Run cam's firmware in qemu
Any comments are welcome! Post here.
QEMU is a processor emulator that relies on dynamic binary translation to achieve a reasonable speed while being easy to port to new host CPU architectures. In conjunction with CPU emulation, it also provides a set of device models (ARM included!), allowing it to run a variety of unmodified guest operating systems, thus it can be viewed as a hosted virtual machine monitor.
Mh, why not run the firmware dump with that? ;)
Status
I know virtually nothing about the cams ... there's some RAM at 0x0, ROM starts at 0xff810000. There's some I/O at 0xc0000000, and 0x40000000 smells like DMA. I found stderr/stdout, so we get some cute core dumps in the console ;)
However, qemu is a nice toolbox, so I set up a simple ARM board. No SD card, no USB, no VGA output ... yet.
I'll post the files in the forum, because this wiki is not that comfortable for exchanging code pieces.
Prerequisites
- Gpl_Disassembling
- have a raw firmware dump and an ELF-packed version of it. I use ixus860is.dump and ixus860is_dump.elf here.
- download qemu source
- I simply typed 'apt-get source qemu' and got 0.9.1 here.
- apply patch
- make
We can run qemu from the build dir, so there is no need for make install:

./arm-softmmu/qemu-system-arm -M help
./arm-softmmu/qemu-system-arm -nographic -s -S -m 128 -M ixus -option-rom ../ixus860is.dump README
This starts qemu without starting the CPU and waits for the debugger. The "README" is just a dummy file to make qemu's parseopts happy.
Next, let's start the debugger. I set up a little startup file "gdbopts":

target remote localhost:1234
set language asm
layout asm
layout regs
focus cmd
arm-linux-gnu-gdb -x gdbopts
Hint:

(ctrl-x a) switches to cmd mode
(ctrl-x 2) 3 times back to asm/reg view
(ctrl-x o) to cycle between windows
We are almost ready for takeoff. But gdb needs at least 2 symbols to operate as intended: rom_start and rom_end. Here comes the ELF file:
(gdb) symbol-file ixus860is_dump.elf
So, now you should have this:

+--Register group: general------------------------------------------------------+
|r0             0x0      0                                                      |
|r1             0x0      0                                                      |
|r2             0x0      0                                                      |
|r3             0x0      0                                                      |
|r4             0x0      0                                                      |
|r5             0x0      0                                                      |
|r6             0x0      0                                                      |
+-------------------------------------------------------------------------------+
>|0xff810000 <_binary_ixus860is_dump_start>     b       0xff81000c <_binary_ixus|
 |0xff810004 <_binary_ixus860is_dump_start+4>   powvsez f6, f7, f7             |
 |0xff810008 <_binary_ixus860is_dump_start+8>   stmvcdb pc!, {r0, r3, r5       |
 |0xff81000c <_binary_ixus860is_dump_start+12>  ldr     r1, [pc, #336] ; 0xff81|
 |0xff810010 <_binary_ixus860is_dump_start+16>  mov     r0, #0         ; 0x0   |
 |0xff810014 <_binary_ixus860is_dump_start+20>  str     r0, [r1]               |
 |0xff810018 <_binary_ixus860is_dump_start+24>  mov     r1, #120       ; 0x78  |
+-------------------------------------------------------------------------------+
Focus set to CMD window.
(gdb) symbol-file ixus860is_dump.elf
Reading symbols from /home/chris/ixus/ixus860is_dump.elf...(no debugging symbols found)...done.
(gdb)
Use 'ni' or 'si' to execute step by step, or 'c' to continue. Actually, this will brick qemu. I found a lot of coprocessor 15 (cp15) instructions at the beginning (guess: it's the DIGIC unit). Most seem to be harmless, except
ff810098: ee010f10 mcr 15, 0, r0, cr1, cr0, {0}
I manually patched them away. But finally it runs through and gets stuck in an endless loop (around 0xff8150e0). I guess it's waiting for the hardware to come up. But it's setup stuff! Press ctrl-c and have a look:

(gdb) x/12x 0
0x0:    0xe1a00000  0xe59ff014  0xe59ff014  0xe59ff014
0x10:   0xe59ff014  0xe1a00000  0xe59ff010  0xe59ff010
0x20:   0xff810468  0xff8104d8  0xff81047c  0xff810494
OK, 0xff810468 is the reset/illegal-instruction vector. Let's jump there:
j *0xff810468
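How the "x/12x 0" dump resolves to 0xff810468, worked through in code. This is an added example and not part of the original page: the twelve words are copied from the gdb output above, the vector names are the standard ARM exception vector layout, and the decoder only handles the two instruction forms that appear in the dump (a "mov r0, r0" nop and "ldr pc, [pc, #imm]"). It goes slightly beyond the text by resolving every vector, not just the first one.

```python
# Added example, not from the original wiki page: decode the ARM exception
# vector table from the "x/12x 0" dump. It reproduces the conclusion in the
# text that 0xff810468 is the reset/undefined-instruction handler and
# resolves the other vectors the same way.

# The 12 words at 0x0..0x2c, copied from the gdb output on the page.
VECTOR_DUMP_WORDS = [
    0xe1a00000, 0xe59ff014, 0xe59ff014, 0xe59ff014,   # 0x00 .. 0x0c
    0xe59ff014, 0xe1a00000, 0xe59ff010, 0xe59ff010,   # 0x10 .. 0x1c
    0xff810468, 0xff8104d8, 0xff81047c, 0xff810494,   # 0x20 .. 0x2c (literal pool)
]

# Standard ARM (classic, pre-v7M) exception vectors, offsets from the vector base.
VECTOR_NAMES = {
    0x00: "reset",
    0x04: "undefined instruction",
    0x08: "software interrupt (SWI)",
    0x0c: "prefetch abort",
    0x10: "data abort",
    0x14: "reserved",
    0x18: "IRQ",
    0x1c: "FIQ",
}

NOP_MOV_R0_R0 = 0xe1a00000   # "mov r0, r0", the classic ARM nop


def ldr_pc_literal_address(word, addr):
    """Return the literal-pool address read by `ldr pc, [pc, #imm12]` when the
    instruction sits at `addr`, or None if `word` is not that instruction.
    Encoding: cond=AL, LDR immediate, P=1, U=1, Rn=pc, Rt=pc -> 0xe59ff000 | imm12.
    In ARM state the PC value seen by the instruction is its own address + 8."""
    if (word & 0xfffff000) != 0xe59ff000:
        return None
    return addr + 8 + (word & 0xfff)


def handler_for(words, vector_offset, base=0):
    """Address execution reaches when the CPU takes the vector at `vector_offset`.
    A nop falls through to the next vector; an `ldr pc` jumps to the word it
    loads from the literal pool. Returns None if the pool entry is outside the dump."""
    mem = {base + 4 * i: w for i, w in enumerate(words)}
    addr = base + vector_offset
    while True:
        word = mem.get(addr)
        if word is None:
            return None
        literal = ldr_pc_literal_address(word, addr)
        if literal is not None:
            return mem.get(literal)          # None when the dump is too short
        if word == NOP_MOV_R0_R0:
            addr += 4                        # fall through to the next vector
            continue
        return None                          # an instruction this toy does not decode


def decode_vector_table(words, base=0):
    """Map each vector name to its resolved handler address (or None)."""
    return {name: handler_for(words, off, base) for off, name in VECTOR_NAMES.items()}


if __name__ == "__main__":
    for name, target in decode_vector_table(VECTOR_DUMP_WORDS).items():
        print("%-26s -> %s" % (name, "not in dump" if target is None else "%#010x" % target))
```

The reset vector at 0x0 is a nop, so a reset falls straight into the undefined-instruction vector at 0x4, which is why both end up at 0xff810468; IRQ and FIQ load their targets from 0x30 and 0x34, beyond the twelve words dumped, so a longer "x/16x 0" would be needed to resolve them.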
Look at the qemu console:

< Error Exception >
TYPE : undefined
ISR : FALSE
TASK ID : 917508
TASK Name : ClockSave
R 0 : 00000001 R 1 : ff8150cc R 2 : 19980218 R 3 : 19980218
R 4 : 00001998 R 5 : c0400000 R 6 : 40000000 R 7 : 19980218
R 8 : 19980218 R 9 : 19980218 R10 : 19980218 R11 : 19980218
R12 : 19980218 R13 : 0000febc R14 : ff8163a0
PC : ff8163a0
CPSR : 00000093
ctrl-c
j *0xff810468

(qemu)
< Error Exception >
TYPE : undefined
ISR : FALSE
TASK ID : 65537
TASK Name : idle
R 0 : 19980218 R 1 : 19980218 R 2 : 19980218 R 3 : 19980218
R 4 : 00000013 R 5 : 19980218 R 6 : 19980218 R 7 : 19980218
R 8 : 19980218 R 9 : 19980218 R10 : 19980218 R11 : 19980218
R12 : ffff8002 R13 : 0000febc R14 : ff8160ec
PC : ff8160ec
CPSR : 60000093
DRYOS PANIC: Module Code = 1, Panic Code = 2
cute !!!!!!
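To get more out of those console dumps than a wall of hex, here is a small parser for the "< Error Exception >" block together with a CPSR decoder. This is an added example, not code from the page or from the qemu patch; the sample dump is the second one from the text with its fields laid out one per line (the exact line breaks of the console output are not preserved on the page), and the CPSR bit layout is the standard ARM one.

```python
# Added example, not from the original wiki page: parse a DryOS
# "< Error Exception >" console dump and decode the CPSR so the crash state
# can be read at a glance.
import re

# Constructed sample: the second dump from the text, reflowed one field per
# line. Register values are exactly those printed on the page.
SAMPLE_DUMP = """\
< Error Exception >
TYPE : undefined
ISR : FALSE
TASK ID : 65537
TASK Name : idle
R 0 : 19980218 R 1 : 19980218 R 2 : 19980218 R 3 : 19980218
R 4 : 00000013 R 5 : 19980218 R 6 : 19980218 R 7 : 19980218
R 8 : 19980218 R 9 : 19980218 R10 : 19980218 R11 : 19980218
R12 : ffff8002 R13 : 0000febc R14 : ff8160ec
PC : ff8160ec
CPSR : 60000093
DRYOS PANIC: Module Code = 1, Panic Code = 2
"""

# ARM processor modes encoded in CPSR bits [4:0].
ARM_MODES = {0x10: "USR", 0x11: "FIQ", 0x12: "IRQ", 0x13: "SVC",
             0x17: "ABT", 0x1b: "UND", 0x1f: "SYS"}


def decode_cpsr(cpsr):
    """Split a CPSR value into condition flags, interrupt masks, Thumb bit and mode."""
    return {
        "N": bool(cpsr & (1 << 31)),
        "Z": bool(cpsr & (1 << 30)),
        "C": bool(cpsr & (1 << 29)),
        "V": bool(cpsr & (1 << 28)),
        "irq_masked": bool(cpsr & (1 << 7)),   # I bit
        "fiq_masked": bool(cpsr & (1 << 6)),   # F bit
        "thumb": bool(cpsr & (1 << 5)),        # T bit
        "mode": ARM_MODES.get(cpsr & 0x1f, "unknown"),
    }


def _text_field(key, text):
    """Value after 'KEY :' as a string, or None when the field is absent."""
    m = re.search(r"%s\s*:\s*(\S+)" % re.escape(key), text)
    return m.group(1) if m else None


def parse_exception_dump(text):
    """Return a dict with exception type, task, registers, decoded CPSR and the
    DryOS panic codes from one console dump. Raises ValueError without a CPSR."""
    info = {
        "type": _text_field("TYPE", text),
        "isr": _text_field("ISR", text),
        "task_id": _text_field("TASK ID", text),
        "task_name": _text_field("TASK Name", text),
    }
    # General registers: "R 0 : xxxxxxxx" .. "R14 : xxxxxxxx". The \b keeps
    # the R of "CPSR" and "ISR" from matching.
    info["regs"] = {int(n): int(v, 16)
                    for n, v in re.findall(r"\bR\s*(\d{1,2})\s*:\s*([0-9a-fA-F]{8})", text)}
    m = re.search(r"\bPC\s*:\s*([0-9a-fA-F]{8})", text)
    info["pc"] = int(m.group(1), 16) if m else None
    m = re.search(r"\bCPSR\s*:\s*([0-9a-fA-F]{8})", text)
    if not m:
        raise ValueError("no CPSR field in dump")
    info["cpsr_raw"] = int(m.group(1), 16)
    info["cpsr"] = decode_cpsr(info["cpsr_raw"])
    m = re.search(r"Module Code\s*=\s*(\d+),\s*Panic Code\s*=\s*(\d+)", text)
    info["panic"] = (int(m.group(1)), int(m.group(2))) if m else None
    # In both dumps on the page PC equals R14 (lr); flag it for the reader.
    info["pc_equals_lr"] = info["pc"] is not None and info["pc"] == info["regs"].get(14)
    return info


if __name__ == "__main__":
    parsed = parse_exception_dump(SAMPLE_DUMP)
    print("%s in task %r, pc=%#010x, mode=%s, irq masked=%s, panic=%s" % (
        parsed["type"], parsed["task_name"], parsed["pc"],
        parsed["cpsr"]["mode"], parsed["cpsr"]["irq_masked"], parsed["panic"]))
```

For the sample, CPSR 60000093 decodes to SVC mode with IRQs masked and the Z and C flags set; the first dump's 00000093 is the same mode and mask with no flags set. Dumps from other cameras or DryOS versions may lay the fields out differently, so the regular expressions are deliberately tolerant of spacing.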
More fun? Go to the forum.