CCS/TMS320F28335: Can I manipulate RPCs in the source code?

Han SeungJae

Part Number: TMS320F28335

Tool/software: Code Composer Studio

Hello,

Is it possible to arbitrarily change the value of the RPC register from source code or assembly code in CCS?

When accessing the stack area from executable code(.text), if MCU encounter executable code such as shellcode in stack, can that shellcode be executed?

Thanks, Regards

Han

over 5 years ago

0 Richard Poley over 5 years ago

TI__Mastermind 27200 points

Han,

You would have to access the RPC via assembly code. You could write a short routine something like this:

.global _loadRPC

_loadRPC:

PUSH RPC
MOVL *-SP[2], ACC
POP RPC
LRETR

You would extern it from C like this:

extern void loadRPC(long int addr);

I don't know what 'shellcode' is so I regret I can't answer the second part of your question. The stack is normally used for saving registers and data; I don't know what code would be doing there. Hypothetically you could execute code from it since the memory map is unified, but why you would do that is outside my experience.

Regards,

Richard

0 Han SeungJae over 5 years ago in reply to Richard Poley

Intellectual 980 points

I applied the code you told me as it was, but [E0002] invalid mnemonic specification error occurred.

and I used extern void loadRPC (long int addr);

then,

loadRPC was called from a user-defined function.

Here's one more question: Why is the long int data type taken as an argument to the RPC function because of this part of "MOVL * -SP [2], ACC" in assembly code?

Why long int type?

As a beginner in assembly language, please explain in detail.

Thanks, Regards

Han

0 Richard Poley over 5 years ago in reply to Han SeungJae

TI__Mastermind 27200 points

Han,

The first issue is because you need at least one whitespace before the "." character. That wasn't clear from my first reply - sorry about that. Put a space or tab before ".global" and it will be fine.

The second issue is because you have put a space before the ":" character after the label. Change "_loadRPC :" to "_loadRPC:" and it will be fine. To summarize, you need:

.global _loadRPC

_loadRPC:

The program counter on C28x is 22 bits, so you need a data type of at least that size to hold it. On C28x, and "int" data type is 16-bits, while a "long int" is 32 bits. Hence you need to specify the RPC value you want in a long int data type when you call the function.

Hope this helps. Please post back if anything's not clear.

Regards,

Richard

0 Han SeungJae over 5 years ago in reply to Richard Poley

Intellectual 980 points

Thank you for your kind explanation.

There is one more question.

Can you give me an example of an assembly code that can change the PC value within the code?

0 Richard Poley over 5 years ago in reply to Han SeungJae

TI__Mastermind 27200 points

Any branch or loop instruction will load the PC. One such example is "B _label, UNC", which loads the PC with a relative offset depending on the label address. The C28x CPU CPU & Instruction Set Guide has a full list of assembly instructions in chapter 6.

I'm not sure why you want to do this. Could you provide a few details on what you are trying to do please?

Regards,

Richard

0 Han SeungJae over 5 years ago in reply to Richard Poley

Intellectual 980 points

I am a student studying embedded security.

I am wondering whether PC values can be manipulated, and I am not familiar with assembly language, so I have many questions.

What I want to do is to call a specific function by executing a code that changes the RPC value in the data area by manipulate the PC at a certain moment.

I apologize if you are unhappy with these questions.

Thanks,

Regards,

Han

0 Richard Poley over 5 years ago in reply to Han SeungJae

TI__Mastermind 27200 points

Han,

No problem. The information you need is contained in these two user guides.

The CPU and Instruction Set Guide contains information on the assembly instructions, as well as register usage:
www.ti.com/.../spru430f.pdf

The C Compiler User's Guide has information on how function calls from C are made (see especially section 7.3)
www.ti.com/.../spru514t.pdf

Regards,

Richard

0 Han SeungJae over 5 years ago in reply to Richard Poley

Intellectual 980 points

There is one more thing to ask.

loadRPC:

PUSH RPC // Store the value of the current RPC register on the stack
MOVL * -SP [2], ACC // Save the contents of the ACC register in the SP-2word location
POP RPC // Save the contents of the ACC register in the RPC register
LRETR // Save the contents of the RPC register to the PC

Is there an incorrect interpretation of the part I commented on?

MOVL * -SP [2], Does ACC take the loadRPC's argument from loadRPC(long int address) and store it in the ACC register?

And, I want to check the opcode of MOVL * -SP [2], ACC, but it doesn't seem to exist in the user guide.

Is this part I should infer and find out?

Thanks, and Regards

Han

0 Richard Poley over 5 years ago in reply to Han SeungJae

TI__Mastermind 27200 points

Han,

"MOVL * -SP [2], Does ACC take the loadRPC's argument from loadRPC(long int address) and store it in the ACC register?"
Correct. The compiler will place the argument in the ACC register before the call branch (see section 7.3.1 in the compiler user's guide I referenced). This instruction moves the ACC contents into the memory location 2 words below the stack pointer (SP), which is where the current RPC has been pushed by the previous instruction. The next instruction moves this data into the RPC.

The instruction is documented on page 300 of the CPU instruction set guide I referenced in my last post. The "loc32" field is defined using stack relative addressing, which is described on p.85.

Hope this helps.

Regards,

Richard

0 Han SeungJae over 5 years ago in reply to Richard Poley

Intellectual 980 points

Your kind explanation helped me a lot.

Thank you very much.

Have a nice day.

Regards,

Han

C2000™︎ microcontrollers

C2000 microcontrollers forum

CCS/TMS320F28335: Can I manipulate RPCs in the source code?