Run cam's firmware in qemu
Any comments are welcome! Post here.
QEMU is a processor emulator that relies on dynamic binary translation to achieve a reasonable speed while being easy to port on new host CPU architectures. In conjunction with CPU emulation, it also provides a set of device models (ARM !), allowing it to run a variety of unmodified guest operating systems, thus it can be viewed as a hosted virtual machine monitor.
Mh, why not run the firmware dump with that? ;)
Status
I know virtually nothing about the cams ... there's some RAM at 0x0, ROM starts at 0xff81000. There's some I/O at 0xc0000000, and 0x40000000 smells like DMA. I found stderr/stdout, so we get some cute core dumps in the console ;)
However, qemu is a nice toolbox, so I set up a simple ARM board. No SD card, no USB, no VGA output ... yet.
I'll post the files in the forum, because this wiki is not that comfortable for exchanging code pieces.
Prerequisites
- Gpl_Disassembling
- have a raw firmware dump and an ELF-packed version of it. I use ixus860is.dump and ixus860is_dump.elf here.
- download qemu source
- I simply typed 'apt-get source qemu' and got 0.9.1 here.
- apply patch
- make
We can run qemu from the build dir, so no need for make install:
./arm-softmmu/qemu-system-arm -M help
./arm-softmmu/qemu-system-arm -nographic -s -S -m 128 -M ixus -option-rom ../ixus860is.dump README
This starts qemu without starting the CPU and waits for the debugger. The "README" is just a dummy file to make qemu's parseopts happy.
Next, let's start the debugger. I set up a little startup file "gdbopts":
target remote localhost:1234
set language asm
layout asm
layout regs
focus cmd
arm-linux-gnu-gdb -x gdbopts
STOP: How to set up arm-linux-gnu-gdb?
Hint:
(ctrl-x a) switches to cmd mode
(ctrl-x 2) 3 times: back to asm/reg view
(ctrl-x o) to cycle between windows
We are almost ready for takeoff. But gdb needs at least 2 symbols to operate as intended: rom_start and rom_end. Here comes the ELF file:
(gdb) symbol-file ixus860is_dump.elf
So, now you should have this:
+--Register group: general--------------------------------------------------------+
|r0             0x0      0                                                        |
|r1             0x0      0                                                        |
|r2             0x0      0                                                        |
|r3             0x0      0                                                        |
|r4             0x0      0                                                        |
|r5             0x0      0                                                        |
|r6             0x0      0                                                        |
+---------------------------------------------------------------------------------+
>|0xff810000 <_binary_ixus860is_dump_start>     b       0xff81000c <_binary_ixus  |
|0xff810004 <_binary_ixus860is_dump_start+4>   powvsez f6, f7, f7                 |
|0xff810008 <_binary_ixus860is_dump_start+8>   stmvcdb pc!, {r0, r3, r5           |
|0xff81000c <_binary_ixus860is_dump_start+12>  ldr     r1, [pc, #336] ; 0xff81    |
|0xff810010 <_binary_ixus860is_dump_start+16>  mov     r0, #0 ; 0x0               |
|0xff810014 <_binary_ixus860is_dump_start+20>  str     r0, [r1]                   |
|0xff810018 <_binary_ixus860is_dump_start+24>  mov     r1, #120 ; 0x78            |
+---------------------------------------------------------------------------------+
Focus set to CMD window.
(gdb) symbol-file ixus860is_dump.elf
Reading symbols from /home/chris/ixus/ixus860is_dump.elf...(no debugging symbols found)...done.
(gdb)
Use 'ni' or 'si' to execute step by step, or c for continue. Actually this will brick qemu. I found a lot of coprocessor 15 (cp15) instructions at the beginning (my guess was that it's the DIGIC unit; nope, it's about setting up TCM, which qemu doesn't support yet. There is some information about the cam's CPU in the forum). Most seem to be harmless except
ff810098: ee010f10 mcr 15, 0, r0, cr1, cr0, {0}
I manually patched them away. But finally it runs through and gets stuck in an endless loop (around 0xff8150e0). I guess it's waiting for the hardware to come up. But it's setup stuff! Press ctrl-c and have a look:
(gdb) x/12x 0
0x0:    0xe1a00000  0xe59ff014  0xe59ff014  0xe59ff014
0x10:   0xe59ff014  0xe1a00000  0xe59ff010  0xe59ff010
0x20:   0xff810468  0xff8104d8  0xff81047c  0xff810494
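The table at 0x0 is the ARM exception vector table, and the handler addresses can be read out mechanically instead of by hand. As an added example (not code from the page or from CHDK), this Python script follows each vector's `ldr pc, [pc, #imm]` (or `b`) to its handler, using the 12 words from the x/12x dump above as constructed input; it reports None for a vector whose literal lies past the end of the dump.

```python
import struct

# Constructed sample input: the 12 words the page shows for "x/12x 0" (RAM at 0x0).
RAM_DUMP = struct.pack("<12I",
    0xe1a00000, 0xe59ff014, 0xe59ff014, 0xe59ff014,
    0xe59ff014, 0xe1a00000, 0xe59ff010, 0xe59ff010,
    0xff810468, 0xff8104d8, 0xff81047c, 0xff810494)

# ARM exception vectors in table order, 4 bytes apart from the base.
VECTOR_NAMES = ["reset", "undefined", "swi", "prefetch_abort",
                "data_abort", "reserved", "irq", "fiq"]

def read_word(mem, addr):
    """Little-endian 32-bit read, or None when addr is outside the dump."""
    if addr < 0 or addr + 4 > len(mem):
        return None
    return struct.unpack_from("<I", mem, addr)[0]

def resolve_vector(mem, addr):
    """Follow the instruction at an exception vector to its handler.
    Returns the address, "nop" for mov r0,r0, or None when the instruction
    or the literal it loads lies outside the dump (PC reads as addr + 8)."""
    insn = read_word(mem, addr)
    if insn is None:
        return None
    pc = addr + 8
    if insn == 0xe1a00000:                        # mov r0, r0 (nop): no handler
        return "nop"
    if (insn & 0x0f7ff000) == 0x051ff000:         # ldr pc, [pc, #+/-imm12]
        imm = insn & 0xfff
        literal = pc + imm if insn & (1 << 23) else pc - imm
        return read_word(mem, literal)            # None if literal is past the dump
    if (insn & 0x0f000000) == 0x0a000000:         # b <target>
        off = insn & 0xffffff
        if off & 0x800000:                        # sign-extend the 24-bit word offset
            off -= 1 << 24
        return (pc + (off << 2)) & 0xffffffff
    raise ValueError("unrecognised vector instruction 0x%08x at 0x%x" % (insn, addr))

def vector_table(mem, base=0):
    """Map every vector name to its resolved handler (or "nop"/None)."""
    return {name: resolve_vector(mem, base + 4 * i)
            for i, name in enumerate(VECTOR_NAMES)}

if __name__ == "__main__":
    for name, target in vector_table(RAM_DUMP).items():
        shown = "0x%08x" % target if isinstance(target, int) else str(target)
        print("%-15s -> %s" % (name, shown))
```

Only 0x0..0x2f is in the dump, so irq and fiq (literals at 0x30 and 0x34) come back as None; widen the x/ command to resolve them too.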
Panic
Ok, 0xff810468 is the reset/illegal-instruction handler. Let's jump there:
j *0xff810468
Look at qemu console:
< Error Exception >
TYPE : undefined
ISR : FALSE
TASK ID : 917508
TASK Name : ClockSave
R 0 : 00000001  R 1 : ff8150cc  R 2 : 19980218  R 3 : 19980218
R 4 : 00001998  R 5 : c0400000  R 6 : 40000000  R 7 : 19980218
R 8 : 19980218  R 9 : 19980218  R10 : 19980218  R11 : 19980218
R12 : 19980218  R13 : 0000febc  R14 : ff8163a0
PC : ff8163a0
CPSR : 00000093
ctrl-c
j *0xff810468
(qemu)
< Error Exception >
TYPE : undefined
ISR : FALSE
TASK ID : 65537
TASK Name : idle
R 0 : 19980218  R 1 : 19980218  R 2 : 19980218  R 3 : 19980218
R 4 : 00000013  R 5 : 19980218  R 6 : 19980218  R 7 : 19980218
R 8 : 19980218  R 9 : 19980218  R10 : 19980218  R11 : 19980218
R12 : ffff8002  R13 : 0000febc  R14 : ff8160ec
PC : ff8160ec
CPSR : 60000093
DRYOS PANIC: Module Code = 1, Panic Code = 2
cute !!!!!!
More fun? Goto forum