Iyadoo qayb ka ah kulanka 0x0A DC7831 Febraayo 16, waxaan soo bandhignay warbixin ku saabsan mabaadi'da aasaasiga ah ee ku dayashada code binary iyo horumarinta noo gaar ah - emulator platform ah hardware. .
Maqaalkan waxaan ku sharxi doonaa sida loo socodsiiyo qalabka firmware-ka ku jira emulator-ka, muujino isdhexgalka lala yeesho debugger, oo aan samayno falanqeyn yar oo firfircoon oo ku saabsan firmware-ka.
prehistory
Waa hore ka hor galaxyo fog
Laba sano ka hor shaybaadhkayaga waxaa jiray baahi loo qabo in la baaro firmware-ka aaladda. Firmware-ka waa la cufan oo laga saaray bootloader. Waxa uu sidan u sameeyay hab aad u adag, isaga oo xogta ku beddelay dhawr jeer. Firmware-ka laftiisa ayaa markaas si firfircoon ula falgalay xayndaabyada. Oo waxaas oo dhan waxay ku yaalaan xudunta MIPS.
Sababo ujeedo ah awgood, emulators-ka la heli karo naguma habboona, laakiin waxaan wali rabnay in aan socodsiino koodka. Ka dib waxaan go'aansanay inaan sameyno emulator noo gaar ah, kaas oo sameyn doona ugu yaraan oo noo ogolaanaya inaan furno firmware-ka ugu weyn. Waanu isku daynay wayna hirgashay. Waxaan u maleynay, ka waran haddii aan ku darno durugsan si aan sidoo kale u fulino firmware-ka ugu weyn. Wax dhib ah uma geysan - sidoo kale way shaqeysay. Mar kale ayaanu u fakarnay oo go'aansanay in aanu samayno ku dayasho dhamaystiran.
Natiijadu waxay ahayd kombiyuuter nidaamyada kombiyuutarada .
Waa maxay sababta Kopycat?
Ereyada ayaa lagu ciyaaraa.
- koobiga (Ingiriis, magac [ΛkΙpΙͺkΓ¦t]) - ku dayasho, ku dayasho
- cat (Ingiriis, magac [ΛkΓ¦t]) - bisad, bisad - xayawaanka ugu jecel mid ka mid ah abuurayaasha mashruuca
- Xarafka "K" wuxuu ka yimid luqadda barnaamijka Kotlin
Copycat
Marka la abuurayo emulator-ka, yoolal gaar ah ayaa la dejiyay:
- awood u leh in ay si deg deg ah u abuuraan durugsan cusub, modules, kombuyuutarrada processor;
- Awoodda lagu soo ururiyo qalabka casriga ah ee qaybaha kala duwan;
- awoodda lagu shubo xog kasta oo binary ah (firmware) xusuusta aaladda farsamada;
- Awoodda la shaqaynta sawir-qaadista (sawirrada xaaladda nidaamka);
- awoodda ay ula falgalaan emulator-ka iyada oo la dhisay-in debugger;
- luqad casri ah oo wanaagsan horumarinta.
Natiijo ahaan, Kotlin waxaa loo doortay hirgelinta, qaab dhismeedka baska (tani waa marka cutubyadu ay ku wada xiriiraan basaska xogta dhabta ah), JSON oo ah qaabka sharaxaadda qalabka, iyo GDB RSP oo ah nidaamka isdhexgalka ee cilladaha.
Horumarku waxa uu socday wax yar in ka badan laba sano oo si firfircoon ayuu u socdaa. Inta lagu jiro wakhtigan, MIPS, x86, V850ES, ARM, iyo koodhadhka processor-ka PowerPC ayaa la hirgeliyay.
Mashruucu wuu sii kordhayaa waxaana la joogaa waqtigii loo bandhigi lahaa dad weynaha. Waxaan sameyn doonaa sharaxaad faahfaahsan oo ku saabsan mashruuca dambe, laakiin hadda waxaan diiradda saari doonaa isticmaalka Kopycat.
