gdb stepping through boot code

Emulating the Canon 7D or 5D Mark II requires qemu to simulate the system and either arm-elf-gdb or IDA Pro to step through it.

qemu

Configuring qemu 0.11

Download the patch file, patches/qemu-0.11.patch. The patch will eventually be updated to use the hw (machine) name canon; for now it is based on the CHDK patches for the ixus platform, which is why the machine type below is ixus.

patch -p1 < patches/qemu-0.11.patch
./configure \
 --disable-werror \

Running qemu

(For flasher code)

QEMU_LOAD=0x800120 QEMU_ENTRY=0x800120 \
./arm-softmmu/qemu-system-arm \
   -s \
   -S \
   -nographic \
   -m 1024 \
   -M ixus \
   -option-rom ~/build/5d/7d000110/flasher_payload.bin \

Be careful of this QEMU bug under Windows 7:

here is my patch against 0.12.5 (in gdbstub.c):

//                     "%s,nowait,nodelay,server", device);

IDA Pro

Select Debugger - Process Options and set the hostname to localhost and the port to 1234 to connect to qemu running on the same machine (the -s option above makes qemu listen for a gdb connection on port 1234, and -S keeps the CPU halted until the debugger continues it). Then select Debugger - Continue Process to run the firmware until it enters the infinite loop at 0x8009f4.

ELF files are not required when using IDA Pro.

GDB

Configuring arm-elf-gdb

I built with gdb-7.0.

./configure \
   --disable-werror \
   --target arm-elf
make && sudo make install

Generating ELF files from ROM dumps

remake-elf builds an ELF file from a binary dump and an IDA map file:

./remake-elf \
  -o flasher.elf \
  -b 0x80000 \
  --relative \
  flasher.bin \

Depending on the segment number in IDA, you might need to modify the regex to extract symbols from the correct segment.
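As an added example (not the remake-elf tool from this page, whose source is not shown here), the following Python script shows the symbol-extraction step that the note above refers to: it parses the "Publics by Value" section of a constructed IDA-style .map file, keeps only the lines whose segment number matches, and turns segment-relative offsets into absolute addresses with a base, in the spirit of the --relative and -b options. The map layout, the base address 0x800000 and the symbol names are assumptions; the emitted gdb commands use the same set $name and br *addr syntax as the gdbopts and flasher-script files on this page.

```python
import re

# Constructed sample of an IDA-style .map file (not a real dump). Segment 0001
# is the ROM segment we want; segment 0002 is a data segment that must be skipped.
SAMPLE_MAP = """\
 Start         Length     Name                   Class
 0001:00000000 000FFFFFH ROM                    CODE
 0002:00000000 00001000H RAM                    DATA

  Address         Publics by Value

 0001:00000120       flasher_entry
 0001:000009F4       loc_infinite_loop
 0002:00000010       ram_buffer
 0001:0000A294       firmware_updater
"""

# Matches "SSSS:OFFSET  name" publics lines only; the segment table lines have
# extra columns and therefore do not match, so they are skipped automatically.
SYMBOL_LINE = re.compile(r"^\s*(\d{4}):([0-9A-Fa-f]+)\s+(\S+)\s*$")


def parse_map(text, segment=1, base=0x800000, relative=True):
    """Return {name: address} for the publics found in the selected IDA segment.

    With relative=True the map offsets are taken as segment-relative and
    rebased onto `base` (assumed 0x800000 here, so 0x120 -> 0x800120);
    with relative=False the offsets are used as absolute addresses.
    """
    symbols = {}
    for line in text.splitlines():
        m = SYMBOL_LINE.match(line)
        if not m:
            continue
        seg = int(m.group(1))
        offset = int(m.group(2), 16)
        name = m.group(3)
        if seg != segment:          # this is the "correct segment" filter
            continue
        symbols[name] = base + offset if relative else offset
    return symbols


def gdb_script(symbols, break_at=()):
    """Render gdb commands: one convenience variable per symbol, sorted by
    address, followed by a breakpoint on each symbol named in break_at."""
    lines = [f"set ${name} = {addr:#x}"
             for name, addr in sorted(symbols.items(), key=lambda kv: kv[1])]
    lines += [f"br *{symbols[name]:#x}" for name in break_at]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Example run: emit a script that also breaks on the infinite loop symbol.
    syms = parse_map(SAMPLE_MAP)
    print(gdb_script(syms, break_at=("loc_infinite_loop",)))
```

The generated text can be appended to the gdbopts file, or sourced from gdb with source; breaking on a named symbol this way is the same as the br *0x8009f4 line above, just derived from the map instead of typed by hand.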

gdbopts file:

target remote localhost:1234
set language asm
layout asm
layout regs
focus cmd
symbol-file flasher.elf
# Break if we enter the infinite loop of death
br *0x8009f4

flasher-script file:

echo Jumping to firmware updater
set $pc = 0x80a294
set $r0 = 0xb00000
set $r1 = 0x22e100

# problem?
br *0x846744

Run gdb:

arm-elf-gdb -x gdbopts

See also