ARM Bare metal try

发表于 2025-07-15 分类于 Pwn

Foreword

想给今年的 HGAME Mini 2025 出一道简单的 Pwn 题，突然想着之前的题目似乎没有涉及到 IoT Pwn 的（虽然可能是因为不太算 pwn 的入门内容？），打算来一道比较简单的，正好学习一下 IoT 的相关知识吧。

Choose a Platform

IoT 设备的 ISA 一般使用 ARM, RISC-V, MIPS。题目考虑使用 nRF51822 based on ARM Cortex-M0 SoC, QEMU 对其有较好支持。

qemu-system-arm \
  -M microbit \
  -cpu cortex-m0 \
  -nographic \
  -serial tcp:127.0.0.1:2333,server,telnet \
  -kernel main.elf \
  --gdb tcp::1234

Hello World

To communicate - UART¹

In QEMU, a simulated serial port can serve as stdio. nRF51822 has one UART peripheral, we would use it to interact.

For convenience, using the official library nrfx to implement related functions, instead of defining addresses and operations by myself.

Also, you can finish it with the manual.

How to Transmit

nrfx defines a struct for parameters controlling uart.

typedef struct
{
    void                    * p_context;
    nrfx_uart_event_handler_t handler;
    uint8_t           const * p_tx_buffer;
    uint8_t                 * p_rx_buffer;
    uint8_t                 * p_rx_secondary_buffer;
    volatile size_t           tx_buffer_length;
    size_t                    rx_buffer_length;
    size_t                    rx_secondary_buffer_length;
    volatile size_t           tx_counter;
    volatile size_t           rx_counter;
    volatile bool             tx_abort;
    bool                      rx_enabled;
    nrfx_drv_state_t          state;
    bool                      skip_gpio_cfg : 1;
    bool                      skip_psel_cfg : 1;
} uart_control_block_t;
static uart_control_block_t m_cb[NRFX_UART_ENABLED_COUNT];

nrfx_uart_tx() implenments this operation.

nrfx_err_t nrfx_uart_tx(nrfx_uart_t const * p_instance,
                        uint8_t const *     p_data,
                        size_t              length)
{
    uart_control_block_t * p_cb = &m_cb[p_instance->drv_inst_idx];

    NRFX_ASSERT(p_cb->state == NRFX_DRV_STATE_INITIALIZED);
    NRFX_ASSERT(p_data);
    NRFX_ASSERT(length > 0);

    nrfx_err_t err_code;

    if (nrfx_uart_tx_in_progress(p_instance))
    {
        err_code = NRFX_ERROR_BUSY;
        NRFX_LOG_WARNING("Function: %s, error code: %s.",
                         __func__,
                         NRFX_LOG_ERROR_STRING_GET(err_code));
        return err_code;
    }
    p_cb->tx_buffer_length = length;
    p_cb->p_tx_buffer      = p_data;
    p_cb->tx_counter       = 0;
    p_cb->tx_abort         = false;

    NRFX_LOG_INFO("Transfer tx_len: %d.", p_cb->tx_buffer_length);
    NRFX_LOG_DEBUG("Tx data:");
    NRFX_LOG_HEXDUMP_DEBUG(p_cb->p_tx_buffer,
                           p_cb->tx_buffer_length * sizeof(p_cb->p_tx_buffer[0]));

    err_code = NRFX_SUCCESS;

    nrf_uart_event_clear(p_instance->p_reg, NRF_UART_EVENT_TXDRDY);
    nrf_uart_task_trigger(p_instance->p_reg, NRF_UART_TASK_STARTTX);

    tx_byte(p_instance->p_reg, p_cb);

    if (p_cb->handler == NULL)
    {
        if (!tx_blocking(p_instance->p_reg, p_cb))
        {
            // The transfer has been aborted.
            err_code = NRFX_ERROR_FORBIDDEN;
        }
        else
        {
            // Wait until the last byte is completely transmitted.
            while (!nrf_uart_event_check(p_instance->p_reg, NRF_UART_EVENT_TXDRDY))
            {}
            nrf_uart_task_trigger(p_instance->p_reg, NRF_UART_TASK_STOPTX);
        }
        p_cb->tx_buffer_length = 0;
    }

