def sig_int_handler(signum, frame):
log.critical(' --- Ctrl+C Detected --- ')
from avatar.system import System
System.getInstance().stop()
log.critical(' --- Waiting for last iteration to complete --- ')
def __init__(self, bkpt_num):
from avatar.system import System
super().__init__()
self._bkpt_num = bkpt_num
self._queue = Queue()
System.getInstance().register_event_listener(self._event_receiver)
def main(args):
#TODO: Build stuff here (u-boot)
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
print("System generated")
target_runner = TargetLauncher([
LINARO_QEMU_ARM, "-M", "beagle", "-m", "256M", "-serial",
"udp:127.0.0.1:2000", "-sd",
os.path.join(UBOOT_DIR,
"sdcard.img"), "-gdb", "tcp:127.0.0.1:4444", "-S"
])
ava.init()
ava.add_monitor(RWMonitor())
time.sleep(3)
ava.start()
ava.get_emulator().cont()
def _event_receiver(self, evt):
if Event.EVENT_BREAKPOINT in evt["tags"] and \
evt["source"] == "emulator" and \
evt["properties"]["bkpt_number"] == self._bkpt_num:
if self._handler:
self._handler(System.getInstance(), self)
else:
self._queue.put(evt)
def main(args):
#TODO: Build stuff here (u-boot)
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
print("System generated")
target_runner = TargetLauncher([LINARO_QEMU_ARM,
"-M", "beagle",
"-m", "256M",
"-serial", "udp:127.0.0.1:2000",
"-sd", os.path.join(UBOOT_DIR, "sdcard.img"),
"-gdb", "tcp:127.0.0.1:4444",
"-S"])
ava.init()
ava.add_monitor(RWMonitor())
time.sleep(3)
ava.start()
ava.get_emulator().cont()
def __init__(self, s2e_configuration, qemu_configuration, output_directory, configuration_directory):
self._configuration = S2EConfiguration(s2e_configuration,
qemu_configuration,
output_directory,
configuration_directory)
self._name = "s2e"
from avatar.system import System
self._system = System.getInstance()
self._output_directory = output_directory
def __init__(self, name):
super(Emulator, self).__init__()
from avatar.system import System
self.__system = System.getInstance()
self.__name = name
self._read_handler = None
self._write_handler = None
self._set_cpu_state_handler = None
self._get_cpu_state_handler = None
self._continue_handler = None
self._get_checksum_handler = None
def main(args, env):
configuration = build_configuration(args, env)
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
qemu = env["QEMU"] if "QEMU" in env else None
if qemu is None:
print("ERROR: Qemu emulator path is not set (QEMU env variable)")
return 1
target_runner = TargetLauncher([
qemu, "-M", "versatilepb", "-m", "20M", "-serial",
"udp:127.0.0.1:2000", "-kernel", "u-boot", "-gdb",
"tcp:127.0.0.1:1234", "-S"
])
time.sleep(3)
ava.start()
bkpt_clear_bss = ava.get_emulator().set_breakpoint(0x010000b4)
ava.get_emulator().cont()
bkpt_clear_bss.wait()
print(
"==================== Arrived at clear_bss ==========================="
)
def main(args, env):
configuration = build_configuration(args, env)
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
qemu = env["QEMU"] if "QEMU" in env else None
if qemu is None:
print("ERROR: Qemu emulator path is not set (QEMU env variable)")
return 1
target_runner = TargetLauncher([qemu,
"-M", "versatilepb",
"-m", "20M",
"-serial", "udp:127.0.0.1:2000",
"-kernel", "u-boot",
"-gdb", "tcp:127.0.0.1:1234",
"-S"])
time.sleep(3)
ava.start()
bkpt_clear_bss = ava.get_emulator().set_breakpoint(0x010000b4)
ava.get_emulator().cont()
bkpt_clear_bss.wait()
print("==================== Arrived at clear_bss ===========================")
def main():
main_addr = 0x8005104
print("[!] Starting the Nucleo-L152RE demo")
print("[+] Resetting target via openocd")
hwmon = OpenocdJig(configuration)
cmd = OpenocdTarget(hwmon.get_telnet_jigsock())
cmd.raw_cmd("reset halt")
print("[+] Initilializing avatar")
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
ava.start()
t = ava.get_target()
e = ava.get_emulator()
print("[+] Running initilization procedures on the target")
main_bkt = t.set_breakpoint(main_addr)
t.cont()
main_bkt.wait()
print("[+] Target arrived at main(). Transferring state to the emulator")
set_regs(e, get_regs(t))
#Cortex-M executes only in thumb-node, so the T-flag does not need to be set on these cpus.
