seemoo-lab / frankenstein

Broadcom and Cypress firmware emulation for fuzzing and further full-stack debugging
Apache License 2.0

MMIO Register Symbols #1

Closed nosedays closed 4 years ago

nosedays commented 4 years ago

Hi, awesome work! I have a tiny question concerning the symbols for the MMIO registers. The thesis mentions they were found in wiced_hidd_lib.a. However, the instance of wiced_hidd_lib.a I have in my ModusToolbox only contains a relatively small number of symbols, almost all of them functions. The thesis also says the file contains C macros, so could that have been a typo? If so, would it be possible to direct me to the correct file? Also, I guess the symbols mentioned in NewProject.md (dc_nbtc_clk etc.) are among these? Thanks :)

bolek42 commented 4 years ago

Hi, thanks a lot! I'm not sure for the ModusToolbox, but for WICED Studio it is the wiced_hidd_lib.a. But in fact readelf -a does not reveal anything useful, the trick for us was to simply use strings instead:

strings ~/Documents/WICED-Studio-6.2/20735-B1_Bluetooth/WICED/libraries/wiced_hidd_lib.a | grep dc_nbtc_clk
dc_nbtc_clk_adr 0x00318088
dc_nbtc_clk (*(volatile unsigned int *)dc_nbtc_clk_adr)
[ ... ]

Not sure, why they ended up in the file, but I won't complain. Does this also work for you?

cheers, Jan
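As an added example (not code from the Frankenstein project or from anyone in this thread), a small Python parser for the kind of `strings` output quoted above: it pairs each `<name>_adr <hex>` line with its matching volatile-pointer macro, builds a name-to-address map, and offers a reverse lookup by address, which is what an emulator needs when it traps an unmapped MMIO access. Only dc_nbtc_clk and its address come from the thread; the other register names and addresses in the sample are constructed.

```python
import re
from typing import Dict, Optional

# Constructed sample of `strings wiced_hidd_lib.a` output. dc_nbtc_clk and
# 0x00318088 are from the thread; the remaining entries are made up to show
# that unrelated strings and orphan `_adr` lines are ignored.
SAMPLE_STRINGS_OUTPUT = """\
dc_nbtc_clk_adr 0x00318088
dc_nbtc_clk (*(volatile unsigned int *)dc_nbtc_clk_adr)
sample_reg_a_adr 0x00318090
sample_reg_a (*(volatile unsigned int *)sample_reg_a_adr)
orphan_adr 0x00318100
__aeabi_memcpy
"""

# `<name>_adr 0x<hex>`: the address definition half of a register macro pair.
ADR_RE = re.compile(r"^(?P<name>[A-Za-z_]\w*)_adr\s+0x(?P<addr>[0-9A-Fa-f]+)$")
# `<name> (*(volatile unsigned int *)<name>_adr)`: the access macro half.
MACRO_RE = re.compile(
    r"^(?P<name>[A-Za-z_]\w*)\s+\(\*\(volatile unsigned int \*\)(?P=name)_adr\)$"
)


def parse_register_symbols(text: str) -> Dict[str, int]:
    """Return {register_name: address} for every register that has both an
    address line and the matching access macro (orphans are dropped)."""
    addrs: Dict[str, int] = {}
    macros = set()
    for line in text.splitlines():
        line = line.strip()
        m = ADR_RE.match(line)
        if m:
            addrs[m.group("name")] = int(m.group("addr"), 16)
            continue
        m = MACRO_RE.match(line)
        if m:
            macros.add(m.group("name"))
    return {name: addr for name, addr in addrs.items() if name in macros}


def name_at(regs: Dict[str, int], addr: int) -> Optional[str]:
    """Reverse lookup: which register symbol lives at a trapped MMIO address."""
    for name, reg_addr in regs.items():
        if reg_addr == addr:
            return name
    return None


def to_c_header(regs: Dict[str, int]) -> str:
    """Re-emit the recovered pairs as C macros, sorted by address."""
    lines = ["/* recovered MMIO register symbols */"]
    for name, addr in sorted(regs.items(), key=lambda kv: kv[1]):
        lines.append(f"#define {name}_adr 0x{addr:08x}")
        lines.append(f"#define {name} (*(volatile unsigned int *){name}_adr)")
    return "\n".join(lines) + "\n"
```

Pipe the real `strings` output into `parse_register_symbols` instead of the sample to get the full map for your chip.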

jiska2342 commented 4 years ago

You might also want to take a look at these files, locations for a default installation on Linux and macOS:

~/Documents/WICED-Studio-6.4/20706-A2_Bluetooth/Wiced-BT/bsp/inc/20703mapa0.h
~/Documents/WICED-Studio-6.2/43xxx_Wi-Fi/WICED/platform/MCU/BCM920739/inc/B1/hal/20719mapb0.h
~/Documents/WICED-Studio-6.4/common/apps/snip/mesh/mesh_test/20819mapa1.h

They exist in WICED Studio 6.2 and 6.4, but not in ModusToolbox 1.1. At least on my machine. However, the 20819mapa1.h is also in a strange location and might have been created when I built an app.

The 20703 is the chip from the MacBook 2016. 20719 and 20739 are both used for the CYW20719 evaluation board, while 20735 is the evaluation board supported by Frankenstein, and 20819 is the newest CYW20819 evaluation board.

A list of firmware versions can also be found in the InternalBlue firmware readme.

nosedays commented 4 years ago

Awesome, the new wiced_hidd_lib.a in ModusToolbox seems to not have been compiled with debug information, but I got it from WICED 6.4. Also, 20819mapa1.h (the CYW20819 is the one I'm working with) is present by default. Thanks a lot to both of you!