    NRFX_LOG_INFO("Function: %s, error code: %s.", __func__, NRFX_LOG_ERROR_STRING_GET(err_code));
    return err_code;
}

it calls tx_byte(), nrf_uart_txd_set()...

static void tx_byte(NRF_UART_Type * p_uart, uart_control_block_t * p_cb)
{
    nrf_uart_event_clear(p_uart, NRF_UART_EVENT_TXDRDY);
    uint8_t txd = p_cb->p_tx_buffer[p_cb->tx_counter];
    p_cb->tx_counter++;
    nrf_uart_txd_set(p_uart, txd);
}

NRF_STATIC_INLINE void nrf_uart_txd_set(NRF_UART_Type * p_reg, uint8_t txd)
{
    p_reg->TXD = txd;
}

Base and registers addresses were defined in nrf51.h.

typedef struct {                                /*!< (@ 0x40002000) UART0 Structure                                            */
  __OM  uint32_t  TASKS_STARTRX;                /*!< (@ 0x00000000) Start UART receiver.                                       */
  __OM  uint32_t  TASKS_STOPRX;                 /*!< (@ 0x00000004) Stop UART receiver.                                        */
  __OM  uint32_t  TASKS_STARTTX;                /*!< (@ 0x00000008) Start UART transmitter.                                    */
  __OM  uint32_t  TASKS_STOPTX;                 /*!< (@ 0x0000000C) Stop UART transmitter.                                     */
  __IM  uint32_t  RESERVED[3];
  __OM  uint32_t  TASKS_SUSPEND;                /*!< (@ 0x0000001C) Suspend UART.                                              */
  __IM  uint32_t  RESERVED1[56];
  __IOM uint32_t  EVENTS_CTS;                   /*!< (@ 0x00000100) CTS activated.                                             */
  __IOM uint32_t  EVENTS_NCTS;                  /*!< (@ 0x00000104) CTS deactivated.                                           */
  __IOM uint32_t  EVENTS_RXDRDY;                /*!< (@ 0x00000108) Data received in RXD.                                      */
  __IM  uint32_t  RESERVED2[4];
  __IOM uint32_t  EVENTS_TXDRDY;                /*!< (@ 0x0000011C) Data sent from TXD.                                        */
  __IM  uint32_t  RESERVED3;
  __IOM uint32_t  EVENTS_ERROR;                 /*!< (@ 0x00000124) Error detected.                                            */
  __IM  uint32_t  RESERVED4[7];
  __IOM uint32_t  EVENTS_RXTO;                  /*!< (@ 0x00000144) Receiver timeout.                                          */
  __IM  uint32_t  RESERVED5[46];
  __IOM uint32_t  SHORTS;                       /*!< (@ 0x00000200) Shortcuts for UART.                                        */
  __IM  uint32_t  RESERVED6[64];
  __IOM uint32_t  INTENSET;                     /*!< (@ 0x00000304) Interrupt enable set register.                             */
  __IOM uint32_t  INTENCLR;                     /*!< (@ 0x00000308) Interrupt enable clear register.                           */
  __IM  uint32_t  RESERVED7[93];
  __IOM uint32_t  ERRORSRC;                     /*!< (@ 0x00000480) Error source. Write error field to 1 to clear
                                                                    error.                                                     */
  __IM  uint32_t  RESERVED8[31];
  __IOM uint32_t  ENABLE;                       /*!< (@ 0x00000500) Enable UART and acquire IOs.                               */
  __IM  uint32_t  RESERVED9;
  __IOM uint32_t  PSELRTS;                      /*!< (@ 0x00000508) Pin select for RTS.                                        */
  __IOM uint32_t  PSELTXD;                      /*!< (@ 0x0000050C) Pin select for TXD.                                        */
  __IOM uint32_t  PSELCTS;                      /*!< (@ 0x00000510) Pin select for CTS.                                        */
  __IOM uint32_t  PSELRXD;                      /*!< (@ 0x00000514) Pin select for RXD.                                        */
  __IM  uint32_t  RXD;                          /*!< (@ 0x00000518) RXD register. On read action the buffer pointer
                                                                    is displaced. Once read the character is
                                                                    consumed. If read when no character available,
                                                                    the UART will stop working.                                */
  __OM  uint32_t  TXD;                          /*!< (@ 0x0000051C) TXD register.                                              */
  __IM  uint32_t  RESERVED10;
  __IOM uint32_t  BAUDRATE;                     /*!< (@ 0x00000524) UART Baudrate.                                             */
  __IM  uint32_t  RESERVED11[17];
  __IOM uint32_t  CONFIG;                       /*!< (@ 0x0000056C) Configuration of parity and hardware flow control
                                                                    register.                                                  */
  __IM  uint32_t  RESERVED12[675];
  __IOM uint32_t  POWER;                        /*!< (@ 0x00000FFC) Peripheral power control.                                  */
} NRF_UART_Type;                                /*!< Size = 4096 (0x1000)                                                      */

