Emulating Digicam with QEMU - page 5 - General Discussion and Assistance - CHDK Forum
« previous next »
Pages: 1 2 3 4 [5] 6   Go Down

Emulating Digicam with QEMU

  • 51 Replies
  • 45954 Views
*

Offline fudgey

  • *****
  • 1705
  • a570is
Re: Emulating Digicam with QEMU
« Reply #40 on: 26 / January / 2009, 15:51:21 »
Advertisements
disassemble_with_stubs_funcs-v1.0.sh

Attached is a batch mode (or single mode if you wish) bash shell script which pretty much automatically does a number of things for one or more firmware dumps:

1) If functions.txt files (function list exported from IDA) are available, it processes them into stub files so that they can be included in the disassemblies (PhyrePhoX did the hard work for us with IDA for cameras which have already been ported, see http://chdk.setepontos.com/index.php/topic,288.msg27742.html#msg27742).

2) Truncates oversized dumps (but doesn't check for validity otherwise!).

3) Gets ROMBASEADDR from makefile.inc and stubs from several stub files (see script for more info), disassembles
and adds strings and stubs using Chr's disassembly tools disassemble.pl (v0.2) and stubs2dis.pl (http://chdk.wikia.com/wiki/GPL_Tools).

It appears to run fine on Ubuntu 8.10 but some of it is quite horrible use of shell tools and I find it likely that parts of it will fail to work on some other operating systems... but this one suits me for now, feel free to improve/rewrite it.

Logged
*

Offline foofighter69

  • *
  • 15
  • Canon A470
Re: Emulating Digicam with QEMU
« Reply #41 on: 15 / May / 2009, 11:51:44 »
Trying QEmu in windows:

Code: [Select]
c:\qemu-0.9.1-windows\bin>qemu-system-arm.exe  -kernel PRIMARY_A470-102c.bin
qemu: fatal: Unimplemented cp15 register write (c5, c0, {0, 2})

R00=03333330 R01=00000000 R02=00000100 R03=00000000
R04=00000000 R05=00000000 R06=00000000 R07=00000000
R08=00000000 R09=00000000 R10=00000000 R11=00000000
R12=00000000 R13=00000000 R14=00000000 R15=00010078
PSR=400001d3 -Z-- A svc32
s00=00000000(       0) s01=00000000(       0) d00=0000000000000000(       0)
s02=00000000(       0) s03=00000000(       0) d01=0000000000000000(       0)
s04=00000000(       0) s05=00000000(       0) d02=0000000000000000(       0)
s06=00000000(       0) s07=00000000(       0) d03=0000000000000000(       0)
s08=00000000(       0) s09=00000000(       0) d04=0000000000000000(       0)
s10=00000000(       0) s11=00000000(       0) d05=0000000000000000(       0)
s12=00000000(       0) s13=00000000(       0) d06=0000000000000000(       0)
s14=00000000(       0) s15=00000000(       0) d07=0000000000000000(       0)
s16=00000000(       0) s17=00000000(       0) d08=0000000000000000(       0)
s18=00000000(       0) s19=00000000(       0) d09=0000000000000000(       0)
s20=00000000(       0) s21=00000000(       0) d10=0000000000000000(       0)
s22=00000000(       0) s23=00000000(       0) d11=0000000000000000(       0)
s24=00000000(       0) s25=00000000(       0) d12=0000000000000000(       0)
s26=00000000(       0) s27=00000000(       0) d13=0000000000000000(       0)
s28=00000000(       0) s29=00000000(       0) d14=0000000000000000(       0)
s30=00000000(       0) s31=00000000(       0) d15=0000000000000000(       0)
FPSCR: 00000000

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

Of course without success...
Logged
*

MrSpoon

Re: Emulating Digicam with QEMU
« Reply #42 on: 16 / May / 2009, 11:25:06 »
Qemu doesn't emulate all the instructions so you have to jump past any that crash it. Alternatively you could edit them out of the ROM you're emulating.

chr put up some info on the wiki.
Logged
*

Offline lorenzo353

  • *
  • 38
Re: Emulating Digicam with QEMU
« Reply #43 on: 28 / November / 2009, 13:32:46 »
hi,

is there a working 'ixus' patch against qemu 0.11 ?

this one http://chdk.setepontos.com/index.php/topic,1918.msg17500.html#msg17500
is not working

[root@t qemu-0.11.0]# patch -p1 <../qemu.ixus.patch
patching file Makefile.target
Hunk #1 FAILED at 498.
1 out of 1 hunk FAILED -- saving rejects to file Makefile.target.rej
patching file hw/boards.h
Hunk #1 FAILED at 82.
1 out of 1 hunk FAILED -- saving rejects to file hw/boards.h.rej
patching file hw/ixus.c
patching file vl.c
Hunk #1 FAILED at 7912.
1 out of 1 hunk FAILED -- saving rejects to file vl.c.rej

thank you
Logged
*

Offline hudson

  • *
  • 43
Re: Emulating Digicam with QEMU
« Reply #44 on: 28 / November / 2009, 19:26:17 »
Quote from: lorenzo353 on 28 / November / 2009, 13:32:46
is there a working 'ixus' patch against qemu 0.11 ?
I've written a patch for qemu-0.11 as part of the Magic Lantern project.  You can download the patch from: bitbucket.org - magiclantern/patches/qemu-0.11.patch

