diy arm debugger for wi-fi chips using nexmon to … · diy arm debugger for wi-fi chips using...
TRANSCRIPT
DIY ARM Debugger for Wi-Fi ChipsUsing Nexmon to Perform Single-Step Debugging and More on Proprietary Wi-Fi Chips
Matthias Schulz
Powered by:
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 1
Debugger
ARM Cortex-R4
Broadcom FullMACWi-Fi Chips
HardwareBreakpoints
ExceptionHandling
OperationModes
Assembly
MemoryWatchpoints
Nexus 5
Firmware PatchingFramework
C-based
Monitor Mode
Frame Injection
Open Source
Lot’s ofProjects
Wi-Fi Chips in Smartphones
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 2
Nexus 5
Wi-Fi Chips in Smartphones
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 3
Apps
Nexus 5
Wi-Fi Chips in Smartphones
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 4
Linux Kernel
Apps
Nexus 5
Wi-Fi Chips in Smartphones
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 5
Linux Kernel
Apps
Wi-Fi Chip
Nexus 5
Wi-Fi Chips in Smartphones
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 6
Linux Kernel
Apps
Physical Layer
Wi-Fi Chip
Nexus 5
Wi-Fi Chips in Smartphones
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 7
Linux Kernel
Apps
Low Level Hardware Control
Physical Layer
Wi-Fi Chip
Nexus 5
Wi-Fi Chips in Smartphones
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 8
Linux Kernel
Apps
Low Level Hardware Control
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
Ethernet-to-Wi-Fi Bridge
Wi-Fi Chips in Smartphones
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 9
Linux Kernel
Apps
Low Level Hardware Control
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
Ethernet-to-Wi-Fi Bridge
Wi-Fi Chips in Smartphones
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 10
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
Ethernet-to-Wi-Fi Bridge
Wi-Fi Chips in Smartphones
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 11
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Generate TCP/UDP traffic
Physical Layer
Wi-Fi Chip
Nexus 5
Ethernet-to-Wi-Fi Bridge
Wi-Fi Chips in Smartphones
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 12
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Generate TCP/UDP traffic
Physical Layer
Wi-Fi Chip
Nexus 5
Ethernet-to-Wi-Fi Bridge
Wi-Fi Chips in Smartphones
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 13
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Generate TCP/UDP traffic
Packs data in Ethernet frames
Physical Layer
Wi-Fi Chip
Nexus 5
Ethernet-to-Wi-Fi Bridge
Wi-Fi Chips in Smartphones
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 14
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Generate TCP/UDP traffic
Packs data in Ethernet frames
Physical Layer
Wi-Fi Chip
Nexus 5
Ethernet-to-Wi-Fi Bridge
Wi-Fi Chips in Smartphones
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 15
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Generate TCP/UDP traffic
Packs data in Ethernet frames
FullMAC firmware handles Wi-Fi connectionand replaces Ethernet headers by Wi-Fi headers
Physical Layer
Wi-Fi Chip
Nexus 5
Ethernet-to-Wi-Fi Bridge
Wi-Fi Chips in Smartphones
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 16
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Generate TCP/UDP traffic
Packs data in Ethernet frames
FullMAC firmware handles Wi-Fi connectionand replaces Ethernet headers by Wi-Fi headers
Physical Layer
Wi-Fi Chip
Nexus 5
Ethernet-to-Wi-Fi Bridge
Wi-Fi Chips in Smartphones
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 17
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Generate TCP/UDP traffic
Packs data in Ethernet frames
FullMAC firmware handles Wi-Fi connectionand replaces Ethernet headers by Wi-Fi headers
Physical Layer
Wi-Fi Chip
Nexus 5
Ethernet-to-Wi-Fi Bridge
Wi-Fi Chips in Smartphones
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 18
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Generate TCP/UDP traffic
Packs data in Ethernet frames
FullMAC firmware handles Wi-Fi connectionand replaces Ethernet headers by Wi-Fi headers
Physical Layer
Wi-Fi Chip
Nexus 5
Ethernet-to-Wi-Fi Bridge
Wi-Fi Firmware Handling
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 19
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
Ethernet-to-Wi-Fi Bridge
Wi-Fi Firmware Handling
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 20
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
Ethernet-to-Wi-Fi Bridge
Wi-Fi Firmware Handling
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 21
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM
Ethernet-to-Wi-Fi Bridge
Wi-Fi Firmware Handling
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 22
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
Ethernet-to-Wi-Fi Bridge
Wi-Fi Firmware Handling
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 23
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
Ethernet-to-Wi-Fi Bridge
Wi-Fi Firmware Handling
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 24
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
Ethernet-to-Wi-Fi Bridge
Firmware Analysis and Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 25
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
Ethernet-to-Wi-Fi Bridge
Firmware Analysis and Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 26
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
Ethernet-to-Wi-Fi Bridge
Firmware Analysis and Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 27
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
Loading forAnalysis
Ethernet-to-Wi-Fi Bridge
Firmware Analysis and Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 28
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
Loading forAnalysis
Creating Firmware Patches
Ethernet-to-Wi-Fi Bridge
Firmware Analysis and Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 29
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
Loading forAnalysis
Creating Firmware Patches
PatchingFirmware
Ethernet-to-Wi-Fi Bridge
Firmware Analysis and Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 30
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
Loading forAnalysis
Creating Firmware Patches
PatchingFirmware
bcmonmonmob
Related Work
Ethernet-to-Wi-Fi Bridge
Firmware Analysis and Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 31
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
Loading forAnalysis
Creating Firmware Patches
PatchingFirmware
Ethernet-to-Wi-Fi Bridge
Static vs. Dynamic Code Analysis
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 32
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
Loading forAnalysis
Creating Firmware Patches
PatchingFirmware
Static Analysis
Ethernet-to-Wi-Fi Bridge
Static vs. Dynamic Code Analysis
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 33
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
Loading forAnalysis
Creating Firmware Patches
PatchingFirmware
Static Analysis
What about dynamic analysis?
Ethernet-to-Wi-Fi Bridge
Static vs. Dynamic Code Analysis
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 34
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
Loading forAnalysis
Creating Firmware Patches
PatchingFirmware
Static Analysis
What about dynamic analysis?
ARM Cortex-R4
Ethernet-to-Wi-Fi Bridge
Static vs. Dynamic Code Analysis
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 35
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
Loading forAnalysis
Creating Firmware Patches
PatchingFirmware
Static Analysis
What about dynamic analysis?
ARM Cortex-R4
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Ethernet-to-Wi-Fi Bridge
Static vs. Dynamic Code Analysis
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 36
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
Loading forAnalysis
Creating Firmware Patches
PatchingFirmware
Static Analysis
What about dynamic analysis?
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Ethernet-to-Wi-Fi Bridge
Static vs. Dynamic Code Analysis
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 37
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
Loading forAnalysis
Creating Firmware Patches
PatchingFirmware
Static Analysis
What about dynamic analysis?
ARM Cortex-R4
Debug CoreJTAG
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Ethernet-to-Wi-Fi Bridge
Static vs. Dynamic Code Analysis
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 38
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
Loading forAnalysis
Creating Firmware Patches
PatchingFirmware
Static Analysis
What about dynamic analysis?
ARM Cortex-R4
Debug CoreJTAG
JTAG Debugger
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Ethernet-to-Wi-Fi Bridge
Static vs. Dynamic Code Analysis
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 39
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
Loading forAnalysis
Creating Firmware Patches
PatchingFirmware
Static Analysis
What about dynamic analysis?
ARM Cortex-R4
Debug CoreJTAG
JTAG Debugger
Pins notaccessible
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Ethernet-to-Wi-Fi Bridge
Static vs. Dynamic Code Analysis
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 40
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
Loading forAnalysis
Creating Firmware Patches
PatchingFirmware
Static Analysis
What about dynamic analysis?
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Static vs. Dynamic Code Analysis
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 41
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
Wi-Fi Chip
Nexus 5
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Halting vs. Monitor Debug-Mode
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 42
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Halting vs. Monitor Debug-Mode
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 43
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
R0 = UNDEFR1 = UNDEF...PC = 0x50
Example Program Registers
Halting vs. Monitor Debug-Mode
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 44
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
R0 = 10R1 = UNDEF...PC = 0x52
Example Program Registers
Halting vs. Monitor Debug-Mode
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 45
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
R0 = 10R1 = 3...PC = 0x54
Example Program Registers
Halting vs. Monitor Debug-Mode
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 46
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
R0 = 13R1 = 3...PC = 0x56
Example Program Registers
Halting vs. Monitor Debug-Mode
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 47
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
R0 = 13R1 = 3...PC = 0x50
Example Program Registers
Halting vs. Monitor Debug-Mode
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 48
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
R0 = 13R1 = 3...PC = 0x50
Example Program Registers
Halting vs. Monitor Debug-Mode
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 49
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
R0 = 10R1 = 3...PC = 0x52
Example Program Registers
Halting vs. Monitor Debug-Mode
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 50
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
R0 = 10R1 = 3...PC = 0x52
Example Program Registers
HaltingDebug-Mode
Control handedto external debugger
Halting vs. Monitor Debug-Mode
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 51
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
R0 = 10R1 = 3...PC = 0x52
Example Program Registers
HaltingDebug-Mode
MonitorDebug-Mode
Control handedto external debugger
Abort Exception Execution continues
in exception handler
Halting vs. Monitor Debug-Mode
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 52
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
R0 = 10R1 = 3...PC = 0x52
Example Program Registers
HaltingDebug-Mode
MonitorDebug-Mode
Control handedto external debugger
Abort Exception Execution continues
in exception handler
Halting vs. Monitor Debug-Mode
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 53
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
R0 = 10R1 = 3...PC = 0x52
Example Program Registers
HaltingDebug-Mode
MonitorDebug-Mode
Control handedto external debugger
Abort Exception Execution continues
in exception handler
What happens when an abort
exception occurs?
Abort Exception Handling
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 54
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
R0 = 10R1 = 3...PC = 0x52
Example Program Registers
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
Abort Exception Handling
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 55
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
R0 = 10R1 = 3...PC = 0x52
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Operating Modes
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 56
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
R0 = 10R1 = 3...PC = 0x0C
Operating Modes
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 57
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
R0 = 10R1 = 3...PC = 0x0C
OperatingModes
Operating Modes
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 58
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
R0 = 10R1 = 3...PC = 0x0C
OperatingModes
Regular Firmware Execution
Operating Modes
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 59
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
R0 = 10R1 = 3...PC = 0x0C
OperatingModes
Regular Firmware Execution
For Handling Abort Exceptions
Operating Modes
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 60
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
R0 = 10R1 = 3...PC = 0x0C
OperatingModes
Regular Firmware Execution
For Handling Abort Exceptions
Abort ModeSystem Mode
Operating Modes
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 61
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
R0 = 10R1 = 3...PC = 0x0C
Abort ModeSystem Mode
Banked Registers
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 62
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
R0 = 10R1 = 3...PC = 0x0C
Banked Registers
Stack Pointer (SP)
Link Register (LR)
Saved Program Status Register
Abort ModeSystem Mode
Banked Registers
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 63
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
R0 = 10R1 = 3...PC = 0x0C
Banked Registers
Stack Pointer (SP)
Link Register (LR)
Saved Program Status Register
Abort ModeSystem Mode
Banked Registers
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 64
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
R0 = 10R1 = 3...PC = 0x0C
Banked Registers
Stack Pointer (SP)
Link Register (LR)
Saved Program Status Register
Abort ModeSystem Mode
Banked Registers
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 65
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
R0 = 10R1 = 3...PC = 0x0C
Abort ModeSystem Mode
Banked Registers
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 66
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
R0 = 10R1 = 3...PC = 0x0C
Abort ModeSystem Mode
SP>R13_abtLR>R14_abt
Banked Registers
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 67
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
R0 = 10R1 = 3...PC = 0x0C
Abort ModeSystem Mode
SP>R13_abtLR>R14_abt
We can call functionswithin our Abort Handler without overwriting theregluar Stack Pointer andLink Register!
Banked Registers
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 68
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50...0x80: MOV SP, LR...0x86: SRSDB SP!, #0x1F0x8C: CPS #0x1F...0x90: B handle_exceptions
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
pref_abt_hdl
R0 = 10R1 = 3...PC = 0x0C
Abort ModeSystem Mode
SP>R13_abtLR>R14_abt
We can call functionswithin our Abort Handler without overwriting theregluar Stack Pointer andLink Register!
Banked Registers
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 69
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50...0x80: MOV SP, LR...0x86: SRSDB SP!, #0x1F0x8C: CPS #0x1F...0x90: B handle_exceptions
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
pref_abt_hdl
R0 = 10R1 = 3...PC = 0x80
Abort ModeSystem Mode
SP>R13_abtLR>R14_abt
We can call functionswithin our Abort Handler without overwriting theregluar Stack Pointer andLink Register!
Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 70
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50...0x80: MOV SP, LR...0x86: SRSDB SP!, #0x1F0x8C: CPS #0x1F...0x90: B handle_exceptions
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
pref_abt_hdl
R0 = 10R1 = 3...PC = 0x86
Abort ModeSystem Mode
SP>R13_abtLR>R14_abt
We can call functionswithin our Abort Handler without overwriting theregluar Stack Pointer andLink Register!
SRSDB Instruction
SRSDB SP!, #0x1F
SRS Store Return State (LR, SPSR)onto a Stack
DB Decrement address beforeeach transfer
! Write final address back to SPof mode 0x1F (system mode)
Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 71
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50...0x80: MOV SP, LR...0x86: SRSDB SP!, #0x1F0x8C: CPS #0x1F...0x90: B handle_exceptions
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
pref_abt_hdl
R0 = 10R1 = 3...PC = 0x8C
Abort ModeSystem Mode
SP>R13_abtLR>R14_abt
We can call functionswithin our Abort Handler without overwriting theregluar Stack Pointer andLink Register!
Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 72
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50...0x80: MOV SP, LR...0x86: SRSDB SP!, #0x1F0x8C: CPS #0x1F...0x90: B handle_exceptions
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
pref_abt_hdl
R0 = 10R1 = 3...PC = 0x8C
Abort ModeSystem Mode
SP>R13_abtLR>R14_abt
We can call functionswithin our Abort Handler without overwriting theregluar Stack Pointer andLink Register!
