A rhino inside a cat: running firmware in the Kopycat emulator


As part of the 0x0A DC7831 DEF CON Nizhny Novgorod meetup on February 16, we gave a talk on the basic principles of emulating binary code and on our own development, the Kopycat hardware emulator.

In this article we describe how to run a device's firmware in the emulator, demonstrate interaction with a debugger, and perform a small dynamic analysis of the firmware.

Background

A long time ago in a galaxy far, far away

A few years ago our lab needed to analyze the firmware of a device. The firmware was compressed and was unpacked by a bootloader, which did this in a rather convoluted way, moving the data around in memory several times. The firmware itself then interacted intensively with peripherals. And all of this on a MIPS core.

For objective reasons the existing emulators did not suit us, but we still wanted to run the code. So we decided to write our own emulator that would do the bare minimum and let us unpack the main firmware. We tried it, and it worked. Then we thought: what if we add peripherals so that the main firmware runs as well? That was not too painful either, and it also worked. We thought some more and decided to build a full-fledged emulator.

The result was the Kopycat hardware emulator.

Why Kopycat?

It is a play on words.

  1. copycat (English, noun [ˈkɒpɪkæt]) - an imitator, a mimic
  2. cat (English, noun [ˈkæt]) - a cat, the favourite animal of one of the project's founders
  3. The letter "K" comes from the Kotlin programming language

Kopycat

When developing the emulator, very specific goals were set:

  • the ability to quickly create new peripherals, modules, and processor cores;
  • the ability to assemble a virtual device from various modules;
  • the ability to load any binary data (firmware) into the memory of the virtual device;
  • the ability to work with snapshots (state images);
  • the ability to interact with the emulator through a built-in debugger;
  • a pleasant, modern development language.

As a result, Kotlin was chosen for the implementation, together with a bus architecture (modules communicate with each other over data buses), JSON as the device description format, and GDB RSP as the protocol for talking to a debugger.

Development has been under way for a little over two years and is still ongoing. During this time the MIPS, x86, V850ES, ARM, and PowerPC processor cores have been implemented.

The project is growing and it is time to present it to a wider audience. We will describe the project in detail later; for now we focus on using Kopycat.

For the most impatient, a promo version of the emulator can be downloaded from the link.

Rhino in the emulator

Recall that earlier, at the SMARTRHINO-2018 conference, a test device, the "Rhinoceros", was created for teaching reverse-engineering skills. The static analysis of its firmware was described in that article.

Now let's add some "dynamics" and run the firmware in the emulator.

We will need:
1) Java 1.8
2) Python and the Jep module, for using Python inside the emulator. A WHL build of the Jep module for Windows can be downloaded here.

On Windows:
1) com0com
2) PuTTY

On Linux:
1) socat

Eclipse, IDA Pro, or radare2 can be used as the GDB client.

How does it work?

To run firmware in the emulator, you need to "assemble" a virtual device that is an analogue of the real device.

The real device (the "rhino") is shown schematically in the figure.

The emulator is a modular system, and the final virtual device can be described in a JSON file.


{
  "top": true,

  // Plugin name should be the same as file name (or full path from library start)
  "plugin": "rhino",

  // Directory where plugin places
  "library": "user",

  // Plugin parameters (constructor parameters if jar-plugin version)
  "params": [
    { "name": "tty_dbg", "type": "String"},
    { "name": "tty_bt", "type": "String"},
    { "name": "firmware", "type": "String", "default": "NUL"}
  ],

  // Plugin outer ports
  "ports": [  ],

  // Plugin internal buses
  "buses": [
    { "name": "mem", "size": "BUS30" },
    { "name": "nand", "size": "4" },
    { "name": "gpio", "size": "BUS32" }
  ],

  // Plugin internal components
  "modules": [
    {
      "name": "u1_stm32",
      "plugin": "STM32F042",
      "library": "mcu",
      "params": {
        "firmware:String": "params.firmware"
      }
    },
    {
      "name": "usart_debug",
      "plugin": "UartSerialTerminal",
      "library": "terminals",
      "params": {
        "tty": "params.tty_dbg"
      }
    },
    {
      "name": "term_bt",
      "plugin": "UartSerialTerminal",
      "library": "terminals",
      "params": {
        "tty": "params.tty_bt"
      }
    },
    {
      "name": "bluetooth",
      "plugin": "BT",
      "library": "mcu"
    },

    { "name": "led_0",  "plugin": "LED", "library": "mcu" },
    { "name": "led_1",  "plugin": "LED", "library": "mcu" },
    { "name": "led_2",  "plugin": "LED", "library": "mcu" },
    { "name": "led_3",  "plugin": "LED", "library": "mcu" },
    { "name": "led_4",  "plugin": "LED", "library": "mcu" },
    { "name": "led_5",  "plugin": "LED", "library": "mcu" },
    { "name": "led_6",  "plugin": "LED", "library": "mcu" },
    { "name": "led_7",  "plugin": "LED", "library": "mcu" },
    { "name": "led_8",  "plugin": "LED", "library": "mcu" },
    { "name": "led_9",  "plugin": "LED", "library": "mcu" },
    { "name": "led_10", "plugin": "LED", "library": "mcu" },
    { "name": "led_11", "plugin": "LED", "library": "mcu" },
    { "name": "led_12", "plugin": "LED", "library": "mcu" },
    { "name": "led_13", "plugin": "LED", "library": "mcu" },
    { "name": "led_14", "plugin": "LED", "library": "mcu" },
    { "name": "led_15", "plugin": "LED", "library": "mcu" }
  ],

  // Plugin connection between components
  "connections": [
    [ "u1_stm32.ports.usart1_m", "usart_debug.ports.term_s"],
    [ "u1_stm32.ports.usart1_s", "usart_debug.ports.term_m"],

    [ "u1_stm32.ports.usart2_m", "bluetooth.ports.usart_m"],
    [ "u1_stm32.ports.usart2_s", "bluetooth.ports.usart_s"],

    [ "bluetooth.ports.bt_s", "term_bt.ports.term_m"],
    [ "bluetooth.ports.bt_m", "term_bt.ports.term_s"],

    [ "led_0.ports.pin",  "u1_stm32.buses.pin_output_a", "0x00"],
    [ "led_1.ports.pin",  "u1_stm32.buses.pin_output_a", "0x01"],
    [ "led_2.ports.pin",  "u1_stm32.buses.pin_output_a", "0x02"],
    [ "led_3.ports.pin",  "u1_stm32.buses.pin_output_a", "0x03"],
    [ "led_4.ports.pin",  "u1_stm32.buses.pin_output_a", "0x04"],
    [ "led_5.ports.pin",  "u1_stm32.buses.pin_output_a", "0x05"],
    [ "led_6.ports.pin",  "u1_stm32.buses.pin_output_a", "0x06"],
    [ "led_7.ports.pin",  "u1_stm32.buses.pin_output_a", "0x07"],
    [ "led_8.ports.pin",  "u1_stm32.buses.pin_output_a", "0x08"],
    [ "led_9.ports.pin",  "u1_stm32.buses.pin_output_a", "0x09"],
    [ "led_10.ports.pin", "u1_stm32.buses.pin_output_a", "0x0A"],
    [ "led_11.ports.pin", "u1_stm32.buses.pin_output_a", "0x0B"],
    [ "led_12.ports.pin", "u1_stm32.buses.pin_output_a", "0x0C"],
    [ "led_13.ports.pin", "u1_stm32.buses.pin_output_a", "0x0D"],
    [ "led_14.ports.pin", "u1_stm32.buses.pin_output_a", "0x0E"],
    [ "led_15.ports.pin", "u1_stm32.buses.pin_output_a", "0x0F"]
  ]
}

Note the firmware parameter in the params section: it is the name of the file that can be loaded into the virtual device as its firmware.
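Before handing a description like the one above to the emulator, it is worth checking it for the mistakes that are easy to make by hand: a module parameter that refers to a top-level param that was never declared, or a connection that names a module that does not exist. The following checker is an added example and is not code from the article or from the Kopycat project; it makes no claims about how Kopycat itself validates descriptions. It works on a cut-down copy of the rhino description (constructed for the example, with one deliberately broken connection to led_1), and strips the // line comments that the article's JSON uses, since the standard json module does not accept them.

```python
import json
import re

# Constructed sample in the shape of the article's device description
# (a shortened copy of the rhino JSON; the led_1 connection is deliberately
# wrong: no module named led_1 is declared).
SAMPLE_DEVICE = """
{
  "top": true,
  // Plugin name should be the same as file name
  "plugin": "rhino",
  "library": "user",
  "params": [
    { "name": "tty_dbg", "type": "String"},
    { "name": "firmware", "type": "String", "default": "NUL"}
  ],
  "ports": [ ],
  "buses": [ { "name": "mem", "size": "BUS30" } ],
  "modules": [
    { "name": "u1_stm32", "plugin": "STM32F042", "library": "mcu",
      "params": { "firmware:String": "params.firmware" } },
    { "name": "usart_debug", "plugin": "UartSerialTerminal", "library": "terminals",
      "params": { "tty": "params.tty_dbg" } },
    { "name": "led_0", "plugin": "LED", "library": "mcu" }
  ],
  "connections": [
    [ "u1_stm32.ports.usart1_m", "usart_debug.ports.term_s"],
    [ "u1_stm32.ports.usart1_s", "usart_debug.ports.term_m"],
    [ "led_0.ports.pin", "u1_stm32.buses.pin_output_a", "0x00"],
    [ "led_1.ports.pin", "u1_stm32.buses.pin_output_a", "0x01"]
  ]
}
"""

# Whole-line // comments, as used in the article's JSON (assumption: only
# whole-line comments appear, which is all the article's description uses).
COMMENT_RE = re.compile(r"^\s*//.*$", re.MULTILINE)


def load_device(text):
    """Parse a device description that may contain // line comments."""
    return json.loads(COMMENT_RE.sub("", text))


def check_device(desc):
    """Return a list of human-readable problems found in a device description."""
    problems = []
    if not desc.get("top"):
        problems.append('"top" is not true')

    modules = {m["name"] for m in desc.get("modules", [])}
    params = {p["name"] for p in desc.get("params", [])}

    # A module parameter of the form "params.X" must name a declared top-level param.
    for m in desc.get("modules", []):
        for key, val in m.get("params", {}).items():
            if isinstance(val, str) and val.startswith("params."):
                ref = val[len("params."):]
                if ref not in params:
                    problems.append("%s.%s references undeclared param %r" % (m["name"], key, ref))

    # Each connection endpoint "<module>.ports.<p>" or "<module>.buses.<b>" must name
    # a declared module; an optional third element is a hex offset on the bus.
    for conn in desc.get("connections", []):
        for endpoint in conn[:2]:
            mod = endpoint.split(".", 1)[0]
            if mod not in modules:
                problems.append("connection %r refers to unknown module %r" % (endpoint, mod))
        if len(conn) == 3:
            try:
                int(conn[2], 16)
            except ValueError:
                problems.append("connection %r has a non-hex offset %r" % (conn[0], conn[2]))
    return problems


if __name__ == "__main__":
    for problem in check_device(load_device(SAMPLE_DEVICE)):
        print(problem)
```

Run against the sample, the checker reports exactly one problem, the dangling led_1 endpoint; the same two passes (param references, connection endpoints) are the ones worth running over the full 16-LED description before the first launch, because a mistyped module name otherwise only surfaces as a port warning at emulator start-up.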

The virtual device and its interaction with the host operating system can be represented by a diagram of the following kind: the virtual UARTs of the device are wired to COM ports of the host.

The current test case for the emulator involves interaction with the COM ports of the host OS (the debug UART and the UART of the Bluetooth module). These can be real ports with devices attached to them, or virtual COM ports (which is what com0com/socat is needed for).

At present there are two main ways of interacting with the emulator from the outside:

  • the GDB RSP protocol (tools that support this protocol are, accordingly, Eclipse / IDA / radare2);
  • the emulator's internal command line (Argparse or Python).

Virtual COM ports

To talk to the UART of the virtual device on the local machine through a terminal, you need to create a pair of linked virtual COM ports. In our case one port is used by the emulator and the other by the terminal program (PuTTY or screen).

Using com0com

Virtual COM ports are configured with the setup utility from the com0com kit (console version: C:\Program Files (x86)\com0com\setupc.exe, or GUI version: C:\Program Files (x86)\com0com\setupg.exe).

Be sure to tick the enable buffer overrun boxes for all created virtual ports, otherwise the emulator will block waiting for a response from the COM port.

Using socat

On UNIX systems the COM ports are created automatically by the emulator using the socat utility; just prefix the port name with socat: when starting the emulator.

Internal command line (Argparse or Python)

Since Kopycat is a console application, the emulator offers two command-line interfaces for interacting with its objects and variables: Argparse and Python.

Argparse is the CLI built into Kopycat and is always available.

The alternative CLI is a Python interpreter. To use it, you need to install the Jep Python module and configure the emulator to work with Python (the Python interpreter installed on the user's host system will be used).

Installing the Jep Python module

Under Linux, Jep can be installed via pip:

pip install jep

To install Jep on Windows you need the Windows SDK and the matching Microsoft Visual Studio. To make life easier, we have built WHL packages of Jep for the current Python versions on Windows, so the module can be installed from a file:

pip install jep-3.8.2-cp27-cp27m-win_amd64.whl

To verify the Jep installation, run on the command line:

python -c "import jep"

The following message should come back in response:

ImportError: Jep is not supported in standalone Python, it must be embedded in Java.

In the emulator's launch script for your system (kopycat.bat for Windows, kopycat for Linux), add the extra parameter -Djava.library.path to the DEFAULT_JVM_OPTS list; it must contain the path to the installed Jep module.

For Windows the result should be a line like this:

set DEFAULT_JVM_OPTS="-XX:MaxMetaspaceSize=256m" "-XX:+UseParallelGC" "-XX:SurvivorRatio=6" "-XX:-UseGCOverheadLimit" "-Djava.library.path=C:/Python27/Lib/site-packages/jep"

Launching Kopycat

The emulator is a console JVM application. It is launched from the operating system's command line (sh/cmd).

Command to run under Windows:

bin\kopycat -g 23946 -n rhino -l user -y library -p firmware=firmware\rhino_pass.bin,tty_dbg=COM26,tty_bt=COM28

Command to run under Linux using socat:

./bin/kopycat -g 23946 -n rhino -l user -y library -p firmware=./firmware/rhino_pass.bin,tty_dbg=socat:./COM26,tty_bt=socat:./COM28

  • -g 23646 - the TCP port that will be opened for access to the GDB server;
  • -n rhino - the name of the system's top module (the assembled device);
  • -l user - the name of the library in which to look for the top module;
  • -y library - the path in which to look for the modules that make up the device;
  • firmware\rhino_pass.bin - the path to the firmware file;
  • COM26 and COM28 are the COM ports.

As a result, the prompt Python > (or Argparse >) will be shown:

18:07:59 INFO [eFactoryBuilder.create ]: Module top successfully created as top
18:07:59 INFO [ Module.initializeAndRes]: Setup core to top.u1_stm32.cortexm0.arm for top
18:07:59 INFO [ Module.initializeAndRes]: Setup debugger to top.u1_stm32.dbg for top
18:07:59 WARN [ Module.initializeAndRes]: Tracer wasn't found in top...
18:07:59 INFO [ Module.initializeAndRes]: Initializing ports and buses...
18:07:59 WARN [ Module.initializePortsA]: ATTENTION: Some ports has warning use printModulesPortsWarnings to see it...
18:07:59 FINE [ ARMv6CPU.reset ]: Set entry point address to 08006A75
18:07:59 INFO [ Module.initializeAndRes]: Module top is successfully initialized and reset as a top cell!
18:07:59 INFO [ Kopycat.open ]: Starting virtualization of board top[rhino] with arm[ARMv6Core]
18:07:59 INFO [ GDBServer.debuggerModule ]: Set new debugger module top.u1_stm32.dbg for GDB_SERVER(port=23946,alive=true)
Python >

Interacting with IDA Pro

To simplify testing, we use the Rhino firmware in the form of an ELF image as the file for analysis in IDA (the meta information is kept there).

You can also use the raw firmware without meta information.

After launching Kopycat, in IDA Pro open the Debugger menu, go to "Switch debugger…" and select "Remote GDB debugger". Then set up the connection: menu Debugger - Process options…

Set the values:

  • Application - any value
  • Hostname: 127.0.0.1 (or the IP address of the remote machine on which Kopycat is running)
  • Port: 23946


The debug button is now available (F9 key).


Press it to connect to the debugger module in the emulator. IDA switches to debug mode and additional windows become available: register and stack information.

Now we can use all the standard features of the debugger:

  • step-by-step instruction execution (Step into and Step over - F7 and F8 keys respectively);
  • starting and pausing execution;
  • setting code and data breakpoints (F2 key).

Connecting to the debugger does not mean the firmware code starts executing. The current execution position should be address 0x08006A74, the start of the Reset_Handler function. If you scroll down the listing, you can see the call to the main function. You can put the cursor on that line (address 0x08006ABE) and run the Run until cursor operation (F4 key).

Next, press F7 to step into the main function.

If you run the Continue process command (F9 key), a "Please wait" window with a single Suspend button appears.

When you press Suspend, execution of the firmware code is paused and can later be resumed from the same address at which it was interrupted.

If you let the code keep running, the following lines appear in the terminals attached to the virtual COM ports (the debug terminal and the Bluetooth terminal).

The "state bypass" line shows that the virtual Bluetooth module has switched to the mode of receiving data from the user's COM port.

Now, in the Bluetooth terminal (COM29 in the screenshot), you can enter commands according to the Rhino protocol. For example, the "MEOW" command returns the string "mur-mur" to the Bluetooth terminal.

Emulate me, but not completely

When building an emulator you can choose the level of detail at which a given device is emulated. For example, the Bluetooth module can be emulated in several ways:

  • the device is emulated completely, with the full command set;
  • the AT commands are emulated, and the data stream is taken from a COM port of the host system;
  • the virtual device forwards all data to the real device;
  • a trivial stub that always answers "OK".

The current version of the emulator takes the second approach: the virtual Bluetooth module handles the configuration, and then switches to "proxying" data between the host system's COM port and the emulator's UART port.

Let's consider simple code instrumentation for the case where some part of the peripherals is not implemented. For example, if the timer that controls the transfer of data to DMA is not implemented (the check is done in the ws2812b_wait function located at address 0x08006840), the firmware waits forever for the busy flag at 0x200004C4, which indicates that the DMA data line is busy, to be cleared.

We can get around this obstacle by clearing the busy flag by hand immediately after it is set. In IDA Pro you can write a Python function and call it from a breakpoint, placing the breakpoint on the code right after the instruction that writes the value 1 to the busy flag.

Breakpoint handler

First, let's create the Python function in IDA. Menu File - Script command...

Add a new snippet in the list on the left, give it a name (for example, BPT), and enter the function code in the right-hand pane:

def skip_dma():
    # IDAPython breakpoint handler: runs when execution stops right after
    # the firmware has written 1 to the DMA busy flag at 0x200004C4.
    print("Skipping wait ws2812...")
    value = Byte(0x200004C4)           # read the busy flag from emulator memory
    if value == 1:
        PatchDbgByte(0x200004C4, 0)    # clear it so the firmware does not spin forever
    return False                       # False: do not suspend execution at this breakpoint


Then click Run and close the script window.

Now go to the code at 0x0800688A, set a breakpoint (F2 key), edit it (context menu Edit breakpoint...), and don't forget to set the script type to Python.

Since the breakpoint fires when the current value of the busy flag is 1, enter a call to the skip_dma function in the breakpoint's script line.

If you now let the firmware run, you can see the breakpoint handler firing in the IDA output window on the line Skipping wait ws2812.... The firmware no longer waits for the busy flag to be cleared.
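The breakpoint handler above relies on IDA to speak GDB RSP to the emulator for you. The same busy-flag patch can be expressed directly in terms of the protocol that the emulator's GDB server exposes on the -g port and that IDA, Eclipse and radare2 all use: a memory read packet (m), a memory write packet (M), and the $...#xx framing with its one-byte checksum. The following is an added example, not code from the article or from the Kopycat project. The FakeTarget class is a constructed stand-in for the emulator's GDB server that answers only m and M packets from a dictionary, so the example runs offline; a real session would talk over TCP to the port given with -g, exchange the + / - acknowledgments, and use whatever other packets the server supports.

```python
import re

BUSY_FLAG = 0x200004C4   # address of the DMA busy flag named in the article


def rsp_checksum(payload):
    """GDB RSP checksum: sum of the payload bytes modulo 256, as two hex digits."""
    return "%02x" % (sum(payload.encode("ascii")) & 0xFF)


def rsp_frame(payload):
    """Wrap a packet body in RSP framing: $<payload>#<checksum>."""
    return "$" + payload + "#" + rsp_checksum(payload)


def rsp_unframe(packet):
    """Strip the framing and verify the checksum; raise ValueError if invalid."""
    m = re.fullmatch(r"\$(.*)#([0-9a-fA-F]{2})", packet)
    if not m:
        raise ValueError("malformed RSP packet: %r" % packet)
    body, chk = m.group(1), m.group(2).lower()
    if rsp_checksum(body) != chk:
        raise ValueError("bad checksum in %r" % packet)
    return body


class FakeTarget:
    """Constructed stand-in for a GDB server (not the emulator's real server):
    answers memory read (m) and memory write (M) packets from a dict of bytes."""

    def __init__(self, memory):
        self.memory = dict(memory)   # address -> byte value

    def handle(self, packet):
        body = rsp_unframe(packet)
        if body.startswith("m"):                      # mADDR,LEN -> hex-encoded bytes
            addr, length = (int(x, 16) for x in body[1:].split(","))
            data = "".join("%02x" % self.memory.get(addr + i, 0) for i in range(length))
            return rsp_frame(data)
        if body.startswith("M"):                      # MADDR,LEN:HEXDATA -> OK
            head, hexdata = body[1:].split(":")
            addr, length = (int(x, 16) for x in head.split(","))
            for i in range(length):
                self.memory[addr + i] = int(hexdata[2 * i:2 * i + 2], 16)
            return rsp_frame("OK")
        return rsp_frame("")                          # unsupported command: empty reply


def clear_busy_flag(target):
    """Read the busy flag over RSP and, if it is 1, write 0 back, which is the
    patch the IDA breakpoint handler performs. Returns the value that was read."""
    reply = rsp_unframe(target.handle(rsp_frame("m%x,1" % BUSY_FLAG)))
    value = int(reply, 16)
    if value == 1:
        ack = rsp_unframe(target.handle(rsp_frame("M%x,1:00" % BUSY_FLAG)))
        if ack != "OK":
            raise RuntimeError("memory write rejected: %r" % ack)
    return value


def demo():
    """Apply the patch to a constructed target whose flag is set.
    Returns (value read before the patch, flag value after the patch)."""
    target = FakeTarget({BUSY_FLAG: 1})
    before = clear_busy_flag(target)
    return before, target.memory[BUSY_FLAG]


if __name__ == "__main__":
    print(demo())
```

Verifying the checksum on every received packet, as rsp_unframe does, is the one step worth keeping even in throwaway tooling: a client that silently accepts a corrupted reply to an m packet will patch the wrong value back with the next M packet.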

Interacting with the emulator

Emulation for its own sake brings neither joy nor satisfaction. It is far more interesting when the emulator helps the researcher look at data in memory or work out how threads interact.

We will show how to establish the interaction between RTOS tasks dynamically. First, pause code execution if it is running. If you go to the bluetooth_task_entry function, to the branch that handles the "LED" command (address 0x080057B8), you can see that a message is first created and then sent to the system queue LedControlQueueHandle.

Set a breakpoint on access to the LedControlQueueHandle variable, located at address 0x20000624, and continue code execution.

As a result, the first stop occurs at address 0x080057CA, before the call to osMailAlloc, then at address 0x08005806, before the call to osMailPut, and then, after a while, at address 0x08005BD4 (before the call to osMailGet), which belongs to the leds_task_entry function (the LED task). In other words, the tasks have switched and the LED task has received control.

In this simple way you can establish how RTOS tasks interact with each other.

Of course, in practice task interaction can be far more complex, but with an emulator tracing it becomes much less laborious.

Here you can watch a short video of the emulator starting up and interacting with IDA Pro.

Running with Radare2

One cannot ignore such a universal tool as Radare2.

To connect to the emulator with r2, the command looks like this:

radare2 -A -a arm -b 16 -d gdb://localhost:23946 rhino_fw42k6.elf

Running (dc) and pausing (Ctrl+C) are available.

Unfortunately, at the moment r2 has problems working with a hardware gdb server and the memory layout, so stepping (the ds command) does not work. We hope this will be fixed soon.

Running with Eclipse

One of the uses of the emulator is debugging the firmware of a device under development. For clarity, we will again use the Rhino firmware. The firmware sources can be downloaded from here.

As the IDE we will use Eclipse from the System Workbench for STM32 suite.

For the emulator to load firmware built directly in Eclipse, add the firmware=null parameter to the emulator launch command:

bin\kopycat -g 23946 -n rhino -l user -y modules -p firmware=null,tty_dbg=COM26,tty_bt=COM28

Setting up the debug configuration

In Eclipse, select the menu Run - Debug Configurations... In the window that opens, add a new configuration in the GDB Hardware Debugging section, then on the "Main" tab specify the current project and the application to debug.

On the "Debugger" tab, specify the GDB command:
${openstm32_compiler_path}arm-none-eabi-gdb

Also enter the parameters for connecting to the GDB server (host and port).

On the "Startup" tab, specify the following parameters:

  • enable the Load image checkbox (so that the compiled firmware image is loaded into the emulator);
  • enable the Load symbols checkbox;
  • add the run command set $pc = *0x08000004 (set the PC register to the value from memory at address 0x08000004, where the address of ResetHandler is stored).

Note that if you do not want to load the firmware file from Eclipse, the Load image and Run commands options need not be specified.

After clicking Debug, you can work in debugger mode:

  • step-by-step code execution;
  • breakpoint triggering.

Note. Eclipse has, hmm... some peculiarities... and you have to live with them. For example, if the message "No source available for "0x0"" appears when starting the debugger, execute the Step command (F5).

Instead of a conclusion

Emulating native code is a very interesting thing. For the device developer it becomes possible to debug firmware without a real device. For the researcher it is an opportunity to perform dynamic code analysis, which is not always possible even with the device in hand.

We want to give specialists a tool that is convenient, reasonably simple, and does not demand much effort and time to set up and run.

Tell us in the comments about your experience with hardware emulators. We invite you to the discussion and will be glad to answer questions.


What do you use an emulator for?

  • I develop (debug) firmware

  • I research firmware

  • I run games (Dendy, Sega, PSP)

  • Other (write in the comments)


Which software do you use to emulate native code?

  • QEMU

  • Unicorn Engine

  • Proteus

  • Other (write in the comments)


What would you like to change in the emulator you use?

  • I want more speed

  • I want easier setup / launch

  • I want more ways to interact with the emulator (API, hooks)

  • I'm happy with everything

  • Other (write in the comments)


Source: www.habr.com
