Android 4.2 Emulator Kernel Debugging

Storage architecture 2016-04-12

This article discusses Android 4.2 kernel debugging. I won't describe how to set up the environment; if you want to know how, see this article: Android Linux内核编译调试. That article still contains some errors, though. For example, the command to start an emulator that can be debugged is as follows:

emulator -verbose -show-kernel -netfast -kernel kernel/goldfish/arch/arm/boot/zImage -sdcard sdcard.img -partition-size 1024 -data userdata.img -qemu -gdb tcp::1234 -S

After setting up the environment, we can use gdb to connect to the emulator:

arm-linux-androideabi-gdb /xxx/kernel/goldfish/vmlinux
target remote localhost:1234

1. to get sys_call_table

In kernel mode, the sys call is the most important interface between user mode and the kernel, and the sys call table holds the address of every sys call. So how can we get the sys call table's addr? I know two ways to get that addr:

  1. get sys call table’s addr by calculating the offset.
  2. read from

For the first way, we can use code like the one below:

static void **sys_call_table;
/* Walk from the ARM SWI exception vector into vector_swi and pick up the target
 * of its "adr tbl, sys_call_table" instruction (tbl is r8). */
static void get_sys_call_table(void)
{
    void *swi_table_addr = (void *)0xffff0008;  /* exception vectors are mapped at 0xffff0000 */
    unsigned long insn, rot, offset, i, *swi_vector_adr;
    /* The vector is "ldr pc, [pc, #imm12]": the literal imm12 + 8 bytes further on holds vector_swi's address. */
    offset = (*(unsigned long *)swi_table_addr & 0xfff) + 8;
    swi_vector_adr = *(unsigned long **)(swi_table_addr + offset);
    for (i = 0; i < 64; i++, swi_vector_adr++) {
        insn = *swi_vector_adr;
        if ((insn & 0xfffff000) != 0xe28f8000)  /* not "add r8, pc, #imm", keep scanning */
            continue;
        rot = 2 * ((insn >> 8) & 0xf);  /* ARM immediate = 8-bit value rotated right by 2 * bits[11:8] */
        offset = rot ? ((insn & 0xff) >> rot) | ((insn & 0xff) << (32 - rot)) : (insn & 0xff);
        sys_call_table = (void *)swi_vector_adr + 8 + offset;  /* pc reads as the instruction address + 8 */
        return;
    }
}

It contains the kernel's function addresses, and you can find sys_call_table's addr in this file:

c0032d84 T sys_call_table
c0033334 t sys_syscall
c003335c t sys_fork_wrapper

use gdb to see the sys call table's items:
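As an added example (not part of the original post), the following Python script cross-checks a gdb dump of sys_call_table against an nm-style symbol listing in the address/type/name format shown above: every slot should land exactly on a kernel symbol, so a handler that resolves to an address below the kernel (a module) or to a mid-function offset is a sign the table has been patched. The symbol lines and the output of the assumed gdb command "x/8xw &sys_call_table" are constructed for illustration.

```python
import bisect
import re
# Constructed nm-style symbol listing ("address type symbol"), the format shown above.
SYMBOLS_TXT = """\
c0032d84 T sys_call_table
c003335c t sys_fork_wrapper
c0080000 T sys_restart_syscall
c0080040 T sys_exit
c0080100 T sys_read
c0080200 T sys_write
c0080300 T sys_open
"""
# Constructed gdb output of "x/8xw &sys_call_table"; slots 5 and 6 are deliberately wrong.
GDB_DUMP = """\
0xc0032d84 <sys_call_table>:    0xc0080000  0xc0080040  0xc003335c  0xc0080100
0xc0032d94 <sys_call_table+16>: 0xc0080200  0xbf001234  0xc0080304  0xc0080300
"""

def parse_symbols(text):
    """Return parallel lists ([addr...], [name...]) sorted by address."""
    syms = sorted((int(a, 16), n) for a, _t, n in (l.split() for l in text.splitlines() if l.strip()))
    return [a for a, _ in syms], [n for _, n in syms]

def resolve(addrs, names, addr):
    """Nearest preceding symbol and offset; (None, addr) if addr lies below every kernel symbol."""
    i = bisect.bisect_right(addrs, addr) - 1
    return (None, addr) if i < 0 else (names[i], addr - addrs[i])

def parse_gdb_dump(text):
    """Map syscall number -> handler address from 'x/Nxw &sys_call_table' output (4-byte slots)."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"0x[0-9a-f]+ <sys_call_table(?:\+(\d+))?>:\s*(.*)$", line.strip())
        if m:
            nr = int(m.group(1) or 0) // 4  # byte offset in <sys_call_table+N> -> slot index
            for word in m.group(2).split():
                table[nr] = int(word, 16)
                nr += 1
    return table

def check_table(symbols_text, dump_text):
    """Flag every slot whose handler is not exactly at a kernel symbol (module address, mid-function...)."""
    addrs, names = parse_symbols(symbols_text)
    resolved = [(nr, addr) + resolve(addrs, names, addr) for nr, addr in sorted(parse_gdb_dump(dump_text).items())]
    return [(nr, addr, name, off, name is None or off != 0) for nr, addr, name, off in resolved]

if __name__ == "__main__":
    for nr, addr, name, off, bad in check_table(SYMBOLS_TXT, GDB_DUMP):
        print("%3d 0x%08x %s+0x%x %s" % (nr, addr, name, off, "SUSPICIOUS" if bad else "ok"))
```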

2. break at sys call's entry

In Android, the r7 register holds the sys call number, and the instruction "svc 0" enters kernel mode. So, if we want to debug a sys call directly, we just set a breakpoint at the sys call entry. The entry is in arch/arm/kernel/entry-common.S:

        sub     sp, sp, #S_FRAME_SIZE
        stmia   sp, {r0 - r12}                  @ Calling r0 - r12
        add     r8, sp, #S_PC
        stmdb   r8, {sp, lr}^                   @ Calling sp, lr
        mrs     r8, spsr                        @ called from non-FIQ mode, so ok.
        str     lr, [sp, #S_PC]                 @ Save calling PC
        str     r8, [sp, #S_PSR]                @ Save CPSR
        str     r0, [sp, #S_OLD_R0]             @ Save OLD_R0

        /*
         * Get the system call number.
         */
#if defined(CONFIG_OABI_COMPAT)
        /*
         * If we have CONFIG_OABI_COMPAT then we need to look at the swi
         * value to determine if it is an EABI or an old ABI call.
         */
#ifdef CONFIG_ARM_THUMB
        tst     r8, #PSR_T_BIT
        movne   r10, #0                         @ no thumb OABI emulation
        ldreq   r10, [lr, #-4]                  @ get SWI instruction
#else
        ldr     r10, [lr, #-4]                  @ get SWI instruction
  A710( and     ip, r10, #0x0f000000            @ check for SWI         )
  A710( teq     ip, #0x0f000000                                         )
  A710( bne     .Larm710bug                                             )
#endif
#elif defined(CONFIG_AEABI)
        /*
         * Pure EABI user space always put syscall number into scno (r7).
         */
  A710( ldr     ip, [lr, #-4]                   @ get SWI instruction   )
  A710( and     ip, ip, #0x0f000000             @ check for SWI         )
  A710( teq     ip, #0x0f000000                                         )
  A710( bne     .Larm710bug                                             )
#elif defined(CONFIG_ARM_THUMB)
        /* Legacy ABI only, possibly thumb mode. */
        tst     r8, #PSR_T_BIT                  @ this is SPSR from save_user_regs
        addne   scno, r7, #__NR_SYSCALL_BASE    @ put OS number in
        ldreq   scno, [lr, #-4]
#else
        /* Legacy ABI only. */
        ldr     scno, [lr, #-4]                 @ get SWI instruction
  A710( and     ip, scno, #0x0f000000           @ check for SWI         )
  A710( teq     ip, #0x0f000000                                         )
  A710( bne     .Larm710bug                                             )
#endif

#ifdef CONFIG_ALIGNMENT_TRAP
        ldr     ip, __cr_alignment
        ldr     ip, [ip]
        mcr     p15, 0, ip, c1, c0              @ update control register
#endif
        adr     tbl, sys_call_table             @ load syscall table pointer
        ldr     ip, [tsk, #TI_FLAGS]            @ check for syscall tracing

#if defined(CONFIG_OABI_COMPAT)
        /*
         * If the swi argument is zero, this is an EABI call and we do nothing.
         *
         * If this is an old ABI call, get the syscall number into scno and
         * get the old ABI syscall table address.
         */
        bics    r10, r10, #0xff000000
        eorne   scno, r10, #__NR_OABI_SYSCALL_BASE
        ldrne   tbl, =sys_oabi_call_table
#elif !defined(CONFIG_AEABI)
        bic     scno, scno, #0xff000000         @ mask off SWI op-code
        eor     scno, scno, #__NR_SYSCALL_BASE  @ check OS number
#endif

        stmdb   sp!, {r4, r5}                   @ push fifth and sixth args
        tst     ip, #_TIF_SYSCALL_TRACE         @ are we tracing syscalls?
        cmp     scno, #NR_syscalls

we can set a breakpoint at this instruction:


use a conditional breakpoint to monitor one particular sys call:

b arch/arm/kernel/entry-common.S:265 if $r7==0xf0002


