Emulating Digicam with QEMU - page 3 - General Discussion and Assistance - CHDK Forum

Emulating Digicam with QEMU


Offline fudgey

  • *****
  • 1705
  • a570is
Re: Emulating Digicam with QEMU
« Reply #20 on: 10 / August / 2008, 14:55:37 »
I found many strings aligned to 0x0 and padded to 4, but also strings terminated by only a single 0x0. The only thing we are missing is the insert:

"GetCurrentAvValue":
ffb114a1  blahblah ...

Would preprocessing the strings file to round all addresses down to multiples of 4 fix this?

Ah, I also wrote a stubs2diss.pl  8)

Anyone wants it?

umm... well... _o/   :P


Offline ewavr

  • ****
  • 1057
  • A710IS
Re: Emulating Digicam with QEMU
« Reply #21 on: 10 / August / 2008, 17:12:53 »
Mh, this does not answer my question ... or I must ask more precisely: What does it do? It's called from many interesting functions ... e.g. while putting acid on a diskboot.bin
So IDA has no idea about "sub_FFAA4C98", too.
You want me to decompile this function? I don't like this work :) (maybe later...)
However, I can run Desquirr:
Code:
ffaa4c98 sub_FFAA4C98:
ffaa4c98   Cond = R2 - 0x20;
ffaa4c98   R2 = R2 - 0x20;
ffaa4c9c   /* push LR */
ffaa4c9c   /* push R4 */
ffaa4ca0   if (Cond < 0) goto loc_FFAA4CBC;

ffaa4ca4 loc_FFAA4CA4:
ffaa4ca4   /* Low-level instruction of type 33 */
ffaa4ca8   /* Low-level instruction of type 34 */
ffaa4cac   /* Low-level instruction of type 33 */
ffaa4cb0   /* Low-level instruction of type 34 */
ffaa4cb4   Cond = R2 - 0x20;
ffaa4cb4   if (Cond < 0) goto loc_FFAA4CB8;

ffaa4cb4   R2 = R2 - 0x20;

ffaa4cb8 loc_FFAA4CB8:
ffaa4cb8   if (Cond >= 0) goto loc_FFAA4CA4;

ffaa4cbc loc_FFAA4CBC:
ffaa4cbc   Cond = R2 << 0x1c;
ffaa4cc0   /* Low-level instruction of type 33 */
ffaa4cc4   /* Low-level instruction of type 34 */
ffaa4cc8   /* Low-level instruction of type 33 */
ffaa4ccc   /* Low-level instruction of type 34 */
ffaa4cd0   Cond = R2 << 0x1e;
ffaa4cd4   /* pop  */
ffaa4cd4   /* pop LR */
ffaa4cd8   if (Cond < 0) goto loc_FFAA4CDC;

ffaa4cd8   R3 = * (R1 + 4);

ffaa4cdc loc_FFAA4CDC:
ffaa4cdc   if (Cond < 0) goto loc_FFAA4CE0;

ffaa4cdc   * (R0 + 4) = R3;

ffaa4ce0 loc_FFAA4CE0:
ffaa4ce0   if (Cond != 0) goto loc_FFAA4CE4;

ffaa4ce0   R0 = LR(R0, R1, R2, R3);

ffaa4ce4 loc_FFAA4CE4:
ffaa4ce4   Cond = R2 << 0x1f;
ffaa4ce4   R2 = R2 << 0x1f;
ffaa4ce8   if (Cond >= 0) goto loc_FFAA4CEC;

ffaa4ce8   R2 = * (R1 + 1);

ffaa4cec loc_FFAA4CEC:
ffaa4cec   if (Cond < 0) goto loc_FFAA4CF0;

ffaa4cec   R3 = * (R1 + 1);

ffaa4cf0 loc_FFAA4CF0:
ffaa4cf0   if (Cond < 0) goto loc_FFAA4CF4;

ffaa4cf0   R12 = * (R1 + 1);

ffaa4cf4 loc_FFAA4CF4:
ffaa4cf4   if (Cond >= 0) goto loc_FFAA4CF8;

ffaa4cf4   * (R0 + 1) = R2;

ffaa4cf8 loc_FFAA4CF8:
ffaa4cf8   if (Cond < 0) goto loc_FFAA4CFC;

ffaa4cf8   * (R0 + 1) = R3;

ffaa4cfc loc_FFAA4CFC:
ffaa4cfc   if (Cond < 0) goto loc_FFAA4D00;

ffaa4cfc   * (R0 + 1) = R12;

Remarkable result, isn't it?   :D


Offline chr

  • ***
  • 138
  • IXUS 82 IS
Re: Emulating Digicam with QEMU
« Reply #22 on: 11 / August / 2008, 12:31:42 »

Ah, I also wrote a stubs2diss.pl  8)

Anyone wants it?

umm... well... _o/   :P

ok. here it is:

GPL:stubs2dis.pl - CHDK Wiki

usage:

cat stubs_entry.S stubs_entry_2.S | ./stubs2diss.pl dump.bin.dis > outfile.dis.stubs

e.g.:

NSTUB(opendir, 0xffa0c0a8):
ffa0c0a8:    e92d4070    stmdb   sp!, {r4, r5, r6, lr}
ffa0c0ac:    e1a05000    mov   r5, r0
ffa0c0b0:    e3a00014    mov   r0, #20   ; 0x14
ffa0c0b4:    ebf87130    bl   ff82857c <PT_AllocateMemory -1981240>
ffa0c0b8:    e1b04000    movs   r4, r0
ffa0c0bc:    03a01059    moveq   r1, #89   ; 0x59
ffa0c0c0:    028f0e26    addeq   r0, pc, #608   ; ffa0c328: (64616552)  *"ReadFDir.c"
ffa0c0c4:    0bf83f3b    bleq   ff81bdb8 <DebugAssert -2032396>
ffa0c0c8:    e3e00000    mvn   r0, #0   ; 0x0
ffa0c0cc:    e5840000    str   r0, [r4]
ffa0c0d0:    e3a00902    mov   r0, #32768   ; 0x8000
ffa0c0d4:    ebf87155    bl   ff828630 <AllocateUncacheableMemory -1981092>
ffa0c0d8:    e3a01902    mov   r1, #32768   ; 0x8000
ffa0c0dc:    e9840003    stmib   r4, {r0, r1}
ffa0c0e0:    e3a01000    mov   r1, #0   ; 0x0
ffa0c0e4:    e3500000    cmp   r0, #0   ; 0x0
ffa0c0e8:    e584100c    str   r1, [r4, #12]
ffa0c0ec:    e5841010    str   r1, [r4, #16]
ffa0c0f0:    03a01060    moveq   r1, #96   ; 0x60
ffa0c0f4:    028f0f8b    addeq   r0, pc, #556   ; ffa0c328: (64616552)  *"ReadFDir.c"
ffa0c0f8:    0bf83f2e    bleq   ff81bdb8 <DebugAssert -2032448>
ffa0c0fc:    e3a02f49    mov   r2, #292   ; 0x124
ffa0c100:    e3a01000    mov   r1, #0   ; 0x0
ffa0c104:    e1a00005    mov   r0, r5
ffa0c108:    ebf85f47    bl   ff823e2c <Open -1999580>
ffa0c10c:    e3700001    cmn   r0, #1   ; 0x1
ffa0c110:    e5840000    str   r0, [r4]
...


bl   ff82857c <PT_AllocateMemory -1981240>

The value -1981240 is the relative position from this instruction. If the number is small, it's a loop.


Offline chr

  • ***
  • 138
  • IXUS 82 IS
Reformat disassembler to gas
« Reply #23 on: 12 / August / 2008, 01:36:32 »



Offline chr

  • ***
  • 138
  • IXUS 82 IS
Re: Emulating Digicam with QEMU
« Reply #24 on: 12 / August / 2008, 12:20:41 »
GPL:dis2gas.pl - CHDK Wiki

Before:
Code: (asm)

ff85f0ac: e3100001 tst r0, #1 ; 0x1
ff85f0b0: 0a000004 beq ff85f0c8 <_binary_dump_bin_start+0x4f0c8 +24>
ff85f0b4: e59f1290 ldr r1, [pc, #656] ; ff85f34c: (00000186)
ff85f0b8: e28f0e27 add r0, pc, #624 ; ff85f330: (6f4d7353)  *"SsMovieRec.c"
ff85f0bc: ebfef33d bl ff81bdb8 <DebugAssert -275204>
ff85f0c0: e28dd038 add sp, sp, #56 ; 0x38
ff85f0c4: e8bd81f0 ldmia sp!, {r4, r5, r6, r7, r8, pc}
ff85f0c8: e5940004 ldr r0, [r4, #4]
ff85f0cc: e3a03004 mov r3, #4 ; 0x4
ff85f0d0: e28d2030 add r2, sp, #48 ; 0x30
ff85f0d4: e3a0102b mov r1, #43 ; 0x2b
ff85f0d8: eb003851 bl ff86d224 <_binary_dump_bin_start+0x5d224 +57676>
ff85f0dc: eb0082a0 bl ff87fb64 <_binary_dump_bin_start+0x6fb64 +133768>
ff85f0e0: e1dd13d4 ldrsb r1, [sp, #52]
ff85f0e4: e1500001 cmp r0, r1
ff85f0e8: 03a07000 moveq r7, #0 ; 0x0
ff85f0ec: 0a00000a beq ff85f11c <_binary_dump_bin_start+0x4f11c +48>
after:
Code: (c)

"tst r0, #1 \n" // ; 0x1
"BEQ loc_FF85F0C8 \n"
"ldr r1,  =0x00000186 \n"
"loc_FF85F0B8:\n"
"ldr r0, =0xff85f330 \n" // ; (6f4d7353)  *"SsMovieRec.c"
"BL sub_FF81BDB8 \n" // <DebugAssert -275204>
"loc_FF85F0C0:\n"
"add sp, sp, #56 \n" // ; 0x38
"ldmia sp!, {r4, r5, r6, r7, r8, pc} \n"
"loc_FF85F0C8:\n"
"ldr r0, [r4, #4] \n"
"mov r3, #4 \n" // ; 0x4
"add r2, sp, #48 \n" // ; 0x30
"mov r1, #43 \n" // ; 0x2b
"BL sub_FF86D224 \n"
"BL sub_FF87FB64 \n"
"ldrsb r1, [sp, #52] \n"
"cmp r0, r1 \n"
"moveq r7, #0 \n" // ; 0x0
"BEQ loc_FF85F11C \n"
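An added example, not chr's stubs2diss.pl or dis2gas.pl: a small Python re-implementation of the two transformations shown in Reply #22 (prefix the disassembly with the matching `NSTUB(name, 0xaddr):` header from stubs_entry.S) and in this reply (rewrite `objdump -d` lines as C string literals of relocatable gas source: pc-relative `ldr`/`add` become `ldr =value` / `ldr =address`, `bl` targets become `sub_XXXXXXXX`, conditional `b` targets become `loc_XXXXXXXX` with a label emitted before the target line). Assumptions not on the page: labels are only generated for branch targets that lie inside the input (the original script presumably runs over the whole dump, which is why `loc_FF85F0B8` and `loc_FF85F0C0` appear above), `<_binary_dump_bin_start+...>` symbol comments are dropped as meaningless, and `bx`/`blx` are passed through untouched. The sample lines are copied from the two posts.

```python
import re
from typing import Dict, Iterable, List, Optional, Set

# One "objdump -d" line: address, encoding, mnemonic, rest (operands plus ';' comment).
DIS_RE = re.compile(r"^\s*([0-9a-f]{8}):\s+([0-9a-f]{8})\s+(\S+)\s*(.*?)\s*$")
# NSTUB(name, 0xaddress) as written in CHDK's stubs_entry.S files.
NSTUB_RE = re.compile(r"NSTUB\(\s*(\w+)\s*,\s*0x([0-9a-fA-F]+)\s*\)")
# b / bl with an optional ARM condition suffix (beq, bleq, ...); bx/blx are not matched.
BRANCH_RE = re.compile(r"^(bl?)(eq|ne|cs|cc|mi|pl|vs|vc|hi|ls|ge|lt|gt|le|al)?$")
# "r1, [pc, #656] ; ff85f34c: (00000186)": objdump already resolved the literal-pool value.
PC_LDR_RE = re.compile(r"^(\w+),\s*\[pc,\s*#-?\d+\]\s*;\s*[0-9a-f]{8}:\s*\(([0-9a-f]{8})\)(.*)$")
# 'r0, pc, #624 ; ff85f330: (6f4d7353)  *"SsMovieRec.c"': objdump resolved the address.
PC_ADD_RE = re.compile(r"^(\w+),\s*pc,\s*#-?\d+\s*;\s*([0-9a-f]{8}):\s*(.*)$")


def parse_stubs(stubs_text: str) -> Dict[int, str]:
    """Collect NSTUB(name, addr) entries from stubs_entry.S text: address -> name."""
    return {int(m.group(2), 16): m.group(1) for m in NSTUB_RE.finditer(stubs_text)}


def annotate_stubs(dis_lines: Iterable[str], stubs: Dict[int, str]) -> List[str]:
    """stubs2diss: insert an 'NSTUB(name, 0xaddr):' header before each stub address."""
    out: List[str] = []
    for line in dis_lines:
        m = DIS_RE.match(line)
        if m and int(m.group(1), 16) in stubs:
            addr = int(m.group(1), 16)
            out.append(f"NSTUB({stubs[addr]}, 0x{addr:08x}):")
        out.append(line)
    return out


def _branch_target(rest: str) -> Optional[int]:
    """Address token of a branch operand, or None when it is not a plain hex address."""
    toks = rest.split()
    try:
        return int(toks[0], 16) if toks else None
    except ValueError:
        return None


def dis2gas(dis_lines: Iterable[str]) -> List[str]:
    """dis2gas: rewrite objdump lines as C string literals of position-independent gas."""
    parsed = [m for m in (DIS_RE.match(line) for line in dis_lines) if m]
    # Pass 1: collect jump targets (plain b, not bl) so labels precede the target line.
    labels: Set[int] = set()
    for m in parsed:
        b = BRANCH_RE.match(m.group(3))
        if b and b.group(1) == "b" and (t := _branch_target(m.group(4))) is not None:
            labels.add(t)
    # Pass 2: rewrite each instruction, keeping objdump's ';' remark as a C++ comment.
    out: List[str] = []
    for m in parsed:
        addr, mnem, rest = int(m.group(1), 16), m.group(3), m.group(4)
        if addr in labels:
            out.append(f'"loc_{addr:08X}:\\n"')
        comment = ""
        if (b := BRANCH_RE.match(mnem)) and (target := _branch_target(rest)) is not None:
            kind = "sub" if b.group(1) == "bl" else "loc"
            text = f"{mnem.upper()} {kind}_{target:08X}"
            sym = rest[rest.find("<"):] if "<" in rest else ""
            if sym and not sym.startswith("<_binary"):  # dump-relative offsets say nothing
                comment = sym
        elif mnem == "ldr" and (pm := PC_LDR_RE.match(rest)):
            reg, value, tail = pm.groups()
            text = f"ldr {reg},  =0x{value}"          # let gas build the literal pool
            comment = f"; {tail.strip()}" if tail.strip() else ""
        elif mnem == "add" and (pm := PC_ADD_RE.match(rest)):
            reg, address, tail = pm.groups()
            text = f"ldr {reg}, =0x{address}"         # absolute address of the pc-relative data
            comment = f"; {tail.strip()}"
        else:
            operands, _, tail = rest.partition(";")
            text = f"{mnem} {operands.strip()}".strip()
            comment = f"; {tail.strip()}" if tail.strip() else ""
        out.append(f'"{text} \\n"' + (f" // {comment}" if comment else ""))
    return out


# Sample input copied from the posts in this thread (Reply #22 and Reply #24).
STUBS_SAMPLE = "NSTUB(opendir, 0xffa0c0a8)\n"
DIS_SAMPLE_STUB = [
    "ffa0c0a8:    e92d4070    stmdb   sp!, {r4, r5, r6, lr}",
    "ffa0c0ac:    e1a05000    mov   r5, r0",
]
DIS_SAMPLE_GAS = [
    "ff85f0ac: e3100001 tst r0, #1 ; 0x1",
    "ff85f0b0: 0a000004 beq ff85f0c8 <_binary_dump_bin_start+0x4f0c8 +24>",
    "ff85f0b4: e59f1290 ldr r1, [pc, #656] ; ff85f34c: (00000186)",
    'ff85f0b8: e28f0e27 add r0, pc, #624 ; ff85f330: (6f4d7353)  *"SsMovieRec.c"',
    "ff85f0bc: ebfef33d bl ff81bdb8 <DebugAssert -275204>",
    "ff85f0c0: e28dd038 add sp, sp, #56 ; 0x38",
    "ff85f0c4: e8bd81f0 ldmia sp!, {r4, r5, r6, r7, r8, pc}",
    "ff85f0c8: e5940004 ldr r0, [r4, #4]",
]

if __name__ == "__main__":
    print("\n".join(annotate_stubs(DIS_SAMPLE_STUB, parse_stubs(STUBS_SAMPLE))))
    print("\n".join(dis2gas(DIS_SAMPLE_GAS)))
```

Running it on the eight "Before" lines reproduces the corresponding "after" lines above, except that only `loc_FF85F0C8` gets a label because it is the only branch target inside the sample. The two-pass structure matters: a label has to be known before the line it precedes is emitted, so targets are collected first.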



Offline pixeldoc2000

  • ****
  • 356
  • IXUS900Ti 1.00C, IXUS300HS 1.00D
    • pixel::doc homebase
Re: Emulating Digicam with QEMU
« Reply #25 on: 13 / August / 2008, 18:53:30 »
at GPL Qemu - CHDK Wiki Dissass (chr ?) wrote "Prerequisites: have a raw firmware dump and an elf packed version of it. I use ixus860is.dump and isus860is_dump.elf here."
How do I create / convert a binary firmware dump to elf? I've never used qemu before... Sorry.
« Last Edit: 13 / August / 2008, 18:55:08 by pixeldoc2000 »


Offline chr

  • ***
  • 138
  • IXUS 82 IS
Re: Emulating Digicam with QEMU
« Reply #26 on: 13 / August / 2008, 21:58:39 »
at GPL Qemu - CHDK Wiki Dissass (chr ?) wrote "Prerequisites: have a raw firmware dump and an elf packed version of it. I use ixus860is.dump and isus860is_dump.elf here."
How do I create / convert a binary firmware dump to elf? I've never used qemu before... Sorry.

Oops, sorry! I bugfixed the wiki:

GPL Qemu - CHDK Wiki

 ::)

edit:

:blink:  :haha

« Last Edit: 14 / August / 2008, 02:43:15 by chr »


Offline pixeldoc2000

  • ****
  • 356
  • IXUS900Ti 1.00C, IXUS300HS 1.00D
    • pixel::doc homebase
Re: Emulating Digicam with QEMU
« Reply #27 on: 16 / August / 2008, 23:34:02 »
@chr

Ups, sorry! I bugfixed the wiki:
GPL Qemu - CHDK Wiki
Thanks!

I've followed your guide, but when i load symbol-file into gdb i get:
Code:
(gdb) symbol-file dump.bin.elf
Reading symbols from /home/foo/canon_ixus900_sd900_100c/dump.bin.elf...(no debugging symbols fou
nd)...done.
No function contains program counter for selected frame.
What does "No function contains program counter for selected frame." mean?

"arm-elf-objdump -x dump.bin.elf" output:
Code:
dump.bin.elf:     file format elf32-littlearm
dump.bin.elf
architecture: arm, flags 0x00000010:
HAS_SYMS
start address 0xff810000
private flags = 0: [APCS-32] [FPA float format]

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .data         0036a640  ff810000  ff810000  00000034  2**0
                  CONTENTS, CODE
SYMBOL TABLE:
ff810000 l    d  .data 00000000
ff810000 g       .data 00000000 _binary_dump_bin_start
ffb7a640 g       .data 00000000 _binary_dump_bin_end
0036a640 g       *ABS* 00000000 _binary_dump_bin_size

I've double-checked every previous step to create the necessary files... should be ok... ?!?

I'm using Canon IXUS 900 Ti / SD900 1.00C dump (VxWorks 5.5).
« Last Edit: 16 / August / 2008, 23:35:47 by pixeldoc2000 »



Offline chr

  • ***
  • 138
  • IXUS 82 IS
Re: Emulating Digicam with QEMU
« Reply #28 on: 17 / August / 2008, 00:53:48 »
Code:
(gdb) symbol-file dump.bin.elf
Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .data         0036a640  ff810000  ff810000  00000034  2**0
                  CONTENTS, CODE
Mh, I compared with my file. I got:
CONTENTS, ALLOC, LOAD, CODE

Try arm-objcopy --set-section-flags .data=load, ... mh, or let's correct the disassemble.pl script in line 48!
Quote
What does "No function contains program counter for selected frame." mean?
Pain in the ass!

You are going to run the chdk boot in qemu? ;) The gotcha is, it copies itself. Look for *.elf/*.dump files in the chdk build dir.

(gdb) restore ../chdk.trunk/bin/DISKBOOT.BIN binary 0x1900
Restoring binary file ../chdk.trunk/bin/DISKBOOT.BIN into memory (0x1900 to 0x2ec04)
(gdb) b *0x1900
Breakpoint 2 at 0x1900
(gdb) j *0x1900
Continuing at 0x1900.
No function contains program counter for selected frame.

>:(

(gdb) add-symbol-file ../chdk.trunk/loader/ixus80_sd1100/main.elf 0x1900
add symbol table from file "../chdk.trunk/loader/ixus80_sd1100/main.elf" at
        .text_addr = 0x1900
(y or n)
Reading symbols from /home/turboB/Softw/ixus/chdk.trunk/loader/ixus80_sd1100/main.elf...(no debugging symbols found)...done.

(gdb) x/16i $pc
0x1900 <link_text_start>:       ldr     r3, [pc, #32]   ; 0x1928 <link_text_start+40>
0x1904 <link_text_start+4>:     mov     r2, #68 ; 0x44
0x1908 <link_text_start+8>:     str     r2, [r3]
0x190c <link_text_start+12>:    mov     r3, #32768      ; 0x8000
0x1910 <link_text_start+16>:    sub     r3, r3, #1      ; 0x1
0x1914 <link_text_start+20>:    cmp     r3, #0  ; 0x0
0x1918 <link_text_start+24>:    bne     0x1910 <link_text_start+16>
0x191c <link_text_start+28>:    mov     sp, #6400       ; 0x1900
0x1920 <link_text_start+32>:    mov     r11, #0 ; 0x0
0x1924 <link_text_start+36>:    b       0x192c <my_restart>
0x1928 <link_text_start+40>:    eorgt   r0, r2, r8, asr #32
0x192c <my_restart>:    mov     r0, #0  ; 0x0
0x1930 <my_restart+4>:  mov     r1, r0
---Type <return> to continue, or q <return> to quit---

:)

b *0x50000 <- RERESTART
c

Breakpoint 2, 0x00050000 in ?? ()

add-symbol-file ../chdk.trunk/loader/ixus80_sd1100/resetcode/main.elf 0x50000
add symbol table from file "../chdk.trunk/loader/ixus80_sd1100/resetcode/main.elf" at
        .text_addr = 0x50000
(y or n)
Reading symbols from /home/turboB/Softw/ixus/chdk.trunk/loader/ixus80_sd1100/resetcode/main.elf...(no debugging symbols found)...done.
(gdb) x/16i 0x50000
0x50000 <link_text_start>:      mov     sp, #6400       ; 0x1900
0x50004 <link_text_start+4>:    mov     r11, #0 ; 0x0
0x50008 <link_text_start+8>:    b       0x5000c <copy_and_restart>
0x5000c <copy_and_restart>:     cmp     r1, r0
0x50010 <copy_and_restart+4>:   mov     r12, r0
0x50014 <copy_and_restart+8>:   bcs     0x50054 <copy_and_restart+72>
0x50018 <copy_and_restart+12>:  add     r3, r1, r2
0x5001c <copy_and_restart+16>:  cmp     r0, r3
0x50020 <copy_and_restart+20>:  movcc   r0, r3
0x50024 <copy_and_restart+24>:  addcc   r1, r12, r2
0x50028 <copy_and_restart+28>:  bcc     0x50038 <copy_and_restart+44>
0x5002c <copy_and_restart+32>:  b       0x50054 <copy_and_restart+72>
0x50030 <copy_and_restart+36>:  ldrb    r3, [r0, #-1]!



Yes, it works. However, finally it crashes just like my real cam.  :-X


(gdb) restore ../chdk.trunk/core/main.elf
Restoring section .text (0xbff60 to 0xeb8a4)
Restoring section .data (0xeb8a4 to 0xed0a8)
(gdb) add-symbol-file ../chdk.trunk/core/main.elf 0xbff60
(gdb) p boot
$5 = {<text variable, no debug info>} 0xd5974 <boot>
(gdb) j boot


« Last Edit: 17 / August / 2008, 01:11:32 by chr »


Offline pixeldoc2000

  • ****
  • 356
  • IXUS900Ti 1.00C, IXUS300HS 1.00D
    • pixel::doc homebase
Re: Emulating Digicam with QEMU
« Reply #29 on: 17 / August / 2008, 02:14:05 »
@chr

Mh, I compared with my file. I got:
CONTENTS, ALLOC, LOAD, CODE
So, ALLOC & LOAD sections are missing?

If I understand your last post correctly, I changed disassemble.pl like this:
Code:
print "create elf file\n";
`$objcopy --change-addresses=$offset -I binary -O elf32-littlearm -B arm $binfile $binfile.elf`;
`$objcopy --set-section-flags .data=load $binfile.elf`;   <--- ADDED THIS
`$objcopy --set-section-flags .data=code $binfile.elf`;
 
but "arm-elf-objdump -x dump.bin.elf" output remains the same...

Quote
Pain in the ass!
You name it!  :)

Quote
You are going to run the chdk boot in qemu?
This would have been one of my next questions...  ;)
You should include what you wrote in the wiki!

Thanks for your fast answer!
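An added example, not the wiki's disassemble.pl or anything from the thread: a Python model of why the two separate `--set-section-flags` lines in the post above leave `objdump -x` reporting `CONTENTS, CODE`. objcopy replaces a section's flag set on every `--set-section-flags` call (it only carries `CONTENTS` over for a section that has file data), so `.data=load` followed by `.data=code` ends with just `code`; one call with `.data=alloc,load,code` gives chr's `CONTENTS, ALLOC, LOAD, CODE`. The block also parses the `Sections:` table of the `objdump -x` output quoted in Reply #27 to check for the missing flags, and builds the corrected objcopy argv. Assumed, not on the page: that `objcopy -I binary -O elf32-littlearm` starts the `.data` section with `CONTENTS, ALLOC, LOAD, DATA` (typical binutils behaviour), and the subset of flag names and objdump print order listed in the constants.

```python
import re
from typing import Dict, Iterable, List, Set

# Flag names objcopy accepts in --set-section-flags (the ones relevant here).
OBJCOPY_FLAG_NAMES = {"alloc", "load", "noload", "readonly", "debug",
                      "code", "data", "rom", "share", "contents"}
# Assumed starting flags of the .data section objcopy creates from a raw dump
# with "-I binary -O elf32-littlearm" (typical binutils behaviour, not from the thread).
BINARY_IMPORT_FLAGS = {"contents", "alloc", "load", "data"}
# The order objdump -h prints these flags in (subset).
PRINT_ORDER = ["contents", "alloc", "load", "readonly", "code", "data", "rom", "debug"]


def set_section_flags(current: Set[str], flag_spec: str) -> Set[str]:
    """Model one 'objcopy --set-section-flags SECTION=flag_spec' call.

    The requested set replaces the old one; only CONTENTS is carried over, so
    nothing accumulates across separate objcopy invocations.
    """
    requested = {f.strip().lower() for f in flag_spec.split(",") if f.strip()}
    unknown = requested - OBJCOPY_FLAG_NAMES
    if unknown:
        raise ValueError(f"unknown section flag(s): {sorted(unknown)}")
    return requested | ({"contents"} & current)


def apply_flag_calls(initial: Set[str], specs: Iterable[str],
                     section: str = ".data") -> Set[str]:
    """Apply a series of 'SECTION=flags' specs, one per objcopy call, to one section."""
    flags = set(initial)
    for spec in specs:
        name, _, flag_spec = spec.partition("=")
        if name.strip() == section:
            flags = set_section_flags(flags, flag_spec)
    return flags


def format_flags(flags: Set[str]) -> str:
    """Render a flag set the way objdump prints it, e.g. 'CONTENTS, ALLOC, LOAD, CODE'."""
    return ", ".join(f.upper() for f in PRINT_ORDER if f in flags)


SECTION_LINE = re.compile(r"^\s*\d+\s+(\S+)\s+[0-9a-f]{8}\s+[0-9a-f]{8}")
FLAGS_LINE = re.compile(r"^\s+([A-Z_]+(?:,\s*[A-Z_]+)*)\s*$")


def parse_objdump_sections(text: str) -> Dict[str, Set[str]]:
    """Read the 'Sections:' table of objdump -h / -x output into {name: flags}."""
    sections: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        if m := SECTION_LINE.match(line):
            current = m.group(1)
            sections[current] = set()
        elif current is not None and (m := FLAGS_LINE.match(line)):
            sections[current] = {f.strip().lower() for f in m.group(1).split(",")}
            current = None
    return sections


def missing_for_loading(flags: Set[str]) -> Set[str]:
    """Flags the section still needs for gdb/qemu to treat it as loadable memory."""
    return {"alloc", "load"} - flags


def objcopy_command(binfile: str, load_address: int) -> List[str]:
    """argv wrapping a raw dump into an ELF with every flag set in ONE call."""
    return ["arm-elf-objcopy", f"--change-addresses=0x{load_address:x}",
            "-I", "binary", "-O", "elf32-littlearm", "-B", "arm",
            "--set-section-flags", ".data=alloc,load,code", binfile, f"{binfile}.elf"]


# objdump -x output copied from pixeldoc2000's post (Reply #27).
OBJDUMP_SAMPLE = """\
dump.bin.elf:     file format elf32-littlearm
architecture: arm, flags 0x00000010:
HAS_SYMS
start address 0xff810000

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .data         0036a640  ff810000  ff810000  00000034  2**0
                  CONTENTS, CODE
SYMBOL TABLE:
ff810000 l    d  .data 00000000
0036a640 g       *ABS* 00000000 _binary_dump_bin_size
"""

if __name__ == "__main__":
    two_calls = apply_flag_calls(BINARY_IMPORT_FLAGS, [".data=load", ".data=code"])
    one_call = apply_flag_calls(BINARY_IMPORT_FLAGS, [".data=alloc,load,code"])
    print("two separate calls ->", format_flags(two_calls))
    print("one combined call  ->", format_flags(one_call))
    found = parse_objdump_sections(OBJDUMP_SAMPLE)[".data"]
    print("dump.bin.elf .data is missing:", sorted(missing_for_loading(found)))
    print(" ".join(objcopy_command("dump.bin", 0xff810000)))
```

The model reproduces both outputs seen in the thread: the two-call sequence yields `CONTENTS, CODE` (pixeldoc2000's file) and the single combined call yields `CONTENTS, ALLOC, LOAD, CODE` (chr's file). Checking the parsed `objdump -x` output for `alloc` and `load` is the quick test to run on a freshly wrapped dump before loading it into gdb or qemu.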