Run a `helloworld.c`

Initialize

Before executing the program, we need to initialize memory space satisfying the ARMv6-M architecture.²

Includes:

Stack Definition, Heap Definition, Interrupt Vector Table, Reset Handler, Entry point and prepare .data, .bss.

For GCC compiler, the library provides a startup.S.

/*
 
Copyright (c) 2009-2025 ARM Limited. All rights reserved.

    SPDX-License-Identifier: Apache-2.0

Licensed under the Apache License, Version 2.0 (the License); you may
not use this file except in compliance with the License.
You may obtain a copy of the License at

    www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an AS IS BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

NOTICE: This file has been modified by Nordic Semiconductor ASA.

*/

    .syntax unified
    .arch armv6-m

#ifdef __STARTUP_CONFIG
#include "startup_config.h"
#ifndef __STARTUP_CONFIG_STACK_ALIGNEMENT
#define __STARTUP_CONFIG_STACK_ALIGNEMENT 3
#endif
#endif

    .section .stack
#if defined(__STARTUP_CONFIG)
    .align __STARTUP_CONFIG_STACK_ALIGNEMENT
    .equ    Stack_Size, __STARTUP_CONFIG_STACK_SIZE
#elif defined(__STACK_SIZE)
    .align 3
    .equ    Stack_Size, __STACK_SIZE
#else
    .align 3
    .equ    Stack_Size, 2048
#endif
    .globl __StackTop
    .globl __StackLimit
__StackLimit:
    .space Stack_Size
    .size __StackLimit, . - __StackLimit
__StackTop:
    .size __StackTop, . - __StackTop

    .section .heap
    .align 3
#if defined(__STARTUP_CONFIG)
    .equ Heap_Size, __STARTUP_CONFIG_HEAP_SIZE
#elif defined(__HEAP_SIZE)
    .equ Heap_Size, __HEAP_SIZE
#else
    .equ Heap_Size, 2048
#endif
    .globl __HeapBase
    .globl __HeapLimit
__HeapBase:
    .if Heap_Size
    .space Heap_Size
    .endif
    .size __HeapBase, . - __HeapBase
__HeapLimit:
    .size __HeapLimit, . - __HeapLimit

    .section .isr_vector, "ax"
    .align 2
    .globl __isr_vector
__isr_vector:
    .long   __StackTop                  /* Top of Stack */
    .long   Reset_Handler
    .long   NMI_Handler
    .long   HardFault_Handler
    .long   0                           /*Reserved */
    .long   0                           /*Reserved */
    .long   0                           /*Reserved */
    .long   0                           /*Reserved */
    .long   0                           /*Reserved */
    .long   0                           /*Reserved */
    .long   0                           /*Reserved */
    .long   SVC_Handler
    .long   0                           /*Reserved */
    .long   0                           /*Reserved */
    .long   PendSV_Handler
    .long   SysTick_Handler