#However, qemu still needs to know the processore mode, so we are setting the flag manually.
cpsr = e.get_register('cpsr')
cpsr |= 0x20
e.set_register('cpsr', cpsr)
print("[+] Continuing execution in the emulator!")
e.cont()
#Further analyses code goes here
while True:
pass
def main():
main_addr = 0x8005104
print("[!] Starting the Nucleo-L152RE demo")
print("[+] Resetting target via openocd")
hwmon = OpenocdJig(configuration)
cmd = OpenocdTarget(hwmon.get_telnet_jigsock())
cmd.raw_cmd("reset halt")
print("[+] Initilializing avatar")
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
ava.start()
t = ava.get_target()
e = ava.get_emulator()
print("[+] Running initilization procedures on the target")
main_bkt = t.set_breakpoint(main_addr)
t.cont()
main_bkt.wait()
print("[+] Target arrived at main(). Transferring state to the emulator")
set_regs(e, get_regs(t))
#Cortex-M executes only in thumb-node, so the T-flag does not need to be set on these cpus.
#However, qemu still needs to know the processore mode, so we are setting the flag manually.
cpsr = e.get_register('cpsr')
cpsr |= 0x20
e.set_register('cpsr',cpsr)
print("[+] Continuing execution in the emulator!")
e.cont()
#Further analyses code goes here
while True:
pass
log.info("Waiting for a packet to be proceesed")
cmd.wait() # block for bp trigger
# Bp was hit, remove it to avoid lockup
cmd.remove_raw_bp(s_in_data_indication_execute)
if args.verbose:
log.info("AVATAR: fetching configuration from target");
configuration = cmd.initstate(configuration)
del cmd
if args.veryverbose:
print("configuraton is : %s" % configuration)
if args.verbose:
log.info("AVATAR: loading avatar ");
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
if args.verbose:
log.info("AVATAR: inserting monitor");
ava.add_monitor(RWMonitor())
if args.verbose:
log.info("AVATAR: starting avatar ");
time.sleep(1)
ava.start()
if args.verbose:
log.info("AVATAR: avatar Started ");
log.info("transfering data section + stack from device to emulator %d Kb form %x", dataRamToTransf/1024, dataRamFrom)
log.info("Emulator is requesting write 0x%08x[%d] = 0x%x",
params["address"], params["size"], params["value"])
pass
def emulator_post_write_request(self, params):
log.info("Executed write 0x%08x[%d] = 0x%x", params["address"],
params["size"], params["value"])
pass
def stop(self):
pass
hwmon = OpenocdJig(configuration)
cmd = OpenocdTarget(hwmon.get_telnet_jigsock())
cmd.put_bp(0x0008a892) # cmhSMS_cpyMsgInd
cmd.wait() # block for bkpt trigger
configuration = cmd.initstate(configuration)
del cmd
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
ava.add_monitor(RWMonitor())
time.sleep(3)
ava.start()
ava.get_emulator().cont()
set_config(configuration, __args.buggy)
hwmon = OpenocdJig(configuration)
log.debug("Openocd jig done")
cmd = OpenocdTarget(hwmon.get_telnet_jigsock())
log.debug("Openocd target done")
log.info("Loading image on device...")
# The image is on the SD card, nothing to load
cmd.raw_cmd("halt")
#cmd.initstate(configuration)
# execute from the beginning
log.info("AVATAR: loading avatar")
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
# log.info("AVATAR: inserting monitor")
# TODO
# ava.add_monitor(RWMonitor()) #??
log.info("AVATAR: starting avatar...")
time.sleep(1)
ava.start()
log.info("done -- RESUMING!!")
