Re: [Qemu-devel] Emulating mips
On Tue, Jul 23, 2013 at 12:41 AM, Rob Landley r...@landley.net wrote:
> On 07/23/2013 12:16:53 AM, Renich Bon Ciric wrote:
>> Hello, I am new to this...
>>
>> I'm trying to run some rom file I got from a client. It's a sc2005 processor; supposedly compatible with 4k.
>>
>> Anyway, I do this:
>>
>> qemu-system-mips -M mips -pflash 301-3100\ -\ user\ specified\ -\ Full.bin -serial stdio
>>
>> The processor goes to 100% but I see nothing, not in the serial console nor in the window (monitor, maybe?)
>>
>> I'd appreciate some tips
>
> I have working mips images at http://landley.net/aboriginal/bin/system-image-mips.tar.bz2
>
> Grab that, extract it, and ./run-emulator.sh. That should let you know what working looks like, and if you can dig a chroot or loopback mount out of your rom image, you can probably mount it under there and try running the binaries.
>
> Rob

Ah, I've noticed on the kernel output that it's configured for a 24kc and my rom is designed for a 4k compatible cpu. I think I should recreate the vmlinux, right?

Anyway, it totally stops when it seems not able to find the right partition for the rom:

Linux version 3.10.0 (landley@driftwood) (collect2: ld returned 1 exit status) #1 Wed Jul 3 00:54:09 CDT 2013
bootconsole [early0] enabled
CPU revision is: 00019300 (MIPS 24Kc)
FPU revision is: 00739300
Software DMA cache coherency enabled
Determined physical RAM map:
 memory: 1000 @ (reserved)
 memory: 000ef000 @ 1000 (ROM data)
 memory: 0038f000 @ 000f (reserved)
 memory: 07b8 @ 0047f000 (usable)
Wasting 36832 bytes for tracking 1151 unused pages
Zone ranges:
  DMA [mem 0x-0x00ff]
  Normal [mem 0x0100-0x07ffefff]
Movable zone start for each node
Early memory node ranges
  node 0: [mem 0x-0x07ffefff]
Primary instruction cache 2kB, VIPT, 2-way, linesize 16 bytes.
Primary data cache 2kB, 2-way, VIPT, no aliases, linesize 16 bytes
Built 1 zonelists in Zone order, mobility grouping on.
Total pages: 32511
Kernel command line: root=/dev/hda rw console=ttyS0 HOST=mips
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Writing ErrCtl register=
Readback ErrCtl register=
Memory: 125296k/126464k available (2596k kernel code, 1168k reserved, 606k data, 188k init, 0k highmem)
SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
NR_IRQS:256
CPU frequency 200.00 MHz
Console: colour dummy device 80x25
Calibrating delay loop... 970.75 BogoMIPS (lpj=1941504)
pid_max: default: 32768 minimum: 301
Mount-cache hash table entries: 512
devtmpfs: initialized
NET: Registered protocol family 16
bio: create slab bio-0 at 0
vgaarb: loaded
SCSI subsystem initialized
PCI host bridge to bus :00
pci_bus :00: root bus resource [mem 0x1000-0x17ff]
pci_bus :00: root bus resource [io 0x2000-0x1f]
pci_bus :00: No busn resource found for root bus, will use [bus 00-ff]
pci :00:0a.3: no compatible bridge window for [io 0x1100-0x110f]
vgaarb: device added: PCI::00:12.0,decodes=io+mem,owns=none,locks=none
pci :00:0a.3: BAR 8: [io 0x1100-0x110f] has bogus alignment
pci :00:12.0: BAR 0: assigned [mem 0x1000-0x11ff pref]
pci :00:0b.0: BAR 6: assigned [mem 0x1200-0x1201 pref]
pci :00:12.0: BAR 6: assigned [mem 0x1202-0x1202 pref]
pci :00:12.0: BAR 1: assigned [mem 0x1203-0x12030fff]
pci :00:0a.2: BAR 4: assigned [io 0x2000-0x201f]
pci :00:0b.0: BAR 0: assigned [io 0x2020-0x203f]
pci :00:0b.0: BAR 1: assigned [mem 0x12031000-0x1203101f]
pci :00:0a.1: BAR 4: assigned [io 0x2040-0x204f]
Switching to clocksource pit
NET: Registered protocol family 2
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP: reno registered
UDP hash table entries: 256 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
NET: Registered protocol family 1
PCI: Enabling device :00:0a.2 ( - 0001)
squashfs: version 4.0 (2009/01/31) Phillip Lougher
9p: Installing v9fs 9p2000 file system support
msgmni has been set to 244
io scheduler noop registered (default)
Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled
serial8250.0: ttyS0 at I/O 0x3f8 (irq = 4) is a 16550A
console [ttyS0] enabled, bootconsole disabled
console [ttyS0] enabled, bootconsole disabled
serial8250.0: ttyS1 at I/O 0x2f8 (irq = 3) is a 16550A
loop: module loaded
Uniform Multi-Platform E-IDE driver
piix :00:0a.1: IDE controller (0x8086:0x7111 rev 0x00)
PCI: Enabling device :00:0a.1 ( - 0001)
piix :00:0a.1: not 100% native mode: will probe irqs later
ide0: BM-DMA at 0x2040-0x2047
ide1: BM-DMA at 0x2048-0x204f
hda: QEMU HARDDISK, ATA DISK drive
hda: UDMA/33 mode selected
hdc: QEMU DVD-ROM, ATAPI CD/DVD-ROM drive
hdc: UDMA/33 mode
Re: [Qemu-devel] Emulating mips
Hello,

