def sig_int_handler(signum, frame): log.critical(' --- Ctrl+C Detected --- ') from avatar.system import System System.getInstance().stop() log.critical(' --- Waiting for last iteration to complete --- ')
def __init__(self, bkpt_num): from avatar.system import System super().__init__() self._bkpt_num = bkpt_num self._queue = Queue() System.getInstance().register_event_listener(self._event_receiver)
def main(args): #TODO: Build stuff here (u-boot) ava = System(configuration, init_s2e_emulator, init_gdbserver_target) print("System generated") target_runner = TargetLauncher([ LINARO_QEMU_ARM, "-M", "beagle", "-m", "256M", "-serial", "udp:127.0.0.1:2000", "-sd", os.path.join(UBOOT_DIR, "sdcard.img"), "-gdb", "tcp:127.0.0.1:4444", "-S" ]) ava.init() ava.add_monitor(RWMonitor()) time.sleep(3) ava.start() ava.get_emulator().cont()
def _event_receiver(self, evt): if Event.EVENT_BREAKPOINT in evt["tags"] and \ evt["source"] == "emulator" and \ evt["properties"]["bkpt_number"] == self._bkpt_num: if self._handler: self._handler(System.getInstance(), self) else: self._queue.put(evt)
def main(args): #TODO: Build stuff here (u-boot) ava = System(configuration, init_s2e_emulator, init_gdbserver_target) print("System generated") target_runner = TargetLauncher([LINARO_QEMU_ARM, "-M", "beagle", "-m", "256M", "-serial", "udp:127.0.0.1:2000", "-sd", os.path.join(UBOOT_DIR, "sdcard.img"), "-gdb", "tcp:127.0.0.1:4444", "-S"]) ava.init() ava.add_monitor(RWMonitor()) time.sleep(3) ava.start() ava.get_emulator().cont()
def __init__(self, s2e_configuration, qemu_configuration, output_directory, configuration_directory): self._configuration = S2EConfiguration(s2e_configuration, qemu_configuration, output_directory, configuration_directory) self._name = "s2e" from avatar.system import System self._system = System.getInstance() self._output_directory = output_directory
def __init__(self, name): super(Emulator, self).__init__() from avatar.system import System self.__system = System.getInstance() self.__name = name self._read_handler = None self._write_handler = None self._set_cpu_state_handler = None self._get_cpu_state_handler = None self._continue_handler = None self._get_checksum_handler = None
def main(args, env): configuration = build_configuration(args, env) ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() qemu = env["QEMU"] if "QEMU" in env else None if qemu is None: print("ERROR: Qemu emulator path is not set (QEMU env variable)") return 1 target_runner = TargetLauncher([ qemu, "-M", "versatilepb", "-m", "20M", "-serial", "udp:127.0.0.1:2000", "-kernel", "u-boot", "-gdb", "tcp:127.0.0.1:1234", "-S" ]) time.sleep(3) ava.start() bkpt_clear_bss = ava.get_emulator().set_breakpoint(0x010000b4) ava.get_emulator().cont() bkpt_clear_bss.wait() print( "==================== Arrived at clear_bss ===========================" )
def main(args, env): configuration = build_configuration(args, env) ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() qemu = env["QEMU"] if "QEMU" in env else None if qemu is None: print("ERROR: Qemu emulator path is not set (QEMU env variable)") return 1 target_runner = TargetLauncher([qemu, "-M", "versatilepb", "-m", "20M", "-serial", "udp:127.0.0.1:2000", "-kernel", "u-boot", "-gdb", "tcp:127.0.0.1:1234", "-S"]) time.sleep(3) ava.start() bkpt_clear_bss = ava.get_emulator().set_breakpoint(0x010000b4) ava.get_emulator().cont() bkpt_clear_bss.wait() print("==================== Arrived at clear_bss ===========================")
