ARM Bare metal try
Foreword
想给今年的 HGAME Mini 2025 出一道简单的 Pwn 题,突然想着之前的题目似乎没有涉及到 IoT Pwn 的(虽然可能是因为不太算 pwn 的入门内容?),打算来一道比较简单的,正好学习一下 IoT 的相关知识吧。
Choose a Platform
IoT 设备的 ISA 一般使用 ARM, RISC-V, MIPS。题目考虑使用 nRF51822 based on ARM Cortex-M0 SoC, QEMU 对其有较好支持。
qemu-system-arm \
-M microbit \
-cpu cortex-m0 \
-nographic \
-serial tcp:127.0.0.1:2333,server,telnet \
-kernel main.elf \
--gdb tcp::1234Hello World
To communicate - UART1
In QEMU, a simulated serial port can serve as stdio.
nRF51822 has one UART peripheral, we would use it to interact.
For convenience, using the official library nrfx to implement related functions, instead of defining addresses and operations by myself.
Also, you can finish it with the manual.
How to Transmit
nrfx defines a struct for parameters controlling uart.
typedef struct
{
void * p_context;
nrfx_uart_event_handler_t handler;
uint8_t const * p_tx_buffer;
uint8_t * p_rx_buffer;
uint8_t * p_rx_secondary_buffer;
volatile size_t tx_buffer_length;
size_t rx_buffer_length;
size_t rx_secondary_buffer_length;
volatile size_t tx_counter;
volatile size_t rx_counter;
volatile bool tx_abort;
bool rx_enabled;
nrfx_drv_state_t state;
bool skip_gpio_cfg : 1;
bool skip_psel_cfg : 1;
} uart_control_block_t;
static uart_control_block_t m_cb[NRFX_UART_ENABLED_COUNT];nrfx_uart_tx() implenments this operation.
nrfx_err_t nrfx_uart_tx(nrfx_uart_t const * p_instance,
uint8_t const * p_data,
size_t length)
{
uart_control_block_t * p_cb = &m_cb[p_instance->drv_inst_idx];
NRFX_ASSERT(p_cb->state == NRFX_DRV_STATE_INITIALIZED);
NRFX_ASSERT(p_data);
NRFX_ASSERT(length > 0);
nrfx_err_t err_code;
if (nrfx_uart_tx_in_progress(p_instance))
{
err_code = NRFX_ERROR_BUSY;
NRFX_LOG_WARNING("Function: %s, error code: %s.",
__func__,
NRFX_LOG_ERROR_STRING_GET(err_code));
return err_code;
}
p_cb->tx_buffer_length = length;
p_cb->p_tx_buffer = p_data;
p_cb->tx_counter = 0;
p_cb->tx_abort = false;
NRFX_LOG_INFO("Transfer tx_len: %d.", p_cb->tx_buffer_length);
NRFX_LOG_DEBUG("Tx data:");
NRFX_LOG_HEXDUMP_DEBUG(p_cb->p_tx_buffer,
p_cb->tx_buffer_length * sizeof(p_cb->p_tx_buffer[0]));
err_code = NRFX_SUCCESS;
nrf_uart_event_clear(p_instance->p_reg, NRF_UART_EVENT_TXDRDY);
nrf_uart_task_trigger(p_instance->p_reg, NRF_UART_TASK_STARTTX);
tx_byte(p_instance->p_reg, p_cb);
if (p_cb->handler == NULL)
{
if (!tx_blocking(p_instance->p_reg, p_cb))
{
// The transfer has been aborted.
err_code = NRFX_ERROR_FORBIDDEN;
}
else
{
// Wait until the last byte is completely transmitted.
while (!nrf_uart_event_check(p_instance->p_reg, NRF_UART_EVENT_TXDRDY))
{}
nrf_uart_task_trigger(p_instance->p_reg, NRF_UART_TASK_STOPTX);
}
p_cb->tx_buffer_length = 0;
}
NRFX_LOG_INFO("Function: %s, error code: %s.", __func__, NRFX_LOG_ERROR_STRING_GET(err_code));
return err_code;
}it calls tx_byte(),
nrf_uart_txd_set()...
static void tx_byte(NRF_UART_Type * p_uart, uart_control_block_t * p_cb)
{
nrf_uart_event_clear(p_uart, NRF_UART_EVENT_TXDRDY);
uint8_t txd = p_cb->p_tx_buffer[p_cb->tx_counter];
p_cb->tx_counter++;
nrf_uart_txd_set(p_uart, txd);
}
NRF_STATIC_INLINE void nrf_uart_txd_set(NRF_UART_Type * p_reg, uint8_t txd)
{
p_reg->TXD = txd;
}Base and registers addresses were defined in nrf51.h.
