Error UC_ERR_FETCH_UNMAPPED with TriCore function call
I'd like to emulate a piece of code extracted from a TriCore TC1797 flash, but I get the error "Invalid memory fetch" when the first function call occurs (at address 0x8012B5D8).
Here is test code to replicate the issue:
#include <inttypes.h>
#include <stdio.h>
#include <unicorn/unicorn.h>
#define FLASH_ADDRESS 0x80000000
#define FLASH_SIZE (4*1024*1024)
#define CODE_START_ADDR 0x8012B5BE
/* TriCore machine code lifted from the TC1797 flash image, stored
 * contiguously from CODE_START_ADDR (0x8012B5BE). It holds two functions:
 * get_struct_idx at offset 0x00 and get_subfunc_params at offset 0x16;
 * the call16 at 0x8012B5D8 targets get_struct_idx. */
const uint8_t CODE[] = {
    /* get_struct_idx (0x8012B5BE) */
    0x4C, 0x40,              /* 8012B5BE  ld16.w   d15, [a4]0           ; uds_struct_list */
    0x37, 0x0F, 0x64, 0x04,  /* 8012B5C0  extr.u   d0, d15, #8, #4 */
    0x02, 0x02,              /* 8012B5C4  mov16    d2, d0 */
    0xEF, 0x5F, 0x06, 0x80,  /* 8012B5C6  jnz32.t  d15:0x15, locret_8012B5D2 */
    0x37, 0x0F, 0x64, 0xF6,  /* 8012B5CA  extr.u   d15, d15, #0xC, #4 */
    0x0B, 0xF0, 0x00, 0x20,  /* 8012B5CE  add32    d2, d0, d15 */
    0x00, 0x90,              /* 8012B5D2  ret16 */

    /* get_subfunc_params (0x8012B5D4) */
    0x02, 0x48,              /* 8012B5D4  mov16    d8, d4 */
    0x40, 0x4F,              /* 8012B5D6  mov16.aa a15, a4 */
    0x5C, 0xF3,              /* 8012B5D8  call16   get_struct_idx */
    0x91, 0x50, 0x00, 0x28,  /* 8012B5DA  movh.a   a2, #0x8005 */
    0x8C, 0xF3,              /* 8012B5DE  ld16.h   d15, [a15]6 */
    0xA2, 0xF8,              /* 8012B5E0  sub16    d8, d15 */
    0x09, 0xFF, 0xC8, 0x08,  /* 8012B5E2  ld.hu    d15, [a15]8 */
    0xD9, 0x22, 0x8F, 0x0E,  /* 8012B5E6  lea      a2, [a2]@LOS(unk_8004E80F) */
    0x37, 0x08, 0x70, 0x80,  /* 8012B5EA  extr.u   d8, d8, #0, #0x10 */
    0x03, 0x82, 0x0A, 0xFF,  /* 8012B5EE  madd     d15, d15, d2, d8 */
    0x10, 0x22,              /* 8012B5F2  addsc16.a a2, a2, d15, #0 */
    0x00, 0x90,              /* 8012B5F4  ret16 */
};
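/* UC_HOOK_CODE callback: prints the address and size of every instruction
 * fetched in the hooked range. `uc` and `user_data` are not used. */
static void hook_code(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    (void)uc;
    (void)user_data;
    /* PRIx64/PRIx32 keep the conversion specifiers matched to the fixed-width
     * argument types (requires <inttypes.h>). */
    printf(">>> Tracing instruction at 0x%" PRIx64 ", instruction size = 0x%" PRIx32 "\n",
           address, size);
}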
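/* Repro driver: maps FLASH_SIZE bytes of flash at FLASH_ADDRESS, loads CODE at
 * CODE_START_ADDR, sets the two argument registers and runs get_subfunc_params
 * (0x8012B5D4) until its ret16 at 0x8012B5F4, then prints the final PC.
 * Returns 0 when emulation reached the stop address and non-zero on any
 * unicorn error. */
int main(int argc, char **argv, char **envp)
{
    (void)argc;
    (void)argv;
    (void)envp;

    uc_engine *uc = NULL;
    uc_hook trace = 0;
    int rc = 1;

    uc_err err = uc_open(UC_ARCH_TRICORE, UC_MODE_LITTLE_ENDIAN, &uc);
    if (err) {
        printf("Failed on uc_open() with error returned: %u (%s)\n", (unsigned)err, uc_strerror(err));
        return -1;
    }

    /* Every setup call can fail; an unchecked failure here would make the
     * later fetch error look like an emulator bug rather than a setup bug. */
    err = uc_mem_map(uc, FLASH_ADDRESS, FLASH_SIZE, UC_PROT_ALL);
    if (err) {
        printf("Failed on uc_mem_map() with error returned: %u (%s)\n", (unsigned)err, uc_strerror(err));
        goto out;
    }
    err = uc_mem_write(uc, CODE_START_ADDR, CODE, sizeof(CODE));
    if (err) {
        printf("Failed on uc_mem_write() with error returned: %u (%s)\n", (unsigned)err, uc_strerror(err));
        goto out;
    }
    err = uc_hook_add(uc, &trace, UC_HOOK_CODE, hook_code, NULL,
                      FLASH_ADDRESS, FLASH_ADDRESS + FLASH_SIZE - 1);
    if (err) {
        printf("Failed on uc_hook_add() with error returned: %u (%s)\n", (unsigned)err, uc_strerror(err));
        goto out;
    }

    uint32_t d4 = 6;            /* first data argument of get_subfunc_params */
    uint32_t a4 = 0x80028480;   /* pointer argument; lies inside the mapped flash range */
    err = uc_reg_write(uc, UC_TRICORE_REG_D4, &d4);
    if (err) {
        printf("Failed on uc_reg_write(D4) with error returned: %u (%s)\n", (unsigned)err, uc_strerror(err));
        goto out;
    }
    err = uc_reg_write(uc, UC_TRICORE_REG_A4, &a4);
    if (err) {
        printf("Failed on uc_reg_write(A4) with error returned: %u (%s)\n", (unsigned)err, uc_strerror(err));
        goto out;
    }

    /* NOTE(review): the reported PC 0x60 equals 3 * 0x20, i.e. the TriCore
     * trap vector entry for trap class 3 (context management) with the trap
     * vector base left at 0. call16 saves the caller's upper context into a
     * CSA taken from the free-context list (FCX), which this repro never sets
     * up, so the call most likely raises a context trap rather than a plain
     * fetch fault; mapping RAM for the CSA list and initialising FCX/LCX before
     * uc_emu_start is the thing to try. Confirm against the TriCore
     * architecture manual. */
    err = uc_emu_start(uc, 0x8012B5D4, 0x8012B5F4, 0, 0);
    if (err) {
        printf("Failed on uc_emu_start() with error returned: %u (%s)\n", (unsigned)err, uc_strerror(err));
    }
    rc = err ? 1 : 0;

    /* Read PC even after a failure so the faulting address is visible. */
    uint32_t pc = 0;
    if (uc_reg_read(uc, UC_TRICORE_REG_PC, &pc) == 0) {
        printf("PC: 0x%08" PRIX32 "\n", pc);
    }

out:
    uc_close(uc);
    return rc;
}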
Program output:
>>> Tracing instruction at 0x8012b5d4, instruction size = 0x2
>>> Tracing instruction at 0x8012b5d6, instruction size = 0x2
>>> Tracing instruction at 0x8012b5d8, instruction size = 0x2
Failed on uc_emu_start() with error returned: 8 (Invalid memory fetch (UC_ERR_FETCH_UNMAPPED))
PC: 0x00000060
Am I doing something wrong? Since the issue looks similar to #1663, I also tried compiling from the dev branch. The problem occurs with the Python binding too.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 15 days.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 15 days.
Did anybody ever find what the problem is with this 0x60 PC error? It is still present in the dev release.