[Qemu-devel] MIPS emulation

[Qemu-devel] MIPS emulation

[Luke -Jr]

Is it possible to just emulate a MIPS CPU without any kind of ELF 
loader/BIOS/boot process, ideally letting me watch/debug the instruction flow 	
and registers?

Thanks,

Luke

Re: [Qemu-devel] MIPS emulation

[Luke -Jr]

On Friday 27 June 2008, Luke -Jr wrote:
> Is it possible to just emulate a MIPS CPU without any kind of ELF
> loader/BIOS/boot process, ideally letting me watch/debug the instruction
> flow and registers?

In particular, I get this log output when I try to boot a flash image:

cpu_mips_handle_mmu_fault pc bfc00000 ad bfc00000 rw 2 mmu_idx 0 smmu 1
cpu_mips_handle_mmu_fault address=bfc00000 ret 0 physical 1fc00000 prot 3
do_raise_exception_err: 15 0
do_interrupt enter: PC bfc00000 EPC 00000000 instruction bus error exception
do_interrupt: PC bfc00380 EPC bfc00000 cause 6
    S 00400006 C 00000418 A 00000000 D 00000000
do_raise_exception_err: 15 0
do_interrupt enter: PC bfc00380 EPC bfc00000 instruction bus error exception
do_interrupt: PC bfc00380 EPC bfc00000 cause 6
    S 00400006 C 00000418 A 00000000 D 00000000

Re: [Qemu-devel] MIPS emulation

[Thiemo Seufer]

Luke -Jr wrote:
> On Friday 27 June 2008, Luke -Jr wrote:
> > Is it possible to just emulate a MIPS CPU without any kind of ELF
> > loader/BIOS/boot process, ideally letting me watch/debug the instruction
> > flow and registers?
>
> In particular, I get this log output when I try to boot a flash image:
> 
> cpu_mips_handle_mmu_fault pc bfc00000 ad bfc00000 rw 2 mmu_idx 0 smmu 1
> cpu_mips_handle_mmu_fault address=bfc00000 ret 0 physical 1fc00000 prot 3
> do_raise_exception_err: 15 0
> do_interrupt enter: PC bfc00000 EPC 00000000 instruction bus error exception
> do_interrupt: PC bfc00380 EPC bfc00000 cause 6
>     S 00400006 C 00000418 A 00000000 D 00000000
> do_raise_exception_err: 15 0
> do_interrupt enter: PC bfc00380 EPC bfc00000 instruction bus error exception
> do_interrupt: PC bfc00380 EPC bfc00000 cause 6
>     S 00400006 C 00000418 A 00000000 D 00000000

An "instruction bus error" means Qemu wasn't able to fetch an instruction
from address 0xbfc00000, which should correspond to the very begin of
your flash image. This looks like your Qemu build is broken for some
reason. Did you build with gcc4, per chance?


Thiemo

Re: [Qemu-devel] MIPS emulation

[Luke -Jr]

On Saturday 28 June 2008, Thiemo Seufer wrote:
> Luke -Jr wrote:
> > On Friday 27 June 2008, Luke -Jr wrote:
> > > Is it possible to just emulate a MIPS CPU without any kind of ELF
> > > loader/BIOS/boot process, ideally letting me watch/debug the
> > > instruction flow and registers?
> >
> > In particular, I get this log output when I try to boot a flash image:
> >
> > cpu_mips_handle_mmu_fault pc bfc00000 ad bfc00000 rw 2 mmu_idx 0 smmu 1
> > cpu_mips_handle_mmu_fault address=bfc00000 ret 0 physical 1fc00000 prot 3
> > do_raise_exception_err: 15 0
> > do_interrupt enter: PC bfc00000 EPC 00000000 instruction bus error
> > exception do_interrupt: PC bfc00380 EPC bfc00000 cause 6
> >     S 00400006 C 00000418 A 00000000 D 00000000
> > do_raise_exception_err: 15 0
> > do_interrupt enter: PC bfc00380 EPC bfc00000 instruction bus error
> > exception do_interrupt: PC bfc00380 EPC bfc00000 cause 6
> >     S 00400006 C 00000418 A 00000000 D 00000000
>
> An "instruction bus error" means Qemu wasn't able to fetch an instruction
> from address 0xbfc00000, which should correspond to the very begin of
> your flash image. This looks like your Qemu build is broken for some
> reason. Did you build with gcc4, per chance?

