MitM-like RTOS support in GDB

I thought for a long time about whether it is possible to republish an article on Habré; I studied the rules, and it seems this is no longer forbidden. If I made a mistake, I will correct it :)


So...


Some time ago, I wrote the firmware code for the Epiphan grabbers of the AV.io line:


  • AV.io HD - our pilot, on which much was debugged and the architecture took shape
  • AV.io SDI - consolidating what we had
  • AV.io 4K - new hardware and new approaches; it now starts almost instantly
  • KVM2USB 3.0 - a deep rethinking of AV.io HD. Thanks to the modernization potential of the base model, a new product was made purely in software, with virtually no changes to the hardware.

A Cypress FX3 was involved there, and the SDK was built on top of ThreadX. An Olimex ARM-USB-OCD-H together with OpenOCD can be used as the JTAG debugger. Unfortunately, OpenOCD knew nothing about the RTOS threads in our case: although basic support is present in its code, our processor used a register stacking scheme different from the one already implemented. I had to dig in and modify it. The benefit of JTAG for development can hardly be overestimated, at least when the work is distributed.


Time goes on. Now it is the turn of Xilinx FPGAs and their MicroBlaze soft processor, on which a port of FreeRTOS 10.x runs. But the problem is exactly the same: the debugger has no thread support!


XSDK


Xilinx ARM Cortex-A53, ARM Cortex-R5 MicroBlaze. MicroBlaze β€” , FPGA. .


( CPU, FPGA, β€” Vivado) β€” XSDK ( 2020 Vitis), Eclipse. FPGA . , JTAG ( OpenOCD!) , . : , , .


, Eclipse, , β€” XSTC. . .


.


JTAG hw_server. TCP , β€” 3121, , , 3000 β€” GDB :


  • N+0 (3000) - ARM Cortex-A53
  • N+1 (3001) - ARM Cortex-R5
  • N+2 (3002) - MicroBlaze ( )

-, .


, . , . , ( !) β€” System Debugger GDB. MicroBlaze GDB β€” mb-gdb.


System Debugger . , Xilinx GDB β€” .


,


, RTOS OpenOCD, , , :


  1. RTOS TCB (Thread Control Block), , . . ( ) β€” Reverse Engineering! : , , .
  2. RTOS β€” . , , . , , β€” . .. . β€” .
  3. 1 β€” TCB ( β€” RTOS).

, GDB GDB , info threads info registers thread N bt.


, RTOS , , RTOS ( , SDK , ). , .


: . . p , , . , ThreadX Cypress FX3. , . β€” .


… GDB-client GDB-server , , , MitM ""? , , , , ?


, : . gdbproxy , .


β€” . C++ ( , , ), Asio, C++17 , , C++2a β€” , , , 100%, 90% !


,


, β€” . . Asio , . . .


: . TCB, . … GDB- . . … ! β€” . , , ( β€” ) : qSymbol::, : - ? β€” . β€” , . qSymbol:NAME, qSymbol:ADDR:NAME qSymbol::NAME , nullptr. - ( , β€” ) , .
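The qSymbol exchange referred to above, as an added C++ example that is not gdbproxy's own code: packet framing with the remote protocol's modulo-256 checksum, the proxy's symbol lookup request to the GDB client, and parsing of GDB's reply, where an empty address field means the symbol is absent. It assumes FreeRTOS's pxCurrentTCB as the looked-up name (not named on this page) and a constructed address 0x80001234.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <optional>
#include <string>
// Modulo-256 sum of the payload bytes, as the GDB remote protocol defines it.
static unsigned gdbChecksum(const std::string& p) {
    unsigned sum = 0;
    for (unsigned char c : p) sum = (sum + c) & 0xffu;
    return sum;
}
// Frame a payload as '$' payload '#' two-hex-digit checksum.
std::string gdbFrame(const std::string& payload) {
    char cs[3];
    std::snprintf(cs, sizeof cs, "%02x", gdbChecksum(payload));
    return "$" + payload + "#" + cs;
}
// Unframe and verify; a proxy NAKs anything failing here rather than forwarding it.
std::optional<std::string> gdbUnframe(const std::string& pkt) {
    std::size_t n = pkt.size();
    if (n < 4 || pkt[0] != '$' || pkt[n - 3] != '#') return std::nullopt;
    std::string payload = pkt.substr(1, n - 4);
    if (std::strtoul(pkt.c_str() + n - 2, nullptr, 16) != gdbChecksum(payload)) return std::nullopt;
    return payload;
}
// Symbol names travel hex-encoded, two digits per byte.
std::string hexEncode(const std::string& s) {
    std::string out; char b[3];
    for (unsigned char c : s) { std::snprintf(b, sizeof b, "%02x", c); out += b; }
    return out;
}
std::string hexDecode(const std::string& h) {
    std::string out;
    for (std::size_t i = 0; i + 1 < h.size(); i += 2) out += static_cast<char>(std::strtoul(h.substr(i, 2).c_str(), nullptr, 16));
    return out;
}
// The stub side (here, the proxy) asks GDB for a symbol with "qSymbol:<hexname>".
std::string buildSymbolRequest(const std::string& name) { return "qSymbol:" + hexEncode(name); }
// GDB answers "qSymbol:<addr>:<hexname>" if it knows the symbol, "qSymbol::<hexname>" if not; an empty address means "not in the ELF", which an RTOS-aware proxy treats as "no RTOS", never as 0.
struct SymbolReply { std::string name; std::optional<uint32_t> addr; };
std::optional<SymbolReply> parseSymbolReply(const std::string& payload) {
    const std::string prefix = "qSymbol:";
    if (payload.compare(0, prefix.size(), prefix) != 0) return std::nullopt;
    std::size_t colon = payload.find(':', prefix.size());
    if (colon == std::string::npos) return std::nullopt;  // a request, not a reply
    std::string addrHex = payload.substr(prefix.size(), colon - prefix.size());
    SymbolReply r{hexDecode(payload.substr(colon + 1)), std::nullopt};
    if (!addrHex.empty()) r.addr = static_cast<uint32_t>(std::strtoul(addrHex.c_str(), nullptr, 16));
    return r;
}
```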


. , , , , β€” … , !


.. , .


, : , . .


, . . (SMP , ) β€” . GDB ( ) β€” : . .


, GDB-client . , . : - , - SP (Stack Pointer) FP (Frame Pointer) . , .


: Set Current Thread ( OK EXX β€” XX β€” , ), . RTOS, , , . , β€” . β€” Current Execution? : β€” . , . ! . Set Current Thread Set Current Thread , xxxxxxxx , β€” ! , RTOS , Set Current Thread , Set Current Thread . : . .


, SP : TCB . SP , .


, . . Stop Reply Packets. , . , breakpoint, watchpoint Break ( , , 0x03 Stop Reply Packet). , , . Stop Reply Packet, . . Stop Reply Packets : vCont c β€” Continue s β€” Step ( ).


. , , .


, , . : . β€” . GDB. MicroBlaze GDB microblaze-tdep.h enum microblaze_regnum:


enum microblaze_regnum
{
  MICROBLAZE_R0_REGNUM,
  MICROBLAZE_R1_REGNUM, MICROBLAZE_SP_REGNUM = MICROBLAZE_R1_REGNUM,
  MICROBLAZE_R2_REGNUM,
  MICROBLAZE_R3_REGNUM, MICROBLAZE_RETVAL_REGNUM = MICROBLAZE_R3_REGNUM,
  MICROBLAZE_R4_REGNUM,
  MICROBLAZE_R5_REGNUM, MICROBLAZE_FIRST_ARGREG = MICROBLAZE_R5_REGNUM,
  MICROBLAZE_R6_REGNUM,
  MICROBLAZE_R7_REGNUM,
  MICROBLAZE_R8_REGNUM,
  MICROBLAZE_R9_REGNUM,
  MICROBLAZE_R10_REGNUM, MICROBLAZE_LAST_ARGREG = MICROBLAZE_R10_REGNUM,
  MICROBLAZE_R11_REGNUM,
  MICROBLAZE_R12_REGNUM,
  MICROBLAZE_R13_REGNUM,
  MICROBLAZE_R14_REGNUM,
  MICROBLAZE_R15_REGNUM,
  MICROBLAZE_R16_REGNUM,
  MICROBLAZE_R17_REGNUM,
  MICROBLAZE_R18_REGNUM,
  MICROBLAZE_R19_REGNUM,
  MICROBLAZE_R20_REGNUM,
  MICROBLAZE_R21_REGNUM,
  MICROBLAZE_R22_REGNUM,
  MICROBLAZE_R23_REGNUM,
  MICROBLAZE_R24_REGNUM,
  MICROBLAZE_R25_REGNUM,
  MICROBLAZE_R26_REGNUM,
  MICROBLAZE_R27_REGNUM,
  MICROBLAZE_R28_REGNUM,
  MICROBLAZE_R29_REGNUM,
  MICROBLAZE_R30_REGNUM,
  MICROBLAZE_R31_REGNUM,
  MICROBLAZE_PC_REGNUM,
  MICROBLAZE_MSR_REGNUM,
  MICROBLAZE_EAR_REGNUM,
  MICROBLAZE_ESR_REGNUM,
  MICROBLAZE_FSR_REGNUM,
  MICROBLAZE_BTR_REGNUM,
  MICROBLAZE_PVR0_REGNUM,
  MICROBLAZE_PVR1_REGNUM,
  MICROBLAZE_PVR2_REGNUM,
  MICROBLAZE_PVR3_REGNUM,
  MICROBLAZE_PVR4_REGNUM,
  MICROBLAZE_PVR5_REGNUM,
  MICROBLAZE_PVR6_REGNUM,
  MICROBLAZE_PVR7_REGNUM,
  MICROBLAZE_PVR8_REGNUM,
  MICROBLAZE_PVR9_REGNUM,
  MICROBLAZE_PVR10_REGNUM,
  MICROBLAZE_PVR11_REGNUM,
  MICROBLAZE_REDR_REGNUM,
  MICROBLAZE_RPID_REGNUM,
  MICROBLAZE_RZPR_REGNUM,
  MICROBLAZE_RTLBX_REGNUM,
  MICROBLAZE_RTLBSX_REGNUM,
  MICROBLAZE_RTLBLO_REGNUM,
  MICROBLAZE_RTLBHI_REGNUM,
  MICROBLAZE_SLR_REGNUM, MICROBLAZE_NUM_CORE_REGS = MICROBLAZE_SLR_REGNUM,
  MICROBLAZE_SHR_REGNUM,
  MICROBLAZE_NUM_REGS
};

, . - , , 00000000 xxxxxxxx, β€” , β€” : unavail. β€” . , qFeatures (TBD: !) , β€” .


, ?


: https://github.com/h4tr3d/gdbproxy/


, BSD MIT. OpenOCD (, : , , , ). .


: . , , RTOS, . . .


?


XSDK:


  1. β€” GDB , System Debugger
  2. GDB, 4002 ( gdbproxy, )
  3. gdbproxy, XSDK hw_server :
    ./gdbproxy --port 4002 --remote-host localhost --remote-port 3002 -- mb_freertos
  4. ...
  5. PROFIT!

When a remote hw_server is used, the limited flexibility of the XSDK configuration means gdbproxy must be run on the same machine as hw_server.


Findings


None. Just the bottom line: thread support for FreeRTOS on MicroBlaze now works.

