1 changed files with 118 additions and 0 deletions
Split View
Diff Options
+ 118
- 0
content/2014/03/ctf-armeb-debugging.html
View File
| @@ -0,0 +1,118 @@ | |||
| --- | |||
| title: "CTF + ARMeb + debugging" | |||
| description: > | |||
| CTF + ARMeb + debugging | |||
| created: !!timestamp '2014-03-05' | |||
| time: 7:21 PM | |||
| tags: | |||
| - ctf | |||
| - debugging | |||
| --- | |||
| I've been working on making the AVILA board work again with FreeBSD. | |||
| Thanks to Jim from Netgate for sending me a board to do this work. | |||
| I still have a pending patch waiting to go through bde to fix an | |||
| unaligned off_t store which gets things farther, but with the patch I'm | |||
| getting a: `panic: vm_page_alloc: page 0xc0805db0 is wired` shortly after | |||
| the machine launches the daemons. | |||
| I did work to get cross gdb working for armeb (committed in r261787 and | |||
| r261788), but that didn't help as there is no kernel gdb support on | |||
| armeb. As I'm doing this debugging over the network, I can't dump a | |||
| core. | |||
| I didn't feel like hand decoding a struct vm_page, so I thought of other | |||
| methods, and one way is to use CTF to parse the data type and decode the | |||
| data. I know python and ctypes, so I decided to wrap libctf and see | |||
| what I could do. | |||
| Getting the initial python wrapper working was easy, but my initial test | |||
| data was the kernel on my amd64 box that I am developing on. Now I | |||
| needed to use real armeb CTF data. I point it to my kernel, and I get: | |||
| "`File uses more recent ELF version than libctf`". Ok, extract the CTF | |||
| data from the kernel (ctf data is stored in a section named `.SUNW_ctf`) | |||
| and work on that directly: | |||
| ``` | |||
| $ objcopy -O binary --set-section-flags optfiles=load,alloc -j .SUNW_ctf /tftpboot/kernel.avila.avila /dev/null | |||
| objcopy: /tftpboot/kernel.avila.avila: File format not recognized | |||
| ``` | |||
| Well, ok, that's not too surprising since it's an ARMEB binary, lets try: | |||
| ``` | |||
| $ /usr/obj/arm.armeb/usr/src.avila/tmp/usr/bin/objcopy -O binary --set-section-flags optfiles=load,alloc -j .SUNW_ctf /tftpboot/kernel.avila.avila /tmp/test.avila.ctf | |||
| $ ls -l /tmp/test.avila.ctf | |||
| -rwxr-xr-x 1 jmg wheel 0 Mar 5 17:59 /tmp/test.avila.ctf | |||
| ``` | |||
| Hmm, that didn't work too well, ok, lets just use dd to extract the data | |||
| using info from `objdump -x`. | |||
| Ok, now that I've done that, I get: | |||
| ``` | |||
| ValueError: '/tmp/avila.ctf': File is not in CTF or ELF format | |||
| ``` | |||
| Hmm, why is that? Well, it turns out that the endian of the CTF data | |||
| is wrong. The magic is `cf f1`, but the magic on amd64 is f1 cf, it's | |||
| endian swapped. That's annoying. After spending some time trying to | |||
| build an cross shared version of libctf, I find that it has the same | |||
| issue. | |||
| After a bit of looking around, I discover the CTF can only ever read | |||
| native endianness, but `ctfmerge` has a magic option that will write out | |||
| endian swapped data if necessary depending upon the ELF file it's | |||
| putting in. This means that the CTF data in an armeb object file will | |||
| be different depending upon the endian you compiled it on, so the object | |||
| file isn't cross compatible. But, this does mean that the data in the | |||
| object files will be readable by libctf, just not the data written into | |||
| the kernel. | |||
| So, I create a sacrificial amd64 binary: | |||
| ``` | |||
| $ echo 'int main() {}' | cc -o /tmp/avila2.ctf -x c - | |||
| ``` | |||
| And use `ctfmerge` to put the data in it: | |||
| ``` | |||
| $ ctfmerge -L fldkj -o /tmp/avila2.ctf /usr/obj/arm.armeb/usr/src.avila/sys/AVILA/*.o | |||
| ``` | |||
| and again use `dd` to extract the `.SUNW_ctf` section into a separate file. | |||
| With all this work, I finally have the CTF data in a format that libctf | |||
| can parse, so, I try to parse some data. Now the interesting thing is | |||
| that the CTF data does encode sizes of integers, but it uses the native | |||
| arch's pointer sizes for `CTF_K_POINTER` types, which means that pointers | |||
| appear to be 8 bytes in size instead of the correct 4 bytes. A little | |||
| more hacking on the ctf.py script to force all pointers to be 4 bytes, | |||
| and a little help to convert ddb output to a string and finally, I have | |||
| a dump of the struct vm_page that I was trying to get all along: | |||
| ``` | |||
| {'act_count': '\x00', | |||
| 'aflags': '\x00', | |||
| 'busy_lock': 1, | |||
| 'dirty': '\xff', | |||
| 'flags': 0, | |||
| 'hold_count': 0, | |||
| 'listq': {'tqe_next': 0xc0805e00, 'tqe_prev': 0xc06d18a0}, | |||
| 'md': {'pv_kva': 3235856384, | |||
| 'pv_list': {'tqh_first': 0x0, 'tqh_last': 0xc0805de0}, | |||
| 'pv_memattr': '\x00', | |||
| 'pvh_attrs': 0}, | |||
| 'object': 0xc06d1878, | |||
| 'oflags': '\x04', | |||
| 'order': '\t', | |||
| 'phys_addr': 17776640, | |||
| 'pindex': 3572, | |||
| 'plinks': {'memguard': {'p': 0, 'v': 3228376932}, | |||
| 'q': {'tqe_next': 0x0, 'tqe_prev': 0xc06d1f64}, | |||
| 's': {'pv': 0xc06d1f64, 'ss': {'sle_next': 0x0}}}, | |||
| 'pool': '\x00', | |||
| 'queue': '\xff', | |||
| 'segind': '\x01', | |||
| 'valid': '\xff', | |||
| 'wire_count': 1} | |||
| ``` | |||
| So, the above was produced w/ the final [ctf.py](https://www.funkthat.com/~jmg/ctf.py) script. | |||