Merge pull request #2 from qilingframework/dev

Dev

Author: kabeor

ChangeLog

@@ -1,17 +1,25 @@
 This file details the changelog of Qiling Framework.
 
 ------------------------------------
-[Version 1.4.1]: Nov Xth, 2021
+[Version 1.4.1]: Nov 15th, 2021
 
 New features:
 - Introduced riscv, both 32 and 64 (#980)
+- Added U-boot (#1000)
 
 Improvements:
 - Refactored core hooks (#966)
 - update ql.os.posix.const_mapping with more os/arch match (#973)
-- Minor refactor on ql.interpreter and ql.baremetal (#975)
 - More update in MCU modules (#971)
 - Fix getpeername and getsockname syscalls (#986)
+- Qdb improvements (#999)
+
+Contributors:
+- cq674350529
+- ucgJhe
+- cla7aye15I4nd
+- elicn
+- xwings
 
 
 ------------------------------------

README.md

@@ -1,5 +1,7 @@
+[![Documentation Status](https://readthedocs.org/projects/qilingframework/badge/?version=latest)](https://docs.qiling.io)
 [![Downloads](https://pepy.tech/badge/qiling)](https://pepy.tech/project/qiling)
 [![Chat on Telegram](https://img.shields.io/badge/Chat%20on-Telegram-brightgreen.svg)](https://t.me/qilingframework)
+
 ---
 
 <p align="center">
@@ -193,14 +195,11 @@ With binary and GDB debugger enable:
 $ ./qltool run -f examples/rootfs/x8664_linux/bin/x8664_hello --gdb 127.0.0.1:9999 --rootfs examples/rootfs/x8664_linux
 ```
 
-See  https://docs.qiling.io/  for more details
-
 With code coverage collection (UEFI only for now):
 