No, I installed it with Gentoo, which forces manual GCC 3 selection.
Specifically, app-emulation/qemu-softmmu-0.9.1-r3 with USE='alsa gnutls kqemu 
sdl'

Re: [Qemu-devel] MIPS emulation

[Luke -Jr]

On Saturday 28 June 2008, Thiemo Seufer wrote:
> Luke -Jr wrote:
> > On Friday 27 June 2008, Luke -Jr wrote:
> > > Is it possible to just emulate a MIPS CPU without any kind of ELF
> > > loader/BIOS/boot process, ideally letting me watch/debug the
> > > instruction flow and registers?
> >
> > In particular, I get this log output when I try to boot a flash image:
> >
> > cpu_mips_handle_mmu_fault pc bfc00000 ad bfc00000 rw 2 mmu_idx 0 smmu 1
> > cpu_mips_handle_mmu_fault address=bfc00000 ret 0 physical 1fc00000 prot 3
> > do_raise_exception_err: 15 0
> > do_interrupt enter: PC bfc00000 EPC 00000000 instruction bus error
> > exception do_interrupt: PC bfc00380 EPC bfc00000 cause 6
> >     S 00400006 C 00000418 A 00000000 D 00000000
> > do_raise_exception_err: 15 0
> > do_interrupt enter: PC bfc00380 EPC bfc00000 instruction bus error
> > exception do_interrupt: PC bfc00380 EPC bfc00000 cause 6
> >     S 00400006 C 00000418 A 00000000 D 00000000
>
> An "instruction bus error" means Qemu wasn't able to fetch an instruction
> from address 0xbfc00000, which should correspond to the very begin of
> your flash image. This looks like your Qemu build is broken for some
> reason. Did you build with gcc4, per chance?

Just tried and got this same thing with a vanilla checkout of trunk compiled 
with GCC 3.4.6...

Re: [Qemu-devel] MIPS emulation

[Thiemo Seufer]

Luke -Jr wrote:
> On Saturday 28 June 2008, Thiemo Seufer wrote:
> > Luke -Jr wrote:
> > > On Friday 27 June 2008, Luke -Jr wrote:
> > > > Is it possible to just emulate a MIPS CPU without any kind of ELF
> > > > loader/BIOS/boot process, ideally letting me watch/debug the
> > > > instruction flow and registers?
> > >
> > > In particular, I get this log output when I try to boot a flash image:
> > >
> > > cpu_mips_handle_mmu_fault pc bfc00000 ad bfc00000 rw 2 mmu_idx 0 smmu 1
> > > cpu_mips_handle_mmu_fault address=bfc00000 ret 0 physical 1fc00000 prot 3
> > > do_raise_exception_err: 15 0
> > > do_interrupt enter: PC bfc00000 EPC 00000000 instruction bus error
> > > exception do_interrupt: PC bfc00380 EPC bfc00000 cause 6
> > >     S 00400006 C 00000418 A 00000000 D 00000000
> > > do_raise_exception_err: 15 0
> > > do_interrupt enter: PC bfc00380 EPC bfc00000 instruction bus error
> > > exception do_interrupt: PC bfc00380 EPC bfc00000 cause 6
> > >     S 00400006 C 00000418 A 00000000 D 00000000
> >
> > An "instruction bus error" means Qemu wasn't able to fetch an instruction
> > from address 0xbfc00000, which should correspond to the very begin of
> > your flash image. This looks like your Qemu build is broken for some
> > reason. Did you build with gcc4, per chance?
> 
> Just tried and got this same thing with a vanilla checkout of trunk compiled 
> with GCC 3.4.6...

Well, the -pflash option works well enough for me to execute the first
instructions of a YAMON or redboot image. I figure you'll have to chase
this down yourself with the help of gdb. (The IBE is triggered by the
do_unassigned_access call in exec-all.h:get_phys_addr_code.)


Thiemo

Re: [Qemu-devel] MIPS emulation

[Luke -Jr]

