Changes: GPL Qemu

Revision as of 17:57, 13 July 2008

QEMU is a processor emulator that relies on dynamic binary translation to achieve a reasonable speed while being easy to port on new host CPU architectures. In conjunction with CPU emulation, it also provides a set of device models (ARM !), allowing it to run a variety of unmodified guest operating systems, thus it can be viewed as a hosted virtual machine monitor.

http://bellard.org/qemu/

Mh, why not run the firmware dump with that? ;)

Status

I know virtually nothing about the cams ... theres some RAM at 0x0, ROM starts at 0xff81000. There's some I/O at 0xc0000000 and 0x40000000 smells like DMA. I found stderr/stdout so we get some cute core dumps in the console ;)

However, qemu is a nice toolbox so I set up a simple ARM board. No SD-Card, no USB, no VGA output ... yet.

I'll post the files in the forum, because this wiki is not that comfortable for exchanging code pieces.

Prerequisites

have a raw firmware dump and an elf packed version of it. I use ixus860is.dump and isus860is_dump.elf here.
Gpl_Disassembling
download qemu source

I simply typed 'apt-get source qemu' and got 0.9.1 here.

apply patch
make

We can run qemu from builddir so no need for make install:

./arm-softmmu/qemu-system-arm -M help

./arm-softmmu/qemu-system-arm -nographic -s -S -m 128 -M ixus -option-rom ../ixus860is.dump README

This starts qemu without starting the CPU and waits for the debugger. The "README" is just a dummy file to make qemu's parseopts happy.

Next, let's start the debugger. I setup a little startupfile "gdbopts":

target remote localhost:1234
set language asm
layout asm
layout regs
focus cmd

arm-linux-gnu-gdb -x gdbopts

Hint:

(ctrl-x a) switches to cmd mode
(ctrl-x 2) 3 times back to asm/reg view
(crtl-x o) to cycle between windows

We are almost ready for takeoff. But gdb needs at least 2 symbols to operate as intended: rom_start and rom_end. Here comes the elf file:

(gdb) symbol-file ixus860is_dump.elf

So, now u should have this:

+--Register group: general---------------------------------------------------------+
|r0             0x0      0                                                         |
|r1             0x0      0                                                         |
|r2             0x0      0                                                         |
|r3             0x0      0                                                         |
|r4             0x0      0                                                         |
|r5             0x0      0                                                         |
|r6             0x0      0                                                         |
   +-------------------------------------------------------------------------------+
  >|0xff810000 <_binary_ixus860is_dump_start>       b      0xff81000c <_binary_ixus|
   |0xff810004 <_binary_ixus860is_dump_start+4>     powvsez        f6, f7, f7      |
   |0xff810008 <_binary_ixus860is_dump_start+8>     stmvcdb        pc!, {r0, r3, r5|
   |0xff81000c <_binary_ixus860is_dump_start+12>    ldr    r1, [pc, #336]  ; 0xff81|
   |0xff810010 <_binary_ixus860is_dump_start+16>    mov    r0, #0  ; 0x0           |
   |0xff810014 <_binary_ixus860is_dump_start+20>    str    r0, [r1]                |
   |0xff810018 <_binary_ixus860is_dump_start+24>    mov    r1, #120        ; 0x78  |
   +-------------------------------------------------------------------------------+
Focus set to CMD window.
(gdb) symbol-file ixus860is_dump.elf
Reading symbols from /home/chris/ixus/ixus860is_dump.elf...(no debugging symbols fou
nd)...done.
(gdb)

Use 'ni' or 'si' to execute step by step, or c for continue. Actually this will brick qemu. I found a lot cpu#15 (guess: it's the DIGIC unit) instructions at the beginning. Most seems to be harmless except

ff810098:   ee010f10    mcr 15, 0, r0, cr1, cr0, {0}

I manually patched them away. But finally it runs throught and stuck in an endless loop (around 0xff8150e0). I guess waiting for the hardware coming up. But it's setup stuff! Press ctrl-c and have a look:

(gdb) x/12x 0
0x0:    0xe1a00000      0xe59ff014      0xe59ff014      0xe59ff014
0x10:   0xe59ff014      0xe1a00000      0xe59ff010      0xe59ff010
0x20:   0xff810468      0xff8104d8      0xff81047c      0xff810494

Ok, 0xff810468 is reset/ill instr. Let's jump there:

j *0xff810468

Look at qemu console:

< Error Exception >
TYPE : undefined
ISR  : FALSE
TASK ID   : 917508
TASK Name : ClockSave
R 0  : 00000001
R 1  : ff8150cc
R 2  : 19980218
R 3  : 19980218
R 4  : 00001998
R 5  : c0400000
R 6  : 40000000
R 7  : 19980218
R 8  : 19980218
R 9  : 19980218
R10  : 19980218
R11  : 19980218
R12  : 19980218
R13  : 0000febc
R14  : ff8163a0
PC   : ff8163a0
CPSR : 00000093

ctrl-c
j *0xff810468

(qemu) < Error Exception >
TYPE : undefined
ISR  : FALSE
TASK ID   : 65537
TASK Name : idle
R 0  : 19980218
R 1  : 19980218
R 2  : 19980218
R 3  : 19980218
R 4  : 00000013
R 5  : 19980218
R 6  : 19980218
R 7  : 19980218
R 8  : 19980218
R 9  : 19980218
R10  : 19980218
R11  : 19980218
R12  : ffff8002
R13  : 0000febc
R14  : ff8160ec
PC   : ff8160ec
CPSR : 60000093
DRYOS PANIC: Module Code = 1, Panic Code = 2

cute !!!!!!

More fun in the forum.

@@ Line 87: / Line 87: @@
 x20:   0xff810468      0xff8104d8      0xff81047c      0xff810494
-Ok, 0xff810468 is reset. Let's jump there:
+Ok, 0xff810468 is reset/ill instr. Let's jump there:
  j *0xff810468
@@ Line 115: / Line 115: @@
  PC   : ff8163a0
  CPSR : 00000093
+ ctrl-c
+ j *0xff810468
  (qemu) < Error Exception >
@@ Line 140: / Line 143: @@
  DRYOS PANIC: Module Code = 1, Panic Code = 2
-'''cute'''
+'''cute !!!!!!'''
 More fun in the forum.