Kuwa ugu dulqaadan, nooca xayeysiinta ee emulatorka waa laga soo dejisan karaa .
Wiyisha ku dayashada
Aynu dib u xasuusanno in horraantii shirka SMARTRHINO-2018, qalab tijaabo ah "Rhinoceros" loo sameeyay si loo baro xirfadaha injineernimada. Habka falanqaynta firmware static ayaa lagu sharaxay .
Hadda aan isku dayno inaan ku darno "kuwa hadla" oo aan ku wadno firmware-ka emulator-ka.
Waxaan u baahan doonaa:
1) Java 1.8
2) Python iyo module in loo isticmaalo Python gudaha emulator-ka. Waxaad u dhisi kartaa moduleka WHL Jep ee Windows .
Daaqadaha:
1)
2)
Linux:
1) sooc
Waxaad u isticmaali kartaa Eclipse, IDA Pro ama radare2 macmiil GDB ahaan.
Sidee u shaqeeyaan?
Si loo sameeyo firmware-ka emulator-ka, waxaa lagama maarmaan ah in la "ururiyo" qalab farsamo, taas oo ah analoogga qalab dhab ah.
Qalabka dhabta ah ("wiyisha") waxaa lagu muujin karaa jaantuska xannibaadda:
Kombuyuutarku wuxuu leeyahay qaab-dhismeed modular ah iyo aaladda farsamada gacanta ee ugu dambeysa waxaa lagu sifeyn karaa faylka JSON.
JSON 105 khadadka
{
"top": true,
// Plugin name should be the same as file name (or full path from library start)
"plugin": "rhino",
// Directory where plugin places
"library": "user",
// Plugin parameters (constructor parameters if jar-plugin version)
"params": [
{ "name": "tty_dbg", "type": "String"},
{ "name": "tty_bt", "type": "String"},
{ "name": "firmware", "type": "String", "default": "NUL"}
],
// Plugin outer ports
"ports": [ ],
// Plugin internal buses
"buses": [
{ "name": "mem", "size": "BUS30" },
{ "name": "nand", "size": "4" },
{ "name": "gpio", "size": "BUS32" }
],
// Plugin internal components
"modules": [
{
"name": "u1_stm32",
"plugin": "STM32F042",
"library": "mcu",
"params": {
"firmware:String": "params.firmware"
}
},
{
"name": "usart_debug",
"plugin": "UartSerialTerminal",
"library": "terminals",
"params": {
"tty": "params.tty_dbg"
}
},
{
"name": "term_bt",
"plugin": "UartSerialTerminal",
"library": "terminals",
"params": {
"tty": "params.tty_bt"
}
},
{
"name": "bluetooth",
"plugin": "BT",
"library": "mcu"
},
{ "name": "led_0", "plugin": "LED", "library": "mcu" },
{ "name": "led_1", "plugin": "LED", "library": "mcu" },
{ "name": "led_2", "plugin": "LED", "library": "mcu" },
{ "name": "led_3", "plugin": "LED", "library": "mcu" },
{ "name": "led_4", "plugin": "LED", "library": "mcu" },
{ "name": "led_5", "plugin": "LED", "library": "mcu" },
{ "name": "led_6", "plugin": "LED", "library": "mcu" },
{ "name": "led_7", "plugin": "LED", "library": "mcu" },
{ "name": "led_8", "plugin": "LED", "library": "mcu" },
{ "name": "led_9", "plugin": "LED", "library": "mcu" },
{ "name": "led_10", "plugin": "LED", "library": "mcu" },
{ "name": "led_11", "plugin": "LED", "library": "mcu" },
{ "name": "led_12", "plugin": "LED", "library": "mcu" },
{ "name": "led_13", "plugin": "LED", "library": "mcu" },
{ "name": "led_14", "plugin": "LED", "library": "mcu" },
