def test_mcu_blink_gd32vf103(self):
ql = Qiling(['../examples/rootfs/mcu/gd32vf103/blink.hex'],
archtype="riscv64",
env=gd32vf103,
verbose=QL_VERBOSE.DEFAULT)
ql.hw.create('rcu')
ql.hw.create('gpioa')
ql.hw.create('gpioc').watch()
delay_cycles_begin = 0x800015c
delay_cycles_end = 0x800018c
def skip_delay(ql):
ql.reg.pc = delay_cycles_end
count = 0
def counter():
nonlocal count
count += 1
ql.hook_address(skip_delay, delay_cycles_begin)
ql.hw.gpioc.hook_set(13, counter)
ql.run(count=20000)
self.assertTrue(count > 350)
del ql
def test_mcu_i2c_interrupt_stm32f411(self):
ql = Qiling(['../examples/rootfs/mcu/stm32f411/i2cit-lcd.elf'],
archtype="cortex_m", env=stm32f411, verbose=QL_VERBOSE.DEFAULT)
ql.hw.create('i2c1')
ql.hw.create('rcc').watch()
ql.hw.create('gpioa')
ql.hw.create('gpiob')
class LCD:
address = 0x3f << 1
def send(self, data):
pass
def step(self):
pass
lcd = LCD()
ql.hw.i2c1.connect(lcd)
ql.hw.systick.set_ratio(100)
delay_start = 0x8002936
delay_end = 0x8002955
def skip_delay(ql):
ql.arch.regs.pc = delay_end
ql.hook_address(skip_delay, delay_start)
ql.run(count=100000)
del ql
def get_kaimendaji_password():
def my_getenv(ql, *args, **kwargs):
env = {"ID": b"000000000000000", "ethaddr": b"11:22:33:44:55:66"}
params = ql.os.resolve_fcall_params({'key': STRING})
value = env.get(params["key"], b"")
value_addr = ql.os.heap.alloc(len(value))
ql.mem.write(value_addr, value)
ql.arch.regs.r0 = value_addr
ql.arch.regs.arch_pc = ql.arch.regs.lr
def get_password(ql, *args, **kwargs):
password_raw = ql.mem.read(ql.arch.regs.r0, ql.arch.regs.r2)
password = ''
for item in password_raw:
if 0 <= item <= 9:
password += chr(item + 48)
else:
password += chr(item + 87)
print("The password is: %s" % password)
def partial_run_init(ql):
# argv prepare
ql.arch.regs.arch_sp -= 0x30
arg0_ptr = ql.arch.regs.arch_sp
ql.mem.write(arg0_ptr, b"kaimendaji")
ql.arch.regs.arch_sp -= 0x10
arg1_ptr = ql.arch.regs.arch_sp
ql.mem.write(arg1_ptr, b"000000") # arbitrary password
ql.arch.regs.arch_sp -= 0x20
argv_ptr = ql.arch.regs.arch_sp
ql.mem.write_ptr(argv_ptr, arg0_ptr)
ql.mem.write_ptr(argv_ptr + ql.arch.pointersize, arg1_ptr)
ql.arch.regs.r2 = 2
ql.arch.regs.r3 = argv_ptr
with open("../examples/rootfs/blob/u-boot.bin.img", "rb") as f:
uboot_code = f.read()
ql = Qiling(code=uboot_code[0x40:],
archtype="arm",
ostype="blob",
profile="uboot_bin.ql",
verbose=QL_VERBOSE.OFF)
image_base_addr = ql.loader.load_address
ql.hook_address(my_getenv, image_base_addr + 0x13AC0)
ql.hook_address(get_password, image_base_addr + 0x48634)
partial_run_init(ql)
ql.run(image_base_addr + 0x486B4, image_base_addr + 0x48718)
def test_uboot_arm(self):
def my_getenv(ql, *args, **kwargs):
