Run cam's firmware in qemu

Any comments are welcome! Post here.

QEMU is a processor emulator that relies on dynamic binary translation to achieve a reasonable speed while being easy to port to new host CPU architectures. In conjunction with CPU emulation, it also provides a set of device models (ARM!), allowing it to run a variety of unmodified guest operating systems, thus it can be viewed as a hosted virtual machine monitor.

Mh, why not run the firmware dump with that? ;)


I know virtually nothing about the cams ... there's some RAM at 0x0, ROM starts at 0xff810000. There's some I/O at 0xc0000000, and 0x40000000 smells like DMA. I found stderr/stdout so we get some cute core dumps in the console ;)

However, qemu is a nice toolbox so I set up a simple ARM board. No SD-Card, no USB, no VGA output ... yet.

I'll post the files in the forum, because this wiki is not that comfortable for exchanging code pieces.


  • Gpl_Disassembling
  • have a raw firmware dump and an elf-packed version of it. I use ixus860is.dump and ixus860is_dump.elf here.
  • download the qemu source. I simply typed 'apt-get source qemu' and got 0.9.1 here.

We can run qemu from the build dir, so there is no need for make install:

./arm-softmmu/qemu-system-arm -M help

./arm-softmmu/qemu-system-arm -nographic -s -S -m 128 -M ixus -option-rom ../ixus860is.dump README

This starts qemu with the CPU halted (-S) and a gdb stub listening on localhost:1234 (-s), so it waits for the debugger before executing anything. -m 128 gives the board 128 MB of RAM and -M ixus selects the simple ARM board set up above. The "README" is just a dummy file to make qemu's parseopts happy.

Next, let's start the debugger. I set up a little startup file "gdbopts":

target remote localhost:1234
set language asm
layout asm
layout regs
focus cmd

and start gdb with it:

arm-linux-gnu-gdb -x gdbopts

STOP: How to set up arm-linux-gnu-gdb?


(ctrl-x a) switches to cmd mode (toggles the TUI)
(ctrl-x 2) 3 times brings you back to the asm/reg view
(ctrl-x o) cycles between windows

We are almost ready for takeoff. But gdb needs at least two symbols to operate as intended: rom_start and rom_end. Here comes the elf file:

(gdb) symbol-file ixus860is_dump.elf

So now you should have this:

+--Register group: general---------------------------------------------------------+
|r0             0x0      0                                                         |
|r1             0x0      0                                                         |
|r2             0x0      0                                                         |
|r3             0x0      0                                                         |
|r4             0x0      0                                                         |
|r5             0x0      0                                                         |
|r6             0x0      0                                                         |
  >|0xff810000 <_binary_ixus860is_dump_start>       b      0xff81000c <_binary_ixus|
   |0xff810004 <_binary_ixus860is_dump_start+4>     powvsez        f6, f7, f7      |
   |0xff810008 <_binary_ixus860is_dump_start+8>     stmvcdb        pc!, {r0, r3, r5|
   |0xff81000c <_binary_ixus860is_dump_start+12>    ldr    r1, [pc, #336]  ; 0xff81|
   |0xff810010 <_binary_ixus860is_dump_start+16>    mov    r0, #0  ; 0x0           |
   |0xff810014 <_binary_ixus860is_dump_start+20>    str    r0, [r1]                |
   |0xff810018 <_binary_ixus860is_dump_start+24>    mov    r1, #120        ; 0x78  |
Focus set to CMD window.
(gdb) symbol-file ixus860is_dump.elf
Reading symbols from /home/chris/ixus/ixus860is_dump.elf...(no debugging symbols fou

Use 'ni' or 'si' to execute step by step, or 'c' to continue. Actually, this will brick qemu. I found a lot of cp15 (coprocessor 15) instructions at the beginning (guess: it's the DIGIC unit. Nope, it's about setting up TCM, which qemu doesn't support yet. There is some information about the cam's CPU in the forum). Most seem to be harmless except

ff810098:   ee010f10    mcr 15, 0, r0, cr1, cr0, {0}
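Hunting for every cp15 access by scrolling through the disassembly is tedious, so here is a small scanner, added as an example and not part of the original page or of qemu. It walks a raw little-endian ARM dump word by word, reports every MCR/MRC to coprocessor 15 (the encoding has bits 27-24 = 1110, coproc field = 1111 and bit 4 set), names the few cp15 registers an ARM9 bring-up touches (control register, TCM region registers) and can write back a copy with the writes replaced by the same nop word (0xe1a00000, mov r0,r0) that the vector table at 0x0 uses. ROM_BASE is taken from the gdb listing above; the SAMPLE bytes are constructed, not from the camera, and anything in a data area that happens to match the pattern is a false positive to check in the disassembly.

```python
"""Scan a raw ARM firmware dump for cp15 (MCR/MRC p15) instructions.

Added example, not from the original page. Assumes little-endian ARM code
mapped at ROM_BASE; every aligned word is treated as an instruction, so hits
in data areas must be confirmed in the disassembly before patching.
"""
import struct

ROM_BASE = 0xFF810000  # load address of the dump, from the gdb listing

# MCR/MRC: cond | 1110 | opc1(3) | L | CRn(4) | Rt(4) | coproc(4) | opc2(3) | 1 | CRm(4)
# Fixing bits 27-24 to 1110, coproc to 1111 (p15) and bit 4 to 1 selects cp15 transfers.
CP15_MASK = 0x0F000F10
CP15_MATCH = 0x0E000F10

NOP = 0xE1A00000  # mov r0, r0: the idle word the vector table at 0x0 uses

# cp15 registers an ARM9 bring-up sequence typically touches: (CRn, opc1, CRm, opc2)
CP15_NAMES = {
    (0, 0, 0, 0): "ID code (MIDR)",
    (1, 0, 0, 0): "control register (SCTLR)",
    (9, 0, 1, 0): "data TCM region",
    (9, 0, 1, 1): "instruction TCM region",
}


def decode_cp15(word):
    """Decode one 32-bit word; return a dict for an MCR/MRC p15, else None."""
    if word & CP15_MASK != CP15_MATCH:
        return None
    crn = (word >> 16) & 0xF
    opc1 = (word >> 21) & 0x7
    crm = word & 0xF
    opc2 = (word >> 5) & 0x7
    return {
        "mnemonic": "mrc" if (word >> 20) & 1 else "mcr",  # L bit: 1 = read into Rt
        "rt": (word >> 12) & 0xF,
        "crn": crn, "opc1": opc1, "crm": crm, "opc2": opc2,
        "name": CP15_NAMES.get((crn, opc1, crm, opc2), "?"),
    }


def scan_cp15(dump, base=ROM_BASE):
    """Return [(address, word, decoded), ...] for every cp15 transfer in the dump."""
    hits = []
    for off in range(0, len(dump) - len(dump) % 4, 4):
        (word,) = struct.unpack_from("<I", dump, off)
        d = decode_cp15(word)
        if d:
            hits.append((base + off, word, d))
    return hits


def nop_out(dump, addresses, base=ROM_BASE):
    """Return a copy of the dump with the instructions at the given addresses replaced by NOP."""
    patched = bytearray(dump)
    for addr in addresses:
        struct.pack_into("<I", patched, addr - base, NOP)
    return bytes(patched)


def format_hit(addr, word, d):
    """One line in the style of the objdump listing used on this page."""
    return "%08x:   %08x    %s p15, %d, r%d, c%d, c%d, %d   ; %s" % (
        addr, word, d["mnemonic"], d["opc1"], d["rt"], d["crn"], d["crm"], d["opc2"], d["name"])


# Constructed sample, not camera code: mov r0,#0 / mcr p15 SCTLR / mrc p15 SCTLR / nop / ldr pc,[pc,#0x14]
SAMPLE = struct.pack("<5I", 0xE3A00000, 0xEE010F10, 0xEE110F10, 0xE1A00000, 0xE59FF014)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    hits = scan_cp15(data)
    for h in hits:
        print(format_hit(*h))
    if len(sys.argv) > 2:  # optional second argument: write a copy with all cp15 writes NOPed
        mcr_addrs = [a for a, w, d in hits if d["mnemonic"] == "mcr"]
        open(sys.argv[2], "wb").write(nop_out(data, mcr_addrs))
```

Run it as `python scan_cp15.py ixus860is.dump` to list the accesses, or add a second argument to get a patched copy you can feed to qemu instead of patching by hand in gdb. Only the writes (mcr) are NOPed; reads (mrc) are harmless and removing them would leave a register with whatever garbage was in it.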

I manually patched them away. But finally it runs through and gets stuck in an endless loop (around 0xff8150e0). I guess it's waiting for the hardware to come up. But it's setup stuff! Press ctrl-c and have a look:

(gdb) x/12x 0
0x0:    0xe1a00000      0xe59ff014      0xe59ff014      0xe59ff014
0x10:   0xe59ff014      0xe1a00000      0xe59ff010      0xe59ff010
0x20:   0xff810468      0xff8104d8      0xff81047c      0xff810494
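Those twelve words are the ARM exception vector table: a nop, six "ldr pc, [pc, #imm]" trampolines and, from 0x20 on, the handler addresses they load. The following decoder is an added example, not part of the original page; it only uses the words printed above (copied into DUMP) and the ARM rule that pc reads as the instruction address plus 8, so vector 0x4 with #0x14 loads from 0x20. It also handles a plain branch, and reports when a trampoline's slot lies beyond what was dumped, which is the case for IRQ and FIQ here (slots 0x30 and 0x34).

```python
"""Decode the ARM exception vector table dumped at address 0.

Added example, not from the original page. DUMP holds the words printed by
"x/12x 0" above; nothing else about the camera is assumed.
"""

VECTORS = ["reset", "undefined instruction", "swi", "prefetch abort",
           "data abort", "reserved", "irq", "fiq"]

NOP = 0xE1A00000  # mov r0, r0


def decode_vector(words, vec):
    """Describe the vector at byte offset vec; words are 32-bit words starting at address 0."""
    insn = words[vec // 4]
    if insn == NOP:
        return {"kind": "nop", "handler": None}
    # ldr pc, [pc, #+/-imm12]: cond 0101 U001 Rn=1111 Rt=1111 imm12 (U = bit 23 selects add/sub)
    if insn & 0x0F7FF000 == 0x051FF000:
        imm12 = insn & 0xFFF
        slot = vec + 8 + (imm12 if insn & (1 << 23) else -imm12)  # pc reads as vec + 8
        in_dump = 0 <= slot // 4 < len(words)
        return {"kind": "ldr pc", "slot": slot, "handler": words[slot // 4] if in_dump else None}
    # b <target>: cond 1010 imm24, a signed word offset relative to vec + 8
    if insn & 0x0F000000 == 0x0A000000:
        imm24 = insn & 0xFFFFFF
        if imm24 & 0x800000:
            imm24 -= 1 << 24
        return {"kind": "b", "handler": (vec + 8 + imm24 * 4) & 0xFFFFFFFF}
    return {"kind": "unknown", "handler": None}


def decode_table(words):
    """Map each of the eight exception vectors to its decoded entry."""
    return {name: decode_vector(words, i * 4) for i, name in enumerate(VECTORS)}


# The twelve words from the page's "x/12x 0" dump (addresses 0x00 .. 0x2c).
DUMP = [0xe1a00000, 0xe59ff014, 0xe59ff014, 0xe59ff014,
        0xe59ff014, 0xe1a00000, 0xe59ff010, 0xe59ff010,
        0xff810468, 0xff8104d8, 0xff81047c, 0xff810494]

if __name__ == "__main__":
    for name, d in decode_table(DUMP).items():
        if d["handler"] is not None:
            print("%-22s -> 0x%08x (%s)" % (name, d["handler"], d["kind"]))
        elif d["kind"] == "ldr pc":
            # slot beyond the dumped range: fetch it with e.g. "x/2x 0x30" in gdb
            print("%-22s -> slot 0x%02x not in dump" % (name, d["slot"]))
        else:
            print("%-22s    %s" % (name, d["kind"]))
```

With the page's dump this gives undefined instruction -> 0xff810468, swi -> 0xff8104d8, prefetch abort -> 0xff81047c and data abort -> 0xff810494, while reset and the reserved slot are nops and the irq/fiq handlers need two more words from 0x30 to resolve.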


Ok, 0xff810468 is the undefined-instruction handler: the vector at 0x4 does ldr pc, [pc, #0x14], which loads pc from the word at 0x20. Let's jump there:

j *0xff810468

Look at the qemu console:

< Error Exception >
TYPE : undefined
TASK ID   : 917508
TASK Name : ClockSave
R 0  : 00000001
R 1  : ff8150cc
R 2  : 19980218
R 3  : 19980218
R 4  : 00001998
R 5  : c0400000
R 6  : 40000000
R 7  : 19980218
R 8  : 19980218
R 9  : 19980218
R10  : 19980218
R11  : 19980218
R12  : 19980218
R13  : 0000febc
R14  : ff8163a0
PC   : ff8163a0
CPSR : 00000093
j *0xff810468
(qemu) < Error Exception >
TYPE : undefined
TASK ID   : 65537
TASK Name : idle
R 0  : 19980218
R 1  : 19980218
R 2  : 19980218
R 3  : 19980218
R 4  : 00000013
R 5  : 19980218
R 6  : 19980218
R 7  : 19980218
R 8  : 19980218
R 9  : 19980218
R10  : 19980218
R11  : 19980218
R12  : ffff8002
R13  : 0000febc
R14  : ff8160ec
PC   : ff8160ec
CPSR : 60000093
DRYOS PANIC: Module Code = 1, Panic Code = 2

cute !!!!!!

More fun? Go to the forum