On Thursday 03 July 2008, Thiemo Seufer wrote:
> Luke -Jr wrote:
> > On Saturday 28 June 2008, Thiemo Seufer wrote:
> > > Luke -Jr wrote:
> > > > On Friday 27 June 2008, Luke -Jr wrote:
> > > > > Is it possible to just emulate a MIPS CPU without any kind of ELF
> > > > > loader/BIOS/boot process, ideally letting me watch/debug the
> > > > > instruction flow and registers?
> > > >
> > > > In particular, I get this log output when I try to boot a flash
> > > > image:
> > > >
> > > > cpu_mips_handle_mmu_fault pc bfc00000 ad bfc00000 rw 2 mmu_idx 0 smmu
> > > > 1 cpu_mips_handle_mmu_fault address=bfc00000 ret 0 physical 1fc00000
> > > > prot 3 do_raise_exception_err: 15 0
> > > > do_interrupt enter: PC bfc00000 EPC 00000000 instruction bus error
> > > > exception do_interrupt: PC bfc00380 EPC bfc00000 cause 6
> > > >     S 00400006 C 00000418 A 00000000 D 00000000
> > > > do_raise_exception_err: 15 0
> > > > do_interrupt enter: PC bfc00380 EPC bfc00000 instruction bus error
> > > > exception do_interrupt: PC bfc00380 EPC bfc00000 cause 6
> > > >     S 00400006 C 00000418 A 00000000 D 00000000
> > >
> > > An "instruction bus error" means Qemu wasn't able to fetch an
> > > instruction from address 0xbfc00000, which should correspond to the
> > > very begin of your flash image. This looks like your Qemu build is
> > > broken for some reason. Did you build with gcc4, per chance?
> >
> > Just tried and got this same thing with a vanilla checkout of trunk
> > compiled with GCC 3.4.6...
>
> Well, the -pflash option works well enough for me to execute the first
> instructions of a YAMON or redboot image.

-pflash does appear to do a bit better! Strange that -mtdblock doesn't... 
wouldn't that be the most common interface? :/

Re: [Qemu-devel] MIPS emulation

[Luke -Jr]

[-- Attachment #1: Type: text/plain, Size: 172 bytes --]

I've attached a log of my qemu session... it gives the same results I expected 
from manual disassembly. Does anyone have any clues as to why this works on 
real hardware?

[-- Attachment #2: qemu.log --]
[-- Type: text/x-log, Size: 11309 bytes --]

cpu_mips_handle_mmu_fault pc bfc00000 ad bfc00000 rw 2 mmu_idx 0 smmu 1
cpu_mips_handle_mmu_fault address=bfc00000 ret 0 physical 1fc00000 prot 3
------------------------------------------------
pc=0xbfc00000 HI=0x08428ec4 LO=0x08428ed4 ds 0010 00000000 0
GPR00: r0 00000000 at 00000000 v0 00000000 v1 00000000
GPR04: a0 00000000 a1 00000000 a2 00000000 a3 00000000
GPR08: t0 00000000 t1 00000000 t2 00000000 t3 00000000
GPR12: t4 00000000 t5 00000000 t6 00000000 t7 00000000
GPR16: s0 00000000 s1 00000000 s2 00000000 s3 00000000
GPR20: s4 00000000 s5 00000000 s6 00000000 s7 00000000
GPR24: t8 00000000 t9 00000000 k0 00000000 k1 00000000
GPR28: gp 00000000 sp 00000000 s8 00000000 ra 00000000
CP0 Status  0x00400004 Cause   0x00000400 EPC    0x00000000
    Config0 0x80008482 Config1 0x9e190c8b LLAddr 0x00000000
IN: 
0xbfc00000:  j	0xbfc00010
0xbfc00004:  nop

---------------- 2 00000010
------------------------------------------------
pc=0xbfc00010 HI=0x08428ec4 LO=0x08428ed4 ds 0010 00000000 0
GPR00: r0 00000000 at 00000000 v0 00000000 v1 00000000
GPR04: a0 00000000 a1 00000000 a2 00000000 a3 00000000
GPR08: t0 00000000 t1 00000000 t2 00000000 t3 00000000
GPR12: t4 00000000 t5 00000000 t6 00000000 t7 00000000
GPR16: s0 00000000 s1 00000000 s2 00000000 s3 00000000
GPR20: s4 00000000 s5 00000000 s6 00000000 s7 00000000
GPR24: t8 00000000 t9 00000000 k0 00000000 k1 00000000
GPR28: gp 00000000 sp 00000000 s8 00000000 ra 00000000
CP0 Status  0x00400004 Cause   0x00000400 EPC    0x00000000
    Config0 0x80008482 Config1 0x9e190c8b LLAddr 0x00000000
IN: 
0xbfc00010:  j	0xbfc00410
0xbfc00014:  nop

