def main(args, env):
configuration = build_configuration(args, env)
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
qemu = env["QEMU"] if "QEMU" in env else None
if qemu is None:
print("ERROR: Qemu emulator path is not set (QEMU env variable)")
return 1
target_runner = TargetLauncher([qemu,
"-M", "versatilepb",
"-m", "20M",
"-gdb", "tcp:127.0.0.1:1234",
"-serial", "tcp:127.0.0.1:2000,server",
"-kernel", "u-boot",
"-S"
])
time.sleep(3)
ava.start()
bkpt_clear_bss = ava.get_emulator().set_breakpoint(0x010000b4)
ava.get_emulator().cont()
bkpt_clear_bss.wait()
print("==================== Arrived at clear_bss ===========================")
bkpt_main_loop = ava.get_emulator().set_breakpoint(0x0100af34)
ava.get_emulator().cont()
bkpt_main_loop.wait()
print("Arrived at main loop, demo is over")
def start_avatar():
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
ava.start()
# Configure target GDB
ava.get_target().execute_gdb_command(["set", "arm", "frame-register", "off"])
ava.get_target().execute_gdb_command(["set", "arm", "force-mode", "thumb"])
ava.get_target().execute_gdb_command(["set", "tdesc", "filename", configuration["avatar_configuration"]["target_gdb_description"]])
return ava
def start_avatar():
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
ava.start()
# Configure target GDB
ava.get_target().execute_gdb_command(
["set", "arm", "frame-register", "off"])
ava.get_target().execute_gdb_command(["set", "arm", "force-mode", "thumb"])
ava.get_target().execute_gdb_command([
"set", "tdesc", "filename",
configuration["avatar_configuration"]["target_gdb_description"]
])
return ava
def main(args):
#TODO: Build stuff here (u-boot)
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
print("System generated")
target_runner = TargetLauncher([
LINARO_QEMU_ARM, "-M", "beagle", "-m", "256M", "-serial",
"udp:127.0.0.1:2000", "-sd",
os.path.join(UBOOT_DIR,
"sdcard.img"), "-gdb", "tcp:127.0.0.1:4444", "-S"
])
ava.init()
ava.add_monitor(RWMonitor())
time.sleep(3)
ava.start()
ava.get_emulator().cont()
def main(args):
#TODO: Build stuff here (u-boot)
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
print("System generated")
target_runner = TargetLauncher([LINARO_QEMU_ARM,
"-M", "beagle",
"-m", "256M",
"-serial", "udp:127.0.0.1:2000",
"-sd", os.path.join(UBOOT_DIR, "sdcard.img"),
"-gdb", "tcp:127.0.0.1:4444",
"-S"])
ava.init()
ava.add_monitor(RWMonitor())
time.sleep(3)
ava.start()
ava.get_emulator().cont()
def main():
main_addr = 0x8005104
print("[!] Starting the Nucleo-L152RE demo")
print("[+] Resetting target via openocd")
hwmon = OpenocdJig(configuration)
cmd = OpenocdTarget(hwmon.get_telnet_jigsock())
cmd.raw_cmd("reset halt")
print("[+] Initilializing avatar")
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
ava.start()
t = ava.get_target()
e = ava.get_emulator()
print("[+] Running initilization procedures on the target")
main_bkt = t.set_breakpoint(main_addr)
t.cont()
main_bkt.wait()
print("[+] Target arrived at main(). Transferring state to the emulator")
set_regs(e, get_regs(t))
#Cortex-M executes only in thumb-node, so the T-flag does not need to be set on these cpus.
#However, qemu still needs to know the processore mode, so we are setting the flag manually.
cpsr = e.get_register('cpsr')
cpsr |= 0x20
e.set_register('cpsr',cpsr)
print("[+] Continuing execution in the emulator!")
e.cont()
#Further analyses code goes here
while True:
pass
def main():
main_addr = 0x8005104
print("[!] Starting the Nucleo-L152RE demo")
print("[+] Resetting target via openocd")
hwmon = OpenocdJig(configuration)
cmd = OpenocdTarget(hwmon.get_telnet_jigsock())
cmd.raw_cmd("reset halt")
print("[+] Initilializing avatar")
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
ava.start()
t = ava.get_target()
e = ava.get_emulator()
print("[+] Running initilization procedures on the target")
main_bkt = t.set_breakpoint(main_addr)
t.cont()
main_bkt.wait()
print("[+] Target arrived at main(). Transferring state to the emulator")
set_regs(e, get_regs(t))
#Cortex-M executes only in thumb-node, so the T-flag does not need to be set on these cpus.