typedef struct { /*!< (@ 0x40002000) UART0 Structure */
__OM uint32_t TASKS_STARTRX; /*!< (@ 0x00000000) Start UART receiver. */
__OM uint32_t TASKS_STOPRX; /*!< (@ 0x00000004) Stop UART receiver. */
__OM uint32_t TASKS_STARTTX; /*!< (@ 0x00000008) Start UART transmitter. */
__OM uint32_t TASKS_STOPTX; /*!< (@ 0x0000000C) Stop UART transmitter. */
__IM uint32_t RESERVED[3];
__OM uint32_t TASKS_SUSPEND; /*!< (@ 0x0000001C) Suspend UART. */
__IM uint32_t RESERVED1[56];
__IOM uint32_t EVENTS_CTS; /*!< (@ 0x00000100) CTS activated. */
__IOM uint32_t EVENTS_NCTS; /*!< (@ 0x00000104) CTS deactivated. */
__IOM uint32_t EVENTS_RXDRDY; /*!< (@ 0x00000108) Data received in RXD. */
__IM uint32_t RESERVED2[4];
__IOM uint32_t EVENTS_TXDRDY; /*!< (@ 0x0000011C) Data sent from TXD. */
__IM uint32_t RESERVED3;
__IOM uint32_t EVENTS_ERROR; /*!< (@ 0x00000124) Error detected. */
__IM uint32_t RESERVED4[7];
__IOM uint32_t EVENTS_RXTO; /*!< (@ 0x00000144) Receiver timeout. */
__IM uint32_t RESERVED5[46];
__IOM uint32_t SHORTS; /*!< (@ 0x00000200) Shortcuts for UART. */
__IM uint32_t RESERVED6[64];
__IOM uint32_t INTENSET; /*!< (@ 0x00000304) Interrupt enable set register. */
__IOM uint32_t INTENCLR; /*!< (@ 0x00000308) Interrupt enable clear register. */
__IM uint32_t RESERVED7[93];
__IOM uint32_t ERRORSRC; /*!< (@ 0x00000480) Error source. Write error field to 1 to clear
error. */
__IM uint32_t RESERVED8[31];
__IOM uint32_t ENABLE; /*!< (@ 0x00000500) Enable UART and acquire IOs. */
__IM uint32_t RESERVED9;
__IOM uint32_t PSELRTS; /*!< (@ 0x00000508) Pin select for RTS. */
__IOM uint32_t PSELTXD; /*!< (@ 0x0000050C) Pin select for TXD. */
__IOM uint32_t PSELCTS; /*!< (@ 0x00000510) Pin select for CTS. */
__IOM uint32_t PSELRXD; /*!< (@ 0x00000514) Pin select for RXD. */
__IM uint32_t RXD; /*!< (@ 0x00000518) RXD register. On read action the buffer pointer
is displaced. Once read the character is
consumed. If read when no character available,
the UART will stop working. */
__OM uint32_t TXD; /*!< (@ 0x0000051C) TXD register. */
__IM uint32_t RESERVED10;
__IOM uint32_t BAUDRATE; /*!< (@ 0x00000524) UART Baudrate. */
__IM uint32_t RESERVED11[17];
__IOM uint32_t CONFIG; /*!< (@ 0x0000056C) Configuration of parity and hardware flow control
register. */
__IM uint32_t RESERVED12[675];
__IOM uint32_t POWER; /*!< (@ 0x00000FFC) Peripheral power control. */
} NRF_UART_Type; /*!< Size = 4096 (0x1000) */Run a helloworld.c
Initialize
Before executing the program, we need to initialize memory space satisfying the ARMv6-M architecture.2
Includes:
Stack Definition, Heap Definition, Interrupt Vector Table, Reset
Handler, Entry point and prepare .data,
.bss.
For GCC compiler, the library provides a startup.S.
/*
Copyright (c) 2009-2025 ARM Limited. All rights reserved.
SPDX-License-Identifier: Apache-2.0
Licensed under the Apache License, Version 2.0 (the License); you may
not use this file except in compliance with the License.
You may obtain a copy of the License at
www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an AS IS BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
NOTICE: This file has been modified by Nordic Semiconductor ASA.