ava.get_emulator().cont()
def start_avatar():
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
ava.start()
# Configure target GDB
ava.get_target().execute_gdb_command(["set", "arm", "frame-register", "off"])
ava.get_target().execute_gdb_command(["set", "arm", "force-mode", "thumb"])
ava.get_target().execute_gdb_command(["set", "tdesc", "filename", configuration["avatar_configuration"]["target_gdb_description"]])
return ava
def emulator_post_read_request(self, params):
log.info("Executed read 0x%08x[%d] = 0x%x", params["address"], params["size"], params["value"])
def emulator_pre_write_request(self, params):
log.info("Emulator is requesting write 0x%08x[%d] = 0x%x", params["address"], params["size"], params["value"])
pass
def emulator_post_write_request(self, params):
log.info("Executed write 0x%08x[%d] = 0x%x", params["address"], params["size"], params["value"])
pass
def stop(self):
pass
ava = System(configuration, init_s2e_emulator, init_avatarstub_target)
#ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
# target_runner = TargetLauncher(["qemu-system-arm",
# "-M", "versatilepb",
# "-m", "20M",
# "-serial", "udp:127.0.0.1:2000",
# "-kernel", "/home/zaddach/projects/eurecom-s2e/avatar/avatar/example_binaries/qemu_versatilepb/u-boot",
# "-gdb", "tcp:127.0.0.1:1234",
# "-S"])
#TODO: Start target here
ava.add_monitor(RWMonitor())
time.sleep(3)
ava.start()
def main():
if not os.path.exists(BIN_FILE):
print("[!] BIN_FILE = %s is not exists!" % BIN_FILE)
exit()
elf_file = BIN_FILE.replace(r".bin", r".elf")
main_addr = get_symbol_addr(elf_file, "main")
timeout_addr = get_symbol_addr(elf_file, "_Z3finv")
if timeout_addr < 0:
print("[!] timout_addr not set. using __libc_fini_array")
timeout_addr = get_symbol_addr(elf_file, "__libc_fini_array")
print("[*] main = %#x, timeout = %#x" % (main_addr, timeout_addr))
print("[*] Starting the GR-PEACH demo")
print("[+] Resetting target via openocd")
hwmon = OpenocdJig(configuration)
cmd = OpenocdTarget(hwmon.get_telnet_jigsock())
cmd.raw_cmd("reset halt")
print("[+] Initilializing avatar")
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
ava.start()
t = ava.get_target()
e = ava.get_emulator()
print("[+] Running initilization procedures on the target")
print("first break point = %#x" % main_addr)
main_bkt = t.set_breakpoint(main_addr)
t.cont()
main_bkt.wait()
print("[+] Target arrived at main(). Transferring state to the emulator")
set_regs(e, get_regs(t))
e.set_register(
'pc',
t.get_register('pc')) # BUG: to fix emulator's $pc. Do not remove me!
e.set_register(
'lr',
t.get_register('lr')) # BUG: to fix emulator's $lr. Do not remove me!
e.set_register(
'sp',
t.get_register('sp')) # BUG: to fix emulator's $sp. Do not remove me!
reg_pc = e.get_register('pc')
print("emulator $pc = %#x" % reg_pc)
reg_sp = e.get_register('sp')
print("emulator $sp = %#x" % reg_sp)
get_regs(e)
assert (reg_pc > 0)
assert (reg_sp > 0)
print("[+] Continuing execution in the emulator!")
print("final break point = %#x" % timeout_addr)
e_end_bp = e.set_breakpoint(timeout_addr)
start = time.time()
e.cont()
e_end_bp.wait()
duration = time.time() - start
#Further analyses code goes here
print("[+] analysis phase")
print("elapsed time = %f sec" % duration)
e.stop() # important
t.stop() # important
def delete(self):
System.getInstance().unregister_event_listener(self._event_receiver)
System.getInstance().get_emulator()._gdb_interface.delete_breakpoint(self._bkpt_num)
log.info("Waiting for a packet to be proceesed")
cmd.wait() # block for bp trigger
# Bp was hit, remove it to avoid lockup
cmd.remove_raw_bp(s_in_data_indication_execute)
if args.verbose:
log.info("AVATAR: fetching configuration from target")
configuration = cmd.initstate(configuration)
del cmd
if args.veryverbose:
print("configuraton is : %s" % configuration)
if args.verbose:
log.info("AVATAR: loading avatar ")
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
if args.verbose:
log.info("AVATAR: inserting monitor")
ava.add_monitor(RWMonitor())
if args.verbose:
log.info("AVATAR: starting avatar ")
time.sleep(1)
ava.start()
if args.verbose:
log.info("AVATAR: avatar Started ")
log.info(