On 23.07.2013 07:16, Renich Bon Ciric wrote:
> I'm trying to run some rom file I got from a client. It's a sc2005 processor; supposedly compatible with 4k.
>
> Anyway, I do this:
>
> qemu-system-mips -M mips -pflash 301-3100\ -\ user\ specified\ -\ Full.bin -serial stdio
>
> The processor goes to 100% but I see nothing, not in the serial console nor in the window (monitor, maybe?)

You didn't mention which version you're using, so try latest stable 1.5 or qemu.git.

You need to know what board the ROM file was for, you can view the list with -M '?' - if it's none of those, chances are you need to implement the machine first.

Note that there's qemu-system-mips and qemu-system-mipsel depending on endianness, and you can usually override the CPU via -cpu, again see -cpu '?' for a list.

Regards,
Andreas

--
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer; HRB 16746 AG Nürnberg
Re: [Qemu-devel] Emulating mips
On Tue, Jul 23, 2013 at 4:06 AM, Andreas Färber afaer...@suse.de wrote:
> Hello,
>
> On 23.07.2013 07:16, Renich Bon Ciric wrote:
>> I'm trying to run some rom file I got from a client. It's a sc2005 processor; supposedly compatible with 4k.
>>
>> Anyway, I do this:
>>
>> qemu-system-mips -M mips -pflash 301-3100\ -\ user\ specified\ -\ Full.bin -serial stdio
>>
>> The processor goes to 100% but I see nothing, not in the serial console nor in the window (monitor, maybe?)
>
> You didn't mention which version you're using, so try latest stable 1.5 or qemu.git.
>
> You need to know what board the ROM file was for, you can view the list with -M '?' - if it's none of those, chances are you need to implement the machine first.

Yeah, the board is none from the list; so maybe I need to look into implementing, huh? gulp

> Note that there's qemu-system-mips and qemu-system-mipsel depending on endianness, and you can usually override the CPU via -cpu, again see -cpu '?' for a list.

Thanks a lot, Andreas. The info is very useful. Have a nice day.
[Qemu-devel] Emulating mips
Hello, I am new to this...

I'm trying to run some rom file I got from a client. It's a sc2005 processor; supposedly compatible with 4k.

Anyway, I do this:

qemu-system-mips -M mips -pflash 301-3100\ -\ user\ specified\ -\ Full.bin -serial stdio

The processor goes to 100% but I see nothing, not in the serial console nor in the window (monitor, maybe?)