---------------- 2 00000010
------------------------------------------------
pc=0xbfc00410 HI=0x08428ec4 LO=0x08428ed4 ds 0010 00000000 0
GPR00: r0 00000000 at 00000000 v0 00000000 v1 00000000
GPR04: a0 00000000 a1 00000000 a2 00000000 a3 00000000
GPR08: t0 00000000 t1 00000000 t2 00000000 t3 00000000
GPR12: t4 00000000 t5 00000000 t6 00000000 t7 00000000
GPR16: s0 00000000 s1 00000000 s2 00000000 s3 00000000
GPR20: s4 00000000 s5 00000000 s6 00000000 s7 00000000
GPR24: t8 00000000 t9 00000000 k0 00000000 k1 00000000
GPR28: gp 00000000 sp 00000000 s8 00000000 ra 00000000
CP0 Status  0x00400004 Cause   0x00000400 EPC    0x00000000
    Config0 0x80008482 Config1 0x9e190c8b LLAddr 0x00000000
IN: 
0xbfc00410:  lui	t0,0x40
0xbfc00414:  mtc0	t0,$12

---------------- 3 00000010
Status 00400004 (00000000) => 00400000 (00000000) Cause 00000400
------------------------------------------------
pc=0xbfc00418 HI=0x08428ec4 LO=0x08428ed4 ds 0090 00000000 0
GPR00: r0 00000000 at 00000000 v0 00000000 v1 00000000
GPR04: a0 00000000 a1 00000000 a2 00000000 a3 00000000
GPR08: t0 00400000 t1 00000000 t2 00000000 t3 00000000
GPR12: t4 00000000 t5 00000000 t6 00000000 t7 00000000
GPR16: s0 00000000 s1 00000000 s2 00000000 s3 00000000
GPR20: s4 00000000 s5 00000000 s6 00000000 s7 00000000
GPR24: t8 00000000 t9 00000000 k0 00000000 k1 00000000
GPR28: gp 00000000 sp 00000000 s8 00000000 ra 00000000
CP0 Status  0x00400000 Cause   0x00000400 EPC    0x00000000
    Config0 0x80008482 Config1 0x9e190c8b LLAddr 0x00000000
IN: 
0xbfc00418:  mtc0	zero,$13

---------------- 1 00000090
------------------------------------------------
pc=0xbfc0041c HI=0x08428ec4 LO=0x08428ed4 ds 0090 00000000 0
GPR00: r0 00000000 at 00000000 v0 00000000 v1 00000000
GPR04: a0 00000000 a1 00000000 a2 00000000 a3 00000000
GPR08: t0 00400000 t1 00000000 t2 00000000 t3 00000000
GPR12: t4 00000000 t5 00000000 t6 00000000 t7 00000000
GPR16: s0 00000000 s1 00000000 s2 00000000 s3 00000000
GPR20: s4 00000000 s5 00000000 s6 00000000 s7 00000000
GPR24: t8 00000000 t9 00000000 k0 00000000 k1 00000000
GPR28: gp 00000000 sp 00000000 s8 00000000 ra 00000000
CP0 Status  0x00400000 Cause   0x00000400 EPC    0x00000000
    Config0 0x80008482 Config1 0x9e190c8b LLAddr 0x00000000
IN: 
0xbfc0041c:  lui	t0,0x9fc0
0xbfc00420:  addiu	t0,t0,1076
0xbfc00424:  lui	t9,0xa000
0xbfc00428:  or	t0,t0,t9
0xbfc0042c:  jr	t0
0xbfc00430:  nop

---------------- 2 00000090
------------------------------------------------
pc=0xbfc00434 HI=0x08428ec4 LO=0x08428ed4 ds 0090 bfc00434 0
GPR00: r0 00000000 at 00000000 v0 00000000 v1 00000000
GPR04: a0 00000000 a1 00000000 a2 00000000 a3 00000000
GPR08: t0 bfc00434 t1 00000000 t2 00000000 t3 00000000
GPR12: t4 00000000 t5 00000000 t6 00000000 t7 00000000
GPR16: s0 00000000 s1 00000000 s2 00000000 s3 00000000
GPR20: s4 00000000 s5 00000000 s6 00000000 s7 00000000
GPR24: t8 00000000 t9 a0000000 k0 00000000 k1 00000000
GPR28: gp 00000000 sp 00000000 s8 00000000 ra 00000000
CP0 Status  0x00400000 Cause   0x00000400 EPC    0x00000000
    Config0 0x80008482 Config1 0x9e190c8b LLAddr 0x00000000
IN: 
0xbfc00434:  jal	0xbfc008bc
0xbfc00438:  nop