def start_avatar():
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
ava.start()
# Configure target GDB
ava.get_target().execute_gdb_command(
["set", "arm", "frame-register", "off"])
ava.get_target().execute_gdb_command(["set", "arm", "force-mode", "thumb"])
ava.get_target().execute_gdb_command([
"set", "tdesc", "filename",
configuration["avatar_configuration"]["target_gdb_description"]
])
return ava
print("OPENOCD: Connecting to OpenOCD Target")
cmd = OpenocdTarget(hwmon.get_telnet_jigsock())
print("OPENOCD: Re-flashing image and setting breakpoint")
cmd.halt()
cmd.raw_cmd("flash write_image erase /home/matthew/Workspace/COSC460/avatar-stellaris/large/firmware/Release/Large.bin", True)
cmd.put_bp(0x0000179A) # Run the target until init finishes
cmd.raw_cmd("reset", True)
cmd.wait()
print("AVATAR: Fetching configuration from target")
configuration = cmd.initstate(configuration)
del cmd
print("AVATAR: Loading Avatar")
avatar = System(configuration, init_s2e_emulator, init_gdbserver_target)
avatar.init()
print("AVATAR: Inserting Monitor")
avatar.add_monitor(RWMonitor())
print("AVATAR: Starting Avatar")
time.sleep(3)
avatar.start()
print("AVATAR: Transferring state from target to emulator")
transfer_mem_to_emulator(avatar, 0x20000000, 0x00001000)
print("AVATAR: Memory transfer complete")
transfer_cpu_state_to_emulator(avatar)
print("AVATAR: Register transfer complete")
#!/usr/bin/env python
from avatar.system import System
system = System()
#Loads the configuration for all modules from the old JSON format
system.load_configuration("config.json", "/tmp/1")
#Starts S2E, any service neccessary for connecting to the target as specified in the configuration
system.start()
#Now the firmware should be loaded into S2E, and the memory be connected to the embedded device
#S2E should have broken at the first instruction
#You can actually send GDB commands to the emulator or the target
# NOT TRUE YET
def main():
if not os.path.exists(BIN_FILE):
print("[!] BIN_FILE = %s is not exists!" % BIN_FILE)
exit()
elf_file = BIN_FILE.replace(r".bin", r".elf")
# main_addr = get_symbol_addr(elf_file, "http_main_task")
main_addr = get_symbol_addr(elf_file, "_Z15HTTPServerStarti")
print("[*] main = %#x" % (main_addr))
print("[*] Starting the GR-PEACH demo")
print("[+] Resetting target via openocd")
hwmon = OpenocdJig(configuration)
cmd = OpenocdTarget(hwmon.get_telnet_jigsock())
cmd.raw_cmd("reset halt")
print("[+] Initilializing avatar")
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
ava.start()
t = ava.get_target()
e = ava.get_emulator()
print("[+] Running initilization procedures on the target")
print("\tEthernet Cable has connected?")
print("first break point = %#x" % main_addr)
main_bkt = t.set_breakpoint(main_addr)
t.cont()
main_bkt.wait()
# ### for experiment
# print("[*] waiting for mbed_die")
# mbed_die_addr = get_symbol_addr(elf_file, "mbed_die")
# print("[*] mbed_die = %#x" % (mbed_die_addr))
# mbed_die_bkt = t.set_breakpoint(mbed_die_addr)
# t.cont()
# mbed_die_bkt.wait()
# print("[*] reached to mbed_die()")
print("[+] Target finished initilization procedures")
read_pointer_value(t, elf_file, "tcp_active_pcbs")
read_pointer_value(t, elf_file, "tcp_listen_pcbs")
a, v = read_pointer_value(t, elf_file, "netif_list")
a, v = read_pointer_value(t, elf_file, "*netif_list", v)
read_pointer_value(t, elf_file, "ram")
read_pointer_value(t, elf_file, "ram_end")
print("[+] copying target memory")
"""
K_atc% nm httpsample.elf| grep dns_table
2003acac b dns_table
"""
start = time.time()
try:
# ret = t.read_untyped_memory(0x18000000, 0x20000000 - 0x18000000) # TOO SLOW
# t.read_untyped_memory(0x18000000, 0x1000) # for experiment
# read_memory(t, 0x18000000, 0x1000) # for experiment
memory_dump(t, BIN_FILE,
[(0x20030000, 0x20050000 - 0x20030000)]) # < 5 min
except Exception as e:
print(e)
import ipdb
ipdb.set_trace()
print("[+] memory read time: %f sec" % (time.time() - start))
# import ipdb; ipdb.set_trace()
#Further analyses code goes here
print("[+] analysis phase")
e.stop() # important
t.stop() # important
def post_event(self, evt):
evt["source"] = "emulator"
System.getInstance().post_event(evt)