It no longer emulates the ixus, even though I haven't renamed the architecture.  The memory layout and console device are for the 7D and 5D Mark II.
Logged
*

Offline lorenzo353

  • *
  • 38
Re: Emulating Digicam with QEMU + IDA >=5.4
« Reply #45 on: 11 / December / 2009, 13:11:04 »
since IDA PRO 5.4, it is possible to connect IDA to QEMU (using Windows version).
http://www.hex-rays.com/idapro/debugger/gdb_qemu.pdf

and QEmu can be compiled under Win32 using Mingw
http://qemu-forum.ipi.fi/viewtopic.php?f=22&t=5308

with IDA, no need to generate an ELF image since binary can be loaded directly.
QEMU must first be patched with Trammell's patch against QEmu 0.11 (see previous post)
http://magiclantern.wikia.com/wiki/Emulation

Lorenzo
Logged
*

Offline yukia10

  • *
  • 32
  • SX50_100c
Re: Emulating Digicam with QEMU
« Reply #46 on: 01 / May / 2013, 06:45:30 »
Minimal hw/sx50.c for qemu-1.4.1 is attached. It has far less functions than Magic Lantern (contrib/qemu/hw/eos.c).

You have to start qemu-system-arm under the same directory as dump.bin (and additional main.bin for sx50_chdk). Rom file names (dump.bin and main.bin) and entry points (0xFF000000 and 0x1900) are hard coded in sx50.c.

$ qemu-system-arm -nographic -s -S -M sx50 (or sx50_chdk)

You will need gdb (or IDA?) to see what is going on. See here: http://chdk.wikia.com/wiki/GPL_Qemu.

$ arm-elf-gdb -x gdbopts

« Last Edit: 01 / May / 2013, 07:39:10 by yukia10 »
Logged
*

Offline reyalp

  • ******
  • 14082
Re: Emulating Digicam with QEMU
« Reply #47 on: 07 / May / 2023, 00:16:37 »
10 year bump  :haha

I spent some time improving A1100 support in @names_are_hard's excellent qemu fork, and figured I should put some notes somewhere. Over a few posts, I'll try to cover how to build / use it, CHDK / PowerShot specifics, and lessons learned adding camera support.

Setup
The code is in https://github.com/reticulatedpines/qemu-eos/tree/qemu-eos-v4.2.1 (you want the qemu-eos-v4.2.1 branch. This includes my A1100 fixes)

The configuration below is just what works for me, it's not the only or necessarily best way to set things up.

I found following the build instructions on https://github.com/reticulatedpines/qemu-eos/tree/qemu-eos-v4.2.1/magiclantern worked out of the box on a Debian 11 x64 VM in virtualbox. It is a quite old qemu version and does have some compiler and distro sensitivities, so other distros may be less smooth. I'd stay away from trying to build it natively on Windows or Mac (though I haven't actually tried Mac)

If you do run into problems building, I suggest leaving off the -j option, as non-parallel output is much easier to follow.

Performance running in virtualbox on an ancient i5 windows system is fine, though it can get sluggish with gdb scripts.

For powershots, you don't need the magiclantern_simplified tree mentioned in the instructions. You also don't need the libmagiclantern.so plugin, though it's tiny and harmless (it allows printing camera debug messages without gdb, but the function signature is different from powershot LogCameraEvent)

I use a virtualbox file share for the source so I can work on the code outside of the VM, so in my configuration qemu-eos is a symlink into the mounted tree of my CHDK stuff. The qemu-eos-build directory is on the VM filesystem.

qemu also expects the firmware to have different names and directory structure from typical CHDK usage, so I use a separate tree with symlinks for that.

My tree (under $HOME in this case) ends up looking like
Code: [Select]
qemu/
  qemu-eos -> /mnt/chdk/qemu-eos
    ... clone of git repo
  qemu-eos-build/
     ... binaries and disk images are under here
  roms/
    A1100/
       ROM1.BIN -> /mnt/chdk/dumps/a1100/sub/100c/PRIMARY.BIN

Note qemu-eos does support setting the firmware version, but it expects the version to be a plain number (rather than powershot style number + letter), and the actual qemu implementation may have firmware version specific code (patching addresses in ROM, for example,)  though A1100 currently does not.

In the case of A1100, the only known firmware versions are 100b and 100c, and 100b is a copied sub in CHDK, so should presumably be identical from a qemu POV.

My usual build command looks like
Code: [Select]
( cd ~/qemu/qemu-eos-build && make && make plugins && cp tests/plugin/libmagiclantern.so arm-softmmu/plugins/ )
I keep long commands like this in my notes and paste or run from history as needed, hence the subshell and cds.