CPS Instruction
CPS #0x1F
CPS Change Processor State#0x1F target mode = 0x1F
(system mode)
Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 73
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50...0x80: MOV SP, LR...0x86: SRSDB SP!, #0x1F0x8C: CPS #0x1F...0x90: B handle_exceptions
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
pref_abt_hdl
R0 = 10R1 = 3...PC = 0x90
Abort ModeSystem Mode
SP>R13LR>R14
Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 74
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50...0x80: MOV SP, LR...0x86: SRSDB SP!, #0x1F0x8C: CPS #0x1F...0x90: B handle_exceptions
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
pref_abt_hdl
R0 = 10R1 = 3...PC = 0x90
Abort ModeSystem Mode
SP>R13LR>R14
Original Wi-Fi firmwarealways changes to System mode
handle_exceptionshandles all exceptions
Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 75
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50...0x80: MOV SP, LR...0x86: SRSDB SP!, #0x1F0x8C: CPS #0x1F...0x90: B handle_exceptions
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
pref_abt_hdl
R0 = 10R1 = 3...PC = 0x90
Abort ModeSystem Mode
SP>R13LR>R14
Original Wi-Fi firmwarealways changes to System mode
handle_exceptionshandles all exceptions
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 76
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50...0x80: MOV SP, LR...0x86: SRSDB SP!, #0x1F0x8C: CPS #0x1F...0x90: B handle_exceptions
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
pref_abt_hdl
R0 = 10R1 = 3...PC = 0x90
Abort ModeSystem Mode
SP>R13LR>R14
Original Wi-Fi firmwarealways changes to System mode
handle_exceptionshandles all exceptions
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 77
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50...0x80: MOV SP, LR...0x86: SRSDB SP!, #0x1F0x8C: CPS #0x1F...0x90: B handle_exceptions
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
pref_abt_hdl
R0 = 10R1 = 3...PC = 0x90
Abort ModeSystem Mode
Original Wi-Fi firmwarealways changes to System mode
handle_exceptionshandles all exceptions
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓SP>R13_abtLR>R14_abt
Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 78
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50...0x80: MOV SP, LR...0x86: SRSDB SP!, #0x1F0x8C: CPS #0x1F...0x90: B handle_exceptions
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
pref_abt_hdl
R0 = 10R1 = 3...PC = 0x90
Abort ModeSystem Mode
Original Wi-Fi firmwarealways changes to System mode
handle_exceptionshandles all exceptions
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓SP>R13_abtLR>R14_abt
✓
#0x17
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Registers
R0 = 10R1 = 3...PC = 0x90SP>R13LR>R14SP>R13_abtLR>R14_abt
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Abort ModeSystem Mode
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 79
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Registers
R0 = 10R1 = 3...PC = 0x90SP>R13LR>R14SP>R13_abtLR>R14_abt
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Abort ModeSystem Mode
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 80
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Registers
R0 = UNDEFR1 = UNDEF...PC = 0x00SP>R13LR>R14SP>R13_svcLR>R14_svc
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 81
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Registers
R0 = UNDEFR1 = UNDEF...PC = 0x00SP>R13LR>R14SP>R13_svcLR>R14_svc
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 82
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
0x30: Check exception vectors0x32: Change to System Mode0x34: B setup
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Registers
R0 = UNDEFR1 = UNDEF...PC = 0x30SP>R13LR>R14SP>R13_svcLR>R14_svc
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 83
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
0x30: Check exception vectors0x32: Change to System Mode0x34: B setup
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Registers
R0 = ...R1 = ......PC = 0x32SP>R13LR>R14SP>R13_svcLR>R14_svc
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 84
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
0x30: Check exception vectors0x32: Change to System Mode0x34: B setup
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Registers
R0 = ...R1 = ......PC = 0x32SP>R13LR>R14SP>R13LR>R14
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 85
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
0x30: Check exception vectors0x32: Change to System Mode0x34: B setup
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Registers
R0 = ...R1 = ......PC = 0x32SP>R13LR>R14SP>R13LR>R14
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 86
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
0x30: Check exception vectors0x32: Change to System Mode0x34: B setup...0x40: Initialize processor0x42: B c_main
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Registers
R0 = ...R1 = ......PC = 0x40SP>R13LR>R14SP>R13LR>R14
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 87
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
0x30: Check exception vectors0x32: Change to System Mode0x34: B setup...0x40: Initialize processor0x42: B c_main
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Registers
R0 = ...R1 = ......PC = 0x42SP>R13LR>R14SP>R13LR>R14
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 88
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
0x30: Check exception vectors0x32: Change to System Mode0x34: B setup...0x40: Initialize processor0x42: B c_main
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Registers
R0 = ...R1 = ......PC = 0x42SP>R13LR>R14SP>R13LR>R14
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 89
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
0x30: Check exception vectors0x32: Change to System Mode0x34: B setup...0x40: Initialize processor0x42: B c_main
...0x60: Initialize the „driver“0x62: Activate interrupts0x64: Wait for interrupts
c_main
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Registers
R0 = ...R1 = ......PC = 0x42SP>R13LR>R14SP>R13LR>R14
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 90
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
0x30: Check exception vectors0x32: Change to System Mode0x34: B setup...0x40: Initialize processor0x42: B c_main c_main_hook
...0x60: Initialize the „driver“0x62: Activate interrupts0x64: Wait for interrupts
c_main
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Registers
R0 = ...R1 = ......PC = 0x42SP>R13LR>R14SP>R13LR>R14
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 91
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
0x30: Check exception vectors0x32: Change to System Mode0x34: B setup...0x40: Initialize processor0x42: B c_main c_main_hook
...0x60: Initialize the „driver“0x62: Activate interrupts0x64: Wait for interrupts
c_main
c_main_hook:0x60: PUSH {R0-R3,LR}0x62: BL set_abort_SP0x64: POP {R0-R3,LR}0x66: B c_main
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Registers
R0 = ...R1 = ......PC = 0x42SP>R13LR>R14SP>R13LR>R14
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 92
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
0x30: Check exception vectors0x32: Change to System Mode0x34: B setup...0x40: Initialize processor0x42: B c_main c_main_hook
...0x60: Initialize the „driver“0x62: Activate interrupts0x64: Wait for interrupts
c_main
c_main_hook:0x60: PUSH {R0-R3,LR}0x62: BL set_abort_SP0x64: POP {R0-R3,LR}0x66: B c_main
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Registers
R0 = ...R1 = ......PC = 0x42SP>R13LR>R14SP>R13LR>R14
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 93
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
0x30: Check exception vectors0x32: Change to System Mode0x34: B setup...0x40: Initialize processor0x42: B c_main c_main_hook
...0x60: Initialize the „driver“0x62: Activate interrupts0x64: Wait for interrupts
c_main
c_main_hook:0x60: PUSH {R0-R3,LR}0x62: BL set_abort_SP0x64: POP {R0-R3,LR}0x66: B c_main
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 94
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
...0x40: Initialize processor0x42: B c_main c_main_hook
...0x60: Initialize the „driver“0x62: Activate interrupts0x64: Wait for interrupts
c_main
c_main_hook:0x60: PUSH {R0-R3,LR}0x62: BL set_abort_SP0x64: POP {R0-R3,LR}0x66: B c_main
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 95
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
...0x40: Initialize processor0x42: B c_main c_main_hook
...0x60: Initialize the „driver“0x62: Activate interrupts0x64: Wait for interrupts
c_main
c_main_hook:0x60: PUSH {R0-R3,LR}0x62: BL set_abort_SP0x64: POP {R0-R3,LR}0x66: B c_main
uint32 stack_abt[256] = { 0x54424153 };
void __attribute__((optimize("O0")))set_abort_SP(void) {
register uint32 sp_abt asm("r0") = (uint32) &stack_abt[255];
dbg_change_processor_mode(DBG_PROCESSOR_MODE_ABT);asm("mov sp, %[value]" : : [value] "r" (sp_abt));dbg_change_processor_mode(DBG_PROCESSOR_MODE_SYS);
}
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 96
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
...0x40: Initialize processor0x42: B c_main c_main_hook
...0x60: Initialize the „driver“0x62: Activate interrupts0x64: Wait for interrupts
c_main
c_main_hook:0x60: PUSH {R0-R3,LR}0x62: BL set_abort_SP0x64: POP {R0-R3,LR}0x66: B c_main
uint32 stack_abt[256] = { 0x54424153 };
void __attribute__((optimize("O0")))set_abort_SP(void) {
register uint32 sp_abt asm("r0") = (uint32) &stack_abt[255];
dbg_change_processor_mode(DBG_PROCESSOR_MODE_ABT);asm("mov sp, %[value]" : : [value] "r" (sp_abt));dbg_change_processor_mode(DBG_PROCESSOR_MODE_SYS);
}
Change to Abort Mode
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 97
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
...0x40: Initialize processor0x42: B c_main c_main_hook
...0x60: Initialize the „driver“0x62: Activate interrupts0x64: Wait for interrupts
c_main
c_main_hook:0x60: PUSH {R0-R3,LR}0x62: BL set_abort_SP0x64: POP {R0-R3,LR}0x66: B c_main
uint32 stack_abt[256] = { 0x54424153 };
void __attribute__((optimize("O0")))set_abort_SP(void) {
register uint32 sp_abt asm("r0") = (uint32) &stack_abt[255];
dbg_change_processor_mode(DBG_PROCESSOR_MODE_ABT);asm("mov sp, %[value]" : : [value] "r" (sp_abt));dbg_change_processor_mode(DBG_PROCESSOR_MODE_SYS);
}
Change to Abort ModeSet Stack Pointer to end of stack_abt array
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 98
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
...0x40: Initialize processor0x42: B c_main c_main_hook
...0x60: Initialize the „driver“0x62: Activate interrupts0x64: Wait for interrupts
c_main
c_main_hook:0x60: PUSH {R0-R3,LR}0x62: BL set_abort_SP0x64: POP {R0-R3,LR}0x66: B c_main
uint32 stack_abt[256] = { 0x54424153 };
void __attribute__((optimize("O0")))set_abort_SP(void) {
register uint32 sp_abt asm("r0") = (uint32) &stack_abt[255];
dbg_change_processor_mode(DBG_PROCESSOR_MODE_ABT);asm("mov sp, %[value]" : : [value] "r" (sp_abt));dbg_change_processor_mode(DBG_PROCESSOR_MODE_SYS);
}
Change to Abort ModeSet Stack Pointer to end of stack_abt array
Change to System Mode
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 99
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
...0x40: Initialize processor0x42: B c_main c_main_hook
...0x60: Initialize the „driver“0x62: Activate interrupts0x64: Wait for interrupts
c_main
c_main_hook:0x60: PUSH {R0-R3,LR}0x62: BL set_abort_SP0x64: POP {R0-R3,LR}0x66: B c_main
uint32 stack_abt[256] = { 0x54424153 };
void __attribute__((optimize("O0")))set_abort_SP(void) {
register uint32 sp_abt asm("r0") = (uint32) &stack_abt[255];
dbg_change_processor_mode(DBG_PROCESSOR_MODE_ABT);asm("mov sp, %[value]" : : [value] "r" (sp_abt));dbg_change_processor_mode(DBG_PROCESSOR_MODE_SYS);
}✓
Change to Abort ModeSet Stack Pointer to end of stack_abt array
Change to System Mode
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 100
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
...0x40: Initialize processor0x42: B c_main c_main_hook
...0x60: Initialize the „driver“0x62: Activate interrupts0x64: Wait for interrupts
c_main
c_main_hook:0x60: PUSH {R0-R3,LR}0x62: BL set_abort_SP0x64: POP {R0-R3,LR}0x66: B c_main
uint32 stack_abt[256] = { 0x54424153 };
void __attribute__((optimize("O0")))set_abort_SP(void) {
register uint32 sp_abt asm("r0") = (uint32) &stack_abt[255];
dbg_change_processor_mode(DBG_PROCESSOR_MODE_ABT);asm("mov sp, %[value]" : : [value] "r" (sp_abt));dbg_change_processor_mode(DBG_PROCESSOR_MODE_SYS);
}✓
Change to Abort ModeSet Stack Pointer to end of stack_abt array
Change to System Mode
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
Initialize Abort Stack Pointer
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 101
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
Supervisor ModeAbort ModeSystem Mode
✓
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50...0x80: MOV SP, LR...0x86: SRSDB SP!, #0x1F0x8C: CPS #0x1F...0x90: B handle_exceptions
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
pref_abt_hdl
R0 = 10R1 = 3...PC = 0x90SP>R13LR>R14
Original Wi-Fi firmwarealways changes to System mode
handle_exceptionshandles all exceptions
SP>R13_abtLR>R14_abt
#0x17
Analyzing Handle Exceptions Function
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 102
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Example Program Registers
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...0x50: MOV R0, #100x52: MOV R1, #30x54: ADD R0, R0, R10x56: B 0x50...0x80: MOV SP, LR...0x86: SRSDB SP!, #0x1F0x8C: CPS #0x1F...0x90: B handle_exceptions
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
pref_abt_hdl
R0 = 10R1 = 3...PC = 0x90SP>R13LR>R14
Original Wi-Fi firmwarealways changes to System mode
handle_exceptionshandles all exceptions
SP>R13_abtLR>R14_abt
#0x17
Analyzing Handle Exceptions Function
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 103
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Our Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 104
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
...0x80: MOV SP, LR...0x86: SRSDB SP!, #0x1F0x8C: CPS #0x1F...0x90: B handle_exceptions
pref_abt_hdl#0x17
Our Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 105
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Our Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 106
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
0x80: SUB LR, LR, #40x82: SRSDB SP!, #0x170x84: PUSH {R0}0x86: PUSH {LR}0x88: SUB SP, SP, #240x8A: PUSH {R0-R7}0x8C: MOV R0, #30x8E: B handle_exceptions
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Our Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 107
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
0x80: SUB LR, LR, #40x82: SRSDB SP!, #0x170x84: PUSH {R0}0x86: PUSH {LR}0x88: SUB SP, SP, #240x8A: PUSH {R0-R7}0x8C: MOV R0, #30x8E: B handle_exceptions
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Our Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 108
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
0x80: SUB LR, LR, #40x82: SRSDB SP!, #0x170x84: PUSH {R0}0x86: PUSH {LR}0x88: SUB SP, SP, #240x8A: PUSH {R0-R7}0x8C: MOV R0, #30x8E: B handle_exceptions
LR = Breakpoint‘s PC Address + 4LR (new) := Breakpoint‘s PC Address
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Our Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 109
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
0x80: SUB LR, LR, #40x82: SRSDB SP!, #0x170x84: PUSH {R0}0x86: PUSH {LR}0x88: SUB SP, SP, #240x8A: PUSH {R0-R7}0x8C: MOV R0, #30x8E: B handle_exceptions
LR = Breakpoint‘s PC Address + 4LR (new) := Breakpoint‘s PC Address
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Our Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 110
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
0x80: SUB LR, LR, #40x82: SRSDB SP!, #0x170x84: PUSH {R0}0x86: PUSH {LR}0x88: SUB SP, SP, #240x8A: PUSH {R0-R7}0x8C: MOV R0, #30x8E: B handle_exceptions
LR = Breakpoint‘s PC Address + 4LR (new) := Breakpoint‘s PC AddressSRSDB Instruction
SRSDB SP!, #0x17
SRS Store Return State (LR, SPSR)onto a Stack
DB Decrement address beforeeach transfer
! Write final address back to SPof mode 0x17 (abort mode)
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Our Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 111
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
0x80: SUB LR, LR, #40x82: SRSDB SP!, #0x170x84: PUSH {R0}0x86: PUSH {LR}0x88: SUB SP, SP, #240x8A: PUSH {R0-R7}0x8C: MOV R0, #30x8E: B handle_exceptions
LR = Breakpoint‘s PC Address + 4LR (new) := Breakpoint‘s PC AddressSRSDB Instruction
SRSDB SP!, #0x17
SRS Store Return State (LR, SPSR)onto a Stack
DB Decrement address beforeeach transfer
! Write final address back to SPof mode 0x17 (abort mode)
Abort Stack
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Our Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 112
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
0x80: SUB LR, LR, #40x82: SRSDB SP!, #0x170x84: PUSH {R0}0x86: PUSH {LR}0x88: SUB SP, SP, #240x8A: PUSH {R0-R7}0x8C: MOV R0, #30x8E: B handle_exceptions
LR = Breakpoint‘s PC Address + 4LR (new) := Breakpoint‘s PC AddressSRSDB Instruction
SRSDB SP!, #0x17
SRS Store Return State (LR, SPSR)onto a Stack
DB Decrement address beforeeach transfer
! Write final address back to SPof mode 0x17 (abort mode)
Abort StackSPSR = CPSR_SYS
LR = PC_SYS
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Our Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 113
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
0x80: SUB LR, LR, #40x82: SRSDB SP!, #0x170x84: PUSH {R0}0x86: PUSH {LR}0x88: SUB SP, SP, #240x8A: PUSH {R0-R7}0x8C: MOV R0, #30x8E: B handle_exceptions
LR = Breakpoint‘s PC Address + 4LR (new) := Breakpoint‘s PC Address
Abort StackSPSR = CPSR_SYS
LR = PC_SYS
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Our Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 114
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
0x80: SUB LR, LR, #40x82: SRSDB SP!, #0x170x84: PUSH {R0}0x86: PUSH {LR}0x88: SUB SP, SP, #240x8A: PUSH {R0-R7}0x8C: MOV R0, #30x8E: B handle_exceptions
LR = Breakpoint‘s PC Address + 4LR (new) := Breakpoint‘s PC Address
Abort StackSPSR = CPSR_SYS
LR = PC_SYSR0
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Our Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 115
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
0x80: SUB LR, LR, #40x82: SRSDB SP!, #0x170x84: PUSH {R0}0x86: PUSH {LR}0x88: SUB SP, SP, #240x8A: PUSH {R0-R7}0x8C: MOV R0, #30x8E: B handle_exceptions
LR = Breakpoint‘s PC Address + 4LR (new) := Breakpoint‘s PC Address
Abort StackSPSR = CPSR_SYS
LR = PC_SYSR0
LR_ABT
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Our Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 116
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
0x80: SUB LR, LR, #40x82: SRSDB SP!, #0x170x84: PUSH {R0}0x86: PUSH {LR}0x88: SUB SP, SP, #240x8A: PUSH {R0-R7}0x8C: MOV R0, #30x8E: B handle_exceptions
LR = Breakpoint‘s PC Address + 4LR (new) := Breakpoint‘s PC Address
Abort StackSPSR = CPSR_SYS
LR = PC_SYSR0
LR_ABT
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Our Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 117
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
0x80: SUB LR, LR, #40x82: SRSDB SP!, #0x170x84: PUSH {R0}0x86: PUSH {LR}0x88: SUB SP, SP, #240x8A: PUSH {R0-R7}0x8C: MOV R0, #30x8E: B handle_exceptions
Abort StackSPSR = CPSR_SYS
LR = PC_SYSR0
LR_ABT
R7R6R5R4R3R2R1R0
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Our Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 118
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
0x80: SUB LR, LR, #40x82: SRSDB SP!, #0x170x84: PUSH {R0}0x86: PUSH {LR}0x88: SUB SP, SP, #240x8A: PUSH {R0-R7}0x8C: MOV R0, #30x8E: B handle_exceptions
Abort StackSPSR = CPSR_SYS
LR = PC_SYSR0
LR_ABT
R7R6R5R4R3R2R1R0
R0 := Exception ID (3 Prefetch Abort)
Example Program
0x00: B reset_hdl0x04: B undef_inst_hdl0x08: B sw_intr_hdl0x0C: B pref_abt_hdl0x10: B data_abt_hdl...
