As part of the 0x0A DC7831 meetup
In this article we describe how to run device firmware in the emulator, demonstrate interaction with a debugger, and perform a small dynamic analysis of the firmware.
Backstory
A long time ago in a galaxy far, far away
A few years ago our lab needed to analyze the firmware of a device. The firmware was compressed and was unpacked by a bootloader. The bootloader did this in a very convoluted way, shuffling data around in memory several times. The firmware itself also interacted heavily with peripherals. And all of this ran on a MIPS core.
For objective reasons the available emulators did not suit us, but we still wanted to run the code. So we decided to build our own emulator, one that would do the bare minimum and let us unpack the main firmware. We tried it and it worked. Then we thought: what if we added peripherals so that the main firmware could run as well? It was not too painful, and that worked too. We thought again and decided to build a full-fledged emulator.
The result was a computer systems emulator
Why Kopycat?
It is a play on words.
- copycat (English, noun [ˈkɒpɪkæt]) - imitator, mimic
- cat (English, noun [ˈkæt]) - cat, the favorite animal of one of the project's creators
- The letter "K" comes from the Kotlin programming language
Kopycat
When the emulator was created, very specific goals were set:
- the ability to quickly create new peripherals, modules, and processor cores;
- the ability to assemble a virtual device from different modules;
- the ability to load any binary data (firmware) into the memory of a virtual device;
- the ability to work with snapshots (snapshots of the system state);
- the ability to interact with the emulator through the built-in debugger;
- a pleasant modern language for development.
As a result, we chose Kotlin for the implementation, a bus architecture (modules communicate with each other over virtual data buses), JSON as the device description format, and GDB RSP as the protocol for interacting with the debugger.
Development has been under way for a little over two years and is actively continuing. During this time MIPS, x86, V850ES, ARM, and PowerPC processor cores have been implemented.
The project is growing and it is time to present it to the general public. We will give a detailed description of the project later; for now we will focus on using Kopycat.
For the most impatient, a promo version of the emulator can be downloaded
Rhino in the emulator
Recall that earlier, for the SMARTRHINO-2018 conference, a test device called "Rhinoceros" was created for teaching reverse-engineering skills. The static firmware analysis process was described in
Now let's try adding some "dynamics" and run the firmware in the emulator.
We will need:
1) Java 1.8
2) Python and the module
For Windows:
1)
2)
For Linux:
1) socat
You can use Eclipse, IDA Pro, or radare2 as the GDB client.
How does it work?
To run firmware in the emulator, you need to "assemble" a virtual device, which is an analogue of a real device.
The real device ("rhino") can be shown as a block diagram:
The emulator has a modular structure, and the final virtual device can be described in a JSON file.
{
  "top": true,
  // Plugin name should be the same as file name (or full path from library start)
  "plugin": "rhino",
  // Directory where plugin places
  "library": "user",
  // Plugin parameters (constructor parameters if jar-plugin version)
  "params": [
    { "name": "tty_dbg", "type": "String"},
    { "name": "tty_bt", "type": "String"},
    { "name": "firmware", "type": "String", "default": "NUL"}
  ],
  // Plugin outer ports
  "ports": [ ],
  // Plugin internal buses
  "buses": [
    { "name": "mem", "size": "BUS30" },
    { "name": "nand", "size": "4" },
    { "name": "gpio", "size": "BUS32" }
  ],
  // Plugin internal components
  "modules": [
    {
      "name": "u1_stm32",
      "plugin": "STM32F042",
      "library": "mcu",
      "params": {
        "firmware:String": "params.firmware"
      }
    },
    {
      "name": "usart_debug",
      "plugin": "UartSerialTerminal",
      "library": "terminals",
      "params": {
        "tty": "params.tty_dbg"
      }
    },
    {
      "name": "term_bt",
      "plugin": "UartSerialTerminal",
      "library": "terminals",
      "params": {
        "tty": "params.tty_bt"
      }
    },
    {
      "name": "bluetooth",
      "plugin": "BT",
      "library": "mcu"
    },
    { "name": "led_0", "plugin": "LED", "library": "mcu" },
    { "name": "led_1", "plugin": "LED", "library": "mcu" },
    { "name": "led_2", "plugin": "LED", "library": "mcu" },
    { "name": "led_3", "plugin": "LED", "library": "mcu" },
    { "name": "led_4", "plugin": "LED", "library": "mcu" },
    { "name": "led_5", "plugin": "LED", "library": "mcu" },
    { "name": "led_6", "plugin": "LED", "library": "mcu" },
    { "name": "led_7", "plugin": "LED", "library": "mcu" },
    { "name": "led_8", "plugin": "LED", "library": "mcu" },
    { "name": "led_9", "plugin": "LED", "library": "mcu" },
    { "name": "led_10", "plugin": "LED", "library": "mcu" },
    { "name": "led_11", "plugin": "LED", "library": "mcu" },
    { "name": "led_12", "plugin": "LED", "library": "mcu" },
    { "name": "led_13", "plugin": "LED", "library": "mcu" },
    { "name": "led_14", "plugin": "LED", "library": "mcu" },
    { "name": "led_15", "plugin": "LED", "library": "mcu" }
  ],
  // Plugin connection between components
  "connections": [
    [ "u1_stm32.ports.usart1_m", "usart_debug.ports.term_s"],
    [ "u1_stm32.ports.usart1_s", "usart_debug.ports.term_m"],
    [ "u1_stm32.ports.usart2_m", "bluetooth.ports.usart_m"],
    [ "u1_stm32.ports.usart2_s", "bluetooth.ports.usart_s"],
    [ "bluetooth.ports.bt_s", "term_bt.ports.term_m"],
    [ "bluetooth.ports.bt_m", "term_bt.ports.term_s"],
    [ "led_0.ports.pin", "u1_stm32.buses.pin_output_a", "0x00"],
    [ "led_1.ports.pin", "u1_stm32.buses.pin_output_a", "0x01"],
    [ "led_2.ports.pin", "u1_stm32.buses.pin_output_a", "0x02"],
    [ "led_3.ports.pin", "u1_stm32.buses.pin_output_a", "0x03"],
    [ "led_4.ports.pin", "u1_stm32.buses.pin_output_a", "0x04"],
    [ "led_5.ports.pin", "u1_stm32.buses.pin_output_a", "0x05"],
    [ "led_6.ports.pin", "u1_stm32.buses.pin_output_a", "0x06"],
    [ "led_7.ports.pin", "u1_stm32.buses.pin_output_a", "0x07"],
    [ "led_8.ports.pin", "u1_stm32.buses.pin_output_a", "0x08"],
    [ "led_9.ports.pin", "u1_stm32.buses.pin_output_a", "0x09"],
    [ "led_10.ports.pin", "u1_stm32.buses.pin_output_a", "0x0A"],
    [ "led_11.ports.pin", "u1_stm32.buses.pin_output_a", "0x0B"],
    [ "led_12.ports.pin", "u1_stm32.buses.pin_output_a", "0x0C"],
    [ "led_13.ports.pin", "u1_stm32.buses.pin_output_a", "0x0D"],
    [ "led_14.ports.pin", "u1_stm32.buses.pin_output_a", "0x0E"],
    [ "led_15.ports.pin", "u1_stm32.buses.pin_output_a", "0x0F"]
  ]
}
Note the firmware parameter in the params section: it is the name of a file that can be loaded into the virtual device as firmware.
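A quick consistency check for a description in this format, as an added example (not Kopycat's own code): it strips the // comments, then reports module parameters that point at an undeclared params.* entry and connections that name an unknown module. The shortened SAMPLE, its "note" key and both mistakes are constructed for illustration; the endpoint form <module>.ports|buses.<name> is assumed from the file on this page.

```python
import json

def strip_line_comments(text):
    """Drop // comments, leaving '//' inside string literals untouched."""
    out, i, in_str, esc = [], 0, False, False
    while i < len(text):
        ch = text[i]
        if in_str:
            out.append(ch)
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith("//", i):
            while i < len(text) and text[i] != "\n":
                i += 1
            continue  # the newline itself is kept by the next iteration
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def check_device(text):
    """Return a list of problems found in a device description."""
    dev = json.loads(strip_line_comments(text))
    problems = []
    declared = {p["name"] for p in dev.get("params", [])}
    modules = {}
    for m in dev.get("modules", []):
        if m["name"] in modules:
            problems.append("duplicate module: " + m["name"])
        modules[m["name"]] = m
        for value in m.get("params", {}).values():
            # "params.<name>" forwards a top-level parameter to the module
            if isinstance(value, str) and value.startswith("params."):
                if value[len("params."):] not in declared:
                    problems.append("%s: undeclared parameter %s" % (m["name"], value))
    for conn in dev.get("connections", []):
        for endpoint in conn[:2]:  # an optional third item is a bus offset
            if endpoint.split(".", 1)[0] not in modules:
                problems.append("connection to unknown module: " + endpoint)
    return problems

# Constructed, shortened description with two deliberate mistakes.
SAMPLE = r'''
{
  // a URL inside a string must survive comment stripping
  "plugin": "rhino", "library": "user", "note": "see http://example.invalid/",
  "params": [ { "name": "tty_dbg", "type": "String" } ],
  "modules": [
    { "name": "u1_stm32", "plugin": "STM32F042", "library": "mcu" },
    { "name": "usart_debug", "plugin": "UartSerialTerminal", "library": "terminals",
      "params": { "tty": "params.tty_debug" } }
  ],
  "connections": [
    [ "u1_stm32.ports.usart1_m", "usart_debug.ports.term_s" ],
    [ "led_0.ports.pin", "u1_stm32.buses.pin_output_a", "0x00" ]
  ]
}
'''

if __name__ == "__main__":
    for problem in check_device(SAMPLE):
        print(problem)
```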
The virtual device and its interaction with the host operating system can be represented by the following diagram:
The current test build of the emulator involves interaction with the COM ports of the host OS (the debug UART and the UART for the Bluetooth module). These can be real ports with devices attached or virtual COM ports (for which you need com0com/socat).
There are currently two main ways to interact with the emulator from outside:
- the GDB RSP protocol (accordingly, the tools that support this protocol are Eclipse / IDA / radare2);
- the emulator's internal command line (Argparse or Python).
Virtual COM ports
To interact with the UART of the virtual device on the local machine through a terminal, you need to create a pair of linked virtual COM ports. In our case, one port is used by the emulator and the other by a terminal program (PuTTY or screen):
Using com0com
Virtual COM ports are configured with the setup utility from the com0com kit (console version - C:\Program Files (x86)\com0com\setupc.exe, or GUI version - C:\Program Files (x86)\com0com\setupg.exe):
Check the "enable buffer overrun" checkbox for all created virtual ports, otherwise the emulator will wait for a response from the COM port.
Using socat
On UNIX systems, the emulator creates the virtual COM ports automatically using the socat utility; to do this, just specify the prefix socat: in the port name when starting the emulator.
Internal command-line interface (Argparse or Python)
Since Kopycat is a console application, the emulator provides two command-line interface options for interacting with its objects and variables: Argparse and Python.
Argparse is a CLI built into Kopycat and is always available to everyone.
The alternative CLI is the Python interpreter. To use it, you need to install the Jep Python module and configure the emulator to work with Python (the Python interpreter installed on the user's host system will be used).
Installing the Jep Python module
On Linux, Jep can be installed via pip:
pip install jep
To install Jep on Windows, you first need to install the Windows SDK and the corresponding Microsoft Visual Studio. We have made this a little easier for you and
pip install jep-3.8.2-cp27-cp27m-win_amd64.whl
To check that Jep is installed, run the following on the command line:
python -c "import jep"
The following message should be received in response:
ImportError: Jep is not supported in standalone Python, it must be embedded in Java.
In the emulator batch file for your system (kopycat.bat for Windows, kopycat for Linux), add an additional parameter Djava.library.path to the DEFAULT_JVM_OPTS parameter list; it must contain the path to the installed Jep module.
The result for Windows should be a line like this:
set DEFAULT_JVM_OPTS="-XX:MaxMetaspaceSize=256m" "-XX:+UseParallelGC" "-XX:SurvivorRatio=6" "-XX:-UseGCOverheadLimit" "-Djava.library.path=C:/Python27/Lib/site-packages/jep"
Launching Kopycat
The emulator is a console JVM application. It is launched through the operating system's command-line script (sh/cmd).
Command to run on Windows:
bin\kopycat -g 23946 -n rhino -l user -y library -p firmware=firmware\rhino_pass.bin,tty_dbg=COM26,tty_bt=COM28
Command to run on Linux using the socat utility:
./bin/kopycat -g 23946 -n rhino -l user -y library -p firmware=./firmware/rhino_pass.bin,tty_dbg=socat:./COM26,tty_bt=socat:./COM28
- -g 23946: the TCP port that will be opened for access to the GDB server;
- -n rhino: the name of the main system module (the assembled device);
- -l user: the name of the library in which to look for the main module;
- -y library: the path to search for the modules included in the device;
- firmware\rhino_pass.bin: the path to the firmware file;
- COM26 and COM28 are virtual COM ports.
As a result, the Python > (or Argparse >) prompt will be displayed:
18:07:59 INFO [eFactoryBuilder.create ]: Module top successfully created as top
18:07:59 INFO [ Module.initializeAndRes]: Setup core to top.u1_stm32.cortexm0.arm for top
18:07:59 INFO [ Module.initializeAndRes]: Setup debugger to top.u1_stm32.dbg for top
18:07:59 WARN [ Module.initializeAndRes]: Tracer wasn't found in top...
18:07:59 INFO [ Module.initializeAndRes]: Initializing ports and buses...
18:07:59 WARN [ Module.initializePortsA]: ATTENTION: Some ports has warning use printModulesPortsWarnings to see it...
18:07:59 FINE [ ARMv6CPU.reset ]: Set entry point address to 08006A75
18:07:59 INFO [ Module.initializeAndRes]: Module top is successfully initialized and reset as a top cell!
18:07:59 INFO [ Kopycat.open ]: Starting virtualization of board top[rhino] with arm[ARMv6Core]
18:07:59 INFO [ GDBServer.debuggerModule ]: Set new debugger module top.u1_stm32.dbg for GDB_SERVER(port=23946,alive=true)
Python >
Interaction with IDA Pro
To simplify testing, we use the Rhino firmware as the source file for analysis in IDA in the form of
You can also use the main firmware without meta-information.
After launching Kopycat, in IDA Pro open the Debugger menu, go to "Switch debugger..." and select "Remote GDB debugger". Next, set up the connection: menu Debugger - Process options...
Set the values:
- Application - any value
- Hostname: 127.0.0.1 (or the IP address of the remote machine where Kopycat is running)
- Port: 23946
The debug start button (F9 key) is now available:
Click it to connect to the debugger module in the emulator. IDA switches to debugging mode and additional windows become available: information about the registers and about the stack.
Now we can use all the standard debugger features:
- step-by-step execution of instructions (Step into and Step over, keys F7 and F8 respectively);
- starting and pausing execution;
- creating breakpoints on both code and data (F2 key).
Connecting to the debugger does not mean that the firmware code is running. The current execution position should be address 0x08006A74, the start of the Reset_Handler function. If you scroll down the listing, you can see the call to the main function. You can place the cursor on that line (address 0x08006ABE) and perform the Run until cursor operation (F4 key).
Next, you can press F7 to enter the main function.
If you execute the Continue process command (F9 key), a "Please wait" window appears with a single Suspend button:
When you press Suspend, execution of the firmware code is paused and can be resumed from the same address at which it was interrupted.
If you continue executing the code, you will see the following lines in the terminals connected to the virtual COM ports:
The presence of the "state bypass" line indicates that the virtual Bluetooth module has switched to the mode of receiving data from the user's COM port.
Now in the Bluetooth terminal (COM29 in the figure) you can enter commands according to the Rhino protocol. For example, the "MEOW" command will return the string "mur-mur" to the Bluetooth terminal:
Don't emulate me completely
When building an emulator, you can choose the level of detail/emulation of a particular device. For example, the Bluetooth module can be emulated in different ways:
- the device is fully emulated with a full set of commands;
- AT commands are emulated, and the data stream is received from the COM port of the host system;
- the virtual device provides full redirection of data to a real device;
- as a simple stub that always returns "OK".
The current version of the emulator uses the second approach: the virtual Bluetooth module performs configuration, after which it switches to the mode of "proxying" data from the COM port of the host system to the UART port of the emulator.
Let's consider the possibility of simple instrumentation of the code in case some part of the periphery is not implemented. For example, if the timer responsible for controlling data transfer to DMA has not been created (the check is performed in the ws2812b_wait function, located at address 0x08006840), then the firmware will wait forever for the busy flag, located at 0x200004C4, to be reset; this flag indicates that the DMA data line is occupied:
We can get around this situation by manually resetting the busy flag right after it is set. In IDA Pro, you can create a Python function and call it from a breakpoint, placing the breakpoint itself in the code after the value 1 is written to the busy flag.
Breakpoint handler
First, let's create a Python function in IDA. Menu File - Script command...
Add a new snippet to the list on the left, give it a name (for example, PPT),
In the text field on the right, enter the function code:
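from idc import Byte, PatchDbgByte

def skip_dma():
    # Breakpoint handler: clear the DMA busy flag so the firmware stops waiting
    print("Skipping wait ws2812...")
    value = Byte(0x200004C4)         # read the busy flag from debuggee memory
    if value == 1:
        PatchDbgByte(0x200004C4, 0)  # reset the flag in the debugged process
    return False                     # False: do not stop at this breakpoint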
After that, click Run and close the script window.
Now let's go to the code at 0x0800688A, set a breakpoint (F2 key), edit it (context menu Edit breakpoint...), and don't forget to set the script type to Python:
If the current value of the busy flag is 1, then the skip_dma function should be executed in the script line:
If you run the firmware, you can see the breakpoint handler code firing in the IDA Output window by the line Skipping wait ws2812.... Now the firmware will not wait for the busy flag to be reset.
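The same flag reset expressed at the GDB RSP level that the emulator speaks, as an added example that is not part of the original article or of Kopycat: it frames the memory read (m) and write (M) packets with their checksum and replays the skip_dma logic against a constructed in-memory stub. FakeStub and the exchange callback are hypothetical; acknowledgements (+/-) and the TCP transport are left out.

```python
BUSY_FLAG = 0x200004C4  # address of the busy flag, taken from the article

def frame(payload):
    """Wrap a command as '$<data>#<checksum>' (sum of data bytes mod 256)."""
    data = payload.encode("ascii")
    return b"$" + data + b"#" + b"%02x" % (sum(data) % 256)

def unframe(packet):
    """Validate a packet and return its data; raise ValueError if corrupted."""
    if not (packet.startswith(b"$") and len(packet) >= 4 and packet[-3:-2] == b"#"):
        raise ValueError("not an RSP packet")
    data = packet[1:-3]
    received = int(packet[-2:].decode("ascii"), 16)
    if sum(data) % 256 != received:
        raise ValueError("checksum mismatch")
    return data.decode("ascii")

def read_memory(addr, length):
    return frame("m%x,%x" % (addr, length))

def write_memory(addr, data):
    return frame("M%x,%x:%s" % (addr, len(data), data.hex()))

def clear_busy_flag(exchange):
    """Mirror skip_dma(): exchange(packet) sends one packet, returns the reply."""
    value = bytes.fromhex(unframe(exchange(read_memory(BUSY_FLAG, 1))))
    if value == b"\x01":
        return unframe(exchange(write_memory(BUSY_FLAG, b"\x00"))) == "OK"
    return False  # flag already clear, nothing written

class FakeStub:
    """Constructed stand-in for a GDB server: answers 'm' and 'M' only."""
    def __init__(self):
        self.mem = {BUSY_FLAG: 1}

    def __call__(self, packet):
        cmd = unframe(packet)
        if cmd.startswith("m"):
            addr, length = (int(x, 16) for x in cmd[1:].split(","))
            return frame("".join("%02x" % self.mem.get(addr + i, 0)
                                 for i in range(length)))
        if cmd.startswith("M"):
            head, hexdata = cmd[1:].split(":")
            addr = int(head.split(",")[0], 16)
            for i, b in enumerate(bytes.fromhex(hexdata)):
                self.mem[addr + i] = b
            return frame("OK")
        return frame("")  # empty reply means "unsupported command"

if __name__ == "__main__":
    stub = FakeStub()
    print(read_memory(BUSY_FLAG, 1), clear_busy_flag(stub), stub.mem)
```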
Interaction with the emulator
Emulation for the sake of emulation is unlikely to cause delight and joy. It is much more interesting when the emulator helps the researcher see the data in memory or establish how threads interact.
We will show you how to dynamically establish the interaction between RTOS tasks. You should first pause code execution if it is running. If you go to the bluetooth_task_entry function, to the branch that handles the "LED" command (address 0x080057B8), you can see that a message is first created and then sent to the ledControlQueueHandle system queue.
You should set a breakpoint on access to the ledControlQueueHandle variable, located at address 0x20000624, and continue code execution:
As a result, the stop will first occur at address 0x080057CA before the call to the osMailAlloc function, then at address 0x08005806 before the call to the osMailPut function, and then after a while at address 0x08005BD4 (before the call to the osMailGet function), which belongs to the leds_task_entry function (the LED task); that is, a task switch has occurred and the LED task has now received control.
In this simple way you can establish how RTOS tasks interact with each other.
Of course, in reality the interaction of tasks can be more complicated, but with an emulator, tracking this interaction becomes less laborious.
Debugging with Radare2
We cannot ignore such a universal tool as Radare2.
To connect to the emulator using r2, the command looks like this:
radare2 -A -a arm -b 16 -d gdb://localhost:23946 rhino_fw42k6.elf
Starting (dc) and pausing execution (Ctrl+C) are now available.
Unfortunately, at the moment r2 has problems working with a hardware gdb server and with memory layout; because of this, breakpoints and Steps (the ds command) do not work. We hope this will be fixed soon.
Running with Eclipse
One of the options for using the emulator is debugging the firmware of a device under development. For clarity, we will again use the Rhino firmware. You can download the firmware sources
As the IDE we will use Eclipse from the set
For the emulator to load firmware compiled directly in Eclipse, you need to add the parameter firmware=null to the emulator launch command:
bin\kopycat -g 23946 -n rhino -l user -y modules -p firmware=null,tty_dbg=COM26,tty_bt=COM28
Setting up the debug configuration
In Eclipse, select the menu Run - Debug Configurations... In the window that opens, in the GDB Hardware Debugging section, add a new configuration, then on the "Main" tab specify the current project and the application to debug:
On the "Debugger" tab you need to specify the GDB command:
${openstm32_compiler_path}arm-none-eabi-gdb
And also enter the parameters for connecting to the GDB server (host and port):
On the "Startup" tab, you need to specify the following:
- enable the Load image checkbox (so that the built firmware image is loaded into the emulator);
- enable the Load symbols checkbox;
- add the startup command:
set $pc = *0x08000004
(set the PC register to the value from memory at address 0x08000004; the address of Reset_Handler is stored there).
Note: if you do not want to load the firmware file from Eclipse, then the Load image and Run commands options do not need to be specified.
After clicking Debug, you can work in debugging mode:
- step-by-step code execution
- interaction with breakpoints
Note. Eclipse has, hmm... some quirks... and you have to live with them. For example, if the message "No source available for "0x0"" appears when the debugger starts, then execute the Step command (F5).
Instead of a conclusion
Emulating native code is a very interesting thing. A device developer gets the ability to debug firmware without a real device. For a researcher, it is an opportunity to perform dynamic code analysis, which is not always possible even with a device.
We want to give specialists a tool that is convenient, moderately simple, and does not take much effort and time to set up and run.
Write in the comments about your experience using hardware emulators. We invite you to the discussion and will be happy to answer questions.
Source: www.habr.com