If you cured your Sage SmartProbe of its congenital disease as per the last article on the subject, you may now be wondering what to do with it.
The vendor supplied a massive Java shitware with the thing, which does not merit any discussion whatsoever. Instead, we will use the probe’s very spiffy GDB-compatible interface. Configure your GDB as follows:
### log all instructions
set logging on
set logging file gdb_out.txt
### only if you want to see the raw gdb packets...
#set debug remote 1
### if you're debugging the BIOS
set architecture i386
### if you are debugging a warmed-up OS
# set architecture i386:x86-64
### where the probe is:
target remote /dev/ttyACM0
### or, if it is connected to your LAN,
### let's say at 192.168.1.111,
# target remote 192.168.1.111:2159
# Show instructions on single-step
set disassemble-next-line on
# Disable evil, heretical GAS syntax
#set disassembly-flavor intel
### if you want the ncurses gui in gdb
# layout asm
So, for instance, let’s connect to a freshly-booted AMD G-series box spinning in Coreboot’s boot selector menu,
$ gdb --command=gdbinit.txt
GNU gdb (Gentoo 7.8.1 vanilla) 7.8.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see: .
Find the GDB manual and other documentation resources online at: .
For help, type "help".
Type "apropos word" to search for commands related to "word".
The target architecture is assumed to be i386
(gdb) si
0x001015ae in ?? ()
=> 0x001015ae:  c3      ret
(gdb)
0x001035a9 in ?? ()
=> 0x001035a9:  29 f0   sub    %esi,%eax
(gdb)
0x001035ab in ?? ()
=> 0x001035ab:  19 fa   sbb    %edi,%edx
(gdb)
0x001035ad in ?? ()
=> 0x001035ad:  39 ea   cmp    %ebp,%edx
(gdb)
0x001035af in ?? ()
=> 0x001035af:  72 f3   jb     0x1035a4
(gdb)
0x001035b1 in ?? ()
=> 0x001035b1:  77 04   ja     0x1035b7
(gdb)
0x001035b3 in ?? ()
=> 0x001035b3:  39 d8   cmp    %ebx,%eax
(gdb)
0x001035b5 in ?? ()
=> 0x001035b5:  72 ed   jb     0x1035a4
(gdb)
0x001035b7 in ?? ()
=> 0x001035b7:  83 c4 0c        add    $0xc,%esp
(gdb)
0x001035ba in ?? ()
=> 0x001035ba:  5b      pop    %ebx
(gdb) c
Continuing.
^C
Program received signal SIGTRAP, Trace/breakpoint trap.
0x001035b5 in ?? ()
=> 0x001035b5:  72 ed   jb     0x1035a4
(gdb) q
A debugging session is active.

        Inferior 1 [Remote target] will be killed.

Quit anyway? (y or n) y
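Once "set logging on" has been running for a while, gdb_out.txt holds a single-step trace of whatever the box was doing. As an added example (not from the original post, and not vendor code), here is a small Python parser for that log: it turns the "=> 0x...: bytes mnemonic operands" lines into a list of executed instructions and, from the address that executed next, decides whether each conditional jump was taken. The sample log is constructed from the session above; its last two lines are invented to show a taken branch.

```python
import re

# Matches the "=> 0xADDR: <opcode bytes> <mnemonic> <operands>" line that
# "set disassemble-next-line on" prints after every single-step.
INSN_RE = re.compile(
    r"^=>\s+(0x[0-9a-fA-F]+)(?:\s+<[^>]*>)?:\s+((?:[0-9a-fA-F]{2}\s+)+)(\S+)\s*(.*?)\s*$")
# Constructed sample shaped like gdb_out.txt; the last two lines are invented.
SAMPLE_LOG = """\
=> 0x001015ae: c3 ret
=> 0x001035ad: 39 ea cmp %ebp,%edx
=> 0x001035af: 72 f3 jb 0x1035a4
=> 0x001035b1: 77 04 ja 0x1035b7
=> 0x001035b3: 39 d8 cmp %ebx,%eax
=> 0x001035b5: 72 ed jb 0x1035a4
=> 0x001035b7: 83 c4 0c add $0xc,%esp
Continuing.
=> 0x001035b5: 72 ed jb 0x1035a4
=> 0x001035a4: 01 d0 add %edx,%eax
"""

def parse_trace(text):
    """Split the log into runs of (addr, size, mnemonic, operands). 'Continuing.'
    ends a run: the next '=>' line is where ^C landed, not the next step."""
    runs, run = [], []
    for line in text.splitlines():
        if line.startswith("Continuing."):
            if run:
                runs.append(run)
            run = []
            continue
        m = INSN_RE.match(line)
        if m:
            size = len(m.group(2).split())  # one opcode byte per hex pair
            run.append((int(m.group(1), 16), size, m.group(3), m.group(4)))
    return runs + [run] if run else runs

def branch_outcomes(run):
    """Classify each conditional jump by the address executed right after it:
    the jump target means taken, addr + size means it fell through."""
    out = []
    for (addr, size, mnem, ops), (nxt, *_) in zip(run, run[1:]):
        if mnem.startswith("j") and mnem != "jmp":
            if nxt == int(ops, 16):
                out.append((addr, "taken"))
            elif nxt == addr + size:
                out.append((addr, "not taken"))
            else:
                out.append((addr, "unexpected"))  # gap in trace or bad parse
    return out
```

Point it at a real gdb_out.txt with `parse_trace(open("gdb_out.txt").read())`; the "unexpected" bucket is where to look when the trace has gaps or the regex missed a line.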
I will add that the probe also works great with IDA Pro’s GDB interface. Or whatever other, similar front-end you might fancy.
But! In order to make proper use of the probe, you will need the vendor-specific command set for manipulating the DC power, PCI bus, JTAG chain, and so forth. These were at one point published on the vendor’s site, which has vanished without a trace. I have made a cleaned-up HTML version:
Note that I have discovered certain undocumented commands. These will be the subject of a later article!