ResetUndef. Instr.Software Intr.Abort (prefetch)Abort (data)...
Our Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 119
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
0x80: SUB LR, LR, #40x82: SRSDB SP!, #0x170x84: PUSH {R0}0x86: PUSH {LR}0x88: SUB SP, SP, #240x8A: PUSH {R0-R7}0x8C: MOV R0, #30x8E: B handle_exceptions
Abort StackSPSR = CPSR_SYS
LR = PC_SYSR0
LR_ABT
R7R6R5R4R3R2R1R0
Registers
R0 = 3
R0 := Exception ID (3 Prefetch Abort)
Analyzing handle_exceptions
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 120
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
Abort StackSPSR = CPSR_SYS
LR = PC_SYSR0
LR_ABT
R7R6R5R4R3R2R1R0
Registers
0xA0: MOV R4, SP0xA2: ADD R4, R4, #640xA4: LDMIA R4!, {R1,R3}0xA6: MRS R2, CPSR0xA8: PUSH {R0-R3}0xAA: SUB R4, R4, #120xAC: STR R1, [R4]0xAE: AND R1, R3, #640xB0: MOV R7, SP0xB2: ADD R7, R7, #880xB4: MOV R6, R120xB6: MOV R5, R110xB8: MOV R4, R100xBA: MOV R3, R90xBC: MOV R2, R80xBE: ADD SP, SP, #720xC0: PUSH {R2-R7}0xC2: SUB SP, SP, #480xC4: BL choose_exception_handler
handle_exceptions
R0 = 3
Analyzing handle_exceptions
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 121
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
Supervisor ModeAbort ModeSystem Mode
Abort StackSPSR = CPSR_SYS
LR = PC_SYSR0
LR_ABT
R7R6R5R4R3R2R1R0
Registers
0xA0: MOV R4, SP0xA2: ADD R4, R4, #640xA4: LDMIA R4!, {R1,R3}0xA6: MRS R2, CPSR0xA8: PUSH {R0-R3}0xAA: SUB R4, R4, #120xAC: STR R1, [R4]0xAE: AND R1, R3, #640xB0: MOV R7, SP0xB2: ADD R7, R7, #880xB4: MOV R6, R120xB6: MOV R5, R110xB8: MOV R4, R100xBA: MOV R3, R90xBC: MOV R2, R80xBE: ADD SP, SP, #720xC0: PUSH {R2-R7}0xC2: SUB SP, SP, #480xC4: BL choose_exception_handler
handle_exceptions
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Analyzing handle_exceptions
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 122
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registers
0xA0: MOV R4, SP0xA2: ADD R4, R4, #640xA4: LDMIA R4!, {R1,R3}0xA6: MRS R2, CPSR0xA8: PUSH {R0-R3}0xAA: SUB R4, R4, #120xAC: STR R1, [R4]0xAE: AND R1, R3, #640xB0: MOV R7, SP0xB2: ADD R7, R7, #880xB4: MOV R6, R120xB6: MOV R5, R110xB8: MOV R4, R100xBA: MOV R3, R90xBC: MOV R2, R80xBE: ADD SP, SP, #720xC0: PUSH {R2-R7}0xC2: SUB SP, SP, #480xC4: BL choose_exception_handler
handle_exceptions
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
✓✓
✓
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Analyzing handle_exceptions
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 123
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registers
0xA0: MOV R4, SP0xA2: ADD R4, R4, #640xA4: LDMIA R4!, {R1,R3}0xA6: MRS R2, CPSR0xA8: PUSH {R0-R3}0xAA: SUB R4, R4, #120xAC: STR R1, [R4]0xAE: AND R1, R3, #640xB0: MOV R7, SP0xB2: ADD R7, R7, #880xB4: MOV R6, R120xB6: MOV R5, R110xB8: MOV R4, R100xBA: MOV R3, R90xBC: MOV R2, R80xBE: ADD SP, SP, #720xC0: PUSH {R2-R7}0xC2: SUB SP, SP, #480xC4: BL choose_exception_handler
handle_exceptions
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8
✓✓
✓
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Analyzing handle_exceptions
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 124
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registers
0xA0: MOV R4, SP0xA2: ADD R4, R4, #640xA4: LDMIA R4!, {R1,R3}0xA6: MRS R2, CPSR0xA8: PUSH {R0-R3}0xAA: SUB R4, R4, #120xAC: STR R1, [R4]0xAE: AND R1, R3, #640xB0: MOV R7, SP0xB2: ADD R7, R7, #880xB4: MOV R6, R120xB6: MOV R5, R110xB8: MOV R4, R100xBA: MOV R3, R90xBC: MOV R2, R80xBE: ADD SP, SP, #720xC0: PUSH {R2-R7}0xC2: SUB SP, SP, #480xC4: BL choose_exception_handler
handle_exceptions
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8Processor state when
breakpoint was triggered✓✓
✓
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Analyzing handle_exceptions
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 125
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function• Implement a breakpoint handler• Activate breakpoints
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registers
0xA0: MOV R4, SP0xA2: ADD R4, R4, #640xA4: LDMIA R4!, {R1,R3}0xA6: MRS R2, CPSR0xA8: PUSH {R0-R3}0xAA: SUB R4, R4, #120xAC: STR R1, [R4]0xAE: AND R1, R3, #640xB0: MOV R7, SP0xB2: ADD R7, R7, #880xB4: MOV R6, R120xB6: MOV R5, R110xB8: MOV R4, R100xBA: MOV R3, R90xBC: MOV R2, R80xBE: ADD SP, SP, #720xC0: PUSH {R2-R7}0xC2: SUB SP, SP, #480xC4: BL choose_exception_handler
handle_exceptions
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8Processor state when
breakpoint was triggered✓✓
✓
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Analyzing handle_exceptions
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 126
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registers
0xA0: MOV R4, SP0xA2: ADD R4, R4, #640xA4: LDMIA R4!, {R1,R3}0xA6: MRS R2, CPSR0xA8: PUSH {R0-R3}0xAA: SUB R4, R4, #120xAC: STR R1, [R4]0xAE: AND R1, R3, #640xB0: MOV R7, SP0xB2: ADD R7, R7, #880xB4: MOV R6, R120xB6: MOV R5, R110xB8: MOV R4, R100xBA: MOV R3, R90xBC: MOV R2, R80xBE: ADD SP, SP, #720xC0: PUSH {R2-R7}0xC2: SUB SP, SP, #480xC4: BL choose_exception_handler
handle_exceptions
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8Processor state when
breakpoint was triggered
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
✓✓
✓
0xA0: MOV R4, SP0xA2: ADD R4, R4, #640xA4: LDMIA R4!, {R1,R3}0xA6: MRS R2, CPSR0xA8: PUSH {R0-R3}0xAA: SUB R4, R4, #120xAC: STR R1, [R4]0xAE: AND R1, R3, #640xB0: MOV R7, SP0xB2: ADD R7, R7, #880xB4: MOV R6, R120xB6: MOV R5, R110xB8: MOV R4, R100xBA: MOV R3, R90xBC: MOV R2, R80xBE: ADD SP, SP, #720xC0: PUSH {R2-R7}0xC2: SUB SP, SP, #480xC4: BL choose_exception_handler0xC6: CPSID IF0xC8: ADD SP, SP, #480xCA: POP {R0-R6}
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Analyzing handle_exceptions
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 127
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registershandle_exceptions
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8Processor state when
breakpoint was triggered✓✓
✓
0xA6: MRS R2, CPSR0xA8: PUSH {R0-R3}0xAA: SUB R4, R4, #120xAC: STR R1, [R4]0xAE: AND R1, R3, #640xB0: MOV R7, SP0xB2: ADD R7, R7, #880xB4: MOV R6, R120xB6: MOV R5, R110xB8: MOV R4, R100xBA: MOV R3, R90xBC: MOV R2, R80xBE: ADD SP, SP, #720xC0: PUSH {R2-R7}0xC2: SUB SP, SP, #480xC4: BL choose_exception_handler0xC6: CPSID IF0xC8: ADD SP, SP, #480xCA: POP {R0-R6}0xCC: MOV R8, R00xCE: MOV R9, R10xD0: MOV R10, R20xD2: MOV R11, R30xD4: MOV R12, R40xD6: MOV LR, R60xD8: SUB SP, SP, #600xDA: POP {R0-R7}0xDC: ADD SP, SP, #320xDE: RFEFD SP!
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
R0PC_SYS
Analyzing handle_exceptions
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 128
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registershandle_exceptions
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8Processor state when
breakpoint was triggered✓✓
✓
Restores saved registers
0xA6: MRS R2, CPSR0xA8: PUSH {R0-R3}0xAA: SUB R4, R4, #120xAC: STR R1, [R4]0xAE: AND R1, R3, #640xB0: MOV R7, SP0xB2: ADD R7, R7, #880xB4: MOV R6, R120xB6: MOV R5, R110xB8: MOV R4, R100xBA: MOV R3, R90xBC: MOV R2, R80xBE: ADD SP, SP, #720xC0: PUSH {R2-R7}0xC2: SUB SP, SP, #480xC4: BL choose_exception_handler0xC6: CPSID IF0xC8: ADD SP, SP, #480xCA: POP {R0-R6}0xCC: MOV R8, R00xCE: MOV R9, R10xD0: MOV R10, R20xD2: MOV R11, R30xD4: MOV R12, R40xD6: MOV LR, R60xD8: SUB SP, SP, #600xDA: POP {R0-R7}0xDC: ADD SP, SP, #320xDE: RFEFD SP!
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
R0PC_SYS
Analyzing handle_exceptions
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 129
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registershandle_exceptions
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8Processor state when
breakpoint was triggered✓✓
✓
Restores saved registers
RFEFD Instruction
RFEFD SP!
RFE Return From Exception: writesPC and CPSR back
FD Fulldescending stackSP Points at PC and CPSRSP! Write final address back to SP
0xA6: MRS R2, CPSR0xA8: PUSH {R0-R3}0xAA: SUB R4, R4, #120xAC: STR R1, [R4]0xAE: AND R1, R3, #640xB0: MOV R7, SP0xB2: ADD R7, R7, #880xB4: MOV R6, R120xB6: MOV R5, R110xB8: MOV R4, R100xBA: MOV R3, R90xBC: MOV R2, R80xBE: ADD SP, SP, #720xC0: PUSH {R2-R7}0xC2: SUB SP, SP, #480xC4: BL choose_exception_handler0xC6: CPSID IF0xC8: ADD SP, SP, #480xCA: POP {R0-R6}0xCC: MOV R8, R00xCE: MOV R9, R10xD0: MOV R10, R20xD2: MOV R11, R30xD4: MOV R12, R40xD6: MOV LR, R60xD8: SUB SP, SP, #600xDA: POP {R0-R7}0xDC: ADD SP, SP, #320xDE: RFEFD SP!
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Analyzing handle_exceptions
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 130
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registershandle_exceptions
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8Processor state when
breakpoint was triggered✓✓
✓
Restores saved registers
RFEFD Instruction
RFEFD SP!
RFE Return From Exception: writesPC and CPSR back
FD Fulldescending stackSP Points at PC and CPSRSP! Write final address back to SP
0xA6: MRS R2, CPSR0xA8: PUSH {R0-R3}0xAA: SUB R4, R4, #120xAC: STR R1, [R4]0xAE: AND R1, R3, #640xB0: MOV R7, SP0xB2: ADD R7, R7, #880xB4: MOV R6, R120xB6: MOV R5, R110xB8: MOV R4, R100xBA: MOV R3, R90xBC: MOV R2, R80xBE: ADD SP, SP, #720xC0: PUSH {R2-R7}0xC2: SUB SP, SP, #480xC4: BL choose_exception_handler0xC6: CPSID IF0xC8: ADD SP, SP, #480xCA: POP {R0-R6}0xCC: MOV R8, R00xCE: MOV R9, R10xD0: MOV R10, R20xD2: MOV R11, R30xD4: MOV R12, R40xD6: MOV LR, R60xD8: SUB SP, SP, #600xDA: POP {R0-R7}0xDC: ADD SP, SP, #320xDE: RFEFD SP!
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Analyzing handle_exceptions
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 131
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registershandle_exceptions
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8Processor state when
breakpoint was triggered✓✓
✓
Restores saved registers
RFEFD Instruction
RFEFD SP!
RFE Return From Exception: writesPC and CPSR back
FD Fulldescending stackSP Points at PC and CPSRSP! Write final address back to SP
After handling an exceptionwe can return to regularprogram execution
0xA6: MRS R2, CPSR0xA8: PUSH {R0-R3}0xAA: SUB R4, R4, #120xAC: STR R1, [R4]0xAE: AND R1, R3, #640xB0: MOV R7, SP0xB2: ADD R7, R7, #880xB4: MOV R6, R120xB6: MOV R5, R110xB8: MOV R4, R100xBA: MOV R3, R90xBC: MOV R2, R80xBE: ADD SP, SP, #720xC0: PUSH {R2-R7}0xC2: SUB SP, SP, #480xC4: BL choose_exception_handler0xC6: CPSID IF0xC8: ADD SP, SP, #480xCA: POP {R0-R6}0xCC: MOV R8, R00xCE: MOV R9, R10xD0: MOV R10, R20xD2: MOV R11, R30xD4: MOV R12, R40xD6: MOV LR, R60xD8: SUB SP, SP, #600xDA: POP {R0-R7}0xDC: ADD SP, SP, #320xDE: RFEFD SP!
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Analyzing handle_exceptions
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 132
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registershandle_exceptions
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8Processor state when
breakpoint was triggered✓✓
✓
Restores saved registers
RFEFD Instruction
RFEFD SP!
RFE Return From Exception: writesPC and CPSR back
FD Fulldescending stackSP Points at PC and CPSRSP! Write final address back to SP
✓
After handling an exceptionwe can return to regularprogram execution
0xA6: MRS R2, CPSR0xA8: PUSH {R0-R3}0xAA: SUB R4, R4, #120xAC: STR R1, [R4]0xAE: AND R1, R3, #640xB0: MOV R7, SP0xB2: ADD R7, R7, #880xB4: MOV R6, R120xB6: MOV R5, R110xB8: MOV R4, R100xBA: MOV R3, R90xBC: MOV R2, R80xBE: ADD SP, SP, #720xC0: PUSH {R2-R7}0xC2: SUB SP, SP, #480xC4: BL choose_exception_handler0xC6: CPSID IF0xC8: ADD SP, SP, #480xCA: POP {R0-R6}0xCC: MOV R8, R00xCE: MOV R9, R10xD0: MOV R10, R20xD2: MOV R11, R30xD4: MOV R12, R40xD6: MOV LR, R60xD8: SUB SP, SP, #600xDA: POP {R0-R7}0xDC: ADD SP, SP, #320xDE: RFEFD SP!
