Emulating Digicam with QEMU

fudgey

1705
a570is

Re: Emulating Digicam with QEMU

« Reply #40 on: 26 / January / 2009, 15:51:21 »

Advertisements

disassemble_with_stubs_funcs-v1.0.sh

Attached is a batch mode (or single mode if you wish) bash shell script which pretty much automatically does a number of things for one or more firmware dumps:

1) If functions.txt files (function list exported from IDA) are available, it processes them into stub files so that they can be included in the disassemblies (PhyrePhoX did the hard work for us with IDA for cameras which have already been ported, see http://chdk.setepontos.com/index.php/topic,288.msg27742.html#msg27742).

2) Truncates oversized dumps (but doesn't check for validity otherwise!).

3) Gets ROMBASEADDR from makefile.inc and stubs from several stub files (see script for more info), disassembles
and adds strings and stubs using Chr's disassembly tools disassemble.pl (v0.2) and stubs2dis.pl (http://chdk.wikia.com/wiki/GPL_Tools).

It appears to run fine on Ubuntu 8.10 but some of it is quite horrible use of shell tools and I find it likely that parts of it will fail to work on some other operating systems... but this one suits me for now, feel free to improve/rewrite it.

disassemble_with_stubs_funcs-v1.0.zip (4.56 kB - downloaded 106 times.)

Logged

foofighter69

15
Canon A470

Re: Emulating Digicam with QEMU

« Reply #41 on: 15 / May / 2009, 11:51:44 »

Trying QEmu in windows:

Code: [Select]

c:\qemu-0.9.1-windows\bin>qemu-system-arm.exe  -kernel PRIMARY_A470-102c.bin
qemu: fatal: Unimplemented cp15 register write (c5, c0, {0, 2})

R00=03333330 R01=00000000 R02=00000100 R03=00000000
R04=00000000 R05=00000000 R06=00000000 R07=00000000
R08=00000000 R09=00000000 R10=00000000 R11=00000000
R12=00000000 R13=00000000 R14=00000000 R15=00010078
PSR=400001d3 -Z-- A svc32
s00=00000000(       0) s01=00000000(       0) d00=0000000000000000(       0)
s02=00000000(       0) s03=00000000(       0) d01=0000000000000000(       0)
s04=00000000(       0) s05=00000000(       0) d02=0000000000000000(       0)
s06=00000000(       0) s07=00000000(       0) d03=0000000000000000(       0)
s08=00000000(       0) s09=00000000(       0) d04=0000000000000000(       0)
s10=00000000(       0) s11=00000000(       0) d05=0000000000000000(       0)
s12=00000000(       0) s13=00000000(       0) d06=0000000000000000(       0)
s14=00000000(       0) s15=00000000(       0) d07=0000000000000000(       0)
s16=00000000(       0) s17=00000000(       0) d08=0000000000000000(       0)
s18=00000000(       0) s19=00000000(       0) d09=0000000000000000(       0)
s20=00000000(       0) s21=00000000(       0) d10=0000000000000000(       0)
s22=00000000(       0) s23=00000000(       0) d11=0000000000000000(       0)
s24=00000000(       0) s25=00000000(       0) d12=0000000000000000(       0)
s26=00000000(       0) s27=00000000(       0) d13=0000000000000000(       0)
s28=00000000(       0) s29=00000000(       0) d14=0000000000000000(       0)
s30=00000000(       0) s31=00000000(       0) d15=0000000000000000(       0)
FPSCR: 00000000

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

Of course without success...

Logged

MrSpoon

Re: Emulating Digicam with QEMU

« Reply #42 on: 16 / May / 2009, 11:25:06 »

Qemu doesn't emulate all the instructions so you have to jump past any that crash it. Alternatively you could edit them out of the ROM you're emulating.

chr put up some info on the wiki.

Logged

lorenzo353

Re: Emulating Digicam with QEMU

« Reply #43 on: 28 / November / 2009, 13:32:46 »

hi,

is there a working 'ixus' patch against qemu 0.11 ?

this one http://chdk.setepontos.com/index.php/topic,1918.msg17500.html#msg17500
is not working

[root@t qemu-0.11.0]# patch -p1 <../qemu.ixus.patch
patching file Makefile.target
Hunk #1 FAILED at 498.
1 out of 1 hunk FAILED -- saving rejects to file Makefile.target.rej
patching file hw/boards.h
Hunk #1 FAILED at 82.
1 out of 1 hunk FAILED -- saving rejects to file hw/boards.h.rej
patching file hw/ixus.c
patching file vl.c
Hunk #1 FAILED at 7912.
1 out of 1 hunk FAILED -- saving rejects to file vl.c.rej

thank you

Logged

hudson

Re: Emulating Digicam with QEMU

« Reply #44 on: 28 / November / 2009, 19:26:17 »

Quote from: lorenzo353 on 28 / November / 2009, 13:32:46

is there a working 'ixus' patch against qemu 0.11 ?

I've written a patch for qemu-0.11 as part of the Magic Lantern project. You can download the patch from: bitbucket.org - magiclantern/patches/qemu-0.11.patch

It no longer emulates the ixus, even though I haven't renamed the architecture. The memory layout and console device are for the 7D and 5D Mark II.

Logged

lorenzo353

Re: Emulating Digicam with QEMU + IDA >=5.4

« Reply #45 on: 11 / December / 2009, 13:11:04 »

since IDA PRO 5.4, it is possible to connect IDA to QEMU (using Windows version).
http://www.hex-rays.com/idapro/debugger/gdb_qemu.pdf

and QEmu can be compiled under Win32 using Mingw
http://qemu-forum.ipi.fi/viewtopic.php?f=22&t=5308

with IDA, no need to generate an ELF image since binary can be loaded directly.
QEMU must first be patched with Trammell's patch against QEmu 0.11 (see previous post)
http://magiclantern.wikia.com/wiki/Emulation

Lorenzo

Logged

yukia10

32
SX50_100c

Re: Emulating Digicam with QEMU

« Reply #46 on: 01 / May / 2013, 06:45:30 »

Minimal hw/sx50.c for qemu-1.4.1 is attached. It has far less functions than Magic Lantern (contrib/qemu/hw/eos.c).

You have to start qemu-system-arm under the same directory as dump.bin (and additional main.bin for sx50_chdk). Rom file names (dump.bin and main.bin) and entry points (0xFF000000 and 0x1900) are hard coded in sx50.c.

$ qemu-system-arm -nographic -s -S -M sx50 (or sx50_chdk)

You will need gdb (or IDA?) to see what is going on. See here: http://chdk.wikia.com/wiki/GPL_Qemu.

$ arm-elf-gdb -x gdbopts

sx50.c (3.95 kB - downloaded 34 times.)

gdb.png (63.28 kB, 656x875 - viewed 99 times.)

« Last Edit: 01 / May / 2013, 07:39:10 by yukia10 »

Logged