  /* External Interrupts */
    .long   POWER_CLOCK_IRQHandler
    .long   RADIO_IRQHandler
    .long   UART0_IRQHandler
    .long   SPI0_TWI0_IRQHandler
    .long   SPI1_TWI1_IRQHandler
    .long   0                           /*Reserved */
    .long   GPIOTE_IRQHandler
    .long   ADC_IRQHandler
    .long   TIMER0_IRQHandler
    .long   TIMER1_IRQHandler
    .long   TIMER2_IRQHandler
    .long   RTC0_IRQHandler
    .long   TEMP_IRQHandler
    .long   RNG_IRQHandler
    .long   ECB_IRQHandler
    .long   CCM_AAR_IRQHandler
    .long   WDT_IRQHandler
    .long   RTC1_IRQHandler
    .long   QDEC_IRQHandler
    .long   LPCOMP_IRQHandler
    .long   SWI0_IRQHandler
    .long   SWI1_IRQHandler
    .long   SWI2_IRQHandler
    .long   SWI3_IRQHandler
    .long   SWI4_IRQHandler
    .long   SWI5_IRQHandler
    .long   0                           /*Reserved */
    .long   0                           /*Reserved */
    .long   0                           /*Reserved */
    .long   0                           /*Reserved */
    .long   0                           /*Reserved */
    .long   0                           /*Reserved */

    .size __isr_vector, . - __isr_vector

/* Reset Handler */

    .equ    NRF_POWER_RAMON_ADDRESS,             0x40000524
    .equ    NRF_POWER_RAMONB_ADDRESS,            0x40000554
    .equ    NRF_POWER_RAMONx_RAMxON_ONMODE_Msk,  0x3

    .text
    .thumb
    .thumb_func
    .align 1
    .globl Reset_Handler
    .type Reset_Handler, %function
Reset_Handler:

    MOVS    R1, #NRF_POWER_RAMONx_RAMxON_ONMODE_Msk
    
    LDR     R0, =NRF_POWER_RAMON_ADDRESS
    LDR     R2, [R0]
    ORRS    R2, R1
    STR     R2, [R0]

    LDR     R0, =NRF_POWER_RAMONB_ADDRESS
    LDR     R2, [R0]
    ORRS    R2, R1
    STR     R2, [R0]

/* Loop to copy data from read only memory to RAM.
 * The ranges of copy from/to are specified by following symbols:
 *      __etext: LMA of start of the section to copy from. Usually end of text
 *      __data_start: VMA of start of the section to copy to.
 *      __data_end: VMA of end of the section to copy to. 
 *
 * All addresses must be aligned to 4 bytes boundary.
 */
#ifndef __STARTUP_SKIP_ETEXT

/* Load .data */
    ldr r1, =__data_start
    ldr r2, =__data_end
    ldr r3, =__data_load_start
    bl copy_region

/* Load .sdata */
    ldr r1, =__sdata_start
    ldr r2, =__sdata_end
    ldr r3, =__sdata_load_start
    bl copy_region

/* Load .tdata */
    ldr r1, =__tdata_start
    ldr r2, =__tdata_end
    ldr r3, =__tdata_load_start
    bl copy_region

/* Load .fast */
    ldr r1, =__fast_start
    ldr r2, =__fast_end
    ldr r3, =__fast_load_start
    bl copy_region

    b copy_etext_done

/* Method that loads data from nvm to ram */
copy_region:
    subs r2, r2, r1
    ble L_copy_region_done

L_copy_region:
    subs r2, r2, #4
    ldr r0, [r3,r2]
    str r0, [r1,r2]
    bgt L_copy_region

L_copy_region_done:

    bx lr

copy_etext_done:


#endif

/* This part of work usually is done in C library startup code. Otherwise,
 * define __STARTUP_CLEAR_BSS to enable it in this startup. This section
 * clears the RAM where BSS data is located.
 *
 * The BSS section is specified by following symbols
 *    __bss_start__: start of the BSS section.
 *    __bss_end__: end of the BSS section.
 *
 * All addresses must be aligned to 4 bytes boundary.
 */
#ifdef __STARTUP_CLEAR_BSS
    ldr r1, =__bss_start__
    ldr r2, =__bss_end__
    bl clear_region

    ldr r1, =__tbss_start__
    ldr r2, =__tbss_end__
    bl clear_region

    ldr r1, =__sbss_start__
    ldr r2, =__sbss_end__
    bl clear_region

    b clear_bss_done

/* Method that clears default-0 registers */
clear_region:
    movs r0, 0

    subs r2, r2, r1
    ble .L_clear_region_done

.L_clear_region:
    subs r2, r2, #4
    str r0, [r1, r2]
    bgt .L_clear_region