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Analyzing handle_exceptions
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 133
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registershandle_exceptions
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8Processor state when
breakpoint was triggered✓✓
✓
Restores saved registers
✓
After handling an exceptionwe can return to regularprogram execution
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Analyzing handle_exceptions
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 134
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registers
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8
✓✓
✓✓
choose_exception _handler
0x0F4: CMP R0, #60x0F6: BNE 0xFE0x0F8: CMP R1, #640x0FA: BEQ 0xFE0x0FC: CPSIE F0x0FE: MOV R0, SP0x100: PUSH {LR}0x102: POP {LR}0x104: B handle_FIQ_or_trigger_trap
0x0F4: CMP R0, #60x0F6: BNE 0xFE0x0F8: CMP R1, #640x0FA: BEQ 0xFE0x0FC: CPSIE F0x0FE: MOV R0, SP0x100: PUSH {LR}0x102: POP {LR}0x104: B handle_FIQ_or_trigger_trap
choose_exception _handlerMonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Calling Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 135
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registers
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8
✓✓
✓✓
0x0F4: CMP R0, #60x0F6: BNE 0xFE0x0F8: CMP R1, #640x0FA: BEQ 0xFE0x0FC: CPSIE F0x0FE: MOV R0, SP0x100: PUSH {LR}0x102: POP {LR}0x104: B handle_FIQ_or_trigger_trap
choose_exception _handlerMonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Calling Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 136
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registers
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8
✓✓
✓✓
Check whetherException ID (R0) equals 6 (fast interrupt/FIQ)
0x0F4: CMP R0, #60x0F6: BNE 0xFE0x0F8: CMP R1, #640x0FA: BEQ 0xFE0x0FC: CPSIE F0x0FE: MOV R0, SP0x100: PUSH {LR}0x102: POP {LR}0x104: B handle_FIQ_or_trigger_trap
choose_exception _handlerMonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Calling Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 137
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registers
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8
✓✓
✓✓
Check whetherException ID (R0) equals 6 (fast interrupt/FIQ)
Handles FIQ or printsdebug informationand stops execution
0x0F4: CMP R0, #60x0F6: BNE 0xFE0x0F8: CMP R1, #640x0FA: BEQ 0xFE0x0FC: CPSIE F0x0FE: MOV R0, SP0x100: PUSH {LR}0x102: POP {LR}0x104: B handle_FIQ_or_trigger_trap
choose_exception _handlerMonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Calling Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 138
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registers
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8
✓✓
✓✓
Check whetherException ID (R0) equals 6 (fast interrupt/FIQ)
Handles FIQ or printsdebug informationand stops execution
We want tohandle ourbreakpointinstead oftriggeringthe trap
0x0F4: CMP R0, #60x0F6: BNE 0xFE0x0F8: CMP R1, #640x0FA: BEQ 0xFE0x0FC: CPSIE F0x0FE: MOV R0, SP0x100: PUSH {LR}0x102: POP {LR}0x104: B handle_FIQ_or_trigger_trap
choose_exception _handlerMonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Calling Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 139
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registers
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8
✓✓
✓✓
We want tohandle ourbreakpointinstead oftriggeringthe trap
0x0F4: CMP R0, #60x0F6: BNE 0xFE0x0F8: CMP R1, #640x0FA: BEQ 0xFE0x0FC: CPSIE F0x0FE: MOV R0, SP0x100: PUSH {LR}0x102: POP {LR}0x104: B handle_FIQ_or_trigger_trap
0x0F0: CMP R0, #30x0F2: BEQ pref_abort
choose_exception _handlerMonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Calling Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 140
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registers
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8
✓✓
✓✓
We want tohandle ourbreakpointinstead oftriggeringthe trap
0x0F4: CMP R0, #60x0F6: BNE 0xFE0x0F8: CMP R1, #640x0FA: BEQ 0xFE0x0FC: CPSIE F0x0FE: MOV R0, SP0x100: PUSH {LR}0x102: POP {LR}0x104: B handle_FIQ_or_trigger_trap
0x0F0: CMP R0, #30x0F2: BEQ pref_abort
choose_exception _handlerMonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Calling Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 141
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registers
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8
✓✓
✓✓
We want tohandle ourbreakpointinstead oftriggeringthe trap
pref_abort:0x106: MOV R0, SP0x108: PUSH {LR}0x10A: POP {LR}0x10C: B handle_pref_abort_exception
0x0F4: CMP R0, #60x0F6: BNE 0xFE0x0F8: CMP R1, #640x0FA: BEQ 0xFE0x0FC: CPSIE F0x0FE: MOV R0, SP0x100: PUSH {LR}0x102: POP {LR}0x104: B handle_FIQ_or_trigger_trap
0x0F0: CMP R0, #30x0F2: BEQ pref_abort
choose_exception _handlerMonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Calling Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 142
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registers
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8
✓✓
✓✓
We want tohandle ourbreakpointinstead oftriggeringthe trap
pref_abort:0x106: MOV R0, SP0x108: PUSH {LR}0x10A: POP {LR}0x10C: B handle_pref_abort_exception
0x0F4: CMP R0, #60x0F6: BNE 0xFE0x0F8: CMP R1, #640x0FA: BEQ 0xFE0x0FC: CPSIE F0x0FE: MOV R0, SP0x100: PUSH {LR}0x102: POP {LR}0x104: B handle_FIQ_or_trigger_trap
0x0F0: CMP R0, #30x0F2: BEQ pref_abort
choose_exception _handlerMonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Calling Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 143
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registers
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8
✓✓
✓✓
We want tohandle ourbreakpointinstead oftriggeringthe trap
pref_abort:0x106: MOV R0, SP0x108: PUSH {LR}0x10A: POP {LR}0x10C: B handle_pref_abort_exception
0x0F4: CMP R0, #60x0F6: BNE 0xFE0x0F8: CMP R1, #640x0FA: BEQ 0xFE0x0FC: CPSIE F0x0FE: MOV R0, SP0x100: PUSH {LR}0x102: POP {LR}0x104: B handle_FIQ_or_trigger_trap
0x0F0: CMP R0, #30x0F2: BEQ pref_abort
choose_exception _handlerMonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Calling Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 144
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registers
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8
✓✓
✓✓
We want tohandle ourbreakpointinstead oftriggeringthe trap
pref_abort:0x106: MOV R0, SP0x108: PUSH {LR}0x10A: POP {LR}0x10C: B handle_pref_abort_exception
0x0F4: CMP R0, #60x0F6: BNE 0xFE0x0F8: CMP R1, #640x0FA: BEQ 0xFE0x0FC: CPSIE F0x0FE: MOV R0, SP0x100: PUSH {LR}0x102: POP {LR}0x104: B handle_FIQ_or_trigger_trap
0x0F0: CMP R0, #30x0F2: BEQ pref_abort
choose_exception _handlerMonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Calling Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 145
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registers
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8
✓✓
✓✓
We want tohandle ourbreakpointinstead oftriggeringthe trap
pref_abort:0x106: MOV R0, SP0x108: PUSH {LR}0x10A: POP {LR}0x10C: B handle_pref_abort_exception
0x0F4: CMP R0, #60x0F6: BNE 0xFE0x0F8: CMP R1, #640x0FA: BEQ 0xFE0x0FC: CPSIE F0x0FE: MOV R0, SP0x100: PUSH {LR}0x102: POP {LR}0x104: B handle_FIQ_or_trigger_trap
0x0F0: CMP R0, #30x0F2: BEQ pref_abort
choose_exception _handlerMonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Calling Prefetch Abort Handler
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 146
Supervisor ModeAbort ModeSystem Mode
Abort Stack
LR_ABT
R7R6R5R4R3R2R1R0
Registers
R0 = 3
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8
✓✓
✓✓
We want tohandle ourbreakpointinstead oftriggeringthe trap
pref_abort:0x106: MOV R0, SP0x108: PUSH {LR}0x10A: POP {LR}0x10C: B handle_pref_abort_exception
First argument points to trace
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYS
Fixing LR and SP in Trace
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 147
Supervisor ModeAbort ModeSystem Mode
LR_ABT
R7R6R5R4R3R2R1R0
CPSR_SYSCPSR_ABT
PC_SYSException ID
SP_ABTR12R11R10R9R8
✓✓
✓✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);...
}
voidfix_sp_lr(struct trace *trace){
register unsigned int sp_sys asm("r1");register unsigned int lr_sys asm("r2");
dbg_disable_monitor_mode_debugging();dbg_change_processor_mode(DBG_PROCESSOR_MODE_SYS);asm("mov %[result], sp" : [result] "=r" (sp_sys));asm("mov %[result], lr" : [result] "=r" (lr_sys));dbg_change_processor_mode(DBG_PROCESSOR_MODE_ABT);dbg_enable_monitor_mode_debugging();
trace->lr = lr_sys;trace->sp = sp_sys;
}
Trace
SP_ABT
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYSLR_ABT
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
Fixing LR and SP in Trace
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 148
Trace
R7R6R5R4R3R2R1R0
CPSR_SYSCPSR_ABT
PC_SYSException ID
R12R11R10R9R8
✓✓
✓✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);...
}
voidfix_sp_lr(struct trace *trace){
register unsigned int sp_sys asm("r1");register unsigned int lr_sys asm("r2");
dbg_disable_monitor_mode_debugging();dbg_change_processor_mode(DBG_PROCESSOR_MODE_SYS);asm("mov %[result], sp" : [result] "=r" (sp_sys));asm("mov %[result], lr" : [result] "=r" (lr_sys));dbg_change_processor_mode(DBG_PROCESSOR_MODE_ABT);dbg_enable_monitor_mode_debugging();
trace->lr = lr_sys;trace->sp = sp_sys;
}
Disable debugger and enter System Mode
Supervisor ModeAbort ModeSystem Mode
SP_ABT
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYSLR_ABT
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
Fixing LR and SP in Trace
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 149
Trace
R7R6R5R4R3R2R1R0
CPSR_SYSCPSR_ABT
PC_SYSException ID
R12R11R10R9R8
✓✓
✓✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);...
}
voidfix_sp_lr(struct trace *trace){
register unsigned int sp_sys asm("r1");register unsigned int lr_sys asm("r2");
dbg_disable_monitor_mode_debugging();dbg_change_processor_mode(DBG_PROCESSOR_MODE_SYS);asm("mov %[result], sp" : [result] "=r" (sp_sys));asm("mov %[result], lr" : [result] "=r" (lr_sys));dbg_change_processor_mode(DBG_PROCESSOR_MODE_ABT);dbg_enable_monitor_mode_debugging();
trace->lr = lr_sys;trace->sp = sp_sys;
}
Disable debugger and enter System Mode
Store SP_SYS and LR_SYS in R1 and R2
Supervisor ModeAbort ModeSystem Mode
SP_ABT
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYSLR_ABT
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
Fixing LR and SP in Trace
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 150
Trace
R7R6R5R4R3R2R1R0
CPSR_SYSCPSR_ABT
PC_SYSException ID
R12R11R10R9R8
✓✓
✓✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);...
}
voidfix_sp_lr(struct trace *trace){
register unsigned int sp_sys asm("r1");register unsigned int lr_sys asm("r2");
dbg_disable_monitor_mode_debugging();dbg_change_processor_mode(DBG_PROCESSOR_MODE_SYS);asm("mov %[result], sp" : [result] "=r" (sp_sys));asm("mov %[result], lr" : [result] "=r" (lr_sys));dbg_change_processor_mode(DBG_PROCESSOR_MODE_ABT);dbg_enable_monitor_mode_debugging();
trace->lr = lr_sys;trace->sp = sp_sys;
}
Disable debugger and enter System Mode
Store SP_SYS and LR_SYS in R1 and R2
Return to Abort Mode and re-enable debugger
Supervisor ModeAbort ModeSystem Mode
SP_ABT
SPSR = CPSR_SYSLR = PC_SYS
R0PC_SYSLR_ABTLR_SYSSP_SYS
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
Fixing LR and SP in Trace
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 151
Trace
R7R6R5R4R3R2R1R0
CPSR_SYSCPSR_ABT
PC_SYSException ID
R12R11R10R9R8
✓✓
✓✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);...
}
voidfix_sp_lr(struct trace *trace){
register unsigned int sp_sys asm("r1");register unsigned int lr_sys asm("r2");
dbg_disable_monitor_mode_debugging();dbg_change_processor_mode(DBG_PROCESSOR_MODE_SYS);asm("mov %[result], sp" : [result] "=r" (sp_sys));asm("mov %[result], lr" : [result] "=r" (lr_sys));dbg_change_processor_mode(DBG_PROCESSOR_MODE_ABT);dbg_enable_monitor_mode_debugging();
trace->lr = lr_sys;trace->sp = sp_sys;
}
Disable debugger and enter System Mode
Store SP_SYS and LR_SYS in R1 and R2
Return to Abort Mode and re-enable debugger
Update Trace
✓
Supervisor ModeAbort ModeSystem Mode
MonitorDebug-Mode
Abort Exception Execution continues
in exception handler
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 152
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);...