#However, qemu still needs to know the processore mode, so we are setting the flag manually.
cpsr = e.get_register('cpsr')
cpsr |= 0x20
e.set_register('cpsr', cpsr)
print("[+] Continuing execution in the emulator!")
e.cont()
#Further analyses code goes here
while True:
pass
def main():
if not os.path.exists(BIN_FILE):
print("[!] BIN_FILE = %s is not exists!" % BIN_FILE)
exit()
elf_file = BIN_FILE.replace(r".bin", r".elf")
# main_addr = get_symbol_addr(elf_file, "http_main_task")
main_addr = get_symbol_addr(elf_file, "_Z15HTTPServerStarti")
print("[*] main = %#x" % (main_addr))
print("[*] Starting the GR-PEACH demo")
print("[+] Resetting target via openocd")
hwmon = OpenocdJig(configuration)
cmd = OpenocdTarget(hwmon.get_telnet_jigsock())
cmd.raw_cmd("reset halt")
print("[+] Initilializing avatar")
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
ava.start()
t = ava.get_target()
e = ava.get_emulator()
print("[+] Running initilization procedures on the target")
print("\tEthernet Cable has connected?")
print("first break point = %#x" % main_addr)
main_bkt = t.set_breakpoint(main_addr)
t.cont()
main_bkt.wait()
# ### for experiment
# print("[*] waiting for mbed_die")
# mbed_die_addr = get_symbol_addr(elf_file, "mbed_die")
# print("[*] mbed_die = %#x" % (mbed_die_addr))
# mbed_die_bkt = t.set_breakpoint(mbed_die_addr)
# t.cont()
# mbed_die_bkt.wait()
# print("[*] reached to mbed_die()")
print("[+] Target finished initilization procedures")
read_pointer_value(t, elf_file, "tcp_active_pcbs")
read_pointer_value(t, elf_file, "tcp_listen_pcbs")
a, v = read_pointer_value(t, elf_file, "netif_list")
a, v = read_pointer_value(t, elf_file, "*netif_list", v)
read_pointer_value(t, elf_file, "ram")
read_pointer_value(t, elf_file, "ram_end")
print("[+] copying target memory")
"""
K_atc% nm httpsample.elf| grep dns_table
2003acac b dns_table
"""
start = time.time()
try:
# ret = t.read_untyped_memory(0x18000000, 0x20000000 - 0x18000000) # TOO SLOW
# t.read_untyped_memory(0x18000000, 0x1000) # for experiment
# read_memory(t, 0x18000000, 0x1000) # for experiment
memory_dump(t, BIN_FILE,
[(0x20030000, 0x20050000 - 0x20030000)]) # < 5 min
except Exception as e:
print(e)
import ipdb
ipdb.set_trace()
print("[+] memory read time: %f sec" % (time.time() - start))
# import ipdb; ipdb.set_trace()
#Further analyses code goes here
print("[+] analysis phase")
e.stop() # important
t.stop() # important
cmd.wait()
print("AVATAR: Fetching configuration from target")
configuration = cmd.initstate(configuration)
del cmd
print("AVATAR: Loading Avatar")
avatar = System(configuration, init_s2e_emulator, init_gdbserver_target)
avatar.init()
print("AVATAR: Inserting Monitor")
avatar.add_monitor(RWMonitor())
print("AVATAR: Starting Avatar")
time.sleep(3)
avatar.start()
print("AVATAR: Transferring state from target to emulator")
transfer_mem_to_emulator(avatar, 0x20000000, 0x00001000)
print("AVATAR: Memory transfer complete")
transfer_cpu_state_to_emulator(avatar)
print("AVATAR: Register transfer complete")
print("AVATAR: Continuing emulation")
avatar.get_emulator().cont()
print("AVATAR: Completed firmware analysis")
print("Press enter to begin exploit generation")
keyboard = input ()
log.info("Emulator is requesting write 0x%08x[%d] = 0x%x",
params["address"], params["size"], params["value"])
pass
def emulator_post_write_request(self, params):
log.info("Executed write 0x%08x[%d] = 0x%x", params["address"],
params["size"], params["value"])
pass
def stop(self):
pass
hwmon = OpenocdJig(configuration)
cmd = OpenocdTarget(hwmon.get_telnet_jigsock())
cmd.put_bp(0x0008a892) # cmhSMS_cpyMsgInd
cmd.wait() # block for bkpt trigger
configuration = cmd.initstate(configuration)
del cmd
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
ava.add_monitor(RWMonitor())
time.sleep(3)
ava.start()
ava.get_emulator().cont()
set_config(configuration, __args.buggy)
hwmon = OpenocdJig(configuration)
log.debug("Openocd jig done")
cmd = OpenocdTarget(hwmon.get_telnet_jigsock())
log.debug("Openocd target done")
log.info("Loading image on device...")