def main(): main_addr = 0x8005104 print("[!] Starting the Nucleo-L152RE demo") print("[+] Resetting target via openocd") hwmon = OpenocdJig(configuration) cmd = OpenocdTarget(hwmon.get_telnet_jigsock()) cmd.raw_cmd("reset halt") print("[+] Initilializing avatar") ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() ava.start() t = ava.get_target() e = ava.get_emulator() print("[+] Running initilization procedures on the target") main_bkt = t.set_breakpoint(main_addr) t.cont() main_bkt.wait() print("[+] Target arrived at main(). Transferring state to the emulator") set_regs(e, get_regs(t)) #Cortex-M executes only in thumb-node, so the T-flag does not need to be set on these cpus. #However, qemu still needs to know the processore mode, so we are setting the flag manually. cpsr = e.get_register('cpsr') cpsr |= 0x20 e.set_register('cpsr', cpsr) print("[+] Continuing execution in the emulator!") e.cont() #Further analyses code goes here while True: pass
def main(): main_addr = 0x8005104 print("[!] Starting the Nucleo-L152RE demo") print("[+] Resetting target via openocd") hwmon = OpenocdJig(configuration) cmd = OpenocdTarget(hwmon.get_telnet_jigsock()) cmd.raw_cmd("reset halt") print("[+] Initilializing avatar") ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() ava.start() t = ava.get_target() e = ava.get_emulator() print("[+] Running initilization procedures on the target") main_bkt = t.set_breakpoint(main_addr) t.cont() main_bkt.wait() print("[+] Target arrived at main(). Transferring state to the emulator") set_regs(e, get_regs(t)) #Cortex-M executes only in thumb-node, so the T-flag does not need to be set on these cpus. #However, qemu still needs to know the processore mode, so we are setting the flag manually. cpsr = e.get_register('cpsr') cpsr |= 0x20 e.set_register('cpsr',cpsr) print("[+] Continuing execution in the emulator!") e.cont() #Further analyses code goes here while True: pass
log.info("Waiting for a packet to be proceesed") cmd.wait() # block for bp trigger # Bp was hit, remove it to avoid lockup cmd.remove_raw_bp(s_in_data_indication_execute) if args.verbose: log.info("AVATAR: fetching configuration from target"); configuration = cmd.initstate(configuration) del cmd if args.veryverbose: print("configuraton is : %s" % configuration) if args.verbose: log.info("AVATAR: loading avatar "); ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() if args.verbose: log.info("AVATAR: inserting monitor"); ava.add_monitor(RWMonitor()) if args.verbose: log.info("AVATAR: starting avatar "); time.sleep(1) ava.start() if args.verbose: log.info("AVATAR: avatar Started "); log.info("transfering data section + stack from device to emulator %d Kb form %x", dataRamToTransf/1024, dataRamFrom)
log.info("Emulator is requesting write 0x%08x[%d] = 0x%x", params["address"], params["size"], params["value"]) pass def emulator_post_write_request(self, params): log.info("Executed write 0x%08x[%d] = 0x%x", params["address"], params["size"], params["value"]) pass def stop(self): pass hwmon = OpenocdJig(configuration) cmd = OpenocdTarget(hwmon.get_telnet_jigsock()) cmd.put_bp(0x0008a892) # cmhSMS_cpyMsgInd cmd.wait() # block for bkpt trigger configuration = cmd.initstate(configuration) del cmd ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() ava.add_monitor(RWMonitor()) time.sleep(3) ava.start() ava.get_emulator().cont()
set_config(configuration, __args.buggy) hwmon = OpenocdJig(configuration) log.debug("Openocd jig done") cmd = OpenocdTarget(hwmon.get_telnet_jigsock()) log.debug("Openocd target done") log.info("Loading image on device...") # The image is on the SD card, nothing to load cmd.raw_cmd("halt") #cmd.initstate(configuration) # execute from the beginning log.info("AVATAR: loading avatar") ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() # log.info("AVATAR: inserting monitor") # TODO # ava.add_monitor(RWMonitor()) #?? log.info("AVATAR: starting avatar...") time.sleep(1) ava.start() log.info("done -- RESUMING!!") ava.get_emulator().cont()
def start_avatar(): ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() ava.start() # Configure target GDB ava.get_target().execute_gdb_command(["set", "arm", "frame-register", "off"]) ava.get_target().execute_gdb_command(["set", "arm", "force-mode", "thumb"]) ava.get_target().execute_gdb_command(["set", "tdesc", "filename", configuration["avatar_configuration"]["target_gdb_description"]]) return ava