I'd appreciate some tips

# files
-rw-rw-r--. 1 renich renich     144 Jun 15 04:50 301-3100 - Flash 1(IC22-29LV160) - Full.bin
-rw-rw-r--. 1 renich renich 4194304 Mar  4 02:49 301-3100 - Flash 2(IC23-29LV160) - Full.bin
-rw-rw-r--. 1 renich renich 4194304 May 23 21:26 301-3100 - user specified - Full.bin

# processor
sc2000, sc2005; compatible with 4k

# misc
- I have a sc2000.per file bundled with it... Said to be a cpu peripheral definition (don't know if it becomes handy)

--
Renich Bon Ciric
Consultant

# Website
http://evalinux.com/

# Address
Ignacio Ramírez #171, Villaseñor, 44600, Guadalajara, Jalisco, México

# Tel
+52 (33) 1589-4554

# Mobile
+52 (33) 3576-5013
Re: [Qemu-devel] Emulating mips
On 07/23/2013 12:16:53 AM, Renich Bon Ciric wrote:
> Hello, I am new to this...
>
> I'm trying to run some rom file I got from a client. It's a sc2005 processor; supposedly compatible with 4k.
>
> Anyway, I do this:
>
> qemu-system-mips -M mips -pflash 301-3100\ -\ user\ specified\ -\ Full.bin -serial stdio
>
> The processor goes to 100% but I see nothing, not in the serial console nor in the window (monitor, maybe?)
>
> I'd appreciate some tips

I have working mips images at http://landley.net/aboriginal/bin/system-image-mips.tar.bz2

Grab that, extract it, and ./run-emulator.sh. That should let you know what working looks like, and if you can dig a chroot or loopback mount out of your rom image, you can probably mount it under there and try running the binaries.

Rob
[Qemu-devel] Emulating MIPS self-examining code
Hello,

I'm trying to emulate the following MIPS code (taken from the bootloader of my system):

        /* Initialize GOT pointer.
        ** Global symbols can't be resolved before this is done, and as such we can't
        ** use any global symbols in this code. We use the bal/ move xxx,ra combination to access
        ** data in a PC relative manner to avoid this. This code will correctly set the
        ** gp regardless of whether the code has already been relocated or not.
        ** This code determines the current gp by computing the link time (gp - pc)
        ** and adding this to the current pc.
        ** runtime_gp = runtime_pc + (linktime_gp - linktime_pc)
        ** U-boot is running from the address it is linked at at this time, so this
        ** general case code is not strictly necessary here.
        */

        /* Branch and link to get current PC in ra */
        bal     1f
        nop

        .extern _GLOBAL_OFFSET_TABLE_
        .word   _GLOBAL_OFFSET_TABLE_   /* This contains the linked address of the GOT */
        /* The ra register now contains the runtime address of the above memory location */
        .word   . - 4                   /* This contains the link time address of the previous word,
                                           which is also what the link time expected PC value is */
1:      move    gp, ra                  /* Move current PC into gp register */
        lw      t1, 0(ra)               /* Load linked address of the GOT into t1 */
        lw      t2, 4(ra)               /* Load the link time address of the GOT storage location into t2 */
        sub     t1, t2                  /* Subtract t2 from t1. */
        /* t1 now contains the difference between the link-time GOT table address and the link time expected PC */
        /* Add this difference to the current PC (copied into gp above) so that gp now has the current runtime
        ** GOT table address */
        add     gp, t1                  # calculate current location of offset table

Corresponding objdump output is:

...[skipped]
bfc306c4:       04110003        bal     bfc306d4 func+0x28
bfc306c8:                       nop
bfc306cc:       bfc79d10        cache   0x7,-25328(s8)
bfc306d0:       bfc306cc        cache   0x3,1740(s8)
bfc306d4:       03e0e02d        move    gp,ra
bfc306d8:       8fe9            lw      a5,0(ra)
bfc306dc:       8fea0004        lw      a6,4(ra)
bfc306e0:       012a4822        sub     a5,a5,a6
bfc306e4:       0389e020        add     gp,gp,a5
...[skipped]
bfc79d10 _GLOBAL_OFFSET_TABLE_:
bfc79d10:                       nop
...[skipped]

This is a kind of self-examining code (bfc306cc..bfc306d0 is treated as data). The problem is that QEMU translates this (master?)piece into two translation blocks bfc306c4..bfc306c8 and bfc306d4..bfc306e4, silently ignoring bfc306cc..bfc306d0 because there is no way to execute in that area. Due to this, 0(ra) at bfc306d8 can't be evaluated correctly.

