Magic Lantern Firmware Wiki


gdb stepping through boot code

Emulating the Canon 7D or 5D Mark II requires qemu to simulate the system and either arm-elf-gdb or IDA Pro to step through it.

qemu

Configuring qemu 0.11

Download the patch file, patches/qemu-0.11.patch. The patch files will soon be updated to use the hardware name canon, but for now they are based on the CHDK patches for the ixus platform.

patch -p1 < patches/qemu-0.11.patch
./configure \
 --disable-werror \

Running qemu

(For flasher code)

QEMU_LOAD=0x800120 QEMU_ENTRY=0x800120 \
./arm-softmmu/qemu-system-arm \
   -s \
   -S \
   -nographic \
   -m 1024 \
   -M ixus \
   -option-rom ~/build/5d/7d000110/flasher_payload.bin \

Be careful of this QEMU bug under Windows 7:

here is my patch against 0.12.5 (in gdbstub.c):

//                     "%s,nowait,nodelay,server", device);

IDA Pro

Select Debugger - Process Options and set the hostname to localhost and the port to 1234 to contact qemu running on the same machine. Then select Debugger - Continue Process to run the firmware until it enters the infinite loop at 0x8009f4.

ELF files are not required.

GDB

Configuring arm-elf-gdb

I built with gdb-7.0.

./configure \
   --disable-werror \
   --target arm-elf
make && sudo make install

Generating ELF files from ROM dumps

remake-elf builds an ELF file from a binary dump and an IDA map file:

./remake-elf \
  -o flasher.elf \
  -b 0x80000 \
  --relative \
  flasher.bin \

Depending on the segment number in IDA, you might need to modify the regex to extract symbols from the correct segment.
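The remake-elf step wraps a raw dump in an ELF so that gdb's symbol-file can attach names to addresses. The Python below is an added example, not remake-elf itself or any Magic Lantern code: it pulls the publics of one IDA segment out of a map file (the regex the paragraph above says you may have to adjust) and writes a minimal ELF32 with an ARM symbol table. The IDA map text is constructed, and the base address 0x800000 used in the comments is an assumption chosen so that offset 0x9F4 lands on the page's 0x8009f4.

```python
import re, struct

# Constructed stand-in for an IDA .map file; not a dump from the wiki.
IDA_MAP = """\
  Address         Publics by Value

 0001:00000120       flasher_entry
 0001:000009F4       infinite_loop
 0002:00000040       sram_var
"""

def parse_ida_map(text, segment=1):
    """Return {name: offset} for the publics listed under one IDA segment number."""
    pat = re.compile(r"^\s*%04X:([0-9A-Fa-f]{8})\s+(\S+)\s*$" % segment, re.M)
    return {name: int(off, 16) for off, name in pat.findall(text)}

def build_elf(code, base, symbols, relative=True):
    """Wrap a raw ARM dump in a minimal ELF32: one .text section plus a symbol table."""
    names, symtab = b"\0", bytes(16)        # .strtab and .symtab both begin with a null entry
    for name, addr in sorted(symbols.items(), key=lambda kv: kv[1]):
        addr += base if relative else 0     # --relative: map offsets are relative to the -b base
        symtab += struct.pack("<IIIBBH", len(names), addr, 0, 0x12, 0, 1)  # GLOBAL FUNC in .text
        names += name.encode() + b"\0"
    shstr = b"\0.text\0.symtab\0.strtab\0.shstrtab\0"
    body, off, offsets = b"", 52, []
    for blob in (code, symtab, names, shstr):  # lay blobs out 4-byte aligned after the ELF header
        pad = (-off) % 4
        body += bytes(pad) + blob
        offsets.append(off + pad)
        off += pad + len(blob)
    shoff = off + (-off) % 4
    body += bytes(shoff - off)
    # fields: name, type, flags, addr, offset, size, link, info, addralign, entsize
    shdrs = [(0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
             (1, 1, 6, base, offsets[0], len(code), 0, 0, 4, 0),   # .text: PROGBITS, ALLOC|EXECINSTR
             (7, 2, 0, 0, offsets[1], len(symtab), 3, 1, 4, 16),   # .symtab: link=.strtab, info=first global
             (15, 3, 0, 0, offsets[2], len(names), 0, 0, 1, 0),    # .strtab
             (23, 3, 0, 0, offsets[3], len(shstr), 0, 0, 1, 0)]    # .shstrtab
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01" + bytes(9),
                       2, 40, 1, base, 0, shoff, 0, 52, 0, 0, 40, len(shdrs), 4)  # ET_EXEC, EM_ARM
    return ehdr + body + b"".join(struct.pack("<10I", *s) for s in shdrs)

def read_symbols(elf):
    """Walk the section headers back to {name: address} as a self-check of the layout."""
    shoff, shnum = struct.unpack_from("<I12xH", elf, 32)
    shdrs = [struct.unpack_from("<10I", elf, shoff + 40 * i) for i in range(shnum)]
    symtab = next(s for s in shdrs if s[1] == 2)
    strtab_off = shdrs[symtab[6]][4]
    out = {}
    for i in range(1, symtab[5] // 16):
        st_name, st_value = struct.unpack_from("<II", elf, symtab[4] + 16 * i)
        out[elf[strtab_off + st_name:elf.index(b"\0", strtab_off + st_name)].decode()] = st_value
    return out
```

Write the result of build_elf to a file and load it with symbol-file in the gdbopts below; readelf -s on it shows the same names read_symbols returns.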

gdbopts file:

target remote localhost:1234
set language asm
layout asm
layout regs
focus cmd
symbol-file flasher.elf
# Break if we enter the infinite loop of death
br *0x8009f4

flasher-script file:

echo Jumping to firmware updater
set $pc = 0x80a294
set $r0 = 0xb00000
set $r1 = 0x22e100

# problem?
br *0x846744

Run gdb:

arm-elf-gdb -x gdbopts
