def main(args, env): configuration = build_configuration(args, env) ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() qemu = env["QEMU"] if "QEMU" in env else None if qemu is None: print("ERROR: Qemu emulator path is not set (QEMU env variable)") return 1 target_runner = TargetLauncher([qemu, "-M", "versatilepb", "-m", "20M", "-gdb", "tcp:127.0.0.1:1234", "-serial", "tcp:127.0.0.1:2000,server", "-kernel", "u-boot", "-S" ]) time.sleep(3) ava.start() bkpt_clear_bss = ava.get_emulator().set_breakpoint(0x010000b4) ava.get_emulator().cont() bkpt_clear_bss.wait() print("==================== Arrived at clear_bss ===========================") bkpt_main_loop = ava.get_emulator().set_breakpoint(0x0100af34) ava.get_emulator().cont() bkpt_main_loop.wait() print("Arrived at main loop, demo is over")
def start_avatar(): ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() ava.start() # Configure target GDB ava.get_target().execute_gdb_command(["set", "arm", "frame-register", "off"]) ava.get_target().execute_gdb_command(["set", "arm", "force-mode", "thumb"]) ava.get_target().execute_gdb_command(["set", "tdesc", "filename", configuration["avatar_configuration"]["target_gdb_description"]]) return ava
def start_avatar(): ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() ava.start() # Configure target GDB ava.get_target().execute_gdb_command( ["set", "arm", "frame-register", "off"]) ava.get_target().execute_gdb_command(["set", "arm", "force-mode", "thumb"]) ava.get_target().execute_gdb_command([ "set", "tdesc", "filename", configuration["avatar_configuration"]["target_gdb_description"] ]) return ava
def main(args): #TODO: Build stuff here (u-boot) ava = System(configuration, init_s2e_emulator, init_gdbserver_target) print("System generated") target_runner = TargetLauncher([ LINARO_QEMU_ARM, "-M", "beagle", "-m", "256M", "-serial", "udp:127.0.0.1:2000", "-sd", os.path.join(UBOOT_DIR, "sdcard.img"), "-gdb", "tcp:127.0.0.1:4444", "-S" ]) ava.init() ava.add_monitor(RWMonitor()) time.sleep(3) ava.start() ava.get_emulator().cont()
def main(args): #TODO: Build stuff here (u-boot) ava = System(configuration, init_s2e_emulator, init_gdbserver_target) print("System generated") target_runner = TargetLauncher([LINARO_QEMU_ARM, "-M", "beagle", "-m", "256M", "-serial", "udp:127.0.0.1:2000", "-sd", os.path.join(UBOOT_DIR, "sdcard.img"), "-gdb", "tcp:127.0.0.1:4444", "-S"]) ava.init() ava.add_monitor(RWMonitor()) time.sleep(3) ava.start() ava.get_emulator().cont()
def main(): main_addr = 0x8005104 print("[!] Starting the Nucleo-L152RE demo") print("[+] Resetting target via openocd") hwmon = OpenocdJig(configuration) cmd = OpenocdTarget(hwmon.get_telnet_jigsock()) cmd.raw_cmd("reset halt") print("[+] Initilializing avatar") ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() ava.start() t = ava.get_target() e = ava.get_emulator() print("[+] Running initilization procedures on the target") main_bkt = t.set_breakpoint(main_addr) t.cont() main_bkt.wait() print("[+] Target arrived at main(). Transferring state to the emulator") set_regs(e, get_regs(t)) #Cortex-M executes only in thumb-node, so the T-flag does not need to be set on these cpus. #However, qemu still needs to know the processore mode, so we are setting the flag manually. cpsr = e.get_register('cpsr') cpsr |= 0x20 e.set_register('cpsr',cpsr) print("[+] Continuing execution in the emulator!") e.cont() #Further analyses code goes here while True: pass