Are there any ideas on how to get such code emulated?

Dmitry
Re: [Qemu-devel] Emulating MIPS self-examining code
On Mon, Feb 08, 2010 at 05:26:33PM +0300, Dmitry Antipov wrote:
> Hello,
>
> I'm trying to emulate the following MIPS code (taken from the bootloader of my system):
>
>         /* Initialize GOT pointer.
>         ** Global symbols can't be resolved before this is done, and as such we can't
>         ** use any global symbols in this code. We use the bal/ move xxx,ra combination to access
>         ** data in a PC relative manner to avoid this. This code will correctly set the
>         ** gp regardless of whether the code has already been relocated or not.
>         ** This code determines the current gp by computing the link time (gp - pc)
>         ** and adding this to the current pc.
>         ** runtime_gp = runtime_pc + (linktime_gp - linktime_pc)
>         ** U-boot is running from the address it is linked at at this time, so this
>         ** general case code is not strictly necessary here.
>         */
>
>         /* Branch and link to get current PC in ra */
>         bal     1f
>         nop
>
>         .extern _GLOBAL_OFFSET_TABLE_
>         .word   _GLOBAL_OFFSET_TABLE_   /* This contains the linked address of the GOT */
>         /* The ra register now contains the runtime address of the above memory location */
>         .word   . - 4                   /* This contains the link time address of the previous word,
>                                            which is also what the link time expected PC value is */
> 1:      move    gp, ra                  /* Move current PC into gp register */
>         lw      t1, 0(ra)               /* Load linked address of the GOT into t1 */
>         lw      t2, 4(ra)               /* Load the link time address of the GOT storage location into t2 */
>         sub     t1, t2                  /* Subtract t2 from t1. */
>         /* t1 now contains the difference between the link-time GOT table address and the link time expected PC */
>         /* Add this difference to the current PC (copied into gp above) so that gp now has the current runtime
>         ** GOT table address */
>         add     gp, t1                  # calculate current location of offset table
>
> Corresponding objdump output is:
>
> ...[skipped]
> bfc306c4:       04110003        bal     bfc306d4 func+0x28
> bfc306c8:                       nop
> bfc306cc:       bfc79d10        cache   0x7,-25328(s8)
> bfc306d0:       bfc306cc        cache   0x3,1740(s8)
> bfc306d4:       03e0e02d        move    gp,ra
> bfc306d8:       8fe9            lw      a5,0(ra)
> bfc306dc:       8fea0004        lw      a6,4(ra)
> bfc306e0:       012a4822        sub     a5,a5,a6
> bfc306e4:       0389e020        add     gp,gp,a5
> ...[skipped]
> bfc79d10 _GLOBAL_OFFSET_TABLE_:
> bfc79d10:                       nop
> ...[skipped]
>
> This is a kind of self-examining code (bfc306cc..bfc306d0 is treated as data). The problem is that QEMU translates this (master?)piece into two translation blocks bfc306c4..bfc306c8 and bfc306d4..bfc306e4, silently ignoring bfc306cc..bfc306d0 because there is no way

It does not ignore it, it skips it because of the jump in 0xbfc306c4 which instructs the CPU to jump into bfc306d4. That's why the second block starts at this address.

> to execute in that area. Due to this, 0(ra) at bfc306d8 can't be evaluated correctly.

Why? Do you mean this instruction is not executed? What is important here is the value of gp.

> Are there any ideas on how to get such code emulated?

I personally don't see the problem. Please also post the input asm code and the output tcg code from qemu (-d in_asm,op).

--
Aurelien Jarno                          GPG: 1024D/F1BCDB73
aurel...@aurel32.net                    http://www.aurel32.net