Full Report

Disclaimer: These are unfiltered study notes mostly for myself. Guaranteed not to be error free. So if you did land here, managed to get to the end of it and found some mistakes just hit me up, I'd love to know what's wrong :)

AArch64 - Preface

Analysis Summary
# Research: AArch64 - Preface (Study Notes on ARM Assembly and Test Environment Setup)
## Metadata
- Authors: [Self-documented, indicated as 'pwn@host$']
- Institution: [Implied self-study/personal research notes]
- Publication: [Unpublished study notes/blog post draft]
- Date: [Implied recent, based on Raspbian image date 2022-01-28]
## Abstract
These are personal, unfiltered study notes focusing on establishing a foundational understanding of AArch64 (ARM 64-bit) assembly language basics and setting up a practical testing environment using QEMU to emulate a recent Raspbian OS (AArch64 target). The notes cover assembly syntax, fundamental differences between ARM/Thumb modes (though irrelevant for AArch64), register conventions, instruction encoding, and specific details for system calls and exception handling registers.
## Research Objective
The primary objective appears to be preparatory: to document the basics of AArch64 assembly syntax and conventions necessary for security research (likely exploit development or reverse engineering) and to successfully construct a reproducible, emulated environment running AArch64 Linux (Raspbian) for practical testing.
## Methodology
### Approach
The approach is primarily observational and practical setup:
1. **Environment Construction:** Detailed steps for setting up a QEMU environment targeting the Raspberry Pi 3 Model B+ architecture running Raspbian (Bullseye, 64-bit).
2. **Assembly Documentation:** Systematic recording of ARM/AArch64 assembly terminology, instruction format, register organization, and mode switching concepts (primarily for context relative to older ARM versions).
### Dataset/Environment
The study focuses on the **AArch64 (ARMv8-A)** instruction set architecture running on a simulated **Raspberry Pi 3 Model B+** platform.
- **OS Image:** `2022-01-28-raspios-bullseye-arm64.img`
- **Emulator:** QEMU (version 6.0 mentioned)
### Tools & Technologies
- **QEMU:** `qemu-system-aarch64` used for virtualization.
- **Utilities:** `fdisk`, `mount`, `busybox unzip`.
- **Post-Boot Tools:** `nasm` (assembler), `neovim` (editor), and `gef` (GDB enhancement framework).
- **Cross-Compilation (Workaround):** `gcc-aarch64-linux-gnu`.
## Key Findings
### Primary Results
1. **AArch64 Unification:** Unlike ARMv7, AArch64 exclusively supports one instruction set: **A64**. Thumb mode instructions are *not* supported.
2. **Instruction Encoding:** AArch64 instructions are uniformly **32-bit wide** and typically **little-endian**. The general format is `MNEMONIC{S} {condition} {dest_register}, op1, op2`.
3. **Endianness Control:** Data endianness during execution at EL0/EL1 is governed by the hardware configuration register `SCTLR_EL1.E0E`.
4. **Register R31 Specialization:** Register 31 is dual-purpose: it acts as the stack pointer ($\text{rsp}$) when dealing with stack operations, and as the **zero register** ($\text{xzr}/\text{wzr}$) otherwise (reads 0, discards writes).
5. **Calling Convention:** Arguments and return values reside in registers **r0-r7**. For system calls, the syscall number is expected in register **r8**. For Exception Level (EL) switching via SMC, the SMC ID is in **x0**.
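Findings 2 and 4 above, as an added example that is not code from the notes: a small Python decoder for the A64 ADD/SUB immediate and shifted-register forms. It reads the 32-bit little-endian instruction word and applies the register-31 rule, so the same 5-bit field value prints as `sp` or `xzr` depending on which encoding it sits in. The sample words are constructed by hand from the ARMv8-A encoding tables.

```python
import struct

def reg(n, sf, sp_ok):
    """Name register n: 31 is sp where the encoding allows it, else xzr/wzr."""
    if n == 31:
        return "sp" if sp_ok else ("xzr" if sf else "wzr")
    return f"{'x' if sf else 'w'}{n}"

def decode_addsub(insn_bytes):
    """Decode one A64 ADD/SUB (immediate or shifted-register) instruction.

    insn_bytes are the 4 bytes as they sit in memory (little-endian).
    Returns the assembly text, or None for any other encoding.
    """
    word, = struct.unpack("<I", insn_bytes)
    sf, op, s = word >> 31 & 1, word >> 30 & 1, word >> 29 & 1
    rn, rd = word >> 5 & 31, word & 31
    mnem = ("sub" if op else "add") + ("s" if s else "")
    if word >> 24 & 0x1F == 0b10001:                 # ADD/SUB (immediate)
        imm = (word >> 10 & 0xFFF) << (12 if word >> 22 & 3 == 1 else 0)
        # Rn=31 is always sp here; Rd=31 is sp only when flags are not set,
        # which is why "cmp x0, #1" decodes as "subs xzr, x0, #1".
        return f"{mnem} {reg(rd, sf, s == 0)}, {reg(rn, sf, True)}, #{imm}"
    if word >> 24 & 0x1F == 0b01011 and not word >> 21 & 1:  # shifted register
        shift = word >> 22 & 3
        if shift == 3:                                # reserved shift type
            return None
        rm, imm6 = word >> 16 & 31, word >> 10 & 0x3F
        # no sp in this form: every register field treats 31 as xzr/wzr
        text = f"{mnem} {reg(rd, sf, False)}, {reg(rn, sf, False)}, {reg(rm, sf, False)}"
        if imm6:
            text += f", {('lsl', 'lsr', 'asr')[shift]} #{imm6}"
        return text
    return None

# Constructed sample words (hand-encoded from the ARMv8-A encoding tables).
SAMPLES = {
    "ff430091": "add sp, sp, #16",      # stack frame allocation: field 31 -> sp
    "1f0400f1": "subs xzr, x0, #1",     # cmp x0, #1: same field value -> xzr
    "e0030091": "add x0, sp, #0",       # mov x0, sp
    "20001f8b": "add x0, x1, xzr",      # register form never yields sp
    "200c028b": "add x0, x1, x2, lsl #3",
    "20040011": "add w0, w1, #1",       # sf=0 selects the 32-bit w registers
}

if __name__ == "__main__":
    for hexbytes, expected in SAMPLES.items():
        got = decode_addsub(bytes.fromhex(hexbytes))
        print(f"{hexbytes}  {got:<26} {'ok' if got == expected else 'MISMATCH'}")
```

Feeding the decoder bytes dumped from a debugger (e.g. `x/4xb $pc` in GEF) shows the little-endian byte order directly: `add sp, sp, #16` lands in memory as `ff 43 00 91`.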
### Supporting Evidence
- Direct citations of instruction formats (e.g., register naming conventions, immediate prefixes `#`, memory access brackets `[]`).
- Specific register mappings for parameter passing and syscalls (r0-r7 for args, r8 for syscall number).
### Novel Contributions
The notes serve as a curated, practical introduction targeted specifically at setting up an AArch64 exploitation/reverse engineering environment, consolidating architectural facts (like the removal of Thumb mode) and practical setup steps (QEMU command line). The technical insight provided is the specific register use in AArch64 syscalls ($\text{r8}$) and SMC calls ($\text{x0}$).
## Technical Details
The environment setup details are highly technical, requiring manipulation of disk images, calculating offsets for partition mounting, and specific QEMU launch flags (`-M raspi3`, specific kernel/device tree binaries) to boot the ARM OS correctly under emulation.
The notes meticulously contrast AArch64 with older ARM:
- **Conditional Execution:** Absent in AArch64, whereas it was a feature of full ARM (but not all Thumb modes).
- **Barrel Shifter:** An ARM-exclusive feature (e.g., `mov r1, r0, LSL #1`) which is not directly present in the same form in A64.
## Practical Implications
### For Security Practitioners
The notes provide the necessary starting point for analyzing software targeting modern ARM CPUs (like those found in mobile devices or specific IoT/server infrastructure). Understanding the AArch64 calling convention and register roles (especially $\text{r8}$ for syscalls) is crucial for writing shellcode, debugging native binaries, or performing vulnerability analysis.
### For Defenders
Defenders must be aware that exploit payloads targeting AArch64 systems will follow the A64 instruction set rules, which differ significantly from 32-bit ARM exploitation, particularly regarding instruction length and conditional execution reliance.
### For Researchers
The documented QEMU setup acts as a reproducible baseline for studying dynamic analysis tools (like GEF) or vulnerability research on AArch64 Linux kernels or userland processes without requiring physical hardware.
## Limitations
- **Stated Disclaimer:** The author explicitly states the notes are unfiltered, preliminary, and "guaranteed not to be error free."
- **macOS Compatibility Issue:** The standard QEMU setup exhibited network problems when run on macOS, requiring a workaround via a separate Linux VM.
## Comparison to Prior Work
The notes acknowledge the necessity of understanding older ARM concepts (e.g., Thumb mode, CPSR) only for context, clearly distinguishing that the *current focus* is AArch64 (A64), which simplifies the instruction set landscape by eliminating mode switching complexity inherent in ARMv7. The inclusion of detailed links suggests the notes are built upon existing deep technical analyses concerning TrustZone exploitation, indicating this work is aimed at advanced system security topics.
## Real-world Applications
- Development of AArch64 shellcode and proof-of-concept exploits.
- Static and dynamic analysis of firmware and system binaries compiled for AArch64 Linux.
- Establishing secure, emulated sandboxes for testing ARM-based security software.
### Implementation Considerations
The main consideration is performance: hardware-assisted virtualization (KVM on an AArch64 host) would help, but the notes only use QEMU's own emulation. Cross-compilation toolchains must specifically target `aarch64-linux-gnu`.
## Future Work
The documented QEMU setup is likely intended to precede practical research, such as:
- Writing and testing basic AArch64 shellcode.
- Analyzing exception handling paths in the emulated environment.
- Implementing or testing TEE bypasses, given the breadth of related references.
## References
- [Quarkslab: A deep dive into Samsung’s TrustZone](https://blog.quarkslab.com/a-deep-dive-into-samsungs-trustzone-part-3.html)
- [Google Project Zero: Trust Issues: Exploiting TrustZone TEEs](https://googleprojectzero.blogspot.com/2017/07/trust-issues-exploiting-trustzone-tees.html)
- [Azeria Labs: Trustonic’s Kinibi TEE Implementation](https://azeria-labs.com/trustonics-kinibi-tee-implementation/)
- [BlueFrostSecurity: TEE Exploitation on Samsung Exynos devices](https://labs.bluefrostsecurity.de/blog/2019/05/27/tee-exploitation-on-samsung-exynos-devices-introduction/)
- [Riscure: Breaking TEE Security Part 1: TEEs, TrustZone and TEEGRIS](https://www.riscure.com/blog/tee-security-samsung-teegris-part-1)
- [Checkpoint: The Road to Qualcomm TrustZone Apps Fuzzing](https://research.checkpoint.com/2019/the-road-to-qualcomm-trustzone-apps-fuzzing/)
- [Raelize: Qualcomm IPQ40xx: Achieving QSEE Code Execution](https://raelize.com/blog/qualcomm-ipq40xx-achieving-qsee-code-execution/)
- [Microsoft Old New Thing: Thumb-2 series](https://devblogs.microsoft.com/oldnewthing/20210531-00/?p=105265&ref=0x434b.dev)
- [ARM: ARMv8 Instruction Set Overview (PDF)](https://armkeil.blob.core.windows.net/developer/Files/pdf/graphics-and-multimedia/ARMv8_InstructionSetOverview.pdf)
- [modexp: A Guide to ARM64 / AArch64 Assembly on Linux](https://modexp.wordpress.com/2018/10/30/arm64-assembly/)