{ "name": "led_15", "plugin": "LED", "library": "mcu" }
],
// Plugin connection between components
"connections": [
[ "u1_stm32.ports.usart1_m", "usart_debug.ports.term_s"],
[ "u1_stm32.ports.usart1_s", "usart_debug.ports.term_m"],
[ "u1_stm32.ports.usart2_m", "bluetooth.ports.usart_m"],
[ "u1_stm32.ports.usart2_s", "bluetooth.ports.usart_s"],
[ "bluetooth.ports.bt_s", "term_bt.ports.term_m"],
[ "bluetooth.ports.bt_m", "term_bt.ports.term_s"],
[ "led_0.ports.pin", "u1_stm32.buses.pin_output_a", "0x00"],
[ "led_1.ports.pin", "u1_stm32.buses.pin_output_a", "0x01"],
[ "led_2.ports.pin", "u1_stm32.buses.pin_output_a", "0x02"],
[ "led_3.ports.pin", "u1_stm32.buses.pin_output_a", "0x03"],
[ "led_4.ports.pin", "u1_stm32.buses.pin_output_a", "0x04"],
[ "led_5.ports.pin", "u1_stm32.buses.pin_output_a", "0x05"],
[ "led_6.ports.pin", "u1_stm32.buses.pin_output_a", "0x06"],
[ "led_7.ports.pin", "u1_stm32.buses.pin_output_a", "0x07"],
[ "led_8.ports.pin", "u1_stm32.buses.pin_output_a", "0x08"],
[ "led_9.ports.pin", "u1_stm32.buses.pin_output_a", "0x09"],
[ "led_10.ports.pin", "u1_stm32.buses.pin_output_a", "0x0A"],
[ "led_11.ports.pin", "u1_stm32.buses.pin_output_a", "0x0B"],
[ "led_12.ports.pin", "u1_stm32.buses.pin_output_a", "0x0C"],
[ "led_13.ports.pin", "u1_stm32.buses.pin_output_a", "0x0D"],
[ "led_14.ports.pin", "u1_stm32.buses.pin_output_a", "0x0E"],
[ "led_15.ports.pin", "u1_stm32.buses.pin_output_a", "0x0F"]
]
}U fiirso halbeegga qalabeynta qaybta params waa magaca faylka lagu shuban karo qalab dalwad ah sida firmware.
Aaladda casriga ah iyo la falgalka nidaamka hawlgalka ee ugu muhiimsan waxa lagu matali karaa jaantuskan soo socda:
Tusaalaha tijaabada hadda ee emulator-ku waxa uu ku lug leeyahay la falgalka dekedaha COM ee OS-gu weyn (debug UART iyo UART ee moduleka Bluetooth-ka). Kuwani waxay noqon karaan dekedo dhab ah oo aaladaha ay ku xiran yihiin ama dekedaha COM-da ee casriga ah (tani waxaad u baahan tahay oo keliya com0com/socat).
Hadda waxaa jira laba siyaabood oo waaweyn oo lagula falgalo emulator-ka dibadda:
- GDB RSP borotokoolka (sida waafaqsan, aaladaha taageera borotokoolkan waa Eclipse / IDA / radare2);
- Khadka taliska emulator-ka gudaha (Argparse ama Python).
Dekadaha COM Virtual
Si aad ula falgasho UART ee qalabka casriga ah ee mishiinka maxaliga ah iyada oo loo marayo terminal, waxaad u baahan tahay inaad abuurto labo ka mid ah dekedaha COM ee farsamada ah. Xaaladeena, hal deked ayaa loo isticmaalaa emulator-ka, tan labaadna waxaa isticmaala barnaamijka terminal (PuTTY ama screen):
Isticmaalka com0com
Dekadaha COM Virtual waxaa lagu habeeyey iyadoo la isticmaalayo utility dejinta ee xirmada com0com (nooca konsole - C: Files Program (x86) com0comsetupΡ.exe, ama nooca GUI - C: Faylasha barnaamijka (x86) com0comsetupg.exe):
Calaamadee sanduuqyada awood kaydinta xad dhaafka ah dhammaan dekedaha casriga ah ee la abuuray, haddii kale emulator-ku wuxuu sugi doonaa jawaabta dekedda COM.
