
A minute of Black Magic



This article tells you how to learn to debug with, and to love, the little black board called the Black Magic Probe V2.1. But first, a little about what it is and why it is needed.

The Black Magic Probe Mini V2.1 (BMPM2) board, developed by 1BitSquared together with Black Sphere Technologies, is a JTAG and SWD adapter designed for programming and debugging ARM Cortex-M and ARM Cortex-A microcontrollers. Support for other processors can be added; the procedure is described at the link. It is also worth noting that any processor with ADIv5 (ARM Debug Interface v5) support will be detected by the board.


The figures show the ARM Cortex-M and ARM Cortex-A processor families supported by the Black Magic Probe Mini V2.1 board.


Cortex-M processor family supported by Black Magic Probe Mini V2.1 board
Cortex-A processor family supported by Black Magic Probe Mini V2.1


During testing it turned out that the processors supported by the Black Magic Probe are not limited to the manufacturer's list. Officially unsupported processors with ARM Debug Interface v5 are detected, for example, as "Cortex-M0" or "Cortex-A7". Full functionality is not guaranteed in that case, but basic debugging actions still work.


What you can do with the Black Magic Probe:



Functions of the Black Magic Probe that can be useful when examining devices from an information-security standpoint:



BMPM2 has two main features. The first is that the gdb server runs on the device itself and exposes a virtual serial port to which you connect directly with the gdb client on your host computer (the gcc-arm-embedded toolchain is recommended), so there is no need to set up OpenOCD or ST-Link configurations. A comparison of the debugging connection diagrams with OpenOCD/ST-Link and with BMPM2 is shown below; as you can see, the BMPM2 variant is simpler.


Comparison of algorithms for debugging without Black Magic Probe Mini V2.1 board and with it


The second is that the Black Magic firmware can be built for other boards, so the BMPM2 hardware itself is not required. Compatible boards are listed here.


To explore how it works, four boards were taken: STM32F103C8, STM32vldiscovery, STM32F429I-disc1 and the 1Bitsy V1.0 recommended by the developers.


Work with 1Bitsy and STM32F429I-disc1 will be discussed in more detail: the first was chosen on the recommendation of the developers themselves, and the second has a touch screen, which makes the process more visual.


Discover the world of debugging with the Black Magic Probe


It is convenient to begin exploring the Black Magic Probe V2.1 by debugging 1Bitsy. This board was created specifically to work with BMPM2, so no difficulties should arise.
Connect the Black Magic Probe and 1Bitsy with a JTAG cable and connect both to the computer.
Below we describe working in a GNU/Linux environment; a guide for Windows and macOS is easy to find at the link.


After connecting BMPM2 to the PC and to the JTAG connector on 1Bitsy, we execute three commands in gdb to start debugging. It is important that the user has been added to the dialout group with the command "sudo adduser $USER dialout", otherwise nothing will work. The first command, "target extended-remote /dev/ttyACMx", connects to BMPM2, where x is the serial port number; then we scan all devices connected to the Black Magic Probe with the command "monitor jtag_scan". If all is well, the list of found devices is displayed, and with the "attach 1" command we connect to 1Bitsy.


  (gdb) target extended-remote /dev/ttyACM0
  Remote debugging using /dev/ttyACM0
  (gdb) monitor jtag_scan
  Target voltage: 3.3V
  Available Targets:
  No. Att Driver
   1      STM32F4xx
  (gdb) attach 1
  Attaching to Remote target
  warning: No executable has been specified and target does not support determining executable automatically.  Try using the "file" command.
  0x0800026c in ?? ()
  (gdb)

That's it, now we can debug the firmware loaded into 1Bitsy. With 1Bitsy there were indeed no problems with the connection; everything is simple and quite convenient. Will that simplicity and convenience hold when working with another board?


We had a board based on the STM32 microcontroller on hand, the STM32F429I-disc1, and we will use it, loading it with some interesting firmware along the way. The main difference from working with 1Bitsy is that this board is connected via the SWD interface rather than JTAG.


Before starting, we connect the boards via the JTAG/SWD adapter as follows,
on the SWD interface (counting from the topmost pin):


  1. SWCLK
  2. GND
  3. SWDIO
  4. 3V - tVref.

STM32F429I-disc1 and Black Magic Probe


To demonstrate the debugging process, we used firmware that contains several software modules. One of them, the game Reversi, will be the most interesting to debug.


Flash the firmware to the board and enter almost the same commands in gdb as for 1Bitsy, the only difference being that the board is connected via SWD, so the swdp_scan command is needed.


  (gdb) target extended-remote /dev/ttyACM0
  Remote debugging using /dev/ttyACM0
  (gdb) monitor swdp_scan
  Target voltage: 3.3V
  Available Targets:
  No. Att Driver
   1      STM32F4xx
  (gdb) attach 1
  Attaching to Remote target
  warning: No executable has been specified and target does not support determining executable automatically.  Try using the "file" command.
  0x0800026c in ?? ()
  (gdb)
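The two sessions above (JTAG for 1Bitsy, SWD for STM32F429I-disc1) differ only in the scan command, so the connection is easy to script. The following gdb command file is an added example, not from the article or from the Black Magic project; the serial port /dev/ttyACM0 and the file name firmware.elf are assumptions and may differ on your machine.

```gdb
# bmp-connect.gdb: connect to the Black Magic Probe's on-board GDB server,
# scan the debug interface and attach to the first target found.
# Added example; /dev/ttyACM0 is an assumption (the "x" in /dev/ttyACMx above).
#
# Usage:
#   arm-none-eabi-gdb -x bmp-connect.gdb
#   (gdb) bmp-attach jtag_scan      # 1Bitsy, wired over JTAG
#   (gdb) bmp-attach swdp_scan      # STM32F429I-disc1, wired over SWD
#   (gdb) file firmware.elf         # optional: load symbols if you have the ELF

# $arg0 is the monitor scan command to run: jtag_scan or swdp_scan.
# gdb substitutes $arg0 textually inside the body before executing it.
define bmp-attach
  target extended-remote /dev/ttyACM0
  monitor $arg0
  attach 1
end

document bmp-attach
Connect to the Black Magic Probe and attach to target 1.
Argument: the monitor scan command to run, jtag_scan or swdp_scan.
end
```

Load the file with `arm-none-eabi-gdb -x bmp-connect.gdb`, then call `bmp-attach jtag_scan` or `bmp-attach swdp_scan`. Giving gdb the ELF with `file firmware.elf` also removes the "No executable has been specified" warning seen in the sessions above and, if that ELF matches the flashed firmware and carries symbols, lets you refer to names such as _Board instead of raw addresses.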

Sadly, we never managed to win, so we wanted to break something in it. To begin with, we looked at the source. There we found the variable _Board, presumably holding the first cell of the board. Nearby are the strings "Reversi - Player 1" and "Reversi - Player 2".


  /* Fragment of the Reversi source: switches the active player and updates the frame title */
  static void _SetPlayer(int Player) {
    int Score, ValidMoves, PossibleMoves;
    char ac[256];

    _Board.ActPlayer = Player;               /* 1 = red, 2 = blue */
    if (Player == 1) {
      FRAMEWIN_SetText(_hFrame, "Reversi - Player 1");
    } else {
      FRAMEWIN_SetText(_hFrame, "Reversi - Player 2");
    }
    FRAMEWIN_SetBarColor(_hFrame, 1, (Player == 1) ? GUI_RED : GUI_BLUE);
    PossibleMoves = _CalcValidMoves(&_Board); /* takes the address of the board */
    GUI_Exec();
    if (!PossibleMoves) {
      GUI_Exec();
      _Board.ActPlayer = 3 - Player;         /* no moves: pass to the other player */

We searched for these strings in the IDA disassembler. It turned out that the pseudocode reveals the address at which the board cells start: the call corresponding to _CalcValidMoves(&_Board) takes the constant 0x2002CAF4, so that is where the board begins.


  v1 = a1;
  v2002CB74 = a1;                                  // _Board.ActPlayer
  if ( a1 == 1 )
  {
    sub_D8B3C(v2002CB80, "Reversi - Player 1");     // FRAMEWIN_SetText
    v2 = 255;                                      // GUI_RED
  }
  else
  {
    sub_D8B3C(v2002CB80, "Reversi - Player 2");
    v2 = 16711680;                                 // GUI_BLUE
  }
  sub_E06A8(v2002CB80, 1, v2);                     // FRAMEWIN_SetBarColor
  v3 = sub_DEDF8(0x2002CAF4);                      // _CalcValidMoves(&_Board): 0x2002CAF4 is the board
  result = ((int (*)(void))sub_C91B4)();           // GUI_Exec
  if ( v3 )
    return result;
  sub_C91B4(result);
  v2002CB74 = 3 - v1;
  v5 = sub_DEDF8(0x2002CAF4);

Next, we used gdb to see what is located at this address.


GDB output
Beginning of the game


Indeed. If you carefully compare this table with the arrangement of the pieces at the beginning of the game, you will notice that 001 denotes a red piece and 002 a blue one. You can try changing the value of one of the cells. To do this, we used the command:


  set *(char *) 0x2002CAF4 = 1


Result:


GDB output
The state of the cells after entering the command


After that, we decided to set the values of all the cells to one and thereby win the game from the first move.
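The article does not show the script itself, so here is an added example of how such a gdb script can be written (not the authors' own script). It assumes the standard 8x8 Reversi board stored as 64 consecutive one-byte cells starting at 0x2002CAF4, the address found in the IDA pseudocode; the one-byte cell size follows from the single-cell command above.

```gdb
# fill-board.gdb: write 1 (a red piece) into every cell of the Reversi board.
# Added example, not the article's own script.
# Assumptions: the board is the standard 8x8, stored as 64 consecutive bytes
# starting at 0x2002CAF4 (one cell = one byte, as "set *(char *) 0x2002CAF4 = 1"
# implies).
# Usage, once attached to the target:
#   (gdb) source fill-board.gdb

set $board = (unsigned char *) 0x2002CAF4
set $ncells = 8 * 8
set $i = 0
while $i < $ncells
  set *($board + $i) = 1
  set $i = $i + 1
end

# Show the patched board, eight bytes per row, to confirm the writes took effect
x/64xb $board
```

Because attaching halts the CPU, the change becomes visible on the display only after `continue`, once the firmware redraws the board. If the target's memory layout differs from the assumed one, the `x/64xb` dump will show it immediately, so check it before continuing.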


Script execution result:


Script Execution Result
Cell status after script execution


The script worked successfully and we managed to win the game, which means that with the Black Magic Probe Mini V2.1 board and gdb you can successfully debug and "break" firmware.
And now a few boring examples with blinking LEDs.


STM32F103C8


Connect STM32F103C8 to Black Magic Probe V2.1 via JTAG interface.


JTAG interface


Sources of the firmware for the boards can be found here.


In the source code, you can try changing the blinking rate of the LED by reducing or increasing the intervals during which it is lit and during which it is off.


STM32vldiscovery


Connect STM32vldiscovery to the Black Magic Probe V2.1 via the SWD interface, namely:


  1. 3V3 - tVref
  2. PA13 - SWDIO
  3. PA14 - SWCLK
  4. GND - GND

Sources of the firmware for the boards can be found here.


Here everything is the same as with the previous board: we change the intervals in the source and watch the LED.


Findings


The Black Magic Probe Mini V2.1 board is easy to use and comes with a set of tools and open-source libraries; this is its main advantage.
The downside is the lack of support for the arm64 processor architecture and for Texas Instruments processors.


http://1bitsy.org/overview/introduction/
https://1bitsquared.com/products/black-magic-probe
https://github.com/esden/1bitsy-bmpm-exercises/blob/master/embedded_programming_with_black_magic_and_lights_on-workshop_guide.pdf
https://github.com/blacksphere/blackmagic/wiki



Source: https://habr.com/ru/post/339940/

