Emulating the Canon 7D or 5D Mark II requires qemu to simulate the system and either arm-elf-gdb or IDA Pro to step through it.
qemu
Configuring qemu 0.11
Download the patch file, patches/qemu-0.11.patch. The patch files will eventually be updated to use the machine name canon; for now they are based on the CHDK patches for the ixus platform.
patch -p1 < patches/qemu-0.11.patch
./configure \
    --disable-werror \
    --target-list=arm-softmmu
Running qemu
(For flasher code)
QEMU_LOAD=0x800120 QEMU_ENTRY=0x800120 \
./arm-softmmu/qemu-system-arm \
    -s \
    -S \
    -nographic \
    -m 1024 \
    -M ixus \
    -option-rom ~/build/5d/7d000110/flasher_payload.bin \
    /dev/null
Be careful of this QEmu bug under Windows 7: http://developer.symbian.org/bugs/show_bug.cgi?id=3671
Here is my patch against 0.12.5 (in gdbstub.c):
// original line, now commented out:
// "%s,nowait,nodelay,server", device);
// bind the gdb stub to loopback on a fixed port instead of using the device string
"tcp:127.0.0.1:1234,nowait,nodelay,server");
IDA Pro
Select Debugger - Process Options and set the hostname to localhost and the port to 1234 to connect to qemu running on the same machine. Then select Debugger - Continue Process to run the firmware until it enters the infinite loop at 0x8009f4.
ELF files are not required.
GDB
Configuring arm-elf-gdb
I built with gdb-7.0.
./configure \
    --disable-werror \
    --target arm-elf
make && sudo make install
Generating ELF files from ROM dumps
remake-elf builds an ELF file from a binary dump and an IDA map file:
./remake-elf \
    -o flasher.elf \
    -b 0x80000 \
    --relative \
    flasher.bin \
    flasher.map
Depending on the segment number IDA assigned to the ROM, you may need to modify the regex in remake-elf so that it extracts symbols from the correct segment.
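The segment filter is the part of the map parsing that most often goes wrong, so here is an added example (not remake-elf's own code) of the symbol-extraction step: it parses the "Publics by Value" lines of an IDA map, keeps only the chosen segment, adds the load base the way --relative does, and rejects any symbol that falls outside the dumped image, which is the usual sign of a wrong segment or base. The map text, the segment numbers and the base address 0x800000 are constructed for the example; only the loop address 0x8009f4 and the updater address 0x80a294 come from this page.

```python
import re
from dataclasses import dataclass

# Constructed sample of an IDA .map file (not a real camera dump).  Symbols in
# the "Publics by Value" section are written as seg:offset name.  Segment 0001
# is the ROM image we load at the base address; segment 0002 is unrelated RAM.
SAMPLE_MAP = """\
 Start         Length     Name                   Class
 0001:00000000 00100000H ROM                    CODE
 0002:00000000 00010000H RAM                    DATA

  Address         Publics by Value

 0001:00000120       flasher_entry
 0001:000009F4       infinite_loop
 0001:0000A294       firmware_updater
 0002:00000010       some_ram_var
"""

# This single regex is the knob the text talks about: it captures the segment
# number, the offset and the symbol name, and nothing else.
SYMBOL_RE = re.compile(r"^\s*([0-9A-Fa-f]{4}):([0-9A-Fa-f]{8})\s+(\S+)\s*$")


@dataclass(frozen=True)
class Symbol:
    name: str
    address: int


def parse_map_symbols(map_text, segment, base, relative=True, image_size=None):
    """Return the symbols of `segment` resolved to absolute addresses.

    relative=True mirrors remake-elf's --relative flag: the map offset is added
    to `base`.  With relative=False the offsets are taken as already absolute.
    If image_size is given, a symbol outside [base, base + image_size) raises
    ValueError instead of silently producing a useless ELF.
    """
    symbols = []
    for line in map_text.splitlines():
        m = SYMBOL_RE.match(line)
        if not m:
            continue  # header, segment table, blank line, ...
        seg, off, name = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
        if seg != segment:
            continue  # symbol belongs to another IDA segment
        addr = base + off if relative else off
        if image_size is not None and not (base <= addr < base + image_size):
            raise ValueError(f"{name} at {addr:#x} lies outside the dumped image")
        symbols.append(Symbol(name, addr))
    return symbols


def nearest_symbol(symbols, addr):
    """Map an address (e.g. the $pc gdb stopped at) to (name, offset) of the
    closest symbol at or below it, or None if no symbol precedes it."""
    best = None
    for s in symbols:
        if s.address <= addr and (best is None or s.address > best.address):
            best = s
    if best is None:
        return None
    return best.name, addr - best.address


if __name__ == "__main__":
    # Assumed base 0x800000 so the constructed offsets line up with the page's
    # loop address 0x8009f4 and updater address 0x80a294.
    syms = parse_map_symbols(SAMPLE_MAP, segment=1, base=0x800000, image_size=0x100000)
    for s in syms:
        print(f"{s.address:#010x} {s.name}")
    print(nearest_symbol(syms, 0x8009F8))
```

Running it with the constructed map lists the three ROM symbols and resolves 0x8009f8 to infinite_loop+4; selecting segment 2 with the same base, or an image_size that is too small for the ROM, makes the range check fire rather than emitting symbols at bogus addresses.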
gdbopts file:
target remote localhost:1234
set language asm
layout asm
layout regs
focus cmd
symbol-file flasher.elf
# Break if we enter the infinite loop of death
br *0x8009f4
flasher-script file:
echo Jumping to firmware updater
set $pc = 0x80a294
set $r0 = 0xb00000
set $r1 = 0x22e100
# problem?
br *0x846744
Run gdb:
arm-elf-gdb -x gdbopts