Isticmaalka socat
Nidaamyada UNIX, dekedaha casriga ah ee COM waxaa si toos ah u abuuraya emulator-ka iyadoo la adeegsanayo utility socat; si tan loo sameeyo, kaliya qeex horgalaha magaca dekeda marka la bilaabayo emulator-ka socat:.
Interface line amarka gudaha (Argparse ama Python)
Maaddaama Kopycat uu yahay konsole, emulator-ku wuxuu bixiyaa laba ikhtiyaar oo khadka taliska ah ee la falgalka walxaha iyo doorsoomayaasha: Argparse iyo Python.
Argparse waa CLI oo lagu dhisay Kopycat oo had iyo jeer diyaar u ah qof kasta.
CLI kale waa turjumaanka Python. Si aad u isticmaasho, waxaad u baahan tahay inaad rakibto moduleka Jep Python oo aad dejiso emulator-ka si uu ula shaqeeyo Python (turjumaanka Python ee lagu rakibay nidaamka ugu muhiimsan ee isticmaalaha ayaa la isticmaali doonaa).
Ku rakibida moduleka Python Jep
Under Linux Jep waxaa lagu rakibi karaa iyada oo loo marayo pip:
pip install jepSi aad Jep ugu rakibto Windows, waa inaad marka hore ku rakibtaa Windows SDK iyo Microsoft Visual Studio oo u dhigma. Waanu kuu fududaynay adiga iyo JEP ee noocyada hadda jira ee Python ee Windows, markaa moduleka waxaa lagu rakibi karaa faylka:
pip install jep-3.8.2-cp27-cp27m-win_amd64.whlSi aad u hubiso rakibaadda Jep, waxaad u baahan tahay inaad ku shaqeyso khadka taliska:
python -c "import jep"Fariinta soo socota waa in la helaa jawaab ahaan:
ImportError: Jep is not supported in standalone Python, it must be embedded in Java.Faylka dufcada emulator ee nidaamkaaga (koobiyeyn. fiid - loogu talagalay Windows, koobiyeyn - loogu talagalay Linux) liiska xuduudaha DEFAULT_JVM_OPTS ku dar qiyaas dheeraad ah Djava.library.path - waa in ay ka kooban tahay jidka loo maro moduleka Jep ee rakibay.
Natiijadu waa inay noqotaa sadar sidan oo kale ah:
set DEFAULT_JVM_OPTS="-XX:MaxMetaspaceSize=256m" "-XX:+UseParallelGC" "-XX:SurvivorRatio=6" "-XX:-UseGCOverheadLimit" "-Djava.library.path=C:/Python27/Lib/site-packages/jep"Bilaabida Kopycat
emulator-ku waa konsole codsi JVM ah. Daahfurka waxaa lagu fuliyaa qoraalka khadka taliska ee nidaamka hawlgalka (sh/cmd).
Amarka in lagu shaqeeyo Windows:
binkopycat -g 23946 -n rhino -l user -y library -p firmware=firmwarerhino_pass.bin,tty_dbg=COM26,tty_bt=COM28Amarka in lagu hoos shaqeeyo Linux iyadoo la isticmaalayo socat utility:
./bin/kopycat -g 23946 -n rhino -l user -y library -p firmware=./firmware/rhino_pass.bin, tty_dbg=socat:./COM26,tty_bt=socat:./COM28-g 23646- dekedda TCP oo u furnaan doonta gelitaanka server-ka GDB;-n rhino- magaca moduleka nidaamka ugu weyn (qalabka la isku daray);-l user- magaca maktabadda si aad u raadiso cutubka ugu muhiimsan;-y library- dariiqa raadinta cutubyada ku jira qalabka;firmwarerhino_pass.bin- jidka loo maro faylka firmware;- COM26 iyo COM28 waa dekedo COM ah oo macmal ah.