*/
.syntax unified
.arch armv6-m
#ifdef __STARTUP_CONFIG
#include "startup_config.h"
#ifndef __STARTUP_CONFIG_STACK_ALIGNEMENT
#define __STARTUP_CONFIG_STACK_ALIGNEMENT 3
#endif
#endif
.section .stack
#if defined(__STARTUP_CONFIG)
.align __STARTUP_CONFIG_STACK_ALIGNEMENT
.equ Stack_Size, __STARTUP_CONFIG_STACK_SIZE
#elif defined(__STACK_SIZE)
.align 3
.equ Stack_Size, __STACK_SIZE
#else
.align 3
.equ Stack_Size, 2048
#endif
.globl __StackTop
.globl __StackLimit
__StackLimit:
.space Stack_Size
.size __StackLimit, . - __StackLimit
__StackTop:
.size __StackTop, . - __StackTop
.section .heap
.align 3
#if defined(__STARTUP_CONFIG)
.equ Heap_Size, __STARTUP_CONFIG_HEAP_SIZE
#elif defined(__HEAP_SIZE)
.equ Heap_Size, __HEAP_SIZE
#else
.equ Heap_Size, 2048
#endif
.globl __HeapBase
.globl __HeapLimit
__HeapBase:
.if Heap_Size
.space Heap_Size
.endif
.size __HeapBase, . - __HeapBase
__HeapLimit:
.size __HeapLimit, . - __HeapLimit
.section .isr_vector, "ax"
.align 2
.globl __isr_vector
__isr_vector:
.long __StackTop /* Top of Stack */
.long Reset_Handler
.long NMI_Handler
.long HardFault_Handler
.long 0 /*Reserved */
.long 0 /*Reserved */
.long 0 /*Reserved */
.long 0 /*Reserved */
.long 0 /*Reserved */
.long 0 /*Reserved */
.long 0 /*Reserved */
.long SVC_Handler
.long 0 /*Reserved */
.long 0 /*Reserved */
.long PendSV_Handler
.long SysTick_Handler
/* External Interrupts */
.long POWER_CLOCK_IRQHandler
.long RADIO_IRQHandler
.long UART0_IRQHandler
.long SPI0_TWI0_IRQHandler
.long SPI1_TWI1_IRQHandler
.long 0 /*Reserved */
.long GPIOTE_IRQHandler
.long ADC_IRQHandler
.long TIMER0_IRQHandler
.long TIMER1_IRQHandler
.long TIMER2_IRQHandler
.long RTC0_IRQHandler
.long TEMP_IRQHandler
.long RNG_IRQHandler
.long ECB_IRQHandler
.long CCM_AAR_IRQHandler
.long WDT_IRQHandler
.long RTC1_IRQHandler
.long QDEC_IRQHandler
.long LPCOMP_IRQHandler
.long SWI0_IRQHandler
.long SWI1_IRQHandler
.long SWI2_IRQHandler
.long SWI3_IRQHandler
.long SWI4_IRQHandler
.long SWI5_IRQHandler
.long 0 /*Reserved */
.long 0 /*Reserved */
.long 0 /*Reserved */
.long 0 /*Reserved */
.long 0 /*Reserved */
.long 0 /*Reserved */
.size __isr_vector, . - __isr_vector
/* Reset Handler */
.equ NRF_POWER_RAMON_ADDRESS, 0x40000524
.equ NRF_POWER_RAMONB_ADDRESS, 0x40000554
.equ NRF_POWER_RAMONx_RAMxON_ONMODE_Msk, 0x3
.text
.thumb
.thumb_func
.align 1
.globl Reset_Handler
.type Reset_Handler, %function
Reset_Handler:
MOVS R1, #NRF_POWER_RAMONx_RAMxON_ONMODE_Msk
LDR R0, =NRF_POWER_RAMON_ADDRESS
LDR R2, [R0]
ORRS R2, R1
STR R2, [R0]
LDR R0, =NRF_POWER_RAMONB_ADDRESS
LDR R2, [R0]
ORRS R2, R1
STR R2, [R0]
/* Loop to copy data from read only memory to RAM.
* The ranges of copy from/to are specified by following symbols:
* __etext: LMA of start of the section to copy from. Usually end of text
* __data_start: VMA of start of the section to copy to.
* __data_end: VMA of end of the section to copy to.
*
* All addresses must be aligned to 4 bytes boundary.
*/
#ifndef __STARTUP_SKIP_ETEXT
/* Load .data */
ldr r1, =__data_start
ldr r2, =__data_end
ldr r3, =__data_load_start
bl copy_region
/* Load .sdata */
ldr r1, =__sdata_start
ldr r2, =__sdata_end
ldr r3, =__sdata_load_start
bl copy_region
/* Load .tdata */
ldr r1, =__tdata_start
ldr r2, =__tdata_end
ldr r3, =__tdata_load_start
bl copy_region
/* Load .fast */
ldr r1, =__fast_start
ldr r2, =__fast_end
ldr r3, =__fast_load_start
bl copy_region
b copy_etext_done
/* Method that loads data from nvm to ram */
copy_region:
subs r2, r2, r1
ble L_copy_region_done
L_copy_region:
subs r2, r2, #4
ldr r0, [r3,r2]
str r0, [r1,r2]
bgt L_copy_region
L_copy_region_done:
bx lr
copy_etext_done:
#endif
/* This part of work usually is done in C library startup code. Otherwise,
* define __STARTUP_CLEAR_BSS to enable it in this startup. This section
* clears the RAM where BSS data is located.
