~thestr4ng3r/rz-amsdump

Tool for analyzing Atmosphère (Nintendo Switch CFW) crash dumps in Rizin

refs

master
browse  log 

clone

read-only
https://git.sr.ht/~thestr4ng3r/rz-amsdump
read/write
git@git.sr.ht:~thestr4ng3r/rz-amsdump

You can also use your local clone with git send-email.

#rz-amsdump

Tool for analyzing Atmosphère (Nintendo Switch CFW) crash dumps in Rizin. It lets you load binary dumps that Atmosphère puts into atmosphere/crash_reports/dumps on the SD card as flags and mapped stack and tls contents.

#Installation

rz-amsdump works as a single executable that you can run from inside Rizin. To build it, you need to have GHC and Cabal installed. The easiest way to install these is by using ghcup but if you prefer, you may want to use your distribution's packages instead.

Then, clone this repo and install rz-amsdump like this (replace $HOME/bin by the directory you want the final executable to be installed to):

git clone https://git.sr.ht/~thestr4ng3r/rz-amsdump
cd rz-amsdump
cabal v2-install --installdir=$HOME/bin

#Usage

Usage: rz-amsdump COMMAND
  Tool for analyzing Atmosphère crash dumps in Rizin

Available options:
  -h,--help                Show this help text

Available commands:
  load                     Load dump from file as flags into Rizin
  stacktrace               Print stacktrace of a thread (by default the crashed
                           one)

#Loading

In this example, we will analyze a crash of the hid_mitm module. First, make sure to load the modules into Rizin at the correct base addresses from the dump. This info is not available in the binary dump, so you have to manually read it from the text .log file:

$ grep -A 2 Module .../crash_reports/01582056428_0100000000000faf.log
Module Info:
    Number of Modules:           1
    Module 00:
        Address:                 0000000060400000-0000000060457000
        Name:                    hid_mitm
$ rizin -B 0x60400000 hid_mitm.elf
[0x604001c0]>

Then, load the dump on top of it from inside rizin (make sure rz-amsdump is in your PATH or provide the full path to it):

[0x604001c0]> #!pipe rz-amsdump load .../crash_reports/dumps/01582056428_0100000000000faf_thread_info.bin
# running inside rizin, applying commands through rz-pipe.
# done.

Or, the entire loading as a one-liner:

rizin -c '#!pipe rz-amsdump load .../crash_reports/dumps/01582056428_0100000000000faf_thread_info.bin' -B 0x60400000 hid_mitm.elf

#Displaying Info

All loaded flags for the dump:

[0x604001c0]> f@F:dump
0x00000000 1 th339.crash.reg.x7
0x00000000 1 th339.crash.reg.x8
0x00000000 1 th339.crash.reg.x9
0x00000000 1 th339.crash.reg.x10

Register contents for tid 395:

[0x604001c0]> f,name/cols/addr,name/str/reg,name/str/th395@F:dump
┌──────────────────────────────┐
│ name           │ addr        │
│──────────────────────────────│
│ th395.reg.x0   │ 0x00000000  │
│ th395.reg.x1   │ 0x00000000  │
│ th395.reg.x2   │ 0x00000000  │
│ th395.reg.x3   │ 0x00000000  │
│ th395.reg.x4   │ 0x00000000  │
│ th395.reg.x5   │ 0x00000000  │
│ th395.reg.x6   │ 0x00000000  │
│ th395.reg.x7   │ 0x00000000  │
│ th395.reg.x8   │ 0x00000000  │
│ th395.reg.x9   │ 0x00000000  │
│ th395.reg.x10  │ 0x00000000  │
│ th395.reg.x11  │ 0x00000000  │
│ th395.reg.x12  │ 0x00000000  │
│ th395.reg.x13  │ 0x00000000  │
│ th395.reg.x14  │ 0x00000000  │
│ th395.reg.x15  │ 0x00000000  │
│ th395.reg.x16  │ 0x00000000  │
│ th395.reg.x17  │ 0x00000000  │
│ th395.reg.x18  │ 0x00000000  │
│ th395.reg.x19  │ 0x00000000  │
│ th395.reg.x20  │ 0x00000000  │
│ th395.reg.x21  │ 0x00000000  │
│ th395.reg.x22  │ 0x00000000  │
│ th395.reg.x23  │ 0x00000000  │
│ th395.reg.x24  │ 0x00000000  │
│ th395.reg.x25  │ 0x00000000  │
│ th395.reg.x26  │ 0x00000000  │
│ th395.reg.x27  │ 0x00000000  │
│ th395.reg.x28  │ 0x00000000  │
│ th395.reg.fp   │ 0x08003ed0  │
│ th395.reg.sp   │ 0x08003ed0  │
│ th395.reg.lr   │ 0x6040477c  │
│ th395.reg.pc   │ 0x60439bac  │
└──────────────────────────────┘

