From 727cffc1735597e950abdc605edf935b535466dc Mon Sep 17 00:00:00 2001 | |
From: Jacob Rosenthal <[email protected]> | |
Date: Mon, 30 Jul 2018 14:39:28 -0700 | |
Subject: [PATCH] add s110 syscalls | |
--- | |
libr/syscall/d/Makefile | 1 + | |
libr/syscall/d/meson.build | 1 + | |
libr/syscall/d/s110-arm-16.sdb.txt | 134 +++++++++++++++++++++++++++++++++++++ | |
3 files changed, 136 insertions(+) | |
create mode 100644 libr/syscall/d/s110-arm-16.sdb.txt | |
diff --git a/libr/syscall/d/Makefile b/libr/syscall/d/Makefile | |
index 5a19bdac7..00c5833b2 100644 | |
--- a/libr/syscall/d/Makefile | |
+++ b/libr/syscall/d/Makefile | |
@@ -8,6 +8,7 @@ F+= linux-x86-32 | |
F+= linux-x86-64 | |
F+= linux-arm-32 | |
F+= linux-arm-64 | |
+F+= s110-arm-16 | |
F+= linux-mips-32 | |
F+= linux-sparc-32 | |
F+= darwin-x86-32 | |
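Review bot: The new `F+= s110-arm-16` line is inserted between `linux-arm-64` and `linux-mips-32`, splitting the linux group of the list; the same happens in the meson.build hunk, where `'s110-arm-16'` lands between `'linux-x86-64'` and `'linux-arm-32'`, so the two lists do not even agree on where the entry goes. Placing the new entry after the last existing entry in both lists, or next to the other non-linux targets, keeps them readable and consistent with each other. The enclosing list begins before this hunk in both files.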
diff --git a/libr/syscall/d/meson.build b/libr/syscall/d/meson.build | |
index 9f6b75ec4..8c33d5fb3 100644 | |
--- a/libr/syscall/d/meson.build | |
+++ b/libr/syscall/d/meson.build | |
@@ -5,6 +5,7 @@ sdb_files = [ | |
'ios-arm-64', | |
'linux-x86-32', | |
'linux-x86-64', | |
+ 's110-arm-16', | |
'linux-arm-32', | |
'linux-arm-64', | |
'linux-mips-32', | |
diff --git a/libr/syscall/d/s110-arm-16.sdb.txt b/libr/syscall/d/s110-arm-16.sdb.txt | |
new file mode 100644 | |
index 000000000..6ad0387f0 | |
--- /dev/null | |
+++ b/libr/syscall/d/s110-arm-16.sdb.txt | |
@@ -0,0 +1,134 @@ | |
+_=0x80 | |
+DFU_BLE_SVC_SET_PEER_DATA=0x80,0 | |
+BOOTLOADER_SVC_LAST=0x80,1 | |
+SD_SOFTDEVICE_ENABLE=0x80,16 | |
+SD_SOFTDEVICE_DISABLE=0x80,17 | |
+SD_SOFTDEVICE_IS_ENABLED=0x80,18 | |
+SD_SOFTDEVICE_VECTOR_TABLE_BASE_SET=0x80,19 | |
+SVC_SDM_LAST=0x80,20 | |
+SD_MBR_COMMAND=0x80,24 | |
+SD_PPI_CHANNEL_ENABLE_GET=0x80,32 | |
+SD_PPI_CHANNEL_ENABLE_SET=0x80,33 | |
+SD_PPI_CHANNEL_ENABLE_CLR=0x80,34 | |
+SD_PPI_CHANNEL_ASSIGN=0x80,35 | |
+SD_PPI_GROUP_TASK_ENABLE=0x80,36 | |
+SD_PPI_GROUP_TASK_DISABLE=0x80,37 | |
+SD_PPI_GROUP_ASSIGN=0x80,38 | |
+SD_PPI_GROUP_GET=0x80,39 | |
+SD_FLASH_PAGE_ERASE=0x80,40 | |
+SD_FLASH_WRITE=0x80,41 | |
+SD_FLASH_PROTECT=0x80,42 | |
+SD_MUTEX_NEW=0x80,43 | |
+SD_MUTEX_ACQUIRE=0x80,44 | |
+SD_MUTEX_RELEASE=0x80,45 | |
+SD_NVIC_ENABLEIRQ=0x80,46 | |
+SD_NVIC_DISABLEIRQ=0x80,47 | |
+SD_NVIC_GETPENDINGIRQ=0x80,48 | |
+SD_NVIC_SETPENDINGIRQ=0x80,49 | |
+SD_NVIC_CLEARPENDINGIRQ=0x80,50 | |
+SD_NVIC_SETPRIORITY=0x80,51 | |
+SD_NVIC_GETPRIORITY=0x80,52 | |
+SD_NVIC_SYSTEMRESET=0x80,53 | |
+SD_NVIC_CRITICAL_REGION_ENTER=0x80,54 | |
+SD_NVIC_CRITICAL_REGION_EXIT=0x80,55 | |
+SD_RAND_APPLICATION_POOL_CAPACITY=0x80,56 | |
+SD_RAND_APPLICATION_BYTES_AVAILABLE=0x80,57 | |
+SD_RAND_APPLICATION_GET_VECTOR=0x80,58 | |
+SD_POWER_MODE_SET=0x80,59 | |
+SD_POWER_SYSTEM_OFF=0x80,60 | |
+SD_POWER_RESET_REASON_GET=0x80,61 | |
+SD_POWER_RESET_REASON_CLR=0x80,62 | |
+SD_POWER_POF_ENABLE=0x80,63 | |
+SD_POWER_POF_THRESHOLD_SET=0x80,64 | |
+SD_POWER_RAMON_SET=0x80,65 | |
+SD_POWER_RAMON_CLR=0x80,66 | |
+SD_POWER_RAMON_GET=0x80,67 | |
+SD_POWER_GPREGRET_SET=0x80,68 | |
+SD_POWER_GPREGRET_CLR=0x80,69 | |
+SD_POWER_GPREGRET_GET=0x80,70 | |
+SD_POWER_DCDC_MODE_SET=0x80,71 | |
+SD_APP_EVT_WAIT=0x80,72 | |
+SD_CLOCK_HFCLK_REQUEST=0x80,73 | |
+SD_CLOCK_HFCLK_RELEASE=0x80,74 | |
+SD_CLOCK_HFCLK_IS_RUNNING=0x80,75 | |
+SD_RADIO_NOTIFICATION_CFG_SET=0x80,76 | |
+SD_ECB_BLOCK_ENCRYPT=0x80,77 | |
+SD_RADIO_SESSION_OPEN=0x80,78 | |
+SD_RADIO_SESSION_CLOSE=0x80,79 | |
+SD_RADIO_REQUEST=0x80,80 | |
+SD_EVT_GET=0x80,81 | |
+SD_TEMP_GET=0x80,82 | |
+SVC_SOC_LAS=0x80,83 | |
+SD_BLE_ENABLE=0x80,96 | |
+SD_BLE_EVT_GET=0x80,97 | |
+SD_BLE_TX_BUFFER_COUNT_GET=0x80,98 | |
+SD_BLE_UUID_VS_ADD=0x80,99 | |
+SD_BLE_UUID_DECODE=0x80,100 | |
+SD_BLE_UUID_ENCODE=0x80,101 | |
+SD_BLE_VERSION_GET=0x80,102 | |
+SD_BLE_USER_MEM_REPLY=0x80,103 | |
+SD_BLE_OPT_SET=0x80,104 | |
+SD_BLE_OPT_GET=0x80,105 | |
+SD_BLE_GAP_ADDRESS_SET=0x80,112 | |
+SD_BLE_GAP_ADDRESS_GET=0x80,113 | |
+SD_BLE_GAP_ADV_DATA_SET=0x80,114 | |
+SD_BLE_GAP_ADV_START=0x80,115 | |
+SD_BLE_GAP_ADV_STOP=0x80,116 | |
+SD_BLE_GAP_CONN_PARAM_UPDATE=0x80,117 | |
+SD_BLE_GAP_DISCONNECT=0x80,118 | |
+SD_BLE_GAP_TX_POWER_SET=0x80,119 | |
+SD_BLE_GAP_APPEARANCE_SET=0x80,120 | |
+SD_BLE_GAP_APPEARANCE_GET=0x80,121 | |
+SD_BLE_GAP_PPCP_SET=0x80,122 | |
+SD_BLE_GAP_PPCP_GET=0x80,123 | |
+SD_BLE_GAP_DEVICE_NAME_SET=0x80,124 | |
+SD_BLE_GAP_DEVICE_NAME_GET=0x80,125 | |
+SD_BLE_GAP_AUTHENTICATE=0x80,126 | |
+SD_BLE_GAP_SEC_PARAMS_REPLY=0x80,127 | |
+SD_BLE_GAP_AUTH_KEY_REPLY=0x80,128 | |
+SD_BLE_GAP_ENCRYPT=0x80,129 | |
+SD_BLE_GAP_SEC_INFO_REPLY=0x80,130 | |
+SD_BLE_GAP_CONN_SEC_GET=0x80,131 | |
+SD_BLE_GAP_RSSI_START=0x80,132 | |
+SD_BLE_GAP_RSSI_STOP=0x80,133 | |
+SD_BLE_GAP_SCAN_START=0x80,134 | |
+SD_BLE_GAP_SCAN_STOP=0x80,135 | |
+SD_BLE_GAP_CONNECT=0x80,136 | |
+SD_BLE_GAP_CONNECT_CANCEL=0x80,137 | |
+SD_BLE_GAP_RSSI_GET=0x80,138 | |
+SD_BLE_GATTC_PRIMARY_SERVICES_DISCOVER=0x80,144 | |
+SD_BLE_GATTC_RELATIONSHIPS_DISCOVER=0x80,145 | |
+SD_BLE_GATTC_CHARACTERISTICS_DISCOVER=0x80,146 | |
+SD_BLE_GATTC_DESCRIPTORS_DISCOVER=0x80,147 | |
+SD_BLE_GATTC_CHAR_VALUE_BY_UUID_READ=0x80,148 | |
+SD_BLE_GATTC_READ=0x80,149 | |
+SD_BLE_GATTC_CHAR_VALUES_READ=0x80,150 | |
+SD_BLE_GATTC_WRITE=0x80,151 | |
+SD_BLE_GATTC_HV_CONFIRM=0x80,152 | |
+SD_BLE_GATTS_SERVICE_ADD=0x80,160 | |
+SD_BLE_GATTS_INCLUDE_ADD=0x80,161 | |
+SD_BLE_GATTS_CHARACTERISTIC_ADD=0x80,162 | |
+SD_BLE_GATTS_DESCRIPTOR_ADD=0x80,163 | |
+SD_BLE_GATTS_VALUE_SET=0x80,164 | |
+SD_BLE_GATTS_VALUE_GET=0x80,165 | |
+SD_BLE_GATTS_HVX=0x80,166 | |
+SD_BLE_GATTS_SERVICE_CHANGED=0x80,167 | |
+SD_BLE_GATTS_RW_AUTHORIZE_REPLY=0x80,168 | |
+SD_BLE_GATTS_SYS_ATTR_SET=0x80,169 | |
+SD_BLE_GATTS_SYS_ATTR_GET=0x80,170 | |
+SD_BLE_L2CAP_CID_REGISTER=0x80,176 | |
+SD_BLE_L2CAP_CID_UNREGISTER=0x80,177 | |
+SD_BLE_L2CAP_TX=0x80,178 | |
+SD_BLE_L2CAP_4=0x80,179 | |
+SD_BLE_L2CAP_5=0x80,180 | |
+SD_BLE_L2CAP_6=0x80,181 | |
+SD_BLE_L2CAP_7=0x80,182 | |
+SD_BLE_L2CAP_8=0x80,183 | |
+SD_BLE_L2CAP_9=0x80,184 | |
+SD_BLE_L2CAP_10=0x80,185 | |
+SD_BLE_L2CAP_11=0x80,186 | |
+SD_BLE_L2CAP_12=0x80,187 | |
+SD_BLE_L2CAP_13=0x80,188 | |
+SD_BLE_L2CAP_14=0x80,189 | |
+SD_BLE_L2CAP_15=0x80,190 | |
+SD_BLE_L2CAP_16=0x80,191 | |
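Review bot: `SVC_SOC_LAS=0x80,83` looks like a truncated `SVC_SOC_LAST`, which would match the `SVC_SDM_LAST` and `BOOTLOADER_SVC_LAST` spellings earlier in the same file. Every entry stops at `swi,number`; the sdb syscall format described further down this page (`read=0x80,0,3,ipi`) also carries an argument count and argument-type string, so as written the table gives consumers no argument information for any service, which is worth adding where the signatures are known or stating as deliberate in the commit message. `SD_BLE_L2CAP_4` through `SD_BLE_L2CAP_16` (numbers 179 to 191) are numbered placeholders rather than service names and should be resolved to the real names or dropped, so that analysis output does not present an invented label as authoritative. The `*_LAST` entries look like enum range markers rather than callable services (cannot be confirmed from here); if so, they label SVC numbers that no firmware actually issues.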
-- | |
2.15.2 (Apple Git-101.1) | |
@jacobrosenthal hey hi , let me try to explain syscall sdb foramt here afaik :
_=
, this one is used to define the software interrupt number (SWI), like 0x80 (if the instruction you are targeting is int 0x80)
read=0x80,0,3,ipi
, this line defines the read syscall for interrupt number 0x80: 0 is the syscall number, then the number of arguments, then the argument types
Also for /s
to work u have to intialize the esil like this s main ; aei ; aeim ; aeip ;
@sivaramaaa Thanks so much for the clarity.
Just some more background: this is an ARM Cortex-M0 microcontroller. I don't think I have an swi equivalent, so I guess I'll just use 0x80 like everyone else?
Updated the file above; it seems like it needs integers for interrupts, so I translated those and now it picks up the 0 and 1 syscalls, but nothing after. Note there's a gap there up to the 16th interrupt. Might I need to fill that somehow?
[0x00000000]> e asm.bits=16; e asm.arch=arm; e asm.os=s110; s entry0 ; aeim 0x20002000 0x5560 app_ram;
[0x0001ece0]> /A swi
0x0000e404 2 svc 0xb8
0x0000e8c8 2 svc 0xb8
0x0000ed48 2 svc 0xb8
0x0000f0cc 2 svc 0xb8
0x000157d4 2 svc 0xc0
0x000187b2 2 svc 0x76
0x000187c2 2 svc 0x76
0x000189ea 2 svc 0xa9
0x00018a0e 2 svc 0x82
0x00018a16 2 svc 0x76
0x00018b32 2 svc 0x76
0x00018c32 2 svc 0x85
0x00018d0e 2 svc 0x48
0x00018d88 2 svc 0x8a
0x00018d94 2 svc 0x84
0x00018dbc 2 svc 0x74
0x00018dee 2 svc 0x7c
0x00018dfe 2 svc 0x78
0x00018e28 2 svc 0x7a
0x00018edc 2 svc 0x60
0x00018f5c 2 svc 0x3d
0x00018f60 2 svc 0x3e
0x00018f9e 2 svc 0x44
0x00018fb8 2 svc 0x45
0x00018fbc 2 svc 0x44
0x00018fcc 2 svc 0x44
0x00018fda 2 svc 0x11
0x00018fec 2 svc 0x13
0x00019034 2 svc 0x35
0x00019082 2 svc 0x3c
0x00019086 2 svc 0x35
0x0001909e 2 svc 0x71
0x000190c2 2 svc 0x71
0x000190f2 2 svc 0x3c
0x000190f8 2 svc 0x47
0x00019136 2 svc 0x46
0x0001914c 2 svc 0x44
0x0001931e 2 svc 0x35
0x00019380 2 svc 0xbc
0x0001a87c 2 svc 0x32
0x0001a88e 2 svc 0x33
0x0001a89e 2 svc 0x2e
0x0001bb90 2 svc 0xad
0x0001be0e 2 svc 0x84
0x0001e2c8 2 svc 0x6b
0x0001e8e8 2 svc 0x63
0x0001e8fe 2 svc 0x63
0x0001e912 2 svc 0x63
0x0001e926 2 svc 0x63
0x0001e990 2 svc 0x97
0x0001ea64 2 svc 0x97
0x0001ed92 2 svc 0xa2
0x0001ee14 2 svc 0xa2
0x0001eece 2 svc 0xa2
0x0001ef8c 2 svc 0xa2
0x0001efb6 2 svc 0xa0
0x0001f07c 2 svc 0xa6
0x0001f0c4 2 svc 0xa6
0x0001f144 2 svc 0x65
0x0001f188 2 svc 0x65
0x0001f210 2 svc 0x79
0x0001f396 2 svc 0x72
0x0001f3d0 2 svc 0x7d
0x0001f594 2 svc 0x75
0x0001f5b0 2 svc 0x76
0x0001f5f2 2 svc 0x7a
0x0001f5fa 2 svc 0x7b
0x0001f7a8 2 svc 0x36
0x0001f7de 2 svc 0x37
0x0002029e 2 svc 0x32
0x000202b2 2 svc 0x33
0x000202d0 2 svc 0x2e
0x0002030e 2 svc 0x32
0x00020320 2 svc 0x2f
0x000203a4 2 svc 0x36
0x000203ac 2 svc 0x2f
0x000203cc 2 svc 0x37
0x0002049e 2 svc 0x2e
0x0002054c 2 svc 0x29
0x00020558 2 svc 0x28
0x00020592 2 svc 0x29
0x000205d2 2 svc 0x29
0x000205ea 2 svc 0x29
0x00020610 2 svc 0x28
0x00020686 2 svc 0x29
0x0002068e 2 svc 0x29
0x000206f8 2 svc 0x28
0x000208e8 2 svc 0x28
0x00020d3e 2 svc 0x51
0x00020d68 2 svc 0x61
0x00020da8 2 svc 0x10
0x00020db4 2 svc 0x2e
0x00024184 2 svc 0x73
0x0002ac36 2 svc 0x76
0x0002ac5a 2 svc 0x63
0x0002ac6e 2 svc 0x63
0x0002ac80 2 svc 0x63
0x0002ac92 2 svc 0x63
0x0002b0c8 2 svc 0x97
0x0002b0e0 2 svc 0x95
0x0002b664 2 svc 0xaa
0x0002b766 2 svc 0xa9
0x0002b77e 2 svc 0xa9
0x0002b798 2 svc 0xa7
0x0002bacc 2 svc 0x7e
0x0002bdee 2 svc 0x82
0x0002be12 2 svc 0x7f
0x0002be92 2 svc 0x7f
0x0002c24e 2 svc 0x90
0x0002c2de 2 svc 0x92
0x0002c35a 2 svc 0x93
0x0002c4c8 2 svc 0x90
0x00032b66 2 svc 0xe
0x0003480e 2 svc 0xcf
0x00034e38 2 svc 0xc1
0x00034f2a 2 svc 0x8f
0x0003577e 2 svc 0x8f
0x000357bc 2 svc 0x8f
0x00036082 2 svc 0x8f
0x0003b20c 2 svc 0x18
0x0003b216 2 svc 0x13
0x0003b238 2 svc 0x60
0x0003b3ce 2 svc 0x71
0x0003b9dc 2 svc 0x32
0x0003b9f0 2 svc 0x33
0x0003ba0e 2 svc 0x2e
0x0003ba46 2 svc 0x32
0x0003ba58 2 svc 0x2f
0x0003bad6 2 svc 0x36
0x0003bade 2 svc 0x2f
0x0003bafe 2 svc 0x37
0x0003bba6 2 svc 0x2e
0x0003c200 2 svc 0x65
0x0003c24e 2 svc 0x65
0x0003c2d6 2 svc 0x79
0x0003c440 2 svc 0x72
0x0003c47a 2 svc 0x7d
0x0003c636 2 svc 0x75
0x0003c652 2 svc 0x76
0x0003c694 2 svc 0x7a
0x0003c69c 2 svc 0x7b
0x0003c814 2 svc 0xa6
0x0003c842 2 svc 0xa5
0x0003c864 2 svc 0xa8
0x0003c890 2 svc 0xa8
0x0003c936 2 svc 0x63
0x0003c942 2 svc 0xa0
0x0003ca6c 2 svc 0xa6
0x0003cad2 2 svc 0xa6
0x0003cb68 2 svc 0xa2
0x0003cc02 2 svc 0xa2
0x0003cc86 2 svc 0xa2
0x0003ccd8 2 svc 0x28
0x0003ccfe 2 svc 0x29
0x0003cd06 2 svc 0x29
0x0003cf4e 2 svc 0x36
0x0003cf94 2 svc 0x37
0x0003d7be 2 svc 0x48
0x0003d970 2 svc 0x11
0x0003d9a8 2 svc 0x13
0x0003dbd8 2 svc 0x76
0x0003dd40 2 svc 0x76
0x0003dd56 2 svc 0x74
0x0003df7e 2 svc 0x73
0x0003e00e 2 svc 0x82
0x0003e048 2 svc 0x76
0x0003e06a 2 svc 0xaa
0x0003e0ba 2 svc 0x7f
0x0003e0dc 2 svc 0x67
0x0003e108 2 svc 0xa8
0x0003e16c 2 svc 0x71
0x0003e184 2 svc 0x70
0x0003e19e 2 svc 0x7c
0x0003e1c2 2 svc 0x7a
0x0003e288 2 svc 0xa9
0x0003e296 2 svc 0xa9
0x0003e2a2 2 svc 0xa7
0x0003e2be 2 svc 0xa9
0x0003ea42 2 svc 0x18
0x0003ea80 2 svc 0x18
0x0003eae0 2 svc 0x18
0x0003eaf4 2 svc 0x18
0x0003eb0a 2 svc 0x18
0x0003eb46 2 svc 0x51
0x0003eb70 2 svc 0x61
0x0003ebb2 2 svc 0x10
0x0003ebbc 2 svc 0x2e
0x40006512 2 svc 0xf5
[0x0001ece0]> /s
0x0000e404 DFU_BLE_SVC_SET_PEER_DATA
0x0001f210 BOOTLOADER_SVC_LAST
#define SVCALL(number, return_type, signature) \
_Pragma("GCC diagnostic ignored \"-Wunused-function\"") \
_Pragma("GCC diagnostic push") \
_Pragma("GCC diagnostic ignored \"-Wreturn-type\"") \
__attribute__((naked)) static return_type signature \
{ \
__asm( \
"svc %0\n" \
"bx r14" : : "I" (number) : "r0" \
); \
} \
_Pragma("GCC diagnostic pop")
SVCALL(0x10, uint32_t, sd_softdevice_enable(nrf_clock_lfclksrc_t clock_source, softdevice_assertion_handler_t assertion_handler));
SVC number ranges
SoftDevice 0x10-0xFF
Application 0x00-0x0F (in our case the bootloader/dfu stuff uses 0 and 1 it seems)
Software interrupt (SWI) | Peripheral ID | SoftDevice Signal |
---|---|---|
0 | 20 | Unused by the SoftDevice and available to the application. |
1 | 21 | Radio Notification - optionally configured through API. |
2 | 22 | SoftDevice Event Notification. |
3 | 23 | Reserved. |
4 | 24 | Lower stack processing - not user configurable. |
5 | 25 | Upper stack signaling - not user configurable. |
ok so these are just more interrupts available on the device, and unrelated to 'swi'
but we now know on nrf51 that swi1 handlers are radio handlers, swi2 are softdevice handlers if a softdevice is present
now it picks up the 0 and 1 syscall
nice, some improvement at least :D
but nothing after. Note theres a gap there to the 16th interrupt. Might I need to fill that somehow?
that's a little strange, and currently I am very busy with many things, but sure, I will look into it whenever I am free!
@sivaramaaa Any thoughts on how to patch /as to be able to get syscall number from immediate for arm thumb platforms?
You can see below that it calls svc 0x7c so I wanna use 0x7c as offset here https://github.com/radare/radare2/blob/master/libr/core/cmd_search.c#L1811
/ (fcn) sub.EASYFIT_HR_de0 88
| sub.EASYFIT_HR_de0 (int arg_0h, int arg_4h);
| ; arg int arg_0h @ sp+0x0
| ; arg int arg_4h @ sp+0x4
| ; CALL XREF from fcn.00018c54 (0x18c64)
| 0x00018de0 0eb5 push {r1, r2, r3, lr} ; sp=0x20004aa8
| 0x00018de2 1120 movs r0, 0x11 ; r0=0x11 -> 0x7c0 ; zf=0x0
| 0x00018de4 6946 mov r1, sp ; r1=0x20004aa8
| 0x00018de6 0872 strb r0, [r1, 8]
| 0x00018de8 0a22 movs r2, 0xa ; aav.0x0000000a ; r2=0xa -> 0x6b10000 ; zf=0x0
| 0x00018dea 50a1 adr r1, str.EASYFIT_HR ; 0x18f2c ; "EASYFIT HR" ; r1=0x140 -> 0x6809493e
| 0x00018dec 02a8 add r0, sp, 8 ; r0=0x20004ab0 r13
| ;-- hit0_16.DFU_BLE_SVC_SET_PEER_DATA:
| 0x00018dee 7cdf svc 0x7c ; 0x00 = DFU_BLE_SVC_SET_PEER_DATA ()
Update: pancake fixed op.val on thumb and I have the start of a PR here radareorg/radare2#11079
Then rebuild radare, open the file and make sure os, bits and arch are set