project:arm_debugging:start

Differences

This shows you the differences between two versions of the page.

project:arm_debugging:start [2019/12/18 22:56] – [Black Magic Probe] BMP build&flash abyssal
project:arm_debugging:start [2020/07/25 12:26] – ARM ITM trace HOWTO abyssal
Line 303: Line 303:
 This is happening mostly on cheap clones of proxmark3 Easy. This is happening mostly on cheap clones of proxmark3 Easy.
  
 +To debug Proxmark on newer OpenOCD >= 0.10.0, you may set fast memory access and fast DCC downloads:
  
 +<code> 
 +openocd -c "adapter_khz 4000" -f interface/jlink.cfg -c "gdb_memory_map disable" -f target/at91sam7x256.cfg -c "init; arm7_9 fast_memory_access enable; arm7_9 dcc_downloads enable" 
 +</code>
  
 ===== J-link connected to Proxmark ===== ===== J-link connected to Proxmark =====
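Review bot: the sentence added at Line 303 names only fast memory access and DCC downloads, but the command under it also passes `adapter_khz 4000` and `gdb_memory_map disable`, and neither is explained. Add a sentence saying why the GDB memory map is disabled and that 4000 kHz is a starting value to lower if the link is unstable, since the context line above says the problem shows up mostly on cheap Proxmark3 Easy clones. The ">= 0.10.0" bound is open-ended, so also state the OpenOCD version the command was actually tested with.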
Line 310: Line 313:
 {{ :project:proxmark-jlink.jpg?800 | }} {{ :project:proxmark-jlink.jpg?800 | }}
  
 +===== SystemView for J-link - visualization of interrupts or other functions =====
 +
 +There is an instrumentation possible with changes to code to show how your functions and interrupts behave - [[https://wiki.segger.com/Use_SystemView_without_RTOS | sample code]]
 +
 +Here is an example showing "tail chaining" of interrupts where interrupts are behind one another, and also "late arriving", where Systick interrupts USB interrupt (marked as IST #93 starting at position 2195):
 +
 +{{:project:arm_debugging:systemview_20200318_113539.png?800|}}
 +
 +If you add extra functions, it may measure your functions as well:
 +
 +{{:project:arm_debugging:systemview_20200318_100652.png?800|}}
 +
 +As a side note, ST-link on STM32 discovery boards can be reflashed to JLink (works only on discovery boards, not on separate ST-links).
 +
 +===== ARM ETM trace - recording executed instructions =====
 +
 +ARM processors (Cortex M1+ and others) have built-in a nifty feature that you can record all instructions executed. This requires quite costly hardware (expect 2000 EUR price - JTrace, Lauterbach and uLink), but it can be handy in debugging DMA and interrupts.
 +
 +An example ETM trace:
 +
 +{{:project:arm_debugging:ozone_error_shutdown_highlighted.png?800|}}
 +
 +===== ARM ITM trace - recording samples of executed instructions, interrupts =====
 +
 +You can get code profile like this with ITM (screenshow from ''orbtop''):
 +
 +{{:project:arm_debugging:orbtop_trezor_lots_of_segwit_inputs.png|}}
  
 +To get this working, [[https://github.com/hiviah/ITM-howto-JLink-STLink|follow this howto]]. It shows steps to be used with JLink/JTrace or STLink to get it moving.
 ====== Flyswatter connected to Proxmark ====== ====== Flyswatter connected to Proxmark ======
  
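Review bot: the ITM howto line ("To get this working, ...") is added directly above the existing `====== Flyswatter connected to Proxmark ======` heading, with the blank line left before the paragraph instead of after it; move the blank line so the paragraph is separated from the heading. The three new sections use `=====`, the same level as `===== J-link connected to Proxmark =====`, so SystemView, ETM and ITM become siblings of the Proxmark wiring section although none of them mention Proxmark; consider giving them their own parent heading. Minor: "screenshow" in the ITM paragraph should be "screenshot", and the ETM paragraph gives a price but no pointer to a setup guide, unlike the SystemView and ITM sections.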
Line 510: Line 541:
  
 <code> <code>
-PROBE_HOST=stlink ST_BOOTLOADER=1+make PROBE_HOST=stlink ST_BOOTLOADER=1
 </code> </code>
  
Line 545: Line 576:
 #SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="3748", ACTION=="add", RUN+="<path-to>/stlink-tool" #SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="3748", ACTION=="add", RUN+="<path-to>/stlink-tool"
 </code> </code>
 +
 +Beware of ModemManager, sometimes even ignoring it in udev rules won't help (maybe since the device is changing USB VID:PID and descriptors? not sure)
 +
 +==== Useful GDB script for better visualization ====
 +
 +If you are reversing low-level assembler interface, catching interrupts, or doing some low-level work, this is a good interface for GDB: https://github.com/cyrus-and/gdb-dashboard
 +
 +Qt Creator can still be used though, but you might need to send the **target extended-remote /dev/ttyACM0** or **target extended-remote /dev/ttyBmpGdb** manually.
 +
 +Preview of the GDB dashboard:
 +
 +{{:project:arm_debugging:screenshot_20191219_001842.png?800|}}
 +==== Invocation inside GDB ====
 +
 +First of all, you need to use /dev/ttyACM (or the symlink /dev/ttyBmpGdb if you used udev rules above), secondly you need to scan for you target, then attach it and finally run/start/continue it.
 +
 +<code>
 +>>> target extended-remote /dev/ttyBmpGdb
 +Remote debugging using /dev/ttyBmpGdb
 +>>> monitor help
 +General commands:
 + version -- Display firmware version info
 + help -- Display help for monitor commands
 + jtag_scan -- Scan JTAG chain for devices
 + swdp_scan -- Scan SW-DP for devices
 + targets -- Display list of available targets
 + morse -- Display morse error message
 + halt_timeout -- Timeout (ms) to wait until Cortex-M is halted: (Default 2000)
 + connect_srst -- Configure connect under SRST: (enable|disable)
 + hard_srst -- Force a pulse on the hard SRST line - disconnects target
 + traceswo -- Start trace capture, NRZ mode: (baudrate)
 +>>> monitor swdp_scan
 +Target voltage: unknown
 +Available Targets:
 +No. Att Driver
 +      STM32F42x M3/M4
 +>>> attach 1
 +>>> monitor vector_catch enable mm ## example how to set breakpoint on memory fault interrupt
 +>>> continue
 +</code>
 +
 +==== Reflashing BMP back STLink v2 (possibly may work with v2.1) ====
 +
 +You either need to find the original STLink firmware somewhere (or have dumped it before) and use ''stlink-tool'' to flash it back or use [[https://www.st.com/en/development-tools/stsw-link007.html | STLink Upgrade Tool]]. If it doesn't find your device, replug it physically and try again.
 +
 +Note on v2 vs v2.1 from BMP developer:
 +
 +//To reflash ST-Link v2, un- and replug to get into the St bootloader. Stlinkv2-1 needs a warm reset to enter the bootloader, but mostly STLinkUpgrade.jar will not recognize the chip. Try with some old version of STLinkUpgrade.jar.//
 +
 +//B.t.w,BMP with git can now run some things from the command line, when PC-hosted, e.g. "blackmagic_hosted file.bin" will erase and flash file.bin at 0x08000000 . PC-hosted is not fast, maybe [[https://github.com/blacksphere/blackmagic/issues/570 | #570]] can improve by using high level commands.//
 +
 +==== Cheap Chinese STLink v2 clones ====
 +
 +Some of them can be reflashed to BMP, some can't (stlink-tool reports error). There are more versions, so the pinout on the outside and also on the board depends on the specific clone type.
 +
 +An example how to [[http://blog.linuxbits.io/2016/02/15/cheap-chinese-st-link-v-2-programmer-converted-to-black-magic-probe-debugger/ | use one cheap clone to flash other]]. The cloned STLink is STM32F1 and it has [[http://blog.linuxbits.io/wp-content/uploads/2016/02/P1160474_clipped2.jpg | SWD pins routed out on the board]]
 +
 +Original STLink (flashed with BMP with ST bootloader) using to program BMP on the cheap clone (haven't yet figure out how to restore ST bootloader, since I don't have the executable image containing the bootloader):
 +
 +{{:project:arm_debugging:stlink_clone_bmp.png|}}
 +
 +
 +==== BMP PC-hosted with BMP HW target ====
 +
 +For BMP built with ''PROBE_HOST=pc-hosted'' you can connect to an external physical BMP with:
 +
 +<code>
 +./src/blackmagic_hosted -s /dev/ttyACM0
 +</code>
 +
 +It will create port 2000 listening for GDB connection and you can use the classic BMP commands like scan and attach:
 +
 +<code>
 +>>> target extended-remote :2000
 +Remote debugging using :2000
 +>>> monitor swdp_scan
 +Target voltage: unknown
 +Available Targets:
 +No. Att Driver
 +      STM32F1 medium density M3/M4
 +>>> attach 1
 +Attaching to program: blackmagic-stlink-v2/src/blackmagic, Remote target
 +0x0800effc in st_usbfs_ep_read_packet (dev=<optimized out>, addr=<optimized out>, buf=<optimized out>, len=<optimized out>) at ../common/st_usbfs_core.c:230
 +230 USB_SET_EP_RX_STAT(addr, USB_EP_RX_STAT_VALID);
 +
 +</code>
 +
 +
 +==== BMP PC-hosted with unmodified STLink v2 target (requires firmware >= V2J32xx) ====
 +
 +Upgrade STLink fw first with the STLinkUpgrade tool mentioned before.
 +
 +With this firmware you can use external unmodified STLink with BMP (''PROBE_HOST=pc-stlinkv2''):
 +
 +<code>
 +./src/blackmagic_stlinkv2
 +</code>
 +
 +It will create port 2000 listening for GDB connection and you can use the classic BMP commands like scan and attach:
 +
 +<code>
 +>>> target extended-remote :2000
 +Remote debugging using :2000
 +>>> monitor swdp_scan
 +Target voltage: unknown
 +Available Targets:
 +No. Att Driver
 +      STM32F1 medium density M3/M4
 +>>> attach 1
 +Attaching to program: blackmagic-stlink-v2/src/blackmagic, Remote target
 +0x0800effc in st_usbfs_ep_read_packet (dev=<optimized out>, addr=<optimized out>, buf=<optimized out>, len=<optimized out>) at ../common/st_usbfs_core.c:230
 +230 USB_SET_EP_RX_STAT(addr, USB_EP_RX_STAT_VALID);
 +
 +</code>
 +
 +
 +===== Other useful tools that are specific to STM32 chips  =====
 +
 +  * [[https://www.st.com/en/development-tools/stm32cubemx.html | STM32CubeMX]] - GUI for designing MCU/board settings, shows you the options, pinout of chips, can generate code to set the configuration.
 +  * [[https://www.st.com/en/development-tools/stm32cubeprog.html | STM32CubeProg]] - GUI/CLI programmer, can change things like read/write protect, option bytes, memory contents, etc. You need Oracle Java >= 8 for this, otherwise the GUI part won't work (use JAVA_HOME env var to set the Oracle java dir, then run the program). CLI seems to work without Oracle Java.
 +  * [[https://www.st.com/en/development-tools/stsw-link007.html | STLink Upgrade Tool]] - upgrade for STLink. I think it's also part of STM32CubeMX
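Review bot: in "Reflashing BMP back STLink v2", the wording "find the original STLink firmware somewhere" sends readers to arbitrary downloads for an image that will run on their debug probe; put the STLink Upgrade Tool link and the "have dumped it before" option first, and say to flash only an image whose origin is known. The GDB transcripts under "BMP PC-hosted with BMP HW target" and "BMP PC-hosted with unmodified STLink v2 target" are identical line for line, including the `blackmagic-stlink-v2/src/blackmagic` path and the `0x0800effc` frame, so the second reads as pasted rather than captured; replace it with real output or state that the output is the same. In "Invocation inside GDB", `monitor vector_catch enable mm` is used although `vector_catch` does not appear in the `monitor help` listing pasted just above it, so add a note on when that command becomes available. The ModemManager warning names no symptom and no workaround, which leaves the reader nothing to act on. Typos and layout: "scan for you target", "haven't yet figure out", the heading "Reflashing BMP back STLink v2" is missing "to", and the "Invocation inside GDB" heading needs a blank line after the dashboard image.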
project/arm_debugging/start.txt · Last modified: 2021/06/05 19:29 by abyssal