Natiijo ahaan, degdeg ayaa la soo bandhigi doonaa Python > (ama Argparse >):
18:07:59 INFO [eFactoryBuilder.create ]: Module top successfully created as top
18:07:59 INFO [ Module.initializeAndRes]: Setup core to top.u1_stm32.cortexm0.arm for top
18:07:59 INFO [ Module.initializeAndRes]: Setup debugger to top.u1_stm32.dbg for top
18:07:59 WARN [ Module.initializeAndRes]: Tracer wasn't found in top...
18:07:59 INFO [ Module.initializeAndRes]: Initializing ports and buses...
18:07:59 WARN [ Module.initializePortsA]: ATTENTION: Some ports has warning use printModulesPortsWarnings to see it...
18:07:59 FINE [ ARMv6CPU.reset ]: Set entry point address to 08006A75
18:07:59 INFO [ Module.initializeAndRes]: Module top is successfully initialized and reset as a top cell!
18:07:59 INFO [ Kopycat.open ]: Starting virtualization of board top[rhino] with arm[ARMv6Core]
18:07:59 INFO [ GDBServer.debuggerModule ]: Set new debugger module top.u1_stm32.dbg for GDB_SERVER(port=23946,alive=true)
Python >Isdhexgalka IDA Pro
Si loo fududeeyo tijaabada, waxaan u isticmaalnaa qalabka Rhino sida faylka isha ee falanqaynta IDA ee foomka (macluumaadka meta halkaas ayaa lagu kaydiyaa).
Waxa kale oo aad isticmaali kartaa firmware-ka ugu weyn adiga oo aan haysan macluumaadka meta.
Ka dib markii la bilaabay Kopycat gudaha IDA Pro, gudaha menu Debugger tag shayga "Beddel cilladahaβ¦"oo dooro"Qalabiyaha fog ee GDB" Marka xigta, deji xiriirka: menu Debugger - Habraaca doorashooyinka...
Deji qiimayaasha:
- Codsiga - qiimo kasta
- Magaca martida: 127.0.0.1 (ama ciwaanka IP-ga ee mashiinka fog ee uu Kopycat ku shaqeeyo)
- Dekadda: 23946
Hadda badhanka wax-ka-hortagga wuxuu noqonayaa mid diyaar ah (furaha F9):
Guji si aad ugu xidho moduleka cilladaha ku jira emulatorka. IDA waxay gashaa habka wax-ka-daridda, daaqado dheeraad ah ayaa la heli karaa: macluumaadka ku saabsan diiwaannada, ku saabsan xirmada.
Hadda waxaan isticmaali karnaa dhammaan sifooyinka caadiga ah ee cilladaha:
- tallaabo-tallaabo fulinta tilmaamaha (Talaabada gal ΠΈ Ka gudub - furayaasha F7 iyo F8, siday u kala horreeyaan;
- bilaabista iyo joojinta fulinta;
- abuurista meelaha goynta ee koodka iyo xogta labadaba (F2 furaha).
Ku xidhidhiyaha cilladaha macnaheedu maaha in la wado koodhka firmware-ka. Goobta fulinta hadda waa in ay noqotaa ciwaanka 0x08006A74 - bilawga shaqada Dib u dajin_Handler. Haddii aad hoos ugu dhaadhacdo liiska, waxaad arki kartaa wicitaanka shaqada ugu weyn ee. Waxaad ku dhejin kartaa cursor laynkan (cinwaanka 0x08006ABE) oo uu qalliinka sameeyo Orod ilaa cursor (furaha F4).
Marka xigta, waxaad riixi kartaa F7 si aad u gasho shaqada ugu weyn ee.
Haddii aad maamusho amarka Sii wad hawsha (F9 furaha), ka dib daaqadda "Fadlan sug" ayaa la soo bixi doonta hal badhan Ka jooji:
Markaad riixdo Ka jooji fulinta koodka firmware-ka waa la hakiyay waxaana laga sii wadi karaa isla cinwaanka koodka meesha uu ka go'ay.
