[eresi-dev] The ERESI ARM/JTAG debugger: final version roadmap
Julien Vanegue
jvanegue at gmail.com
Fri May 15 21:26:33 UTC 2009
Hi Guys,

It's been 3 months now since this project started, and we have reached some success lately in debugging/analyzing embedded ARM/JTAG targets.
Jesus Palencia and Thiago Figueiredo made those important advances in the implementation:

* The remote eresi debugger (kedbg) can now debug ARM/JTAG targets and do the basic operations like breakpoint, stepping, getting register values, etc.

* The libasm ARM is now more and more complete. Control flow instructions are recognized, and good (but still incomplete) control flow graphs are being displayed on ARM binaries.
It is now time to finalize the implementation and integrate those two features, so that the JTAG debugger can start to dump graphs of strategic entry points in memory snapshots and such.

As the deadline of this project is June 10th (date of Jesus' final report delivery), the final touch would give coherence to the project, making it a valid contribution as a whole for the community and the ERESI project.

Here is the final roadmap we should follow to reach the level of an achieved project:
* Finish integration of KEDBG-JTAG:
  - Create new handlers for calling specific monitor commands.
    -> Each command handler would be a wrapper to the gdbwrap_remote_cmd() API.
    -> Register the handlers in the appropriate vectors.
    -> Commands should be called via break, step, cont, etc. (instead of monitor break|step|cont...)
  - Support for setting ARM registers.

If time permits, the following would also be appreciated:
  - Support for the itrace command (this is currently IA32 specific, but could be generalized easily)
  - Support for ELF MAP generation from scratch via memory map request, when the ELF is not provided:
    -> This can be done by calling the libelfsh API from kedbg/main.c
  - Code cleaning of KEDBG/GDBWRAP and final multiarchitecture tree shape for KEDBG.
As for the analysis features, the following would be needed:

* Finish support for Libasm-ARM.
  - CFG support for explicit $pc/$ra manipulations
  - Create a processor specific structure in libasm-arm to store the information of ARM/THUMB mode (on the model of the one for IA32 that stores the protected mode/real mode information)
  - Create an API to set/get this information easily (as in the IA32 backend)
  - Implement a function that determines, for a given address, if it points to an ARM or THUMB instruction (if $t and $a symbols are available, this is easy to do in 10 LOC calling the good libelfsh API) (no support for ARM/THUMB determination in the absence of symbols for now: we don't know of any algorithm)
  - Whenever an instruction is disassembled on ARM, make sure we put the libasm mode to ARM or THUMB (by calling the previous function at a strategic point in libstderesi/cmd/disasm.c)
A last effort and you guys made it!

Julien
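The ARM/THUMB determination from $a/$t symbols that the roadmap above asks for, as an added worked example in C. This is not ERESI, libasm or libelfsh code: the struct and function names are assumptions, and the symbol table is constructed for the demo. It follows the ARM ELF mapping-symbol convention ($a marks ARM code, $t Thumb code, $d data; a suffix such as "$t.1" is permitted) and classifies an address by the closest preceding mapping symbol, which is the "10 LOC" idea in the email, plus the edge cases a disassembler hits (data islands, suffixed symbols, addresses before any symbol, an empty table).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not ERESI/libasm/libelfsh code.  Decide whether an address
 * points to ARM or Thumb code from ELF mapping symbols, as the roadmap
 * suggests.  All names and the demo symbol table are assumptions. */

enum arm_mode { MODE_UNKNOWN = 0, MODE_ARM, MODE_THUMB, MODE_DATA };

/* One mapping symbol pulled from the ELF symbol table (e.g. via libelfsh). */
struct mapsym {
    uint32_t    addr;   /* st_value of the symbol */
    const char *name;   /* "$a", "$t", "$d", optionally with a ".<n>" suffix */
};

/* Classify a symbol name following the ARM ELF mapping-symbol convention:
 * $a = ARM code, $t = Thumb code, $d = data.  Anything else is not a
 * mapping symbol and yields MODE_UNKNOWN. */
enum arm_mode mapsym_kind(const char *name)
{
    enum arm_mode kind;

    if (name == NULL || name[0] != '$' || name[1] == '\0')
        return MODE_UNKNOWN;
    switch (name[1]) {
    case 'a': kind = MODE_ARM;   break;
    case 't': kind = MODE_THUMB; break;
    case 'd': kind = MODE_DATA;  break;
    default:  return MODE_UNKNOWN;
    }
    /* "$ax" is an ordinary symbol; "$a" and "$a.3" are mapping symbols. */
    if (name[2] != '\0' && name[2] != '.')
        return MODE_UNKNOWN;
    return kind;
}

/* Return the mode in effect at addr: the kind of the last mapping symbol
 * whose address is <= addr.  syms must be sorted by ascending addr.
 * MODE_UNKNOWN means no mapping symbol covers addr (the symbol-less case
 * the roadmap leaves unsupported, so we do not guess). */
enum arm_mode arm_mode_at(const struct mapsym *syms, size_t n, uint32_t addr)
{
    size_t lo = 0, hi = n;

    while (lo < hi) {                 /* binary search: first symbol above addr */
        size_t mid = lo + (hi - lo) / 2;
        if (syms[mid].addr <= addr)
            lo = mid + 1;
        else
            hi = mid;
    }
    if (lo == 0)
        return MODE_UNKNOWN;
    return mapsym_kind(syms[lo - 1].name);
}

/* Constructed symbol table for the demo (addresses are made up). */
static const struct mapsym demo_syms[] = {
    { 0x8000, "$a"   },   /* ARM entry code           */
    { 0x8020, "$d"   },   /* literal pool inside ARM  */
    { 0x8028, "$t"   },   /* Thumb function           */
    { 0x8040, "$t.1" },   /* suffixed mapping symbol  */
    { 0x8100, "$a"   },   /* back to ARM              */
};
static const size_t demo_count = sizeof(demo_syms) / sizeof(demo_syms[0]);

static const char *mode_name(enum arm_mode m)
{
    switch (m) {
    case MODE_ARM:   return "ARM";
    case MODE_THUMB: return "THUMB";
    case MODE_DATA:  return "DATA";
    default:         return "UNKNOWN";
    }
}

int main(void)
{
    const uint32_t probes[] = { 0x7000, 0x8010, 0x8024, 0x8030, 0x8050, 0x8200 };
    size_t i;

    for (i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("0x%04x -> %s\n", (unsigned)probes[i],
               mode_name(arm_mode_at(demo_syms, demo_count, probes[i])));
    return 0;
}
```

In a real backend the table would be filled by walking the ELF symbol table (libelfsh would be the natural source in ERESI), keeping only names that start with '$' and sorting by st_value; the disassembler then calls arm_mode_at() before decoding each instruction and switches the libasm mode accordingly. When a binary has been stripped of its mapping symbols the lookup returns MODE_UNKNOWN rather than a guess, matching the email's note that no algorithm is known for the symbol-less case.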