U-Boot How to run a standalone binary program? - binary

I have compiled a simple binary file (hello.bin) and stored it on a memory card.
I am running a NXP Sabre dev kit with i.mx 6 quad processor. I have started up U-boot and am trying to access the binary file and make it run.
The hello.bin is availiable because the following command works:
=> fatload mmc 1:4 0x20005000 hello.bin
reading hello.bin
The way I understand it the file should be loaded into RAM at the address 0x20005000
So I want to test that the binary is there
=> md 0x20005000
20005000: 464c457f 00010101 00000000 00000000 .ELF............
20005010: 00280002 00000001 00010315 00000034 ..(.........4...
20005020: 000028f4 05000400 00200034 00280009 .(......4. ...(.
20005030: 00240025 70000001 00000454 00010454 %.$....pT...T...
Looks all right, as the starting bits are matching the file I copied to SD-card.
When I try to start the binary, the device reports undefined instruction:
=> go 0x20005000
## Starting application at 0x20005000 ...
undefined instruction
pc : [<20005158>] lr : [<4ff71403>]
reloc pc : [<e7897158>] lr : [<17803403>]
sp : 4f56dd50 ip : 00000000 fp : 00000002
r10: 4f56f938 r9 : 4f56deb0 r8 : 4ffc3c40
r7 : 4ff713d9 r6 : 00000002 r5 : 20005000 r4 : 4f56f93c
r3 : 20005000 r2 : 4f56f93c r1 : 4f56f93c r0 : 00000000
Flags: nzCv IRQs off FIQs off Mode SVC_32
Resetting CPU ...
Thanks for your help

Please, find an example at https://www.denx.de/wiki/view/DULG/UBootStandalone#Section_5.12.1.
go does not expect the start of an ELF binary but the address of the entry routine. If you want to access U-Boot routines the binary must have been relocated.

I have compiled a simple binary file (hello.bin) and stored it on a memory card.
You have omitted many salient details.
How did you compile this program, e.g. what toolchain, what makefile?
Did you link this program with a library?
The way I understand it the file should be loaded into RAM at the address 0x20005000
How did you get this "understanding"?
Typically the load address of a standalone program depends on a few factors.
First the addresses of available memory (on the target board) has to be considered.
Second, unless the standalone program is relocatable (not likely in your case), then the program must be loaded at its load/starting address as defined when the program was linked.
The load and starting addresses of a program can be obtained from its map file (i.e. the linker output).
When I try to start the binary, the device reports undefined instruction:
That is what happens when the ELF header is "executed".
Since the file clearly contains an ELF header, its filename extension should be .elf rather than .bin.
How did this executable file get the misleading name?
You probably did not build a standalone binary image file.
The examples/standalone/ directory of the U-Boot source code has sample code and a makefile for building standalone binaries, e.g. a hello_world.bin.
Be sure to properly define CONFIG_STANDALONE_LOAD_ADDR for your board!
The default load address is surely to be inappropriate.
the => bdinfo, command told me something about the DRAM bank, starts at 0x10000000 (7 zeros) and ends at 0x4000000.
(First of all, do not put salient information in comments. Add this to your original post by using the edit capability.)
The "information" you provided makes no sense (i.e. the end address is less than the start address). Avoid interpreting the information, and instead simply present (copy'n'paste) the actual output.
I then used fatload mmc 1:4 0x10005000 hello.bin instead, which then seems to work. I guess I was writing to a out of bound address.
The fatload command merely copies the contents of a file into memory. The true success of that copy is confirmed by validating the memory, rather than completion of the command.
Your comment is confusing since you have not mentioned any prior load issues.
go 0x10005000 still does not work.
Trying arbitrary load/start addresses is not an effective debugging technique.
A summation of "seems to work" or "still does not work" is a low-quality description for results.
See How To Ask Questions The Smart Way.

Got some help from another friend, I found it very helpful so I will post it:
You can use the Yocto toolchain but you cannot link against the C library (which is done by default) so you have to put some extra options to GCC to let it know that, also, you cannot use the go instruction from U-Boot to jump to an ELF binary that you just loaded in memory, the ELF binary has to be converted to a 'raw' binary (list of ARM instructions in your case) with the tool objdump. An ELF binary it's a specific format that encapsulate your code/your data and some extra information, and the first part of the ELF is the description of the binary, so right now, when you do a go at the first address, you are trying to tell the CPU to execute something which is not an ARM instruction. You basically want to execute what we call the '.text' section of the ELF binary.

