Getting Started

From SerialICE
Jump to: navigation, search

First Steps With SerialICE

Connect the target to your computer. Figure out the serial port that you can use to talk to it. Relative to the qemu directory in the SerialICE tree, call

$ cd SerialICE/simba
$ ln -sf ../../qemu-0.15.x/i386-softmmu/qemu
$ ./qemu -M serialice -serialice /dev/ttyUSB0 -singlestep -bios /your/bios/image > logfile.txt

This assumes that /dev/ttyUSB0 is your serial port. Replace as appropriate. You'll get a logfile.txt something like this:

SerialICE: Open connection to target hardware...
SerialICE: Waiting for handshake with target... target alive!
SerialICE: Version.....: SerialICE v1.5 (Feb 19 2013)
SerialICE: Mainboard...: Commell LV-672
SerialICE: LUA init...
SerialICE: LUA init...
SerialICE: Starting LUA script
SerialICE: LUA script initialized.
Registering physical memory at 0xffdf8000 (0x00008000 bytes)
VNC server running on `127.0.0.1:5900'
0000.0001    R.Q.    [ffff000:fff0]   MEM:  readb fffffff0 => e9
0000.0002    R.Q.    [ffff000:fff0]   MEM:  readw fffffff1 => f00d
0003.0004    RH..    [ffff000:f006]   IO: outb 0080 <= 01
0003.0005    R.Q.    [ffff000:f018]   MEM:  readl fffff04e => 00000000
0003.0006    R.Q.    [ffff000:f01c]   MEM:  readw fffff01d => f044
0003.0007    R.Q.    [ffff000:f021]   MEM:  readl fffff046 => fffff054
0003.0008    R.Q.    [ffff000:f029]   MEM:  readl fffff02b => 7ffaffd1
0003.0009    R.Q.    [ffff000:f02f]   MEM:  readl fffff031 => 60000001
0003.000a    R.Q.    [ffff000:f038]   MEM:  readb fffff038 => 66
0003.000b    R.Q.    [ffff000:f03b]   MEM:  readl fffff03d => fffff07b
0003.000c    R.Q.    [ffff000:f03b]   MEM:  readw fffff041 => 0008
0003.000d    RH..    [0000:fffff07f]   IO: outb 0080 <= 10
0003.000e    R.Q.    [0000:fffff081]   MEM:  readw fffff083 => 0010
0003.000f    R.Q.    [0000:fffff096]   MEM:  readl fffff097 => 00000200
0003.0010    R.Q.    [0000:fffff0a4]   MEM:  readl fffff0a5 => 0000001b
0011.0012    RH.U    [0000:fffff0a9]   CPU MSR: [0000001b] => 00000000.fee00900
0011.0013    R.Q.    [0000:fffff0b4]   MEM:  readl fffff0b5 => 8000f8dc
0011.0014    R.Q.    [0000:fffff0b9]   MEM:  readw fffff0bb => 0cf8
0016.0017    RH..    [0000:fffff0bd]   IO: outl 0cf8 <= 8000f8dc
0016.0018    RH..    [0000:fffff0c2]   IO:  inb 0cfc => 00
0016.0019    R.Q.    [0000:fffff0d0]   MEM:  readl fffff0d1 => 8000f8dc
0016.001a    R.Q.    [0000:fffff0d5]   MEM:  readw fffff0d7 => 0cf8
001b.001c    RH..    [0000:fffff0d9]   IO: outl 0cf8 <= 8000f8dc
001b.001d    RH..    [0000:fffff0e2]   IO: outb 0cfc <= 08
001b.001e    R.Q.    [0000:fffff0e8]   MEM:  readl fffff0e9 => fffff0ef
001b.001f    R.Q.    [0000:fffff105]   MEM:  readl fffff106 => fffffffc
001b.0020    R.Q.    [0000:fffff10a]   MEM:  readl ffffefe8 => 00000800
001b.0021    R.Q.    [0000:fffff11d]   MEM:  readl fffff11e => 00000000
001b.0022    R.Q.    [0000:fffff130]   MEM:  readl fff80000 => 4352414c
001b.0023    R.Q.    [0000:fffff132]   MEM:  readl fffff1b2 => 4352414c
001b.0024    R.Q.    [0000:fffff13d]   MEM:  readl fffff13f => fffff1b6
001b.0025    R.Q.    [0000:fffff13d]   MEM:  readl fffff1b6 => 45564948
001b.0026    R.Q.    [0000:fff8006c]   MEM:  readl fff80056 => fff80054
001b.0027    R.Q.    [0000:fff80074]   MEM:  readl fff80075 => fff8007b
001b.0028    R.Q.    [0000:fff80074]   MEM:  readw fff80079 => 0008
0029.002a    RH..    [0000:fff8007f]   IO: outb 0080 <= 10
0029.002b    R.Q.    [0000:fff80081]   MEM:  readw fff80083 => 0010
0029.002c    RH..    [0000:fff800b1]   IO: outb 0080 <= 20
002d.002e    RH.U    [0000:fff800b8]   CPU MSR: [0000001b] => 00000000.fee00900
002d.002f    R.Q.    [0000:fff800ba]   MEM:  readl fff800bb => 00000100
002d.0030    R.Q.    [0000:fff800bf]   MEM:  readl fff800c1 => 00000158
002d.0031    R.Q.    [0000:fff800c5]   MEM:  readl fff800c6 => fff803fb
002d.0032    R.Q.    [0000:fff800ca]   MEM:  readl fff800cb => 0000001b
002d.0033    R.Q.    [0000:fff800d3]   MEM:  readw fff803fb => 0250

This is referred to as the raw logfile from qemu session. It usually shows more detail than you care to look at, so you will want to further process this through a replay script.

$ cat logfile.txt | lua replay.lua

The interesting part of the log is below, where loads from flash memory are hidden and PCI configuration access is translated. You can control the verbosity of the replayer with the parameters in user_env.lua file.

0003.0004    .H..    [ffff000:f006]   POST: *** 01 ***
0003.000d    .H..    [0000:fffff07f]   POST: *** 10 ***
0011.0012    RH.U    [0000:fffff0a9]   CPU MSR: [0000001b] => 00000000.fee00900
0016.0018    .H..    [0000:fffff0c2]   PCI: 0:1f.0 [0dc] => 00
001b.001d    .H..    [0000:fffff0e2]   PCI: 0:1f.0 [0dc] <= 08
0029.002a    .H..    [0000:fff8007f]   POST: *** 10 ***
0029.002c    .H..    [0000:fff800b1]   POST: *** 20 ***
002d.002e    RH.U    [0000:fff800b8]   CPU MSR: [0000001b] => 00000000.fee00900