def test_mcu_blink_gd32vf103(self): ql = Qiling(['../examples/rootfs/mcu/gd32vf103/blink.hex'], archtype="riscv64", env=gd32vf103, verbose=QL_VERBOSE.DEFAULT) ql.hw.create('rcu') ql.hw.create('gpioa') ql.hw.create('gpioc').watch() delay_cycles_begin = 0x800015c delay_cycles_end = 0x800018c def skip_delay(ql): ql.reg.pc = delay_cycles_end count = 0 def counter(): nonlocal count count += 1 ql.hook_address(skip_delay, delay_cycles_begin) ql.hw.gpioc.hook_set(13, counter) ql.run(count=20000) self.assertTrue(count > 350) del ql
def test_mcu_i2c_interrupt_stm32f411(self): ql = Qiling(['../examples/rootfs/mcu/stm32f411/i2cit-lcd.elf'], archtype="cortex_m", env=stm32f411, verbose=QL_VERBOSE.DEFAULT) ql.hw.create('i2c1') ql.hw.create('rcc').watch() ql.hw.create('gpioa') ql.hw.create('gpiob') class LCD: address = 0x3f << 1 def send(self, data): pass def step(self): pass lcd = LCD() ql.hw.i2c1.connect(lcd) ql.hw.systick.set_ratio(100) delay_start = 0x8002936 delay_end = 0x8002955 def skip_delay(ql): ql.arch.regs.pc = delay_end ql.hook_address(skip_delay, delay_start) ql.run(count=100000) del ql
def get_kaimendaji_password(): def my_getenv(ql, *args, **kwargs): env = {"ID": b"000000000000000", "ethaddr": b"11:22:33:44:55:66"} params = ql.os.resolve_fcall_params({'key': STRING}) value = env.get(params["key"], b"") value_addr = ql.os.heap.alloc(len(value)) ql.mem.write(value_addr, value) ql.arch.regs.r0 = value_addr ql.arch.regs.arch_pc = ql.arch.regs.lr def get_password(ql, *args, **kwargs): password_raw = ql.mem.read(ql.arch.regs.r0, ql.arch.regs.r2) password = '' for item in password_raw: if 0 <= item <= 9: password += chr(item + 48) else: password += chr(item + 87) print("The password is: %s" % password) def partial_run_init(ql): # argv prepare ql.arch.regs.arch_sp -= 0x30 arg0_ptr = ql.arch.regs.arch_sp ql.mem.write(arg0_ptr, b"kaimendaji") ql.arch.regs.arch_sp -= 0x10 arg1_ptr = ql.arch.regs.arch_sp ql.mem.write(arg1_ptr, b"000000") # arbitrary password ql.arch.regs.arch_sp -= 0x20 argv_ptr = ql.arch.regs.arch_sp ql.mem.write_ptr(argv_ptr, arg0_ptr) ql.mem.write_ptr(argv_ptr + ql.arch.pointersize, arg1_ptr) ql.arch.regs.r2 = 2 ql.arch.regs.r3 = argv_ptr with open("../examples/rootfs/blob/u-boot.bin.img", "rb") as f: uboot_code = f.read() ql = Qiling(code=uboot_code[0x40:], archtype="arm", ostype="blob", profile="uboot_bin.ql", verbose=QL_VERBOSE.OFF) image_base_addr = ql.loader.load_address ql.hook_address(my_getenv, image_base_addr + 0x13AC0) ql.hook_address(get_password, image_base_addr + 0x48634) partial_run_init(ql) ql.run(image_base_addr + 0x486B4, image_base_addr + 0x48718)
def test_uboot_arm(self): def my_getenv(ql, *args, **kwargs): env = {"ID": b"000000000000000", "ethaddr": b"11:22:33:44:55:66"} params = ql.os.resolve_fcall_params({'key': STRING}) value = env.get(params["key"], b"") value_addr = ql.os.heap.alloc(len(value)) ql.mem.write(value_addr, value) ql.reg.r0 = value_addr ql.reg.arch_pc = ql.reg.lr def check_password(ql, *args, **kwargs): passwd_output = ql.mem.read(ql.reg.r0, ql.reg.r2) passwd_input = ql.mem.read(ql.reg.r1, ql.reg.r2) self.assertEqual(passwd_output, passwd_input) def partial_run_init(ql): # argv prepare ql.reg.arch_sp -= 0x30 arg0_ptr = ql.reg.arch_sp ql.mem.write(arg0_ptr, b"kaimendaji") ql.reg.arch_sp -= 0x10 arg1_ptr = ql.reg.arch_sp ql.mem.write(arg1_ptr, b"013f1f") ql.reg.arch_sp -= 0x20 argv_ptr = ql.reg.arch_sp ql.mem.write(argv_ptr, ql.pack(arg0_ptr)) ql.mem.write(argv_ptr + ql.pointersize, ql.pack(arg1_ptr)) ql.reg.r2 = 2 ql.reg.r3 = argv_ptr print("ARM uboot bin") with open("../examples/rootfs/blob/u-boot.bin.img", "rb") as f: uboot_code = f.read() ql = Qiling(code=uboot_code[0x40:], archtype="arm", ostype="blob", profile="profiles/uboot_bin.ql", verbose=QL_VERBOSE.DEBUG) image_base_addr = ql.loader.load_address ql.hook_address(my_getenv, image_base_addr + 0x13AC0) ql.hook_address(check_password, image_base_addr + 0x48634) partial_run_init(ql) ql.run(image_base_addr + 0x486B4, image_base_addr + 0x48718) del ql
#!/usr/bin/env python3 # # Cross Platform and Multi Architecture Advanced Binary Emulation Framework # import sys sys.path.append("../..") from qiling.core import Qiling from qiling.const import QL_VERBOSE from qiling.extensions.mcu.gd32vf1 import gd32vf103 ql = Qiling(['../rootfs/mcu/gd32vf103/blink.hex'], archtype="riscv64", env=gd32vf103, verbose=QL_VERBOSE.DEBUG) ql.hw.create('rcu') ql.hw.create('gpioa').watch() ql.hw.create('gpioc').watch() delay_cycles_begin = 0x800015c delay_cycles_end = 0x800018c def skip_delay(ql): ql.reg.pc = delay_cycles_end ql.hook_address(skip_delay, delay_cycles_begin) ql.hw.gpioc.hook_set(13, lambda : print('Set PC13')) ql.run(count=20000)
sys.path.append("../..") from qiling.core import Qiling from qiling.const import QL_VERBOSE from qiling.extensions.mcu.stm32f4 import stm32f407 from qiling.hw.external_device.oled.ssd1306 import PyGameSSD1306Spi ql = Qiling(["../rootfs/mcu/stm32f407/mnist.bin", 0x8000000], archtype="cortex_m", env=stm32f407, verbose=QL_VERBOSE.DEFAULT) ql.hw.create('rcc') ql.hw.create('gpiod') ql.hw.create('spi1') ql.hw.create('crc') oled = PyGameSSD1306Spi(dc=(ql.hw.gpiod, 5)) ql.hw.spi1.connect(oled) ql.hw.systick.ratio = 1000 ## a temporary method def hook_smlabb(ql): ql.reg.r3 = ql.reg.r2 + ql.reg.r1 * ql.reg.r3 ql.reg.pc = (ql.reg.pc + 4) | 1 ql.hook_address(hook_smlabb, 0x8007a12) ql.hook_address(hook_smlabb, 0x8007b60) ql.run()