Closed DerZc closed 2 years ago
I add 'mem[0x400FF000*8192] = |00|?0xFF' in the configuration, and if I set 0x40000000-0x50000000 as |00|?0xFF it will need a lot of memory, then set this memory as tainted. Bincat can run but throws the exception '[ABORT] armv7: at 0xb494: software interrupt not implemented (swi=af00b580)'. Could you please help me with how I can ignore or skip this exception.
To taint from 0x40000000 to 0x50000000 excluded, which is 268435456 bytes wide, you'll have to add mem[0x40000000*268435456] = |00|!0xFF (note the '!'). This will both initialize the memory to zero and taint it. If you want to leave the memory uninitialized but taint it, add: "mem[0x40000000*268435456] = |00|?0xFF!0xFF"
Note that this is a lot of memory for bincat to analyse. You should split that large chunk into pieces and have them analysed sequentially to measure their impact on the code.
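As an added example (not code from this thread or from bincat itself): a small Python helper that generates taint entries in the mem[base*size] syntax given above, splitting the 0x40000000-0x50000000 range into chunks as suggested, and emits the [analyzer] nop line alongside them. The [analyzer] key, the value syntax and the addresses come from this thread; the [state] section name and all function names are assumptions.

```python
# Added helper, not part of bincat or of this issue thread.
# Value syntax from the thread: |00|!0xFF initializes to zero and taints
# every bit; |00|?0xFF!0xFF leaves the bytes uninitialized but tainted.
from typing import List

# Constructed from the thread: 0x40000000-0x50000000 (end excluded)
PERIPH_START = 0x40000000
PERIPH_END = 0x50000000


def taint_value(initialize: bool) -> str:
    """Value string: zeroed+tainted, or uninitialized+tainted."""
    return "|00|!0xFF" if initialize else "|00|?0xFF!0xFF"


def taint_entries(start: int, end: int, chunk: int,
                  initialize: bool = True) -> List[str]:
    """Split [start, end) into pieces of at most `chunk` bytes and return
    one 'mem[base*size] = value' line per piece (end is excluded)."""
    if start >= end or chunk <= 0:
        raise ValueError("need start < end and chunk > 0")
    lines = []
    base = start
    while base < end:
        size = min(chunk, end - base)
        lines.append(f"mem[0x{base:08X}*{size}] = {taint_value(initialize)}")
        base += size
    return lines


def config_fragment(entries: List[str], nops: List[int]) -> str:
    """Assemble an [analyzer] nop list (comma-separated addresses to skip,
    as described in the thread) and the [state] section (name assumed)."""
    out = ["[analyzer]"]
    if nops:
        out.append("nop = " + ", ".join(f"0x{a:x}" for a in nops))
    out += ["", "[state]"] + entries
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # The GPIO page from the thread, mem[0x400FF000*8192], plus the nop
    print(config_fragment(
        taint_entries(0x400FF000, 0x400FF000 + 8192, 8192), [0xB494]))
    # The whole peripheral range in 16 MiB pieces
    print("\n".join(taint_entries(PERIPH_START, PERIPH_END, 0x1000000)))
```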
@szennou I got it. Thank you very much. Could you please teach me how to ignore the exception I mentioned?
In the [analyzer] section, add nop = 0xb494. You can add a list of addresses to nop, separated by commas; see _doc/initformat.md
But in fact this address is the entry of the main function, I don't know why there is this exception.
Could be due to a bincat bug, but we cannot help without the binary :-/
I just skipped the function at 0xb494, then started the analysis from the main task. I got this exception: "[ABORT] armv7: at 0x1b84: MSR (Banked register) (d1232b00): ARM instruction not implemented yet". The binary is as follows:
.text:00001B78 ; void __cdecl main_task(uint32_t param)
.text:00001B78 EXPORT main_task
.text:00001B78 main_task ; DATA XREF: .data:os_thread_def_main_task↓o
.text:00001B78
.text:00001B78 pSetFlags = -0x10
.text:00001B78 param = -4
.text:00001B78
.text:00001B78 PUSH {R7,LR}
.text:00001B7A SUB SP, SP, #0x10
.text:00001B7C ADD R7, SP, #8
.text:00001B7E STR R0, [R7,#8+param]
.text:00001B80 LDR R3, =bIsInitialized.7189
.text:00001B82 LDRB R3, [R3]
.text:00001B84 CMP R3, #0
.text:00001B86 BNE loc_1BD0
.text:00001B88 BL hardware_init
.text:00001B8C BL MEM_Init
.text:00001B90 BL TMR_Init
.text:00001B94 BL LED_Init
.text:00001B98 BL Phy_Init
.text:00001B9C BL SerialManager_Init
.text:00001BA0 BL SecLib_Init
frdmkw41z_wireless_examples_smac_wireless_messenger_bm.zip I uploaded the file I want to analyse; it is just a sample for the frdmkw41z board with ARM instructions.
Please also give us the configuration file you're using.
init.zip I use the default configuration, then just taint the memory "mem[0x400FF000*8192]"; 0x400FF000 is the base address of the GPIO.
There was a bug in the plugin that generates the config file from IDA. Commit 30719af6473db64b32cca262ebb31df6d0fc20d3 fixes this issue. You'll have to reinstall the plugin (see manual) after the checkout. Note that our coverage of the thumb instructions does not currently cover the whole instruction set used by your firmware. We'll add them in the coming days.
I got it, Thank you very much!
I want to do taint analysis of ARM firmware, such as the firmware of a router. The taint source is the input obtained from a peripheral, which is a specific memory address range, i.e., 0x40000000-0x50000000. Then I want to find all the instructions that are tainted. Can I do that analysis with bincat, and how can I do it?