Wednesday, October 30, 2013

Decompile MIPS binary

Reverse Engineering Resources - Decompilers
http://www.backerstreet.com/decompiler/decompilers.htm

The Decompilation Wiki
http://www.program-transformation.org/Transform/DeCompilation

Boomerang Decompiler
http://boomerang.sourceforge.net/index.php

sudo apt-get install libgc-dev libcppunit-dev libexpat1-dev xutils-dev
./configure;
make remote;
make;
make install
(prebuilt binary has no MIPS support...)

REC Decompiler Home Page
http://www.backerstreet.com/rec/rec.htm

de-mips - A simple MIPS decompiler - Google Project Hosting
http://code.google.com/p/de-mips/

Source Checkout - de-mips - A simple MIPS decompiler - Google Project Hosting
http://code.google.com/p/de-mips/source/checkout

Retargetable Decompiler
http://decompiler.fit.vutbr.cz/
(cannot take a u-boot .bin file)


Tuesday, October 29, 2013

California Marathons


California Marathons
http://marathons.ahotu.com/calendar/marathon/california

2013 Running Events in California
http://roadracerunner.com/Races/RunningCalendar.aspx?state=ca

Hiking near San Jose - Best Hikes, Guides, and Trail Maps | EveryTrail
http://www.everytrail.com/best/hiking-san-jose-california

San Jose Trails - Best San Jose camping, hiking & biking trails | AllTrails.com
http://alltrails.com/us/california/san-jose

Bike Rentals San Jose
http://www.yelp.com/search?cflt=bikerentals&find_loc=San+Jose%2C+CA

Road Bike Rental San Jose California - UDC
http://udcbikerental.com/bike-rental-san-jose.php

Monday, October 28, 2013

Create symbol table

Analysis of an unknown binary
http://old.honeynet.org/reverse/results/sol/sol-06/analysis.html

The Honeynet Project
http://old.honeynet.org/index.html

Reverse-Engineering Malware Paper by Lenny Zeltser
http://zeltser.com/reverse-malware-paper/

Create core dump file

gcore
core

debugging - Is it possible to get a core dump of a running process and it's symbol table? - Stack Overflow
http://stackoverflow.com/questions/68160/is-it-possible-to-get-a-core-dump-of-a-running-process-and-its-symbol-table

Core File Generation - Debugging with GDB
https://sourceware.org/gdb/onlinedocs/gdb/Core-File-Generation.html

gdb - Core dump file analysis - Stack Overflow
http://stackoverflow.com/questions/5115613/core-dump-file-analysis

Getting the call stack without a frame pointer

Getting the call stack without a frame pointer
http://www.yosefk.com/blog/getting-the-call-stack-without-a-frame-pointer.html

x86 bt: a script getting the call stack from a core file without relying on gdb's bt command but relying on its disassemble command.
http://yosefk.com/sw/bt



fcamel's tech notes: customizing backtrace output with Python in GDB

http://fcamel-life.blogspot.tw/2013/08/python-gdb-backtrace.html

How does GDB find the symbol of a function when backtracing in MIPS Linux? - Stack Overflow
http://stackoverflow.com/questions/1051872/how-does-gdb-find-the-symbol-of-a-function-when-backtracing-in-mips-linux

Friday, October 25, 2013

12.04LTS and the Telstra AirCard 320U 4G mobile wireless modem

Ubuntu 12.04.3 LTS, 3.5.0-41-generic #64-precise1-Ubuntu SMP
Note: my Ubuntu has been updated since. My LTE environment may not be complete, because what I am testing is the eNodeB.

Sierra Wireless - Support Center
http://mycusthelpadmin.net/SIERRAWIRELESS/_cs/AnswerDetail.aspx?sSessionID=5180C4D3AD1341438EDD065089DFC5A4QTKEYQOQ&aid=44

I have ttyUSB0-4; ttyUSB1-3 are created by the adapter. minicom can connect to ttyUSB3 and send AT commands.

115200-8N1, no flow control.

Do check /var/log/syslog with "tail -f /var/log/syslog". Sometimes I got an error when minicom hung:

[268038.108951] sierra_net 2-4:1.7: wwan0: Submit SYNC failed -32
[268038.108965] sierra_net 2-4:1.7: wwan0: Send SYNC failed, status -32
I fixed it by unplugging the adapter and plugging it in again.

"ati5" shows the modem IMEI and firmware

"at+cgdcont ?" shows the created profiles
"at!scprof=<profile_id>,"",1,0,0,0" sets a profile to auto-connect
"at+cfun=1" turns the radio on
"at!scact=1,<profile_id>" connects manually
"at!scact=0,<profile_id>" disconnects manually
"at!scdftprof=<profile_id>" sets the default profile
"at!scpaddr=<profile_id>" shows the IP address obtained by the profile

First, I use the AT commands to get the adapter connected. However, NetworkManager somehow doesn't know that it is connected. So I read the IP from the AT command (at!scpaddr), say 192.168.1.150, and set it with ifconfig:
ifconfig wwan0 192.168.1.150



Re: 12.04LTS and the Telstra 4G mobile wireless modem
http://www.mail-archive.com/ubuntu-au@lists.ubuntu.com/msg05253.html
http://www.mail-archive.com/ubuntu-au@lists.ubuntu.com/msg05260.html

How To Get Telstra 4G Mobile Broadband Working With Linux | eigenmagic
http://www.eigenmagic.com/2012/03/14/how-to-get-telstra-4g-mobile-broadband-working-with-linux/
Forcing 4G Mode
"AT+ZSNT=6,0,0" force the modem into 4G mode
"AT+ZSNT=0,0,0" put the modem into auto-negotiate mode
Telstra 4G Mobile Broadband Setup
http://ubuntuforums.org/showthread.php?t=2074518

Sunday, October 20, 2013

Disassemble u-boot.bin

This script not only disassembles u-boot.bin, but also regenerates an ELF that can be loaded into GDB.

./disassemble.pl <offset> <binary_file>
./disassemble.pl 0xc0000000 u-boot.bin

GPL:disassemble.pl - CHDK Wiki
http://chdk.wikia.com/wiki/GPL:disassemble.pl#
#!/usr/bin/perl
 
# disassemble alien binary blobs
# look for "ldr .., [pc + #nn]" etc. 
# and add strings and values it refers to
#
# (c) 2008 chr
# GPL V3+
#
# v0.2.1:
# * create labels for branch targets
# v0.2:
# * catch unaligned strings
# * note on strings
# * check for integer overflow
 
# use Data::Dumper;
# $Data::Dumper::Sortkeys = 1;
 
# Added to support execution of disassembler.pl
# when not in the same folder as binary file to
# be disassembled.
use Cwd;
$firmware_basepath = getcwd;
 
# adjust these for your needs (note final slash):
#$path = "$ENV{'HOME'}/gcc-4.1-arm/bin/";
$path = "";
 
# note on "strings": default is a minimum length of 4 chars.
# So if u are hunting for e.g. "FI2" add -n3
# However, it gives a lot of false positive.
$strdump = "strings -t x";
$objdump = "${path}arm-elf-objdump";
$objcopy = "${path}arm-elf-objcopy";
 
if (@ARGV != 2) {
	die("Usage: $0 0x<offset> <binary_file>");
}
 
$offset  = $ARGV[0];
$binfile = $ARGV[1];
$firmware_file_path = "$firmware_basepath/$ARGV[1]";
 
# check if we wrap over
die "error stat($firmware_file_path): $!" unless ($flen = (stat($firmware_file_path))[7]);
 
if ( hex($offset) + $flen - 1 > 0xffffffff) {
	die "offset + filesize - 1 > 0xffffffff. We can't wrap around!\n\ngame over"
}
 
#####
print "string dump\n";
my %strings;
open(IN, "$strdump \"$firmware_file_path\" |") or die "cannot start $strdump \"$firmware_file_path\": $!";
open(OUT,">$firmware_file_path.strings") or die "cannot write to $firmware_file_path.strings: $!";
while (<IN>) {
	/^ *([[:xdigit:]]*) (.*)/;
	my $addr     = hex($1) + hex($offset);
	my $addr_str = sprintf("%08x", $addr);
	$strings{$addr_str} = $2;
 
	print OUT "$addr_str $2\n"; 
 
	# align string address so unaligned strings appears in disassemble
	$addr_str = sprintf("%08x", $addr & ~0x3);
	my $offs = $addr & 0x3;
	$strings{$addr_str} = '.' x $offs . $2;
 
}
close IN;
close OUT;
 
#$strings{'ff810164'} = "TEST test";
#$strings{'ff810420'} = "add test";
#print Dumper(\%strings);
#exit;
 
#####
print "create elf file\n";
 
`$objcopy --change-addresses=$offset -I binary -O elf32-littlearm -B arm \"$firmware_file_path\" \"$firmware_file_path.elf\"`;
`$objcopy --set-section-flags .data=code,load,alloc,content \"$firmware_file_path.elf\"`;
 
#####
print "label scan\n";
my %labels;
open(IN, "$objdump -d \"$firmware_file_path.elf\" |")
      or die "cannot start $objdump \"$firmware_file_path\": $!";
open(OUT,">$firmware_file_path.labels") or die "cannot write to $firmware_file_path.labels: $!";
 
while (<IN>) {
        if (my ($addr, $dest) = $_ =~ /^ *([[:xdigit:]]+):[ \t]+[[:xdigit:]]+[ \t]+[Bb][[:alpha:]]*[ \t]+([[:xdigit:]]+)/) {
                if ($labels{$dest} lt 1) {
                        print OUT "$dest ($addr)\n";
                }
                $labels{$dest} += 1;
                print "\r0x$addr  ";
        }
}
close IN;
close OUT;
 
#####
print "\ndisassemble and string lookup\n";
 
open(IN, "$objdump -d \"$firmware_file_path.elf\" |")
      or die "cannot start $objdump \"$firmware_file_path\": $!";
open(OUT,">$firmware_file_path.dis") or die "cannot write to $firmware_file_path.dis: $!";
open(BIN, "<$firmware_file_path") or die "cannot read $firmware_file_path";
 
binmode BIN;
 
while (<IN>) {
	if ($_ eq "	...\n") { print OUT $_; next;}
 
	my ($addr, $line) = $_ =~ /^ *([[:xdigit:]]*):(.*)/ or next;
 
	# ff810b98:	e51f2060 	ldr	r2, [pc, #-96]	; ff810b40 <_binary_dump_bin_start+0xb40>
	# ff815dd4:	e28f10dc 	add	r1, pc, #220	; 0xdc
	if (
		($line =~ /^(.*\tldr.*\[pc, #([-\d]+).*; )/) ||
		($line =~ /^(.*\tadd.*pc, #([-\d]+).*; )/)
	) {
		$line = $1;
		my $off = hex($addr) - hex($offset) + $2 + 8;
		my $point = sprintf("%08x", hex($addr) + $2 + 8);
		my $value = &get_word($off);
		$line .= "$point: ($value) ";
		if (my $str = $strings{$point}) {
			# add pointed string
			$line .= qq| *"$str"|;
		}
		elsif (my $str = $strings{$value}) {
			# pointer to pointer ...
			$line .= qq| **"$str"|;
		}
	} 
	# ff815e1c:	e24f0090 	sub	r0, pc, #144	; 0x90
	elsif ($line =~ /^(.*\tsub.*pc, #([-\d]+).*; )/) {
		$line = $1;
		my $off = hex($addr) - hex($offset) - $2 + 8;
		my $point = sprintf("%08x", hex($addr) - $2 + 8);
		my $value = &get_word($off);
		$line .= "$point: ($value) ";
		if (my $str = $strings{$point}) {
			$line .= qq| *"$str"|;
		}
		elsif (my $str = $strings{$value}) {
			$line .= qq| **"$str"|;
		}
	}
        # ff81015c:       3afffffc        bcc     ff810154 <_binary__blah ...>
        elsif ($line =~ /^([ \t]*[[:xdigit:]]+[ \t]+[Bb][[:alpha:]]*[ \t]+)([[:xdigit:]]+)/) {
                $line = "$1loc_$2"
        }
        # insert label
        if ($labels{$addr} gt 1) {
                print OUT "loc_$addr: ; $labels{$addr} refs\n";
        } elsif ($labels{$addr} gt 0) {
                print OUT "loc_$addr:\n";
        }
	# add string comment
	if (my $str = $strings{$addr}) {
		print OUT qq|"$str":\n|;
	}
	print OUT "$addr: $line\n"; 
	print "\r0x$addr  ";
}
close IN;
close OUT;
 
#####
print "\njob complete!\n";
 
sub get_word {
	my $off = shift;
	my $ret;
 
	seek(BIN, $off, 0);
	my $c = read(BIN, $ret, 4);# or die "off: $off $! ($ret)";
	return ($c > 0 ? sprintf("%08x", unpack("I", $ret)) : '???');
}


With the following changes:
diff --git a/disassemble.pl b/disassemble.pl
index fea0761..1a85518 100644
--- a/disassemble.pl
+++ b/disassemble.pl
@@ -27,12 +27,16 @@ $firmware_basepath = getcwd;
 #$path = "$ENV{'HOME'}/gcc-4.1-arm/bin/";
 $path = "";
  
+#$cross = "arm-elf-";
+$cross = "mips64-octeon-linux-gnu-";
 # note on "strings": default is a minimum length of 4 chars.
 # So if u are hunting for e.g. "FI2" add -n3
 # However, it gives a lot of false positive.
 $strdump = "strings -t x";
-$objdump = "${path}arm-elf-objdump";
-$objcopy = "${path}arm-elf-objcopy";
+$objdump = "${path}${cross}objdump";
+$objcopy = "${path}${cross}objcopy";
+#$objcopy_param = " -I binary -O elf32-littlearm -B arm ";
+$objcopy_param = "-I binary -O elf32-ntradbigmips -B mips:octeon2 ";
  
 if (@ARGV != 2) {
        die("Usage: $0 0x ");
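Review bot: `$objcopy_param` now selects the big-endian `elf32-ntradbigmips` output, but `get_word` further down still decodes the word it reads with `unpack("I", $ret)`, which is host byte order; on an x86 host every `($value)` annotation and every `**"..."` pointer-to-pointer lookup will be byte-swapped for this target. Consider choosing the unpack template alongside `$objcopy_param` (`"N"` for a big-endian MIPS image, `"V"` for little-endian ARM) instead of relying on the host's native order.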
@@ -79,7 +83,7 @@ close OUT;
 #####
 print "create elf file\n";
  
-`$objcopy --change-addresses=$offset -I binary -O elf32-littlearm -B arm \"$firmware_file_path\" \"$firmware_file_path.elf\"`;
+`$objcopy --change-addresses=$offset ${objcopy_param} \"$firmware_file_path\" \"$firmware_file_path.elf\"`;
 `$objcopy --set-section-flags .data=code,load,alloc,content \"$firmware_file_path.elf\"`;
  
 #####
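Review bot: the objcopy invocation is now toolchain-neutral, but the disassembly loop that follows still only recognizes the ARM `ldr ... [pc, #nn]`, `add ... pc, #nn` and `sub ... pc, #nn` forms (the `+ 8` there is the ARM pipeline PC offset), so on MIPS output, where a 32-bit address is built from a `lui`/`addiu` pair, the string-lookup pass will annotate nothing. Either note in the header comment that only the ELF generation and the label scan are ported, or add a MIPS pattern for the `lui`/`addiu` sequence.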

How to disassemble an ARM raw binary file on Linux - ZhengKarl's column - Blog channel - CSDN.NET
http://blog.csdn.net/zhengkarl/article/details/5663042


GPL Disassembling - CHDK Wiki
http://chdk.wikia.com/wiki/GPL_Disassembling

ARM disassembly on Linux - CPU and compilers - ChinaUnix.net
http://bbs.chinaunix.net/thread-1948607-1-1.html

The following works:
mips64-octeon-linux-gnu-objdump  u-boot.bin -b binary -D -m mips:octeon2 -M reg-names=n32,reg-names=octeon2 -EB | head

u-boot.bin:     file format binary


Disassembly of section .data:

0000000000000000 <.data>:
       0:    1000013f     b    0x500
       4:    00000000     nop
       8:    424f4f54     c0    0x4f4f54
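The port of disassemble.pl above swaps the toolchain but keeps the ARM pc-relative `ldr` patterns, so on MIPS the string annotation never fires. As an added example (not from the CHDK script or this post), here is the MIPS counterpart in Python: it reads `strings -t x` output and `objdump -b binary -D -m mips:octeon2` output of the kind shown above, resolves `lui`/`addiu` (or `lui`/`ori`) address pairs to the strings they point at, and counts branch targets for labels. Both listings are constructed samples, and LOAD_BASE mirrors the 0xc0000000 offset used with the script.

```python
import re

LOAD_BASE = 0xc0000000  # the load offset the page passes to disassemble.pl
# Constructed sample of `strings -t x u-boot.bin` output (hex file offset, string).
STRINGS_OUT = """\
   1200 U-Boot 1.1.1
   1210 Hit any key to stop autoboot
"""
# Constructed sample of the page's `objdump -b binary -D -m mips:octeon2` output;
# addresses are file offsets, and a0/a1 are loaded with pointers to the strings above.
OBJDUMP_OUT = """\
       0:    1000013f     b    0x500
       4:    00000000     nop
     500:    3c04c000     lui    a0,0xc000
     504:    24841200     addiu    a0,a0,4608
     508:    0c000200     jal    0x800
     50c:    3c05c000     lui    a1,0xc000
     510:    24a51210     addiu    a1,a1,4624
     514:    1000fffa     b    0x500
"""
INSN = r'^\s*([0-9a-f]+):\s+[0-9a-f]{8}\s+'
LUI = re.compile(INSN + r'lui\s+([\w$]+),0x([0-9a-f]+)')
ADDIU = re.compile(INSN + r'(?:addiu|ori)\s+([\w$]+),([\w$]+),(-?\d+|0x[0-9a-f]+)')
BRANCH = re.compile(INSN + r'(?:b(?!reak)\w*|jal|j)\s+(?:[\w$]+,)*0x([0-9a-f]+)')

def load_strings(text, base):
    """Map absolute address -> string, like the %strings hash in disassemble.pl."""
    return {int(m.group(1), 16) + base: m.group(2)
            for m in re.finditer(r'^\s*([0-9a-f]+) (.*)$', text, re.M)}

def resolve_refs(dis, strings):
    """Return (insn_offset, absolute_target, string_or_None) for every lui/addiu
    (or lui/ori) pair: the MIPS counterpart of the script's ARM ldr [pc, #nn] lookup."""
    hi, refs = {}, []   # hi: register -> upper half set by the last lui
    for line in dis.splitlines():
        m = LUI.match(line)
        if m:
            hi[m.group(2)] = int(m.group(3), 16) << 16
            continue
        m = ADDIU.match(line)
        if m and m.group(3) in hi:
            imm = int(m.group(4), 0)  # objdump prints addiu as signed decimal, ori as hex
            target = (hi[m.group(3)] + imm) & 0xffffffff
            refs.append((int(m.group(1), 16), target, strings.get(target)))
            hi.pop(m.group(2), None)  # rt now holds a full pointer, not an upper half
    return refs

def branch_targets(dis):
    """Count references to each branch/jump target (file offset), like the label scan."""
    counts = {}
    for line in dis.splitlines():
        m = BRANCH.match(line)
        if m:
            tgt = int(m.group(2), 16)
            counts[tgt] = counts.get(tgt, 0) + 1
    return counts
```

A target with two or more references would get the `loc_xxxxxxxx: ; N refs` label the Perl script emits; here the counts are returned so the caller can decide how to print them.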


Emulating Digicam with QEMU - page 4 - General Discussion and Assistance - CHDK Forum
http://chdk.setepontos.com/index.php/topic,1918.msg20065.html#msg20065
Emulating Digicam with QEMU - page 5 - General Discussion and Assistance - CHDK Forum
http://chdk.setepontos.com/index.php?topic=1918.msg28546#msg28546
disassemble_with_stubs_funcs-v1.0.zip 
http://chdk.setepontos.com/index.php?action=dlattach;topic=1918.0;attach=2786


Friday, October 18, 2013

Debugging Octeon u-boot with GDB+BDI2000

You can use either the GDB from the Octeon SDK (mips64-octeon-linux-gnu-gdb) or the Linux multiarch GDB (gdb-multiarch).

Enter the following in the GDB shell, or put it in a .gdbinit in the directory from which you run gdb.
# Passing -nx prevents .gdbinit from being executed

set architecture mips:octeon2
set heur 0
set remoteti 10
set mips abi n64
set os none
set endian big

target remote [BDI2000_IP]:2001


x/i $pc

n (next)
c (continue)
bt (backtrace)
br (break)



ddd --debugger mips64-octeon-linux-gnu-gdb



GDB: Error: Remote 'g' packet reply is too long:
  1. Mismatch of architecture. To show the supported architectures:
     set architecture
  2. (?) --with-expat
  3. (?) gdb-multiarch
  4. (?) modifying gdbstub.c (in the qemu sources) to send 64-bit registers

qt4 - Problem gdb remote debugging - Remote 'g' packet reply is too long - Stack Overflow
http://stackoverflow.com/questions/4896316/problem-gdb-remote-debugging-remote-g-packet-reply-is-too-long

gdb - Remote 'g' packet reply is too long - Stack Overflow
http://stackoverflow.com/questions/8662468/remote-g-packet-reply-is-too-long

Question #193249 : Questions : GCC ARM Embedded
https://answers.launchpad.net/gcc-arm-embedded/+question/193249


gdb-remote
http://www.cs.sfu.ca/~fedorova/Tech/simics-guides-3.0.26/simics-reference-manual-public-all/topic96.html



Whenever the BDI2000 gets connected, the PC gets reset.
- TARGET: processing power-up delay
- TARGET: processing user reset request
- Core#0: ID code is 0x19400399
- Core#0: IMP reg is 0xA1404001
- TARGET: resetting target passed
- TARGET: processing target startup ....
- TARGET: processing target startup passed
cnMIPS#0>info
    Core state        : debug mode
    Debug entry cause : JTAG break request
    Current PC        : 0xffffffffbfc00000
    Current SR        : 0x505000e4
    Current LR  (r31) : 0xffffffffc003c86c
    Current SP  (r29) : 0xffffffffffff9710
FIX: check the BDI config file, which may be fetched by tftp from your tftp server, and look under the [TARGET] section for a "RESET JTAG" command. If it is there, comment out that line. (If not, god bless you.....)


gdb + BDI2000
Home - Abatron AG
http://www.abatron.ch
Older Products - Abatron AG
http://www.abatron.ch/products/bdi-family/older-products.html
GNU Support - Abatron AG
http://www.abatron.ch/products/debugger-support/gnu-support.html
JTAG debug interface for GNU Debugger
http://www.abatron.ch/fileadmin/user_upload/products/pdf/ManGdb55xx-3000.pdf

bdiGDB
http://www.ultsol.com/index.php/component/content/article/8/31-bdigdb

Kernel Debugging with GDB
http://dslab.lzu.edu.cn:8080/docs/publications/kernel_gdb.pdf

USI AN#02-001a: Using the Abatron BDI2000 to Debug a Linux Kernel
http://www.recipes4linux.com/recipes/bdi2000/kerneldebug/Tool%20Talk%2002-001a-Debug-Linux%20Kernel.pdf

USI AN#03-001: Installing, Configuring and Using GDB for the PowerPC
http://www.ultsol.com/pdfs/Tool_Talk_03-001-Using-GDB-for-PowerPC.pdf

BDI2000Usage < Training < DENX
http://www.denx.de/wiki/view/Training/BDI2000Usage

DebuggingUBoot < DULG < DENX 
http://www.denx.de/wiki/DULG/DebuggingUBoot

Debugging MIPS with BDI2000 and GDB together - Zhihuiju - Baidu Space
http://hi.baidu.com/whvyawpbmtanove/item/b772c4a548d397f614329b13

Debugging on DaVinci using BDI2000 - Texas Instruments Wiki
http://processors.wiki.ti.com/index.php/Debugging_on_DaVinci_using_BDI2000

MIPS64


MIPS64™ Architecture For Programmers Volume I:
Introduction to the MIPS64™ Architecture
http://www.ece.lsu.edu/ee4720/mips64v1.pdf

4.1 CPU Instructions, Grouped By Function
(.....................)
Each instruction is 32 bits long
MIPS64® Architecture For Programmers Volume II:
The MIPS64® Instruction Set
http://scc.ustc.edu.cn/zlsc/lxwycj/200910/W020100308600769158777.pdf

MIPS IV Instruction Set
http://math-atlas.sourceforge.net/devel/assembly/mips-iv.pdf

CS4617 Computer Architecture Lecture 4: Instruction Set Architectures 2
http://www.cs.ucc.ie/~jvaughan/cs4617/slides/lecture4.pdf

[wiki] MIPS architecture
http://en.wikipedia.org/wiki/MIPS_architecture#cite_note-2
http://en.wikipedia.org/wiki/MIPS_architecture#Compiler_register_usage

MIPS Quick Tutorial
http://logos.cs.uic.edu/366/notes/mips%20quick%20tutorial.htm


assembly - MIPS stack frame (and "addiu" instruction confusion) - Stack Overflow
http://stackoverflow.com/questions/6835724/mips-stack-frame-and-addiu-instruction-confusion

MIPS Assembly/Instruction Formats - Wikibooks, open books for an open world
http://en.wikibooks.org/wiki/MIPS_Assembly/Instruction_Formats

(MIPS) Instruction representation
http://www.cis.nctu.edu.tw/~info27/ch3/repre.htm

Register Usage in MIPS ABI
http://www.inf.ed.ac.uk/teaching/courses/car/Notes/slide03.pdf

MIPS $gp register - Stack Overflow
http://stackoverflow.com/questions/2618790/mips-gp-register

The rules for MIPS call convention
http://www.cs.umb.edu/cs641/MIPscallconvention.html
http://www.cs.ucsb.edu/~franklin/30/spim/BookCallConvention.htm

[wiki] MIPS architecture - Compiler register usage
http://en.wikipedia.org/wiki/MIPS_architecture#Compiler_register_usage