Autonomous and Controllable Debugging Tools (自主可控的调试工具), slide deck by Zhang Yinkui (张银奎), 52 pages.
Autonomous and Controllable Debugging Tools
Speaker: Zhang Yinkui (Raymond Zhang)

About the speaker
- Founder of Gedu Technology (格蠹科技); 25 years of programming experience
- Intel, 2003.5 to 2016.12; Gedu Technology since then
- Author of "Software Debugging" (软件调试), "Gedu Assembly" (格蠹汇编) and "A Brief History of Software" (软件简史)
- Translator of "21st Century Robot", "Machine Learning", "Principles of Data Mining", "Artificial Intelligence: Methods and Strategies for Solving Complex Problems", "Showstopper! The Breakneck Race to Create Windows NT and the Next Generation at Microsoft" (观止) and "Modern x86 Assembly Language Programming"
- Su Shi: "Ask what I achieved in my life: Huangzhou, Huizhou, Danzhou." (问汝平生功业,黄州惠州儋州)

CONTENT (2023 K+)
01 挥码枪 (Huimaqiang)
02 The Nano Code debugger
03 Semihosting

Part 01: 挥码枪 (Huimaqiang)

The physical interface between the DP (Debug Port) and an external debugger.

The key step that made ARM take off: the Nokia 6110 announced in 1997 and the iPod launched in 2001 both used the ARM7TDMI.

Debug functionality in the SoC: the ADI (ARM Debug Interface). The slide plays on the name of the debug link into the core: eye, see, sight, debugger, debug link, CoreSight.

"The ADI provides access to debug functionality that is provided by debug components in an embedded SoC." That is the purpose of the ADI: access to the debug functionality inside the SoC.

The DP comes in three flavours: JTAG, SW (Serial Wire) and SWJ (Serial Wire/JTAG).

Part 02: The Nano Code debugger

Components, as named on the slides:
- NDI
- NTP (Nano Target Probe)
- DCI (Direct Connect Interface)
- NDP (Nano Debug Protocol)
- ELK (Debug Embassy for Linux)
- DBGENG (Debug Engine for Windows)
- ETF (Debug Embassy for Trusted Firmware)
- EHV (Debug Embassy for Hyper-V)
- Capstone
- NDW
- MARM (Machine for ARM) and MRV (Machine for RISC-V)
- Arch View and Metaverse View
- Meta modules: lk_meta, nt_meta, smm_meta, grub2_meta, atf_meta, hv_meta, kvm_meta

Software breakpoints

The AArch64 breakpoint encodings a debugger writes into target memory, as the macros on the slide (with the shift restored; 0xD4200000 is BRK #0, 0xD4400000 is HLT #0, and imm16 occupies bits 20:5):

```c
#define ARMV8_BKPT(Im) (0xD4200000 | ((Im & 0xffff) << 5))
#define ARMV8_HLT(Im)  (0xD4400000 | ((Im & 0xffff) << 5))
```

A dedicated breakpoint instruction (BKPT/BRK) can be used, or any invalid instruction; the goal is simply to raise an exception. Software breakpoints collide with the broader security trend, however: writing the breakpoint instruction into target memory through DPM fails when code pages are not writable.

Hardware breakpoints

"I am Tarzan; please keep a close watch on No. 100, Fourth Road." A hardware breakpoint asks the CPU to watch an address instead of modifying the code. Hardware breakpoint command: ba e1 <address>, where e stands for execute and 1 is the size.
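The two macros above are the AArch64 BRK and HLT encodings (OpenOCD keeps the name ARMV8_BKPT; the AArch64 mnemonic is BRK). The C program below is an added example, not code from the slides or from the Nano Code debugger: it builds and recognises those encodings and does the bookkeeping a debugger performs for a software breakpoint, saving the overwritten word and refusing to plant when the text page is not writable, which is the case that forces the fall-back to a hardware breakpoint (ba e1). The code buffer, its contents and the text_writable flag are constructed for the demo.

```c
/* Added example: AArch64 BRK/HLT encodings and software-breakpoint bookkeeping.
 * Not from the slides or OpenOCD; the "text" buffer below is constructed data. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ARMV8_BKPT(Im) (0xD4200000u | (((Im) & 0xffffu) << 5))
#define ARMV8_HLT(Im)  (0xD4400000u | (((Im) & 0xffffu) << 5))
#define TRAP_FIXED_MASK 0xFFE0001Fu   /* every bit except imm16 (bits 20:5) */

enum trap_kind { TRAP_NONE = 0, TRAP_BRK = 1, TRAP_HLT = 2 };

/* Classify one instruction word; on BRK/HLT also return its imm16. */
enum trap_kind armv8_decode_trap(uint32_t insn, uint16_t *imm) {
    uint32_t fixed = insn & TRAP_FIXED_MASK;
    if (fixed != 0xD4200000u && fixed != 0xD4400000u) return TRAP_NONE;
    if (imm) *imm = (uint16_t)((insn >> 5) & 0xffffu);
    return fixed == 0xD4200000u ? TRAP_BRK : TRAP_HLT;
}

/* One planted software breakpoint: the debugger must keep the original
 * word to restore it when the breakpoint is removed or stepped over. */
struct sw_breakpoint {
    uint32_t *addr;     /* code location, word aligned */
    uint32_t  saved;    /* original instruction */
    bool      active;
};

/* Plant BRK #imm at addr.  Returns -1 when the text page cannot be written,
 * the situation the slides describe: the debugger then has to fall back to
 * a hardware breakpoint instead of patching code. */
int sw_breakpoint_plant(struct sw_breakpoint *bp, uint32_t *addr, uint16_t imm,
                        bool text_writable) {
    if (!text_writable || bp->active) return -1;
    bp->addr = addr;
    bp->saved = *addr;
    bp->active = true;
    *addr = ARMV8_BKPT(imm);
    return 0;
}

/* Restore the original instruction. */
int sw_breakpoint_remove(struct sw_breakpoint *bp) {
    if (!bp->active) return -1;
    *bp->addr = bp->saved;
    bp->active = false;
    return 0;
}

/* Scan a code range for BRK/HLT words, e.g. to find breakpoints the
 * debugger did not plant itself. */
size_t count_traps(const uint32_t *code, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (armv8_decode_trap(code[i], NULL) != TRAP_NONE) hits++;
    return hits;
}

/* Constructed "text segment": mov x0, #1; ret; nop; nop (real encodings). */
static uint32_t text[4] = { 0xD2800020u, 0xD65F03C0u, 0xD503201Fu, 0xD503201Fu };

int main(void) {
    struct sw_breakpoint bp = {0};
    uint16_t imm = 0;
    if (sw_breakpoint_plant(&bp, &text[1], 0x401, false) < 0)
        puts("text not writable: use a hardware breakpoint (ba e1 <addr>) instead");
    sw_breakpoint_plant(&bp, &text[1], 0x401, true);
    armv8_decode_trap(text[1], &imm);
    printf("planted %08x at text[1] (BRK #0x%x), %zu trap(s) in buffer\n",
           (unsigned)text[1], imm, count_traps(text, 4));
    sw_breakpoint_remove(&bp);
    printf("restored %08x\n", (unsigned)text[1]);
    return 0;
}
```

The decoder masks out imm16 before comparing, so it recognises every BRK/HLT immediate, not only the value the debugger itself uses; the same check is what a breakpoint-aware disassembler or an anti-tamper scan of a loaded image applies.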
Stack trace (k) when the breakpoint hits; the Linux kernel image is loaded as module lk:

```text
Child-SP          RetAddr           Call Site
ffffff800ed5bcd0  ffffff8008ea09ec  lk!tcp_sendmsg+0x8 [net/ipv4/tcp.c @ 1458]
ffffff800ed5bd00  ffffff8008d5f598  lk!inet_sendmsg+0x34 [net/ipv4/af_inet.c @ 799]
ffffff800ed5bd30  ffffff8008d61310  lk!sock_sendmsg+0x50 [net/socket.c @ 623]
ffffff800ed5be70  ffffff8008d613b0  lk!__sys_sendto+0xb8 [net/socket.c @ 1787]
ffffff800ed5be80  ffffff8008098ca4  lk!__arm64_sys_sendto+0x20 [net/socket.c @ 1795]
ffffff800ed5beb0  ffffff8008098de0  lk!el0_svc_common.constprop.0+0x64 [./arch/arm64/include/asm/current.h @ 19]
ffffff800ed5bec0  ffffff8008083d08  lk!el0_svc_handler+0x28 [arch/arm64/kernel/syscall.c @ 164]
0000007f27ffd8f0  0000007f8d585218  lk!el0_svc+0x8 [arch/arm64/kernel/entry.S @ 941]
```

tcp_sendmsg

```text
Child-SP          RetAddr           Call Site
ffffff800f08bb00  ffffff80090a060c  lk!__switch_to+0x8 [arch/arm64/kernel/process.c @ 544]
ffffff800f08bb90  ffffff80090a10d8  lk!__schedule+0x2f4 [kernel/sched/core.c @ 3437]
ffffff800f08bbb0  ffffff8008082fa0  lk!preempt_schedule_irq+0x38 [./arch/arm64/include/asm/irqflags.h @ 62]
ffffff800f08bbb0  000000009200004f  lk!el1_preempt+0x8 [arch/arm64/kernel/entry.S @ 665]
```

Which tasks are being switched: dt on the prev and next variables of the current frame shows the comm field of each task_struct.

```text
dt prev -y comm
Local var 0 Type task_struct*
   +0x768 comm : [16] Char "Chrome_HistoryT"
dt next -y comm
Local var 0 Type task_struct*
   +0x768 comm : [16] Char "migration/0"
```

Voluntarily yielding the CPU

```text
Child-SP          RetAddr           Call Site
ffffff800a313d30  ffffff80090a060c  lk!cpu_switch_to [arch/arm64/kernel/entry.S @ 1067]
ffffff800a313de0  ffffff80090a0c80  lk!__schedule+0x2f4 [kernel/sched/core.c @ 3437]
ffffff800a313e00  ffffff80080e5f00  lk!schedule+0x38 [kernel/sched/core.c @ 4171]
ffffff800a313e60  ffffff80080e147c  lk!smpboot_thread_fn+0x258 [kernel/smpboot.c @ 160]
ffffff800a313ec0  ffffff8008085db0  lk!kthread+0x12c [kernel/kthread.c @ 260]
ffffff800a313ec0  0000000000000000  lk!ret_from_fork+0x10 [arch/arm64/kernel/entry.S @ 1104]
```

Thread switch while waiting on a semaphore

```text
Child-SP          RetAddr           Call Site
ffffff800d8abbb0  ffffff80090a060c  lk!cpu_switch_to [arch/arm64/kernel/entry.S @ 1067]
ffffff800d8abc60  ffffff80090a0c80  lk!__schedule+0x2f4 [kernel/sched/core.c @ 3437]
ffffff800d8abc80  ffffff80090a47b8  lk!schedule+0x38 [kernel/sched/core.c @ 4171]
ffffff800d8abd40  ffffff80090a30e8  lk!schedule_timeout+0x1e0 [kernel/time/timer.c @ 1795]
ffffff800d8abdc0  ffffff800811a4cc  lk!__down_interruptible+0xa0 [kernel/locking/semaphore.c @ 221]
ffffff800d8abdf0  ffffff80011c1134  lk!down_interruptible+0x54 [kernel/locking/semaphore.c @ 85]
ffffff800d8abe60  ffffff80080e147c  bcmdhd!dhd_rxf_thread+0x9c [drivers/net/wireless/rockchip_wlan/rkwifi/bcmdhd/dhd_linux.c @ 6614]
ffffff800d8abec0  ffffff8008085db0  lk!kthread+0x12c [kernel/kthread.c @ 260]
ffffff800d8abec0  0000000000000000  lk!ret_from_fork+0x10 [arch/arm64/kernel/entry.S @ 1104]
```

From the idle thread into work

```text
Child-SP          RetAddr           Call Site
ffffff800a323e70  ffffff80090a060c  lk!cpu_switch_to [arch/arm64/kernel/entry.S @ 1067]
ffffff800a323f20  ffffff80090a104c  lk!__schedule+0x2f4 [kernel/sched/core.c @ 3437]
ffffff800a323f40  ffffff80080f4f50  lk!schedule_idle+0x24 [./include/asm-generic/bitops/non-atomic.h @ 106]
ffffff800a323fb0  ffffff80080f5224  lk!do_idle+0x168 [kernel/sched/idle.c @ 292]
ffffff800a323fd0  ffffff8008097c38  lk!cpu_startup_entry+0x24 [kernel/sched/idle.c @ 370]
ffffff800a324000  0000000000000000  lk!secondary_start_kernel+0x150 [arch/arm64/kernel/smp.c @ 255]
```

cpu_switch_to (arch/arm64/kernel/entry.S), the routine at the top of these traces. It saves the callee-saved registers, sp and lr of the outgoing task into its cpu_context and loads the incoming task's; with CONFIG_SHADOW_CALL_STACK it also swaps the shadow call stack pointer in x18:

```asm
/*
 * x0 = previous task_struct (must be preserved across the switch)
 * x1 = next task_struct
 */
ENTRY(cpu_switch_to)
	mov	x10, #THREAD_CPU_CONTEXT
	add	x8, x0, x10
	mov	x9, sp
	stp	x19, x20, [x8], #16		// store callee-saved registers
	stp	x21, x22, [x8], #16
	stp	x23, x24, [x8], #16
	stp	x25, x26, [x8], #16
	stp	x27, x28, [x8], #16
	stp	x29, x9, [x8], #16
	str	lr, [x8]
	add	x8, x1, x10
	ldp	x19, x20, [x8], #16		// restore callee-saved registers
	ldp	x21, x22, [x8], #16
	ldp	x23, x24, [x8], #16
	ldp	x25, x26, [x8], #16
	ldp	x27, x28, [x8], #16
	ldp	x29, x9, [x8], #16
	ldr	lr, [x8]
	mov	sp, x9
	msr	sp_el0, x1
#ifdef CONFIG_SHADOW_CALL_STACK
	str	x18, [x0, #TSK_TI_SCS]
	ldr	x18, [x1, #TSK_TI_SCS]
	str	xzr, [x1, #TSK_TI_SCS]		// limit visibility of saved SCS
#endif
	ret
ENDPROC(cpu_switch_to)
```
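To print a Child-SP/RetAddr table for a thread that is not running, a debugger starts from the cpu_context that cpu_switch_to stored (x29 and lr, which the kernel's struct cpu_context calls fp and pc) and follows the AArch64 frame-pointer chain: at every frame pointer, [fp] holds the caller's fp and [fp+8] the return address. The C program below is an added example, not part of the deck or of the Nano Code debugger. It walks a constructed 4 KiB stack image whose return addresses are taken from the "voluntarily yielding the CPU" trace; the stack base, the frame-pointer values and the fact that the struct is read directly rather than at THREAD_CPU_CONTEXT inside a task_struct are assumptions made for the demo. Every read is bounds-checked and the walk stops when the chain does not ascend, so a corrupted frame record cannot make the debugger loop or read outside the page.

```c
/* Added example: frame-pointer unwind from a saved cpu_context.
 * Not from the slides or the kernel; the stack image is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What cpu_switch_to stores at THREAD_CPU_CONTEXT, in store order:
 * x19..x28, x29 (fp), the old sp (via x9) and lr, which the kernel's
 * struct cpu_context names pc.  Read here as a plain struct (assumption). */
struct cpu_context {
    uint64_t x19_28[10];
    uint64_t fp, sp, pc;
};

/* One 4 KiB page standing in for the thread's kernel stack; the base
 * address and everything stored in it are constructed for this demo. */
#define STACK_BASE 0xffffff800a313000ull
#define STACK_SIZE 0x1000u
static uint8_t stack_mem[STACK_SIZE];

/* Every access to "target memory" is bounds- and alignment-checked. */
static int read_u64(uint64_t addr, uint64_t *out) {
    if (addr < STACK_BASE || addr - STACK_BASE > STACK_SIZE - 8 || (addr & 7)) return -1;
    memcpy(out, stack_mem + (addr - STACK_BASE), 8);
    return 0;
}
static int write_u64(uint64_t addr, uint64_t v) {
    if (addr < STACK_BASE || addr - STACK_BASE > STACK_SIZE - 8 || (addr & 7)) return -1;
    memcpy(stack_mem + (addr - STACK_BASE), &v, 8);
    return 0;
}

/* Produce the RetAddr column for a switched-out thread.  Entry 0 is the
 * saved lr (where cpu_switch_to returns, inside __schedule); each further
 * entry comes from a frame record: [fp] = caller's fp, [fp + 8] = lr.
 * Stops on fp == 0, an unreadable word, a zero lr, or an fp that does not
 * move up the stack, so a corrupt chain cannot loop or read off the page. */
int unwind_frames(const struct cpu_context *ctx, uint64_t *ret, int max) {
    int n = 0;
    uint64_t fp = ctx->fp;
    if (max > 0) ret[n++] = ctx->pc;
    while (fp != 0 && n < max) {
        uint64_t caller_fp, lr;
        if (read_u64(fp, &caller_fp) || read_u64(fp + 8, &lr) || lr == 0) break;
        ret[n++] = lr;
        if (caller_fp <= fp) break;        /* frames must ascend */
        fp = caller_fp;
    }
    return n;
}

/* Lay out a kthread that called schedule(), after the "voluntarily
 * yielding the CPU" trace: the return addresses are the ones from that
 * trace, the frame-pointer values and sp are invented. */
void build_sample_stack(struct cpu_context *ctx) {
    static const uint64_t fps[4] = {
        0xffffff800a313de0ull,   /* __schedule's frame record        */
        0xffffff800a313e00ull,   /* schedule's                       */
        0xffffff800a313e60ull,   /* smpboot_thread_fn's              */
        0xffffff800a313ec0ull,   /* kthread's; its caller fp is 0    */
    };
    static const uint64_t rets[4] = {
        0xffffff80090a0c80ull,   /* into schedule+0x38               */
        0xffffff80080e5f00ull,   /* into smpboot_thread_fn+0x258     */
        0xffffff80080e147cull,   /* into kthread+0x12c               */
        0xffffff8008085db0ull,   /* into ret_from_fork+0x10          */
    };
    memset(stack_mem, 0, sizeof stack_mem);
    for (int i = 0; i < 4; i++) {
        write_u64(fps[i], i + 1 < 4 ? fps[i + 1] : 0);
        write_u64(fps[i] + 8, rets[i]);
    }
    memset(ctx, 0, sizeof *ctx);
    ctx->fp = fps[0];
    ctx->sp = 0xffffff800a313d30ull;
    ctx->pc = 0xffffff80090a060cull;   /* __schedule+0x2f4: where cpu_switch_to returns */
}

int main(void) {
    struct cpu_context ctx;
    uint64_t ret[16];
    build_sample_stack(&ctx);
    int n = unwind_frames(&ctx, ret, 16);
    printf("RetAddr\n");
    for (int i = 0; i < n; i++) printf("%016llx\n", (unsigned long long)ret[i]);
    return 0;
}
```

The output is the RetAddr column of the trace above; turning each address into "lk!schedule+0x38 [kernel/sched/core.c @ 4171]" is the symbol lookup the debugger does afterwards, which this example leaves out.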
Another switch, this one from kernel preemption (el1_preempt), with cpu_switch_to on top:

```text
Child-SP          RetAddr           Call Site
ffffff800f08bae0  ffffff80090a060c  lk!cpu_switch_to [arch/arm64/kernel/entry.S @ 1067]
ffffff800f08bb90  ffffff80090a10d8  lk!__schedule+0x2f4 [kernel/sched/core.c @ 3437]
ffffff800f08bbb0  ffffff8008082fa0  lk!preempt_schedule_irq+0x38 [./arch/arm64/include/asm/irqflags.h @ 62]
ffffff800f08bbb0  000000009200004f  lk!el1_preempt+0x8 [arch/arm64/kernel/entry.S @ 665]
```

Part 03: Semihosting

"Semihosting is a mechanism that enables code running on an ARM target to communicate and use the Input/Output facilities on a host computer that is running a debugger."

Semiconductor, semihosting: a word you will not even find in a dictionary. What does it actually mean?

"Total hosting" versus "semihosting". Liu Xiang of the Han dynasty: "At dawn I set out from Cangwu; at dusk I lodge at Shicheng." (平明发兮苍梧,夕投宿兮石城) Semihosting is half-lodging: "Boss, we only borrow your water and toilet; we sleep in our own tent."

The same conversation between an IoT application and a laptop. IoT app: "Hey, laptop, I only borrow your keyboard and display; everything else I bring myself." GDK3: "Fine, welcome to half-lodging at Everest base camp!"

Semihosting block diagram from ARM's official documentation (figure not reproduced here).

Condition: the target software must be linked against a special support library. The link flags used for the gdk3semi example (rdimon.specs pulls in the semihosting retargeting):

```text
-T C:\MRS_DATA\workspace\gdk3semi\LD\CH32F103C8T6.ld -nostartfiles -Xlinker --gc-sections -Wl,-Map,gdk3semi.map --specs=nano.specs --specs=rdimon.specs
```

The instruction the target uses to hand a request to the debugger depends on the architecture and instruction set state:

```text
SVC 0x123456   In ARM state for all architectures.
SVC 0xAB       In ARM state and Thumb state, excluding ARMv6-M and ARMv7-M.
               This behavior is not guaranteed on all debug targets from ARM or from third parties.
BKPT 0xAB      For ARMv6-M and ARMv7-M, Thumb state only.
```

"Debugger, heads up: I am jumping over to you." The request breaks into the debugger. One of the semihosting wrappers in gdk3semi.elf: r4 = 6 is the SYS_READ operation number, the three arguments are spilled to the stack as the parameter block, then r0 = operation, r1 = pointer to the block, and bkpt 0xab halts the core:

```text
08001b8c:
 8001b8c:  b530        push  {r4, r5, lr}
 8001b8e:  b085        sub   sp, #20
 8001b90:  2406        movs  r4, #6
 8001b92:  e9cd 0101   strd  r0, r1, [sp, #4]
 8001b96:  9203        str   r2, [sp, #12]
 8001b98:  ad01        add   r5, sp, #4
 8001b9a:  4620        mov   r0, r4
 8001b9c:  4629        mov   r1, r5
 8001b9e:  beab        bkpt  0x00ab
 8001ba0:  4604        mov   r4, r0
 8001ba2:  4620        mov   r0, r4
 8001ba4:  f7ff ffe2   bl    8001b6c
 8001ba8:  b005        add   sp, #20
 8001baa:  bd30        pop   {r4, r5, pc}
```

Produced with:

```text
arm-none-eabi-objdump.exe -d /c/nd/gdk3semi.elf > /c/nd/gdk3semi.dump2.txt
```

The code in OpenOCD that inspects a semihosting request after the halt (the target is 32-bit, so words in the parameter block are 4 bytes):

```c
/* Read op and param from register r0 and r1 respectively. */
semihosting->op = buf_get_u32(arm->core_cache->reg_list[0].value, 0, 32);
semihosting->param = buf_get_u32(arm->core_cache->reg_list[1].value, 0, 32);
semihosting->word_size_bytes = 4;
```

Debugger log for one request:

```text
entered debug state in core mode: Thread at PC 0x8001c42, cpu in Non-Secure state, target->state: halted
address: 0x08001c42, value: 0xbeab
op=0xc, param=0x2000089c
fstat(0)=0
```

The available semihosting operation numbers passed in R0 are allocated as follows:
- 0x00-0x31: Used by ARM.
- 0x32-0xFF: Reserved for future use by ARM.
- 0x100-0x1FF: Reserved for user applications. These are not used by ARM. However, if you are writing your own SVC operations, you are advised to use a different SVC number rather than using the semihosted SVC number and these operation type numbers.
- 0x200-0xFFFFFFFF: Undefined and currently unused. It is recommended that you do not use these.

Enabling semihosting in ndb:

```text
ndb> !arm semihosting enable
semihosting is enabled
```

Disabling and enabling in OpenOCD, per target:

```text
stm32f1x.cpu arm semihosting enable|disable
stm32f1x.cpu arm semihosting_cmdline arguments
stm32f1x.cpu arm semihosting_fileio enable|disable
stm32f1x.cpu arm semihosting_resexit enable|disable
```
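On the host side the debugger reads r0 (operation) and r1 (parameter-block pointer) exactly as the OpenOCD lines above do, then fetches the parameter block from target memory. Both values are chosen by the firmware image, so a careless host implementation lets the target drive it into host memory through bad pointers or, through the file and system operations, into the host's file system and shell. The C program below is an added example, not OpenOCD's or the slides' code: it models a 32-bit target's RAM, parses SYS_WRITE0, SYS_OPEN, SYS_WRITE, SYS_REMOVE, SYS_RENAME and SYS_SYSTEM requests with bounds checks, and applies a policy (no absolute or ".." paths, no host delete or rename unless explicitly enabled, never SYS_SYSTEM). The RAM base, the handle numbers and the request contents are constructed for the demo; the file operations stop at the policy check instead of touching the real file system.

```c
/* Added example: host-side semihosting dispatcher with a policy gate.
 * Not from OpenOCD or the slides; target RAM and registers are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Operation numbers from the ARM semihosting interface. */
enum { SYS_OPEN = 0x01, SYS_WRITE0 = 0x04, SYS_WRITE = 0x05,
       SYS_REMOVE = 0x0E, SYS_RENAME = 0x0F, SYS_SYSTEM = 0x12 };

/* Constructed target: 4 KiB of RAM at 0x20000000 (assumed) and the two
 * registers the debugger reads after the BKPT 0xAB halt. */
#define RAM_BASE 0x20000000u
#define RAM_SIZE 0x1000u
static uint8_t  ram[RAM_SIZE];
static uint32_t r0, r1;

static bool   allow_host_fileio = false;  /* like OpenOCD's semihosting_fileio switch */
static char   console[256];               /* captured debug terminal */
static size_t console_len;
static int    next_handle = 3;            /* 1 = ":tt" input, 2 = ":tt" output (assumed) */

/* Every target-supplied address is checked before the host touches it. */
static bool ram_ok(uint32_t addr, uint32_t len) {
    return addr >= RAM_BASE && len <= RAM_SIZE && addr - RAM_BASE <= RAM_SIZE - len;
}
static int target_read_u32(uint32_t addr, uint32_t *v) {
    if (!ram_ok(addr, 4)) return -1;
    memcpy(v, ram + (addr - RAM_BASE), 4);    /* little-endian host assumed */
    return 0;
}
static void target_write(uint32_t addr, const void *src, uint32_t len) {
    memcpy(ram + (addr - RAM_BASE), src, len);
}
/* Length-counted target string (SYS_OPEN/SYS_REMOVE style) into a bounded host buffer. */
static int fetch_string(uint32_t addr, uint32_t len, char *dst, size_t cap) {
    if (len >= cap || !ram_ok(addr, len)) return -1;
    memcpy(dst, ram + (addr - RAM_BASE), len);
    dst[len] = '\0';
    return 0;
}
/* Host paths the firmware may name: the console, or a relative path without "..". */
static bool path_allowed(const char *name) {
    if (strcmp(name, ":tt") == 0) return true;
    if (name[0] == '/' || name[0] == '\\' || strchr(name, ':')) return false;
    return strstr(name, "..") == NULL;
}
static void console_append(const uint8_t *p, uint32_t len) {
    for (uint32_t i = 0; i < len && console_len + 1 < sizeof console; i++)
        console[console_len++] = (char)p[i];
    console[console_len] = '\0';
}

/* Dispatch one request; the return value goes back to the target in r0. */
int32_t semihosting_dispatch(uint32_t op, uint32_t param) {
    uint32_t w[4];
    char name[64];
    switch (op) {
    case SYS_WRITE0: {                        /* r1 -> NUL-terminated string */
        uint32_t a = param;
        if (!ram_ok(a, 1)) return -1;
        while (ram_ok(a, 1) && ram[a - RAM_BASE]) a++;
        console_append(ram + (param - RAM_BASE), a - param);
        return 0;
    }
    case SYS_OPEN:                            /* {name ptr, mode, name length} */
        for (int i = 0; i < 3; i++)
            if (target_read_u32(param + 4 * i, &w[i])) return -1;
        if (w[1] > 11 || fetch_string(w[0], w[2], name, sizeof name) || !path_allowed(name))
            return -1;
        if (strcmp(name, ":tt") == 0) return w[1] < 4 ? 1 : 2;   /* modes 0..3 are "r" variants */
        return next_handle++;                 /* a real debugger would fopen(name) here */
    case SYS_WRITE:                           /* {handle, data ptr, length}; returns bytes NOT written */
        for (int i = 0; i < 3; i++)
            if (target_read_u32(param + 4 * i, &w[i])) return -1;
        if (w[0] != 2 || !ram_ok(w[1], w[2])) return (int32_t)w[2];   /* only the console is backed */
        console_append(ram + (w[1] - RAM_BASE), w[2]);
        return 0;
    case SYS_REMOVE:                          /* {name ptr, length}: acts on the HOST file system */
        if (!allow_host_fileio) return -1;
        if (target_read_u32(param, &w[0]) || target_read_u32(param + 4, &w[1])) return -1;
        if (fetch_string(w[0], w[1], name, sizeof name) || !path_allowed(name)) return -1;
        return 0;                             /* a real debugger would remove(name) here */
    case SYS_RENAME:                          /* {old ptr, old len, new ptr, new len} */
        if (!allow_host_fileio) return -1;
        for (int i = 0; i < 4; i++)
            if (target_read_u32(param + 4 * i, &w[i])) return -1;
        for (int i = 0; i < 4; i += 2)
            if (fetch_string(w[i], w[i + 1], name, sizeof name) || !path_allowed(name)) return -1;
        return 0;                             /* a real debugger would rename() here */
    case SYS_SYSTEM:                          /* {command ptr, length}: a host shell command */
        return -1;                            /* refused for a firmware image, whatever the policy */
    default:
        return -1;
    }
}

/* What the debugger does at the halt: read r0/r1 and serve the request. */
int32_t semihosting_request(void) { return semihosting_dispatch(r0, r1); }

/* Stand-ins for the target's C library: place a string and a parameter
 * block in RAM the way the wrappers do before hitting BKPT 0xAB. */
uint32_t put_string(uint32_t at, const char *s) {
    target_write(at, s, (uint32_t)strlen(s) + 1);
    return (uint32_t)strlen(s);
}
void put_block(uint32_t at, const uint32_t *w, int n) {
    for (int i = 0; i < n; i++) target_write(at + 4 * (uint32_t)i, &w[i], 4);
}

int main(void) {
    put_string(0x20000100u, "hello from the target\n");
    r0 = SYS_WRITE0; r1 = 0x20000100u;
    semihosting_request();
    uint32_t blk[3] = { 0x20000200u, 4, put_string(0x20000200u, "/etc/passwd") };
    put_block(0x20000300u, blk, 3);
    printf("SYS_OPEN(\"/etc/passwd\") -> %d\nconsole: %s",
           (int)semihosting_dispatch(SYS_OPEN, 0x20000300u), console);
    return 0;
}
```

The point of the policy table is that the op number alone is not a trust boundary: SYS_OPEN with an absolute path, or SYS_REMOVE/SYS_RENAME/SYS_SYSTEM at all, turn the debug probe into a channel from the firmware into the host, which is why those operations stay disabled unless the image is one you wrote.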
Besides redirecting input and output such as printf and scanf to the host, semihosting also supports redirecting file operations. More functions:

```text
/* File operations */
SYS_OPEN        EQU 0x01   // Open a file or stream on the host system.
SYS_ISTTY       EQU 0x09   // Check whether a file handle is associated with a file or a stream/terminal such as stdout.
SYS_WRITE       EQU 0x05   // Write to a file or stream.
SYS_READ        EQU 0x06   // Read from a file at the current cursor position.
SYS_CLOSE       EQU 0x02   // Closes a file on the host which has been opened by SYS_OPEN.
SYS_FLEN        EQU 0x0C   // Get the length of a file.
SYS_SEEK        EQU 0x0A   // Set the file cursor to a given position in a file.
SYS_TMPNAM      EQU 0x0D   // Get a temporary absolute file path to create a temporary file.
SYS_REMOVE      EQU 0x0E   // Remove a file on the host system. Possibly insecure!
SYS_RENAME      EQU 0x0F   // Rename a file on the host system. Possibly insecure!
/* Terminal I/O operations */
SYS_WRITEC      EQU 0x03   // Write one character to the debug terminal.
SYS_WRITE0      EQU 0x04   // Write a 0-terminated string to the debug terminal.
SYS_READC       EQU 0x07   // Read one character from the debug terminal.
/* Time operations */
SYS_CLOCK       EQU 0x10
SYS_ELAPSED     EQU 0x30
SYS_TICKFREQ    EQU 0x31
SYS_TIME        EQU 0x11
/* System/Misc. operations */
SYS_ERRNO       EQU 0x13   // Returns the value of the C library errno variable that is associated with the semihosting implementation.
SYS_GET_CMDLINE EQU 0x15   // Get commandline parameters for the application to run with (argc and argv for main()).
SYS_HEAPINFO    EQU 0x16
SYS_ISERROR     EQU 0x08
SYS_SYSTEM      EQU 0x12
```

The "Possibly insecure!" marks are worth taking literally: SYS_REMOVE and SYS_RENAME act on the host's file system with a path chosen by the target, and SYS_SYSTEM passes a target-supplied command string to the host's command interpreter, so semihosting should stay disabled on any target whose firmware is not trusted.

Reference: DUI0471I_developing_for_arm_processors.pdf

Meta Programmer Model: as opposed to DPM, infinitely extensible.

THANKS
30、le that is associated with the semihosting implementation.SYS_GET_CMDLINE EQU 0 x15/Get commandline parameters for the application to run with(argc and argv for main()SYS_HEAPINFO EQU 0 x16SYS_ISERROR EQU 0 x08SYS_SYSTEM EQU 0 x12DUI0471I_developing_for_arm_processors.pdfMeta Programmer Model与DPM相对,无限可扩展THANKS