}
Supervisor ModeAbort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 153
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers only once
start:MOV R0, #1MOV R0, #3B start
Supervisor ModeAbort ModeSystem ModeAbort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 154
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers only once
start:MOV R0, #1MOV R0, #3B start
Supervisor ModeAbort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 155
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers only once
Check whether breakpoint is enabled
start:MOV R0, #1MOV R0, #3B start
Supervisor ModeAbort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 156
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers only once
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
start:MOV R0, #1MOV R0, #3B start
Supervisor ModeAbort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 157
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers only once
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
start:MOV R0, #1MOV R0, #3B start
Supervisor ModeAbort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 158
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers only once
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
Disable the breakpoint
start:MOV R0, #1MOV R0, #3B start
Supervisor ModeAbort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 159
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers only once
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
Disable the breakpoint
Continue firmware execution
start:MOV R0, #1MOV R0, #3B start
Supervisor ModeAbort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 160
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers only once
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
Disable the breakpoint
Continue firmware execution
start:MOV R0, #1MOV R0, #3B start
Supervisor ModeAbort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 161
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers only once
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
Disable the breakpoint
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Supervisor ModeAbort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 162
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers only once
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
Disable the breakpoint
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 163
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers only once
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
Disable the breakpoint
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 164
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
Disable the breakpoint
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Simplest ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 165
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers multiple times
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
Disable the breakpoint
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 166
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers multiple times
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
Disable the breakpoint
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 167
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers multiple times
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
Disable the breakpoint
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 168
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers multiple times
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
Disable the breakpoint
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 169
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers multiple times
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
Disable the breakpoint
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 170
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers multiple times
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
Disable the breakpoint
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 171
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers multiple times
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
Disable the breakpoint
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 172
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers multiple times
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
Disable the breakpoint
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 173
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers multiple times
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
Disable the breakpoint
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 174
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers multiple times
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
Disable the breakpoint
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 175
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers multiple times
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
Disable the breakpoint
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 176
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif(dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address(0, trace->pc)) {
// Handle Breakpoint:// - Print information// - Change register values in trace
dbg_disable_breakpoint(0);}
}
Simplest ImplementationBreakpoint triggers multiple times
Check whether breakpoint is enabledCheck whether breakpoint address equals the
program counter of the system mode
Write code to handle the breakpoint
Disable the breakpoint
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
We are in an endlessdebuggingloop
Address Mismatch ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 177
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {dbg_set_breakpoint_type_to_instr_addr_match(0);breakpoint_hit &= ~DBGBP0;
}}
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
We are in an endlessdebuggingloop
Address Mismatch ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 178
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {dbg_set_breakpoint_type_to_instr_addr_match(0);breakpoint_hit &= ~DBGBP0;
}}
Check whether breakpoint is enabled
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
We are in an endlessdebuggingloop
Address Mismatch ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 179
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {dbg_set_breakpoint_type_to_instr_addr_match(0);breakpoint_hit &= ~DBGBP0;
}}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
We are in an endlessdebuggingloop
Address Mismatch ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 180
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {dbg_set_breakpoint_type_to_instr_addr_match(0);breakpoint_hit &= ~DBGBP0;
}}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the breakpoint
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
We are in an endlessdebuggingloop
Address Mismatch ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 181
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {dbg_set_breakpoint_type_to_instr_addr_match(0);breakpoint_hit &= ~DBGBP0;
}}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the breakpoint
Remember which breakpoint was hit
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
We are in an endlessdebuggingloop
Address Mismatch ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 182
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {dbg_set_breakpoint_type_to_instr_addr_match(0);breakpoint_hit &= ~DBGBP0;
}}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the breakpoint
Remember which breakpoint was hit
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
We are in an endlessdebuggingloop
Set breakpoint to trigger on address mismatch
Address Mismatch ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 183
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {dbg_set_breakpoint_type_to_instr_addr_match(0);breakpoint_hit &= ~DBGBP0;
}}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
We are in an endlessdebuggingloop
Set breakpoint to trigger on address mismatch
Address Mismatch ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 184
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {dbg_set_breakpoint_type_to_instr_addr_match(0);breakpoint_hit &= ~DBGBP0;
}}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
We are in an endlessdebuggingloop
Set breakpoint to trigger on address mismatch
Address Mismatch ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 185
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {dbg_set_breakpoint_type_to_instr_addr_match(0);breakpoint_hit &= ~DBGBP0;
}}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
We are in an endlessdebuggingloop
Set breakpoint to trigger on address mismatch
Address Mismatch ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 186
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {dbg_set_breakpoint_type_to_instr_addr_match(0);breakpoint_hit &= ~DBGBP0;
}}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
We are in an endlessdebuggingloop
Set breakpoint to trigger on address mismatch
Address Mismatch ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 187
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {dbg_set_breakpoint_type_to_instr_addr_match(0);breakpoint_hit &= ~DBGBP0;
}}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
We are in an endlessdebuggingloop
Set breakpoint to trigger on address mismatch
Address Mismatch ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 188
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {dbg_set_breakpoint_type_to_instr_addr_match(0);breakpoint_hit &= ~DBGBP0;
}}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
We are in an endlessdebuggingloop
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Address Mismatch ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 189
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {dbg_set_breakpoint_type_to_instr_addr_match(0);breakpoint_hit &= ~DBGBP0;
}}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
We are in an endlessdebuggingloop
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Set breakpoint to trigger on address match
Address Mismatch ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 190
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {dbg_set_breakpoint_type_to_instr_addr_match(0);breakpoint_hit &= ~DBGBP0;
}}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
We are in an endlessdebuggingloop
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Set breakpoint to trigger on address matchForget that breakpoint was set
Address Mismatch ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 191
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {dbg_set_breakpoint_type_to_instr_addr_match(0);breakpoint_hit &= ~DBGBP0;
}}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
We are in an endlessdebuggingloop
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Set breakpoint to trigger on address matchForget that breakpoint was set
Address Mismatch ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 192
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {dbg_set_breakpoint_type_to_instr_addr_match(0);breakpoint_hit &= ~DBGBP0;
}}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
We are in an endlessdebuggingloop
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Set breakpoint to trigger on address matchForget that breakpoint was set
Address Mismatch ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 193
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {dbg_set_breakpoint_type_to_instr_addr_match(0);breakpoint_hit &= ~DBGBP0;
}}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
We are in an endlessdebuggingloop
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Set breakpoint to trigger on address matchForget that breakpoint was set
Address Mismatch ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 194
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {dbg_set_breakpoint_type_to_instr_addr_match(0);breakpoint_hit &= ~DBGBP0;
}}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
We are in an endlessdebuggingloop
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Set breakpoint to trigger on address matchForget that breakpoint was set
Address Mismatch ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 195
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {dbg_set_breakpoint_type_to_instr_addr_match(0);breakpoint_hit &= ~DBGBP0;
}}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Set breakpoint to trigger on address matchForget that breakpoint was set
✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 196
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 197
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabled
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 198
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 199
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 200
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 201
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatch
✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 202
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatch
✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 203
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatch
✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 204
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatch
✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 205
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatch
✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 206
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatch
✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 207
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 208
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Write code to handle the single-stepping breakpoint✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 209
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Set breakpoint to trigger on address match
Write code to handle the single-stepping breakpoint✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 210
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Set breakpoint to trigger on address match
Write code to handle the single-stepping breakpoint✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 211
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Set breakpoint to trigger on address match
Write code to handle the single-stepping breakpoint✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 212
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Set breakpoint to trigger on address match
Write code to handle the single-stepping breakpoint✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 213
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Set breakpoint to trigger on address match
Write code to handle the single-stepping breakpoint✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 214
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Set breakpoint to trigger on address match
Write code to handle the single-stepping breakpoint✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 215
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Set breakpoint to trigger on address match
Write code to handle the single-stepping breakpoint✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 216
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Set breakpoint to trigger on address match
Write code to handle the single-stepping breakpoint✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 217
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Set breakpoint to trigger on address match
Write code to handle the single-stepping breakpoint✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 218
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Set breakpoint to trigger on address match
Write code to handle the single-stepping breakpoint✓
Single-Stepping ImplementationBreakpoint triggers multiple times
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
Handling Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 219
✓✓
✓✓
✓
voidhandle_pref_abort_exception(struct trace *trace) {
fix_sp_lr(trace);
...}
// Do for any of the four hardware breakpointsif (dbg_is_breakpoint_enabled(0)) {
if (dbg_triggers_on_breakpoint_address (0, trace->pc)) {
// Handle Breakpoint:
breakpoint_hit |= DBGBP0;dbg_set_breakpoint_type_to_instr_addr_mismatch(0);
} else if (breakpoint_hit & DBGBP0) {
// Handle Breakpoint
dbg_set_breakpoint_for_addr_mismatch(0, trace->pc);}
}
Check whether breakpoint is enabledCheck whether breakpoint address equals PC_SYS
Write code to handle the first breakpoint
Remember which breakpoint was hit
Continue firmware execution
✓
start:MOV R0, #1MOV R0, #3B start
Abort ModeSystem Mode
Set breakpoint to trigger on address mismatchCheck whether we remember that breakpoint was set
Set breakpoint to trigger on address match
Write code to handle the single-stepping breakpoint✓
✓
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 220
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 221
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 222
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Debug
ARM DDI 0363G Copyright © 2006-2011 ARM Limited. All rights reserved. 12-14
ID041111 Non-Confidential
12.4.5 CP14 c1, Debug Status and Control Register
The DBGDSCR Register characteristics are:
Purpose Contains status and control information about the debug unit.
Usage constraints See DTR access mode on page 12-18.
Configurations Available in all processor configurations.
Attributes See Table 12-10.
Figure 12-5 shows the DBGDSCR bit assignments.
Figure 12-5 DBGDSCR Register bit assignments
Table 12-10 shows the DBGDSCR bit assignments.
31 30 29 28 16 15 14 13 12 11 10 6 5 2 1 0
MOE
9 78
Core halted
Core restarted
26 25 24 23
PipeAdv
InstrCompl-l
22 21 20 19 18
Monitor debug-mode
Halting debug-mode
ARM
DbgAck
IntDis
Comms
Sticky imprecise abort
Sticky Undefined
Reserved
Sticky precise abort
DTR access
Discard
imprecise
abort
27
Reserved
DTRTXfull
DTRRXfull
Reserved
Reserved
Reserved
DTRTXfull-l
DTRRXfull-l
Table 12-10 DBGDSCR Register bit assignments
Bits Name Function
[31] - RAZ on reads, SBZP on writes.
[30] DTRRXfull The DTRRXfull flag:
0 = Read-DTR, DBGDTRRX is empty. This is the reset value
1 = Read-DTR, DBGDTRRX is full.
When set, this flag indicates to the processor that there is data available to read from the
DBGDTRRX. It is automatically set on writes to the DBGDTRRX by the debugger, and
is cleared when the processor reads the DBGDTRRX over the CP14 interface. If the flag
is not set, reads from the DBGDTRRX return an Unpredictable value.
[29] DTRTXfull The DTRTXfull flag:
0 = Write-DTR, DBGDTRTX is empty. This is the reset value.
1 = Write-DTR, DBGDTRTX is full.
When clear, this flag indicates to the processor that the DBGDTRTX is ready to receive
data. It is automatically cleared on reads of the DBGDTRTX by the debugger, and is set
when the processor writes to the DBGDTRTX over the CP14 interface. If this bit is set and
the processor attempts to write to the DBGDTRTX, the register contents are overwritten
and the DTRRXfull flag remains set.
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 223
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Debug
ARM DDI 0363G Copyright © 2006-2011 ARM Limited. All rights reserved. 12-14
ID041111 Non-Confidential
12.4.5 CP14 c1, Debug Status and Control Register
The DBGDSCR Register characteristics are:
Purpose Contains status and control information about the debug unit.
Usage constraints See DTR access mode on page 12-18.
Configurations Available in all processor configurations.
Attributes See Table 12-10.
Figure 12-5 shows the DBGDSCR bit assignments.
Figure 12-5 DBGDSCR Register bit assignments
Table 12-10 shows the DBGDSCR bit assignments.
31 30 29 28 16 15 14 13 12 11 10 6 5 2 1 0
MOE
9 78
Core halted
Core restarted
26 25 24 23
PipeAdv
InstrCompl-l
22 21 20 19 18
Monitor debug-mode
Halting debug-mode
ARM
DbgAck
IntDis
Comms
Sticky imprecise abort
Sticky Undefined
Reserved
Sticky precise abort
DTR access
Discard
imprecise
abort
27
Reserved
DTRTXfull
DTRRXfull
Reserved
Reserved
Reserved
DTRTXfull-l
DTRRXfull-l
Table 12-10 DBGDSCR Register bit assignments
Bits Name Function
[31] - RAZ on reads, SBZP on writes.
[30] DTRRXfull The DTRRXfull flag:
0 = Read-DTR, DBGDTRRX is empty. This is the reset value
1 = Read-DTR, DBGDTRRX is full.
When set, this flag indicates to the processor that there is data available to read from the
DBGDTRRX. It is automatically set on writes to the DBGDTRRX by the debugger, and
is cleared when the processor reads the DBGDTRRX over the CP14 interface. If the flag
is not set, reads from the DBGDTRRX return an Unpredictable value.
[29] DTRTXfull The DTRTXfull flag:
0 = Write-DTR, DBGDTRTX is empty. This is the reset value.
1 = Write-DTR, DBGDTRTX is full.
When clear, this flag indicates to the processor that the DBGDTRTX is ready to receive
data. It is automatically cleared on reads of the DBGDTRTX by the debugger, and is set
when the processor writes to the DBGDTRTX over the CP14 interface. If this bit is set and
the processor attempts to write to the DBGDTRTX, the register contents are overwritten
and the DTRRXfull flag remains set.
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 224
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Debug
ARM DDI 0363G Copyright © 2006-2011 ARM Limited. All rights reserved. 12-14
ID041111 Non-Confidential
12.4.5 CP14 c1, Debug Status and Control Register
The DBGDSCR Register characteristics are:
Purpose Contains status and control information about the debug unit.
Usage constraints See DTR access mode on page 12-18.
Configurations Available in all processor configurations.
Attributes See Table 12-10.
Figure 12-5 shows the DBGDSCR bit assignments.
Figure 12-5 DBGDSCR Register bit assignments
Table 12-10 shows the DBGDSCR bit assignments.
31 30 29 28 16 15 14 13 12 11 10 6 5 2 1 0
MOE
9 78
Core halted
Core restarted
26 25 24 23
PipeAdv
InstrCompl-l
22 21 20 19 18
Monitor debug-mode
Halting debug-mode
ARM
DbgAck
IntDis
Comms
Sticky imprecise abort
Sticky Undefined
Reserved
Sticky precise abort
DTR access
Discard
imprecise
abort
27
Reserved
DTRTXfull
DTRRXfull
Reserved
Reserved
Reserved
DTRTXfull-l
DTRRXfull-l
Table 12-10 DBGDSCR Register bit assignments
Bits Name Function
[31] - RAZ on reads, SBZP on writes.
[30] DTRRXfull The DTRRXfull flag:
0 = Read-DTR, DBGDTRRX is empty. This is the reset value
1 = Read-DTR, DBGDTRRX is full.
When set, this flag indicates to the processor that there is data available to read from the
DBGDTRRX. It is automatically set on writes to the DBGDTRRX by the debugger, and
is cleared when the processor reads the DBGDTRRX over the CP14 interface. If the flag
is not set, reads from the DBGDTRRX return an Unpredictable value.
[29] DTRTXfull The DTRTXfull flag:
0 = Write-DTR, DBGDTRTX is empty. This is the reset value.
1 = Write-DTR, DBGDTRTX is full.
When clear, this flag indicates to the processor that the DBGDTRTX is ready to receive
data. It is automatically cleared on reads of the DBGDTRTX by the debugger, and is set
when the processor writes to the DBGDTRTX over the CP14 interface. If this bit is set and
the processor attempts to write to the DBGDTRTX, the register contents are overwritten
and the DTRRXfull flag remains set.
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 225
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Debug
ARM DDI 0363G Copyright © 2006-2011 ARM Limited. All rights reserved. 12-14
ID041111 Non-Confidential
12.4.5 CP14 c1, Debug Status and Control Register
The DBGDSCR Register characteristics are:
Purpose Contains status and control information about the debug unit.
Usage constraints See DTR access mode on page 12-18.
Configurations Available in all processor configurations.
Attributes See Table 12-10.
Figure 12-5 shows the DBGDSCR bit assignments.
Figure 12-5 DBGDSCR Register bit assignments
Table 12-10 shows the DBGDSCR bit assignments.
31 30 29 28 16 15 14 13 12 11 10 6 5 2 1 0
MOE
9 78
Core halted
Core restarted
26 25 24 23
PipeAdv
InstrCompl-l
22 21 20 19 18
Monitor debug-mode
Halting debug-mode
ARM
DbgAck
IntDis
Comms
Sticky imprecise abort
Sticky Undefined
Reserved
Sticky precise abort
DTR access
Discard
imprecise
abort
27
Reserved
DTRTXfull
DTRRXfull
Reserved
Reserved
Reserved
DTRTXfull-l
DTRRXfull-l
Table 12-10 DBGDSCR Register bit assignments
Bits Name Function
[31] - RAZ on reads, SBZP on writes.
[30] DTRRXfull The DTRRXfull flag:
0 = Read-DTR, DBGDTRRX is empty. This is the reset value
1 = Read-DTR, DBGDTRRX is full.
When set, this flag indicates to the processor that there is data available to read from the
DBGDTRRX. It is automatically set on writes to the DBGDTRRX by the debugger, and
is cleared when the processor reads the DBGDTRRX over the CP14 interface. If the flag
is not set, reads from the DBGDTRRX return an Unpredictable value.
[29] DTRTXfull The DTRTXfull flag:
0 = Write-DTR, DBGDTRTX is empty. This is the reset value.
1 = Write-DTR, DBGDTRTX is full.
When clear, this flag indicates to the processor that the DBGDTRTX is ready to receive
data. It is automatically cleared on reads of the DBGDTRTX by the debugger, and is set
when the processor writes to the DBGDTRTX over the CP14 interface. If this bit is set and
the processor attempts to write to the DBGDTRTX, the register contents are overwritten
and the DTRRXfull flag remains set.
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 226
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Debug
ARM DDI 0363G Copyright © 2006-2011 ARM Limited. All rights reserved. 12-14
ID041111 Non-Confidential
12.4.5 CP14 c1, Debug Status and Control Register
The DBGDSCR Register characteristics are:
Purpose Contains status and control information about the debug unit.
Usage constraints See DTR access mode on page 12-18.
Configurations Available in all processor configurations.
Attributes See Table 12-10.
Figure 12-5 shows the DBGDSCR bit assignments.
Figure 12-5 DBGDSCR Register bit assignments
Table 12-10 shows the DBGDSCR bit assignments.