*
* The BSS section is specified by following symbols
* __bss_start__: start of the BSS section.
* __bss_end__: end of the BSS section.
*
* All addresses must be aligned to 4 bytes boundary.
*/
#ifdef __STARTUP_CLEAR_BSS
ldr r1, =__bss_start__
ldr r2, =__bss_end__
bl clear_region
ldr r1, =__tbss_start__
ldr r2, =__tbss_end__
bl clear_region
ldr r1, =__sbss_start__
ldr r2, =__sbss_end__
bl clear_region
b clear_bss_done
/* Method that clears default-0 registers */
clear_region:
movs r0, 0
subs r2, r2, r1
ble .L_clear_region_done
.L_clear_region:
subs r2, r2, #4
str r0, [r1, r2]
bgt .L_clear_region
.L_clear_region_done:
bx lr
clear_bss_done:
#endif /* __STARTUP_CLEAR_BSS */
/* Execute SystemInit function. */
bl SystemInit
/* Call _start function provided by libraries.
* If those libraries are not accessible, define __START as your entry point.
*/
#ifndef __START
#define __START _start
#endif
bl __START
.pool
.size Reset_Handler,.-Reset_Handler
.section ".text"
/* Dummy Exception Handlers (infinite loops which can be modified) */
.weak NMI_Handler
.type NMI_Handler, %function
NMI_Handler:
b .
.size NMI_Handler, . - NMI_Handler
.weak HardFault_Handler
.type HardFault_Handler, %function
HardFault_Handler:
b .
.size HardFault_Handler, . - HardFault_Handler
.weak SVC_Handler
.type SVC_Handler, %function
SVC_Handler:
b .
.size SVC_Handler, . - SVC_Handler
.weak PendSV_Handler
.type PendSV_Handler, %function
PendSV_Handler:
b .
.size PendSV_Handler, . - PendSV_Handler
.weak SysTick_Handler
.type SysTick_Handler, %function
SysTick_Handler:
b .
.size SysTick_Handler, . - SysTick_Handler
/* IRQ Handlers */
.globl Default_Handler
.type Default_Handler, %function
Default_Handler:
b .
.size Default_Handler, . - Default_Handler
.macro IRQ handler
.weak \handler
.set \handler, Default_Handler
.endm
IRQ POWER_CLOCK_IRQHandler
IRQ RADIO_IRQHandler
IRQ UART0_IRQHandler
IRQ SPI0_TWI0_IRQHandler
IRQ SPI1_TWI1_IRQHandler
IRQ GPIOTE_IRQHandler
IRQ ADC_IRQHandler
IRQ TIMER0_IRQHandler
IRQ TIMER1_IRQHandler
IRQ TIMER2_IRQHandler
IRQ RTC0_IRQHandler
IRQ TEMP_IRQHandler
IRQ RNG_IRQHandler
IRQ ECB_IRQHandler
IRQ CCM_AAR_IRQHandler
IRQ WDT_IRQHandler
IRQ RTC1_IRQHandler
IRQ QDEC_IRQHandler
IRQ LPCOMP_IRQHandler
IRQ SWI0_IRQHandler
IRQ SWI1_IRQHandler
IRQ SWI2_IRQHandler
IRQ SWI3_IRQHandler
IRQ SWI4_IRQHandler
IRQ SWI5_IRQHandler
.end
All the symbol above would be defined at a linker script(.ld).
Makefile
After everything prepared, use simply a makefile to complie.
TARGET = main
CC = arm-none-eabi-gcc
OBJCOPY = arm-none-eabi-objcopy
SRC = main.c \
$(wildcard nrfx/drivers/src/*.c) \
nrfx/mdk/gcc_startup_nrf51.S
INCLUDES = -I. -Inrfx -Inrfx/mdk -Inrfx/hal -Inrfx/templates -Inrfx/drivers/include
CFLAGS = -mcpu=cortex-m0 -mthumb -Wall -O0 -g -DNRF51 -DNRF51822_XXAA $(INCLUDES)
LDFLAGS = -T nrf51822_xxaa.ld -nostartfiles
OBJ := $(SRC:.c=.o)
OBJ := $(OBJ:.S=.o)
all: $(TARGET).elf
%.o: %.c
$(CC) $(CFLAGS) -c $< -o $@
%.o: %.S
$(CC) $(CFLAGS) -c $< -o $@
$(TARGET).elf: $(OBJ)
$(CC) $(CFLAGS) $(LDFLAGS) $^ -o $@
bin: $(TARGET).elf
$(OBJCOPY) -O binary $< $(TARGET).bin
clean:
rm -f $(OBJ) $(TARGET).elf $(TARGET).bin