def main(): main_addr = 0x8005104 print("[!] Starting the Nucleo-L152RE demo") print("[+] Resetting target via openocd") hwmon = OpenocdJig(configuration) cmd = OpenocdTarget(hwmon.get_telnet_jigsock()) cmd.raw_cmd("reset halt") print("[+] Initilializing avatar") ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() ava.start() t = ava.get_target() e = ava.get_emulator() print("[+] Running initilization procedures on the target") main_bkt = t.set_breakpoint(main_addr) t.cont() main_bkt.wait() print("[+] Target arrived at main(). Transferring state to the emulator") set_regs(e, get_regs(t)) #Cortex-M executes only in thumb-node, so the T-flag does not need to be set on these cpus. #However, qemu still needs to know the processore mode, so we are setting the flag manually. cpsr = e.get_register('cpsr') cpsr |= 0x20 e.set_register('cpsr', cpsr) print("[+] Continuing execution in the emulator!") e.cont() #Further analyses code goes here while True: pass
def main(): if not os.path.exists(BIN_FILE): print("[!] BIN_FILE = %s is not exists!" % BIN_FILE) exit() elf_file = BIN_FILE.replace(r".bin", r".elf") # main_addr = get_symbol_addr(elf_file, "http_main_task") main_addr = get_symbol_addr(elf_file, "_Z15HTTPServerStarti") print("[*] main = %#x" % (main_addr)) print("[*] Starting the GR-PEACH demo") print("[+] Resetting target via openocd") hwmon = OpenocdJig(configuration) cmd = OpenocdTarget(hwmon.get_telnet_jigsock()) cmd.raw_cmd("reset halt") print("[+] Initilializing avatar") ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() ava.start() t = ava.get_target() e = ava.get_emulator() print("[+] Running initilization procedures on the target") print("\tEthernet Cable has connected?") print("first break point = %#x" % main_addr) main_bkt = t.set_breakpoint(main_addr) t.cont() main_bkt.wait() # ### for experiment # print("[*] waiting for mbed_die") # mbed_die_addr = get_symbol_addr(elf_file, "mbed_die") # print("[*] mbed_die = %#x" % (mbed_die_addr)) # mbed_die_bkt = t.set_breakpoint(mbed_die_addr) # t.cont() # mbed_die_bkt.wait() # print("[*] reached to mbed_die()") print("[+] Target finished initilization procedures") read_pointer_value(t, elf_file, "tcp_active_pcbs") read_pointer_value(t, elf_file, "tcp_listen_pcbs") a, v = read_pointer_value(t, elf_file, "netif_list") a, v = read_pointer_value(t, elf_file, "*netif_list", v) read_pointer_value(t, elf_file, "ram") read_pointer_value(t, elf_file, "ram_end") print("[+] copying target memory") """ K_atc% nm httpsample.elf| grep dns_table 2003acac b dns_table """ start = time.time() try: # ret = t.read_untyped_memory(0x18000000, 0x20000000 - 0x18000000) # TOO SLOW # t.read_untyped_memory(0x18000000, 0x1000) # for experiment # read_memory(t, 0x18000000, 0x1000) # for experiment memory_dump(t, BIN_FILE, [(0x20030000, 0x20050000 - 0x20030000)]) # < 5 min except Exception as e: print(e) import ipdb ipdb.set_trace() print("[+] memory read time: %f sec" % (time.time() - start)) # import ipdb; ipdb.set_trace() #Further analyses code goes here print("[+] analysis phase") e.stop() # important t.stop() # important
cmd = OpenocdTarget(hwmon.get_telnet_jigsock()) print("OPENOCD: Re-flashing image and setting breakpoint") cmd.halt() cmd.raw_cmd("flash write_image erase /home/matthew/Workspace/COSC460/avatar-stellaris/large/firmware/Release/Large.bin", True) cmd.put_bp(0x0000179A) # Run the target until init finishes cmd.raw_cmd("reset", True) cmd.wait() print("AVATAR: Fetching configuration from target") configuration = cmd.initstate(configuration) del cmd print("AVATAR: Loading Avatar") avatar = System(configuration, init_s2e_emulator, init_gdbserver_target) avatar.init() print("AVATAR: Inserting Monitor") avatar.add_monitor(RWMonitor()) print("AVATAR: Starting Avatar") time.sleep(3) avatar.start() print("AVATAR: Transferring state from target to emulator") transfer_mem_to_emulator(avatar, 0x20000000, 0x00001000) print("AVATAR: Memory transfer complete") transfer_cpu_state_to_emulator(avatar) print("AVATAR: Register transfer complete") print("AVATAR: Continuing emulation")
