CHDK Wiki
Disass (talk | contribs)

Latest revision as of 03:09, 17 May 2009

Run cam's firmware in qemu

Any comments are welcome! Post here: http://chdk.setepontos.com/index.php/topic,1918.0.html

QEMU is a processor emulator that relies on dynamic binary translation to achieve a reasonable speed while being easy to port on new host CPU architectures. In conjunction with CPU emulation, it also provides a set of device models (ARM !), allowing it to run a variety of unmodified guest operating systems, thus it can be viewed as a hosted virtual machine monitor.

http://bellard.org/qemu/

Mh, why not run the firmware dump with that? ;)

Status

I know virtually nothing about the cams ... there's some RAM at 0x0, ROM starts at 0xff81000. There's some I/O at 0xc0000000, and 0x40000000 smells like DMA. I found stderr/stdout, so we get some cute core dumps in the console ;)

However, qemu is a nice toolbox so I set up a simple ARM board. No SD-Card, no USB, no VGA output ... yet.

I'll post the files in the forum (http://chdk.setepontos.com/index.php/topic,1918.0.html), because this wiki is not that comfortable for exchanging code pieces.

Prerequisites

  • Gpl_Disassembling
  • have a raw firmware dump and an elf packed version of it. I use ixus860is.dump and ixus860is_dump.elf here.
  • download qemu source
    I simply typed 'apt-get source qemu' and got 0.9.1 here.
  • apply the patch (http://chdk.setepontos.com/index.php?action=dlattach;topic=1918.0;attach=1822)
  • make

We can run qemu from builddir so no need for make install:

./arm-softmmu/qemu-system-arm -M help

./arm-softmmu/qemu-system-arm -nographic -s -S -m 128 -M ixus -option-rom ../ixus860is.dump README

This starts qemu without starting the CPU and waits for the debugger. The "README" is just a dummy file to make qemu's parseopts happy.

Next, let's start the debugger. I set up a little startup file "gdbopts":

target remote localhost:1234
set language asm
layout asm
layout regs
focus cmd

arm-linux-gnu-gdb -x gdbopts

STOP: How to setup arm-linux-gnu-gdb?

Hint:

(ctrl-x a) switches to cmd mode
(ctrl-x 2) three times to get back to the asm/regs view
(ctrl-x o) to cycle between windows

We are almost ready for takeoff. But gdb needs at least 2 symbols to operate as intended: rom_start and rom_end. Here comes the elf file:

(gdb) symbol-file ixus860is_dump.elf

So, now you should have this:

+--Register group: general---------------------------------------------------------+
|r0             0x0      0                                                         |
|r1             0x0      0                                                         |
|r2             0x0      0                                                         |
|r3             0x0      0                                                         |
|r4             0x0      0                                                         |
|r5             0x0      0                                                         |
|r6             0x0      0                                                         |
   +-------------------------------------------------------------------------------+
  >|0xff810000 <_binary_ixus860is_dump_start>       b      0xff81000c <_binary_ixus|
   |0xff810004 <_binary_ixus860is_dump_start+4>     powvsez        f6, f7, f7      |
   |0xff810008 <_binary_ixus860is_dump_start+8>     stmvcdb        pc!, {r0, r3, r5|
   |0xff81000c <_binary_ixus860is_dump_start+12>    ldr    r1, [pc, #336]  ; 0xff81|
   |0xff810010 <_binary_ixus860is_dump_start+16>    mov    r0, #0  ; 0x0           |
   |0xff810014 <_binary_ixus860is_dump_start+20>    str    r0, [r1]                |
   |0xff810018 <_binary_ixus860is_dump_start+24>    mov    r1, #120        ; 0x78  |
   +-------------------------------------------------------------------------------+
Focus set to CMD window.
(gdb) symbol-file ixus860is_dump.elf
Reading symbols from /home/chris/ixus/ixus860is_dump.elf...(no debugging symbols fou
nd)...done.
(gdb)

Use 'ni' or 'si' to execute step by step, or 'c' to continue. Actually this will brick qemu. I found a lot of coprocessor 15 (cp15) instructions at the beginning (my first guess was that this is the DIGIC unit; nope, it's about setting up TCM, which qemu doesn't support yet. There is some information about the cam's CPU in the forum: http://chdk.setepontos.com/index.php/topic,2139.msg19794.html#msg19794). Most seem to be harmless except

ff810098:   ee010f10    mcr 15, 0, r0, cr1, cr0, {0}
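Decoding those cp15 accesses by hand is tedious, so here is an added example (my code, not the author's or CHDK's) that scans a little-endian ARM image for MCR/MRC instructions aimed at coprocessor 15, prints them in the same layout as the objdump line above, and produces a copy with chosen ones replaced by the nop pattern (mov r0, r0) that the dump at address 0 uses. The firmware image is a constructed stand-in, not a real dump; the register names in CP15_NAMES are my annotation for ARM9-family cp15 numbering and are not something the page states.

```python
import struct

ROM_BASE = 0xFF810000   # ROM start as seen in the gdb session on this page
NOP = 0xE1A00000        # mov r0, r0: the nop pattern gdb showed at address 0

# Register names for a few CP15 slots (ARM9-family numbering; which exact core
# the camera uses is not claimed here)
CP15_NAMES = {
    (0, 0, 0): "ID code register",
    (1, 0, 0): "control register (cache/MMU/TCM enable bits)",
    (9, 1, 0): "data TCM region register",
    (9, 1, 1): "instruction TCM region register",
}

def decode_cp15(word):
    """Decode a 32-bit ARM word as MCR/MRC to coprocessor 15; None otherwise.

    Encoding: cond[31:28] 1110[27:24] opc1[23:21] L[20] CRn[19:16] Rt[15:12]
              coproc[11:8] opc2[7:5] 1[4] CRm[3:0]   (L=1 means MRC, a read)
    """
    if (word >> 28) == 0xF:               # unconditional space: not MCR/MRC
        return None
    if (word >> 24) & 0xF != 0xE or not (word >> 4) & 1:
        return None
    if (word >> 8) & 0xF != 15:           # another coprocessor, not cp15
        return None
    crn, crm, opc2 = (word >> 16) & 0xF, word & 0xF, (word >> 5) & 7
    return {
        "mnemonic": "mrc" if (word >> 20) & 1 else "mcr",
        "opc1": (word >> 21) & 7,
        "rt": (word >> 12) & 0xF,
        "crn": crn, "crm": crm, "opc2": opc2,
        "name": CP15_NAMES.get((crn, crm, opc2), "unknown"),
    }

def scan_cp15(image, base=ROM_BASE):
    """List every CP15 access in a little-endian ARM image, with addresses."""
    hits = []
    for off in range(0, len(image) - 3, 4):
        word = struct.unpack_from("<I", image, off)[0]
        d = decode_cp15(word)
        if d is not None:
            d.update(addr=base + off, word=word)
            hits.append(d)
    return hits

def format_hit(h):
    """Same layout objdump used for the instruction quoted on the page."""
    return "%08x: %08x %s 15, %d, r%d, cr%d, cr%d, {%d}  ; %s" % (
        h["addr"], h["word"], h["mnemonic"], h["opc1"], h["rt"],
        h["crn"], h["crm"], h["opc2"], h["name"])

def nop_out(image, addrs, base=ROM_BASE):
    """Return a copy of the image with the instructions at addrs replaced by nop."""
    patched = bytearray(image)
    for a in addrs:
        struct.pack_into("<I", patched, a - base, NOP)
    return bytes(patched)

# Constructed sample image (NOT a real dump): nops up to offset 0x98, then the
# control-register write from the page, a TCM region write, an ID read, a nop
# and a data word that must not be mistaken for an instruction.
SAMPLE_IMAGE = struct.pack("<38I", *([NOP] * 38)) + struct.pack(
    "<6I", 0xEE010F10, 0xE59FF014, 0xEE090F11, 0xEE100F10, 0xE1A00000, 0xFF810468)

if __name__ == "__main__":
    hits = scan_cp15(SAMPLE_IMAGE)
    for h in hits:
        print(format_hit(h))
    writes = [h["addr"] for h in hits if h["mnemonic"] == "mcr"]
    patched = nop_out(SAMPLE_IMAGE, writes)
    print("nop-patched %d write(s); %d CP15 access(es) remain" % (
        len(writes), len(scan_cp15(patched))))
```

Run it on a real dump by replacing SAMPLE_IMAGE with the file's bytes; reads (mrc) are usually safe to leave, it is the writes to the control and TCM registers that trip an emulator without TCM support.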

I manually patched them away. But finally it runs through and gets stuck in an endless loop (around 0xff8150e0), I guess waiting for the hardware to come up. But it's setup stuff! Press ctrl-c and have a look:

(gdb) x/12x 0
0x0:    0xe1a00000      0xe59ff014      0xe59ff014      0xe59ff014
0x10:   0xe59ff014      0xe1a00000      0xe59ff010      0xe59ff010
0x20:   0xff810468      0xff8104d8      0xff81047c      0xff810494
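How one reads 0xff810468 off that dump, as an added example (my code, not the page's): each slot of the ARM exception vector table at address 0 is a nop, a `b` to the handler, or `ldr pc, [pc, #imm]`, which loads the handler address from a literal pool, here the words at 0x20..0x2c. The twelve words embedded below are exactly the ones gdb printed above; the decoder handles all three vector forms, which is slightly more general than this dump needs.

```python
import struct

VECTOR_NAMES = ["reset", "undefined instruction", "software interrupt",
                "prefetch abort", "data abort", "reserved", "IRQ", "FIQ"]
NOP = 0xE1A00000   # mov r0, r0

# The 12 words gdb printed with `x/12x 0` in the session above, little-endian
DUMP_AT_0 = struct.pack("<12I",
    0xe1a00000, 0xe59ff014, 0xe59ff014, 0xe59ff014,
    0xe59ff014, 0xe1a00000, 0xe59ff010, 0xe59ff010,
    0xff810468, 0xff8104d8, 0xff81047c, 0xff810494)

def read_word(mem, addr, base=0):
    """Little-endian word at addr, or None when addr lies outside the dump."""
    off = addr - base
    if off < 0 or off + 4 > len(mem):
        return None
    return struct.unpack_from("<I", mem, off)[0]

def vector_target(mem, addr, base=0):
    """Follow one vector slot; returns (description, handler address or None)."""
    word = read_word(mem, addr, base)
    if word is None:
        return ("outside dump", None)
    if word == NOP:
        return ("nop (falls through to the next slot)", None)
    cond = word >> 28
    # ldr pc, [pc, #+/-imm12]: bits 27:25 = 010, I=0 P=1 B=0 W=0 L=1, Rn = Rt = pc;
    # bit 23 (U) picks the sign. The literal sits at addr + 8 (pipeline) +/- imm.
    if cond != 0xF and (word & 0x0F7FF000) == 0x051FF000:
        imm = word & 0xFFF
        literal = addr + 8 + (imm if word & (1 << 23) else -imm)
        return ("ldr pc, [pc, #%#x] -> literal at %#x" % (imm, literal),
                read_word(mem, literal, base))
    # b target: bits 27:24 = 1010, signed imm24 in words, relative to addr + 8
    if cond != 0xF and (word & 0x0F000000) == 0x0A000000:
        imm24 = word & 0xFFFFFF
        if imm24 & 0x800000:
            imm24 -= 1 << 24
        return ("branch", (addr + 8 + (imm24 << 2)) & 0xFFFFFFFF)
    return ("unrecognised %#010x" % word, None)

def decode_vectors(mem, base=0):
    """Map each of the eight vector names to (description, handler or None)."""
    return {name: vector_target(mem, base + 4 * i, base)
            for i, name in enumerate(VECTOR_NAMES)}

def handlers(mem, base=0):
    """Just the resolved handler addresses, by vector name."""
    return {name: h for name, (_, h) in decode_vectors(mem, base).items()}

if __name__ == "__main__":
    for name, (how, h) in decode_vectors(DUMP_AT_0).items():
        print("%-22s %-44s %s" % (name, how, "0x%08x" % h if h is not None else "-"))
```

With this dump the reset slot is a nop that falls straight into the undefined-instruction slot, whose `ldr pc, [pc, #0x14]` resolves to the word at 0x20, 0xff810468; the IRQ and FIQ literals live at 0x30 and 0x34, beyond the twelve words shown, so they come back as None until more memory is dumped.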

Panic

Ok, 0xff810468 is the reset/illegal instruction handler. Let's jump there:

j *0xff810468

Look at qemu console:

< Error Exception >
TYPE : undefined
ISR  : FALSE
TASK ID   : 917508
TASK Name : ClockSave
R 0  : 00000001
R 1  : ff8150cc
R 2  : 19980218
R 3  : 19980218
R 4  : 00001998
R 5  : c0400000
R 6  : 40000000
R 7  : 19980218
R 8  : 19980218
R 9  : 19980218
R10  : 19980218
R11  : 19980218
R12  : 19980218
R13  : 0000febc
R14  : ff8163a0
PC   : ff8163a0
CPSR : 00000093
ctrl-c
j *0xff810468
(qemu) < Error Exception >
TYPE : undefined
ISR  : FALSE
TASK ID   : 65537
TASK Name : idle
R 0  : 19980218
R 1  : 19980218
R 2  : 19980218
R 3  : 19980218
R 4  : 00000013
R 5  : 19980218
R 6  : 19980218
R 7  : 19980218
R 8  : 19980218
R 9  : 19980218
R10  : 19980218
R11  : 19980218
R12  : ffff8002
R13  : 0000febc
R14  : ff8160ec
PC   : ff8160ec
CPSR : 60000093
DRYOS PANIC: Module Code = 1, Panic Code = 2

cute !!!!!!
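Reading those DryOS exception dumps, as an added example (my code, not DryOS's or the page's): the parser picks the task, registers, PC, CPSR and panic codes out of the console text quoted above (the second dump is embedded verbatim as the sample input) and decodes the CPSR into processor mode, interrupt mask bits and condition flags. The mode and flag bit positions are the standard ARM CPSR layout; nothing about DryOS internals is assumed.

```python
import re

# Second "< Error Exception >" dump from the qemu console on this page, verbatim
PANIC_TEXT = """\
< Error Exception >
TYPE : undefined
ISR  : FALSE
TASK ID   : 65537
TASK Name : idle
R 0  : 19980218
R 1  : 19980218
R 2  : 19980218
R 3  : 19980218
R 4  : 00000013
R 5  : 19980218
R 6  : 19980218
R 7  : 19980218
R 8  : 19980218
R 9  : 19980218
R10  : 19980218
R11  : 19980218
R12  : ffff8002
R13  : 0000febc
R14  : ff8160ec
PC   : ff8160ec
CPSR : 60000093
DRYOS PANIC: Module Code = 1, Panic Code = 2
"""

# ARM CPSR mode field (bits 4:0); standard ARM layout, nothing DryOS-specific
MODES = {0x10: "USR", 0x11: "FIQ", 0x12: "IRQ", 0x13: "SVC",
         0x17: "ABT", 0x1B: "UND", 0x1F: "SYS"}

def parse_panic(text):
    """Pull task info, registers, PC, CPSR and the panic codes out of the dump."""
    info = {"regs": {}}
    for line in text.splitlines():
        m = re.match(r"\s*R\s*(\d+)\s*:\s*([0-9a-fA-F]{8})\s*$", line)
        if m:
            info["regs"][int(m.group(1))] = int(m.group(2), 16)
            continue
        m = re.match(r"\s*(TYPE|ISR|TASK ID|TASK Name|PC|CPSR)\s*:\s*(\S.*)", line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            info[key] = int(val, 16) if key in ("PC", "CPSR") else val
            continue
        m = re.match(r"\s*DRYOS PANIC: Module Code = (\d+), Panic Code = (\d+)", line)
        if m:
            info["module_code"], info["panic_code"] = int(m.group(1)), int(m.group(2))
    return info

def decode_cpsr(cpsr):
    """Split a CPSR value into mode, interrupt masks, Thumb bit and NZCV flags."""
    flags = "".join(f if cpsr & bit else "-" for f, bit in
                    (("N", 1 << 31), ("Z", 1 << 30), ("C", 1 << 29), ("V", 1 << 28)))
    return {"mode": MODES.get(cpsr & 0x1F, "?"),
            "irq_masked": bool(cpsr & 0x80),
            "fiq_masked": bool(cpsr & 0x40),
            "thumb": bool(cpsr & 0x20),
            "flags": flags}

def summarize(text):
    """One-line reading of a dump: where it faulted, in which task and mode."""
    p = parse_panic(text)
    c = decode_cpsr(p["CPSR"])
    values = list(p["regs"].values())
    fill = max(set(values), key=values.count)      # most common register value
    return ("%s in task %r at pc=0x%08x lr=0x%08x sp=0x%08x, mode %s, irq %s, flags %s; "
            "%d of %d registers still hold 0x%08x" % (
                p["TYPE"], p["TASK Name"], p["PC"], p["regs"][14], p["regs"][13],
                c["mode"], "masked" if c["irq_masked"] else "enabled", c["flags"],
                values.count(fill), len(values), fill))

if __name__ == "__main__":
    print(summarize(PANIC_TEXT))
```

For both dumps on the page the CPSR ends in 0x93: SVC mode with IRQs masked, which is what you expect inside an exception handler; the second one additionally carries Z and C set. The repeated 0x19980218 in most registers is reported as a count only; what DryOS fills registers with at task creation is not something the page explains.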

More fun? Go to the forum: http://chdk.setepontos.com/index.php/topic,1918.msg17501.html#msg17501