---------------- 2 00000090
------------------------------------------------
pc=0xbfc008bc HI=0x08428ec4 LO=0x08428ed4 ds 0090 bfc00434 0
GPR00: r0 00000000 at 00000000 v0 00000000 v1 00000000
GPR04: a0 00000000 a1 00000000 a2 00000000 a3 00000000
GPR08: t0 bfc00434 t1 00000000 t2 00000000 t3 00000000
GPR12: t4 00000000 t5 00000000 t6 00000000 t7 00000000
GPR16: s0 00000000 s1 00000000 s2 00000000 s3 00000000
GPR20: s4 00000000 s5 00000000 s6 00000000 s7 00000000
GPR24: t8 00000000 t9 a0000000 k0 00000000 k1 00000000
GPR28: gp 00000000 sp 00000000 s8 00000000 ra bfc0043c
CP0 Status  0x00400000 Cause   0x00000400 EPC    0x00000000
    Config0 0x80008482 Config1 0x9e190c8b LLAddr 0x00000000
IN: 
0xbfc008bc:  move	s0,ra
0xbfc008c0:  lui	k1,0x9fc0
0xbfc008c4:  addiu	k1,k1,32
0xbfc008c8:  or	k1,k1,t9
0xbfc008cc:  lw	k0,0(k1)
0xbfc008d0:  beqz	k0,0xbfc0095c
0xbfc008d4:  nop

---------------- 2 00000090
------------------------------------------------
pc=0xbfc008d8 HI=0x08428ec4 LO=0x08428ed4 ds 0090 bfc00434 0
GPR00: r0 00000000 at 00000000 v0 00000000 v1 00000000
GPR04: a0 00000000 a1 00000000 a2 00000000 a3 00000000
GPR08: t0 bfc00434 t1 00000000 t2 00000000 t3 00000000
GPR12: t4 00000000 t5 00000000 t6 00000000 t7 00000000
GPR16: s0 bfc0043c s1 00000000 s2 00000000 s3 00000000
GPR20: s4 00000000 s5 00000000 s6 00000000 s7 00000000
GPR24: t8 00000000 t9 a0000000 k0 9fc00050 k1 bfc00020
GPR28: gp 00000000 sp 00000000 s8 00000000 ra bfc0043c
CP0 Status  0x00400000 Cause   0x00000400 EPC    0x00000000
    Config0 0x80008482 Config1 0x9e190c8b LLAddr 0x00000000
IN: 
0xbfc008d8:  or	k0,k0,t9
0xbfc008dc:  lhu	a0,0(k0)
0xbfc008e0:  lw	t0,8(k0)
0xbfc008e4:  lw	a1,0(t0)
0xbfc008e8:  lw	t1,20(k0)
0xbfc008ec:  lw	a2,4(k0)
0xbfc008f0:  or	t1,t1,t9
0xbfc008f4:  jalr	t1
0xbfc008f8:  nop

---------------- 2 00000090
cpu_mips_handle_mmu_fault pc bfc008d8 ad 9fc00398 rw 0 mmu_idx 0 smmu 1
cpu_mips_handle_mmu_fault address=9fc00398 ret 0 physical 1fc00398 prot 3
cpu_mips_handle_mmu_fault pc bfc008d8 ad bfc00064 rw 0 mmu_idx 0 smmu 1
cpu_mips_handle_mmu_fault address=bfc00064 ret 0 physical 1fc00064 prot 3
------------------------------------------------
pc=0xbfc0096c HI=0x08428ec4 LO=0x08428ed4 ds 0090 bfc0096c 0
GPR00: r0 00000000 at 00000000 v0 00000000 v1 00000000
GPR04: a0 00003351 a1 fffe0000 a2 80a0f0ff a3 00000000
GPR08: t0 9fc00398 t1 bfc0096c t2 00000000 t3 00000000
GPR12: t4 00000000 t5 00000000 t6 00000000 t7 00000000
GPR16: s0 bfc0043c s1 00000000 s2 00000000 s3 00000000
GPR20: s4 00000000 s5 00000000 s6 00000000 s7 00000000
GPR24: t8 00000000 t9 a0000000 k0 bfc00050 k1 bfc00020
GPR28: gp 00000000 sp 00000000 s8 00000000 ra bfc008fc
CP0 Status  0x00400000 Cause   0x00000400 EPC    0x00000000
    Config0 0x80008482 Config1 0x9e190c8b LLAddr 0x00000000
IN: 
0xbfc0096c:  lhu	t0,0(a1)
0xbfc00970:  bne	t0,a0,0xbfc009c4
0xbfc00974:  nop