log.info("Emulator is requesting write 0x%08x[%d] = 0x%x", params["address"], params["size"], params["value"]) pass def emulator_post_write_request(self, params): log.info("Executed write 0x%08x[%d] = 0x%x", params["address"], params["size"], params["value"]) pass def stop(self): pass hwmon = OpenocdJig(configuration) cmd = OpenocdTarget(hwmon.get_telnet_jigsock()) cmd.put_bp(0x0008a892) # cmhSMS_cpyMsgInd cmd.wait() # block for bkpt trigger configuration = cmd.initstate(configuration) del cmd ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() ava.add_monitor(RWMonitor()) time.sleep(3) ava.start() ava.get_emulator().cont()
set_config(configuration, __args.buggy) hwmon = OpenocdJig(configuration) log.debug("Openocd jig done") cmd = OpenocdTarget(hwmon.get_telnet_jigsock()) log.debug("Openocd target done") log.info("Loading image on device...") # The image is on the SD card, nothing to load cmd.raw_cmd("halt") #cmd.initstate(configuration) # execute from the beginning log.info("AVATAR: loading avatar") ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() # log.info("AVATAR: inserting monitor") # TODO # ava.add_monitor(RWMonitor()) #?? log.info("AVATAR: starting avatar...") time.sleep(1) ava.start() log.info("done -- RESUMING!!") ava.get_emulator().cont()
def main(): if not os.path.exists(BIN_FILE): print("[!] BIN_FILE = %s is not exists!" % BIN_FILE) exit() elf_file = BIN_FILE.replace(r".bin", r".elf") main_addr = get_symbol_addr(elf_file, "main") timeout_addr = get_symbol_addr(elf_file, "_Z3finv") if timeout_addr < 0: print("[!] timout_addr not set. using __libc_fini_array") timeout_addr = get_symbol_addr(elf_file, "__libc_fini_array") print("[*] main = %#x, timeout = %#x" % (main_addr, timeout_addr)) print("[*] Starting the GR-PEACH demo") print("[+] Resetting target via openocd") hwmon = OpenocdJig(configuration) cmd = OpenocdTarget(hwmon.get_telnet_jigsock()) cmd.raw_cmd("reset halt") print("[+] Initilializing avatar") ava = System(configuration, init_s2e_emulator, init_gdbserver_target) ava.init() ava.start() t = ava.get_target() e = ava.get_emulator() print("[+] Running initilization procedures on the target") print("first break point = %#x" % main_addr) main_bkt = t.set_breakpoint(main_addr) t.cont() main_bkt.wait() print("[+] Target arrived at main(). Transferring state to the emulator") set_regs(e, get_regs(t)) e.set_register( 'pc', t.get_register('pc')) # BUG: to fix emulator's $pc. Do not remove me! e.set_register( 'lr', t.get_register('lr')) # BUG: to fix emulator's $lr. Do not remove me! e.set_register( 'sp', t.get_register('sp')) # BUG: to fix emulator's $sp. Do not remove me! reg_pc = e.get_register('pc') print("emulator $pc = %#x" % reg_pc) reg_sp = e.get_register('sp') print("emulator $sp = %#x" % reg_sp) get_regs(e) assert (reg_pc > 0) assert (reg_sp > 0) print("[+] Continuing execution in the emulator!") print("final break point = %#x" % timeout_addr) e_end_bp = e.set_breakpoint(timeout_addr) start = time.time() e.cont() e_end_bp.wait() duration = time.time() - start #Further analyses code goes here print("[+] analysis phase") print("elapsed time = %f sec" % duration) e.stop() # important t.stop() # important