# The image is on the SD card, nothing to load
cmd.raw_cmd("halt")
#cmd.initstate(configuration)
# execute from the beginning
log.info("AVATAR: loading avatar")
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
# log.info("AVATAR: inserting monitor")
# TODO
# ava.add_monitor(RWMonitor()) #??
log.info("AVATAR: starting avatar...")
time.sleep(1)
ava.start()
log.info("done -- RESUMING!!")
ava.get_emulator().cont()
#!/usr/bin/env python
from avatar.system import System
system = System()
#Loads the configuration for all modules from the old JSON format
system.load_configuration("config.json", "/tmp/1")
#Starts S2E, any service neccessary for connecting to the target as specified in the configuration
system.start()
#Now the firmware should be loaded into S2E, and the memory be connected to the embedded device
#S2E should have broken at the first instruction
#You can actually send GDB commands to the emulator or the target
# NOT TRUE YET
def main():
if not os.path.exists(BIN_FILE):
print("[!] BIN_FILE = %s is not exists!" % BIN_FILE)
exit()
elf_file = BIN_FILE.replace(r".bin", r".elf")
main_addr = get_symbol_addr(elf_file, "main")
timeout_addr = get_symbol_addr(elf_file, "_Z3finv")
if timeout_addr < 0:
print("[!] timout_addr not set. using __libc_fini_array")
timeout_addr = get_symbol_addr(elf_file, "__libc_fini_array")
print("[*] main = %#x, timeout = %#x" % (main_addr, timeout_addr))
print("[*] Starting the GR-PEACH demo")
print("[+] Resetting target via openocd")
hwmon = OpenocdJig(configuration)
cmd = OpenocdTarget(hwmon.get_telnet_jigsock())
cmd.raw_cmd("reset halt")
print("[+] Initilializing avatar")
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
ava.init()
ava.start()
t = ava.get_target()
e = ava.get_emulator()
print("[+] Running initilization procedures on the target")
print("first break point = %#x" % main_addr)
main_bkt = t.set_breakpoint(main_addr)
t.cont()
main_bkt.wait()
print("[+] Target arrived at main(). Transferring state to the emulator")
set_regs(e, get_regs(t))
e.set_register(
'pc',
t.get_register('pc')) # BUG: to fix emulator's $pc. Do not remove me!
e.set_register(
'lr',
t.get_register('lr')) # BUG: to fix emulator's $lr. Do not remove me!
e.set_register(
'sp',
t.get_register('sp')) # BUG: to fix emulator's $sp. Do not remove me!
reg_pc = e.get_register('pc')
print("emulator $pc = %#x" % reg_pc)
reg_sp = e.get_register('sp')
print("emulator $sp = %#x" % reg_sp)
get_regs(e)
assert (reg_pc > 0)
assert (reg_sp > 0)
print("[+] Continuing execution in the emulator!")
print("final break point = %#x" % timeout_addr)
e_end_bp = e.set_breakpoint(timeout_addr)
start = time.time()
e.cont()
e_end_bp.wait()
duration = time.time() - start
#Further analyses code goes here
print("[+] analysis phase")
print("elapsed time = %f sec" % duration)
e.stop() # important
t.stop() # important
