ARM + EOS Emulator

Started by g3gg0, September 24, 2012, 12:08:57 AM


g3gg0

well, I think I can make it public.

1. ready-to-run package

Quote
I added GDB stubs to my emulator.
What does this mean?
You can use IDA Pro to connect to the emulator and step through code using breakpoints, dumping memory etc etc.
Check the contents of the main routine at line 938 and make them fit your firmware.

1. start TriX
2. select your firmware image as input file
3. click on "Scripts" tab ("General", "Scripts", "Editor")
4. click the lens at the bottom, right of "Script" and the textbox
5. choose "armulate_shell_eos.trx"
6. click "Add" button at bottom
7. click "Start" in the top toolbar
8. a few register/disassembly windows pop up
9. arrange them that you see every window
10. in the main dialog again where it asks you "Your choice", below is a text box. enter the number "16" and press enter


then in IDA just connect to localhost, port 23946 using gdb as debugger interface.

before connecting: in "Debugger Setup", "Set specific options" you should set "Max packet size" to 512
and in same window under "Memory map" you have to insert (rightclick into the list) a new memory segment which
starts at 0x000000 and ends at 0xFFFFFFFE, base 0, 32 bit, read only. delete the old one, if one is defined.

enjoy :)

http://upload.g3gg0.de/pub_files/0e7cc977a512c2168003a4ceb0e82932/TriX_EOS.7z

2. do-it-all-yourself repository

1. get a SVN client (e.g. TortoiseSVN)
2. checkout http://svn.g3gg0.de/svn/default/trunk/nokia/TriX/  (user: trix, pass: trix)
3. get Visual Studio 2008 (v9.0)
4. get Qt SDK (e.g. i have v4.5.1) and build/install *
5. set environment variable QTDIR to your Qt-Dir (that contains bin, lib, include, tools, ...) *
6. open \platform\msvc\TriX.sln
7. rebuild all

* = if you cannot get the project "TriX" compiling because of Qt issues, but the plugins TriX_DisARM, TriX_ARMulate, TriX_HWemuEOS are building fine, then it is also okay.
the most important stuff for emulating canon firmware is in HWemuEOS anyway.
Help us with datasheets - Help us with register dumps
magic lantern: 1Magic9991E1eWbGvrsx186GovYCXFbppY, server expenses: [email protected]
ONLY donate for things we have done, not for things you expect!
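The IDA setup above is nothing more than a GDB remote-serial-protocol (RSP) client talking to the stub on port 23946, so anything that speaks RSP can drive the emulator, including a script, which matters if you do not own IDA. Below is an added example (not TriX/HWemuEOS code and not from the original post) of a minimal RSP client in Python: it frames and checksums packets, waits for the '+' ack, reads memory in chunks small enough to stay under the 512-byte "Max packet size" from the post, and writes the PC register the way the thread describes (r15 = 0xF8010000 for the normal firmware). The register layout (r0..r15 first, little-endian), the set of packets the stub answers, and the simulated FakeEosStub it runs against are assumptions made for this example; to use it against the real emulator, replace connect_fake() with GdbClient(socket.create_connection(("localhost", 23946))).

```python
"""Minimal GDB remote-serial-protocol (RSP) client of the kind IDA uses to talk to the emulator stub
on localhost:23946. Added example, not TriX/HWemuEOS code. Assumed: the stub answers 'g', 'm' and 'P'
packets and its 'g' reply starts with r0..r15 as 16 little-endian 32-bit words (GDB's ARM numbering).
FakeEosStub is a simulated stand-in, constructed here so the script runs offline."""
import binascii, socket, struct, threading

ARM_GP_REGS = 16   # r0..r12, sp, lr, pc

def rsp_frame(payload):
    """$<payload>#<xx>: checksum is the byte sum of the payload mod 256 as two hex digits."""
    return b"$" + payload + b"#%02x" % (sum(payload) & 0xFF)

def rsp_unframe(frame):
    """Strip the framing and verify the checksum; raise on a corrupt packet."""
    if not frame.startswith(b"$") or frame[-3:-2] != b"#":
        raise ValueError("malformed RSP frame: %r" % frame)
    body = frame[1:-3]
    if int(frame[-2:], 16) != sum(body) & 0xFF:
        raise ValueError("RSP checksum mismatch in %r" % frame)
    return body

def _recv_frame(sock):
    """Read one '$...#xx' frame byte by byte, skipping stray '+' acks ahead of it (no binary 'X' packets)."""
    buf = b""
    while True:
        c = sock.recv(1)
        if not c:
            raise ConnectionError("peer closed the connection")
        if buf or c == b"$":
            buf += c
        if b"#" in buf and len(buf) >= buf.index(b"#") + 3:
            return buf

class GdbClient:
    def __init__(self, sock):
        self.sock = sock
    def command(self, payload):
        """Send one packet, wait for the '+' ack, read and ack the reply, turn an 'Exx' reply into an exception."""
        self.sock.sendall(rsp_frame(payload))
        if self.sock.recv(1) != b"+":
            raise ConnectionError("stub did not ack %r" % payload)
        reply = rsp_unframe(_recv_frame(self.sock))
        self.sock.sendall(b"+")
        if len(reply) == 3 and reply.startswith(b"E"):
            raise RuntimeError("stub answered %s to %r" % (reply.decode(), payload))
        return reply
    def read_memory(self, addr, length):
        """'m addr,len', chunked so each hex-encoded reply stays under IDA's 512-byte "Max packet size"."""
        out, chunk = b"", (512 - 16) // 2
        while len(out) < length:
            n = min(chunk, length - len(out))
            out += binascii.unhexlify(self.command(b"m%x,%x" % (addr + len(out), n)))
        return out
    def read_registers(self):
        raw = binascii.unhexlify(self.command(b"g"))
        return list(struct.unpack("<%dI" % ARM_GP_REGS, raw[:4 * ARM_GP_REGS]))
    def write_register(self, regno, value):
        """'P regno=value' (little-endian hex); regno 15 is the PC, e.g. 0xF8010000 for the main firmware."""
        if self.command(b"P%x=%s" % (regno, binascii.hexlify(struct.pack("<I", value)))) != b"OK":
            raise RuntimeError("register write refused")

class FakeEosStub(threading.Thread):
    """Simulated stub: a flat memory window at `base` and 16 registers, with the PC starting at `base`."""
    def __init__(self, sock, base, mem):
        super().__init__(daemon=True)
        self.sock, self.base, self.mem = sock, base, bytes(mem)
        self.regs = [0] * (ARM_GP_REGS - 1) + [base]
    def run(self):
        try:
            while True:
                cmd = rsp_unframe(_recv_frame(self.sock))
                self.sock.sendall(b"+")
                self.sock.sendall(rsp_frame(self.handle(cmd)))
        except (ConnectionError, OSError):
            pass
    def handle(self, cmd):
        if cmd == b"g":
            return binascii.hexlify(struct.pack("<%dI" % ARM_GP_REGS, *self.regs))
        if cmd.startswith(b"m"):
            addr, length = (int(x, 16) for x in cmd[1:].split(b","))
            off = addr - self.base
            if not 0 <= off <= len(self.mem) - length:
                return b"E01"   # unmapped: the same symptom as a wrong memory-map entry in IDA
            return binascii.hexlify(self.mem[off:off + length])
        if cmd.startswith(b"P"):
            regno, val = cmd[1:].split(b"=")
            self.regs[int(regno, 16)] = struct.unpack("<I", binascii.unhexlify(val))[0]
            return b"OK"
        return b""   # empty reply = packet not supported

def connect_fake(base, mem):
    """Start a FakeEosStub on one end of a socketpair and return a GdbClient on the other."""
    client_sock, stub_sock = socket.socketpair()
    FakeEosStub(stub_sock, base, mem).start()
    return GdbClient(client_sock)

def demo():
    """Point the PC at the firmware, then read back the PC and the word it points at; returns (pc, word)."""
    base = 0xF8010000   # the PC value the post says to use for booting the normal firmware
    # Constructed 16-byte stand-in for ROM: MOV r0,r0; LDR pc,[pc,#0x18]; two data words.
    mem = struct.pack("<4I", 0xE1A00000, 0xE59FF018, 0xF85A1630, 0x00000001)
    gdb = connect_fake(base, mem)   # real emulator: GdbClient(socket.create_connection(("localhost", 23946)))
    gdb.write_register(15, base + 4)
    word = struct.unpack("<I", gdb.read_memory(base + 4, 4))[0]
    return gdb.read_registers()[15], word
```

An 'Exx' reply to an 'm' request is what a debugger sees when it asks for an address the stub does not map, which is why the post has you define one flat read-only segment from 0 to 0xFFFFFFFE in IDA's memory map: without it, IDA never asks and the disassembly shows nothing.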

jplxpto

Quote from: g3gg0 on September 24, 2012, 12:08:57 AM
well, it think i can make it public.

Thank you ... I opened your emulator and found it has a good presentation. Once I have time I will test it.

My antivirus says that the application can be dangerous! What features does your application have that make it say that?

Thank you.

g3gg0

uuh, well a lot :)
it is a patcher platform that is scriptable and has plugins.
so there are some techniques like loading DLLs into RAM by injecting them into the EXE etc.
that is for loading encrypted plugins, but it is not used here in this example.

I (ab)use my TriX to load an ARM emulator and an ARM disassembler plugin and control them with a script (.trx).
these scripts are C code that gets compiled dynamically.

it's open source too and also contains a plugin named HWemu_EOS which emulates the DIGiC behavior,
e.g. serial port, DMA timers and even flash chip emulation with reflashing etc.

g3gg0

and if you don't start the GDB stub with '17', but start execution normally ('8' (run until) then '0' (or any other address))
you will see the boot rom output in the terminal window.

it is waiting for input there. you can enter commands in this terminal window like testing audio ;)
but of course many things wont work. but it is helpful for testing how things work.
e.g. setting boot flags or PAL/NTSC parameters should work in this version as flash emulation is integrated.

pressing ctrl-c in terminal will break execution

jplxpto

Quote from: g3gg0 on September 24, 2012, 12:48:31 PM
and if you don't start the GDB stub with '17', but start execution normally ('8' (run until) then '0' (or any other address))
you will see the boot rom output in the terminal window.

it is waiting for input there. you can enter commands in this terminal window like testing audio ;)
but of course many things wont work. but it is helpful for testing how things work.
e.g. setting boot flags or PAL/NTSC parameters should work in this version as flash emulation is integrated.

pressing ctrl-c in terminal will break execution


I did a basic test and it worked :) I will test your emulator with GDB.

g3gg0

makes most sense with IDA pro :)

nanomad

Well, after trying the emulator I have to admit it's quite powerful. One question, how far in the firmware execution can you go?
EOS 1100D | EOS 650 (No, I didn't forget the D) | Ye Olde Canon EF Lenses ('87): 50 f/1.8 - 28 f/2.8 - 70-210 f/4 | EF-S 18-55 f/3.5-5.6 | Metz 36 AF-5

jplxpto

Quote from: g3gg0 on September 24, 2012, 03:39:53 PM
makes most sense with IDA pro :)

Yes, it's true! I agree with you, but it is too expensive for many of us :)
There are less expensive solutions like Eclipse CDT, DDD and Insight that should be sufficient for many of our tests.

g3gg0

Quote from: nanomad on September 24, 2012, 04:46:26 PM
Well, after trying the emulator I have to admit it's quite powerful. One question, how far in the firmware execution can you go?

thanks ;)
well, after patching one data word in flash (no idea why this was necessary) the OS booted and started tasks.
task switching worked, as I emulated the timer interrupt too.
not sure if this is still in the current version.

the patch I made is below.
it will not work anymore, since the flash data cannot simply be written with a SetWord due to the flash IC emulation.
best is to do this in the original flash image file :)
Quote
    // some timeout? set to 1 else debugmsg will fail :(
    SetWord(0xF85A1630, 1);

I got a lot of debug messages during boot.
can't find where I've stored the logs atm :)

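Since the flash IC emulation now refuses a SetWord() into flash, the patch has to go into the image file itself. Below is an added example (not TriX code and not from the post) of doing that in Python with the checks a firmware patch should have: it converts the memory address to a file offset from a load base you supply, refuses misaligned or out-of-range addresses, and compares the old word against an expected value so that a wrong base or a different firmware version is caught before anything is written. The load base, the 4 KiB image and the zero word at 0xF85A1630 used in demo() are constructed for this example and are not the 600D's real ROM layout; only the address and the new value 1 come from the post.

```python
"""Patch one 32-bit word in a firmware ROM image file, which the post says is the way to apply the
SetWord(0xF85A1630, 1) change now that flash writes are emulated. Added example, not TriX code.
Assumes a plain little-endian ARM ROM dump whose first byte sits at `load_base`; the base, image
and expected values in demo() are constructed for this example, not the real 600D layout."""
import struct
import sys

def rom_offset(load_base, image_len, addr):
    """File offset of the word at memory address `addr`, after the checks you want before writing."""
    if addr % 4:
        raise ValueError("address %#x is not word-aligned" % addr)
    off = addr - load_base
    if not 0 <= off <= image_len - 4:
        raise ValueError("address %#x is outside the image (base %#x, %d bytes)" % (addr, load_base, image_len))
    return off

def patch_word(image, load_base, addr, new_value, expect_old=None):
    """Return a copy of `image` with the word at `addr` replaced. If `expect_old` is given and the word
    there differs, refuse: a wrong base or a different firmware version shows up here, not as a bad patch."""
    off = rom_offset(load_base, len(image), addr)
    old = struct.unpack_from("<I", image, off)[0]
    if expect_old is not None and old != expect_old:
        raise ValueError("word at %#x is %#010x, expected %#010x (wrong base or firmware?)" % (addr, old, expect_old))
    out = bytearray(image)
    struct.pack_into("<I", out, off, new_value)
    return bytes(out)

def demo():
    """Apply the thread's 'set this word to 1' patch to a constructed image; returns (new, untouched, rejected)."""
    base, addr = 0xF85A1000, 0xF85A1630   # hypothetical 4 KiB window around the address from the post
    image = bytes(0x1000)                 # constructed all-zero stand-in for the ROM dump
    off = addr - base
    patched = patch_word(image, base, addr, 1, expect_old=0)
    new = struct.unpack_from("<I", patched, off)[0]
    untouched = patched[:off] == image[:off] and patched[off + 4:] == image[off + 4:]
    try:
        patch_word(image, base, addr, 1, expect_old=0xDEADBEEF)   # wrong expectation must be refused
        rejected = False
    except ValueError:
        rejected = True
    return new, untouched, rejected

if __name__ == "__main__":   # usage: patch_rom.py ROM.BIN <load_base> <addr> <new_value> [<expected_old>]
    path = sys.argv[1]
    base, addr, value = (int(a, 16) for a in sys.argv[2:5])
    expected = int(sys.argv[5], 16) if len(sys.argv) > 5 else None
    with open(path, "rb") as f:
        data = f.read()
    with open(path + ".patched", "wb") as f:   # never overwrite the original dump
        f.write(patch_word(data, base, addr, value, expected))
```

The script writes a sibling `.patched` file rather than modifying the dump in place, so the original image stays available for diffing and for re-running the emulator without the patch.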

nanomad

Uhm, weird. I'm loading the 600D bin you provided and it looks like it boots into some kind of factory mode for K286. It prints the first message then hangs
The last routine called is at 0xFFFF18F8

jplxpto

Quote from: nanomad on September 24, 2012, 06:47:00 PM
Uhm, weird. I'm loading the 600D bin you provided and it looks like it boots into some kind of factory mode for K286. It prints the first message then hangs
The last routine called is at 0xFFFF18F8

I think its very interesting tool, but this conversation starts to get out of the initial scope.
I suggest that you create another thread to discuss this issue. I'll join that conversation ..



g3gg0

Quote from: nanomad on September 24, 2012, 06:47:00 PM
Uhm, weird. I'm loading the 600D bin you provided and it looks like it boots into some kind of factory mode for K286. It prints the first message then hangs
The last routine called is at 0xFFFF18F8

press enter in the "Terminal" window ;)

you are booting the bootloader.
to boot normal firmware, modify the .trx file or set the PC (register 15) manually to 0xf8010000

jplxpto

I liked knowing that my original post has given rise to this thread. I think this topic is very interesting and will give much to talk about.

jplxpto


'Script is not signed correctly.'

This message appears. What does that mean?

jplxpto

g3gg0 you're my hero!

Now I could see the service menu of the 600D. My congratulations!
You work very well! The port of the 7D is a good example! ... The IDx debugger is beautiful ;)

K286 System & Display Check & Adjustment program has started.

********** FACTORY ADJUSTMENT MENU VER 0.01 **********
0. Exit from Factory Adjustment
1. Leak Check
2. SDRAM Check
3. ROM Check
4. HDMI Implementation Check
5. Video Adjustment
6. ICU Version Check
7. Audio Implementation Check
8. Adjustment Data Display and Change
9. Check Flag Display and Initialization
D. Debug Command
A. ALL Check
B. ALL Check without Unique
Y. Input Unique
Z. Input_Device_Unique
CheckPro> 2
--- Start SDRAM access check ---
Data Bus Test.
Write Address : 0x04000000
Write Address : 0x04000000
NG
--- Finish ---

jplxpto

I do not know why, but it does not work with the 40D v1.1.1 dump. I start to debug step by step, and from one moment to another memory seems to be all '0' and 'arm' throws an exception ... invalid instruction.

The problem occurs in:

FF8100C0  LDR PC, =rom_cstart_FF8100DC

g3gg0

are you sure about all the addresses?
sure that there is a valid instruction at that address? (try setting PC manually there)

can you upload the firmware file (http://upload.g3gg0.de/) and tell me the start address?

jplxpto

Yes, I made a mistake. I edited the EOS .trx file and then got into debugging the 40D .fir.

I did not understand some things in the .trx file very well, but I could see some things working.

I would greatly appreciate your help in redirecting messages to your emulator's console.

Together we will surely get there ... This simple but powerful tool can help a lot in the port of the 40D camera.

In a few hours I'll send you some files :)


Thank you

1%

Input device unique? Is that the serial?

jplxpto

Quote from: 1% on September 25, 2012, 09:19:25 PM
Input device unique? Is that the serial.

The USB port is also available. It would be excellent to redirect the debug logs and the serial console to your emulator.
I think you did it with the 600D camera.

jplxpto

Quote from: g3gg0 on September 25, 2012, 07:57:28 PM
are you sure about all the addresses?
sure that at the address is a valid instruction (try setting PC manually there)

can you upload the firmware file (http://upload.g3gg0.de/) and tell me the start address?


I've sent you some files ...


g3gg0

using this ARMulate plugin:
http://upload.g3gg0.de/pub_files/94598913edfe93f9c9b556a1f02bf925/TriX_ARMulate.txp

and this HWEmuEOS plugin:
http://upload.g3gg0.de/pub_files/2770e0e87a7c7a8ac36e441e072cfdda/TriX_HWemuEOS.txp

you should get a bit further.
it might lock somewhere in CF code.
if you tell me some 0xC0... registers, how they should behave, i can implement this.

but you still should be able to boot the ROMUTIL.
simply execute until 0xFFFF0320 (using '8', 'FFFF0320') then skip that one BL instruction that
executes FROMUTIL (this causes the emulator to hang with some output on the terminal)

simply continue execution at FFFF0324 and you get the ROMUTIL asking you what to do ;)