Hi Zhenyu, I have a question about the Nailgun attack on real devices (e.g. Raspberry Pi 3 Model B+). I read your paper and PoC code (e.g. nailgun.c) and am curious about how you get the base address/offset of the debug registers/cross trigger interface registers on Core 0. Do there exist any open-source technical reference manuals for the attack target (e.g. the BCM2837 of the Raspberry Pi 3 Model B+) that provide the info on the debug infrastructure (register names & addresses)? Or does the code just build a virtual debug infrastructure and simulate it on the real device?
Basically, we suggest 4 ways to get the address of the debug interface.
1. Access the MDRAR register to get the base address of the debug ROM table, which might contain further information about the debug components.
2. Read the hardware manuals, if available.
3. Try to find the corresponding Linux kernel source code for your device. The device tree files might contain some information about the debug components.
4. Brute force. The CoreSight components are 4k-aligned, so you may try each 4k block and check the magic numbers at offset 0xfc8 and 0xfcc.
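Way 1 and way 4 from the reply above, as an added worked example in C (this is not code from the Nailgun repository or from the reply's author). The scanner walks a memory window in 4 KiB steps and keys on the architected CoreSight component-ID words at 0xFF0-0xFFC (CIDR0..3 = 0x0D, class<<4, 0x05, 0xB1), then reads PIDR0/1 at 0xFE0/0xFE4 for the part number and DEVTYPE at 0xFCC to tell a core debug block (DEVTYPE 0x15) from its CTI (DEVTYPE 0x14). Everything it scans is a constructed in-memory image: the offsets (ROM table at 0x0, debug at 0x10000, CTI at 0x18000) and part numbers are illustrative and are not the BCM2837 layout. On real hardware the buffer would be replaced by a mapping of the physical debug region (for example via /dev/mem or a kernel-module ioremap), and the MDRAR_EL1 helper only works when executed at EL1 on AArch64.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Architected CoreSight register offsets inside each 4 KiB component block. */
#define CS_BLOCK    0x1000u
#define CS_DEVID    0xFC8u   /* DEVID */
#define CS_DEVTYPE  0xFCCu   /* DEVTYPE: [3:0] major type, [7:4] sub type */
#define CS_PIDR0    0xFE0u   /* PIDR0..3 at 0xFE0, 0xFE4, 0xFE8, 0xFEC */
#define CS_CIDR0    0xFF0u   /* CIDR0..3 at 0xFF0, 0xFF4, 0xFF8, 0xFFC */
#define CS_CLASS_ROMTABLE  0x1   /* CIDR1[7:4] component class values */
#define CS_CLASS_CORESIGHT 0x9

typedef struct {
    uint64_t base;     /* block offset within the scanned window */
    uint8_t  cclass;   /* CIDR1[7:4] */
    uint16_t part;     /* PIDR1[3:0]:PIDR0[7:0] */
    uint8_t  devtype;  /* DEVTYPE[7:0] */
    uint32_t devid;
} cs_hit;

static uint32_t rd32(const uint8_t *img, size_t off) {
    uint32_t v; memcpy(&v, img + off, sizeof v); return v;
}
static void put32(uint8_t *img, size_t off, uint32_t v) { memcpy(img + off, &v, sizeof v); }

/* Probe one 4 KiB block for the component-ID signature; fill *out on a hit. */
int cs_probe_block(const uint8_t *img, size_t base, cs_hit *out) {
    uint8_t c0 = (uint8_t)rd32(img, base + CS_CIDR0);
    uint8_t c1 = (uint8_t)rd32(img, base + CS_CIDR0 + 4);
    uint8_t c2 = (uint8_t)rd32(img, base + CS_CIDR0 + 8);
    uint8_t c3 = (uint8_t)rd32(img, base + CS_CIDR0 + 12);
    if (c0 != 0x0D || (c1 & 0x0F) != 0 || c2 != 0x05 || c3 != 0xB1) return 0;
    out->base = base;
    out->cclass = (uint8_t)(c1 >> 4);
    uint8_t p0 = (uint8_t)rd32(img, base + CS_PIDR0);
    uint8_t p1 = (uint8_t)rd32(img, base + CS_PIDR0 + 4);
    out->part = (uint16_t)(((p1 & 0x0F) << 8) | p0);
    out->devtype = (uint8_t)rd32(img, base + CS_DEVTYPE);
    out->devid = rd32(img, base + CS_DEVID);
    return 1;
}

/* Way 4: brute-force every 4 KiB-aligned block in the window. Returns number of hits. */
size_t cs_scan(const uint8_t *img, size_t len, cs_hit *hits, size_t max) {
    size_t n = 0;
    for (size_t base = 0; base + CS_BLOCK <= len && n < max; base += CS_BLOCK)
        if (cs_probe_block(img, base, &hits[n])) n++;
    return n;
}

/* Classify the hit; DEVTYPE 0x15 = debug logic/processor core, 0x14 = debug control/trigger matrix (CTI). */
const char *cs_describe(const cs_hit *h) {
    if (h->cclass == CS_CLASS_ROMTABLE) return "ROM table";
    if (h->cclass != CS_CLASS_CORESIGHT) return "other";
    switch (h->devtype) {
    case 0x15: return "core debug";
    case 0x14: return "CTI";
    default:   return "CoreSight component";
    }
}

/* Way 1: MDRAR_EL1[47:12] holds the debug ROM table base when MDRAR_EL1[1:0] == 0b11.
 * Must run at EL1 (kernel) on AArch64; returns 0 on any other build/exception level. */
uint64_t read_debug_rom_base(void) {
#if defined(__aarch64__)
    uint64_t v;
    __asm__ volatile("mrs %0, mdrar_el1" : "=r"(v));
    return (v & 3u) == 3u ? (v & 0x0000FFFFFFFFF000ULL) : 0;
#else
    return 0;
#endif
}

static void place_component(uint8_t *img, size_t base, uint8_t cclass, uint16_t part, uint8_t devtype) {
    put32(img, base + CS_CIDR0, 0x0D);
    put32(img, base + CS_CIDR0 + 4, (uint32_t)cclass << 4);
    put32(img, base + CS_CIDR0 + 8, 0x05);
    put32(img, base + CS_CIDR0 + 12, 0xB1);
    put32(img, base + CS_PIDR0, part & 0xFFu);
    put32(img, base + CS_PIDR0 + 4, (part >> 8) & 0x0Fu);
    put32(img, base + CS_DEVTYPE, devtype);
}

/* Constructed 256 KiB window standing in for a /dev/mem mapping; offsets and part numbers are
 * illustrative, not the BCM2837 layout. Includes a misaligned decoy that a correct scan must skip. */
uint8_t *build_demo_image(size_t *len) {
    *len = 0x40000;
    uint8_t *img = calloc(*len, 1);
    if (!img) return NULL;
    place_component(img, 0x00000, CS_CLASS_ROMTABLE,  0x000, 0x00);
    place_component(img, 0x10000, CS_CLASS_CORESIGHT, 0xD03, 0x15);  /* core 0 debug */
    place_component(img, 0x18000, CS_CLASS_CORESIGHT, 0x9A8, 0x14);  /* core 0 CTI */
    place_component(img, 0x20800, CS_CLASS_CORESIGHT, 0x123, 0x15);  /* decoy, not 4k-aligned */
    return img;
}

int main(void) {
    size_t len; cs_hit hits[8];
    uint8_t *img = build_demo_image(&len);
    if (!img) return 1;
    size_t n = cs_scan(img, len, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("0x%05llx class=0x%x part=0x%03x devtype=0x%02x %s\n", (unsigned long long)hits[i].base,
               hits[i].cclass, hits[i].part, hits[i].devtype, cs_describe(&hits[i]));
    free(img);
    return 0;
}
```

On a real target the scan window would be the physical region the ROM table (from MDRAR, a TRM, or the device tree) points at, and each hit's PIDR part number can then be matched against the core's TRM to confirm which block is the debug unit and which is its CTI before any ECT/debug register is touched.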
Thanks for your kind response! I hope you have a good day!