... to be continued
Logged
Don't forget what the H stands for.
*

Offline reyalp

  • ******
  • 14082
Re: Emulating Digicam with QEMU
« Reply #48 on: 07 / May / 2023, 00:33:56 »
Running
The included magic_lantern/run_qemu.py has some magic lantern specifics (and fails to create pipe funky mounted from windows setup), so I generally run qemu directly.

I also prefer to have the camera UART in a putty window rather than the qemu GUI.

To run qemu without GDB, I use a command like
Code: [Select]
QEMU_EOS_WORKDIR=~/qemu/roms DISPLAY=:0.0 ~/qemu/qemu-eos-build/arm-softmmu/qemu-system-arm \
 -drive if=sd,file=$HOME/qemu/qemu-eos-build/disk_images/sd.qcow2 \
 -drive if=ide,file=$HOME/qemu/qemu-eos-build/disk_images/cf.qcow2 \
 -serial stdio -name A1100 -M A1100
Note the CF is required, even though powershots only have a single SD slot.

The disk images are copied from magiclantern/disk_images/sd.qcow2.xz in the source. This is  a bootable ML image, but for basic usage can just be uncompressed and copied. Preparing a bootable CHDK image will be covered later.

To run with gdb, I add -s -S, ending up with
Code: [Select]
QEMU_EOS_WORKDIR=~/qemu/roms DISPLAY=:0.0 ~/qemu/qemu-eos-build/arm-softmmu/qemu-system-arm \
 -drive if=sd,file=$HOME/qemu/qemu-eos-build/disk_images/sd.qcow2 \
 -drive if=ide,file=$HOME/qemu/qemu-eos-build/disk_images/cf.qcow2 \
 -serial stdio -name A1100 -M A1100 -s -S
and then in a separate terminal
Code: [Select]
(cd ~/qemu/qemu-eos/magiclantern/cam_config/ && gdb-multiarch -x A1100/debugmsg.gdb)
running in gdb gives you LogCameraEvent output as well as logging of many other useful things.

On debian the appropriate gdb package can be installed with
Code: [Select]
apt-get install gdb-arm-none-eabi

Having the gdb console in a different terminal from the camera UART and qemu output makes it easier to work in gdb, but can make it harder to figure out what order things happened in.

Note running in gdb, you'll see a lot of messages in qemu output like
Code: [Select]
[EOS] MEMTX invalid read - addr, size: 0xece2bef0, 0x4
These are a side effect of some of the gdb scripts and are harmless, except for possibly drowning the output you want in spam.

You can edit qemu-eos/magiclantern/cam_config/A1100/debugmsg.gdb to add breakpoints or scripts to debug or investigate specific things.

At present, there is no way to interact with the camera keyboard through qemu on A1100. EOS cameras use a separate processor (MPU) to handle keyboard input, so the additional work is needed to support powershots direct GPIO keyboard.

However, you can interact with the camera very clumsily using the evenshell in the serial console:
Code: [Select]
UI.CreatePublicregisters levents as eventprocs, and the you can use, for example
Code: [Select]
PressMenuButton
UnpressMenuButton
to open the camera menu.

Of course you can also use all the other normal eventprocs, including drysh to get a dryos shell.

You cannot currently interact with the CHDK keyboard.

... to be continued
Logged
Don't forget what the H stands for.
*

Offline reyalp

  • ******
  • 14082
Re: Emulating Digicam with QEMU
« Reply #49 on: 07 / May / 2023, 01:34:00 »
Booting CHDK
I used nbd (libguestfs may be an alternative, nbd was the first thing I tried and it worked)

As root, in qemu-eos-build
Code: [Select]
modprobe nbd
./qemu-nbd -c /dev/nbd0 -f qcow2 disk_images/a1100-sd.qcow2
The default SD image appears to already have BOOTDISK at 0x40, but you could set it with
Code: [Select]
echo -n BOOTDISK | dd bs=1 count=8 seek=64 of=/dev/nbd0p1
To copy files, mount like
Code: [Select]
mount /dev/nbd0p1 /mnt/sdimg
and then copy your CHDK files into /mnt/sdimg

When done
Code: [Select]
umount /mnt/sdimg
./qemu-nbd -d /dev/nbd0

The A1100 qemu implementation currently has the SD lock indicator hard-coded on, so a bootable card with diskboot.bin should boot.

The current CHDK port (under qemu at least) defaults to booting in rec mode, which quickly crashes with lens error. To avoid this, you can invert the logic in CHDK boot.c
Code: [Select]
     *(int*)(0x2234)= (*(int*)0xC0220134)&1 ?0x200000 : 0x100000; // replacement of sub_FFC3040C for correct power-on.
If you use the gdb script, a workaround is automatically applied and this isn't needed.

I'm fairly sure this is a bug in the CHDK port, but don't want to change it without confirmation on the real hardware.

As mentioned, you can't interact with the CHDK UI, but you should be able to run a startup script using a CFG prepared on another camera.

... more later
Logged
Don't forget what the H stands for.
Pages: 1 2 3 4 [5] 6   Go Up
« previous next »
 

Related Topics