31 30 29 28 16 15 14 13 12 11 10 6 5 2 1 0
MOE
9 78
Core halted
Core restarted
26 25 24 23
PipeAdv
InstrCompl-l
22 21 20 19 18
Monitor debug-mode
Halting debug-mode
ARM
DbgAck
IntDis
Comms
Sticky imprecise abort
Sticky Undefined
Reserved
Sticky precise abort
DTR access
Discard
imprecise
abort
27
Reserved
DTRTXfull
DTRRXfull
Reserved
Reserved
Reserved
DTRTXfull-l
DTRRXfull-l
Table 12-10 DBGDSCR Register bit assignments
Bits Name Function
[31] - RAZ on reads, SBZP on writes.
[30] DTRRXfull The DTRRXfull flag:
0 = Read-DTR, DBGDTRRX is empty. This is the reset value
1 = Read-DTR, DBGDTRRX is full.
When set, this flag indicates to the processor that there is data available to read from the
DBGDTRRX. It is automatically set on writes to the DBGDTRRX by the debugger, and
is cleared when the processor reads the DBGDTRRX over the CP14 interface. If the flag
is not set, reads from the DBGDTRRX return an Unpredictable value.
[29] DTRTXfull The DTRTXfull flag:
0 = Write-DTR, DBGDTRTX is empty. This is the reset value.
1 = Write-DTR, DBGDTRTX is full.
When clear, this flag indicates to the processor that the DBGDTRTX is ready to receive
data. It is automatically cleared on reads of the DBGDTRTX by the debugger, and is set
when the processor writes to the DBGDTRTX over the CP14 interface. If this bit is set and
the processor attempts to write to the DBGDTRTX, the register contents are overwritten
and the DTRRXfull flag remains set.
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 227
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Debug
ARM DDI 0363G Copyright © 2006-2011 ARM Limited. All rights reserved. 12-14
ID041111 Non-Confidential
12.4.5 CP14 c1, Debug Status and Control Register
The DBGDSCR Register characteristics are:
Purpose Contains status and control information about the debug unit.
Usage constraints See DTR access mode on page 12-18.
Configurations Available in all processor configurations.
Attributes See Table 12-10.
Figure 12-5 shows the DBGDSCR bit assignments.
Figure 12-5 DBGDSCR Register bit assignments
Table 12-10 shows the DBGDSCR bit assignments.
31 30 29 28 16 15 14 13 12 11 10 6 5 2 1 0
MOE
9 78
Core halted
Core restarted
26 25 24 23
PipeAdv
InstrCompl-l
22 21 20 19 18
Monitor debug-mode
Halting debug-mode
ARM
DbgAck
IntDis
Comms
Sticky imprecise abort
Sticky Undefined
Reserved
Sticky precise abort
DTR access
Discard
imprecise
abort
27
Reserved
DTRTXfull
DTRRXfull
Reserved
Reserved
Reserved
DTRTXfull-l
DTRRXfull-l
Table 12-10 DBGDSCR Register bit assignments
Bits Name Function
[31] - RAZ on reads, SBZP on writes.
[30] DTRRXfull The DTRRXfull flag:
0 = Read-DTR, DBGDTRRX is empty. This is the reset value
1 = Read-DTR, DBGDTRRX is full.
When set, this flag indicates to the processor that there is data available to read from the
DBGDTRRX. It is automatically set on writes to the DBGDTRRX by the debugger, and
is cleared when the processor reads the DBGDTRRX over the CP14 interface. If the flag
is not set, reads from the DBGDTRRX return an Unpredictable value.
[29] DTRTXfull The DTRTXfull flag:
0 = Write-DTR, DBGDTRTX is empty. This is the reset value.
1 = Write-DTR, DBGDTRTX is full.
When clear, this flag indicates to the processor that the DBGDTRTX is ready to receive
data. It is automatically cleared on reads of the DBGDTRTX by the debugger, and is set
when the processor writes to the DBGDTRTX over the CP14 interface. If this bit is set and
the processor attempts to write to the DBGDTRTX, the register contents are overwritten
and the DTRRXfull flag remains set.
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 228
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Debug
ARM DDI 0363G Copyright © 2006-2011 ARM Limited. All rights reserved. 12-14
ID041111 Non-Confidential
12.4.5 CP14 c1, Debug Status and Control Register
The DBGDSCR Register characteristics are:
Purpose Contains status and control information about the debug unit.
Usage constraints See DTR access mode on page 12-18.
Configurations Available in all processor configurations.
Attributes See Table 12-10.
Figure 12-5 shows the DBGDSCR bit assignments.
Figure 12-5 DBGDSCR Register bit assignments
Table 12-10 shows the DBGDSCR bit assignments.
31 30 29 28 16 15 14 13 12 11 10 6 5 2 1 0
MOE
9 78
Core halted
Core restarted
26 25 24 23
PipeAdv
InstrCompl-l
22 21 20 19 18
Monitor debug-mode
Halting debug-mode
ARM
DbgAck
IntDis
Comms
Sticky imprecise abort
Sticky Undefined
Reserved
Sticky precise abort
DTR access
Discard
imprecise
abort
27
Reserved
DTRTXfull
DTRRXfull
Reserved
Reserved
Reserved
DTRTXfull-l
DTRRXfull-l
Table 12-10 DBGDSCR Register bit assignments
Bits Name Function
[31] - RAZ on reads, SBZP on writes.
[30] DTRRXfull The DTRRXfull flag:
0 = Read-DTR, DBGDTRRX is empty. This is the reset value
1 = Read-DTR, DBGDTRRX is full.
When set, this flag indicates to the processor that there is data available to read from the
DBGDTRRX. It is automatically set on writes to the DBGDTRRX by the debugger, and
is cleared when the processor reads the DBGDTRRX over the CP14 interface. If the flag
is not set, reads from the DBGDTRRX return an Unpredictable value.
[29] DTRTXfull The DTRTXfull flag:
0 = Write-DTR, DBGDTRTX is empty. This is the reset value.
1 = Write-DTR, DBGDTRTX is full.
When clear, this flag indicates to the processor that the DBGDTRTX is ready to receive
data. It is automatically cleared on reads of the DBGDTRTX by the debugger, and is set
when the processor writes to the DBGDTRTX over the CP14 interface. If this bit is set and
the processor attempts to write to the DBGDTRTX, the register contents are overwritten
and the DTRRXfull flag remains set.
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 229
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Debug
ARM DDI 0363G Copyright © 2006-2011 ARM Limited. All rights reserved. 12-14
ID041111 Non-Confidential
12.4.5 CP14 c1, Debug Status and Control Register
The DBGDSCR Register characteristics are:
Purpose Contains status and control information about the debug unit.
Usage constraints See DTR access mode on page 12-18.
Configurations Available in all processor configurations.
Attributes See Table 12-10.
Figure 12-5 shows the DBGDSCR bit assignments.
Figure 12-5 DBGDSCR Register bit assignments
Table 12-10 shows the DBGDSCR bit assignments.
31 30 29 28 16 15 14 13 12 11 10 6 5 2 1 0
MOE
9 78
Core halted
Core restarted
26 25 24 23
PipeAdv
InstrCompl-l
22 21 20 19 18
Monitor debug-mode
Halting debug-mode
ARM
DbgAck
IntDis
Comms
Sticky imprecise abort
Sticky Undefined
Reserved
Sticky precise abort
DTR access
Discard
imprecise
abort
27
Reserved
DTRTXfull
DTRRXfull
Reserved
Reserved
Reserved
DTRTXfull-l
DTRRXfull-l
Table 12-10 DBGDSCR Register bit assignments
Bits Name Function
[31] - RAZ on reads, SBZP on writes.
[30] DTRRXfull The DTRRXfull flag:
0 = Read-DTR, DBGDTRRX is empty. This is the reset value
1 = Read-DTR, DBGDTRRX is full.
When set, this flag indicates to the processor that there is data available to read from the
DBGDTRRX. It is automatically set on writes to the DBGDTRRX by the debugger, and
is cleared when the processor reads the DBGDTRRX over the CP14 interface. If the flag
is not set, reads from the DBGDTRRX return an Unpredictable value.
[29] DTRTXfull The DTRTXfull flag:
0 = Write-DTR, DBGDTRTX is empty. This is the reset value.
1 = Write-DTR, DBGDTRTX is full.
When clear, this flag indicates to the processor that the DBGDTRTX is ready to receive
data. It is automatically cleared on reads of the DBGDTRTX by the debugger, and is set
when the processor writes to the DBGDTRTX over the CP14 interface. If this bit is set and
the processor attempts to write to the DBGDTRTX, the register contents are overwritten
and the DTRRXfull flag remains set.
To which addresses arethe debugging registersmapped?
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 230
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
To which addresses arethe debugging registersmapped?
Memory Map
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 231
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
To which addresses arethe debugging registersmapped?
Memory Map
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 232
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
To which addresses arethe debugging registersmapped?
ROM
0x00000000
0x000A0000
Memory Map
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 233
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
To which addresses arethe debugging registersmapped?
ROM
0x00000000
0x000A0000
RAM
0x00180000
0x00240000
Memory Map
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 234
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
To which addresses arethe debugging registersmapped?
ROM
0x00000000
0x000A0000
RAM
0x00180000
0x00240000
Memory MappedPeripherals
0x18000000
0x????????
Memory Map
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 235
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
To which addresses arethe debugging registersmapped?
ROM
0x00000000
0x000A0000
RAM
0x00180000
0x00240000
Memory MappedPeripherals
0x18000000
0x????????
0x????????
0x????????
Memory Map
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 236
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
To which addresses arethe debugging registersmapped?
ROM
0x00000000
0x000A0000
RAM
0x00180000
0x00240000
Memory MappedPeripherals
0x18000000
0x????????
0x????????
0x????????
Memory Map
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 237
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
To which addresses arethe debugging registersmapped?
ROM
0x00000000
0x000A0000
RAM
0x00180000
0x00240000
Memory MappedPeripherals
0x18000000
0x????????
0x????????
0x????????
Memory Map
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 238
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
To which addresses arethe debugging registersmapped?
ROM
0x00000000
0x000A0000
RAM
0x00180000
0x00240000
Memory MappedPeripherals
0x18000000
0x????????
0x????????
0x????????
Memory Map
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 239
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
To which addresses arethe debugging registersmapped?
ROM
0x00000000
0x000A0000
RAM
0x00180000
0x00240000
Memory MappedPeripherals
0x18000000
0x????????
0x18007000
0x18007FFC
✓
Memory Map
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 240
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
To which addresses arethe debugging registersmapped?
ROM
0x00000000
0x000A0000
RAM
0x00180000
0x00240000
Memory MappedPeripherals
0x18000000
0x????????
0x18007000
0x18007FFC
✓
Memory Map
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 241
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
To which addresses arethe debugging registersmapped?
ROM
0x00000000
0x000A0000
RAM
0x00180000
0x00240000
Memory MappedPeripherals
0x18000000
0x????????
0x18007000
0x18007FFC
✓Reminder: We need tounlock debug registers!
Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 242
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
Firmware Execution Events
Reminder: We need tounlock debug registers!
Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 243
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Reminder: We need tounlock debug registers!
Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 244
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution
Enable Interrupts
Events
Reminder: We need tounlock debug registers!
Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 245
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution
Enable Interrupts
Go to SleepWait for Interrupts
Events
Reminder: We need tounlock debug registers!
Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 246
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution
Enable Interrupts
Go to SleepWait for Interrupts
Events
Send IOCTL
Reminder: We need tounlock debug registers!
Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 247
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution
Enable Interrupts
Go to SleepWait for Interrupts
Events
Send IOCTL
Wake up to handle IOCTL
Reminder: We need tounlock debug registers!
Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 248
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution
Enable Interrupts
Go to SleepWait for Interrupts
Events
Send IOCTL
Wake up to handle IOCTL
Handle Response
Reminder: We need tounlock debug registers!
Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 249
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution
Enable Interrupts
Go to SleepWait for Interrupts
Events
Send IOCTL
Wake up to handle IOCTL
Handle Response
Send IOCTL
Reminder: We need tounlock debug registers!
Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 250
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution
Enable Interrupts
Go to SleepWait for Interrupts
Events
Send IOCTL
Wake up to handle IOCTL
Handle Response
Send IOCTL
Wake up to handle IOCTL:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Reminder: We need tounlock debug registers!
Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 251
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution
Enable Interrupts
Go to SleepWait for Interrupts
Events
Send IOCTL
Wake up to handle IOCTL
Handle Response
Send IOCTL
Wake up to handle IOCTL:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware crashes
Reminder: We need tounlock debug registers!
Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 252
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution
Enable Interrupts
Go to SleepWait for Interrupts
Events
Send IOCTL
Wake up to handle IOCTL
Handle Response
Send IOCTL
Wake up to handle IOCTL:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware crashes
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Reminder: We need tounlock debug registers!
Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 253
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Reminder: We need tounlock debug registers!
Reminder: We need tounlock debug registers! Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 254
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Initialize Hardware
Reminder: We need tounlock debug registers! Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 255
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Reminder: We need tounlock debug registers! Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 256
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware keeps running
✓Reminder: We need tounlock debug registers! Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 257
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware keeps running
✓Reminder: We need tounlock debug registers! Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 258
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware keeps running
Add code before enabling interrupts:DBGLAR = 0xC5ACCE55;
// unlock debug registers
✓Reminder: We need tounlock debug registers! Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 259
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware keeps running
Add code before enabling interrupts:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware crashes
✓Reminder: We need tounlock debug registers! Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 260
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware keeps running
Add code before enabling interrupts:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware crashes
Somewhenin betweenaccess todebug corebreaks
✓Reminder: We need tounlock debug registers! Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 261
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware keeps running
Add code before enabling interrupts:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware crashes
Somewhenin betweenaccess todebug corebreaks
✓Reminder: We need tounlock debug registers! Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 262
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware keeps running
Add code before enabling interrupts:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware crashes
Somewhenin betweenaccess todebug corebreaks
✓Reminder: We need tounlock debug registers! Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 263
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware keeps running
Add code before enabling interrupts:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware crashes
Somewhenin betweenaccess todebug corebreaks
✓Reminder: We need tounlock debug registers! Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 264
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware keeps running
Add code before enabling interrupts:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware crashes
Somewhenin betweenaccess todebug corebreaks
✓Reminder: We need tounlock debug registers! Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 265
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware keeps running
Add code before enabling interrupts:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware crashes
Somewhenin betweenaccess todebug corebreaks
✓Reminder: We need tounlock debug registers! Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 266
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware keeps running
Add code before enabling interrupts:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware crashes
Somewhenin betweenaccess todebug corebreaks
✓Reminder: We need tounlock debug registers! Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 267
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware keeps running
Add code before enabling interrupts:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware crashes
Somewhenin betweenaccess todebug corebreaks
✓Reminder: We need tounlock debug registers! Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 268
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware keeps running
Add code before enabling interrupts:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware crashes
Somewhenin betweenaccess todebug corebreaks
This instruction disabledthe debugging core
Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 269
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware keeps running
Add code before enabling interrupts:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware crashes
Somewhenin betweenaccess todebug corebreaks
Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 270
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware keeps running
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Add code before enabling interrupts:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware crashes
Somewhenin betweenaccess todebug corebreakssub_184968(v2, 5, 16, 0);
Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 271
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware keeps running
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Add code before enabling interrupts:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware crashes
Somewhenin betweenaccess todebug corebreakssub_184968(v2, 5, 16, 0);
Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 272
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware keeps running
Why can‘t we accessthe debug registers?Is the debug coreeven available?
Add code before enabling interrupts:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Somewhenin betweenaccess todebug corebreakssub_184968(v2, 5, 16, 0);
Firmware keeps running
Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 273
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware keeps running
Add code before enabling interrupts:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Somewhenin betweenaccess todebug corebreakssub_184968(v2, 5, 16, 0);
Firmware keeps running
We managed toreactivate accessto the debuggingcore.
Accessing Debug Core
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 274
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference ManualInitialize Hardware
Firmware Execution Events
Initialize Hardware
Hook c_main call:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware keeps running
Add code before enabling interrupts:DBGLAR = 0xC5ACCE55;
// unlock debug registers
Firmware Crashes
Somewhenin betweenaccess todebug corebreakssub_184968(v2, 5, 16, 0);
Firmware keeps running
We managed toreactivate accessto the debuggingcore.
