoint condition: clear the busy flag at 0x200004C4 right after the
    # firmware sets it, so the ws2812 wait loop does not spin on a DMA that is never emulated.
    print("Skipping wait ws2812...")
    value = Byte(0x200004C4)
    if value == 1:
        PatchDbgByte(0x200004C4, 0)
    return False  # False: the debugger does not stop at this breakpoint


Then press Run and close the script window.

Now go to the code at 0x0800688A, set a breakpoint (F2 key), and edit it (context menu Edit breakpoint…), not forgetting to set the script type to Python:


If the current value of the busy flag equals 1, the skip_dma function must be executed; enter it in the script line:


If you now run the firmware, the result of the breakpoint handler can be seen in the IDA output window as the line Skipping wait ws2812.... The firmware will no longer wait for the busy flag to be reset.

Interacting with the emulator

Emulation for the sake of emulation is unlikely to bring joy and delight. It is far more interesting when the emulator helps the researcher see data in memory or establish how threads interact.

We will show how to dynamically establish the interaction between RTOS tasks. First pause code execution if it is running. If you go to the bluetooth_task_entry function, to the branch that handles the "LED" command (address 0x080057B8), you can see what is first created and then sent as a message to the system queue ledControlQueueHandle.


Set a breakpoint on access to the variable ledControlQueueHandle at 0x20000624 and continue code execution:


As a result, execution first stops at address 0x080057CA, before the call to osMailAlloc, then at address 0x08005806, before the call to osMailPut, and then, after a while, at address 0x08005BD4 (before the call to osMailGet), which belongs to the leds_task_entry function (the LED task). That is, the tasks have switched and the LED task now has control.

In this simple way you can establish how RTOS tasks interact with each other.

Of course, in reality the interaction of tasks can be more complicated, but with the emulator, tracing this interaction becomes less laborious.

Here you can watch a short video of launching the emulator and interacting with IDA Pro.

Launching with Radare2

One cannot ignore such a universal tool as Radare2.

To connect to the emulator with r2, the command looks like this:

radare2 -A -a arm -b 16 -d gdb://localhost:23946 rhino_fw42k6.elf

Starting execution (dc) and pausing it (Ctrl + C) are available.

Unfortunately, at the moment r2 has problems working with a hardware gdb server and the memory layout; because of this, breakpoints and stepping (the ds command) do not work. We hope this will be fixed soon.

Running with Eclipse

One of the uses of the emulator is debugging the firmware of a device under development. For clarity, we will again use the Rhino firmware. The firmware source files can be downloaded here.

We will use Eclipse from the System Workbench for STM32 suite as the IDE.

For the emulator to load firmware built directly in Eclipse, add the parameter firmware=null to the emulator launch command:

bin\kopycat -g 23946 -n rhino -l user -y modules -p firmware=null,tty_dbg=COM26,tty_bt=COM28

Setting up the debug configuration

In Eclipse, select the menu Run - Debug Configurations… In the window that opens, in the GDB Hardware Debugging section, add a new configuration, then on the "Main" tab specify the current project and the application to debug:


On the "Debugger" tab, specify the GDB command:
${openstm32_compiler_path}\arm-none-eabi-gdb

and also enter the parameters for connecting to the GDB server (host and port):


On the "Startup" tab, specify the following parameters:

  • enable the Load image checkbox (so that the built firmware image is loaded into the emulator);
  • enable the Load symbols checkbox;
  • add the run command: set $pc = *0x08000004 (sets the PC register to the value stored in memory at address 0x08000004, which holds the address of ResetHandler).

Note: if you do not want to load the firmware file from Eclipse, the Load image and Run commands options need not be specified.


After pressing Debug, you can work in debugger mode:

  • step-by-step code execution
  • interacting with breakpoints

Note. Eclipse has, hmm… some quirks… and you have to live with them. For example, if the message "No source available for "0x0"" appears when the debugger starts, execute the Step command (F5).


Instead of a conclusion

Emulating native code is a very exciting thing. It lets the device developer debug the firmware without the real device. For a researcher it is an opportunity to perform dynamic code analysis, which is not always possible even with the device at hand.

We want to give specialists a tool that is convenient, moderately simple, and does not take much effort and time to set up and run.

Write in the comments about your experience with hardware emulators. We invite you to the discussion and will be happy to answer questions.


Source: www.hab.com