STM32 & RT-Thread reverse entry

Backahasten @ 0xFA

Nowadays MCU prices keep falling, and for the same money you can buy far more RAM and ROM than before. Once the application logic becomes complex, rather than spending a lot of time hand-crafting bare-metal code, it makes sense to put an operating system underneath to speed up development. Firmware that runs an operating system is somewhat different to reverse engineer than firmware without one.

RT-Thread is a model of a Chinese-developed real-time operating system, and my personal favorite. Its BSPs support a large number of chips and architectures; this article uses the most common one, the STM32.

The hardware I use is the Pandora IoT development board produced jointly by RT-Thread and ALIENTEK (正点原子). The hardware itself is not needed for this article; being lazy, I simply reverse the example projects that ship with the board.

Startup

I have always believed one thing: without the ability to develop there is no security, and development skill sets the ceiling on security skill. Reversing STM32 & RT-Thread firmware is the same. When we open a bin file, the first thing to do is find the main function, and the main function we want here is not the STM32's own bare-metal main function but the main function as the operating system runs it. For example, in STM32 & Keil development, RT-Thread uses $Sub$$main to call the operating system initialization; in bare-metal development without an operating system, this function would simply be the main function of the application logic.

Details of the startup process can be found at https://www.rt-thread.org/document/site/tutorial/quick-start/stm32f103-simulator/stm32f103-simulator/; for completeness, some of the code is copied here.

// defined in components.c
/* re-define main function */
int $Sub$$main(void)
{
    rt_hw_interrupt_disable();   /* disable interrupts before the kernel is up */
    rtthread_startup();          /* initialize and start RT-Thread */
    return 0;
}

It calls two functions: the first disables interrupts, the second begins operating system initialization.

int rtthread_startup(void)
{
    rt_hw_interrupt_disable();

    /* board level initialization
     * NOTE: please initialize heap inside board initialization.
     */
    rt_hw_board_init();

    /* show RT-Thread version */
    rt_show_version();

    /* timer system initialization */
    rt_system_timer_init();

    /* scheduler system initialization */
    rt_system_scheduler_init();

#ifdef RT_USING_SIGNALS
    /* signal system initialization */
    rt_system_signal_init();
#endif

    /* create init_thread */
    rt_application_init();

    /* timer thread initialization */
    rt_system_timer_thread_init();

    /* idle thread initialization */
    rt_thread_idle_init();

    /* start scheduler */
    rt_system_scheduler_start();

    /* never reach here */
    return 0;
}

The rtthread_startup() function initializes the various components. We ignore most of them and focus on rt_application_init(), which creates the application threads. Through it we can step out of the operating system code and into the place where the real application logic lives.

Operation

We use the Pandora board example 29_iot_web_server; it is moderately complex and lets us analyze every point fully. After Keil compiles it we get an .axf file and a .hex file. The .axf carries the symbol table, while the .hex contains only the basic layout; because embedded firmware is built to save resources, what is burned into the chip basically never includes a symbol table. To reproduce the real situation we first open the .hex file with the J-Link tool and save it as a .bin firmware image, then open that in IDA Pro.

After opening the file and loading it correctly, it looks as shown below (for the method of reversing ARM Cortex-M firmware with IDA Pro, see my earlier article):

[screenshot]

The selected address, 0x8000495, is the PC value the chip loads at power-up. Locate that address, as follows:

[screenshot]

Because the initial PC is set by hardware, there is no software reference to it, so IDA Pro does not recognize it as code. At 0x8000494 press C to disassemble:

[screenshot]

We can see that this is the STM32 startup code. Enter the function at 0x800188:

[screenshot]

The function at 0x800018C is not recognized either; press C again:

[screenshot]

A jump to a function is now identified. Keep following it and enter:

[screenshot]

We find four functions; without a symbol table, it is not known what each of them does.
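The manual walk above, from the reset vector to the startup code and on to the functions it calls, can be scripted against the raw .bin. The following is an added example, not code from the article: it reads the reset vector from the Cortex-M vector table, clears the Thumb bit, then walks the handler collecting BL targets and the literals loaded by LDR Rt,[PC,#imm] (Keil's LDR/BLX and LDR/BX idiom). The image it works on is constructed inline; apart from the 0x8000495 reset vector from the article, every address in it is hypothetical.

```python
import struct

# Constructed sample image (not from the article): a minimal Cortex-M firmware at
# base 0x08000000 whose reset handler mimics Keil's LDR R0,=SystemInit ; BLX R0 ;
# LDR R0,=__main ; BX R0, and whose stand-in "__main" at 0x08000200 does a BL.
BASE = 0x08000000

def u16(blob, off): return struct.unpack_from("<H", blob, off)[0]
def u32(blob, off): return struct.unpack_from("<I", blob, off)[0]

def decode_bl(hw1, hw2, addr):
    """Target of a Thumb-2 BL (T1) at addr: imm32 = SignExtend(S:I1:I2:imm10:imm11:0)."""
    s, j1, j2 = (hw1 >> 10) & 1, (hw2 >> 13) & 1, (hw2 >> 11) & 1
    i1, i2 = (~(j1 ^ s)) & 1, (~(j2 ^ s)) & 1
    imm = (s << 24) | (i1 << 23) | (i2 << 22) | ((hw1 & 0x3FF) << 12) | ((hw2 & 0x7FF) << 1)
    return addr + 4 + (imm - (1 << 25) if s else imm)

def reset_handler(blob):
    """Vector table word 1 is the reset vector; clearing the Thumb bit gives the code address."""
    return u32(blob, 4) & ~1

def call_targets(blob, base, addr, max_insns=32):
    """Walk one function collecting BL targets and PC-relative literals; stop at the first BX or B."""
    targets = []
    for _ in range(max_insns):
        off, hw = addr - base, u16(blob, addr - base)
        if (hw & 0xF800) == 0x4800:                      # LDR Rt, [PC, #imm8*4]
            lit = ((addr + 4) & ~3) + (hw & 0xFF) * 4
            targets.append(u32(blob, lit - base) & ~1)
            addr += 2
        elif (hw & 0xF800) in (0xE800, 0xF000, 0xF800):  # 32-bit Thumb-2 instruction
            hw2 = u16(blob, off + 2)
            if (hw & 0xF800) == 0xF000 and (hw2 & 0xD000) == 0xD000:   # BL
                targets.append(decode_bl(hw, hw2, addr) & ~1)
            addr += 4
        elif (hw & 0xFF87) == 0x4700 or (hw & 0xF800) == 0xE000:      # BX Rm / B
            break
        else:
            addr += 2
    return targets

def build_sample():
    img = bytearray(0x4B0)
    struct.pack_into("<II", img, 0, 0x20020000, 0x08000495)             # initial SP, reset vector
    struct.pack_into("<4H", img, 0x494, 0x4802, 0x4780, 0x4802, 0x4700)  # LDR;BLX;LDR;BX
    struct.pack_into("<II", img, 0x4A0, 0x08000189, 0x08000201)         # literals: SystemInit, __main
    struct.pack_into("<HH", img, 0x200, 0xF000, 0xF87E)                 # stand-in __main: BL 0x08000300
    struct.pack_into("<H", img, 0x204, 0xE7FE)                          # B . ends the walk
    return bytes(img)

IMAGE = build_sample()
```

On a real dump, replace IMAGE with the file contents and BASE with the flash base; the first list printed by call_targets(IMAGE, BASE, reset_handler(IMAGE)) is the same set of startup calls the screenshots walk through by hand.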

Here is a little trick. We are in "god mode": we have the .axf file, which carries the symbol table, and this part of the program, the operating system startup, is the same on every STM32. So we disassemble the .axf file as well and cross-reference it with the .bin, which makes the boot process much easier to analyze. Open the .axf file and find the same location:

[screenshot]

The selected function, the second one, relates to the operating system's thread setup; enter it:

[screenshot]

It turns out to be a pile of functions, so again we refer to the .axf file:

[screenshot]

The sixth called function sets up the tasks; enter it:

[screenshot]

Here we can find where the main task is set up. Enter the function at 0x802485C:

[screenshot]


There are two functions; refer to the .axf:

[screenshot]

The one above goes into the task setup; the one below leads into the main function of the application logic. Enter the main function:

[screenshot]

Press F5 to convert it to pseudocode:

[screenshot]

This is the main task's logic function; from here we can continue the analysis.

In fact there is another method: search the strings directly for "main":

[screenshot]

This also finds the position of the main function. However, since the task name may have been changed, stepping through the startup code from the beginning is the most reliable method.

Working without a symbol table is still hard to accept; that earlier article also describes how to restore the symbol table, which readers can refer to if needed.

Origin www.cnblogs.com/backahasten/p/11646002.html