0

I've got a worked binary used in embeded system. Now i want to write a some kind of patch for it. The patch will be loaded into a RAM bellow the main program and then will be called from main program. The question is how to tell gcc to use manually setted addresses of some function which will be used from patch. in other words: Old code has function sin() and i could use nm to find out the address of sin() in old code. My patched code will use sin() (or something else from main programm) and i want to tell the gcc (or maybe ld or maybe something else) for it to use the static address of function sin() while it linking the patched code. is it possible?

hmatar
  • 2,437
  • 2
  • 17
  • 27
qmor
  • 568
  • 6
  • 20
  • This is not possible with a `binary` image. How do you run `nm` on it? Are you sure you mean `binary`? – artless noise Mar 31 '13 at 17:35
  • Your best approach, if it really is a `binary`, is to patch the original `sin()` to jump to your variant. This is slightly slower. If your `sin()` is smaller, you could just over-write it. – artless noise Mar 31 '13 at 17:43
  • sorry. of course you're right. I've got a binary, but a could find out the function address from not stripped elf. – qmor Mar 31 '13 at 18:16

1 Answers1

0

The problem is that you would gave to replace all references to the original sin() function for the patched code. That would require the runtime system to contain all the object code data used to resolve references, and for the original code to be modifiable (i.e. not in ROM for example).

Windriver's RTOS VxWorks can do something close to what you are suggesting; the way it does it is you use "partial linking" (GNU linker option -r) to generate an object file with links that will be resolved at runtime - this allows an object file to be created with unresolved links - i.e. an incomplete executable. VxWorks itself contains a loader and runtime "linker" that can dynamically load partially linked object files and resolve references. A loaded object file however must be resolvable entirely using already loaded object code - so no circular dependencies, and in your example you would have to reload/restart the system so that the object file containing the sin() were loaded before those that reference it, otherwise only those loaded after would use the new implementation.

So if you were to use VxWorks (or an OS with similar capabilities), the solution is perhaps simple, if not you would have to implement your own loader/linker, which is of course possible, but not trivial.

Another, perhaps simpler possibility is to have all your code call functions through pointers that you hold in variables, so that all calls (or at least all calls you might want to replace) are resolved at runtime. You would have to load the patch and then modify the sin() function's pointer so that all calls thereafter are made to the new function. The problem with this approach is that you would either have to know a priori which functions you might later want to replace, or have all functions called that way (which may be prohibitively expensive in memory terms. It would perhaps be useful for this solution to have some sort of preprocessor or code generator that would allow you to mark functions that would be "dynamic" in this way and could automatically generate the pointers and calling code. So for example you might write code thus:

__dynamic void myFunction( void ) ;

...

myFunction() ;

and your custom preprocessor would generate:

void myFunction( void ) ;
void (*__dynamic_myFunction)(void) = myFunction() ;

...

__dynamic_myFunction() ;

then your patch/loader code would reassign myFunctionDyn with the address of the replacement function.

You could generate a "dynamic symbol table" containing just the names and addresses of the __dynamic_xxxxx symbols and include that in your application so that a loader could change the __dynamic_xxxxx variables by matching the xxxxx name with the symbols in the loaded object file - if you load a plain binary however you would have to provide the link information to the loader - i.e. which __dynamic_xxxxx variable to be reasssigned and teh address to assign to it.

Clifford
  • 88,407
  • 13
  • 85
  • 165
  • Thanks for your answer. What version of VxWorks you using? I want to resolve all the reference using the GCC (or with something similar). Because i've got the original partialimage.o with real old addresses (which are actual for the whole system) and the patch.o which i want somehow to link (or say "use the funtion addresses from partialimage.o") with partialimage.o. then i want to strip it using objcopy and then load this resulted binary to the system. – qmor Apr 02 '13 at 14:09
  • Last I used VxWorks (a long time ago) it was v5.4 I think, and used a Windriver customised version of GCC that was also old. In the system I developed using it, the entire application apart from the kernel itself comprised of a number of object files loaded at runtime from the filesystem. Probably not what you are looking for. However for normal static linking a symbol in an object file overrides one in a library archive, so if the original `sin()` is in a library, and the replacement in an object file, the replacement will be used. – Clifford Apr 02 '13 at 14:55
  • Okay. Could you briefly describe how you has wrote your system? With or without special vxworks modules? – qmor Apr 02 '13 at 17:13
  • As I said, it was a long time ago, and in another job so I do not have access to the code. However it was configurable via the Tornado environment configuration tool, the target shell and the loader module were required, and the system modules were loaded via a target shell command script. – Clifford Apr 02 '13 at 17:38