Skip to main content
Glama
nebuloss

re-dyn-mcp

by nebuloss
OverviewSchemaRelated ServersScoreDiscussions
TypeScript
Remote

@nebuloss/re-dyn-mcp

A dynamic-analysis MCP server for the GT-BE98 / Broadcom BCM6726b0 WiFi-driver reverse-engineering effort. It drives gdb-multiarch over GDB/MI against the QEMU dhd harness gdbstub, and manages the harness lifecycle (run / stop / logs).

This is the runtime/dynamic counterpart to the static stack:

Server

Repo

What it does

re (radare2)

r2-re-mcp

static disassembly, xrefs, signatures

utils

re-utils-mcp

binwalk, source search

dyn

this repo

live gdb against the booting harness

Topology — this is a DIRECT MCP entry, not behind mcpproxy

re-dyn-mcp runs on dev-build (10.0.50.21), because that is where QEMU, gdb-multiarch, the kernel symbols (vmlinux.harness), and the harness scripts live. The build never leaves dev-build.

Unlike the static servers (re/utils/files/ghidra), which are aggregated behind mcpproxy on the RE container, dyn is registered directly in the client's .mcp.json as:

{ "dyn": "http://10.0.50.21:8781/mcp" }

It is not a mcpproxy upstream. Dynamic debugging is stateful and latency- sensitive (a live gdb session, breakpoints, single-stepping) — fronting it behind the proxy's retrieve_tools / call_tool indirection added latency and an approval gate for no benefit. The client talks to it straight over VLAN 50, so it binds 0.0.0.0 (not loopback).

Related MCP server: Aragorn

Tools (18)

Harness lifecycle

Tool

Purpose

harness_run

Boot the QEMU dhd harness (run-harness-dhd.sh) in the background, gdbstub on :1234. setsid + pidfile so harness_stop can kill the whole process group.

harness_stop

Kill the running harness (and any attached gdb session).

harness_logs

Tail the harness boot / dhd-probe / IPC trace (traces/dhd-harness.log).

gdb session

Tool

GDB/MI

Purpose

gdb_connect

-target-select remote

Attach to the harness gdbstub (default localhost:1234), load symbols.

gdb_break

-break-insert

Breakpoint at symbol, file:line, *0xADDR, or fn+off.

gdb_continue

-exec-continue

Resume; report where it halts.

gdb_step

-exec-step

Step into (source line).

gdb_next

-exec-next

Step over (source line).

gdb_finish

-exec-finish

Run to caller.

gdb_stepi

-exec-step-instruction

Single instruction.

gdb_interrupt

SIGINT

Halt a running target, report where it stopped.

gdb_regs

-data-list-register-values x

Registers in hex.

gdb_mem

-data-read-memory-bytes

Read count bytes at an address/expr.

gdb_bt

-stack-list-frames

Call stack.

gdb_eval

-data-evaluate-expression

Evaluate a C/gdb expression in the current frame.

gdb_cmd

(raw)

Escape hatch — run an arbitrary gdb/MI command.

gdb_status

Whether a gdb session is live; default target/symbols.

gdb_disconnect

Detach and terminate the gdb process.

Typical workflow

harness_run                      # boot the dhd harness, gdbstub :1234 (GDB=1 set internally)
gdb_connect                      # attach gdb-multiarch, load vmlinux.harness symbols
gdb_break  brcmf_pcie_probe      # set a breakpoint on the probe path
gdb_continue                     # run to it
gdb_bt ; gdb_regs ; gdb_mem ...  # inspect
gdb_disconnect
harness_stop                     # tear the harness down

Config (environment)

Var

Default

Meaning

RE_DYN_PORT

8781

HTTP listen port.

RE_DYN_HOST

0.0.0.0

Bind address (cross-host: the client is on dev-code).

HARNESS_DIR

Dir holding run-harness-dhd.sh (the QEMU dhd harness).

HARNESS_GDB

localhost:1234

gdbstub address the harness exposes.

HARNESS_VMLINUX

Kernel image with symbols for gdb to load.

GDB_BIN

gdb-multiarch

gdb binary.

LOG_LEVEL

info

Log verbosity.

The MCP endpoint is POST /mcp; GET /health returns {"status":"ok"}.

Build & run

npm install
npm run build        # tsc -> dist/
npm start            # node dist/server.js

Deploy (dev-build)

sudo cp systemd/re-dyn-mcp.service /etc/systemd/system/
sudo systemctl daemon-reload && sudo systemctl enable --now re-dyn-mcp
# expects the built server at /opt/re-dyn-mcp/dist/server.js

The service runs as guillaume (not root) so harness_run behaves like a manual run and doesn't litter root-owned files in the user tree. MemoryMax=512M.

Prerequisite — harness artifacts

gdb_connect can only attach once the harness actually boots. That needs two build artifacts present on dev-build:

  • rootfs/initramfs-dhd.cpio.gz (initrd)

  • vmlinux.harness (kernel image + symbols, path from HARNESS_VMLINUX)

Rebuild them on dev-build (via rtk) before expecting live attach to work. The server itself runs fine without them — harness_run will just fail to boot until they exist.

CI

Typecheck-only (tsc). The runtime drives gdb-multiarch against QEMU, neither of which exists on GitHub runners — the real exercise happens on dev-build.

License

MIT

This server cannot be installed

F
license - not found
-
quality - not tested
C
maintenance

How are these scores calculated?

Maintenance

Maintainers
Response time
Release cycle
Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/nebuloss/re-dyn-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server