def start_avatar():
    """Create, start and configure the avatar System.

    Builds the System from the module-level ``configuration`` together with
    the ``init_s2e_emulator`` / ``init_gdbserver_target`` initialisers, starts
    it, and then pushes three GDB settings to the target side: no ARM frame
    register, forced Thumb mode, and the target description file named by
    ``configuration["avatar_configuration"]["target_gdb_description"]``.

    Returns:
        The started System instance.
    """
    ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
    ava.init()
    ava.start()

    # GDB settings the target needs before it is used; issued in this order.
    target_description = configuration["avatar_configuration"]["target_gdb_description"]
    gdb_settings = (
        ["set", "arm", "frame-register", "off"],
        ["set", "arm", "force-mode", "thumb"],
        ["set", "tdesc", "filename", target_description],
    )
    for command in gdb_settings:
        ava.get_target().execute_gdb_command(command)

    return ava
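def main():
    """Run the Nucleo-L152RE demo: reset the board, run it to main(), then hand over to the emulator.

    Steps (every one of them is I/O against openocd, the target or the emulator):
      1. Reset and halt the board through the openocd telnet jig.
      2. Bring up the avatar System (emulator + gdbserver target).
      3. Let the target run to the breakpoint at ``main_addr``.
      4. Copy the target's registers into the emulator and force the CPSR T flag.
      5. Resume execution in the emulator and idle.

    The function never returns on its own; interrupt it (KeyboardInterrupt) to stop.
    """
    import time  # function-scope import: only the idle loop at the end needs it

    main_addr = 0x8005104  # address of main() in the demo firmware
    cpsr_t_flag = 0x20     # Thumb (T) bit of the ARM CPSR

    print("[!] Starting the Nucleo-L152RE demo")
    print("[+] Resetting target via openocd")
    hwmon = OpenocdJig(configuration)
    cmd = OpenocdTarget(hwmon.get_telnet_jigsock())
    cmd.raw_cmd("reset halt")

    print("[+] Initilializing avatar")
    ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
    ava.init()
    ava.start()
    t = ava.get_target()
    e = ava.get_emulator()

    print("[+] Running initilization procedures on the target")
    main_bkt = t.set_breakpoint(main_addr)
    t.cont()
    main_bkt.wait()

    print("[+] Target arrived at main(). Transferring state to the emulator")
    set_regs(e, get_regs(t))
    # Cortex-M executes only in Thumb mode, so the T flag does not need to be
    # set on these CPUs. However, QEMU still needs to know the processor mode,
    # so the flag is set manually here.
    cpsr = e.get_register('cpsr')
    e.set_register('cpsr', cpsr | cpsr_t_flag)

    print("[+] Continuing execution in the emulator!")
    e.cont()

    # Further analysis code goes here.
    # Keep the script alive without burning a core: the previous
    # `while True: pass` spun at 100% CPU while the emulator ran.
    while True:
        time.sleep(1)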
def start_avatar():
    """Start the avatar System and apply the target-side GDB settings.

    The System is built from the module-level ``configuration`` with the
    ``init_s2e_emulator`` and ``init_gdbserver_target`` initialisers. After
    ``init()``/``start()`` the target's GDB is told to drop the ARM frame
    register, force Thumb mode and load the target description file from
    ``configuration["avatar_configuration"]["target_gdb_description"]``.

    Returns:
        The started System instance.
    """
    ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
    ava.init()
    ava.start()

    def gdb_set(*words):
        # Issue one `set ...` command to the target's GDB.
        ava.get_target().execute_gdb_command(["set"] + list(words))

    gdb_set("arm", "frame-register", "off")
    gdb_set("arm", "force-mode", "thumb")
    gdb_set("tdesc", "filename",
            configuration["avatar_configuration"]["target_gdb_description"])
    return ava
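def main():
    """Nucleo-L152RE demo entry point.

    Resets the board via openocd, starts the avatar System, runs the target
    to the breakpoint at ``main_addr``, transfers the register state into the
    emulator (forcing the CPSR Thumb bit), resumes the emulator and then idles
    forever. Everything here is I/O against hardware or the emulator; the
    function only ends on an interrupt (KeyboardInterrupt).
    """
    import time  # local import: used only by the idle loop below

    main_addr = 0x8005104  # address of main() in the demo firmware
    CPSR_T = 0x20          # Thumb (T) flag in the ARM CPSR

    print("[!] Starting the Nucleo-L152RE demo")
    print("[+] Resetting target via openocd")
    hwmon = OpenocdJig(configuration)
    cmd = OpenocdTarget(hwmon.get_telnet_jigsock())
    cmd.raw_cmd("reset halt")

    print("[+] Initilializing avatar")
    ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
    ava.init()
    ava.start()
    t = ava.get_target()
    e = ava.get_emulator()

    print("[+] Running initilization procedures on the target")
    main_bkt = t.set_breakpoint(main_addr)
    t.cont()
    main_bkt.wait()

    print("[+] Target arrived at main(). Transferring state to the emulator")
    set_regs(e, get_regs(t))
    # Cortex-M executes only in Thumb mode, so the T flag does not need to be
    # set on these CPUs. However, QEMU still needs to know the processor mode,
    # so the flag is set manually.
    e.set_register('cpsr', e.get_register('cpsr') | CPSR_T)

    print("[+] Continuing execution in the emulator!")
    e.cont()

    # Further analysis code goes here.
    # Idle politely instead of the original `while True: pass` busy-wait,
    # which pinned a CPU core for as long as the emulator ran.
    while True:
        time.sleep(1)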
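def main():
    """GR-PEACH demo: run the target to the HTTP server entry, inspect lwIP state and dump RAM.

    Preconditions: ``BIN_FILE`` exists and its ``.elf`` sibling (same path with
    ``.bin`` replaced by ``.elf``) is usable by ``get_symbol_addr`` and
    ``read_pointer_value``.

    Raises:
        SystemExit: with status 1 when ``BIN_FILE`` does not exist.
    """
    if not os.path.exists(BIN_FILE):
        print("[!] BIN_FILE = %s is not exists!" % BIN_FILE)
        raise SystemExit(1)  # non-zero status: a missing image is a failure, not a clean exit

    # NOTE: str.replace rewrites every ".bin" in the path, not only the suffix.
    elf_file = BIN_FILE.replace(r".bin", r".elf")
    # main_addr = get_symbol_addr(elf_file, "http_main_task")
    # Itanium-mangled HTTPServerStart(int).
    main_addr = get_symbol_addr(elf_file, "_Z15HTTPServerStarti")
    print("[*] main = %#x" % (main_addr))

    print("[*] Starting the GR-PEACH demo")
    print("[+] Resetting target via openocd")
    hwmon = OpenocdJig(configuration)
    cmd = OpenocdTarget(hwmon.get_telnet_jigsock())
    cmd.raw_cmd("reset halt")

    print("[+] Initilializing avatar")
    ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
    ava.init()
    ava.start()
    t = ava.get_target()
    e = ava.get_emulator()

    print("[+] Running initilization procedures on the target")
    print("\tEthernet Cable has connected?")
    print("first break point = %#x" % main_addr)
    main_bkt = t.set_breakpoint(main_addr)
    t.cont()
    main_bkt.wait()
    # ### for experiment
    # print("[*] waiting for mbed_die")
    # mbed_die_addr = get_symbol_addr(elf_file, "mbed_die")
    # print("[*] mbed_die = %#x" % (mbed_die_addr))
    # mbed_die_bkt = t.set_breakpoint(mbed_die_addr)
    # t.cont()
    # mbed_die_bkt.wait()
    # print("[*] reached to mbed_die()")
    print("[+] Target finished initilization procedures")

    # Inspect lwIP / heap state on the target. read_pointer_value is assumed to
    # return an (address, value) pair -- TODO confirm against its definition.
    read_pointer_value(t, elf_file, "tcp_active_pcbs")
    read_pointer_value(t, elf_file, "tcp_listen_pcbs")
    _, netif_list_value = read_pointer_value(t, elf_file, "netif_list")
    read_pointer_value(t, elf_file, "*netif_list", netif_list_value)
    read_pointer_value(t, elf_file, "ram")
    read_pointer_value(t, elf_file, "ram_end")

    print("[+] copying target memory")
    # Symbol lookup used to pick the dump range:
    #   K_atc% nm httpsample.elf | grep dns_table
    #   2003acac b dns_table
    start = time.time()
    try:
        # ret = t.read_untyped_memory(0x18000000, 0x20000000 - 0x18000000)  # TOO SLOW
        # t.read_untyped_memory(0x18000000, 0x1000)  # for experiment
        # read_memory(t, 0x18000000, 0x1000)  # for experiment
        memory_dump(t, BIN_FILE, [(0x20030000, 0x20050000 - 0x20030000)])  # < 5 min
    except Exception as exc:  # not `e`: that name is the emulator handle stopped below
        print(exc)
        # Interactive debugger drop-in: this blocks an unattended run until a
        # human continues it.
        import ipdb
        ipdb.set_trace()
    print("[+] memory read time: %f sec" % (time.time() - start))
    # import ipdb; ipdb.set_trace()

    # Further analysis code goes here.
    print("[+] analysis phase")
    e.stop()  # important
    t.stop()  # important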
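def main():
    """GR-PEACH timing demo: run the target to main(), continue in the emulator and time it to the end symbol.

    Preconditions: ``BIN_FILE`` exists and its ``.elf`` sibling is readable by
    ``get_symbol_addr``.

    Raises:
        SystemExit: with status 1 when ``BIN_FILE`` is missing or a required
            symbol cannot be resolved.
        AssertionError: when the emulator's pc or sp is zero after the state
            transfer (kept as AssertionError for compatibility with the former
            ``assert`` checks).
    """
    if not os.path.exists(BIN_FILE):
        print("[!] BIN_FILE = %s is not exists!" % BIN_FILE)
        raise SystemExit(1)  # non-zero status: missing image is a failure

    elf_file = BIN_FILE.replace(r".bin", r".elf")
    # get_symbol_addr signals a missing symbol with a negative value
    # (the timeout_addr fallback below relies on that).
    main_addr = get_symbol_addr(elf_file, "main")
    if main_addr < 0:
        print("[!] main not found in %s" % elf_file)
        raise SystemExit(1)
    timeout_addr = get_symbol_addr(elf_file, "_Z3finv")  # mangled fin()
    if timeout_addr < 0:
        print("[!] timout_addr not set. using __libc_fini_array")
        timeout_addr = get_symbol_addr(elf_file, "__libc_fini_array")
    if timeout_addr < 0:
        print("[!] no usable end-of-run symbol in %s" % elf_file)
        raise SystemExit(1)
    print("[*] main = %#x, timeout = %#x" % (main_addr, timeout_addr))

    print("[*] Starting the GR-PEACH demo")
    print("[+] Resetting target via openocd")
    hwmon = OpenocdJig(configuration)
    cmd = OpenocdTarget(hwmon.get_telnet_jigsock())
    cmd.raw_cmd("reset halt")

    print("[+] Initilializing avatar")
    ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
    ava.init()
    ava.start()
    t = ava.get_target()
    e = ava.get_emulator()

    print("[+] Running initilization procedures on the target")
    print("first break point = %#x" % main_addr)
    main_bkt = t.set_breakpoint(main_addr)
    t.cont()
    main_bkt.wait()

    print("[+] Target arrived at main(). Transferring state to the emulator")
    set_regs(e, get_regs(t))
    # set_regs alone leaves pc/lr/sp wrong in the emulator; copy them explicitly.
    e.set_register('pc', t.get_register('pc'))  # BUG: to fix emulator's $pc. Do not remove me!
    e.set_register('lr', t.get_register('lr'))  # BUG: to fix emulator's $lr. Do not remove me!
    e.set_register('sp', t.get_register('sp'))  # BUG: to fix emulator's $sp. Do not remove me!
    reg_pc = e.get_register('pc')
    print("emulator $pc = %#x" % reg_pc)
    reg_sp = e.get_register('sp')
    print("emulator $sp = %#x" % reg_sp)
    get_regs(e)  # result discarded; called for its side effects, as before
    # Explicit check instead of `assert`, which `python -O` strips away.
    if reg_pc <= 0 or reg_sp <= 0:
        raise AssertionError("emulator state transfer failed: pc=%#x sp=%#x" % (reg_pc, reg_sp))

    print("[+] Continuing execution in the emulator!")
    print("final break point = %#x" % timeout_addr)
    e_end_bp = e.set_breakpoint(timeout_addr)
    start = time.time()
    e.cont()
    e_end_bp.wait()
    duration = time.time() - start

    # Further analysis code goes here.
    print("[+] analysis phase")
    print("elapsed time = %f sec" % duration)
    e.stop()  # important
    t.stop()  # important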
bkpt_before_sdram_initialization = ava.get_emulator().set_breakpoint(0x1146) ava.get_emulator().cont() bkpt_before_sdram_initialization.wait() print("SDRAM initialization reached") #Transfer state from emulator to device cpu_state = {} for reg in ["r0", "r1", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", "r11", "r12", "sp", "lr", "pc", "cpsr"]: value = ava.get_emulator().get_register(reg) cpu_state[reg] = hex(value) ava.get_target().set_register(reg, ava.get_emulator().get_register(reg)) f = open("cpu_state.gdb", "w") for (reg, val) in cpu_state.items(): f.write("set $%s = %s\n" % (reg, val)) f.close() print("CPU state: %s" % cpu_state.__str__()) #At this point we have a problem: #The DDR memory initialization function is time-critical, i.e. #its execution fails when run in emulator, since the forwarding #is too slow. #So we extract that bit of code that is time-critical (0x1146-0x1218) plus #its dependencies (0x1314-0x134c) and copy it to the VM code_memory = ava.get_emulator().read_untyped_memory(0x1146, 0x1218 - 0x1146) constant_pool = ava.get_emulator().read_untyped_memory(0x1314, 0x134c - 0x1314) f = open("code_memory", "wb")