project:arm_debugging:start

Differences

This shows you the differences between two versions of the page.

project:arm_debugging:start [2019/01/22 20:49] – [Chipwhisperer + UFO target board + STLink v2 + STM32F4] OpenOCD /QtCreator/CLion abyssal
project:arm_debugging:start [2021/06/05 19:29] (current) – [Example: Unbricking (restoring) Proxmark bootloader] Flash bootloader and fullimage from same build abyssal
Line 291: Line 291:
 The code halts processor, erases bootloader sectors, then writes bootloader from ''/path/to/booloader.elf''. After power cycling the bootloader should be working if the elf file is correct. The code halts processor, erases bootloader sectors, then writes bootloader from ''/path/to/booloader.elf''. After power cycling the bootloader should be working if the elf file is correct.
  
 +If you receiving errors:
 +<code>
 +Info : TAP autoX.tap does not have IDCODE
 +.(some more info)
 +Warn : Unexpected idcode after end of chain: XY 0x00000000
 +.(some more warinings)
 +Error: auto0.tap: IR capture error; saw 0x0000 not 0x0001
 +</code>
 +It's because your CPU has locked flash/JTAG.
 +To solve this connect pin 55(ERASE) of CPU to 3.3V for at least 0.5sec. It will trigger erase of flash content and enable JTAG.
 +This is happening mostly on cheap clones of proxmark3 Easy.
 +
 +To debug Proxmark on newer OpenOCD >= 0.10.0, you may set fast memory access and fast DCC downloads:
 +
 +<code>
 +openocd -c "adapter_khz 4000" -f interface/jlink.cfg -c "gdb_memory_map disable" -f target/at91sam7x256.cfg -c "init; arm7_9 fast_memory_access enable; arm7_9 dcc_downloads enable"
 +</code>
 +
 +Seems that flashing bootloader may not be enough, flash bootloader.elf and fullimage.elf from the same build in a single session (e.g. use ''file'' command in gdb), since mixing different branches may still result in bricked proxmark. Some bootloaders can't load fullimages built from other branches.
 ===== J-link connected to Proxmark ===== ===== J-link connected to Proxmark =====
  
 {{ :project:proxmark-jlink.jpg?800 | }} {{ :project:proxmark-jlink.jpg?800 | }}
  
 +===== SystemView for J-link - visualization of interrupts or other functions =====
 +
 +There is an instrumentation possible with changes to code to show how your functions and interrupts behave - [[https://wiki.segger.com/Use_SystemView_without_RTOS | sample code]]
 +
 +Here is an example showing "tail chaining" of interrupts where interrupts are behind one another, and also "late arriving", where Systick interrupts USB interrupt (marked as IST #93 starting at position 2195):
 +
 +{{:project:arm_debugging:systemview_20200318_113539.png?800|}}
 +
 +If you add extra functions, it may measure your functions as well:
 +
 +{{:project:arm_debugging:systemview_20200318_100652.png?800|}}
 +
 +As a side note, ST-link on STM32 discovery boards can be reflashed to JLink (works only on discovery boards, not on separate ST-links).
 +
 +===== ARM ETM trace - recording executed instructions =====
 +
 +ARM processors (Cortex M1+ and others) have built-in a nifty feature that you can record all instructions executed. This requires quite costly hardware (expect 2000 EUR price - JTrace, Lauterbach and uLink), but it can be handy in debugging DMA and interrupts.
 +
 +An example ETM trace:
 +
 +{{:project:arm_debugging:ozone_error_shutdown_highlighted.png?800|}}
 +
 +===== ARM ITM trace - recording samples of executed instructions, interrupts =====
 +
 +You can get code profile like this with ITM (screenshow from ''orbtop''):
 +
 +{{:project:arm_debugging:orbtop_trezor_lots_of_segwit_inputs.png|}}
  
 +To get this working, [[https://github.com/hiviah/ITM-howto-JLink-STLink|follow this howto]]. It shows steps to be used with JLink/JTrace or STLink to get it moving.
 ====== Flyswatter connected to Proxmark ====== ====== Flyswatter connected to Proxmark ======
  
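Review bot: the ERASE-pin recovery step ("connect pin 55(ERASE) of CPU to 3.3V for at least 0.5sec") should say up front that it wipes the entire flash, bootloader included, so the reader knows that the full reflash of bootloader.elf and fullimage.elf from one build described at the end of this hunk is mandatory afterwards; the text says it "will trigger erase of flash content" but leaves the consequence for the existing firmware implicit, and a reader chasing an "IR capture error" may not expect to lose the device's current image. Smaller points in the same hunk: "If you receiving errors" should read "If you are receiving errors", "warinings" is "warnings", and the unchanged context line still spells the path as ''/path/to/booloader.elf'' (bootloader). In the OpenOCD invocation, "adapter_khz 4000" is given before the interface config is loaded; a one-line remark that this is the JTAG clock and is the first thing to lower if the IDCODE/IR capture errors persist would make the two paragraphs connect.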
Line 355: Line 402:
 ====== Chipwhisperer + UFO target board + STLink v2 + STM32F4 ====== ====== Chipwhisperer + UFO target board + STLink v2 + STM32F4 ======
  
-[[https://wiki.newae.com/CW1173_ChipWhisperer-Lite | Chipwhisperer]] with [[https://wiki.newae.com/CW308_UFO_Target | UFO target board]] installed with STM32F4.+[[https://wiki.newae.com/CW1173_ChipWhisperer-Lite | Chipwhisperer]] with [[https://wiki.newae.com/CW308_UFO_Target | UFO target board]] installed with STM32F4. This method will work for other STM32Fx family MCUs.
  
 The STM32F4 can be programmed via Chipwhisperer IDE (you need to use "slow" setting, otherwise it seems to fail) or STLink as usual with gdb+openocd. The STM32F4 can be programmed via Chipwhisperer IDE (you need to use "slow" setting, otherwise it seems to fail) or STLink as usual with gdb+openocd.
 +
 +There are few gotchas for [[https://wiki.newae.com/CW308T-STM32F | older versions of the STM32Fx target board, like the jumper for SHUNTL and SHUNTH (SH+ and SH-) on J16 for programming]]. Though using STLink is definitely a better idea as using the built-in programmer is insanely slow.
  
 {{:project:arm_debugging:chipwhisperer_stlink_stm32f4.jpg?1000|}} {{:project:arm_debugging:chipwhisperer_stlink_stm32f4.jpg?1000|}}
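Review bot: the added "gotchas" sentence names the SHUNTL/SHUNTH (SH+ and SH-) jumper on J16 as a programming pitfall but never says which position is required, so the reader still has to follow the link to find out; state the required jumper setting inline. Also "There are few gotchas" should read "There are a few gotchas", and since the previous paragraph already says the Chipwhisperer IDE needs the "slow" setting and this one calls the built-in programmer "insanely slow", the two could be merged into a single recommendation to use STLink for programming.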
Line 367: Line 416:
 </code> </code>
  
-Run OpenOCD in one terminal, or use QtCreator setup mentioned above. There is option to use [[https://blog.jetbrains.com/clion/2017/12/clion-for-embedded-development-part-ii/ | CLion]]. QtCreator is great if you want free (free as in beer) IDE, but CLion is better when it comes to code completion, especially through templates that extend classes like smart pointers.+===== Fix for Ubuntu 18.04's broken newlib and GDB ===== 
 + 
 +Ubuntu 18.04 since has broken newlib - ''error: /usr/lib/gcc/arm-none-eabi/6.3.1/../../../arm-none-eabi/lib/crt0.o: Conflicting CPU architectures 13/1''
 + 
 +Fix can be seen [[https://github.com/bbcmicrobit/micropython/issues/514#issuecomment-404759614 | in this github issue comment]]. 
 + 
 +To fix it, download and install packages: 
 + 
 +  * https://packages.ubuntu.com/cosmic/all/libnewlib-dev/download 
 +  * https://packages.ubuntu.com/cosmic/all/libnewlib-arm-none-eabi/download 
 + 
 +Install those two packages: 
 + 
 +<code> 
 +dpkg -i libnewlib-dev_3.0.0.20180802-2_all.deb libnewlib-arm-none-eabi_3.0.0.20180802-2_all.deb 
 +</code> 
 + 
 +You need to install GDB from sources, as the gdb-multiarch seems broken. See above for building gdb for ''arm-none-eabi'' with python. 
 +===== Running OpenOCD and debugger ===== 
 + 
 +Run OpenOCD in one terminal, or use QtCreator setup mentioned above. There is option to use [[https://blog.jetbrains.com/clion/2017/12/clion-for-embedded-development-part-ii/ | CLion]]. QtCreator is great if you want free (free as in beer also LGPL) IDE, but CLion is better when it comes to code completion in C++11 and later, especially through templates that extend classes like smart pointers. Though for C code, both are about the same. Maybe QtCreator can be preferrable.
  
 <code> <code>
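Review bot: the dpkg line installs two fixed cosmic (Ubuntu 18.10) package versions onto 18.04, but the text only says "download and install packages"; say that the .deb files come from the cosmic release, that "dpkg -i" must be run as root (sudo), and that the exact version strings in the command must match the files actually downloaded from the two links or dpkg will fail to find them. The removed QtCreator/CLion paragraph reappears under the new "Running OpenOCD and debugger" heading, which is fine, but "preferrable" (here and later in the hunk) should be "preferable", and the sentence "See above for building gdb for arm-none-eabi with python" should name the section it refers to so it can be located.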
Line 373: Line 442:
 </code> </code>
  
-In another terminal, run gdb (modern gdb supports multiple architectures, no need for arm-none-eabi-gdb) with target file, e.g. ''gdb hardware/victims/firmware/simpleserial-aes.arm-stm32f4/simpleserial-aes-CW308_STM32F4.elf''.+If you have different model, e.g. STM32F3 (or F2/F0), just change that parameter in openocd invocation, for F3 (the second file points to config in openocd installed configs):
  
 <code> <code>
 +openocd -f interface/stlink-v2.cfg -f target/stm32f3x.cfg
 +</code>
 +
 +
 +In another terminal, run gdb (modern gdb supports multiple architectures, you need gdb-multiarch or such package, but compiling latest version yourself might be preferrable) with target file, e.g. ''arm-none-eabi-gdb hardware/victims/firmware/simpleserial-aes.arm-stm32f4/simpleserial-aes-CW308_STM32F4.elf''. Note that the clock setting in Chipwhisperer IDE might influence the clocks in OpenOCD configs. So far GDB seems to handle it well on its own. If you are using CW308 UFO board, there is J3 switch to select clock. Unless you want to do something special with the clock, use "HS2/OUT" jumper option. [[https://wiki.newae.com/CW308_UFO_Target#Clock_Selection | Clock selection]] is important for glitching clock, for example.
 +
 +<code>
 +GNU gdb (7.10-1ubuntu3+9) 7.10
 +Copyright (C) 2015 Free Software Foundation, Inc.
 +License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
 +This is free software: you are free to change and redistribute it.
 +There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 +and "show warranty" for details.
 +This GDB was configured as "--host=x86_64-linux-gnu --target=arm-none-eabi".
 +Type "show configuration" for configuration details.
 +For bug reporting instructions, please see:
 +<http://www.gnu.org/software/gdb/bugs/>.
 +Find the GDB manual and other documentation resources online at:
 +<http://www.gnu.org/software/gdb/documentation/>.
 +For help, type "help".
 +Type "apropos word" to search for commands related to "word"...
 +Reading symbols from hardware/victims/firmware/simpleserial-aes.arm-stm32f4/simpleserial-aes-CW308_STM32F4.elf...done.
 (gdb) target extended-remote :3333 (gdb) target extended-remote :3333
-Remote debugging using :3334 +Remote debugging using :3333
-warning: Architecture rejected target-supplied description +
-warning: Cannot convert floating-point register value to non-floating-point type. +
-value has been optimized out+
 0x00000000 in ?? () 0x00000000 in ?? ()
 (gdb) monitor reset halt (gdb) monitor reset halt
 +Unable to match requested speed 1000 kHz, using 950 kHz
 +Unable to match requested speed 1000 kHz, using 950 kHz
 +adapter speed: 950 kHz
 target state: halted target state: halted
 target halted due to debug-request, current mode: Thread  target halted due to debug-request, current mode: Thread 
-xPSR: 0x01000000 pc: 0x08001038 msp: 0x20020000+xPSR: 0x01000000 pc: 0x080014e4 msp: 0x20003000
 (gdb) load (gdb) load
 Loading section .isr_vector, size 0x188 lma 0x8000000 Loading section .isr_vector, size 0x188 lma 0x8000000
-Loading section .text, size 0xf60 lma 0x8000188 +Loading section .text, size 0x140c lma 0x8000188 
-Loading section .rodata, size 0x20 lma 0x80010e8 +Loading section .rodata, size 0x24 lma 0x8001594 
-Loading section .init_array, size 0x4 lma 0x8001108 +Loading section .init_array, size 0x4 lma 0x80015b8 
-Loading section .fini_array, size 0x4 lma 0x800110c +Loading section .fini_array, size 0x4 lma 0x80015bc 
-Loading section .data, size 0x20c lma 0x8001110 +Loading section .data, size 0x20c lma 0x80015c0 
-Start address 0x8001039, load size 4892 +Start address 0x80014e4, load size 6092 
-Remote connection closed+Transfer rate: 14 KB/sec, 1015 bytes/write. 
 +(gdb) monitor reset init 
 +Unable to match requested speed 1000 kHz, using 950 kHz 
 +Unable to match requested speed 1000 kHz, using 950 kHz 
 +adapter speed: 950 kHz 
 +target state: halted 
 +target halted due to debug-request, current mode: Thread  
 +xPSR: 0x01000000 pc: 0x080014e4 msp: 0x20003000 
 +Unable to match requested speed 8000 kHz, using 4000 kHz 
 +Unable to match requested speed 8000 kHz, using 4000 kHz 
 +adapter speed: 4000 kHz 
 +(gdb) c 
 +Continuing.
 </code> </code>
  
 +===== Side channels =====
 +
 +There is a [[https://brmlab.cz/project/chipwhisperer/start | separate project for Chipwhisperer]] and its usage for side channels. Look there.
 +
 +===== JTAG supplying external clock =====
 +
 +It seems that when you desolder clocks (e.g. from crystal oscillator) the SWD/JTAG clock (SWCLK/TCK) can supply the clock to the chip which can be useful e.g. when you need glitch clock, but still would need operation via SWD/JTAG. Tested on [[https://brmlab.cz/project/chipwhisperer/start#glitching_stm32_external_board_through_ufo-board_interface | STM32F429 discovery board]].
 +
 +Doesn't seem to work with Black Magic probe without clock.
 +
 +===== Black Magic Probe =====
 +
 +[[https://github.com/blacksphere/blackmagic/wiki | Black Magic Probe]] (BMP) a replacement either for STLink firmware or usable as firmware on various ARMs to debug other ARMs.
 +
 +Pinout on the debug board is only findable in sources under src/platforms.
 +
 +Interesting features:
 +
 +  1. you can catch hardware ARM interrupts, e.g. "monitor vector_catch enable mm" (catches memory faults)
 +  2. SWD and JTAG boundary scan of devices
 +  3. you can use multiple devices connected
 +
 +
 +Differences from OpenOCD+GDB:
 +
 +  1. you can't use OpenOCD flashing or other OpenOCD commands (this is since BMP created USB-UART device and not a network device)
 +  2. commands used are different, e.g. BMP has "run"/"start" while OpenOCD+GDB has "monitor reset init"/"monitor reset halt"/"monitor reset", connecting to device is different (refer to BMP wiki)
 +
 +BMP creates /dev/ttyACM* interface that can be used without OpenOCD as extended-remote target (see BMP wiki).
 +
 +Some interesting features compared to old OpenOCD+gdb should be tracing support, but after discussions on the BMP discord channel it **doesn't fucking work** with BMP:
 +
 +  * https://github.com/blacksphere/blackmagic/wiki/Serial-Wire-Debug-TRACESWO-support (this shit doesn't work no matter what the docs say, confirmed from the main developer)
 +  * https://github.com/orbcode/orbuculum (you need the specific FPGA to make this work, or spend time porting it to different FPGA
 +
 +Note that you have to disable memory protections in order to read some memory (**set mem inaccessible-by-default off**), even then some parts that are accessible via STLink are not with BMP.
 +
 +==== Building and flashing Black Magic Probe on STLink v2 device ====
 +
 +In the build directory:
 +
 +<code>
 +make PROBE_HOST=stlink ST_BOOTLOADER=1
 +</code>
 +
 +Get the stlink-tool and build it in a directory different from blackmagic sources:
 +
 +<code>
 +git clone https://github.com/jeanthom/stlink-tool
 +cd stlink-tool
 +git submodule init
 +git submodule update
 +make
 +</code>
 +
 +Flash the built BMP with STLink bootloader (you may need to replug the STLink):
 +
 +<code>
 +./stlink-tool /path/to/src/blackmagic.bin
 +</code>
 +
 +After each replug of STLink, you need to run ''stlink-tool'' without arguments to activate it:
 +
 +<code>
 +./stlink-tool
 +</code>
 +
 +After this, ''/dev/ttyACM*'' appears. You can use script like this to a) symlink the devices and b) run the stlink-tool automatically. Automatic run means you can't upgrade until you disable it. Here are the udev rules:
 +
 +<code>
 +# Black Magic Probe
 +# there are two connections, one for GDB and one for uart debugging
 +  SUBSYSTEM=="tty", ATTRS{interface}=="Black Magic GDB Server", SYMLINK+="ttyBmpGdb"
 +  SUBSYSTEM=="tty", ATTRS{interface}=="Black Magic UART Port", SYMLINK+="ttyBmpTarg"
 +# Automatic running of stlink-tool, not recommended, uncomment following line and fill in the path to stlink-tool if you need it
 +#SUBSYSTEM=="usb", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="3748", ACTION=="add", RUN+="<path-to>/stlink-tool"
 +</code>
 +
 +Beware of ModemManager, sometimes even ignoring it in udev rules won't help (maybe since the device is changing USB VID:PID and descriptors? not sure)
 +
 +==== Useful GDB script for better visualization ====
 +
 +If you are reversing low-level assembler interface, catching interrupts, or doing some low-level work, this is a good interface for GDB: https://github.com/cyrus-and/gdb-dashboard
 +
 +Qt Creator can still be used though, but you might need to send the **target extended-remote /dev/ttyACM0** or **target extended-remote /dev/ttyBmpGdb** manually.
 +
 +Preview of the GDB dashboard:
 +
 +{{:project:arm_debugging:screenshot_20191219_001842.png?800|}}
 +==== Invocation inside GDB ====
 +
 +First of all, you need to use /dev/ttyACM (or the symlink /dev/ttyBmpGdb if you used udev rules above), secondly you need to scan for you target, then attach it and finally run/start/continue it.
 +
 +<code>
 +>>> target extended-remote /dev/ttyBmpGdb
 +Remote debugging using /dev/ttyBmpGdb
 +>>> monitor help
 +General commands:
 + version -- Display firmware version info
 + help -- Display help for monitor commands
 + jtag_scan -- Scan JTAG chain for devices
 + swdp_scan -- Scan SW-DP for devices
 + targets -- Display list of available targets
 + morse -- Display morse error message
 + halt_timeout -- Timeout (ms) to wait until Cortex-M is halted: (Default 2000)
 + connect_srst -- Configure connect under SRST: (enable|disable)
 + hard_srst -- Force a pulse on the hard SRST line - disconnects target
 + traceswo -- Start trace capture, NRZ mode: (baudrate)
 +>>> monitor swdp_scan
 +Target voltage: unknown
 +Available Targets:
 +No. Att Driver
 +      STM32F42x M3/M4
 +>>> attach 1
 +>>> monitor vector_catch enable mm ## example how to set breakpoint on memory fault interrupt
 +>>> continue
 +</code>
 +
 +==== Reflashing BMP back STLink v2 (possibly may work with v2.1) ====
 +
 +You either need to find the original STLink firmware somewhere (or have dumped it before) and use ''stlink-tool'' to flash it back or use [[https://www.st.com/en/development-tools/stsw-link007.html | STLink Upgrade Tool]]. If it doesn't find your device, replug it physically and try again.
 +
 +Note on v2 vs v2.1 from BMP developer:
 +
 +//To reflash ST-Link v2, un- and replug to get into the St bootloader. Stlinkv2-1 needs a warm reset to enter the bootloader, but mostly STLinkUpgrade.jar will not recognize the chip. Try with some old version of STLinkUpgrade.jar.//
 +
 +//B.t.w,BMP with git can now run some things from the command line, when PC-hosted, e.g. "blackmagic_hosted file.bin" will erase and flash file.bin at 0x08000000 . PC-hosted is not fast, maybe [[https://github.com/blacksphere/blackmagic/issues/570 | #570]] can improve by using high level commands.//
 +
 +==== Cheap Chinese STLink v2 clones ====
 +
 +Some of them can be reflashed to BMP, some can't (stlink-tool reports error). There are more versions, so the pinout on the outside and also on the board depends on the specific clone type.
 +
 +An example how to [[http://blog.linuxbits.io/2016/02/15/cheap-chinese-st-link-v-2-programmer-converted-to-black-magic-probe-debugger/ | use one cheap clone to flash other]]. The cloned STLink is STM32F1 and it has [[http://blog.linuxbits.io/wp-content/uploads/2016/02/P1160474_clipped2.jpg | SWD pins routed out on the board]]
 +
 +Original STLink (flashed with BMP with ST bootloader) using to program BMP on the cheap clone (haven't yet figure out how to restore ST bootloader, since I don't have the executable image containing the bootloader):
 +
 +{{:project:arm_debugging:stlink_clone_bmp.png|}}
 +
 +
 +==== BMP PC-hosted with BMP HW target ====
 +
 +For BMP built with ''PROBE_HOST=pc-hosted'' you can connect to an external physical BMP with:
 +
 +<code>
 +./src/blackmagic_hosted -s /dev/ttyACM0
 +</code>
 +
 +It will create port 2000 listening for GDB connection and you can use the classic BMP commands like scan and attach:
 +
 +<code>
 +>>> target extended-remote :2000
 +Remote debugging using :2000
 +>>> monitor swdp_scan
 +Target voltage: unknown
 +Available Targets:
 +No. Att Driver
 +      STM32F1 medium density M3/M4
 +>>> attach 1
 +Attaching to program: blackmagic-stlink-v2/src/blackmagic, Remote target
 +0x0800effc in st_usbfs_ep_read_packet (dev=<optimized out>, addr=<optimized out>, buf=<optimized out>, len=<optimized out>) at ../common/st_usbfs_core.c:230
 +230 USB_SET_EP_RX_STAT(addr, USB_EP_RX_STAT_VALID);
 +
 +</code>
 +
 +
 +==== BMP PC-hosted with unmodified STLink v2 target (requires firmware >= V2J32xx) ====
 +
 +Upgrade STLink fw first with the STLinkUpgrade tool mentioned before.
 +
 +With this firmware you can use external unmodified STLink with BMP (''PROBE_HOST=pc-stlinkv2''):
 +
 +<code>
 +./src/blackmagic_stlinkv2
 +</code>
 +
 +It will create port 2000 listening for GDB connection and you can use the classic BMP commands like scan and attach:
 +
 +<code>
 +>>> target extended-remote :2000
 +Remote debugging using :2000
 +>>> monitor swdp_scan
 +Target voltage: unknown
 +Available Targets:
 +No. Att Driver
 +      STM32F1 medium density M3/M4
 +>>> attach 1
 +Attaching to program: blackmagic-stlink-v2/src/blackmagic, Remote target
 +0x0800effc in st_usbfs_ep_read_packet (dev=<optimized out>, addr=<optimized out>, buf=<optimized out>, len=<optimized out>) at ../common/st_usbfs_core.c:230
 +230 USB_SET_EP_RX_STAT(addr, USB_EP_RX_STAT_VALID);
 +
 +</code>
 +
 +
 +===== Other useful tools that are specific to STM32 chips  =====
  
 +  * [[https://www.st.com/en/development-tools/stm32cubemx.html | STM32CubeMX]] - GUI for designing MCU/board settings, shows you the options, pinout of chips, can generate code to set the configuration.
 +  * [[https://www.st.com/en/development-tools/stm32cubeprog.html | STM32CubeProg]] - GUI/CLI programmer, can change things like read/write protect, option bytes, memory contents, etc. You need Oracle Java >= 8 for this, otherwise the GUI part won't work (use JAVA_HOME env var to set the Oracle java dir, then run the program). CLI seems to work without Oracle Java.
 +  * [[https://www.st.com/en/development-tools/stsw-link007.html | STLink Upgrade Tool]] - upgrade for STLink. I think it's also part of STM32CubeMX
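Review bot: the transcript under "BMP PC-hosted with unmodified STLink v2 target" is byte-for-byte the same as the one under "BMP PC-hosted with BMP HW target", including "Attaching to program: blackmagic-stlink-v2/src/blackmagic", which is the BMP firmware binary of the previous section, so it does not look like output from a blackmagic_stlinkv2 session; either paste the real output of that session or drop the block and refer to the previous section. Smaller points in the same hunk: the heading "Reflashing BMP back STLink v2" is missing "to"; the two SUBSYSTEM=="tty" udev rules carry leading whitespace while the commented RUN+= rule does not, which udev tolerates but reads like a paste error; "scan for you target" should be "your target" and "screenshow" should be "screenshot"; and the note on "set mem inaccessible-by-default off" would be clearer if it said this changes only GDB's own check against its memory map and does not touch the target's memory protection, since "disable memory protections" suggests the opposite.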
project/arm_debugging/start.1548190153.txt.gz · Last modified: 2019/01/22 20:49 by abyssal