This is an old revision of the document!
1. IDA Pro 6.0 and above
2. installed qemu-1.4.0 and above
1. Open your all bios.rom image on IDA Pro.
2 Run relocate script
3. Place bios.rom, vgacirrus-bios.bin (from qemu site), bios_name.idb, linux.img in the current folder
4. Start qemu in debugging mode “qemu-system-i386 -s -S -L . -m 256 -hda linux.img -localtime -M pc -nographic”
(-s enables GDB stub and -S instructs QEMU to stop at the system start)
also you can :
-parallel /dev/parportN (this map virtual qemu parport to your phisical parallel port)
-serial pipe:filename (redirect serial output to the filename as pipe)
play with -acpitable , -smbios, -option-rom, -usbdevice, -device options… (see man qemu)
QEMU will stop and wait for the debugger.
5. In IDA Pro Debugger→Switch debugger choose Remote GDB debugger
Then push the “Set specific options” button, and see this dialog: Set packet size (-1 = infinite, that sometimes can crash qemu or IDA) Disable “Software breakpoints at EIP+1“ and enable “Use CS:IP in real mode” Then push the button “Memory map” and see this dialog: Then right click on the memory map choose “Insert” and add MEMORY segment: Choose start address 0xF0000, end address 0x100000, base address 0xF000, name (any you want), class CODE, 16-bit and RWX rights. Save all Also you can setup verbose tracing:
Debugger→Tracing→Tracing options: I’m usually choose trace all events (because we are in the BIOS!), and save all them to the trace log file. “Trace over debugger segments” and “Trace over library functions” are disabled, because these options disable a lot of tracing inside functions.
Then we can start debugger (we need choose “attach to the process” because we already have running bios, stopped at the entry point in the qemu)
1 Recognize pci_writes:
so, let this piece of code run: then go to the trace window and find value of eax in the out 0xCF8, eax line: as we can see eax=0x80003B60. It is 00:07.3 device register BAR2 Also. for example we want to know, all calls of WritePCI_SL function, and values which it write somewhere. This is very simple - just add breakpoint to this function: all calls we can see in the function calls window: As we can see, we need add meaningfull comments in the line, where we can see “jmp WritePCI_SL” , so we can see these comments in each line in the function calls window