ARM-console Tips / Examples - by: Coutts
Here are some examples of useful things that can be done with the ARM-console (written by A1ex). I am compiling this page from chat logs with Alex, with examples of tasks the arm-console can do, that aren't already documented.
Stepping through assembly code
Let's say you're looking at a function in a firmware dump and want to go step by step and figure out the register values at each instruction, or keep track of what's happening at each point in the program. There is a module in the console named emusym which has a function to trace code paths, and tell us what different instructions are doing. Take this code for example:
SUB R9, R10, #4
SUB R8, R10, #8
SUB R7, R10, #0xC
SUB R6, R10, #0x10
SUB LR, R10, #0x14
You can use this to break things down:
In [8]: cp = range(0xff206224, 0xff206224 + 4*5, 4)
In [9]: emusym.resetArm()
In [10]: emusym.emusym_code_path(cp)
In [11]: !cat emusym.log
The output should look something like this:
*******************************************
emulating from 0xFF206224: sub r9, r10, #4
*******************************************
sub r9, r10, #4 => ARM.R9 = (ARM.R10) - (4)
* ARM.R9 = -4 + unk_R10
sub r8, r10, #8 => ARM.R8 = (ARM.R10) - (8)
* ARM.R8 = -8 + unk_R10
sub r7, r10, #12 => ARM.R7 = (ARM.R10) - (12)
* ARM.R7 = -12 + unk_R10
sub r6, r10, #16 => ARM.R6 = (ARM.R10) - (16)
* ARM.R6 = -16 + unk_R10
sub r14, r10, #20 => ARM.LR = (ARM.R10) - (20)
* ARM.LR = -20 + unk_R10
END OF CODE PATH
Notice that R10 was not known when the emulation started, so it is carried through as the symbol unk_R10. Now let's try with a different initial condition, giving R10 a concrete value:
In [12]: emusym.resetArm()
In [13]: emusym.ARM.R10 = 5
In [14]: emusym.emusym_code_path(cp)
In [15]: !cat emusym.log
*******************************************
emulating from 0xFF206224: sub r9, r10, #4
*******************************************
sub r9, r10, #4 => ARM.R9 = (ARM.R10) - (4)
* ARM.R9 = 1
sub r8, r10, #8 => ARM.R8 = (ARM.R10) - (8)
* ARM.R8 = -3
sub r7, r10, #12 => ARM.R7 = (ARM.R10) - (12)
* ARM.R7 = -7
sub r6, r10, #16 => ARM.R6 = (ARM.R10) - (16)
* ARM.R6 = 0xFFFFFFF5
sub r14, r10, #20 => ARM.LR = (ARM.R10) - (20)
* ARM.LR = 0xFFFFFFF1
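To make clear what emusym is doing in the two runs above, here is an added toy emulator (my own example, not the ARM-console's emusym module) for the SUB/ADD register-immediate forms on this page. An unassigned register stays symbolic as unk_Rn and is carried as a (base, offset) pair, so it also handles chains such as SUB R8, R9, #4 after SUB R9, R10, #4; a concrete register wraps to 32 bits, which is why 5 - 16 comes out as 0xFFFFFFF5. The instruction list, the SymArm class name and the (base, offset) representation are all assumptions of this example.

```python
import re

# Toy symbolic emulator (added example, not the ARM-console's own emusym).
# Only the SUB/ADD Rd, Rn, #imm forms used on this page are recognised.
INSN_RE = re.compile(r"^(SUB|ADD)\s+(\w+)\s*,\s*(\w+)\s*,\s*#(0x[0-9A-Fa-f]+|\d+)$", re.I)
ALIASES = {"LR": "R14", "SP": "R13", "PC": "R15"}

def reg_name(name):
    """Normalise register spelling: lr/LR -> R14, r9 -> R9."""
    name = name.upper()
    return ALIASES.get(name, name)

def show(value):
    """Render a concrete u32 with its signed reading, or a symbolic pair."""
    if isinstance(value, tuple):
        base, off = value
        return f"{off} + unk_{base}"
    if value & 0x80000000:
        return f"{value - (1 << 32)} ({value:#010x})"
    return str(value)

class SymArm:
    def __init__(self):
        self.regs = {}   # name -> int (u32) or (base, offset) if symbolic
        self.log = []

    def read(self, reg):
        # A register that was never assigned is the unknown symbol unk_<reg>
        return self.regs.get(reg, (reg, 0))

    def emulate(self, code):
        """Trace a straight-line code path and return the list of log lines."""
        for line in code:
            m = INSN_RE.match(line.strip())
            if not m:
                raise ValueError(f"unsupported instruction: {line!r}")
            op, rd, rn, imm = m.groups()
            rd, rn, imm = reg_name(rd), reg_name(rn), int(imm, 0)
            delta = -imm if op.upper() == "SUB" else imm
            src = self.read(rn)
            if isinstance(src, tuple):
                result = (src[0], src[1] + delta)       # stays symbolic
            else:
                result = (src + delta) & 0xFFFFFFFF     # 32-bit wrap-around
            self.regs[rd] = result
            self.log.append(f"{line.strip().lower()} => ARM.{rd} = {show(result)}")
        return self.log

# Constructed input: the five instructions from the example above.
CODE_PATH = ["SUB R9, R10, #4", "SUB R8, R10, #8", "SUB R7, R10, #0xC",
             "SUB R6, R10, #0x10", "SUB LR, R10, #0x14"]
```

Run `SymArm().emulate(CODE_PATH)` for the unknown-R10 trace, or set `arm.regs["R10"] = 5` first to reproduce the second run.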