.L_clear_region_done:

    bx lr

clear_bss_done:

#endif /* __STARTUP_CLEAR_BSS */

/* Execute SystemInit function. */
    bl SystemInit

/* Call _start function provided by libraries.
 * If those libraries are not accessible, define __START as your entry point.
 */
#ifndef __START
#define __START _start
#endif
    bl __START

    .pool
    .size   Reset_Handler,.-Reset_Handler

    .section ".text"


/* Dummy Exception Handlers (infinite loops which can be modified) */

    .weak   NMI_Handler
    .type   NMI_Handler, %function
NMI_Handler:
    b       .
    .size   NMI_Handler, . - NMI_Handler


    .weak   HardFault_Handler
    .type   HardFault_Handler, %function
HardFault_Handler:
    b       .
    .size   HardFault_Handler, . - HardFault_Handler


    .weak   SVC_Handler
    .type   SVC_Handler, %function
SVC_Handler:
    b       .
    .size   SVC_Handler, . - SVC_Handler


    .weak   PendSV_Handler
    .type   PendSV_Handler, %function
PendSV_Handler:
    b       .
    .size   PendSV_Handler, . - PendSV_Handler


    .weak   SysTick_Handler
    .type   SysTick_Handler, %function
SysTick_Handler:
    b       .
    .size   SysTick_Handler, . - SysTick_Handler


/* IRQ Handlers */

    .globl  Default_Handler
    .type   Default_Handler, %function
Default_Handler:
    b       .
    .size   Default_Handler, . - Default_Handler

    .macro  IRQ handler
    .weak   \handler
    .set    \handler, Default_Handler
    .endm

    IRQ  POWER_CLOCK_IRQHandler
    IRQ  RADIO_IRQHandler
    IRQ  UART0_IRQHandler
    IRQ  SPI0_TWI0_IRQHandler
    IRQ  SPI1_TWI1_IRQHandler
    IRQ  GPIOTE_IRQHandler
    IRQ  ADC_IRQHandler
    IRQ  TIMER0_IRQHandler
    IRQ  TIMER1_IRQHandler
    IRQ  TIMER2_IRQHandler
    IRQ  RTC0_IRQHandler
    IRQ  TEMP_IRQHandler
    IRQ  RNG_IRQHandler
    IRQ  ECB_IRQHandler
    IRQ  CCM_AAR_IRQHandler
    IRQ  WDT_IRQHandler
    IRQ  RTC1_IRQHandler
    IRQ  QDEC_IRQHandler
    IRQ  LPCOMP_IRQHandler
    IRQ  SWI0_IRQHandler
    IRQ  SWI1_IRQHandler
    IRQ  SWI2_IRQHandler
    IRQ  SWI3_IRQHandler
    IRQ  SWI4_IRQHandler
    IRQ  SWI5_IRQHandler

  .end

All the symbol above would be defined at a linker script(.ld).

Makefile

After everything prepared, use simply a makefile to complie.

TARGET = main

CC = arm-none-eabi-gcc
OBJCOPY = arm-none-eabi-objcopy

SRC = main.c \
      $(wildcard nrfx/drivers/src/*.c) \
      nrfx/mdk/gcc_startup_nrf51.S

INCLUDES = -I. -Inrfx -Inrfx/mdk -Inrfx/hal -Inrfx/templates -Inrfx/drivers/include

CFLAGS = -mcpu=cortex-m0 -mthumb -Wall -O0 -g -DNRF51 -DNRF51822_XXAA $(INCLUDES)

LDFLAGS = -T nrf51822_xxaa.ld -nostartfiles

OBJ := $(SRC:.c=.o)
OBJ := $(OBJ:.S=.o)

all: $(TARGET).elf

%.o: %.c
  $(CC) $(CFLAGS) -c $< -o $@

%.o: %.S
  $(CC) $(CFLAGS) -c $< -o $@

$(TARGET).elf: $(OBJ)
  $(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@

bin: $(TARGET).elf
  $(OBJCOPY) -O binary $< $(TARGET).bin

clean:
  rm -f $(OBJ) $(TARGET).elf $(TARGET).bin