Skip to content

Debugging emulated Cisco devices with BinNavi

Good news from the BinNavi front. For one, our GDB Agent which connects BinNavi with arbitrary GDB servers is now working on Linux. Since that was the last part of BinNavi which had to be used from Windows, all parts of BinNavi are now usable from Linux. Even cooler news is that we have made the Cisco router emulator Dynamips work with the GDB Agent. It is now possible for users of BinNavi to use the GDB server of Cisco devices emulated on Dynamips. This has a wide range of applications for situations where people had to work with physical devices in the past even though Dynamips would have been sufficient.

Out of the box, the GDB server of Cisco devices is not emulated properly by Dynamips. There were two issues that had to be fixed in the Dynamips code:

  • Once the GDB server was active, the console of the Cisco device froze and GDB would neither send nor accept commands
  • The single-step flag was not honored by the emulator, making single-stepping impossible

I have created a patch that solves these two issues. You can download the patch file here. Once this patch is applied to the Dynamips source code, the GDB server of the Cisco 2600 router I used for testing works like a charm and BinNavi can use the GDB server for debugging the emulated device.

Here are some impressions of BinNavi debugging the emulated Cisco 2600 router.

The first screenshot was taken shortly after attaching to the GDB server. You can see the "trap" instruction at offset 0x8021CCAC. When you attach to the GDB server for the first time, this is where the debugger halts.

Then I single-stepped a few times to leave the function in the first screenshot. The second screenshot shows another smaller function where you end up after leaving the first function.

The third screenshot shows a bigger function. In this function I told BinNavi to record all basic blocks which are ever executed and then I resumed the debugger. The result can be seen in the Trace log in the lower part of the window. The address of each basic block hit during execution is shown there in the order in which the basic blocks were hit. Double-clicking on the trace selects all basic blocks that were hit in the graph. This makes it very easy to get a quick code coverage analysis to see what basic blocks were executed and those that were not.

Trackbacks

No Trackbacks

Comments

Display comments as Linear | Threaded

No comments

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
BBCode format allowed
Form options

Submitted comments will be subject to moderation before being displayed.