Magic Lantern Firmware Wiki
Gdb

gdb stepping through boot code

Emulating the Canon 7D or 5D Mark II requires qemu to simulate the system and either arm-elf-gdb or IDA Pro to step through it.

qemu

Configuring qemu 0.11

Download the patch file, patches/qemu-0.11.patch. The patch will eventually be updated to use the machine name canon, but for now it is based on the CHDK patches for the ixus platform, which is why the qemu command line below uses -M ixus.

patch -p1 < patches/qemu-0.11.patch
./configure \
 --disable-werror \
 --target-list=arm-softmmu

Running qemu

(For flasher code)

QEMU_LOAD=0x800120 QEMU_ENTRY=0x800120 \
./arm-softmmu/qemu-system-arm \
   -s \
   -S \
   -nographic \
   -m 1024 \
   -M ixus \
   -option-rom ~/build/5d/7d000110/flasher_payload.bin \
   /dev/null

Be careful of this QEMU bug under Windows 7 (the gdb stub fails to bind its listening socket): http://developer.symbian.org/bugs/show_bug.cgi?id=3671

Here is my patch against 0.12.5 (in gdbstub.c):

//                     "%s,nowait,nodelay,server", device);
                     "tcp:127.0.0.1:1234,nowait,nodelay,server");

IDA Pro

Select Debugger - Process Options and set the hostname to localhost and the port to 1234 to contact qemu running on the same machine (the port qemu's -s option listens on). Then select Debugger - Continue Process to run the firmware until it enters the infinite loop at 0x8009f4.

ELF files are not required.

GDB

Configuring arm-elf-gdb

I built with gdb-7.0.

./configure \
   --disable-werror \
   --target arm-elf
make && sudo make install

Generating ELF files from ROM dumps

remake-elf builds an ELF file from a binary dump and an IDA map file:

./remake-elf \
  -o flasher.elf \
  -b 0x80000 \
  --relative \
  flasher.bin \
  flasher.map

Depending on the segment number IDA assigned to the ROM, you might need to modify the regex in remake-elf so that it extracts symbols from the correct segment of the map file; symbols from other segments (for example RAM variables) should be skipped.
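The segment-filtering step above, as an added stand-alone example (this is not remake-elf's own code, and the map below is a constructed sample rather than a real Canon map): it parses the "Publics by Value" lines of an IDA .map file, keeps only the chosen segment, rebases the offsets the way -b BASE --relative implies, and turns the result into gdb breakpoint commands of the form used in gdbopts. The map layout (segment:offset followed by the symbol name) and the base address 0x800000 are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of an IDA .map file. Symbol names and offsets are
# invented for illustration and are not taken from any Canon ROM.
SAMPLE_MAP = """\
 Start         Length     Name                   Class
 0001:00000000 000A0000H ROM                    CODE
 0002:00000000 00001000H RAM                    DATA

  Address         Publics by Value

 0001:00000120       flasher_entry
 0001:000009F4       loop_of_death
 0001:0000A294       firmware_updater
 0002:00000040       some_ram_var
"""

# Matches one "SSSS:OOOOOOOO  name" line of the publics table and nothing
# else: the segment table and headers have extra columns and fail the match.
PUBLIC_RE = re.compile(r"^\s*([0-9A-Fa-f]{4}):([0-9A-Fa-f]{8})\s+(\S+)\s*$")


def parse_ida_map(text: str, segment: int, base: int,
                  relative: bool = True) -> Dict[str, int]:
    """Return {symbol: address} for the publics that live in `segment`.

    With relative=True the map offsets are treated as offsets from `base`
    (the -b BASE --relative case); otherwise they are used as-is.
    Symbols from every other segment are dropped, which is the filtering
    the regex in remake-elf has to get right.
    """
    symbols: Dict[str, int] = {}
    for line in text.splitlines():
        m = PUBLIC_RE.match(line)
        if not m:
            continue  # header, blank line, or segment-table row
        seg = int(m.group(1), 16)
        off = int(m.group(2), 16)
        name = m.group(3)
        if seg != segment:
            continue
        symbols[name] = base + off if relative else off
    return symbols


def gdb_breakpoints(symbols: Dict[str, int], names: List[str]) -> List[str]:
    """Emit 'br *0x...' lines (the gdbopts style) for the named symbols."""
    return [f"br *0x{symbols[n]:x}" for n in names if n in symbols]


if __name__ == "__main__":
    # Assumed base 0x800000 for the constructed sample; segment 1 is the ROM.
    syms = parse_ida_map(SAMPLE_MAP, segment=1, base=0x800000)
    for name, addr in sorted(syms.items(), key=lambda kv: kv[1]):
        print(f"{addr:08x} {name}")
    print("\n".join(gdb_breakpoints(syms, ["loop_of_death"])))
```

Changing the segment argument is the equivalent of editing the regex in remake-elf: with segment=2 the same map yields only the RAM symbol, rebased against whatever base you pass for that segment.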

gdbopts file:

target remote localhost:1234
set language asm
layout asm
layout regs
focus cmd
symbol-file flasher.elf
# Break if we enter the infinite loop of death
br *0x8009f4

flasher-script file:

echo Jumping to firmware updater
set $pc = 0x80a294
set $r0 = 0xb00000
set $r1 = 0x22e100

# problem?
br *0x846744

Run gdb:

arm-elf-gdb -x gdbopts

See also