Haddii aad sii waddo fulinta koodka, waxaad ku arki doontaa khadadka soo socda terminaalka ku xiran dekedaha COM-da ee casriga ah:
Joogitaanka khadka "gobolka bypass" wuxuu muujinayaa in moduleka casriga ah ee Bluetooth uu u wareegay qaabka xogta laga helayo dekedda COM ee isticmaalaha.
Hadda ku jira terminaalka Bluetooth (COM29 ee sawirka) waxaad geli kartaa amarrada si waafaqsan nidaamka Wiyisha. Tusaale ahaan, amarka "MEOW" wuxuu ku soo celin doonaa xarigga "mur-mur" terminalka Bluetooth:
Si buuxda ha ii dayan
Markaad dhiseyso emulator, waxaad dooran kartaa heerka tafatirka/kudayashada qalab gaar ah. Tusaale ahaan, moduleka Bluetooth-ka waxaa lagu dayan karaa siyaabo kala duwan:
- Qalabka waxaa si buuxda loogu dayday amarro buuxa;
- Amarrada AT waa lagu daydaa, xogta xogta waxaa laga helaa dekedda COM ee nidaamka ugu weyn;
- qalabka casriga ah wuxuu bixiyaa xog dhamaystiran oo dib u habeyn ah oo loogu talagalay qalabka dhabta ah;
- sida suunka fudud oo had iyo jeer soo noqda "OK".
Nooca hadda ee emulator-ku wuxuu adeegsadaa habka labaad - moduleka farsamada casriga ah ee Bluetooth wuxuu sameeyaa qaabeynta, ka dib wuxuu u beddelaa qaabka xogta "proxying" ee dekedda COM ee nidaamka ugu weyn ee dekedda UART ee emulator.
Aynu tixgelinno suurtogalnimada qalabaynta fudud ee koodhka haddii ay dhacdo qayb ka mid ah hareeraha aan la hirgelin. Tusaale ahaan, haddii wakhti-meeraha ka mas'uulka ah xakameynta wareejinta xogta DMA aan la abuurin (jeegta waxaa lagu sameeyaa shaqada ws2812b_sugku yaal 0x08006840), ka dibna firmware-ku had iyo jeer wuxuu sugi doonaa calanka in dib loo dajiyo mashquulku yaal 0x200004C4kaas oo tusinaya deganaanshaha khadka xogta DMA:
Waxaan xaaladan ku maarayn karnaa innagoo gacanta dib u dejinaya calanka mashquul isla markiiba ka dib markii la rakibo. Gudaha IDA Pro, waxaad abuuri kartaa shaqo Python oo waxaad ugu yeeri kartaa barta jebinta, oo waxaad geli kartaa barta jabinta lafteeda koodhka ka dib markaad u qorto qiimaha 1 calanka mashquul.
Maamule Breakpoint
Marka hore, aan ku abuurno shaqada Python gudaha IDA. Menu File - Amarka qoraalka...
Ku dar qayb cusub liiska bidix, magac u bixi (tusaale ahaan, BPT),
Goobta qoraalka ee dhanka midig, geli code-ka shaqada:
def skip_dma():
print "Skipping wait ws2812..."
value = Byte(0x200004C4)
if value == 1:
PatchDbgByte(0x200004C4, 0)
return False
Intaa ka dib waanu riixnaa Run oo xidh daaqada qoraalka.
Hadda aan tagno koodhka at 0x0800688A, deji barta goynta (furaha F2), tafatir (tusaale menu Wax ka beddel barta goynta...), ha ilaawin inaad dejiso nooca qoraalka Python:
Haddii calanka hadda jira uu qiimeeyo mashquul waxay la mid tahay 1, markaas waa inaad fulisaa shaqada ka bood_dma ee xariiqda qoraalka:
Haddii aad ku socodsiiso firmware-ka fulinta, waxaad arki kartaa kicinta koodhka maamulaha barta IDA ee daaqada IDA. Output khadka Skipping wait ws2812.... Hadda firmware-ku ma sugi doono calanka in dib loo dajiyo mashquul.