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
✓✓
✓✓
✓✓✓
✓
// Called by c_main_hookvoid set_debug_registers(void) {
dbg_unlock_debug_registers();dbg_disable_breakpoint(0);dbg_disable_breakpoint(1);dbg_disable_breakpoint(2);dbg_disable_breakpoint(3);dbg_enable_monitor_mode_debugging();
dbg_set_breakpoint_for_addr_match(0, 0x126f0);
dbg_set_watchpoint_for_addr_match(0, 0x1FC2A4);}
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 275
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
✓✓
✓✓
✓✓✓
✓
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 276
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
✓✓
✓✓
✓✓✓
✓
// Called by c_main_hookvoid set_debug_registers(void) {
dbg_unlock_debug_registers();dbg_disable_breakpoint(0);dbg_disable_breakpoint(1);dbg_disable_breakpoint(2);dbg_disable_breakpoint(3);dbg_enable_monitor_mode_debugging();
dbg_set_breakpoint_for_addr_match(0, 0x126f0);
dbg_set_watchpoint_for_addr_match(0, 0x1FC2A4);}
Unlock access to debugging registers
/* DBGLAR - Lock Access Register */#define DBGLAR (*(volatile int *) (DBGBASE + 0xFB0))#define DBGLAR_UNLOCK_CODE (0xC5ACCE55)
#define dbg_unlock_debug_registers() do { \DBGLAR = DBGLAR_UNLOCK_CODE; \
} while (0)
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 277
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
✓✓
✓✓
✓✓✓
✓
// Called by c_main_hookvoid set_debug_registers(void) {
dbg_unlock_debug_registers();dbg_disable_breakpoint(0);dbg_disable_breakpoint(1);dbg_disable_breakpoint(2);dbg_disable_breakpoint(3);dbg_enable_monitor_mode_debugging();
dbg_set_breakpoint_for_addr_match(0, 0x126f0);
dbg_set_watchpoint_for_addr_match(0, 0x1FC2A4);}
Unlock access to debugging registers
#define dbg_disable_breakpoint(number) do { \DBGBCR ## number = UPDATE_DBG_REG(DBGBCR ## number, \GET_DBG_MASK(DBGBCR_E), SET_DBG_VALUE(DBGBCR_E, \DBGBCR_E_DISABLED)); \
} while (0)
Disable all four hardware breakpoints
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 278
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
✓✓
✓✓
✓✓✓
✓
// Called by c_main_hookvoid set_debug_registers(void) {
dbg_unlock_debug_registers();dbg_disable_breakpoint(0);dbg_disable_breakpoint(1);dbg_disable_breakpoint(2);dbg_disable_breakpoint(3);dbg_enable_monitor_mode_debugging();
dbg_set_breakpoint_for_addr_match(0, 0x126f0);
dbg_set_watchpoint_for_addr_match(0, 0x1FC2A4);}
Unlock access to debugging registers
#define dbg_enable_monitor_mode_debugging() do { \DBGDSCR = UPDATE_DBG_REG(DBGDSCR, \GET_DBG_MASK(DBGDSCR_MDBGen), \SET_DBG_VALUE(DBGDSCR_MDBGen, \DBGDSCR_MDBGen_ENABLED)); \
} while (0)
Disable all four hardware breakpoints
Enable monitor-debug mode
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 279
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
✓✓
✓✓
✓✓✓
✓
// Called by c_main_hookvoid set_debug_registers(void) {
dbg_unlock_debug_registers();dbg_disable_breakpoint(0);dbg_disable_breakpoint(1);dbg_disable_breakpoint(2);dbg_disable_breakpoint(3);dbg_enable_monitor_mode_debugging();
dbg_set_breakpoint_for_addr_match(0, 0x126f0);
dbg_set_watchpoint_for_addr_match(0, 0x1FC2A4);}
Unlock access to debugging registers
#define dbg_set_breakpoint_for_addr_match(number, address) do { \DBGBCR ## number = 0x0; \DBGBVR ## number = (address) & DBGBVR_ADDRMASK; \DBGBCR ## number = \
SET_DBG_VALUE(DBGBCR_BT, DBGBCR_BT_UNLINKED_INSTR_ADDR_MATCH) | \SET_DBG_VALUE(DBGBCR_MASK, DBGBCR_MASK_NO_MASK) | \SET_DBG_VALUE(DBGBCR_E, DBGBCR_E_ENABLED) | \SET_DBG_VALUE(DBGBCR_SSC_HMC_PMC, DBGBCR_SSC_HMC_PMC__PL0_SUP_SYS) | \SET_DBG_VALUE(DBGBCR_BAS, GET_BAS_FOR_THUMB_ADDR(address)); \
} while (0)
Disable all four hardware breakpoints
Enable monitor-debug mode
Set breakpoint at beginning of printf function
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 280
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
Copyright © 2006-2011 ARM Limited. All rights reserved.
ARM DDI 0363G (ID041111)
Cortex™
-R4 and Cortex-R4F
Revision: r1p4
Technical Reference Manual
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
✓✓
✓✓
✓✓✓
✓
// Called by c_main_hookvoid set_debug_registers(void) {
dbg_unlock_debug_registers();dbg_disable_breakpoint(0);dbg_disable_breakpoint(1);dbg_disable_breakpoint(2);dbg_disable_breakpoint(3);dbg_enable_monitor_mode_debugging();
dbg_set_breakpoint_for_addr_match(0, 0x126f0);
dbg_set_watchpoint_for_addr_match(0, 0x1FC2A4);}
Unlock access to debugging registers
#define dbg_set_watchpoint_for_addr_match(number, address) do { \DBGWCR ## number = 0x0; \DBGWVR ## number = (address) & DBGWVR_ADDRMASK; \DBGWCR ## number = \
SET_DBG_VALUE(DBGWCR_WT, DBGWCR_WT_UNLINKED_DATA_ADDR_MATCH) | \SET_DBG_VALUE(DBGWCR_MASK, DBGWCR_MASK_NO_MASK) | \SET_DBG_VALUE(DBGWCR_E, DBGWCR_E_ENABLED) | \SET_DBG_VALUE(DBGWCR_SSC_HMC_PAC, DBGWCR_SSC_HMC_PAC__ALL) | \SET_DBG_VALUE(DBGWCR_LSC, DBGWCR_LSC_MATCH_ALL) | \SET_DBG_VALUE(DBGWCR_BAS_4BIT, 0xF); \
} while (0)
Disable all four hardware breakpoints
Enable monitor-debug mode
Set breakpoint at beginning of printf function
Set memory watchpoint on address of“%s: Broadcom SDPCMD CDC driver“
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 281
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
✓✓
✓✓
✓✓✓
✓
Set breakpoint at beginning of printf function
Set memory watchpoint on address of“%s: Broadcom SDPCMD CDC driver“
RTE (USB-SDIO-CDC) 6.37.32.RC23.34.43 (r639704) on BCM4339 r1 @ 37.4/161.3/161.3MHz000000.010 WP hit pc=00012b3a000000.013 WP hit pc=00012b3a000000.010 sdpcmdcdc0: Broadcom SDPCMD CDC driver000000.141 reclaim section 0: Returned 31688 bytes to the heap000000.189 nexmon_ver: 63fb-dirty-14000000.192 wl_nd_ra_filter_init: Enter..000000.196 TCAM: 256 used: 198 exceed:0000000.200 WP hit pc=000126c2000000.203 reclaim section 1: Returned 71844 bytes to the heap000000.208 BP0 step 0: pc=000126f0 *r1=sdpcmd_dpc000000.213 BP0 step 1: pc=000126f2000000.216 BP0 step 2: pc=000126f4000000.219 BP0 step 3: pc=000126f6000000.223 BP0 step 4: pc=000126fa000000.226 BP0 single-stepping done000000.229 sdpcmd_dpc: Enable000000.234 wl0: wlc_bmac_ucodembss_hwcap: Insuff mem for MBSS: templ memblks 192 fifo ...000000.249 wl0: wlc_enable_probe_req: state down, deferring setting of host flags000000.295 wl0: wlc_enable_probe_req: state down, deferring setting of host flags000000.303 wl0: wlc_enable_probe_req: state down, deferring setting of host flags
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 282
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
✓✓
✓✓
✓✓✓
✓
Set breakpoint at beginning of printf function
Set memory watchpoint on address of“%s: Broadcom SDPCMD CDC driver“
RTE (USB-SDIO-CDC) 6.37.32.RC23.34.43 (r639704) on BCM4339 r1 @ 37.4/161.3/161.3MHz000000.010 WP hit pc=00012b3a000000.013 WP hit pc=00012b3a000000.010 sdpcmdcdc0: Broadcom SDPCMD CDC driver000000.141 reclaim section 0: Returned 31688 bytes to the heap000000.189 nexmon_ver: 63fb-dirty-14000000.192 wl_nd_ra_filter_init: Enter..000000.196 TCAM: 256 used: 198 exceed:0000000.200 WP hit pc=000126c2000000.203 reclaim section 1: Returned 71844 bytes to the heap000000.208 BP0 step 0: pc=000126f0 *r1=sdpcmd_dpc000000.213 BP0 step 1: pc=000126f2000000.216 BP0 step 2: pc=000126f4000000.219 BP0 step 3: pc=000126f6000000.223 BP0 step 4: pc=000126fa000000.226 BP0 single-stepping done000000.229 sdpcmd_dpc: Enable000000.234 wl0: wlc_bmac_ucodembss_hwcap: Insuff mem for MBSS: templ memblks 192 fifo ...000000.249 wl0: wlc_enable_probe_req: state down, deferring setting of host flags000000.295 wl0: wlc_enable_probe_req: state down, deferring setting of host flags000000.303 wl0: wlc_enable_probe_req: state down, deferring setting of host flags
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 283
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
✓✓
✓✓
✓✓✓
✓
Set breakpoint at beginning of printf function
Set memory watchpoint on address of“%s: Broadcom SDPCMD CDC driver“
RTE (USB-SDIO-CDC) 6.37.32.RC23.34.43 (r639704) on BCM4339 r1 @ 37.4/161.3/161.3MHz000000.010 WP hit pc=00012b3a000000.013 WP hit pc=00012b3a000000.010 sdpcmdcdc0: Broadcom SDPCMD CDC driver000000.141 reclaim section 0: Returned 31688 bytes to the heap000000.189 nexmon_ver: 63fb-dirty-14000000.192 wl_nd_ra_filter_init: Enter..000000.196 TCAM: 256 used: 198 exceed:0000000.200 WP hit pc=000126c2000000.203 reclaim section 1: Returned 71844 bytes to the heap000000.208 BP0 step 0: pc=000126f0 *r1=sdpcmd_dpc000000.213 BP0 step 1: pc=000126f2000000.216 BP0 step 2: pc=000126f4000000.219 BP0 step 3: pc=000126f6000000.223 BP0 step 4: pc=000126fa000000.226 BP0 single-stepping done000000.229 sdpcmd_dpc: Enable000000.234 wl0: wlc_bmac_ucodembss_hwcap: Insuff mem for MBSS: templ memblks 192 fifo ...000000.249 wl0: wlc_enable_probe_req: state down, deferring setting of host flags000000.295 wl0: wlc_enable_probe_req: state down, deferring setting of host flags000000.303 wl0: wlc_enable_probe_req: state down, deferring setting of host flags
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 284
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
✓✓
✓✓
✓✓✓
✓
Set breakpoint at beginning of printf function
Set memory watchpoint on address of“%s: Broadcom SDPCMD CDC driver“
RTE (USB-SDIO-CDC) 6.37.32.RC23.34.43 (r639704) on BCM4339 r1 @ 37.4/161.3/161.3MHz000000.010 WP hit pc=00012b3a000000.013 WP hit pc=00012b3a000000.010 sdpcmdcdc0: Broadcom SDPCMD CDC driver000000.141 reclaim section 0: Returned 31688 bytes to the heap000000.189 nexmon_ver: 63fb-dirty-14000000.192 wl_nd_ra_filter_init: Enter..000000.196 TCAM: 256 used: 198 exceed:0000000.200 WP hit pc=000126c2000000.203 reclaim section 1: Returned 71844 bytes to the heap000000.208 BP0 step 0: pc=000126f0 *r1=sdpcmd_dpc000000.213 BP0 step 1: pc=000126f2000000.216 BP0 step 2: pc=000126f4000000.219 BP0 step 3: pc=000126f6000000.223 BP0 step 4: pc=000126fa000000.226 BP0 single-stepping done000000.229 sdpcmd_dpc: Enable000000.234 wl0: wlc_bmac_ucodembss_hwcap: Insuff mem for MBSS: templ memblks 192 fifo ...000000.249 wl0: wlc_enable_probe_req: state down, deferring setting of host flags000000.295 wl0: wlc_enable_probe_req: state down, deferring setting of host flags000000.303 wl0: wlc_enable_probe_req: state down, deferring setting of host flags
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 285
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
✓✓
✓✓
✓✓✓
✓
Set breakpoint at beginning of printf function
Set memory watchpoint on address of“%s: Broadcom SDPCMD CDC driver“
RTE (USB-SDIO-CDC) 6.37.32.RC23.34.43 (r639704) on BCM4339 r1 @ 37.4/161.3/161.3MHz000000.010 WP hit pc=00012b3a000000.013 WP hit pc=00012b3a000000.010 sdpcmdcdc0: Broadcom SDPCMD CDC driver000000.141 reclaim section 0: Returned 31688 bytes to the heap000000.189 nexmon_ver: 63fb-dirty-14000000.192 wl_nd_ra_filter_init: Enter..000000.196 TCAM: 256 used: 198 exceed:0000000.200 WP hit pc=000126c2000000.203 reclaim section 1: Returned 71844 bytes to the heap000000.208 BP0 step 0: pc=000126f0 *r1=sdpcmd_dpc000000.213 BP0 step 1: pc=000126f2000000.216 BP0 step 2: pc=000126f4000000.219 BP0 step 3: pc=000126f6000000.223 BP0 step 4: pc=000126fa000000.226 BP0 single-stepping done000000.229 sdpcmd_dpc: Enable000000.234 wl0: wlc_bmac_ucodembss_hwcap: Insuff mem for MBSS: templ memblks 192 fifo ...000000.249 wl0: wlc_enable_probe_req: state down, deferring setting of host flags000000.295 wl0: wlc_enable_probe_req: state down, deferring setting of host flags000000.303 wl0: wlc_enable_probe_req: state down, deferring setting of host flags
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 286
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
✓✓
✓✓
✓✓✓
✓
Set breakpoint at beginning of printf function
Set memory watchpoint on address of“%s: Broadcom SDPCMD CDC driver“
RTE (USB-SDIO-CDC) 6.37.32.RC23.34.43 (r639704) on BCM4339 r1 @ 37.4/161.3/161.3MHz000000.010 WP hit pc=00012b3a000000.013 WP hit pc=00012b3a000000.010 sdpcmdcdc0: Broadcom SDPCMD CDC driver000000.141 reclaim section 0: Returned 31688 bytes to the heap000000.189 nexmon_ver: 63fb-dirty-14000000.192 wl_nd_ra_filter_init: Enter..000000.196 TCAM: 256 used: 198 exceed:0000000.200 WP hit pc=000126c2000000.203 reclaim section 1: Returned 71844 bytes to the heap000000.208 BP0 step 0: pc=000126f0 *r1=sdpcmd_dpc000000.213 BP0 step 1: pc=000126f2000000.216 BP0 step 2: pc=000126f4000000.219 BP0 step 3: pc=000126f6000000.223 BP0 step 4: pc=000126fa000000.226 BP0 single-stepping done000000.229 sdpcmd_dpc: Enable000000.234 wl0: wlc_bmac_ucodembss_hwcap: Insuff mem for MBSS: templ memblks 192 fifo ...000000.249 wl0: wlc_enable_probe_req: state down, deferring setting of host flags000000.295 wl0: wlc_enable_probe_req: state down, deferring setting of host flags000000.303 wl0: wlc_enable_probe_req: state down, deferring setting of host flags
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 287
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
✓✓
✓✓
✓✓✓
✓
Set breakpoint at beginning of printf function
Set memory watchpoint on address of“%s: Broadcom SDPCMD CDC driver“
RTE (USB-SDIO-CDC) 6.37.32.RC23.34.43 (r639704) on BCM4339 r1 @ 37.4/161.3/161.3MHz000000.010 WP hit pc=00012b3a000000.013 WP hit pc=00012b3a000000.010 sdpcmdcdc0: Broadcom SDPCMD CDC driver000000.141 reclaim section 0: Returned 31688 bytes to the heap000000.189 nexmon_ver: 63fb-dirty-14000000.192 wl_nd_ra_filter_init: Enter..000000.196 TCAM: 256 used: 198 exceed:0000000.200 WP hit pc=000126c2000000.203 reclaim section 1: Returned 71844 bytes to the heap000000.208 BP0 step 0: pc=000126f0 *r1=sdpcmd_dpc000000.213 BP0 step 1: pc=000126f2000000.216 BP0 step 2: pc=000126f4000000.219 BP0 step 3: pc=000126f6000000.223 BP0 step 4: pc=000126fa000000.226 BP0 single-stepping done000000.229 sdpcmd_dpc: Enable000000.234 wl0: wlc_bmac_ucodembss_hwcap: Insuff mem for MBSS: templ memblks 192 fifo ...000000.249 wl0: wlc_enable_probe_req: state down, deferring setting of host flags000000.295 wl0: wlc_enable_probe_req: state down, deferring setting of host flags000000.303 wl0: wlc_enable_probe_req: state down, deferring setting of host flags
Why did it not triggeron other printf calls?