def emulator_post_read_request(self, params): log.info("Executed read 0x%08x[%d] = 0x%x", params["address"], params["size"], params["value"]) def emulator_pre_write_request(self, params): log.info("Emulator is requesting write 0x%08x[%d] = 0x%x", params["address"], params["size"], params["value"]) pass def emulator_post_write_request(self, params): log.info("Executed write 0x%08x[%d] = 0x%x", params["address"], params["size"], params["value"]) pass def stop(self): pass ava = System(configuration, init_s2e_emulator, init_avatarstub_target) #ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() # target_runner = TargetLauncher(["qemu-system-arm", # "-M", "versatilepb", # "-m", "20M", # "-serial", "udp:127.0.0.1:2000", # "-kernel", "/home/zaddach/projects/eurecom-s2e/avatar/avatar/example_binaries/qemu_versatilepb/u-boot", # "-gdb", "tcp:127.0.0.1:1234", # "-S"]) #TODO: Start target here ava.add_monitor(RWMonitor()) time.sleep(3) ava.start()
def main(): if not os.path.exists(BIN_FILE): print("[!] BIN_FILE = %s is not exists!" % BIN_FILE) exit() elf_file = BIN_FILE.replace(r".bin", r".elf") main_addr = get_symbol_addr(elf_file, "main") timeout_addr = get_symbol_addr(elf_file, "_Z3finv") if timeout_addr < 0: print("[!] timout_addr not set. using __libc_fini_array") timeout_addr = get_symbol_addr(elf_file, "__libc_fini_array") print("[*] main = %#x, timeout = %#x" % (main_addr, timeout_addr)) print("[*] Starting the GR-PEACH demo") print("[+] Resetting target via openocd") hwmon = OpenocdJig(configuration) cmd = OpenocdTarget(hwmon.get_telnet_jigsock()) cmd.raw_cmd("reset halt") print("[+] Initilializing avatar") ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() ava.start() t = ava.get_target() e = ava.get_emulator() print("[+] Running initilization procedures on the target") print("first break point = %#x" % main_addr) main_bkt = t.set_breakpoint(main_addr) t.cont() main_bkt.wait() print("[+] Target arrived at main(). Transferring state to the emulator") set_regs(e, get_regs(t)) e.set_register( 'pc', t.get_register('pc')) # BUG: to fix emulator's $pc. Do not remove me! e.set_register( 'lr', t.get_register('lr')) # BUG: to fix emulator's $lr. Do not remove me! e.set_register( 'sp', t.get_register('sp')) # BUG: to fix emulator's $sp. Do not remove me! reg_pc = e.get_register('pc') print("emulator $pc = %#x" % reg_pc) reg_sp = e.get_register('sp') print("emulator $sp = %#x" % reg_sp) get_regs(e) assert (reg_pc > 0) assert (reg_sp > 0) print("[+] Continuing execution in the emulator!") print("final break point = %#x" % timeout_addr) e_end_bp = e.set_breakpoint(timeout_addr) start = time.time() e.cont() e_end_bp.wait() duration = time.time() - start #Further analyses code goes here print("[+] analysis phase") print("elapsed time = %f sec" % duration) e.stop() # important t.stop() # important
def delete(self): System.getInstance().unregister_event_listener(self._event_receiver) System.getInstance().get_emulator()._gdb_interface.delete_breakpoint(self._bkpt_num)
log.info("Waiting for a packet to be proceesed") cmd.wait() # block for bp trigger # Bp was hit, remove it to avoid lockup cmd.remove_raw_bp(s_in_data_indication_execute) if args.verbose: log.info("AVATAR: fetching configuration from target") configuration = cmd.initstate(configuration) del cmd if args.veryverbose: print("configuraton is : %s" % configuration) if args.verbose: log.info("AVATAR: loading avatar ") ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() if args.verbose: log.info("AVATAR: inserting monitor") ava.add_monitor(RWMonitor()) if args.verbose: log.info("AVATAR: starting avatar ") time.sleep(1) ava.start() if args.verbose: log.info("AVATAR: avatar Started ") log.info(
def start_avatar(): ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() ava.start() # Configure target GDB ava.get_target().execute_gdb_command( ["set", "arm", "frame-register", "off"]) ava.get_target().execute_gdb_command(["set", "arm", "force-mode", "thumb"]) ava.get_target().execute_gdb_command([ "set", "tdesc", "filename", configuration["avatar_configuration"]["target_gdb_description"] ]) return ava
