Idea: Use Qemu to simulate the hardware of the M800 for developing new software and to find out more about existing firmware.

Prepare Qemu

There is support for the S3C2440 in the mini2440 project (http://code.google.com/p/mini2440/). Add support for the X800 with the patch file (see attachment):

git clone git://repo.or.cz/qemu/mini2440.git
cd mini2440
git apply < /path/to/qemu_glofiish.diff
./configure --target-list=arm-softmmu
make

Qemu without GDB

  • Get a dump file (for an X800 bootloader dump file, read this: http://eten-users.eu/index.php?showtopic=17387)
  • Start qemu:
    qemu-system-arm -M glofiish -mtdblock BDL_X800_03_LB_01_090320.bin -serial null -serial null -serial stdio TEST
    
    • TEST is only an empty file. Create it with "touch TEST"
    • With the "-serial" options the output of UART2 is piped to stdio
    • Note: if you don't want the LCD, start it with "-nographic"

Qemu with GDB

  • Get a dump file (for an X800 bootloader dump file, read this: http://eten-users.eu/index.php?showtopic=17387)
  • Create an ELF file from the dump as described here: http://chdk.wikia.com/wiki/Gpl_Disassembling
    • Example:
      arm-elf-objcopy --change-addresses=0x33f00000 -I binary -O elf32-littlearm -B arm usbdl.bin usbdl.elf
      arm-elf-objcopy --set-section-flags .data=code,load,alloc,content usbdl.elf
      
  • Start qemu:
    qemu-system-arm -nographic -M glofiish -mtdblock dump.bin -serial null -serial null -serial stdio TEST -S -s
    
    • TEST is only an empty file. Create it with "touch TEST"
    • With the "-serial" options the output of UART2 is piped to stdio
  • Start gdb
    arm-elf-gdb -x opts
    
    • with the file "opts" containing:
      target remote localhost:1234
      set language asm
      layout asm
      layout regs
      focus cmd
      symbol-file dump.elf
      
  • Use gdb to step through the code. Helpful commands:
    • Step with "ni"
    • Set a breakpoint at an address with "break *adr" (e.g. "break *0x818") and continue the program with "c"
    • Quit with "quit"

Experience

  • Currently this is more an experiment than a working tool
  • With the described process it is possible to run the X800 bootloader dump file
    • Output to UART2 is printed out to stdio:
      [X800 Booter]
      Build Date: May 14 2007
      Total ??MB DRAM
      Run Loader...
      
      [X600 Loader Ver 1.00] (Apr 04 2007 )
      Total 0x08000000 Bytes
      Waiting...End
      Loading... USB Downloader
      NF_Init complete.
      
      Jump to image...
      Begin to initialize cGraphics...
      Begin to initialize NFlash...
      Begin to initialize ISR...
      Begin to initialize Timer...
      Begin to initialize Lcd...
      Run VGA PANEL
      CS high - In 
      CS high - Out 
      SCL high - In 
      SCL high - Out 
      Begin to initialize Backlight...
      rGPCDAT=4c0
      rGPCCON=aa9516a9
      rGPDDAT=0
      rGPDCON=aa81aaa5
      
      +--------------------------------------------------------------+
      | USB Downloader Ver B05 0019a (Mar 28 2007 11:26:01) |
      +--------------------------------------------------------------+
      64MB DRAM, FCLK=499MHz, DMA mode
      CPI ID = 32440001
      Flash ID=ecaa
      Flash Capacity=256MB.
      SdmmcInit
      SdmmcHandler
      Card_Detect 0x2201
      Debug -> 0x0
      No Card In!!!
      GPS initial to upgrade mode.
      Begin to initialize USB Device...
      USB host is not connected yet.
      
    • LCD works! Output on LCD:
      USB Downloader 0019a
      Flash Capacity=256MB
      USB Downloader Ready.
      USB host is not connected yet.
      
    • Hey.. wow.. press enter on stdio (serial console) and you get this:
      ###### Select Menu ######
       [0] Download & Run
       [1] Download Only
       [2] Whole Flash Erase EXCEPT BDL
       [3] Program NAND Flash (TC58256 - 32MB NAND)
       [4] NAND Flash MTBF Read Test
       [5] Dump Flash
      
       [D] Load & Program [Demand Page BIN]
       [B] Load & Program [Boot Loader    ]
       [U] Load & Program [USB Down Loader]
       [E] Load & Program [EBoot          ]
       [T] Load & Program [Test Program   ]
       [M] Load & Program [Main OS Image  ]
       [O] Load & Program [OEM Files      ]
       [G] GPS Factory Reset
       [R] Watch Dog Reset
      
       [7] Launch Test Program
       [8] Launch PocketPC 2003
       [9] Launch EBoot
      Waiting a command:
      
  • If you launch the test program (aka knight) you can enter the number of the test you want to run to start that test (input through the emulated touchscreen does not really work)

  • Initial bootloader: the RAM size is not recognized correctly (the initial bootloader seems to probe the RAM banks to determine the size; not implemented in Qemu?)
  • Initial bootloader: copies ROM content 0x1000-0x2000 into RAM at 0x33fa0000 and jumps to that RAM address
  • Initial bootloader: the program at RAM 0x33fa0000 copies 128 kByte starting from ROM 0x20000 to RAM 0x33f00000 and jumps to that RAM address
  • USB Downloader: Starts at RAM 0x33f00000
  • Knight Test Program: Starts at RAM 0x30000000
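Added example (not code from the original page): a Python helper that applies the memory layout listed above. It carves the two relocated stages out of a bootloader dump at the ROM offsets given, emits the objcopy steps from the GDB section with the right load address per stage, and translates ROM offsets into the RAM addresses a gdb breakpoint needs once the code has been copied. The stage names, the output file names and the add-symbol-file lines are assumptions, not from the page.

```python
from typing import Dict, List, Optional, Tuple

# Stage table derived from the boot flow described above:
# (name, ROM offset, length in bytes, RAM address the code is copied to).
# The names "stage1" and "usbdl" are assumptions, used for the output files.
STAGES: Tuple[Tuple[str, int, int, int], ...] = (
    ("stage1", 0x1000, 0x1000, 0x33FA0000),      # ROM 0x1000-0x2000 -> RAM 0x33fa0000
    ("usbdl", 0x20000, 128 * 1024, 0x33F00000),  # 128 KiB from ROM 0x20000 -> RAM 0x33f00000
)

def carve(dump: bytes) -> Dict[str, Tuple[int, bytes]]:
    """Return {name: (ram_address, image_bytes)} for every relocated stage.
    A dump that is too short is rejected instead of silently carving a
    truncated image that gdb would then load at the wrong size."""
    out: Dict[str, Tuple[int, bytes]] = {}
    for name, rom_off, length, ram in STAGES:
        if rom_off + length > len(dump):
            raise ValueError(f"{name}: dump too short for ROM 0x{rom_off:x}+0x{length:x}")
        out[name] = (ram, dump[rom_off:rom_off + length])
    return out

def rom_to_ram(rom_off: int) -> Optional[int]:
    """Map a ROM offset to the RAM address the same bytes execute from.
    None means the code runs in place, e.g. below 0x1000, where the
    "break *0x818" from the gdb notes above applies unchanged."""
    for _, start, length, ram in STAGES:
        if start <= rom_off < start + length:
            return ram + (rom_off - start)
    return None

def objcopy_cmds(name: str, ram: int) -> List[str]:
    """The two objcopy steps from the GDB section, parameterised per stage."""
    return [
        f"arm-elf-objcopy --change-addresses=0x{ram:x} -I binary "
        f"-O elf32-littlearm -B arm {name}.bin {name}.elf",
        f"arm-elf-objcopy --set-section-flags .data=code,load,alloc,content {name}.elf",
    ]

def gdb_symbol_lines(stages: Dict[str, Tuple[int, bytes]]) -> List[str]:
    """gdb commands that load each stage ELF at its RAM address (for the opts file)."""
    return [f"add-symbol-file {name}.elf 0x{ram:x}" for name, (ram, _) in stages.items()]

def carve_file(dump_path: str) -> List[str]:
    """Write <name>.bin per stage; return the objcopy and gdb lines to run next."""
    with open(dump_path, "rb") as f:
        stages = carve(f.read())
    for name, (_, img) in stages.items():
        with open(f"{name}.bin", "wb") as f:
            f.write(img)
    return [c for n, (r, _) in stages.items() for c in objcopy_cmds(n, r)] + gdb_symbol_lines(stages)
```

Run carve_file on the dump, execute the printed objcopy lines, and append the add-symbol-file lines to the opts file so gdb resolves addresses in the relocated stages.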

Attachments