Magic Lantern Firmware Wiki

Emulation

[Image: gdb stepping through boot code]

Emulating the Canon 7D or 5D Mark II requires qemu to simulate the system and either arm-elf-gdb or IDA Pro to step through it.

qemu

Configuring qemu 0.11

Download the patch file, patches/qemu-0.11.patch. The patch files will soon be updated to use the machine name canon, but for now they are based on the CHDK patches for the ixus platform (which is why qemu is started with -M ixus below).

patch -p1 < patches/qemu-0.11.patch
./configure \
 --disable-werror \
 --target-list=arm-softmmu

Running qemu

(for flasher code)

QEMU_LOAD=0x800120 QEMU_ENTRY=0x800120 \
./arm-softmmu/qemu-system-arm \
   -s \
   -S \
   -nographic \
   -m 1024 \
   -M ixus \
   -option-rom ~/build/5d/7d000110/flasher_payload.bin \
   /dev/null

Be careful of this QEMU bug under Windows 7: http://developer.symbian.org/bugs/show_bug.cgi?id=3671

Here is my patch against 0.12.5 (in gdbstub.c):

//                     "%s,nowait,nodelay,server", device);
                     "tcp:127.0.0.1:1234,nowait,nodelay,server");

IDA Pro

Select Debugger - Process Options and set the hostname to localhost and the port to 1234 (the port qemu's -s option listens on) to contact qemu running on the same machine. Then select Debugger - Continue Process to run the firmware until it enters the infinite loop at 0x8009f4.

ELF files are not required.

GDB

Configuring arm-elf-gdb

I built with gdb-7.0.

./configure \
   --disable-werror \
   --target arm-elf
make && sudo make install

Generating ELF files from ROM dumps

remake-elf builds an ELF file from a binary dump and an IDA map file:

./remake-elf \
  -o flasher.elf \
  -b 0x80000 \
  --relative \
  flasher.bin \
  flasher.map

Depending on the segment number IDA assigned to the ROM, you might need to modify remake-elf's regex so that it extracts symbols from the correct segment.

gdbopts file:

target remote localhost:1234
set language asm
layout asm
layout regs
focus cmd
symbol-file flasher.elf
# Break if we enter the infinite loop of death
br *0x8009f4

flasher-script file:

echo Jumping to firmware updater
set $pc = 0x80a294
set $r0 = 0xb00000
set $r1 = 0x22e100

# problem?
br *0x846744

Run gdb:

arm-elf-gdb -x gdbopts