Register contents for the crashed thread:

[0x604001c0]> f,name/cols/addr,name/str/reg,name/str/crash@F:dump
┌────────────────────────────────────────────┐
│ name                 │ addr                │
│────────────────────────────────────────────│
│ th339.crash.reg.x7   │ 0x00000000          │
│ th339.crash.reg.x8   │ 0x00000000          │
│ th339.crash.reg.x9   │ 0x00000000          │
│ th339.crash.reg.x10  │ 0x00000000          │
│ th339.crash.reg.x11  │ 0x00000000          │
│ th339.crash.reg.x12  │ 0x00000000          │
│ th339.crash.reg.x13  │ 0x00000000          │
│ th339.crash.reg.x14  │ 0x00000000          │
│ th339.crash.reg.x15  │ 0x00000000          │
│ th339.crash.reg.x16  │ 0x00000000          │
│ th339.crash.reg.x17  │ 0x00000000          │
│ th339.crash.reg.x18  │ 0x00000000          │
│ th339.crash.reg.x21  │ 0x00000000          │
│ th339.crash.reg.x23  │ 0x00000000          │
│ th339.crash.reg.x27  │ 0x00000008          │
│ th339.crash.reg.x1   │ 0x00000100          │
│ th339.crash.reg.x0   │ 0x00000200          │
│ th339.crash.reg.sp   │ 0x4befc610          │
│ th339.crash.reg.fp   │ 0x4befc620          │
│ th339.crash.reg.x6   │ 0x4befc6d0          │
│ th339.crash.reg.x5   │ 0x4befc6f8          │
│ th339.crash.reg.x26  │ 0x4befc6f8          │
│ th339.crash.reg.x20  │ 0x4befc788          │
│ th339.crash.reg.x25  │ 0x4befc8c4          │
│ th339.crash.reg.x22  │ 0x4befc8c8          │
│ th339.crash.reg.x3   │ 0x4befc988          │
│ th339.crash.reg.x19  │ 0x4befc988          │
│ th339.crash.reg.x24  │ 0x4befc988          │
│ th339.crash.reg.x4   │ 0x4befc990          │
│ th339.crash.reg.pc   │ 0x604001d8          │
│ th339.crash.reg.lr   │ 0x60407d00          │
│ th339.crash.reg.x28  │ 0xa55af00ddeadcafe  │
│ th339.crash.reg.x2   │ 0xcccccccccccccccd  │
└────────────────────────────────────────────┘

Stacktrace of thread with tid 395:

[0x604001c0]> #!pipe rz-amsdump stacktrace 395
┌────────────┬────────────────────┬───────────────────────────────────────────────────────────────────────┐
│  Address   │        Flag        │                              Description                              │
╞════════════╪════════════════════╪═══════════════════════════════════════════════════════════════════════╡
│ 0000000000 │ th395.stacktrace.2 │                                                                       │
├────────────┼────────────────────┼───────────────────────────────────────────────────────────────────────┤
│ 0x60400bc8 │ th395.stacktrace.0 │ handler(void*, char const*, char const*, char const*) + 244           │
├────────────┼────────────────────┼───────────────────────────────────────────────────────────────────────┤
│ 0x6043338c │ th395.stacktrace.1 │ __gnu_cxx::__concurrence_lock_error::~__concurrence_lock_error() + 28 │
└────────────┴────────────────────┴───────────────────────────────────────────────────────────────────────┘

Stacktrace of the crashed thread:

