Rhino inside the cat: running firmware in the Kopycat emulator


At the 0x0A DC7831 DEF CON Nizhny Novgorod meetup on February 16 we gave a talk on the basic principles of binary code emulation and on our own development, the Kopycat hardware emulation platform.

In this article we describe how to run device firmware in the emulator, demonstrate interaction with a debugger, and perform a small dynamic analysis of the firmware.

Prehistory

A long time ago in a galaxy far, far away...

A few years ago our laboratory needed to examine the firmware of a device. The firmware was compressed and was unpacked by a bootloader, which did this in a rather convoluted way, moving data around in memory several times. The firmware itself then interacted heavily with peripherals. And all of this on a MIPS core.

For objective reasons the available emulators did not suit us, but we still wanted to run the code. So we decided to write our own emulator that would do the bare minimum and let us unpack the main firmware. We tried it, and it worked. Then we thought: what if we add peripherals so that we can run the main firmware as well? That did not hurt much, and it worked too. We thought some more and decided to build a full-fledged emulator.

The result is Kopycat, an emulator of computer systems.

Why Kopycat?

It is a play on words.

  1. copycat (English, noun [ˈkɒpɪkæt]) - an imitator, a mimic
  2. cat (English, noun [ˈkæt]) - a cat, the favourite animal of one of the project's creators
  3. the letter "K" comes from the Kotlin programming language

Kopycat

When creating the emulator, the following very specific goals were set:

  • the ability to quickly create new peripherals, modules and processor cores;
  • the ability to assemble a virtual device from different modules;
  • the ability to load arbitrary binary data (firmware) into the memory of the virtual device;
  • the ability to work with snapshots (snapshots of the system state);
  • the ability to interact with the emulator through a built-in debugger;
  • a pleasant, modern development language.

As a result, Kotlin was chosen as the implementation language, a bus architecture was adopted (modules communicate with each other over virtual data buses), JSON was chosen as the device description format, and GDB RSP as the protocol for talking to the debugger.

Development has been going on for a little over two years and is still in progress. During this time MIPS, x86, V850ES, ARM and PowerPC processor cores have been implemented.

The project is growing, and it is time to present it to a wider audience. We will give a detailed description of the project later; for now we will focus on using Kopycat.

For the most impatient, a promo version of the emulator can be downloaded from the link.

Rhino in the emulator

Recall that for the SMARTRHINO-2018 conference the "Rhinoceros" test device was built to teach reverse engineering skills. The process of static analysis of its firmware was described in this article.

Now let's try to add some "dynamics" and run the firmware in the emulator.

We will need:
1) Java 1.8
2) Python and the jep module, to use Python inside the emulator. A pre-built WHL package of Jep for Windows can be downloaded here.

For Windows:
1) com0com
2) PuTTY

For Linux:
1) socat

Eclipse, IDA Pro or radare2 can be used as the GDB client.

How does it work?

To run firmware in the emulator, you need to "assemble" a virtual device that is an analogue of the real one.

The real device (the "rhino") can be drawn as a block diagram: an STM32 microcontroller with a debug UART, a Bluetooth module on a second UART, and a row of 16 LEDs.


The emulator has a modular structure, and the resulting virtual device is described in a JSON file:


{
  "top": true,

  // Plugin name should be the same as file name (or full path from library start)
  "plugin": "rhino",

  // Directory where plugin places
  "library": "user",

  // Plugin parameters (constructor parameters if jar-plugin version)
  "params": [
    { "name": "tty_dbg", "type": "String"},
    { "name": "tty_bt", "type": "String"},
    { "name": "firmware", "type": "String", "default": "NUL"}
  ],

  // Plugin outer ports
  "ports": [  ],

  // Plugin internal buses
  "buses": [
    { "name": "mem", "size": "BUS30" },
    { "name": "nand", "size": "4" },
    { "name": "gpio", "size": "BUS32" }
  ],

  // Plugin internal components
  "modules": [
    {
      "name": "u1_stm32",
      "plugin": "STM32F042",
      "library": "mcu",
      "params": {
        "firmware:String": "params.firmware"
      }
    },
    {
      "name": "usart_debug",
      "plugin": "UartSerialTerminal",
      "library": "terminals",
      "params": {
        "tty": "params.tty_dbg"
      }
    },
    {
      "name": "term_bt",
      "plugin": "UartSerialTerminal",
      "library": "terminals",
      "params": {
        "tty": "params.tty_bt"
      }
    },
    {
      "name": "bluetooth",
      "plugin": "BT",
      "library": "mcu"
    },

    { "name": "led_0",  "plugin": "LED", "library": "mcu" },
    { "name": "led_1",  "plugin": "LED", "library": "mcu" },
    { "name": "led_2",  "plugin": "LED", "library": "mcu" },
    { "name": "led_3",  "plugin": "LED", "library": "mcu" },
    { "name": "led_4",  "plugin": "LED", "library": "mcu" },
    { "name": "led_5",  "plugin": "LED", "library": "mcu" },
    { "name": "led_6",  "plugin": "LED", "library": "mcu" },
    { "name": "led_7",  "plugin": "LED", "library": "mcu" },
    { "name": "led_8",  "plugin": "LED", "library": "mcu" },
    { "name": "led_9",  "plugin": "LED", "library": "mcu" },
    { "name": "led_10", "plugin": "LED", "library": "mcu" },
    { "name": "led_11", "plugin": "LED", "library": "mcu" },
    { "name": "led_12", "plugin": "LED", "library": "mcu" },
    { "name": "led_13", "plugin": "LED", "library": "mcu" },
    { "name": "led_14", "plugin": "LED", "library": "mcu" },
    { "name": "led_15", "plugin": "LED", "library": "mcu" }
  ],

  // Plugin connection between components
  "connections": [
    [ "u1_stm32.ports.usart1_m", "usart_debug.ports.term_s"],
    [ "u1_stm32.ports.usart1_s", "usart_debug.ports.term_m"],

    [ "u1_stm32.ports.usart2_m", "bluetooth.ports.usart_m"],
    [ "u1_stm32.ports.usart2_s", "bluetooth.ports.usart_s"],

    [ "bluetooth.ports.bt_s", "term_bt.ports.term_m"],
    [ "bluetooth.ports.bt_m", "term_bt.ports.term_s"],

    [ "led_0.ports.pin",  "u1_stm32.buses.pin_output_a", "0x00"],
    [ "led_1.ports.pin",  "u1_stm32.buses.pin_output_a", "0x01"],
    [ "led_2.ports.pin",  "u1_stm32.buses.pin_output_a", "0x02"],
    [ "led_3.ports.pin",  "u1_stm32.buses.pin_output_a", "0x03"],
    [ "led_4.ports.pin",  "u1_stm32.buses.pin_output_a", "0x04"],
    [ "led_5.ports.pin",  "u1_stm32.buses.pin_output_a", "0x05"],
    [ "led_6.ports.pin",  "u1_stm32.buses.pin_output_a", "0x06"],
    [ "led_7.ports.pin",  "u1_stm32.buses.pin_output_a", "0x07"],
    [ "led_8.ports.pin",  "u1_stm32.buses.pin_output_a", "0x08"],
    [ "led_9.ports.pin",  "u1_stm32.buses.pin_output_a", "0x09"],
    [ "led_10.ports.pin", "u1_stm32.buses.pin_output_a", "0x0A"],
    [ "led_11.ports.pin", "u1_stm32.buses.pin_output_a", "0x0B"],
    [ "led_12.ports.pin", "u1_stm32.buses.pin_output_a", "0x0C"],
    [ "led_13.ports.pin", "u1_stm32.buses.pin_output_a", "0x0D"],
    [ "led_14.ports.pin", "u1_stm32.buses.pin_output_a", "0x0E"],
    [ "led_15.ports.pin", "u1_stm32.buses.pin_output_a", "0x0F"]
  ]
}

Note the firmware parameter in the params section: it is the name of the file that will be loaded into the virtual device as firmware. Each LED is attached to one bit of the microcontroller's pin_output_a bus (the third element of such a connection is the offset on that bus), and the two UARTs are wired to a terminal module and to the Bluetooth module respectively.
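A quick way to catch wiring mistakes in such a description before starting the emulator is to lint it. The following Python 3 script is an added example and is not part of Kopycat or of the article; the three rules it applies (a parameter reference must name a declared parameter, a connection endpoint must be module.ports.X or module.buses.X on a declared module, and two pins must not share one offset on one bus) are the editor's reading of the format shown above, not checks Kopycat itself is known to perform. The trimmed description embedded in it is constructed for the example and deliberately contains two mistakes.

```python
import json
import re

# Constructed sample: a trimmed copy of the rhino description above with
# two deliberate mistakes (an undeclared parameter and two LEDs on one pin).
SAMPLE = """
{
  "top": true,
  // Kopycat descriptions allow // line comments, which plain JSON does not
  "plugin": "rhino",
  "library": "user",
  "params": [
    { "name": "tty_dbg", "type": "String" },
    { "name": "firmware", "type": "String", "default": "NUL" }
  ],
  "ports": [],
  "buses": [ { "name": "mem", "size": "BUS30" } ],
  "modules": [
    { "name": "u1_stm32", "plugin": "STM32F042", "library": "mcu",
      "params": { "firmware:String": "params.firmware" } },
    { "name": "usart_debug", "plugin": "UartSerialTerminal", "library": "terminals",
      "params": { "tty": "params.tty_dbg" } },
    { "name": "term_bt", "plugin": "UartSerialTerminal", "library": "terminals",
      "params": { "tty": "params.tty_bt" } },
    { "name": "led_0", "plugin": "LED", "library": "mcu" },
    { "name": "led_1", "plugin": "LED", "library": "mcu" }
  ],
  "connections": [
    [ "u1_stm32.ports.usart1_m", "usart_debug.ports.term_s" ],
    [ "u1_stm32.ports.usart1_s", "usart_debug.ports.term_m" ],
    [ "led_0.ports.pin", "u1_stm32.buses.pin_output_a", "0x00" ],
    [ "led_1.ports.pin", "u1_stm32.buses.pin_output_a", "0x00" ]
  ]
}
"""

# Whole-line // comments only; a "//" inside a string value is left alone.
LINE_COMMENT = re.compile(r"^\s*//.*$", re.MULTILINE)


def load_description(text):
    """Drop // line comments (as used in the description above) and parse the JSON."""
    return json.loads(LINE_COMMENT.sub("", text))


def check_description(desc):
    """Return a list of human-readable problems; an empty list means the description passed."""
    problems = []
    modules = {m["name"] for m in desc.get("modules", [])}
    params = {p["name"] for p in desc.get("params", [])}

    # Rule 1: a module parameter written as "params.X" must refer to a declared top-level param.
    for mod in desc.get("modules", []):
        for value in mod.get("params", {}).values():
            if isinstance(value, str) and value.startswith("params."):
                if value[len("params."):] not in params:
                    problems.append(f"{mod['name']}: undeclared parameter {value}")

    # Rule 2: each endpoint is <module>.ports.<name> or <module>.buses.<name> on a declared module.
    # Rule 3: a bus connection carries an offset (third element); two pins on one offset collide.
    seen_offsets = {}
    for conn in desc.get("connections", []):
        for endpoint in conn[:2]:
            parts = endpoint.split(".")
            if len(parts) != 3 or parts[1] not in ("ports", "buses"):
                problems.append(f"malformed endpoint {endpoint}")
            elif parts[0] not in modules:
                problems.append(f"{endpoint}: module {parts[0]} is not declared")
        if len(conn) == 3:
            key = (conn[1], int(conn[2], 16))
            if key in seen_offsets:
                problems.append(f"{conn[0]} and {seen_offsets[key]} both sit on {conn[1]} offset {conn[2]}")
            else:
                seen_offsets[key] = conn[0]
    return problems


if __name__ == "__main__":
    for problem in check_description(load_description(SAMPLE)):
        print("problem:", problem)
```

Run on the real rhino.json the same way (read the file instead of SAMPLE); a description that passes is simply one that names every module and parameter it uses, which is the class of mistake that otherwise surfaces only as a port warning in the emulator log.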

The virtual device interacts with the host operating system through the host's serial ports and through the GDB server, as described next.


The current test case for the emulator involves interaction with the COM ports of the host OS (the debug UART and the UART of the Bluetooth module). These can be real ports to which devices are connected, or virtual COM ports (for which you only need com0com/socat).

There are currently two main ways to interact with the emulator from the outside:

  • the GDB RSP protocol (accordingly, the tools that support this protocol are Eclipse/IDA/radare2);
  • the emulator's internal command line (Argparse or Python).

Virtual COM ports

To interact with the virtual device's UART from the local machine through a terminal, you need to create a pair of linked virtual COM ports. In our case one port is used by the emulator and the other by the terminal program (PuTTY or screen).


Using com0com

Virtual COM ports are configured with the setup utility from the com0com kit (console version C:\Program Files (x86)\com0com\setupc.exe, or GUI version C:\Program Files (x86)\com0com\setupg.exe).


Tick the "enable buffer overrun" boxes for all created virtual ports, otherwise the emulator will block waiting for a response from the COM port.

Using socat

On UNIX systems the virtual COM ports are created automatically by the emulator with the socat utility; to do this, just put the prefix socat: in front of the port name when starting the emulator.

Internal command line interface (Argparse or Python)

Since Kopycat is a console application, the emulator offers two command-line options for interacting with its objects and variables: Argparse and Python.

Argparse is a CLI built into Kopycat and is always available.

The alternative CLI is a Python interpreter. To use it, you need to install the Jep Python module and configure the emulator to work with Python (the Python interpreter installed on the user's host system will be used).

Installing the Jep Python module

On Linux, Jep can be installed with pip:

pip install jep

To install Jep on Windows, you first need to install the Windows SDK and a matching Microsoft Visual Studio. We have made this easier and built WHL packages of Jep for the current Python versions on Windows, so the module can be installed from a file:

pip install jep-3.8.2-cp27-cp27m-win_amd64.whl

To check the Jep installation, run on the command line:

python -c "import jep"

The following message should be printed in response:

ImportError: Jep is not supported in standalone Python, it must be embedded in Java.

This is expected: Jep only works when Python is embedded in a JVM, which is exactly how the emulator uses it.

In the emulator's launch script for your system (kopycat.bat for Windows, kopycat for Linux), add an extra parameter -Djava.library.path to the DEFAULT_JVM_OPTS list; it must contain the path to the installed Jep module.

On Windows the result should be a line like this:

set DEFAULT_JVM_OPTS="-XX:MaxMetaspaceSize=256m" "-XX:+UseParallelGC" "-XX:SurvivorRatio=6" "-XX:-UseGCOverheadLimit" "-Djava.library.path=C:/Python27/Lib/site-packages/jep"

Launching Kopycat

The emulator is a JVM console application. It is launched from the operating system command line (sh/cmd).

Command to run on Windows:

bin\kopycat -g 23946 -n rhino -l user -y library -p firmware=firmware\rhino_pass.bin,tty_dbg=COM26,tty_bt=COM28

Command to run on Linux using the socat utility:

./bin/kopycat -g 23946 -n rhino -l user -y library -p firmware=./firmware/rhino_pass.bin,tty_dbg=socat:./COM26,tty_bt=socat:./COM28

  • -g 23946 - the TCP port that will be opened for access to the GDB server;
  • -n rhino - the name of the top module (the assembled device);
  • -l user - the name of the library in which to look for the top module;
  • -y library - the path in which to look for the modules the device is built from;
  • firmware\rhino_pass.bin - the path to the firmware file;
  • COM26 and COM28 - the virtual COM ports.

As a result, the Python > (or Argparse >) prompt will appear:

18:07:59 INFO [eFactoryBuilder.create ]: Module top successfully created as top
18:07:59 INFO [ Module.initializeAndRes]: Setup core to top.u1_stm32.cortexm0.arm for top
18:07:59 INFO [ Module.initializeAndRes]: Setup debugger to top.u1_stm32.dbg for top
18:07:59 WARN [ Module.initializeAndRes]: Tracer wasn't found in top...
18:07:59 INFO [ Module.initializeAndRes]: Initializing ports and buses...
18:07:59 WARN [ Module.initializePortsA]: ATTENTION: Some ports has warning use printModulesPortsWarnings to see it...
18:07:59 FINE [ ARMv6CPU.reset ]: Set entry point address to 08006A75
18:07:59 INFO [ Module.initializeAndRes]: Module top is successfully initialized and reset as a top cell!
18:07:59 INFO [ Kopycat.open ]: Starting virtualization of board top[rhino] with arm[ARMv6Core]
18:07:59 INFO [ GDBServer.debuggerModule ]: Set new debugger module top.u1_stm32.dbg for GDB_SERVER(port=23946,alive=true)
Python >

Interaction with IDA Pro

To simplify testing, we use the Rhino firmware as the input file for analysis in IDA in ELF form (the meta-information is preserved there).

You can also use the raw firmware without meta-information.

After launching Kopycat, in IDA Pro open the Debugger menu, choose "Switch debugger..." and select "Remote GDB debugger". Next, set up the connection: menu Debugger - Process options...

Set the values:

  • Application - any value
  • Hostname: 127.0.0.1 (or the IP address of the remote machine on which Kopycat is running)
  • Port: 23946


Now the debug button is available (F9 key).


Click it to connect to the debugger module in the emulator. IDA enters debug mode, and additional windows become available: register and stack information.

Now we can use all the usual debugger features:

  • step-by-step execution of instructions (Step into and Step over, keys F7 and F8 respectively);
  • starting and pausing execution;
  • setting breakpoints on both code and data (F2 key).

Connecting to the debugger does not by itself start executing the firmware code. The current execution position should be address 0x08006A74, the start of the Reset_Handler function (the emulator log above reports the entry point as 08006A75: bit 0 is the Thumb state bit, not part of the address). If you scroll down the listing, you can see the call to the main function. Place the cursor on that line (address 0x08006ABE) and execute Run until cursor (F4 key).


Next, press F7 to step into the main function.

If you run the command Continue process (F9 key), a "Please wait" window with a single Suspend button will appear.


When you press Suspend, execution of the firmware code is paused and can be resumed from the same address in the code at which it was interrupted.

If you let the code keep running, output appears in the terminals attached to the virtual COM ports.


The presence of the line "state bypass" indicates that the virtual Bluetooth module has switched to the mode in which it receives data from the user's COM port.

Now, in the Bluetooth terminal (COM29 in the screenshot: the terminal side of the pair whose other end, COM28, was given to the emulator), you can enter commands according to the Rhino protocol. For example, the "MEOW" command returns the string "mur-mur" to the Bluetooth terminal.


Emulate, but not all the way

When building an emulator, you can choose the level of detail to which a particular device is emulated. For example, the Bluetooth module could be emulated in several ways:

  • the device is fully emulated, with the complete command set;
  • the AT commands are emulated, and the data stream is taken from the host system's COM port;
  • the virtual device simply forwards all data to a real device;
  • as a simple stub that always answers "OK".

The current version of the emulator uses the second approach: the virtual Bluetooth module handles the configuration, after which it switches to "proxying" data from the host system's COM port to the emulator's UART port.


Let's look at whether it is possible, in a simple way, to keep the code running when some part of the peripherals is not implemented. For example, if the timer responsible for controlling DMA data transfer has not been implemented (the check is done in the function ws2812b_wait located at 0x08006840), then the firmware will wait forever for the busy flag located at 0x200004C4, which indicates that the DMA data line is busy, to be reset.


We can handle this situation by manually resetting the busy flag right after it is set. In IDA Pro you can create a Python function and call it from a breakpoint, placing the breakpoint itself in the code after the write of the value 1 to the busy flag.

Breakpoint handler

First, let's create the Python function in IDA. Menu File - Script command...

Add a new snippet to the list on the left, give it a name (for example, BPT), and enter the function code in the text field on the right:

def skip_dma():
    # IDAPython (Python 2 at the time of writing): Byte() reads one byte
    # from the debugged process, PatchDbgByte() writes one.
    print("Skipping wait ws2812...")
    value = Byte(0x200004C4)          # the busy flag
    if value == 1:
        PatchDbgByte(0x200004C4, 0)   # clear it so that ws2812b_wait returns
    return False                      # False: do not stop at the breakpoint, keep running


After that, click Run and close the script window.

Now go to the code at 0x0800688A, set a breakpoint (F2 key), edit it (context menu Edit breakpoint...), and do not forget to set the script type to Python.


If the current value of the busy flag equals 1, the skip_dma function should be executed: enter skip_dma() as the breakpoint condition.


When the firmware is run, the breakpoint handler can be seen working in the IDA Output window by the line Skipping wait ws2812.... Now the firmware no longer waits for the busy flag to be reset.

Interacting with the emulator

Emulation for its own sake is unlikely to bring much joy. It is much more interesting when the emulator helps the researcher see data in memory or establish how threads interact.

We will show how to establish the interaction between RTOS tasks. First, pause code execution if it is running. If you go to the function bluetooth_task_entry, to the branch that handles the "LED" command (address 0x080057B8), you can see that a message is first created and then sent to the system queue ledControlQueueHandle.


Set a breakpoint on access to the variable ledControlQueueHandle located at 0x20000624 and continue execution.


As a result, execution stops first at address 0x080057CA, before the call to osMailAlloc, then at address 0x08005806, before the call to osMailPut, and after a while at address 0x08005BD4 (before the call to osMailGet), which is part of the leds_task_entry function (the LED task). That is, the tasks have switched and the LED task now has control.


In this simple way you can establish how RTOS tasks interact.
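Both of the tricks above, clearing the busy flag and watching ledControlQueueHandle, go through the GDB RSP protocol that Kopycat exposes on port 23946, and IDA is only one client of it. The following Python 3 script is an added example written for this article, not Kopycat's or IDA's code: it implements the RSP framing ('$' payload '#' two hex checksum digits, each packet acknowledged with '+'), the m/M memory packets and the Z watchpoint packet, and redoes the skip_dma() logic over the wire. So that it runs offline it talks to a small in-memory stub constructed for the example; against the emulator the transport would be a TCP socket. That Kopycat's stub honours Z packets (hardware watchpoints) is an assumption; a stub that does not answers with an empty packet, which the client reports as unsupported.

```python
FLAG_BUSY = 0x200004C4     # busy flag polled by ws2812b_wait (address from the article)
QUEUE_HANDLE = 0x20000624  # ledControlQueueHandle (address from the article)

def checksum(payload: bytes) -> int:
    return sum(payload) & 0xFF          # RSP checksum: byte sum modulo 256

def frame(payload: bytes) -> bytes:
    """Wrap a payload as $<payload>#<two hex checksum digits>."""
    return b"$" + payload + b"#" + b"%02x" % checksum(payload)

def unframe(packet: bytes) -> bytes:
    """Check framing and checksum, return the payload."""
    if packet[:1] != b"$" or packet[-3:-2] != b"#":
        raise ValueError("bad framing: %r" % packet)
    payload = packet[1:-3]
    if checksum(payload) != int(packet[-2:], 16):
        raise ValueError("checksum mismatch: %r" % packet)
    return payload

class RspClient:
    """Minimal GDB RSP client over any transport with send(bytes) and recv(n) -> bytes."""

    def __init__(self, transport):
        self.t = transport

    def _exchange(self, payload: bytes) -> bytes:
        self.t.send(frame(payload))
        if self.t.recv(1) != b"+":          # the stub acknowledges every packet
            raise IOError("packet not acknowledged")
        data = b""
        while not data.endswith(b"#"):      # '#' never occurs unescaped inside a payload
            chunk = self.t.recv(1)
            if not chunk:
                raise IOError("connection closed")
            data += chunk
        data += self.t.recv(2)              # the two checksum digits
        self.t.send(b"+")                   # acknowledge the reply
        return unframe(data)

    def read_memory(self, addr: int, length: int) -> bytes:
        reply = self._exchange(b"m%x,%x" % (addr, length))
        if reply[:1] == b"E":
            raise IOError("read failed: %r" % reply)
        return bytes.fromhex(reply.decode())

    def write_memory(self, addr: int, data: bytes) -> None:
        reply = self._exchange(b"M%x,%x:" % (addr, len(data)) + data.hex().encode())
        if reply != b"OK":
            raise IOError("write failed: %r" % reply)

    def insert_watchpoint(self, addr: int, length: int, kind: int = 4) -> bool:
        """Z packet: kind 2 = write, 3 = read, 4 = access watchpoint. False = unsupported."""
        return self._exchange(b"Z%d,%x,%x" % (kind, addr, length)) == b"OK"

def skip_dma_wait(client: RspClient, flag_addr: int = FLAG_BUSY) -> bool:
    """skip_dma() from the IDA section, done over the wire: clear busy if it is set."""
    if client.read_memory(flag_addr, 1)[0] == 1:
        client.write_memory(flag_addr, b"\x00")
        return True
    return False

class FakeStub:
    """In-memory GDB stub constructed for this example so that it runs offline.
    It handles only m, M and Z and answers anything else with an empty packet."""

    def __init__(self, memory):
        self.mem, self.watchpoints, self.inbuf, self.out = dict(memory), set(), b"", b""

    def send(self, data: bytes) -> None:
        self.inbuf += data
        while self.inbuf:
            if self.inbuf[:1] == b"+":              # client's ack of our last reply
                self.inbuf = self.inbuf[1:]
                continue
            end = self.inbuf.find(b"#")
            if end < 0 or len(self.inbuf) < end + 3:
                return                              # packet not complete yet
            packet, self.inbuf = self.inbuf[:end + 3], self.inbuf[end + 3:]
            self.out += b"+" + frame(self._handle(unframe(packet)))

    def recv(self, n: int) -> bytes:
        chunk, self.out = self.out[:n], self.out[n:]
        return chunk

    def _handle(self, p: bytes) -> bytes:
        if p[:1] == b"m":                           # m<addr>,<len> -> hex bytes
            addr, length = (int(x, 16) for x in p[1:].split(b","))
            return bytes(self.mem.get(addr + i, 0) for i in range(length)).hex().encode()
        if p[:1] == b"M":                           # M<addr>,<len>:<hex bytes> -> OK
            head, hexdata = p[1:].split(b":")
            addr = int(head.split(b",")[0], 16)
            for i, byte in enumerate(bytes.fromhex(hexdata.decode())):
                self.mem[addr + i] = byte
            return b"OK"
        if p[:1] == b"Z":                           # Z<kind>,<addr>,<len> -> OK
            self.watchpoints.add(p[1:])
            return b"OK"
        return b""

if __name__ == "__main__":
    client = RspClient(FakeStub({FLAG_BUSY: 1}))    # firmware has just written busy = 1
    print("busy flag cleared:", skip_dma_wait(client))
    print("access watchpoint on ledControlQueueHandle:", client.insert_watchpoint(QUEUE_HANDLE, 4))
```

Against the running emulator, RspClient(socket.create_connection(("127.0.0.1", 23946))) replaces the stub: a socket already has the send() and recv() methods the client expects. The m, M and Z packets are the ones any GDB client, IDA included, sends on your behalf when you patch a byte or set a data breakpoint, so a script like this can automate the busy-flag patch without keeping IDA attached.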

Of course, in reality the interaction of tasks can be far more complex, but with an emulator tracing it becomes much less laborious.

Here you can watch a short video of launching the emulator and interacting with IDA Pro.

Launching with Radare2

One cannot ignore such a universal tool as Radare2.

To connect to the emulator with r2, the command looks like this:

radare2 -A -a arm -b 16 -d gdb://localhost:23946 rhino_fw42k6.elf

Starting execution (dc) and pausing it (Ctrl+C) work.

Unfortunately, at the moment r2 has problems working with a hardware gdb server and its memory layout; because of this, breakpoints and single stepping (the ds command) do not work. We hope this will be fixed soon.

Running with Eclipse

One of the uses of the emulator is debugging the firmware of a device under development. For clarity, we will again use the Rhino firmware. The firmware sources can be downloaded from here.

We will use Eclipse from the System Workbench for STM32 kit as the IDE.

For the emulator to load firmware compiled directly in Eclipse, add the parameter firmware=null to the emulator launch command:

bin\kopycat -g 23946 -n rhino -l user -y modules -p firmware=null,tty_dbg=COM26,tty_bt=COM28

Setting up the debug configuration

In Eclipse, select the menu Run - Debug Configurations... In the window that opens, add a new configuration in the GDB Hardware Debugging section, then on the "Main" tab specify the current project and the application to debug.


On the "Debugger" tab, specify the GDB command:
${openstm32_compiler_path}\arm-none-eabi-gdb

and enter the parameters for connecting to the GDB server (host and port).


On the "Startup" tab, specify the following parameters:

  • enable the Load image checkbox (so that the compiled firmware image is loaded into the emulator);
  • enable the Load symbols checkbox;
  • add the initialization command: set $pc = *0x08000004 (this sets the PC register to the value read from memory at address 0x08000004, where the address of Reset_Handler is stored).

Note that if you do not want to load the firmware file into the emulator from Eclipse, the Load image option and the initialization command need not be specified.
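The initialization command works because of the Cortex-M vector table layout: the first word of the image at 0x08000000 is the initial stack pointer, and the second word at 0x08000004 is the address of Reset_Handler with bit 0 set to select Thumb state (which is why the emulator log earlier reported the entry point as 08006A75 while IDA shows the function at 0x08006A74). The following Python 3 script is an added example, not code from the article or from Kopycat: it reads those two words from a raw firmware image and sanity-checks them the way one would before loading an image into the emulator. The flash and SRAM ranges are assumed for the STM32F042, and the sample image is constructed for the example.

```python
import struct

# Memory map assumed for the STM32F042 on the Rhino board.
FLASH_BASE, FLASH_SIZE = 0x08000000, 32 * 1024
SRAM_BASE, SRAM_SIZE = 0x20000000, 6 * 1024


def parse_vector_table(image: bytes):
    """Return (initial_sp, reset_handler, thumb) from a Cortex-M image.

    Word 0 is the initial main stack pointer, word 1 the Reset_Handler
    address. Bit 0 of word 1 is the Thumb bit; `set $pc = *0x08000004`
    in GDB loads that word as-is and the core strips the bit itself."""
    if len(image) < 8:
        raise ValueError("image too small to hold a vector table")
    sp, reset = struct.unpack_from("<II", image, 0)
    return sp, reset & ~1, bool(reset & 1)


def check_image(image: bytes, load_addr: int = FLASH_BASE):
    """List reasons an image would not boot if loaded at load_addr (empty list = looks fine)."""
    sp, reset, thumb = parse_vector_table(image)
    problems = []
    if not thumb:
        problems.append("reset vector has no Thumb bit: a Cortex-M faults on the first fetch")
    if not (SRAM_BASE < sp <= SRAM_BASE + SRAM_SIZE):
        problems.append("initial SP 0x%08X is outside SRAM" % sp)
    if sp & 3:
        problems.append("initial SP 0x%08X is not word aligned" % sp)
    if not (load_addr <= reset < load_addr + len(image)):
        problems.append("Reset_Handler 0x%08X lies outside the loaded image" % reset)
    if len(image) > FLASH_SIZE:
        problems.append("image of %d bytes does not fit in flash" % len(image))
    return problems


def make_sample_image(sp: int = 0x20001800, reset_handler: int = 0x08006A74,
                      size: int = 0x7000, thumb: bool = True) -> bytes:
    """Construct a blank (0xFF-filled) image whose vector table points at reset_handler."""
    vector = (reset_handler | 1) if thumb else (reset_handler & ~1)
    header = struct.pack("<II", sp, vector)
    return header + b"\xFF" * (size - len(header))


if __name__ == "__main__":
    image = make_sample_image()
    sp, reset, thumb = parse_vector_table(image)
    print("initial SP    0x%08X" % sp)
    print("Reset_Handler 0x%08X (Thumb=%s)" % (reset, thumb))
    print("problems:", check_image(image) or "none")
```

Running check_image() over rhino_pass.bin before handing it to the emulator with firmware=... catches the two classic mistakes of loading a raw image: a file that is not a flash image at all (SP and reset vector land nowhere sensible) and an image linked for a different base address.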


After clicking Debug, you can work in debug mode:

  • step-by-step code execution;
  • working with breakpoints.

Note. Eclipse has, hmm... certain quirks... and you have to live with them. For example, if the message "No source available for "0x0"" appears when debugging starts, just issue the Step command (F5).


Instead of a conclusion

Emulating native code is a very exciting thing. For a device developer it makes it possible to debug firmware without the real device. For a researcher it is an opportunity to do dynamic code analysis, which is not always possible even with the device in hand.

We want to give specialists a tool that is convenient, reasonably simple, and does not take much effort and time to set up and run.

Write in the comments about your experience with hardware emulators. We invite you to discuss and will be happy to answer questions.


Source: www.habr.com