Activating Breakpoints
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 288
Ethernet-to-Wi-Fi Bridge
Linux Kernel
Apps
Low Level Hardware Control
Interface to Host
MAC Sublayer Management Entity (MLME)
Physical Layer
ARM Microcontroller
ROM RAM
ARM Cortex-R4
Debug Core
ToDos to Create DIY Debugger
• Stay in Abort Mode• Save Register State to Abort Mode Stack
• Initialize ABT Stack Pointer• Analyze handle_exceptions function
• Fix LR/SP_ABT LR/SP_SYS• Implement a breakpoint handler
• Handle and reset breakpoints• Perform Single-Stepping
• Activate breakpoints
✓✓
✓✓
✓✓✓
✓
Set breakpoint at beginning of printf function
Set memory watchpoint on address of“%s: Broadcom SDPCMD CDC driver“
RTE (USB-SDIO-CDC) 6.37.32.RC23.34.43 (r639704) on BCM4339 r1 @ 37.4/161.3/161.3MHz000000.010 WP hit pc=00012b3a000000.013 WP hit pc=00012b3a000000.010 sdpcmdcdc0: Broadcom SDPCMD CDC driver000000.141 reclaim section 0: Returned 31688 bytes to the heap000000.189 nexmon_ver: 63fb-dirty-14000000.192 wl_nd_ra_filter_init: Enter..000000.196 TCAM: 256 used: 198 exceed:0000000.200 WP hit pc=000126c2000000.203 reclaim section 1: Returned 71844 bytes to the heap000000.208 BP0 step 0: pc=000126f0 *r1=sdpcmd_dpc000000.213 BP0 step 1: pc=000126f2000000.216 BP0 step 2: pc=000126f4000000.219 BP0 step 3: pc=000126f6000000.223 BP0 step 4: pc=000126fa000000.226 BP0 single-stepping done000000.229 sdpcmd_dpc: Enable000000.234 wl0: wlc_bmac_ucodembss_hwcap: Insuff mem for MBSS: templ memblks 192 fifo ...000000.249 wl0: wlc_enable_probe_req: state down, deferring setting of host flags000000.295 wl0: wlc_enable_probe_req: state down, deferring setting of host flags000000.303 wl0: wlc_enable_probe_req: state down, deferring setting of host flags
Why did it not triggeron other printf calls?
✓
Run the Debugger on Your Own!
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 289
.org
Run the Debugger on Your Own!
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 290
Clone repository
.org
• buildtools (e.g., compiler)• firmwares (e.g., for BCM4339)• patches
• <chip>• bcm4339
• <firmware version>• 6_37_34_43
• <patch name>• nexmon (monitormode + frame injection)• …
• Makefile• setup_env.sh• …
Run the Debugger on Your Own!
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 291
Clone repository
.org
• buildtools (e.g., compiler)• firmwares (e.g., for BCM4339)• patches
• <chip>• bcm4339
• <firmware version>• 6_37_34_43
• <patch name>• nexmon (monitormode + frame injection)• …
• Makefile• setup_env.sh• …
.org/debugger
Run the Debugger on Your Own!
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 292
Clone repository
.org
• buildtools (e.g., compiler)• firmwares (e.g., for BCM4339)• patches
• <chip>• bcm4339
• <firmware version>• 6_37_34_43
• <patch name>• nexmon (monitormode + frame injection)• …
• Makefile• setup_env.sh• …
.org/debugger
• src• patch.c (basic nexmon initialization)• debugger_base.c (common patches)• debugger.c (particular implementation)• …
• Makefile (build and install patch)• patch.ld (linker file to place patches)• …
Clone repository
Run the Debugger on Your Own!
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 293
Clone repository
.org
• buildtools (e.g., compiler)• firmwares (e.g., for BCM4339)• patches
• <chip>• bcm4339
• <firmware version>• 6_37_34_43
• <patch name>• nexmon (monitormode + frame injection)• …
• Makefile• setup_env.sh• …
.org/debugger
• src• patch.c (basic nexmon initialization)• debugger_base.c (common patches)• debugger.c (particular implementation)• …
• Makefile (build and install patch)• patch.ld (linker file to place patches)• …
Clone repository
nexmon> make && source setup_env.shnexmon> cd patches/bcm4339/ 6_37_34_43/debuggernexmon> make install-firmware
Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 294
patch.asmcontains patches written in ARM assembler
Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 295
patch.asmcontains patches written in ARM assembler
Assemblerassembles source files
patch.bincontains machine code binary files of patches
Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 296
patch.asmcontains patches written in ARM assembler
Assemblerassembles source files
patch.bincontains machine code binary files of patches
firmware.bincontains original firmware for Wi-Fi chip
Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 297
patch.asmcontains patches written in ARM assembler
Assemblerassembles source files
patch.bincontains machine code binary files of patches
Patching ToolsPython based collection of firmware patching tools
patched_firmware.bincontains patched firmware for Wi-Fi chip
firmware.bincontains original firmware for Wi-Fi chip
Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 298
patch.asmcontains patches written in ARM assembler
Assemblerassembles source files
patch.bincontains machine code binary files of patches
Patching ToolsPython based collection of firmware patching tools
patched_firmware.bincontains patched firmware for Wi-Fi chip
firmware.bincontains original firmware for Wi-Fi chip
C Based Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 299
C filescontain source code for patches
C Based Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 300
C filescontain source code for patches
Compiler
Object filescontain compiled functions and variables with partially unresolved symbols
C Based Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 301
C filescontain source code for patches
Compiler
Object filescontain compiled functions and variables with partially unresolved symbols
NexmonGCCPlugin
nexmon.precontains extracted address information
C Based Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 302
C filescontain source code for patches
Compiler
Object filescontain compiled functions and variables with partially unresolved symbols
NexmonGCCPlugin
nexmon.precontains extracted address information
C
C Based Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 303
C filescontain source code for patches
Compiler
Object filescontain compiled functions and variables with partially unresolved symbols
NexmonGCCPlugin
nexmon.precontains extracted address information
C
C Based Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 304
C filescontain source code for patches
Compiler
Object filescontain compiled functions and variables with partially unresolved symbols
NexmonGCCPlugin
nexmon.precontains extracted address information
C
C Based Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 305
C filescontain source code for patches
Compiler
Object filescontain compiled functions and variables with partially unresolved symbols
NexmonGCCPlugin
nexmon.precontains extracted address information
__attribute__((at(0x2220A, ”flashpatch”, CHIP_..., FW_...)))BLPatch(hook_name, target_function_name);
C
C Based Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 306
C filescontain source code for patches
Compiler
Object filescontain compiled functions and variables with partially unresolved symbols
NexmonGCCPlugin
nexmon.precontains extracted address information
__attribute__((at(0x2220A, ”flashpatch”, CHIP_..., FW_...)))BLPatch(hook_name, target_function_name);
C
C Based Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 307
C filescontain source code for patches
Compiler
Object filescontain compiled functions and variables with partially unresolved symbols
NexmonGCCPlugin
nexmon.precontains extracted address information
__attribute__((at(0x2220A, ”flashpatch”, CHIP_..., FW_...)))BLPatch(hook_name, target_function_name);
C
C Based Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 308
C filescontain source code for patches
Compiler
Object filescontain compiled functions and variables with partially unresolved symbols
NexmonGCCPlugin
nexmon.precontains extracted address information
C Based Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 309
C filescontain source code for patches
Compiler
Object filescontain compiled functions and variables with partially unresolved symbols
NexmonGCCPlugin
nexmon.precontains extracted address information
Linker filescontain address information to place functions
C Based Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 310
C filescontain source code for patches
Compiler
Object filescontain compiled functions and variables with partially unresolved symbols
NexmonGCCPlugin
nexmon.precontains extracted address information
Linker filescontain address information to place functions
Makefiles filescontain commands to extract functions and variables from linker output and insert them into the firmware
C Based Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 311
C filescontain source code for patches
Compiler
Object filescontain compiled functions and variables with partially unresolved symbols
NexmonGCCPlugin
nexmon.precontains extracted address information
Linker filescontain address information to place functions
Makefiles filescontain commands to extract functions and variables from linker output and insert them into the firmware
Linker
patch.elf filecontains placed functions and variables with resolved symbols
C Based Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 312
C filescontain source code for patches
Compiler
Object filescontain compiled functions and variables with partially unresolved symbols
NexmonGCCPlugin
nexmon.precontains extracted address information
Linker filescontain address information to place functions
Makefiles filescontain commands to extract functions and variables from linker output and insert them into the firmware
Linker
patch.elf filecontains placed functions and variables with resolved symbols
firmware.binoriginal firmware file
C Based Firmware Patching
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 313
C filescontain source code for patches
Compiler
Object filescontain compiled functions and variables with partially unresolved symbols
NexmonGCCPlugin
nexmon.precontains extracted address information
Linker filescontain address information to place functions
Makefiles filescontain commands to extract functions and variables from linker output and insert them into the firmware
Linker
patch.elf filecontains placed functions and variables with resolved symbols
firmware.binoriginal firmware file
patched_fw.binmodified firmware file
Makefile
Patch Placement
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 314
C
#pragma NEXMON targetregion "patch"
void target_function_name(int a) {so_something(a);
}
__attribute__((at(0x2220A, ”flashpatch", CHIP_..., FW_...)))BLPatch(hook_name, target_function_name);
Patch Placement
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 315
C
RAM of a BCM4339 in Nexus 5:
#pragma NEXMON targetregion "patch"
void target_function_name(int a) {so_something(a);
}
__attribute__((at(0x2220A, ”flashpatch", CHIP_..., FW_...)))BLPatch(hook_name, target_function_name);
Patch Placement
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 316
C
RAM of a BCM4339 in Nexus 5:
free
#pragma NEXMON targetregion "patch"
void target_function_name(int a) {so_something(a);
}
__attribute__((at(0x2220A, ”flashpatch", CHIP_..., FW_...)))BLPatch(hook_name, target_function_name);
Patch Placement
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 317
C
RAM of a BCM4339 in Nexus 5:
free
#pragma NEXMON targetregion "patch"
void target_function_name(int a) {so_something(a);
}
__attribute__((at(0x2220A, ”flashpatch", CHIP_..., FW_...)))BLPatch(hook_name, target_function_name);
Patch Placement
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 318
C
RAM of a BCM4339 in Nexus 5:
free
RAM of most other BCM chips:
#pragma NEXMON targetregion "patch"
void target_function_name(int a) {so_something(a);
}
__attribute__((at(0x2220A, ”flashpatch", CHIP_..., FW_...)))BLPatch(hook_name, target_function_name);
Patch Placement
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 319
C
RAM of a BCM4339 in Nexus 5:
free
RAM of most other BCM chips:
#pragma NEXMON targetregion "patch"
void target_function_name(int a) {so_something(a);
}
__attribute__((at(0x2220A, ”flashpatch", CHIP_..., FW_...)))BLPatch(hook_name, target_function_name);
Patch Placement
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 320
C
RAM of a BCM4339 in Nexus 5:
free
RAM of most other BCM chips:
#pragma NEXMON targetregion "patch"
void target_function_name(int a) {so_something(a);
}
__attribute__((at(0x2220A, ”flashpatch", CHIP_..., FW_...)))BLPatch(hook_name, target_function_name);
Patch Placement
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 321
C
RAM of a BCM4339 in Nexus 5:
free
RAM of most other BCM chips:
#pragma NEXMON targetregion "patch"
void target_function_name(int a) {so_something(a);
}
__attribute__((at(0x2220A, ”flashpatch", CHIP_..., FW_...)))BLPatch(hook_name, target_function_name);
D11 firmware
D11 firmware
Patch Placement
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 322
C
RAM of a BCM4339 in Nexus 5:
free
RAM of most other BCM chips:
#pragma NEXMON targetregion "patch"
void target_function_name(int a) {so_something(a);
}
__attribute__((at(0x2220A, ”flashpatch", CHIP_..., FW_...)))BLPatch(hook_name, target_function_name);
D11 firmware
D11 firmware
D11 comp. fw
D11 comp. fw
free
free
Patch Placement
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 323
C
RAM of a BCM4339 in Nexus 5:
free
RAM of most other BCM chips:
#pragma NEXMON targetregion "patch"
void target_function_name(int a) {so_something(a);
}
__attribute__((at(0x2220A, ”flashpatch", CHIP_..., FW_...)))BLPatch(hook_name, target_function_name);
D11 firmware
D11 firmware
D11 comp. fw
D11 comp. fw
free
free
Patch Placement
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 324
C
RAM of a BCM4339 in Nexus 5:
free
RAM of most other BCM chips:
#pragma NEXMON targetregion "patch"
void target_function_name(int a) {so_something(a);
}
__attribute__((at(0x2220A, ”flashpatch", CHIP_..., FW_...)))BLPatch(hook_name, target_function_name);
D11 firmware
D11 firmware
D11 comp. fw
D11 comp. fw
free
free
generally assigned to heap
Patch Placement
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 325
C
RAM of a BCM4339 in Nexus 5:
free
RAM of most other BCM chips:
#pragma NEXMON targetregion "patch"
void target_function_name(int a) {so_something(a);
}
__attribute__((at(0x2220A, ”flashpatch", CHIP_..., FW_...)))BLPatch(hook_name, target_function_name);
D11 firmware
D11 firmware
D11 comp. fw
D11 comp. fw
free
free
generally assigned to heap
Applications using Nexmon
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 326
Massive Reactive Smartphone-Based
Jamming using Arbitrary Waveforms and Adaptive
Power Control,Best Paper at WiSec’17
Nexmon Penetration Testing App with Monitor Mode, Frame
Injection, Airodump View and Wireshark Dissection,
Google Play Store
Compressive Millimeter-Wave Sector Selection in
Off-the-Shelf IEEE 802.11ad Devices,
CoNEXT’17
SourceCode and
Results availableat https://nexmon.org
Third-Party Applications using Nexmon
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 327
Reversing IoT: Xiaomi EcosystemGain cloud independence and
additional functionality by firmware modification,
Recon BRX ‘18
Breaking Fitness Records without Moving:Reverse Engineering and Spoofing Fitbit,
RAID‘18
100 stepsat a time
More Exciting Nexmon Results
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 328
My PhD defenseFebruary 26, 2018 at 1 pm@ TU Darmstadt, Germany
Matthias Schulz | SEEMOO | TU Darmstadt | DIY ARM Debugger for Wi-Fi Chips 329
Matthias SchulzDepartment of Computer Science
SEEMOOMornewegstr. 3264293 Darmstadt/[email protected]
Twitter @nexmon_devPhone +49 6151 16-25478Fax +49 6151 16-25471www.seemoo.tu-darmstadt.de