[0x604001c0]> #!pipe rz-amsdump stacktrace
┌────────────┬──────────────────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│  Address   │           Flag           │                                                                                       Description                                                                                       │
╞════════════╪══════════════════════════╪═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╡
│ 0x60400300 │ th339.crash.stacktrace.2 │ exit                                                                                                                                                                                    │
├────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ 0x60400758 │ th339.crash.stacktrace.1 │ ams::ResultSuccess::operator ams::Result() const + 4                                                                                                                                    │
├────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ 0x60409b60 │ th339.crash.stacktrace.0 │ ams::Result ams::sf::impl::InvokeServiceCommandImpl<&HidMitmService::ReloadConfig>(CmifOutHeader**, ams::sf::cmif::ServiceDispatchContext&, ams::sf::cmif::PointerAndSize const&) + 372 │
└────────────┴──────────────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘

Stack of a thread with telescoping:

[0x604001c0]> pxr 0x100 @ th339.crash.stack
0x4befc610 0x000000004befc6d0   ...K.... @th339.crash.stack 1274005200 th339.crash.reg.x6 R W 0x0 -->  0 th396.stacktrace.2
0x4befc618 0x000000004befc8c0   ...K.... 1274005696
0x4befc620 0x000000004befc650   P..K.... @th339.crash.reg.fp 1274005072 R W 0x4befc710 -->  1274005264
0x4befc628 0x0000000060409b60   `.@`.... 1614846816 th339.crash.stacktrace.0 R X 'b 0x60409d68'
0x4befc630 0x000000004befc7c8   ...K.... 1274005448
0x4befc638 0x000000004befc918   ...K.... 1274005784
0x4befc640 0x000000004befc788   ...K.... 1274005384 th339.crash.reg.x20
0x4befc648 0x000000004befc918   ...K.... 1274005784
0x4befc650 0x000000004befc710   ...K.... 1274005264
0x4befc658 0x0000000060400758   X.@`.... 1614808920 th339.crash.stacktrace.1 R X 'mov x29, sp'
0x4befc660 0x000000004befc788   ...K.... 1274005384 th339.crash.reg.x20
0x4befc668 0x000000004beff0e8   ...K.... 1274015976
0x4befc670 0x000000004befc988   ...K.... 1274005896 th339.crash.reg.x24
0x4befc678 0x000000004beff0e8   ...K.... 1274015976
0x4befc680 0x0000000000098012   ........ 622610
0x4befc688 0x0000000000646968   hid..... 6580584 ascii ('h')
0x4befc690 0x000000006046d5f0   ..F`.... 1615255024 R 0x0 -->  0 th396.stacktrace.2
0x4befc698 0x000000006046d588   ..F`.... 1615254920 R 0x0 -->  0 th396.stacktrace.2
0x4befc6a0 0x000000004befc7c8   ...K.... 1274005448
0x4befc6a8 0x000000006046d000   ..F`.... 1615253504 R 0x0 -->  0 th396.stacktrace.2
0x4befc6b0 0x000000004befc818   ...K.... 1274005528
0x4befc6b8 0x000000004befc880   ...K.... 1274005632
0x4befc6c0 0x000000004bf03040   @0.K.... 1274032192
0x4befc6c8 0x0000000000646968   hid..... 6580584 ascii ('h')
0x4befc6d0 ..[ null bytes ]..   00000000 th339.crash.reg.x6
0x4befc6e0 0x0000000000120014   ........ 1179668
0x4befc6e8 0x00088010604e0048   H.N`....
0x4befc6f0 0x000000004befc710   ...K.... 1274005264
0x4befc6f8 ..[ null bytes ]..   00000000 th339.crash.reg.x26

Hexump of the TLS of a thread:

[0x604001c0]> px 0x100 @ th339.crash.tls
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x6b093200  0200 0000 0000 0000 2000 0000 1580 1100  ........ .......
0x6b093210  5346 434f 0000 0000 0000 0000 0000 0000  SFCO............
0x6b093220  0002 0000 0000 0000 2f01 0000 0000 0001  ......../.......
0x6b093230  0000 0000 0000 0000 0200 0000 0000 0000  ................
0x6b093240  0000 0000 0000 0000 0600 0000 0000 0000  ................
0x6b093250  0004 0000 0000 0000 00c0 0100 0000 0000  ................
0x6b093260  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x6b093270  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x6b093280  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x6b093290  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x6b0932a0  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x6b0932b0  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x6b0932c0  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x6b0932d0  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x6b0932e0  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x6b0932f0  0000 0000 0000 0000 0000 0000 0000 0000  ................