Invalid memory write for Demo #3

[YourButterfly]

Invalid memory write (UC_ERR_WRITE_UNMAPPED)

Traceback (most recent call last):
  File "test.py", line 12, in <module>
    my_sandbox(["squashfs-root/bin/httpd"], "squashfs-root")
  File "test.py", line 8, in my_sandbox
    ql.run()
  File "/usr/local/lib/python3.6/dist-packages/qiling-0.9-py3.6.egg/qiling/core.py", line 236, in run
    runner(self)
  File "/usr/local/lib/python3.6/dist-packages/qiling-0.9-py3.6.egg/qiling/os/linux/arm.py", line 267, in runner
    ql.enable_lib_patch()
  File "/usr/local/lib/python3.6/dist-packages/qiling-0.9-py3.6.egg/qiling/core.py", line 629, in enable_lib_patch
    self.uc.mem_write(self.__get_lib_base(filename) + addr, code)
  File "/usr/local/lib/python3.6/dist-packages/unicorn/unicorn.py", line 442, in mem_write
    raise UcError(status)
unicorn.unicorn.UcError: Invalid memory write (UC_ERR_WRITE_UNMAPPED)

The method self.__get_lib_base cannot find the library libChipApi.so

[[32768, 933888, 'r-x', '/home/pwd/Desktop/_US_AC15V1.0BR_V15.03.1.17_multi_TD01.bin.extracted/squashfs-root/bin/httpd'], [4156448768, 4156477440, 'rw-', '[mapped]'], [4156477440, 4156481536, 'rw-', '/home/pwd/Desktop/_US_AC15V1.0BR_V15.03.1.17_multi_TD01.bin.extracted/squashfs-root/lib/libCfm.so'], [4156669952, 4156702720, 'rw-', '[mapped]'], [4156739584, 4156768256, 'rw-', '[mapped]'], [4156784640, 4156817408, 'rw-', '[mapped]'], [4156907520, 4156936192, 'rw-', '[mapped]'], [4156993536, 4157022208, 'rw-', '[mapped]'], [4157022208, 4157046784, 'r--', '/home/pwd/Desktop/_US_AC15V1.0BR_V15.03.1.17_multi_TD01.bin.extracted/squashfs-root/lib/libpthread.so.0'], [4157063168, 4157091840, 'rw-', '[mapped]'], [4157153280, 4157186048, 'rw-', '[mapped]'], [4157595648, 4157624320, 'rw-', '[mapped]'], [4157624320, 4157632512, 'rw-', '/home/pwd/Desktop/_US_AC15V1.0BR_V15.03.1.17_multi_TD01.bin.extracted/squashfs-root/lib/libtpi.so'], [4157931520, 4157964288, 'rw-', '[mapped]'], [4158136320, 4158169088, 'rw-', '[mapped]'], [4158169088, 4158173184, 'rw-', '/home/pwd/Desktop/_US_AC15V1.0BR_V15.03.1.17_multi_TD01.bin.extracted/squashfs-root/lib/libucapi.so'], [4158226432, 4158255104, 'rw-', '[mapped]'], [4158676992, 4158709760, 'rw-', '[mapped]'], [4158709760, 4158717952, 'r--', '/home/pwd/Desktop/_US_AC15V1.0BR_V15.03.1.17_multi_TD01.bin.extracted/squashfs-root/lib/libc.so.0'], [4158746624, 4158775296, 'rw-', '[mapped]'], [4158775296, 4158779392, 'r--', '/home/pwd/Desktop/_US_AC15V1.0BR_V15.03.1.17_multi_TD01.bin.extracted/squashfs-root/lib/librt.so.0'], [4160135168, 4160167936, 'rw-', '[mapped]'], [4160167936, 4160245760, 'rw-', '/home/pwd/Desktop/_US_AC15V1.0BR_V15.03.1.17_multi_TD01.bin.extracted/squashfs-root/lib/libcrypto.so.1.0.0'], [4160245760, 4160258048, 'rw-', '[mapped]'], [4219285504, 4219342848, 'r--', '/lib/ld-uClibc.so.0'], [4294106944, 4294107136, 'rw-', '[stack]']]

the source code of test.py

from qiling import *

def my_sandbox(path, rootfs):
    ql = Qiling(path, rootfs, stdin = sys.stdin, stdout = sys.stdout, stderr = sys.stderr)
    # Patch 0x00005930 from br0 to ens33
    ql.patch(0x00005930, b'ens33\x00', file_name = b'libChipApi.so')
    ql.root = False
    ql.run()

if __name__ == "__main__":
    my_sandbox(["squashfs-root/bin/httpd"], "squashfs-root")

my workspace（using binwalk to extract the firmware）

$ tree -L 2
.
├── 198C94.squashfs
├── 5C
├── 5C.7z
├── squashfs-root
│   ├── bin
│   ├── dev
│   ├── etc -> /var/etc
│   ├── etc_ro
│   ├── home -> /var/home
│   ├── init -> bin/busybox
│   ├── lib
│   ├── mnt
│   ├── proc
│   ├── root -> /var/root
│   ├── sbin
│   ├── sys
│   ├── tmp
│   ├── usr
│   ├── var
│   ├── webroot -> var/webroot
│   └── webroot_ro
└── test.py

[xwings]

Hi,

you can turn on dump or disasm mode to take a look, but i think u did not fufill the UDS calling.

[xwings]

this might also be you need the right interface this line is the key

 ql.patch(0x00005930, b'ens33\x00', file_name = b'libChipApi.so')

[xwings]

We found there is some issue with libpatch and we patched it. Please try and reopen the case if u have issue.