---------------- 2 00000090
cpu_mips_handle_mmu_fault pc bfc0096c ad fffe0000 rw 0 mmu_idx 0 smmu 1
cpu_mips_handle_mmu_fault address=fffe0000 ret -2 physical b7ceca12 prot 138223624
search pc 1
------------------------------------------------
pc=0xbfc0096c HI=0x08428ec4 LO=0x08428ed4 ds 0090 bfc0096c 0
GPR00: r0 00000000 at 00000000 v0 00000000 v1 00000000
GPR04: a0 00003351 a1 fffe0000 a2 80a0f0ff a3 00000000
GPR08: t0 9fc00398 t1 bfc0096c t2 00000000 t3 00000000
GPR12: t4 00000000 t5 00000000 t6 00000000 t7 00000000
GPR16: s0 bfc0043c s1 00000000 s2 00000000 s3 00000000
GPR20: s4 00000000 s5 00000000 s6 00000000 s7 00000000
GPR24: t8 00000000 t9 a0000000 k0 bfc00050 k1 bfc00020
GPR28: gp 00000000 sp 00000000 s8 00000000 ra bfc008fc
CP0 Status  0x00400000 Cause   0x00000400 EPC    0x00000000
    Config0 0x80008482 Config1 0x9e190c8b LLAddr 0x00000000
IN: 
0xbfc0096c:  lhu	t0,0(a1)
0xbfc00970:  bne	t0,a0,0xbfc009c4
0xbfc00974:  nop

---------------- 2 00000090
do_raise_exception_err: 26 1
do_interrupt enter: PC bfc0096c EPC 00000000 TLB load exception
do_interrupt: PC bfc00200 EPC bfc0096c cause 2
    S 00400002 C 00000408 A fffe0000 D 00000000
------------------------------------------------
pc=0xbfc00200 HI=0x08428ec4 LO=0x08428ed4 ds 0098 bfc0096c 0
GPR00: r0 00000000 at 00000000 v0 00000000 v1 00000000
GPR04: a0 00003351 a1 fffe0000 a2 80a0f0ff a3 00000000
GPR08: t0 9fc00398 t1 bfc0096c t2 00000000 t3 00000000
GPR12: t4 00000000 t5 00000000 t6 00000000 t7 00000000
GPR16: s0 bfc0043c s1 00000000 s2 00000000 s3 00000000
GPR20: s4 00000000 s5 00000000 s6 00000000 s7 00000000
GPR24: t8 00000000 t9 a0000000 k0 bfc00050 k1 bfc00020
GPR28: gp 00000000 sp 00000000 s8 00000000 ra bfc008fc
CP0 Status  0x00400002 Cause   0x00000408 EPC    0xbfc0096c
    Config0 0x80008482 Config1 0x9e190c8b LLAddr 0x00000000
IN: 
0xbfc00200:  lwu	zero,984(s8)
0xbfc00204:  0x1ab3f00
0xbfc00208:  lwu	zero,2412(s8)
0xbfc0020c:  lwu	zero,2512(s8)
0xbfc00210:  lwu	zero,2684(s8)
0xbfc00214:  alni.ob	$f23,$f6,$f1,1
0xbfc00218:  lwu	zero,3404(s8)
0xbfc0021c:  lwu	zero,3008(s8)
0xbfc00220:  lwu	zero,3120(s8)
0xbfc00224:  lwu	zero,4124(s8)
0xbfc00228:  nop
0xbfc0022c:  ll	zero,0(zero)
0xbfc00230:  nop
0xbfc00234:  j	0xb8180004
0xbfc00238:  lwu	zero,3496(s8)

---------------- 2 00000098
do_raise_exception_err: 20 0
do_interrupt enter: PC bfc00200 EPC bfc0096c reserved instruction exception
do_interrupt: PC bfc00380 EPC bfc0096c cause 10
    S 00400002 C 00000428 A fffe0000 D 00000000
------------------------------------------------
pc=0xbfc00380 HI=0x08428ec4 LO=0x08428ed4 ds 0098 bfc0096c 0
GPR00: r0 00000000 at 00000000 v0 00000000 v1 00000000
GPR04: a0 00003351 a1 fffe0000 a2 80a0f0ff a3 00000000
GPR08: t0 9fc00398 t1 bfc0096c t2 00000000 t3 00000000
GPR12: t4 00000000 t5 00000000 t6 00000000 t7 00000000
GPR16: s0 bfc0043c s1 00000000 s2 00000000 s3 00000000
GPR20: s4 00000000 s5 00000000 s6 00000000 s7 00000000
GPR24: t8 00000000 t9 a0000000 k0 bfc00050 k1 bfc00020
GPR28: gp 00000000 sp 00000000 s8 00000000 ra bfc008fc
CP0 Status  0x00400002 Cause   0x00000428 EPC    0xbfc0096c
    Config0 0x80008482 Config1 0x9e190c8b LLAddr 0x00000000
IN: 
0xbfc00380:  nop
0xbfc00384:  j	0xb8180004
0xbfc00388:  lwu	zero,3496(s8)