La falgalka emulator-ka
Ku dayashada ku dayashada awgeed uma badna inay keento farxad iyo raynrayn. Aad bay u xiiso badan tahay haddii emulator-ku uu ka caawiyo cilmi-baaraha si uu u arko xogta ku jirta xusuusta ama la dhiso isdhexgalka dunta.
Waxaan ku tusi doonaa sida aad si firfircoon ugu abuurto isdhexgalka u dhexeeya hawlaha RTOS. Waa inaad marka hore joojisaa fulinta koodka haddii uu socdo. Haddii aad tagto shaqada bluetooth_task_entry laanta habaynta ee amarka "LED" (cinwaanka 0x080057B8), ka dibna waxaad arki kartaa waxa marka hore la abuuray ka dibna loo diro nidaamka safka hogaamintaControlQueueHandle fariinta qaar
Waa in aad dhigataa meel go'an si aad u gasho doorsoomaha hogaamintaControlQueueHandleku yaal 0x20000624 oo sii wad fulinta koodka:
Natiijo ahaan, joogsiga ayaa marka hore ka dhici doona cinwaanka 0x080057CA ka hor inta aanad wicin shaqada osMailAlloc, ka dibna cinwaanka 0x08005806 ka hor inta aanad wicin shaqada osMailPut, ka dibna muddo ka dib - ciwaanka 0x08005BD4 (kahor intaadan wicin shaqada osMailGet), taas oo ka tirsan shaqada leds_task_gelid (LED-task), taas oo ah, hawlihii beddelmay, oo hadda hawsha LED-ku waxay heshay xakamaynta.
Habkan fudud waxaad ku xaqiijin kartaa sida hawlaha RTOS ay isula falgalaan.
Dabcan, dhab ahaantii, isdhexgalka hawluhu wuxuu noqon karaa mid aad u dhib badan, laakiin isticmaalka emulator-ka, la socodka isdhexgalka ayaa noqda mid dhib yar.
Waxaad daawan kartaa muuqaal gaaban oo ku saabsan emulator-ka oo bilaabaya lana falgalaya IDA Pro.
Ku bilow Radare2
Ma iska indho tiri kartid qalabka caalamiga ah sida Radare2.
Si aad ugu xirto emulator-ka adigoo isticmaalaya r2, amarku wuxuu u ekaan lahaa sidan:
radare2 -A -a arm -b 16 -d gdb://localhost:23946 rhino_fw42k6.elfBilaw hadda waa la heli karaa (dc) oo jooji fulinta (Ctrl+C).
Nasiib darro, xilligan, r2 waxay leedahay dhibaatooyin marka ay la shaqeyneyso gdb server-ka hardware iyo qaabka xusuusta; Sababtaas awgeed, dhibcooyinka iyo tillaabooyinka ma shaqeeyaan (amarka ds). Waxaan rajaynaynaa in arrintan la xalin doono dhawaan.
Eclipse ku ordaya
Mid ka mid ah fursadaha loo isticmaalo emulator-ka ayaa ah in la tirtiro firmware-ka aaladda la soo saarayo. Si loo caddeeyo, waxaanu sidoo kale isticmaali doonaa qalabka wiyisha. Waxaad soo dejisan kartaa ilaha firmware-ka .
Waxaan u isticmaali doonaa Eclipse ka set-ka IDE ahaan .