env = {"ID": b"000000000000000", "ethaddr": b"11:22:33:44:55:66"}
params = ql.os.resolve_fcall_params({'key': STRING})
value = env.get(params["key"], b"")
value_addr = ql.os.heap.alloc(len(value))
ql.mem.write(value_addr, value)
ql.reg.r0 = value_addr
ql.reg.arch_pc = ql.reg.lr
def check_password(ql, *args, **kwargs):
passwd_output = ql.mem.read(ql.reg.r0, ql.reg.r2)
passwd_input = ql.mem.read(ql.reg.r1, ql.reg.r2)
self.assertEqual(passwd_output, passwd_input)
def partial_run_init(ql):
# argv prepare
ql.reg.arch_sp -= 0x30
arg0_ptr = ql.reg.arch_sp
ql.mem.write(arg0_ptr, b"kaimendaji")
ql.reg.arch_sp -= 0x10
arg1_ptr = ql.reg.arch_sp
ql.mem.write(arg1_ptr, b"013f1f")
ql.reg.arch_sp -= 0x20
argv_ptr = ql.reg.arch_sp
ql.mem.write(argv_ptr, ql.pack(arg0_ptr))
ql.mem.write(argv_ptr + ql.pointersize, ql.pack(arg1_ptr))
ql.reg.r2 = 2
ql.reg.r3 = argv_ptr
print("ARM uboot bin")
with open("../examples/rootfs/blob/u-boot.bin.img", "rb") as f:
uboot_code = f.read()
ql = Qiling(code=uboot_code[0x40:],
archtype="arm",
ostype="blob",
profile="profiles/uboot_bin.ql",
verbose=QL_VERBOSE.DEBUG)
image_base_addr = ql.loader.load_address
ql.hook_address(my_getenv, image_base_addr + 0x13AC0)
ql.hook_address(check_password, image_base_addr + 0x48634)
partial_run_init(ql)
ql.run(image_base_addr + 0x486B4, image_base_addr + 0x48718)
del ql
#!/usr/bin/env python3
#
# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
#
import sys
sys.path.append("../..")
from qiling.core import Qiling
from qiling.const import QL_VERBOSE
from qiling.extensions.mcu.gd32vf1 import gd32vf103
ql = Qiling(['../rootfs/mcu/gd32vf103/blink.hex'], archtype="riscv64",
env=gd32vf103, verbose=QL_VERBOSE.DEBUG)
ql.hw.create('rcu')
ql.hw.create('gpioa').watch()
ql.hw.create('gpioc').watch()
delay_cycles_begin = 0x800015c
delay_cycles_end = 0x800018c
def skip_delay(ql):
ql.reg.pc = delay_cycles_end
ql.hook_address(skip_delay, delay_cycles_begin)
ql.hw.gpioc.hook_set(13, lambda : print('Set PC13'))
ql.run(count=20000)
sys.path.append("../..")
from qiling.core import Qiling
from qiling.const import QL_VERBOSE
from qiling.extensions.mcu.stm32f4 import stm32f407
from qiling.hw.external_device.oled.ssd1306 import PyGameSSD1306Spi
ql = Qiling(["../rootfs/mcu/stm32f407/mnist.bin", 0x8000000],
archtype="cortex_m", env=stm32f407, verbose=QL_VERBOSE.DEFAULT)
ql.hw.create('rcc')
ql.hw.create('gpiod')
ql.hw.create('spi1')
ql.hw.create('crc')
oled = PyGameSSD1306Spi(dc=(ql.hw.gpiod, 5))
ql.hw.spi1.connect(oled)
ql.hw.systick.ratio = 1000
## a temporary method
def hook_smlabb(ql):
ql.reg.r3 = ql.reg.r2 + ql.reg.r1 * ql.reg.r3
ql.reg.pc = (ql.reg.pc + 4) | 1
ql.hook_address(hook_smlabb, 0x8007a12)
ql.hook_address(hook_smlabb, 0x8007b60)
ql.run()