Related

How to proceed? CTF challenge (binary file)

I have a capture the flag situation; I am quite new to this...
The following is given (translated from Brazilian Portuguese): "This challenge requires digging a little deeper than just "strings" to find the correct flag. Parse the attached binary and score the hidden flag."
A file has been provided, I have already discovered it's an ELF file. Also, by using Strings all I can see is gibberish and a message stating that's not the actual thing (MACK{This_is_not_the_flag_youre_looking_for}; if I test this in the password protect uni hotsite it really confirms it's not the flag).
Discovering the type:
file only_a_binary
only_a_binary: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=bf082798faf7253749442fe4166676287754608f, for GNU/Linux 3.2.0, not stripped
Strings results is too long. How to get along? What else should I try? I have searched a lot and nothing helps out...

ns modification and compiling error

i am working on ns-allinone-2.35 . and i modified the aodv protocol that located on /ns-allinone-2.35/ns-2.35/aodv folder. i do make clean , then make, every thing is ok.
but i notice that no changing in the result.
and i notice that if i change all aodv code to comments, the TCL file will running even if delete the aodv.o.
can any one help to specify exactly where is the changing on ns-allinone-2.35? and from where the TCL file read the routing protocol?
»»
the TCL file will running even if delete the aodv.o
««
Files{.cc, .h, .o}, etc. in the ns-2.35/ folder are not used at simulation time. ( Exceptions : Some simulations can/will use some traffic files, e.g. from tcl/mobility/** ).
All functions from the c++ files (and tcl/lib/files*) are compiled into one file : 'ns'.
Files used by the executable 'ns' are the these only :
ns-allinone-2.35/{ lib/**, bin/tclsh8* }.
Changes : Be aware that ns2 speaks "otcl". And that all the (o)tcl functions in tcl/lib/ are also compiled into the executable 'ns'.
So may be your new function is missing in tcl/lib/{ files.tcl } ?

Torque qsub : Change the ouput/error file destination doesn't work

If I did : qsub myscript.sh
Then it creates in the script path: myscript.sh.e12 and myscript.sh.o12 files.
But if I do : qsub -o /tmp/my.out myscript.sh
Then there is nothing in /tmp and in the script path only the myscript.sh.e12 file.
The output file is lost during the move. I don't know why.
I also tried with #PBS -o in pbs file but same result.
Thanks for your help.
Torque 2.5.7
RHEL 6.2
short answer: don't write output to /tmp/, write to some space you own, preferably with a unique path.
long answer: /tmp/ is ambiguous. Remember: the whole point of using a distributed resource manager is to run a job over multiple, or at least multiply assignable, compute resources. But each such device will almost certainly have its own /tmp/, and
you have no way of knowing to which one your job was written
you may have no rights on the arbitrary_device:/tmp/ on which one your job was written
So don't write output to /tmp/.

MinGW Main routine

In C there is no main program. Sure, C programmers begin with int main(int argc char *argv[]), but this only works because there is a routine that tells the compiler/IDE to run the function named main first.
I can't seem to find this routine in MinGW, though. Where is it defined? I just searched because I wanted to change it (only as a test) and play around with it a bit. Can someone link me to the correct file in the MinGW folders?
The ld linker will look for a match of one of several symbols to use as the entry point when linking a PE file:
entry point subsystem
--------------------- --------------
NtProcessStartup native
WinMainCRTStartup Windows GUI
mainCRTStartup Windows CUI (console)
__PosixProcessStartup POSIX CUI
WinMainCRTStartup WinCE GUI
mainCRTStartup Xbox
mainCRTStartup other
DllMainCRTStartup#12 (or possibly DllMainCRTStartup) for DLLs
MinGW will have an object file that gets automatically linked in that has the actual PE entry point. - you can see what object files are being automatically linked in by using gcc's -v option.
In a quick test using MinGW 4.6.1 building a console subsystem "hello world" program, the object file containing the entry point is crt2.o and it has a symbol mainCRTStartup that is picked up by the linker as the entry point.
The source file containing the entrypoint code is crtexe.c (or crtdll.c).
You can override the entry point using the --entry option to the linker (Wl,--entry=whatever when used on the gcc command line).

How do you find a functions virtual call address in assembly?

I've googled around but i'm not sure i am asking the right question or not and i couldn't find much regardless, perhaps a link would be helpful.
I made a c++ program that shows a message box, then I opened it up with Ollydbg and went to the part where it calls MessageBoxW.
The call address of MessageBoxW changes each time i run the app as windows is updating my Imports table to have the correct address of MessageBoxW. So my question is how do i find the virtual addres of MessageBoxW to my imports table and also how can i use this in ollydbg?
Basically I'm trying to make a code cave in assembly to call MessageBoxW again.
I got fairly close once by searching the executable with a hex editor and found the position of the call, and I think I found the virtual address. But when i call that virtual address in olly and saved it to the executable, the next time i opened it the call was replaced with a bunch of DB xyz (which looked like the virtual address but why did the call get removed?
Sorry if my terminology is off as i'm new to this so i'm not quite sure what to call things.
(reply to comment on original post)
Ah, no, the address specified in the "call" opcode is relative to the call instruction. However, for imported functions, it's most likely an indirect call (which reads the function's address from a memory location).
There is really no "official"/reliable way to get the address of any function without having no access to the import segment. If you are patching a certain executable, just look at the values Windows places in its import segment. If you are injecting code from another process, you can rely on the fact that the address of a function in a system DLL will remain the same, relative to the DLL's load address. It is also possible to manually locate and parse the program's import segment in memory.
1- find address of message box in your executable module. suppose your exe file is a1.exe
Executable modules > select a1.exe > press ctrl + N and find the address of message box. suppose address is 00402008
2- use ff25 08204000 machine code to call message box but before push parameters and push your EIP for returning address.