print("OPENOCD: Connecting to OpenOCD Target") cmd = OpenocdTarget(hwmon.get_telnet_jigsock()) print("OPENOCD: Re-flashing image and setting breakpoint") cmd.halt() cmd.raw_cmd("flash write_image erase /home/matthew/Workspace/COSC460/avatar-stellaris/large/firmware/Release/Large.bin", True) cmd.put_bp(0x0000179A) # Run the target until init finishes cmd.raw_cmd("reset", True) cmd.wait() print("AVATAR: Fetching configuration from target") configuration = cmd.initstate(configuration) del cmd print("AVATAR: Loading Avatar") avatar = System(configuration, init_s2e_emulator, init_gdbserver_target) avatar.init() print("AVATAR: Inserting Monitor") avatar.add_monitor(RWMonitor()) print("AVATAR: Starting Avatar") time.sleep(3) avatar.start() print("AVATAR: Transferring state from target to emulator") transfer_mem_to_emulator(avatar, 0x20000000, 0x00001000) print("AVATAR: Memory transfer complete") transfer_cpu_state_to_emulator(avatar) print("AVATAR: Register transfer complete")
#!/usr/bin/env python from avatar.system import System system = System() #Loads the configuration for all modules from the old JSON format system.load_configuration("config.json", "/tmp/1") #Starts S2E, any service neccessary for connecting to the target as specified in the configuration system.start() #Now the firmware should be loaded into S2E, and the memory be connected to the embedded device #S2E should have broken at the first instruction #You can actually send GDB commands to the emulator or the target # NOT TRUE YET
def main(): if not os.path.exists(BIN_FILE): print("[!] BIN_FILE = %s is not exists!" % BIN_FILE) exit() elf_file = BIN_FILE.replace(r".bin", r".elf") # main_addr = get_symbol_addr(elf_file, "http_main_task") main_addr = get_symbol_addr(elf_file, "_Z15HTTPServerStarti") print("[*] main = %#x" % (main_addr)) print("[*] Starting the GR-PEACH demo") print("[+] Resetting target via openocd") hwmon = OpenocdJig(configuration) cmd = OpenocdTarget(hwmon.get_telnet_jigsock()) cmd.raw_cmd("reset halt") print("[+] Initilializing avatar") ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() ava.start() t = ava.get_target() e = ava.get_emulator() print("[+] Running initilization procedures on the target") print("\tEthernet Cable has connected?") print("first break point = %#x" % main_addr) main_bkt = t.set_breakpoint(main_addr) t.cont() main_bkt.wait() # ### for experiment # print("[*] waiting for mbed_die") # mbed_die_addr = get_symbol_addr(elf_file, "mbed_die") # print("[*] mbed_die = %#x" % (mbed_die_addr)) # mbed_die_bkt = t.set_breakpoint(mbed_die_addr) # t.cont() # mbed_die_bkt.wait() # print("[*] reached to mbed_die()") print("[+] Target finished initilization procedures") read_pointer_value(t, elf_file, "tcp_active_pcbs") read_pointer_value(t, elf_file, "tcp_listen_pcbs") a, v = read_pointer_value(t, elf_file, "netif_list") a, v = read_pointer_value(t, elf_file, "*netif_list", v) read_pointer_value(t, elf_file, "ram") read_pointer_value(t, elf_file, "ram_end") print("[+] copying target memory") """ K_atc% nm httpsample.elf| grep dns_table 2003acac b dns_table """ start = time.time() try: # ret = t.read_untyped_memory(0x18000000, 0x20000000 - 0x18000000) # TOO SLOW # t.read_untyped_memory(0x18000000, 0x1000) # for experiment # read_memory(t, 0x18000000, 0x1000) # for experiment memory_dump(t, BIN_FILE, [(0x20030000, 0x20050000 - 0x20030000)]) # < 5 min except Exception as e: print(e) import ipdb ipdb.set_trace() print("[+] memory read time: %f sec" % (time.time() - start)) # import ipdb; ipdb.set_trace() #Further analyses code goes here print("[+] analysis phase") e.stop() # important t.stop() # important
def post_event(self, evt): evt["source"] = "emulator" System.getInstance().post_event(evt)