---------------- 2 00000098
do_raise_exception_err: 20 0
do_interrupt enter: PC bfc00388 EPC bfc0096c reserved instruction exception
do_interrupt: PC bfc00380 EPC bfc0096c cause 10
    S 00400002 C 00000428 A fffe0000 D 00000000
do_raise_exception_err: 20 0
do_interrupt enter: PC bfc00388 EPC bfc0096c reserved instruction exception
do_interrupt: PC bfc00380 EPC bfc0096c cause 10
    S 00400002 C 00000428 A fffe0000 D 00000000

Re: [Qemu-devel] MIPS emulation

[Thiemo Seufer]

Luke -Jr wrote:
> I've attached a log of my qemu session... it gives the same results I expected 
> from manual disassembly. Does anyone have any clues as to why this works on 
> real hardware?

[snip]
> cpu_mips_handle_mmu_fault pc bfc008d8 ad 9fc00398 rw 0 mmu_idx 0 smmu 1
> cpu_mips_handle_mmu_fault address=9fc00398 ret 0 physical 1fc00398 prot 3
> cpu_mips_handle_mmu_fault pc bfc008d8 ad bfc00064 rw 0 mmu_idx 0 smmu 1
> cpu_mips_handle_mmu_fault address=bfc00064 ret 0 physical 1fc00064 prot 3
> ------------------------------------------------
> pc=0xbfc0096c HI=0x08428ec4 LO=0x08428ed4 ds 0090 bfc0096c 0
> GPR00: r0 00000000 at 00000000 v0 00000000 v1 00000000
> GPR04: a0 00003351 a1 fffe0000 a2 80a0f0ff a3 00000000
> GPR08: t0 9fc00398 t1 bfc0096c t2 00000000 t3 00000000
> GPR12: t4 00000000 t5 00000000 t6 00000000 t7 00000000
> GPR16: s0 bfc0043c s1 00000000 s2 00000000 s3 00000000
> GPR20: s4 00000000 s5 00000000 s6 00000000 s7 00000000
> GPR24: t8 00000000 t9 a0000000 k0 bfc00050 k1 bfc00020
> GPR28: gp 00000000 sp 00000000 s8 00000000 ra bfc008fc
> CP0 Status  0x00400000 Cause   0x00000400 EPC    0x00000000
>     Config0 0x80008482 Config1 0x9e190c8b LLAddr 0x00000000
> IN: 
> 0xbfc0096c:  lhu	t0,0(a1)
> 0xbfc00970:  bne	t0,a0,0xbfc009c4
> 0xbfc00974:  nop
> 
> ---------------- 2 00000090
> cpu_mips_handle_mmu_fault pc bfc0096c ad fffe0000 rw 0 mmu_idx 0 smmu 1
> cpu_mips_handle_mmu_fault address=fffe0000 ret -2 physical b7ceca12 prot 138223624
> search pc 1

Apparently it wants to read from 0xfffe0000, which is IIRC the EJTAG
address space. EJTAG debugging isn't implemented in Qemu. The address
space is reserved, therefore...

> ------------------------------------------------
> pc=0xbfc0096c HI=0x08428ec4 LO=0x08428ed4 ds 0090 bfc0096c 0
> GPR00: r0 00000000 at 00000000 v0 00000000 v1 00000000
> GPR04: a0 00003351 a1 fffe0000 a2 80a0f0ff a3 00000000
> GPR08: t0 9fc00398 t1 bfc0096c t2 00000000 t3 00000000
> GPR12: t4 00000000 t5 00000000 t6 00000000 t7 00000000
> GPR16: s0 bfc0043c s1 00000000 s2 00000000 s3 00000000
> GPR20: s4 00000000 s5 00000000 s6 00000000 s7 00000000
> GPR24: t8 00000000 t9 a0000000 k0 bfc00050 k1 bfc00020
> GPR28: gp 00000000 sp 00000000 s8 00000000 ra bfc008fc
> CP0 Status  0x00400000 Cause   0x00000400 EPC    0x00000000
>     Config0 0x80008482 Config1 0x9e190c8b LLAddr 0x00000000
> IN: 
> 0xbfc0096c:  lhu	t0,0(a1)
> 0xbfc00970:  bne	t0,a0,0xbfc009c4
> 0xbfc00974:  nop
> 
> ---------------- 2 00000090
> do_raise_exception_err: 26 1
> do_interrupt enter: PC bfc0096c EPC 00000000 TLB load exception

... a TLB exception occurs ...

