Tool for analyzing Atmosphère (Nintendo Switch CFW) crash dumps in Rizin.
It lets you load the binary dumps that Atmosphère writes to atmosphere/crash_reports/dumps on the SD card as flags, together with the mapped stack and TLS contents.
rz-amsdump works as a single executable that you can run from inside Rizin. To build it, you need to have GHC and Cabal installed. The easiest way to install these is by using ghcup, but if you prefer, you can use your distribution's packages instead.
Then, clone this repo and install rz-amsdump like this (replace $HOME/bin with the directory you want the final executable to be installed to):
git clone https://git.sr.ht/~thestr4ng3r/rz-amsdump
cd rz-amsdump
cabal v2-install --installdir=$HOME/bin
Usage: rz-amsdump COMMAND
Tool for analyzing Atmosphère crash dumps in Rizin
Available options:
-h,--help Show this help text
Available commands:
load Load dump from file as flags into Rizin
stacktrace Print stacktrace of a thread (by default the crashed one)
In this example, we will analyze a crash of the hid_mitm module.
First, make sure to load the modules into Rizin at the correct base addresses from the dump.
This info is not available in the binary dump, so you have to manually read it from the text .log file:
$ grep -A 2 Module .../crash_reports/01582056428_0100000000000faf.log
Module Info:
Number of Modules: 1
Module 00:
Address: 0000000060400000-0000000060457000
Name: hid_mitm
$ rizin -B 0x60400000 hid_mitm.elf
[0x604001c0]>
Then, load the dump on top of it from inside rizin (make sure rz-amsdump is in your PATH or provide the full path to it):
[0x604001c0]> #!pipe rz-amsdump load .../crash_reports/dumps/01582056428_0100000000000faf_thread_info.bin
# running inside rizin, applying commands through rz-pipe.
# done.
Or, the entire loading as a one-liner:
rizin -c '#!pipe rz-amsdump load .../crash_reports/dumps/01582056428_0100000000000faf_thread_info.bin' -B 0x60400000 hid_mitm.elf
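The manual grep of the .log can be scripted. The helper below is an added example, not part of rz-amsdump; it assumes the "Module Info" layout shown above (an Address line followed by a Name line per module), that rizin and rz-amsdump are in PATH, and the function names are invented:

```sh
#!/bin/sh
# Added example (not rz-amsdump's own code): read the module base from the text
# .log that sits next to the binary dump and start rizin at that base.

# Write a constructed log excerpt in the Module Info layout seen above to $1.
ams_sample_log() {
    printf '%s\n' \
        'Module Info:' \
        '    Number of Modules: 2' \
        '    Module 00:' \
        '        Address: 0000000060400000-0000000060457000' \
        '        Name: hid_mitm' \
        '    Module 01:' \
        '        Address: 0000000070000000-0000000070010000' \
        '        Name: other_mod' > "$1"
}

# Print the start address of module $2 from log $1 as 0x... (for rizin -B).
# Returns 1 when no module with that name is listed.
ams_module_base() {
    awk -v want="$2" '
        # "Address: start-end" precedes the "Name:" line it belongs to.
        /Address:/ { split($2, r, "-"); start = r[1] }
        /Name:/ && $2 == want {
            sub(/^0+/, "", start)          # drop the leading zero padding
            if (start == "") start = "0"
            print "0x" start; found = 1; exit
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# Open the module ELF at its dumped base and load the dump on top of it,
# i.e. the one-liner above with the base address filled in automatically.
ams_open() {
    log="$1"; dump="$2"; name="$3"; elf="$4"
    base=$(ams_module_base "$log" "$name") ||
        { echo "module $name not found in $log" >&2; return 1; }
    rizin -c "#!pipe rz-amsdump load $dump" -B "$base" "$elf"
}
```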
All loaded flags for the dump:
[0x604001c0]> f@F:dump
0x00000000 1 th339.crash.reg.x7
0x00000000 1 th339.crash.reg.x8
0x00000000 1 th339.crash.reg.x9
0x00000000 1 th339.crash.reg.x10
Register contents for tid 395:
[0x604001c0]> f,name/cols/addr,name/str/reg,name/str/th395@F:dump
┌──────────────────────────────┐
│ name │ addr │
│──────────────────────────────│
│ th395.reg.x0 │ 0x00000000 │
│ th395.reg.x1 │ 0x00000000 │
│ th395.reg.x2 │ 0x00000000 │
│ th395.reg.x3 │ 0x00000000 │
│ th395.reg.x4 │ 0x00000000 │
│ th395.reg.x5 │ 0x00000000 │
│ th395.reg.x6 │ 0x00000000 │
│ th395.reg.x7 │ 0x00000000 │
│ th395.reg.x8 │ 0x00000000 │
│ th395.reg.x9 │ 0x00000000 │
│ th395.reg.x10 │ 0x00000000 │
│ th395.reg.x11 │ 0x00000000 │
│ th395.reg.x12 │ 0x00000000 │
│ th395.reg.x13 │ 0x00000000 │
│ th395.reg.x14 │ 0x00000000 │
│ th395.reg.x15 │ 0x00000000 │
│ th395.reg.x16 │ 0x00000000 │
│ th395.reg.x17 │ 0x00000000 │
│ th395.reg.x18 │ 0x00000000 │
│ th395.reg.x19 │ 0x00000000 │
│ th395.reg.x20 │ 0x00000000 │
│ th395.reg.x21 │ 0x00000000 │
│ th395.reg.x22 │ 0x00000000 │
│ th395.reg.x23 │ 0x00000000 │
│ th395.reg.x24 │ 0x00000000 │
│ th395.reg.x25 │ 0x00000000 │
│ th395.reg.x26 │ 0x00000000 │
│ th395.reg.x27 │ 0x00000000 │
│ th395.reg.x28 │ 0x00000000 │
│ th395.reg.fp │ 0x08003ed0 │
│ th395.reg.sp │ 0x08003ed0 │
│ th395.reg.lr │ 0x6040477c │
│ th395.reg.pc │ 0x60439bac │
└──────────────────────────────┘
Register contents for the crashed thread:
[0x604001c0]> f,name/cols/addr,name/str/reg,name/str/crash@F:dump
┌────────────────────────────────────────────┐
│ name │ addr │
│────────────────────────────────────────────│
│ th339.crash.reg.x7 │ 0x00000000 │
│ th339.crash.reg.x8 │ 0x00000000 │
│ th339.crash.reg.x9 │ 0x00000000 │
│ th339.crash.reg.x10 │ 0x00000000 │
│ th339.crash.reg.x11 │ 0x00000000 │
│ th339.crash.reg.x12 │ 0x00000000 │
│ th339.crash.reg.x13 │ 0x00000000 │
│ th339.crash.reg.x14 │ 0x00000000 │
│ th339.crash.reg.x15 │ 0x00000000 │
│ th339.crash.reg.x16 │ 0x00000000 │
│ th339.crash.reg.x17 │ 0x00000000 │
│ th339.crash.reg.x18 │ 0x00000000 │
│ th339.crash.reg.x21 │ 0x00000000 │
│ th339.crash.reg.x23 │ 0x00000000 │
│ th339.crash.reg.x27 │ 0x00000008 │
│ th339.crash.reg.x1 │ 0x00000100 │
│ th339.crash.reg.x0 │ 0x00000200 │
│ th339.crash.reg.sp │ 0x4befc610 │
│ th339.crash.reg.fp │ 0x4befc620 │
│ th339.crash.reg.x6 │ 0x4befc6d0 │
│ th339.crash.reg.x5 │ 0x4befc6f8 │
│ th339.crash.reg.x26 │ 0x4befc6f8 │
│ th339.crash.reg.x20 │ 0x4befc788 │
│ th339.crash.reg.x25 │ 0x4befc8c4 │
│ th339.crash.reg.x22 │ 0x4befc8c8 │
│ th339.crash.reg.x3 │ 0x4befc988 │
│ th339.crash.reg.x19 │ 0x4befc988 │
│ th339.crash.reg.x24 │ 0x4befc988 │
│ th339.crash.reg.x4 │ 0x4befc990 │
│ th339.crash.reg.pc │ 0x604001d8 │
│ th339.crash.reg.lr │ 0x60407d00 │
│ th339.crash.reg.x28 │ 0xa55af00ddeadcafe │
│ th339.crash.reg.x2 │ 0xcccccccccccccccd │
└────────────────────────────────────────────┘
Stacktrace of thread with tid 395:
[0x604001c0]> #!pipe rz-amsdump stacktrace 395
┌────────────┬────────────────────┬───────────────────────────────────────────────────────────────────────┐
│ Address │ Flag │ Description │
╞════════════╪════════════════════╪═══════════════════════════════════════════════════════════════════════╡
│ 0000000000 │ th395.stacktrace.2 │ │
├────────────┼────────────────────┼───────────────────────────────────────────────────────────────────────┤
│ 0x60400bc8 │ th395.stacktrace.0 │ handler(void*, char const*, char const*, char const*) + 244 │
├────────────┼────────────────────┼───────────────────────────────────────────────────────────────────────┤
│ 0x6043338c │ th395.stacktrace.1 │ __gnu_cxx::__concurrence_lock_error::~__concurrence_lock_error() + 28 │
└────────────┴────────────────────┴───────────────────────────────────────────────────────────────────────┘
Stacktrace of the crashed thread:
[0x604001c0]> #!pipe rz-amsdump stacktrace
┌────────────┬──────────────────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Address │ Flag │ Description │
╞════════════╪══════════════════════════╪═════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╡
│ 0x60400300 │ th339.crash.stacktrace.2 │ exit │
├────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ 0x60400758 │ th339.crash.stacktrace.1 │ ams::ResultSuccess::operator ams::Result() const + 4 │
├────────────┼──────────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ 0x60409b60 │ th339.crash.stacktrace.0 │ ams::Result ams::sf::impl::InvokeServiceCommandImpl<&HidMitmService::ReloadConfig>(CmifOutHeader**, ams::sf::cmif::ServiceDispatchContext&, ams::sf::cmif::PointerAndSize const&) + 372 │
└────────────┴──────────────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
Stack of a thread with telescoping:
[0x604001c0]> pxr 0x100 @ th339.crash.stack
0x4befc610 0x000000004befc6d0 ...K.... @th339.crash.stack 1274005200 th339.crash.reg.x6 R W 0x0 --> 0 th396.stacktrace.2
0x4befc618 0x000000004befc8c0 ...K.... 1274005696
0x4befc620 0x000000004befc650 P..K.... @th339.crash.reg.fp 1274005072 R W 0x4befc710 --> 1274005264
0x4befc628 0x0000000060409b60 `.@`.... 1614846816 th339.crash.stacktrace.0 R X 'b 0x60409d68'
0x4befc630 0x000000004befc7c8 ...K.... 1274005448
0x4befc638 0x000000004befc918 ...K.... 1274005784
0x4befc640 0x000000004befc788 ...K.... 1274005384 th339.crash.reg.x20
0x4befc648 0x000000004befc918 ...K.... 1274005784
0x4befc650 0x000000004befc710 ...K.... 1274005264
0x4befc658 0x0000000060400758 X.@`.... 1614808920 th339.crash.stacktrace.1 R X 'mov x29, sp'
0x4befc660 0x000000004befc788 ...K.... 1274005384 th339.crash.reg.x20
0x4befc668 0x000000004beff0e8 ...K.... 1274015976
0x4befc670 0x000000004befc988 ...K.... 1274005896 th339.crash.reg.x24
0x4befc678 0x000000004beff0e8 ...K.... 1274015976
0x4befc680 0x0000000000098012 ........ 622610
0x4befc688 0x0000000000646968 hid..... 6580584 ascii ('h')
0x4befc690 0x000000006046d5f0 ..F`.... 1615255024 R 0x0 --> 0 th396.stacktrace.2
0x4befc698 0x000000006046d588 ..F`.... 1615254920 R 0x0 --> 0 th396.stacktrace.2
0x4befc6a0 0x000000004befc7c8 ...K.... 1274005448
0x4befc6a8 0x000000006046d000 ..F`.... 1615253504 R 0x0 --> 0 th396.stacktrace.2
0x4befc6b0 0x000000004befc818 ...K.... 1274005528
0x4befc6b8 0x000000004befc880 ...K.... 1274005632
0x4befc6c0 0x000000004bf03040 @0.K.... 1274032192
0x4befc6c8 0x0000000000646968 hid..... 6580584 ascii ('h')
0x4befc6d0 ..[ null bytes ].. 00000000 th339.crash.reg.x6
0x4befc6e0 0x0000000000120014 ........ 1179668
0x4befc6e8 0x00088010604e0048 H.N`....
0x4befc6f0 0x000000004befc710 ...K.... 1274005264
0x4befc6f8 ..[ null bytes ].. 00000000 th339.crash.reg.x26
Hexdump of the TLS of a thread:
[0x604001c0]> px 0x100 @ th339.crash.tls
- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x6b093200 0200 0000 0000 0000 2000 0000 1580 1100 ........ .......
0x6b093210 5346 434f 0000 0000 0000 0000 0000 0000 SFCO............
0x6b093220 0002 0000 0000 0000 2f01 0000 0000 0001 ......../.......
0x6b093230 0000 0000 0000 0000 0200 0000 0000 0000 ................
0x6b093240 0000 0000 0000 0000 0600 0000 0000 0000 ................
0x6b093250 0004 0000 0000 0000 00c0 0100 0000 0000 ................
0x6b093260 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x6b093270 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x6b093280 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x6b093290 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x6b0932a0 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x6b0932b0 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x6b0932c0 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x6b0932d0 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x6b0932e0 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x6b0932f0 0000 0000 0000 0000 0000 0000 0000 0000 ................