Si uu emulator-ku ugu shubo firmware si toos ah loogu soo ururiyey Eclipse, waxaad u baahan tahay inaad ku darto cabbirka firmware=null Ku dir amarka bilowga emulator:
binkopycat -g 23946 -n rhino -l user -y modules -p firmware=null,tty_dbg=COM26,tty_bt=COM28Dejinta qaabeynta cilladaha
In Eclipse, dooro liiska Orod - Debug Configurations... Daaqada furan, qaybta Qalabaynta GDB Hardware waxaad u baahan tahay inaad ku darto qaabayn cusub, ka dibna tabka "Main" ku qeex mashruuca hadda jira iyo codsiga wax-ka-hortagga:
Tabka "Debugger" waxaad u baahan tahay inaad qeexdo amarka GDB:
${openstm32_compiler_path}arm-none-eabi-gdb
Oo sidoo kale geli cabbirrada isku xirka server-ka GDB (martigeliyaha iyo dekedda):
Tabka "Startup", waa inaad qeexdaa xuduudaha soo socda:
- awood u yeelo sanduuqa hubinta Soo rar sawirka (si markaa sawirka firmware-ka la soo ururiyey loogu dhejiyo emulator);
- awood u yeelo sanduuqa hubinta Calamadaha rarka;
- ku dar amarka bilaabista:
set $pc = *0x08000004(Diiwaanka PC ka dhig qiimaha xusuusta ee cinwaanka0x08000004- cinwaanka halkaas ayaa lagu kaydiyaa Dib u dajinHandler).
Feejignow, haddii aadan rabin inaad ka soo dejiso feylka firmware-ka Eclipse, markaa xulashooyinka Soo rar sawirka ΠΈ Orod amarrada looma baahna in la tilmaamo.
Kadib markaad gujiso Debug, waxaad ku shaqayn kartaa qaabka debugger:
- tallaabo tallaabo code fulinta
- la falgalka meelaha jabinta
tacliiq. Dayax madoobaadku wuxuu leeyahay, hmm... xoogaa qallafsanaan ah... waana inaad la nooshahay. Tusaale ahaan, haddii marka aad bilaabayso debugger-ka fariinta "Ma jiro il laga heli karo" 0x0 ", ka dibna fuli amarka Tallaabada (F5)
Halkii gabagabo
Ku dayashada koodka hooyo waa shay aad u xiiso badan. Waxa ay suurtogal u noqotaa soo-saare aaladaha in uu ka saaro firmware-ka iyada oo aan lahayn qalab dhab ah. Cilmi-baaraha, waa fursad uu ku sameeyo falanqaynta koodhka firfircoon, taas oo aan had iyo jeer suurtogal ahayn xitaa qalab.
Waxaan rabnaa inaan siino khabiiro leh qalab ku habboon, dhexdhexaad ah oo aan ku qaadanayn dadaal iyo waqti badan si loo dejiyo loona shaqeeyo.
Ku qor faallooyinka ku saabsan waayo-aragnimadaada addoo isticmaalaya emulators hardware. Waxaan kugu martiqaadeynaa inaad ka hadasho oo aad ku farxi doonto inaad ka jawaabto su'aalaha.
Isticmaalayaasha diiwaangashan oo keliya ayaa ka qaybqaadan kara sahanka. , soo dhawoow.
Maxaad u isticmaalaysaa emulator-ka?
-
Waxaan horumariyaa (debug) firmware
-
Waxaan baarayaa firmware
-
Waxaan bilaabay ciyaaraha (Dendi, Sega, PSP)
-
wax kale (ku qor faallooyinka)
7 isticmaale ayaa codeeyay. 2 isticmaale ayaa ka aamusay.
Waa maxay software-ka aad isticmaasho si aad ugu dayato koodka hooyo?
-
QEMU
-
mishiinka Unicorn
-
Proteus
-
wax kale (ku qor faallooyinka)
6 isticmaale ayaa codeeyay. 2 isticmaale ayaa ka aamusay.
Maxaad jeclaan lahayd inaad ku hagaajiso emulator-ka aad isticmaalayso?
-
Waxaan rabaa xawaare
-
Waxaan rabaa fududaan dejinta/furitaanka
-
Waxaan rabaa doorashooyin badan oo aan kula falgalo emulator-ka (API, hooks)
-
Wax walba waan ku faraxsanahay
-
wax kale (ku qor faallooyinka)
8 isticmaale ayaa codeeyay. 1 isticmaale waa ka aamusay.
Source: www.habr.com