Running FreeRTOS on ARM Cortex-M4 CPU

[pipe01]

I'm trying to run an app built using FreeRTOS using Unicorn, but I can't seem to get the exception handlers right.

Relevant FreeRTOS code:

0000413c <vPortStartFirstTask>:
    413c:   4805        ldr r0, [pc, #20]   ; (4154 <vPortStartFirstTask+0x18>)
    413e:   6800        ldr r0, [r0, #0]
    4140:   f380 8808   msr MSP, r0
    4144:   b662        cpsie   i
    4146:   b661        cpsie   f
    4148:   f3bf 8f4f   dsb sy
    414c:   f3bf 8f6f   isb sy
    4150:   df00        svc 0
    4152:   bf00        nop
    4154:   00000000    andeq   r0, r0, r0

00004158 <SVC_Handler>:
    4158:   4b06        ldr r3, [pc, #24]   ; (4174 <SVC_Handler+0x1c>)
    415a:   6819        ldr r1, [r3, #0]
    415c:   6808        ldr r0, [r1, #0]
    415e:   e8b0 4ff0   ldmia.w r0!, {r4, r5, r6, r7, r8, r9, sl, fp, lr}
    4162:   f380 8809   msr PSP, r0
    4166:   f3bf 8f6f   isb sy
    416a:   f04f 0000   mov.w   r0, #0
    416e:   f380 8811   msr BASEPRI, r0
    4172:   4770        bx  lr
    4174:   2000c6c8    andcs   ip, r0, r8, asr #13

When the svc 0 exception is raised I set the PC to the corresponding entry in the vector table, which is hard-coded at the moment:

p, _ := mu.MemRead(11*4, 4)
mu.RegWrite(uc.ARM_REG_PC, uint64(binary.LittleEndian.Uint32(p)))

This works until execution gets to 0x4172, where the lr register is pointing to garbage (0x0xfffffffd) so when the code jumps there it dies. The lr register points to a sensible address until the msr PSP, r0 call, which is when it changes into garbage. Any idea what I'm doing wrong?

[lockbox]

See page B1-539 here. That is proper return address from an exception, you need to hook it and handle it how your use case requires.