> do_interrupt: PC bfc00200 EPC bfc0096c cause 2
>     S 00400002 C 00000408 A fffe0000 D 00000000
> ------------------------------------------------
> pc=0xbfc00200 HI=0x08428ec4 LO=0x08428ed4 ds 0098 bfc0096c 0
> GPR00: r0 00000000 at 00000000 v0 00000000 v1 00000000
> GPR04: a0 00003351 a1 fffe0000 a2 80a0f0ff a3 00000000
> GPR08: t0 9fc00398 t1 bfc0096c t2 00000000 t3 00000000
> GPR12: t4 00000000 t5 00000000 t6 00000000 t7 00000000
> GPR16: s0 bfc0043c s1 00000000 s2 00000000 s3 00000000
> GPR20: s4 00000000 s5 00000000 s6 00000000 s7 00000000
> GPR24: t8 00000000 t9 a0000000 k0 bfc00050 k1 bfc00020
> GPR28: gp 00000000 sp 00000000 s8 00000000 ra bfc008fc
> CP0 Status  0x00400002 Cause   0x00000408 EPC    0xbfc0096c
>     Config0 0x80008482 Config1 0x9e190c8b LLAddr 0x00000000
> IN: 
> 0xbfc00200:  lwu	zero,984(s8)
> 0xbfc00204:  0x1ab3f00
> 0xbfc00208:  lwu	zero,2412(s8)
> 0xbfc0020c:  lwu	zero,2512(s8)
> 0xbfc00210:  lwu	zero,2684(s8)
> 0xbfc00214:  alni.ob	$f23,$f6,$f1,1
> 0xbfc00218:  lwu	zero,3404(s8)
> 0xbfc0021c:  lwu	zero,3008(s8)
> 0xbfc00220:  lwu	zero,3120(s8)
> 0xbfc00224:  lwu	zero,4124(s8)
> 0xbfc00228:  nop
> 0xbfc0022c:  ll	zero,0(zero)
> 0xbfc00230:  nop
> 0xbfc00234:  j	0xb8180004
> 0xbfc00238:  lwu	zero,3496(s8)
> 
> ---------------- 2 00000098
> do_raise_exception_err: 20 0
> do_interrupt enter: PC bfc00200 EPC bfc0096c reserved instruction exception

... which finally kills it because the firmware doesn't handle TLB
exceptions that early in the boot process (when the BEV bit is still set).


Thiemo

Re: [Qemu-devel] MIPS emulation

[Luke -Jr]

On Saturday 05 July 2008, Thiemo Seufer wrote:
> Apparently it wants to read from 0xfffe0000, which is IIRC the EJTAG
> address space. EJTAG debugging isn't implemented in Qemu.

Could you recommend any resources relating to EJTAG so I can nop-out that code 
and move on to more important things? ;)

Re: [Qemu-devel] MIPS emulation

[Luke -Jr]

On Sunday 06 July 2008, Luke -Jr wrote:
> On Saturday 05 July 2008, Thiemo Seufer wrote:
> > Apparently it wants to read from 0xfffe0000, which is IIRC the EJTAG
> > address space. EJTAG debugging isn't implemented in Qemu.
>
> Could you recommend any resources relating to EJTAG so I can nop-out that
> code and move on to more important things? ;)

Specifically, the part relating to 0xfffe0000;
everything I've found so far states that EJTAG uses 0xff200000 to 0xff3fffff.

Thanks,

Luke

Re: [Qemu-devel] MIPS emulation

[Luke -Jr]

On Sunday 06 July 2008, Luke -Jr wrote:
> Specifically, the part relating to 0xfffe0000;

According to
https://dev.openwrt.org/cgi-bin/trac.fcgi/browser/trunk/target/linux/brcm63xx/files/include/asm-mips/mach-bcm963xx/6338_map_part.h
it looks like 0xfffe0000 is some kind of SoC control.

I've thrown together a simple (~500 lines of C) MIPS emulator implementing 
parts of this as needed to boot the bootloader, at least enough to get some 
serial output with the chip model info.

Would it be complex to add support for this to qemu instead?

[Qemu-devel] mapping devices to 0xfffe0000+

[Luke -Jr]

How can I register a serial Uart on 0xfffe0300, and some custom code on 
0xfffe0000? If I modify serial_io[0] to be 0xfffe0300, qemu segfaults. :(