 ```
 $ ./qltool run -f examples/rootfs/x8664_efi/bin/TcgPlatformSetupPolicy --rootfs examples/rootfs/x8664_efi --coverage-format drcov --coverage-file TcgPlatformSetupPolicy.cov
 ```
----
 
 With json output (Windows mainly):
 

examples/hello_arm_uboot.py

@@ -0,0 +1,70 @@
+#!/usr/bin/env python3
+#
+# Cross Platform and Multi Architecture Advanced Binary Emulation Framework
+#
+
+import sys
+sys.path.append("..")
+
+from qiling.core import Qiling
+from qiling.const import QL_VERBOSE
+from qiling.os.const import STRING
+
+def get_kaimendaji_password():
+    def my_getenv(ql, *args, **kwargs):
+        env = {"ID": b"000000000000000", "ethaddr": b"11:22:33:44:55:66"}
+        params = ql.os.resolve_fcall_params({'key': STRING})
+        value = env.get(params["key"], b"")
+
+        value_addr = ql.os.heap.alloc(len(value))
+        ql.mem.write(value_addr, value)
+
+        ql.reg.r0 = value_addr
+        ql.reg.arch_pc = ql.reg.lr
+
+    def get_password(ql, *args, **kwargs):
+        password_raw = ql.mem.read(ql.reg.r0, ql.reg.r2)
+
+        password = ''
+        for item in password_raw:
+            if 0 <= item <= 9:
+                password += chr(item + 48)
+            else:
+                password += chr(item + 87)
+
+        print("The password is: %s" % password)
+
+    def partial_run_init(ql):
+        # argv prepare
+        ql.reg.arch_sp -= 0x30
+        arg0_ptr = ql.reg.arch_sp
+        ql.mem.write(arg0_ptr, b"kaimendaji")
+
+        ql.reg.arch_sp -= 0x10
+        arg1_ptr = ql.reg.arch_sp
+        ql.mem.write(arg1_ptr, b"000000")   # arbitrary password
+
+        ql.reg.arch_sp -= 0x20
+        argv_ptr = ql.reg.arch_sp
+        ql.mem.write(argv_ptr, ql.pack(arg0_ptr))
+        ql.mem.write(argv_ptr + ql.pointersize, ql.pack(arg1_ptr))
+
+        ql.reg.r2 = 2
+        ql.reg.r3 = argv_ptr
+
+
+    with open("../examples/rootfs/blob/u-boot.bin.img", "rb") as f:
+        uboot_code = f.read()
+
+    ql = Qiling(code=uboot_code[0x40:], archtype="arm", ostype="blob", profile="uboot_bin.ql", verbose=QL_VERBOSE.OFF)
+
+    image_base_addr = ql.loader.load_address
+    ql.hook_address(my_getenv, image_base_addr + 0x13AC0)
+    ql.hook_address(get_password, image_base_addr + 0x48634)
+
+    partial_run_init(ql)
+
+    ql.run(image_base_addr + 0x486B4, image_base_addr + 0x48718)
+
+if __name__ == "__main__":
+    get_kaimendaji_password()

examples/mcu/gd32vf103_blink.py

@@ -0,0 +1,24 @@
+import sys
+sys.path.append("../..")
+
+from qiling.core import Qiling
+from qiling.const import QL_VERBOSE
+from qiling.extensions.mcu.gd32vf1 import gd32vf103
+
+ql = Qiling(['../rootfs/mcu/gd32vf103/blink.hex'], archtype="riscv64", 
+                    env=gd32vf103, verbose=QL_VERBOSE.DEBUG)
+
+ql.hw.create('rcu')
+ql.hw.create('gpioa').watch()
+ql.hw.create('gpioc').watch()
+
+delay_cycles_begin = 0x800015c
+delay_cycles_end = 0x800018c
+
+def skip_delay(ql):
+    ql.reg.pc = delay_cycles_end
+
+ql.hook_address(skip_delay, delay_cycles_begin)
+ql.hw.gpioc.hook_set(13, lambda : print('Set PC13'))
+
+ql.run(count=20000)

examples/mcu/stm32f407_hack_lock.py

@@ -12,6 +12,8 @@
 
 from qiling.core import Qiling
 from qiling.const import QL_VERBOSE
+from qiling.extensions.mcu.stm32f4 import stm32f407
+
 
 def dicts():
     a = 0x79df7
@@ -25,7 +27,7 @@ def dicts():
 # Cracking the passwd of lock
 def crack(passwd):
     ql = Qiling(["../../examples/rootfs/mcu/stm32f407/backdoorlock.hex"],                    
-                        archtype="cortex_m", profile="stm32f407", verbose=QL_VERBOSE.OFF)
+                        archtype="cortex_m", env=stm32f407, verbose=QL_VERBOSE.OFF)
 
     ql.hw.create('spi2')
     ql.hw.create('gpioe')

examples/mcu/stm32f411_dma_logger.py

@@ -3,11 +3,11 @@
 
 from qiling.core import Qiling
 from qiling.const import QL_VERBOSE
-
+from qiling.extensions.mcu.stm32f4 import stm32f411
 
 def stm32f411_dma():
     ql = Qiling(["../rootfs/mcu/stm32f411/dma-clock.hex"],                    
-        archtype="cortex_m", profile="stm32f411", verbose=QL_VERBOSE.DEBUG)
+        archtype="cortex_m", env=stm32f411, verbose=QL_VERBOSE.DEBUG)
 
     ql.hw.create('usart2').watch()
     ql.hw.create('dma1').watch()

examples/mcu/stm32f411_freertos.py

@@ -3,11 +3,12 @@
 
 from qiling.core import Qiling
 from qiling.const import QL_VERBOSE
+from qiling.extensions.mcu.stm32f4 import stm32f411
 
 
 def stm32f411_freertos():
     ql = Qiling(["../rootfs/mcu/stm32f411/os-demo.hex"],                    
-        archtype="cortex_m", profile="stm32f411", verbose=QL_VERBOSE.DEBUG)
+        archtype="cortex_m", env=stm32f411, verbose=QL_VERBOSE.DEBUG)
 
     ql.hw.create('usart2').watch()
     ql.hw.create('gpioa').watch()

examples/mcu/stm32f411_gpio_hook.py

@@ -3,11 +3,11 @@
 
 from qiling.core import Qiling
 from qiling.const import QL_VERBOSE
-
+from qiling.extensions.mcu.stm32f4 import stm32f411
 
 def test_mcu_gpio_stm32f411():
     ql = Qiling(["../../examples/rootfs/mcu/stm32f411/hello_gpioA.hex"],                    
-                archtype="cortex_m", profile="stm32f411", verbose=QL_VERBOSE.DEBUG)
+                archtype="cortex_m", env=stm32f411, verbose=QL_VERBOSE.DEBUG)
 
     ql.hw.create('usart2').watch()
     ql.hw.create('rcc').watch()

examples/mcu/stm32f411_i2c_lcd.py

@@ -5,10 +5,10 @@
 from qiling.core import Qiling
 from qiling.const import QL_VERBOSE
 from qiling.hw.external_device.lcd.lcd1602 import PyGameLCD1602
-
+from qiling.extensions.mcu.stm32f4 import stm32f411
 
 def create(path, lcd):
-    ql = Qiling([path], archtype="cortex_m", profile="stm32f411", verbose=QL_VERBOSE.DEBUG)
+    ql = Qiling([path], archtype="cortex_m", env=stm32f411, verbose=QL_VERBOSE.DEBUG)
 
     ql.hw.create('i2c1')
     ql.hw.create('rcc')

examples/mcu/stm32f411_interact_usart.py

@@ -12,9 +12,11 @@
 
 from qiling.core import Qiling
 from qiling.const import QL_VERBOSE
+from qiling.extensions.mcu.stm32f4 import stm32f411
+
 
 ql = Qiling(["../../examples/rootfs/mcu/stm32f411/md5_server.hex"], 
-            archtype="cortex_m", profile="stm32f411", verbose=QL_VERBOSE.OFF)
+            archtype="cortex_m", env=stm32f411, verbose=QL_VERBOSE.OFF)
 
 ql.hw.create('usart2')
 ql.hw.create('rcc')