Requirements:
1. IDA Pro 6.0 or above
2. qemu 0.14 or above installed
1. Open the full bios.rom image in IDA Pro.
2. Run the relocate script.
3. Place bios.rom, vgacirrus-bios.bin (from the qemu site), bios_name.idb and linux.img in the current folder.
4. Start qemu in debugging mode: "qemu -s -S -L . -m 256 -hda linux.img -localtime -M pc -nographic"
(-s enables the GDB stub and -S instructs QEMU to stop at system start, before the first instruction runs)
You can also add:
-parallel /dev/parportN (maps the virtual QEMU parallel port to your physical parallel port)
-serial pipe:filename (redirects serial output to filename as a pipe)
and play with the -acpitable, -smbios, -option-rom, -usbdevice and -device options (see man qemu).
QEMU will stop and wait for the debugger.
5. In IDA Pro, Debugger→Switch debugger, choose Remote GDB debugger.
Check "Stop on debugging start" and enable logging of all events. Check "Reconstruct the stack" and "Show debugger breakpoint instructions".
Then push the "Set specific options" button. In that dialog, set the packet size (-1 = infinite, which can sometimes crash qemu or IDA), disable "Software breakpoints at EIP+1" and enable "Use CS:IP in real mode".
Then push the "Memory map" button. In the memory map dialog, right click, choose "Insert" and add a MEMORY segment: start address 0xF0000, end address 0x100000, base address 0xF000, name (any you want), class CODE, 16-bit and RWX rights.
Save all.
You can also set up verbose tracing:
Debugger→Tracing→Tracing options: I usually choose to trace all events (because we are in the BIOS!) and save them all to the trace log file. "Trace over debugger segments" and "Trace over library functions" are disabled, because these options suppress a lot of tracing inside functions.
Then we can start the debugger (choose "Attach to process", because the BIOS is already running in qemu, stopped at the entry point).
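As an added example, not part of this wiki page: a small Python helper that checks the memory map segment values above for consistency and converts between the linear addresses the GDB stub reports and the CS:IP form IDA shows once "Use CS:IP in real mode" is enabled. The dictionary layout and function names are this example's own.

```python
# Added example, not from the wiki page: helpers for the 16-bit BIOS segment
# that the steps above insert into IDA's memory map. The segment values are
# the page's; the dictionary layout and function names are assumptions here.

BIOS_SEGMENT = {"start": 0xF0000, "end": 0x100000, "base": 0xF000}


def validate_segment(seg):
    """Return a list of problems with a real-mode segment entry (empty = OK).

    The checks follow x86 real-mode addressing: linear = (segment << 4) + offset,
    with a 16-bit offset, inside the first 1 MiB.
    """
    problems = []
    if (seg["base"] << 4) != seg["start"]:
        problems.append("base << 4 must equal the start address")
    if seg["end"] <= seg["start"]:
        problems.append("end must be above start")
    if seg["end"] - seg["start"] > 0x10000:
        problems.append("a 16-bit segment covers at most 64 KiB of offsets")
    if seg["end"] > 0x100000:
        problems.append("a real-mode segment must lie below 1 MiB")
    return problems


def linear_to_cs_ip(linear, seg=BIOS_SEGMENT):
    """Map a linear address reported by the GDB stub to (CS, IP) inside seg."""
    if not seg["start"] <= linear < seg["end"]:
        raise ValueError("0x%X is outside the segment" % linear)
    return seg["base"], linear - (seg["base"] << 4)


def cs_ip_to_linear(cs, ip):
    """Real-mode address translation: linear = CS * 16 + IP."""
    if not (0 <= cs <= 0xFFFF and 0 <= ip <= 0xFFFF):
        raise ValueError("CS and IP are 16-bit registers")
    return (cs << 4) + ip


def bios_entry_point():
    """The BIOS entry point as seen in the 1 MiB area: linear 0xFFFF0 = F000:FFF0."""
    return linear_to_cs_ip(0xFFFF0)
```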
I usually use the database notepad to save PCI, PnP and I/O port information about the BIOS platform (for example the output of lspci, dmesg, lsusb, dmidecode, etc.).