project:arm_debugging:start
| project:arm_debugging:start [2019/01/22 20:49] – [Chipwhisperer + UFO target board + STLink v2 + STM32F4] OpenOCD /QtCreator/CLion abyssal | project:arm_debugging:start [2021/06/05 19:29] (current) – [Example: Unbricking (restoring) Proxmark bootloader] Flash bootloader and fullimage from same build abyssal | ||
|---|---|---|---|
| Line 291: | Line 291: | ||
| The code halts processor, erases bootloader sectors, then writes bootloader from ''/ | The code halts processor, erases bootloader sectors, then writes bootloader from ''/ | ||
| + | If you receiving errors: | ||
| + | < | ||
| + | Info : TAP autoX.tap does not have IDCODE | ||
| + | .(some more info) | ||
| + | Warn : Unexpected idcode after end of chain: XY 0x00000000 | ||
| + | .(some more warinings) | ||
| + | Error: auto0.tap: IR capture error; saw 0x0000 not 0x0001 | ||
| + | </ | ||
| + | It's because your CPU has locked flash/JTAG. | ||
| + | To solve this connect pin 55(ERASE) of CPU to 3.3V for at least 0.5sec. It will trigger erase of flash content and enable JTAG. | ||
| + | This is happening mostly on cheap clones of proxmark3 Easy. | ||
| + | |||
| + | To debug Proxmark on newer OpenOCD >= 0.10.0, you may set fast memory access and fast DCC downloads: | ||
| + | |||
| + | < | ||
| + | openocd -c " | ||
| + | </ | ||
| + | |||
| + | Seems that flashing bootloader may not be enough, flash bootloader.elf and fullimage.elf from the same build in a single session (e.g. use '' | ||
| ===== J-link connected to Proxmark ===== | ===== J-link connected to Proxmark ===== | ||
| {{ : | {{ : | ||
| + | ===== SystemView for J-link - visualization of interrupts or other functions ===== | ||
| + | |||
| + | There is an instrumentation possible with changes to code to show how your functions and interrupts behave - [[https:// | ||
| + | |||
| + | Here is an example showing "tail chaining" | ||
| + | |||
| + | {{: | ||
| + | |||
| + | If you add extra functions, it may measure your functions as well: | ||
| + | |||
| + | {{: | ||
| + | |||
| + | As a side note, ST-link on STM32 discovery boards can be reflashed to JLink (works only on discovery boards, not on separate ST-links). | ||
| + | |||
| + | ===== ARM ETM trace - recording executed instructions ===== | ||
| + | |||
| + | ARM processors (Cortex M1+ and others) have built-in a nifty feature that you can record all instructions executed. This requires quite costly hardware (expect 2000 EUR price - JTrace, Lauterbach and uLink), but it can be handy in debugging DMA and interrupts. | ||
| + | |||
| + | An example ETM trace: | ||
| + | |||
| + | {{: | ||
| + | |||
| + | ===== ARM ITM trace - recording samples of executed instructions, | ||
| + | |||
| + | You can get code profile like this with ITM (screenshow from '' | ||
| + | |||
| + | {{: | ||
| + | To get this working, [[https:// | ||
| ====== Flyswatter connected to Proxmark ====== | ====== Flyswatter connected to Proxmark ====== | ||
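Review bot: the sentence "It's because your CPU has locked flash/JTAG." gives one cause as certain, and the fix that follows ("connect pin 55(ERASE) of CPU to 3.3V for at least 0.5sec") is destructive, since the same paragraph says it triggers an erase of the flash content. Suggest wording it as the likely cause, naming the CPU part and package that pin number 55 refers to, and stating explicitly that after the erase both bootloader and fullimage must be reflashed, as the "Seems that flashing bootloader may not be enough" paragraph below describes. Also "warinings" should read "warnings".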
| Line 355: | Line 402: | ||
| ====== Chipwhisperer + UFO target board + STLink v2 + STM32F4 ====== | ====== Chipwhisperer + UFO target board + STLink v2 + STM32F4 ====== | ||
| - | [[https:// | + | [[https:// | 
| The STM32F4 can be programmed via Chipwhisperer IDE (you need to use " | The STM32F4 can be programmed via Chipwhisperer IDE (you need to use " | ||
| + | |||
| + | There are few gotchas for [[https:// | ||
| {{: | {{: | ||
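Review bot: "There are few gotchas for" should read "There are a few gotchas for".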
| Line 367: | Line 416: | ||
| </ | </ | ||
| - | Run OpenOCD in one terminal, or use QtCreator setup mentioned above. There is option to use [[https:// | + | ===== Fix for Ubuntu 18.04' | 
| + | |||
| + | Ubuntu 18.04 since has broken newlib - '' | ||
| + | |||
| + | Fix can be seen [[https:// | ||
| + | |||
| + | To fix it, download and install packages: | ||
| + | |||
| + | * https:// | ||
| + | * https:// | ||
| + | |||
| + | Install those two packages: | ||
| + | |||
| + | < | ||
| + | dpkg -i libnewlib-dev_3.0.0.20180802-2_all.deb libnewlib-arm-none-eabi_3.0.0.20180802-2_all.deb | ||
| + | </ | ||
| + | |||
| + | You need to install GDB from sources, as the gdb-multiarch seems broken. See above for building gdb for '' | ||
| + | ===== Running OpenOCD and debugger ===== | ||
| + | |||
| + | Run OpenOCD in one terminal, or use QtCreator setup mentioned above. There is option to use [[https:// | ||
| < | < | ||
| Line 373: | Line 442: | ||
| </ | </ | ||
| - | In another terminal, run gdb (modern gdb supports multiple architectures, | + | If you have different model, e.g. STM32F3 (or F2/F0), just change that parameter in openocd invocation, for F3 (the second file points to config in openocd installed configs): | 
| < | < | ||
| + | openocd -f interface/ | ||
| + | </ | ||
| + | |||
| + | |||
| + | In another terminal, run gdb (modern gdb supports multiple architectures, | ||
| + | |||
| + | < | ||
| + | GNU gdb (7.10-1ubuntu3+9) 7.10 | ||
| + | Copyright (C) 2015 Free Software Foundation, Inc. | ||
| + | License GPLv3+: GNU GPL version 3 or later < | ||
| + | This is free software: you are free to change and redistribute it. | ||
| + | There is NO WARRANTY, to the extent permitted by law.  Type "show copying" | ||
| + | and "show warranty" | ||
| + | This GDB was configured as " | ||
| + | Type "show configuration" | ||
| + | For bug reporting instructions, | ||
| + | < | ||
| + | Find the GDB manual and other documentation resources online at: | ||
| + | < | ||
| + | For help, type " | ||
| + | Type " | ||
| + | Reading symbols from hardware/ | ||
| (gdb) target extended-remote :3333 | (gdb) target extended-remote :3333 | ||
| - | Remote debugging using :3334 | + | Remote debugging using :3333 | 
| - | warning: Architecture rejected target-supplied description | + | |
| - | warning: Cannot convert floating-point register value to non-floating-point type. | + | |
| - | value has been optimized out | + | |
| 0x00000000 in ?? () | 0x00000000 in ?? () | ||
| (gdb) monitor reset halt | (gdb) monitor reset halt | ||
| + | Unable to match requested speed 1000 kHz, using 950 kHz | ||
| + | Unable to match requested speed 1000 kHz, using 950 kHz | ||
| + | adapter speed: 950 kHz | ||
| target state: halted | target state: halted | ||
| target halted due to debug-request, | target halted due to debug-request, | ||
| - | xPSR: 0x01000000 pc: 0x08001038 | + | xPSR: 0x01000000 pc: 0x080014e4 | 
| (gdb) load | (gdb) load | ||
| Loading section .isr_vector, | Loading section .isr_vector, | ||
| - | Loading section .text, size 0xf60 lma 0x8000188 | + | Loading section .text, size 0x140c | 
| - | Loading section .rodata, size 0x20 lma 0x80010e8 | + | Loading section .rodata, size 0x24 lma 0x8001594 | 
| - | Loading section .init_array, | + | Loading section .init_array, | 
| - | Loading section .fini_array, | + | Loading section .fini_array, | 
| - | Loading section .data, size 0x20c lma 0x8001110 | + | Loading section .data, size 0x20c lma 0x80015c0 | 
| - | Start address | + | Start address | 
| - | Remote connection closed | + | Transfer rate: 14 KB/sec, 1015 bytes/ | 
| + | (gdb) monitor reset init | ||
| + | Unable to match requested speed 1000 kHz, using 950 kHz | ||
| + | Unable to match requested speed 1000 kHz, using 950 kHz | ||
| + | adapter speed: 950 kHz | ||
| + | target state: halted | ||
| + | target halted due to debug-request, | ||
| + | xPSR: 0x01000000 pc: 0x080014e4 msp: 0x20003000 | ||
| + | Unable to match requested speed 8000 kHz, using 4000 kHz | ||
| + | Unable to match requested speed 8000 kHz, using 4000 kHz | ||
| + | adapter speed: 4000 kHz | ||
| + | (gdb) c | ||
| + | Continuing. | ||
| </ | </ | ||
| + | ===== Side channels ===== | ||
| + | |||
| + | There is a [[https:// | ||
| + | |||
| + | ===== JTAG supplying external clock ===== | ||
| + | |||
| + | It seems that when you desolder clocks (e.g. from crystal oscillator) the SWD/JTAG clock (SWCLK/TCK) can supply the clock to the chip which can be useful e.g. when you need glitch clock, but still would need operation via SWD/JTAG. Tested on [[https:// | ||
| + | |||
| + | Doesn' | ||
| + | |||
| + | ===== Black Magic Probe ===== | ||
| + | |||
| + | [[https:// | ||
| + | |||
| + | Pinout on the debug board is only findable in sources under src/ | ||
| + | |||
| + | Interesting features: | ||
| + | |||
| + | 1. you can catch hardware ARM interrupts, e.g. " | ||
| + | 2. SWD and JTAG boundary scan of devices | ||
| + | 3. you can use multiple devices connected | ||
| + | |||
| + | |||
| + | Differences from OpenOCD+GDB: | ||
| + | |||
| + | 1. you can't use OpenOCD flashing or other OpenOCD commands (this is since BMP created USB-UART device and not a network device) | ||
| + | 2. commands used are different, e.g. BMP has " | ||
| + | |||
| + | BMP creates / | ||
| + | |||
| + | Some interesting features compared to old OpenOCD+gdb should be tracing support, but after discussions on the BMP discord channel it **doesn' | ||
| + | |||
| + | * https:// | ||
| + | * https:// | ||
| + | |||
| + | Note that you have to disable memory protections in order to read some memory (**set mem inaccessible-by-default off**), even then some parts that are accessible via STLink are not with BMP. | ||
| + | |||
| + | ==== Building and flashing Black Magic Probe on STLink v2 device ==== | ||
| + | |||
| + | In the build directory: | ||
| + | |||
| + | < | ||
| + | make PROBE_HOST=stlink ST_BOOTLOADER=1 | ||
| + | </ | ||
| + | |||
| + | Get the stlink-tool and build it in a directory different from blackmagic sources: | ||
| + | |||
| + | < | ||
| + | git clone https:// | ||
| + | cd stlink-tool | ||
| + | git submodule init | ||
| + | git submodule update | ||
| + | make | ||
| + | </ | ||
| + | |||
| + | Flash the built BMP with STLink bootloader (you may need to replug the STLink): | ||
| + | |||
| + | < | ||
| + | ./ | ||
| + | </ | ||
| + | |||
| + | After each replug of STLink, you need to run '' | ||
| + | |||
| + | < | ||
| + | ./ | ||
| + | </ | ||
| + | |||
| + | After this, ''/ | ||
| + | |||
| + | < | ||
| + | # Black Magic Probe | ||
| + | # there are two connections, | ||
| + | SUBSYSTEM==" | ||
| + | SUBSYSTEM==" | ||
| + | # Automatic running of stlink-tool, | ||
| + | # | ||
| + | </ | ||
| + | |||
| + | Beware of ModemManager, | ||
| + | |||
| + | ==== Useful GDB script for better visualization ==== | ||
| + | |||
| + | If you are reversing low-level assembler interface, catching interrupts, or doing some low-level work, this is a good interface for GDB: https:// | ||
| + | |||
| + | Qt Creator can still be used though, but you might need to send the **target extended-remote / | ||
| + | |||
| + | Preview of the GDB dashboard: | ||
| + | |||
| + | {{: | ||
| + | ==== Invocation inside GDB ==== | ||
| + | |||
| + | First of all, you need to use /dev/ttyACM (or the symlink / | ||
| + | |||
| + | < | ||
| + | >>> | ||
| + | Remote debugging using / | ||
| + | >>> | ||
| + | General commands: | ||
| + | version -- Display firmware version info | ||
| + | help -- Display help for monitor commands | ||
| + | jtag_scan -- Scan JTAG chain for devices | ||
| + | swdp_scan -- Scan SW-DP for devices | ||
| + | targets -- Display list of available targets | ||
| + | morse -- Display morse error message | ||
| + | halt_timeout -- Timeout (ms) to wait until Cortex-M is halted: (Default 2000) | ||
| + | connect_srst -- Configure connect under SRST: (enable|disable) | ||
| + | hard_srst -- Force a pulse on the hard SRST line - disconnects target | ||
| + | traceswo -- Start trace capture, NRZ mode: (baudrate) | ||
| + | >>> | ||
| + | Target voltage: unknown | ||
| + | Available Targets: | ||
| + | No. Att Driver | ||
| + |  | ||
| + | >>> | ||
| + | >>> | ||
| + | >>> | ||
| + | </ | ||
| + | |||
| + | ==== Reflashing BMP back STLink v2 (possibly may work with v2.1) ==== | ||
| + | |||
| + | You either need to find the original STLink firmware somewhere (or have dumped it before) and use '' | ||
| + | |||
| + | Note on v2 vs v2.1 from BMP developer: | ||
| + | |||
| + | //To reflash ST-Link v2, un- and replug to get into the St bootloader. Stlinkv2-1 needs a warm reset to enter the bootloader, but mostly STLinkUpgrade.jar will not recognize the chip. Try with some old version of STLinkUpgrade.jar.// | ||
| + | |||
| + | //B.t.w,BMP with git can now run some things from the command line, when PC-hosted, e.g. " | ||
| + | |||
| + | ==== Cheap Chinese STLink v2 clones ==== | ||
| + | |||
| + | Some of them can be reflashed to BMP, some can't (stlink-tool reports error). There are more versions, so the pinout on the outside and also on the board depends on the specific clone type. | ||
| + | |||
| + | An example how to [[http:// | ||
| + | |||
| + | Original STLink (flashed with BMP with ST bootloader) using to program BMP on the cheap clone (haven' | ||
| + | |||
| + | {{: | ||
| + | |||
| + | |||
| + | ==== BMP PC-hosted with BMP HW target ==== | ||
| + | |||
| + | For BMP built with '' | ||
| + | |||
| + | < | ||
| + | ./ | ||
| + | </ | ||
| + | |||
| + | It will create port 2000 listening for GDB connection and you can use the classic BMP commands like scan and attach: | ||
| + | |||
| + | < | ||
| + | >>> | ||
| + | Remote debugging using :2000 | ||
| + | >>> | ||
| + | Target voltage: unknown | ||
| + | Available Targets: | ||
| + | No. Att Driver | ||
| + |  | ||
| + | >>> | ||
| + | Attaching to program: blackmagic-stlink-v2/ | ||
| + | 0x0800effc in st_usbfs_ep_read_packet (dev=< | ||
| + | 230			USB_SET_EP_RX_STAT(addr, | ||
| + | |||
| + | </ | ||
| + | |||
| + | |||
| + | ==== BMP PC-hosted with unmodified STLink v2 target (requires firmware >= V2J32xx) ==== | ||
| + | |||
| + | Upgrade STLink fw first with the STLinkUpgrade tool mentioned before. | ||
| + | |||
| + | With this firmware you can use external unmodified STLink with BMP ('' | ||
| + | |||
| + | < | ||
| + | ./ | ||
| + | </ | ||
| + | |||
| + | It will create port 2000 listening for GDB connection and you can use the classic BMP commands like scan and attach: | ||
| + | |||
| + | < | ||
| + | >>> | ||
| + | Remote debugging using :2000 | ||
| + | >>> | ||
| + | Target voltage: unknown | ||
| + | Available Targets: | ||
| + | No. Att Driver | ||
| + |  | ||
| + | >>> | ||
| + | Attaching to program: blackmagic-stlink-v2/ | ||
| + | 0x0800effc in st_usbfs_ep_read_packet (dev=< | ||
| + | 230			USB_SET_EP_RX_STAT(addr, | ||
| + | |||
| + | </ | ||
| + | |||
| + | |||
| + | ===== Other useful tools that are specific to STM32 chips ===== | ||
| + | * [[https:// | ||
| + | * [[https:// | ||
| + | * [[https:// | ||
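Review bot: in the Ubuntu 18.04 section, "gdb-multiarch seems broken" gives no symptom or package version, so a reader on a later release cannot tell whether the workaround still applies; state what fails. The "dpkg -i libnewlib-dev_3.0.0.20180802-2_all.deb libnewlib-arm-none-eabi_3.0.0.20180802-2_all.deb" step installs two downloaded .deb files; name the archive they were taken from next to the two download links so they can be checked against it before installing. In the Black Magic Probe section, "some parts that are accessible via STLink are not with BMP" should name the regions concerned, since "set mem inaccessible-by-default off" only makes GDB attempt the reads and which ones then fail is the useful information.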
project/arm_debugging/start.1548190153.txt.gz · Last modified: 2019/01/22 20:49 by abyssal