cy384
Well-known member
Somewhat recently, QEMU support has been developed for the Quadra 800. This is great for a few reasons, but one that I think is uniquely useful is the debugging tools you can use with it. I was going to do a nice full tutorial, but sadly been too busy with work and other matters, so I hope this is enough of a start to be useful.
I won't go into the details of compiling/setting QEMU up, but it's not too hard and I think there are pre-built binaries for mac and windows now. Figure out your ROM, disk images, etc. as usual. Also, you'll need gdb with multiarch capabilities, on Ubuntu this is just the gdb-multiarch package.
My QEMU command line arguments are like so:
./qemu-system-m68k -gdb tcp::1234 -S -boot d -L pc-bios -M q800 -m 64 -bios ~/roms/mac/quadra650.rom -drive file=~/roms/mac/qemu-pram.bin,format=raw,if=mtd -device scsi-cd,scsi-id=3,drive=cd1,vendor="MATSHITA",product="CD-ROM CR-8005",ver="1.0k" -drive file=~/roms/mac/disk\ images/MacOS753.cdr,media=cdrom,if=none,id=cd1
Note specifically the addition of
-gdb tcp::1234 -S
which tells QEMU to not immediately start running, and to listen for a GDB connection on port 1234.

Next, run gdb-multiarch. Use
set architecture m68k
to set the architecture and
target remote localhost:1234
to connect to QEMU. From here, you're ready to do anything you want. Since I'm interested in ROM hacking, I can set a breakpoint at the start of the ROM code like
break * 0x4080000a
Then run
continue
to start execution.

For breakpoints, I'm using Ghidra to disassemble the ROM and find offsets (just add 0x40800000, which is the base address the ROM gets loaded at).
From here, you can do anything in GDB as usual. Single stepping, printing register state, memory values, breaking on writes to specific locations, and lots more. One neat QEMU debugging extra is recording and replaying emulator state, which lets you do "reverse debugging." Take a look at the QEMU and GDB docs for exact details.
In short, this is a very very useful tool especially for early stages of the ROM boot process, where it's hard to communicate any info through other means (I've been using it to mess with memory detection and configuration.)
(pinging @cheesestraws since they mentioned interest)
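As an added example (not part of the post above), a small POSIX shell helper that does the offset arithmetic from the post and writes the GDB command file for the connect/breakpoint steps, so the session can be reproduced with one gdb-multiarch invocation. It assumes QEMU was started with -gdb tcp::1234 -S as described, and that the ROM base address is 0x40800000 as the post states.

```shell
#!/bin/sh
# Added example, not from the original post.
# Converts Ghidra ROM-file offsets into the addresses QEMU's q800 machine
# maps the ROM at, and emits a GDB command file that automates the
# "set architecture / target remote / break / continue" steps.
# Assumptions: QEMU listening on tcp::1234, gdb-multiarch in PATH.

ROM_BASE=0x40800000   # base address the ROM gets loaded at (from the post)

# rom_addr OFFSET -> absolute load address of a ROM file offset
# e.g. rom_addr 0xa prints 0x4080000a (the ROM entry used in the post)
rom_addr() {
    printf '0x%08x\n' $(( $ROM_BASE + $1 ))
}

# gen_gdb_script OFFSET... -> GDB command file on stdout with one
# breakpoint per ROM offset, connecting to QEMU and running to the first hit
gen_gdb_script() {
    printf 'set architecture m68k\n'
    printf 'target remote localhost:1234\n'
    for off in "$@"; do
        printf 'break *%s\n' "$(rom_addr "$off")"
    done
    printf 'continue\n'
}

# Usage: gen_gdb_script 0xa 0x1234 > rom.gdb && gdb-multiarch -x rom.gdb
```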