Commit 2e72aaf5 authored by nguimfac's avatar nguimfac

linkit python and config file update

parent 4a801fb1
......@@ -22,13 +22,13 @@ from collections import OrderedDict
log = logging.getLogger(__name__)
buggy=False
##buggy=False
configuration = {
"output_directory" : os.getcwd()+"/s2e_output/",
"output_directory" : os.getcwd()+"tmp/s2e_output/",
"configuration_directory" : os.getcwd(),
"s2e" : {
#"s2e-max-processes": 4,
"s2e-max-processes": 4,
"verbose" : True,
"s2e_binary" : os.getcwd()+"/../../../../s2e-build/qemu-release/arm-s2e-softmmu/qemu-system-arm",
"klee" : {
......@@ -39,17 +39,17 @@ configuration = {
("BaseInstructions", {}),
#("InstructionPrinter", ""),
("Initializer", {}),
("ExecutionTracer", "" ),
("ArbitraryExecChecker", ""), # checking for obvious bugs
("TestCaseGenerator", "" ),
# ("ExecutionTracer", "" ),
# ("ArbitraryExecChecker", ""), # checking for obvious bugs
# ("TestCaseGenerator", "" ),
("FunctionMonitor", {}),
("MemoryInterceptorMediator", {
"verbose": True,
"interceptors": {
"RemoteMemory": {
"IOMem": {
"range_start": 0x80000000,
"range_end": 0x80030000,
"range_start": 0x0,#0x80000000,
"range_end": 0x1000,#0x80030000,
"priority": 0,
"access_type": ["read", "write", "execute", "io", "memory", "concrete_value", "concrete_address"]
}
......@@ -69,6 +69,7 @@ configuration = {
"verbose": True,
"listen_address": "localhost:9999"
}),
("RawMonitor" ,
"""
kernelStart = 0,
......@@ -164,8 +165,8 @@ configuration = {
},
{
# 96K bytes
"size": 0x18000,
#"size" : 0x31DA, # only import the txt section, ro data and data not needed here as we forward them
#"size": 0x18000,
"size" : 0x31DA, # only import the txt section, ro data and data not needed here as we forward them
"name": "SRAM",
"file": os.getcwd()+"/econotag_src/with freescale tools/My UART/Wireless UART/Debug/Exe/Wireless UART.bin_txt_only.bin",
"map": [{
......@@ -186,79 +187,6 @@ configuration = {
}
}
if buggy:
# that's for the buggy version
configuration["machine_configuration"]["memory_map"]=[{
"size": 0x14000,
"name": "rom",
"file": "/home/aurel/work/sensors/econotag/ROMDump/mc1322x_rom_0_0x14000.bin",
"map": [{
"address": 0,
"type": "code",
"permissions": "rx"
}]
},
{
# 96K bytes
"size": 0x18000,
#"size" : 0x31DA, # only import the txt section, ro data and data not needed here as we forward them
"name": "SRAM",
"file": "/home/aurel/work/sensors/econotag/with freescale tools/My buggyUart/Wireless UART/Debug/Exe/Wireless UART.bin_cut_12808",
"map": [{
"address": 0x400000,
"type": "code",
"permissions": "rwx"
}]
}]
configuration["s2e"]["plugins"]["Annotation"]="""
reset_fun = {
module = "rom_module",
active = true,
address = 0x0,
beforeInstruction = true,
instructionAnnotation = "reset",
},
undef_fun = {
module = "rom_module",
active = true,
address = 0x4,
beforeInstruction = true,
instructionAnnotation = "undef_instr",
},
symbolic_pkt = {
module = "ram_module",
active = true,
address = 0x004021a6, -- <= where we put the annotation, has to be begining of a tcb but not hte 1st one
instructionAnnotation = "make_pkt_symbolic",
beforeInstruction = true,
switchInstructionToSymbolic = true,
},
stop_state = {
module = "ram_module",
active = true,
address = 0x401E6C, -- lets now stop after the return so that we actually notice a stack based buffer overflow
--0x40224C, --0x402220, -- <= stop analysis at the end of the function
instructionAnnotation = "end_analysis_region",
beforeInstruction = true,
switchInstructionToSymbolic = true,
},
skip_uart = {
module = "ram_module",
active = false,
address = "0x40278E",
callAnnotation = "skip_uart",
beforeInstruction = true,
switchInstructionToSymbolic =true,
paramcount = 0
}
"""
configuration["s2e"]["include"]=["lua/test_buggy.lua", "lua/common.lua"]
print("\n\n")
print("%s",configuration)
print("\n\n")
class TargetLauncher(object):
def __init__(self, cmd):
......@@ -380,18 +308,11 @@ def transfer_mem_to_emulator(ava, addr, length):
# # function that recieves messages
# s_data_indication_execute = 0x402120
#s_in_data_indication_execute = 0x40219E # <= this is where we put the annotation
if buggy:
s_in_data_indication_execute = 0x40217A
dataRamFrom=0x403206
dataRamToTransf=0x404840-dataRamFrom
s_UART_TX=0x402240 # buggy firmware
else:
s_in_data_indication_execute = 0x402174 # <= this is where we put the annotation
dataRamFrom=0x4031DA
dataRamToTransf=0x404810-dataRamFrom
s_UART_TX=0x402214 # valid firmware
s_in_data_indication_execute = 0x402174 # <= this is where we put the annotation
dataRamFrom=0x4031DA
dataRamToTransf=0x404810-dataRamFrom
s_UART_TX=0x402214 # valid firmware
# function that sends messages
......@@ -435,9 +356,11 @@ if __name__ == "__main__":
#############################
#############################
# OPENOCD JIG What is it for#
#############################
##################################################
# OPENOCD JIG What is it for #
# start telnet session performs low level action #
# on the target and stop telnet session #
##################################################
if args.verbose:
log.info("OpenOcd jig");
hwmon=OpenocdJig(configuration)
......@@ -447,40 +370,27 @@ if __name__ == "__main__":
cmd = OpenocdTarget(hwmon.get_telnet_jigsock())
#############################
##########################
# should be harward reset#
##########################
# reset and load the software
if args.reset:
if args.verbose:
log.info("AVATAR: resetting the target and loading image");
cmd.raw_cmd("load_image /home/aurel/work/sensors/econotag/with\ freescale\ tools/My\ UART/Wireless\ UART/Debug/Exe/Wireless\ UART.bin 0x00400000 bin", True)
cmd.put_bp(s_Main) # run until Main
cmd.wait()
cmd.remove_bp(s_Main)
else: # attach to a running target
cmd.put_bp(s_in_data_indication_execute)
log.info("Waiting for a packet to be proceesed")
cmd.wait() # block for bp trigger
#############################
# set and remove break point#
#############################
cmd.put_bp(s_in_data_indication_execute)
log.info("Waiting for a packet to be proceesed")
cmd.wait() # block for bp trigger
# Bp was hit, remove it to avoid lockup
cmd.remove_raw_bp(s_in_data_indication_execute)
###########################
cmd.remove_raw_bp(s_in_data_indication_execute)
#############################
#########################
# AVATAR Config and run #
#########################
if args.verbose:
log.info("AVATAR: fetching configuration from target");
# dump all registers
configuration = cmd.initstate(configuration)
del cmd
if args.veryverbose:
print("configuraton is : %s" % configuration)
if args.verbose:
log.info("AVATAR: loading avatar ");
ava = System(configuration, init_s2e_emulator, init_gdbserver_target)
......@@ -512,7 +422,9 @@ if __name__ == "__main__":
#ava.get_emulator().write_typed_memory(s_UART_TX,2,0x46C0)
##############################
##############################
# GDB
##############################
if args.debug:
log.info("Launching GDB server to emulator on 127.0.0.1:5555, attach with ")
log.info("target remote 127.0.0.1:5555")
......
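Review bot: `"output_directory" : os.getcwd()+"tmp/s2e_output/"` is missing the `/` before `tmp`, so S2E output is written to a sibling path `<cwd>tmp/s2e_output/` (for a cwd of `/home/user` that is `/home/usertmp/s2e_output/`) instead of below the working directory; use `os.path.join(os.getcwd(), "tmp", "s2e_output") + "/"`, keeping the trailing slash in case a consumer concatenates onto it. The `args.reset` branch still sends `load_image /home/aurel/work/sensors/econotag/...Wireless\ UART.bin 0x00400000 bin` to OpenOCD while the memory map now takes the firmware from `os.getcwd()+"/econotag_src/..."`, so on any machine other than that one user's a reset loads nothing; this commit only dropped the other `/home/aurel` paths together with the deleted `buggy` block, so build this command from the same `os.getcwd()` base. The RemoteMemory `IOMem` range is now `0x0`–`0x1000` with `priority: 0`; if the machine memory map still places ROM at address 0 as the deleted buggy map did, the two overlap, and a comment next to `range_start` saying which one is meant to serve the reset/exception vectors would save the next reader a guess.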
source [find interface/jlink.cfg] #mod enable the jlink debbug interface
#mod source [find interface/ftdi/olimex-arm-usb-ocd-h.cfg] #mod for olimex inteface
#source [find interface/jlink.cfg] #mod enable the jlink debbug interface
source /usr/local/share/openocd/scripts/interface/ftdi/olimex-arm-usb-ocd-h.cfg
#mod interface ft2232
#mod ft2232_layout axm0432_jtag
#mod ft2232_vid_pid 0x0403 0x6010
......@@ -9,17 +9,24 @@ telnet_port 4444
# GDB connects here
gdb_port 3333
# GDB can also flash my flash!
#gdb_memory_map enable
#gdb_flash_program enable
gdb_memory_map enable
gdb_flash_program enable
source [find bitsbytes.tcl]
source [find cpu/arm/arm966.tcl] #mod ****
source /usr/local/share/openocd/scripts/cpu/arm/arm966.tcl
#mod source [find cpu/arm/arm7tdmi.tcl]
source [find memory.tcl]
source [find mmr_helpers.tcl]
set CHIP_MAKER mediatek # freescale #mod not sure about that
set CHIP_FAMILY mt2502a # mc1322x #mod not sure
set CHIP_NAME mt2502a # mc13224 #mod not sure
transport select jtag
# freescale #mod not sure about that
set CHIP_MAKER mediatek
# mc1322x #mod not sure
set CHIP_FAMILY mt2502a
# mc13224 #mod not sure
set CHIP_NAME mt2502a
set N_RAM 1
set RAM(0,BASE) 0x00400000
set RAM(0,LEN) 0x18000
......@@ -46,7 +53,8 @@ set N_XMEM 0
#
set _CHIPNAME mt2502a
set _ENDIAN little
set _CPUTAPID 0x17700f0f #mod 0x1f1f001d
set _CPUTAPID 0x17700f0f
#mod 0x1f1f001d
jtag newtap $_CHIPNAME cpu -irlen 4 -ircapture 0x01 -irmask 0x0f -expected-id $_CPUTAPID
#jtag newtap $_CHIPNAME cpu -irlen 4 -ircapture 0x01 -irmask 0x03 -expected-id $_CPUTAPID # from my own file
......@@ -57,29 +65,21 @@ jtag_ntrst_delay 200
#jtag_rclk 0
#mod adapter_khz 2000
adapter_khz 2
adapter_khz 50
set _TARGETNAME [format "%s.cpu" $_CHIPNAME]
target create $_TARGETNAME arm966 -endian $_ENDIAN -chain-position $_TARGETNAME -variant arm966
#mod target create $_TARGETNAME arm7tdmi -endian $_ENDIAN -chain-position $_TARGETNAME -variant arm7tdmi
#$_TARGETNAME -variant arm7tdmi
#$_TARGETNAME configure -event reset-init {
# sleep 100
# soft_reset_halt
# mww 0x80000018 0x50000000
# mww 0x80000000 0x00000f00
# mww 0x80000008 0x00000e00
# mww 0x80005000 0x00006013
# # mww 0x80005018 0x017f270f
# # mww 0x80005008 0x55
# mww 0x80005018 0x07A9270F
# mww 0x80005008 0x55
# sleep 100
#}
target create $_TARGETNAME arm966e -endian $_ENDIAN -chain-position $_TARGETNAME
echo "linkIt_openocd.cfg INFO: target created"
# Internal sram memory
$_TARGETNAME configure -work-area-virt 0x00408000 -work-area-phys 0x00408000 -work-area-size 0x1000 -work-area-backup 1
echo "linkIt_openocd.cfg INFO: target configured"
proc run {file} {
puts "loading $file into location 0x00400000 and executing..."
soft_reset_halt
......@@ -87,11 +87,27 @@ proc run {file} {
resume 0x00400000
}
flash banks
#flash bank mc1322x 0 0 0 0 $_TARGETNAME
if { [info exists IMEMORY] && [string equal $IMEMORY true] } {
flash bank ${_CHIPNAME}_info.flash mdr 0x00000000 0x04000 \
0 0 $_TARGETNAME 1 1 4
} else {
flash bank $_CHIPNAME.flash mdr 0x00000000 0x4000 \
0 0 $_TARGETNAME 0 32 4
}
$_TARGETNAME configure -event gdb-attach my_attach_proc
$_TARGETNAME configure -event gdb-attach {
echo "gdb attaching..."
echo "linkIt_openocd.cfg INFO: gdb attaching..."
halt
#soft_reset_halt
}
echo "linkIT_openocd.cfg INFO: END OPENOCD CONFIGURATION"
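Review bot: Uncommenting `gdb_memory_map enable` / `gdb_flash_program enable` next to `telnet_port 4444` and `gdb_port 3333` hands any client that can reach those ports unauthenticated halt, memory-write and now flash-program access to the board, and unless a `bindto` directive exists elsewhere in this file OpenOCD binds them on all interfaces by default. Add `bindto 127.0.0.1` above `telnet_port 4444` so the debug servers are only reachable from the host running avatar, which already talks to them via localhost. The interface and CPU scripts are now sourced by absolute `/usr/local/share/openocd/scripts/...` paths instead of `[find ...]`, which ties the config to one install prefix; `source [find interface/ftdi/olimex-arm-usb-ocd-h.cfg]` and `source [find cpu/arm/arm966.tcl]` keep it portable without changing behaviour.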
source [find interface/jlink.cfg] #mod enable the jlink debbug interface
#mod source [find interface/ftdi/olimex-arm-usb-ocd-h.cfg] #mod for olimex inteface
#source [find interface/jlink.cfg] #mod enable the jlink debbug interface
source /usr/local/share/openocd/scripts/interface/ftdi/olimex-arm-usb-ocd-h.cfg
#mod interface ft2232
#mod ft2232_layout axm0432_jtag
#mod ft2232_vid_pid 0x0403 0x6010
......@@ -9,17 +9,24 @@ telnet_port 4444
# GDB connects here
gdb_port 3333
# GDB can also flash my flash!
#gdb_memory_map enable
#gdb_flash_program enable
gdb_memory_map enable
gdb_flash_program enable
source [find bitsbytes.tcl]
source [find cpu/arm/arm966.tcl] #mod ****
source /usr/local/share/openocd/scripts/cpu/arm/arm966.tcl
#mod source [find cpu/arm/arm7tdmi.tcl]
source [find memory.tcl]
source [find mmr_helpers.tcl]
set CHIP_MAKER mediatek # freescale #mod not sure about that
set CHIP_FAMILY mt2502a # mc1322x #mod not sure
set CHIP_NAME mt2502a # mc13224 #mod not sure
transport select jtag
# freescale #mod not sure about that
set CHIP_MAKER mediatek
# mc1322x #mod not sure
set CHIP_FAMILY mt2502a
# mc13224 #mod not sure
set CHIP_NAME mt2502a
set N_RAM 1
set RAM(0,BASE) 0x00400000
set RAM(0,LEN) 0x18000
......@@ -46,7 +53,8 @@ set N_XMEM 0
#
set _CHIPNAME mt2502a
set _ENDIAN little
set _CPUTAPID 0x17700f0f #mod 0x1f1f001d
set _CPUTAPID 0x17700f0f
#mod 0x1f1f001d
jtag newtap $_CHIPNAME cpu -irlen 4 -ircapture 0x01 -irmask 0x0f -expected-id $_CPUTAPID
#jtag newtap $_CHIPNAME cpu -irlen 4 -ircapture 0x01 -irmask 0x03 -expected-id $_CPUTAPID # from my own file
......@@ -57,10 +65,15 @@ jtag_ntrst_delay 200
#jtag_rclk 0
#mod adapter_khz 2000
adapter_khz 2
adapter_khz 50
set _TARGETNAME [format "%s.cpu" $_CHIPNAME]
target create $_TARGETNAME arm966 -endian $_ENDIAN -chain-position $_TARGETNAME -variant arm966
target create $_TARGETNAME arm966e -endian $_ENDIAN -chain-position $_TARGETNAME
echo "linkIt_openocd.cfg INFO: target created"
#-variant arm966e
#mod target create $_TARGETNAME arm7tdmi -endian $_ENDIAN -chain-position $_TARGETNAME -variant arm7tdmi
#$_TARGETNAME -variant arm7tdmi
#$_TARGETNAME configure -event reset-init {
......@@ -80,6 +93,10 @@ target create $_TARGETNAME arm966 -endian $_ENDIAN -chain-position $_TARGETNAME
# Internal sram memory
$_TARGETNAME configure -work-area-virt 0x00408000 -work-area-phys 0x00408000 -work-area-size 0x1000 -work-area-backup 1
echo "linkIt_openocd.cfg INFO: target configured"
proc run {file} {
puts "loading $file into location 0x00400000 and executing..."
soft_reset_halt
......@@ -87,11 +104,27 @@ proc run {file} {
resume 0x00400000
}
flash banks
#flash bank mc1322x 0 0 0 0 $_TARGETNAME
if { [info exists IMEMORY] && [string equal $IMEMORY true] } {
flash bank ${_CHIPNAME}_info.flash mdr 0x00000000 0x04000 \
0 0 $_TARGETNAME 1 1 4
} else {
flash bank $_CHIPNAME.flash mdr 0x00000000 0x4000 \
0 0 $_TARGETNAME 0 32 4
}
$_TARGETNAME configure -event gdb-attach my_attach_proc
$_TARGETNAME configure -event gdb-attach {
echo "gdb attaching..."
echo "linkIt_openocd.cfg INFO: gdb attaching..."
halt
#soft_reset_halt
}
echo "linkIT_openocd.cfg INFO: END OPENOCD CONFIGURATION"
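Review bot: The two new `flash bank ... mdr ...` definitions (including the `IMEMORY` branch) appear to be copied from OpenOCD's Milandr `mdr32f9q2i.cfg`; `mdr` is the driver for the Milandr 1986VE EEPROM controller, while the comments above declare a MediaTek MT2502A on an `arm966e` core, so an erase/program issued through the now-enabled `gdb_flash_program` would write Milandr controller registers that presumably do not exist on this part. Unless this chip's flash really is driven by that controller (worth confirming against the datasheet and noting in a comment), drop these banks or keep the `#flash bank mc1322x ...` placeholder and leave `gdb_flash_program` disabled until a matching driver exists. `flash banks` is also issued before the banks are defined, so it lists nothing; move it after the `if` block. Finally `$_TARGETNAME configure -event gdb-attach my_attach_proc` is immediately overridden by the inline `gdb-attach` handler and `my_attach_proc` is not defined in view; keep only the inline one.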
......@@ -11,4 +11,4 @@ export QEMU_ARM=/home/william/avatar-pandora/s2e-build/qemu-debug/arm-s2e-softmm
export UBOOT_BINARY=u-boot
export QEMU_S2E=/home/william/avatar-pandora/s2e-build/qemu-debug/arm-s2e-softmmu/qemu-system-arm
python3 qemu_integratorcp_uboot.py
python3 linkIT_avatar.py
#!/bin/sh
# this file is a simple script to run avatar-pandora
# Set the paths the files on the system.
#PYTHONPATH=/home/william/avatar-pandora/avatar-python QEMU_S2E=/home/william/avatar-pandora/s2e-build/qemu-debug/arm-s2e-softmmu/qemu-system-arm QEMU_ARM=/home/william/avatar-pandora/s2e-build/qemu-release/arm-softmmu/qemu-system-arm UBOOT_BINARY=u-boot python3 test_system.py
export PYTHONPATH=/home/william/avatar-pandora/avatar-python
export QEMU_ARM=/home/william/avatar-pandora/s2e-build/qemu-debug/arm-s2e-softmmu/qemu-system-arm
export UBOOT_BINARY=u-boot
export QEMU_S2E=/home/william/avatar-pandora/s2e-build/qemu-debug/arm-s2e-softmmu/qemu-system-arm
python3 qemu_integratorcp_uboot.py
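Review bot: `QEMU_ARM` and `QEMU_S2E` are both exported as the same `qemu-debug/arm-s2e-softmmu/qemu-system-arm` binary, whereas the commented-out invocation above pointed `QEMU_ARM` at the plain `qemu-release/arm-softmmu/qemu-system-arm`; if `qemu_integratorcp_uboot.py` uses `QEMU_ARM` for a non-S2E run it will now get the S2E build instead, so confirm which is intended and say so in the comment. All four paths are hard-coded to `/home/william/avatar-pandora`, so the script only works on one machine; derive them from the script's own location, e.g. `BASE=$(cd "$(dirname "$0")/.." && pwd)` (adjust the depth to where this file lives) and `export PYTHONPATH="$BASE/avatar-python"`, with the `QEMU_*` exports built the same way. Adding `set -eu` after the shebang makes a missing variable or a failing `python3` fail loudly instead of silently.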