1GXEMUL(1) BSD General Commands Manual GXEMUL(1)
2
4 gxemul — an experimental machine emulator
5
7 gxemul [machine, other, and general options] [file ...]
8 gxemul [general options] @configfile
9 gxemul [userland, other, and general options] file [args ...]
10
12 gxemul is an experimental instruction-level machine emulator. Several
13 emulation modes are available. In some modes, processors and surrounding
14 hardware components are emulated well enough to let unmodified operating
15 systems (e.g. NetBSD) run inside the emulator as if they were running on
16 a real machine.
17 Processors (ARM, MIPS, PowerPC, and SuperH) are emulated using dynamic
19 translation. However, unlike some other dynamically translating emula‐
20 tors, GXemul does not need to generate native code, only a "runnable
21 intermediate representation", and will thus run on any host architecture,
22 without the need to implement per-architecture backends.
23 The emulator can be invoked in the following ways:
25 1. When emulating a complete machine, configuration options can be sup‐
27 plied directly on the command line.
28 2. Options can be read from a configuration file.
30 3. When emulating a userland environment (syscall-only emulation, not
32 emulating complete machines), then the program name and its argument
33 should be given on the command line. (This mode is not really usable
34 yet.)
35 The easiest way to use the emulator is to supply settings directly on the
37 command line.
38 The most important thing you need to supply is the file argument. This is
40 the name of a binary file (an ELF, a.out, COFF/ECOFF, SREC, or a raw
41 binary image) which you wish to run in the emulator. This file might be
42 an operating system kernel, or perhaps a ROM image file. If more than
43 one filename is supplied, all files are loaded into memory, and the entry
44 point (if available) is taken from the last file.
45 Apart from the name of a binary file, you must also use the -E and/or -e
47 options to select which emulation mode to use. This is necessary because
48 the emulator cannot in general deduce this from the file being executed.
49 For example, a MIPS-based machine from DEC (a DECstation) is very differ‐
50 ent from a MIPS-based machine from SGI. Use gxemul -H to get a list of
51 available emulation modes.
52 There are three exceptions to the normal invocation usage mentioned
54 above.
55 1. For DECstation emulation, if you have a bootable DECstation harddisk
57 or CDROM image, then just supplying the diskimage via the -d option is
58 sufficient. The filename of the kernel can then be skipped, as the emula‐
59 tor runs the bootblocks from the diskimage directly and doesn't need the
60 kernel as a separate file.
61 2. If you supply an ISO9660 CDROM disk image, then using the -j option to
63 indicate a file on the CDROM filesystem to load is sufficient; no addi‐
64 tional kernel filename needs to be supplied on the command line.
65 3. For Dreamcast emulation, when booting e.g. a NetBSD/dreamcast CDROM
67 image, it is enough to supply the disk image (with the correct ISO parti‐
68 tion start offset). Bootblocks will be read directly from the CDROM
69 image, and there is no need to supply the name of an external kernel on
70 the command line.
71 Gzipped kernels are automatically unzipped, by calling the external gun‐
73 zip program, both when specifying a gzipped file directly on the command
74 line and when loading such a file using the -j option.
75 Machine selection options:
77 -E t Try to emulate machine type t. This option is not always needed,
79 if the -e option uniquely selects a machine. (Use -H to get a
80 list of types.)
81 -e st Try to emulate machine subtype st. Use this together with -E.
83 (This option is not always needed, if a machine type has no sub‐
84 types.)
85 Other options:
87 -C x Try to emulate a specific CPU type, x. This overrides the
89 default CPU type for the machine being emulated. (Use -H to get
90 a list of available CPU types.)
91 -d [modifiers:]filename
93 Add filename as a disk image. By adding one or more modifier
94 characters and then a colon (":") as a prefix to filename, you
95 can modify the way the disk image is treated. Available modifiers
96 are:
97 b Specifies that this is a boot device.
99 c CD-ROM.
101 d DISK (this is the default).
103 f FLOPPY.
105 gH;S; Override the default geometry; use H heads and S sectors-
107 per-track. (The number of cylinders is calculated auto‐
108 matically.)
109 i IDE. (This is the default for most machine types.)
111 oOFS; Set the base offset for an ISO9660 filesystem on a disk
113 image. The default is 0. A suitable offset when booting
114 from Dreamcast ISO9660 filesystem images, which are off‐
115 set by 11702 sectors, is 23965696.
116 r Read-only (don't allow changes to be written to the
118 file).
119 s SCSI.
121 t Tape.
123 V Add an overlay filename to an already defined disk image.
125 (A ID number must also be specified when this flag is
126 used. See the documentation for an example of how to use
127 overlays.)
128 0-7 Force a specific ID number.
130 For SCSI devices, the ID number is the SCSI ID. For IDE hard‐
132 disks, the ID number has the following meaning:
133 0 Primary master.
135 1 Primary slave.
137 2 Secondary master.
139 3 Secondary slave.
141 Unless otherwise specified, filenames ending with ".iso" or
143 ".cdr" are assumed to be CDROM images. Most others are assumed to
144 be disks. Depending on which machine is being emulated, the
145 default for disks can be either SCSI or IDE. Some disk images
146 that are very small are assumed to be floppy disks. (If you are
147 not happy with the way a disk image is detected, then you need to
148 use explicit prefixes to force a specific type.)
149 For floppies, the gH;S; prefix is ignored. Instead, the number of
151 heads and cylinders are assumed to be 2 and 80, respectively, and
152 the number of sectors per track is calculated automatically.
153 (This works for 720KB, 1.2MB, 1.44MB, and 2.88MB floppies.)
154 -I hz Set the main CPU's frequency to hz Hz. This option does not work
156 for all emulated machine modes. It affects the way count/compare
157 interrupts are faked to simulate emulated time = real world time.
158 If the guest operating system relies on RTC interrupts instead of
159 count/compare interrupts, then this option has no effect.
160 Setting the frequency to zero disables automatic synchronization
162 of emulated time vs real world time, and the count/compare system
163 runs at a fixed rate.
164 -i Enable instruction trace, i.e. display disassembly of each
166 instruction as it is being executed.
167 -J Disable instruction combinations in the dynamic translator.
169 -j n Set the name of the kernel to n. When booting from an ISO9660
171 filesystem, the emulator will try to boot using this file. (In
172 some emulation modes, eg. DECstation, this name is passed along
173 to the boot program. Useful names are "bsd" for OpenBSD/pmax,
174 "vmunix" for Ultrix, or "vmsprite" for Sprite.)
175 -M m Emulate m MBs of physical RAM. This overrides the default amount
177 of RAM for the selected machine type.
178 -N Display the number of executed instructions per second on aver‐
180 age, at regular intervals.
181 -n nr Set the number of processors in the machine, for SMP experiments.
183 Note 1: The emulator allocates quite a lot of virtual memory for
185 per-CPU translation tables. On 64-bit hosts, this is normally not
186 a problem. On 32-bit hosts, this can use up all available virtual
187 userspace memory. The solution is to either run the emulator on a
188 64-bit host, or limit the number of emulated CPUs to a reasonably
189 low number.
190 Note 2: SMP simulation is not working very well yet; multiple
192 processors are simulated, but synchronization between the proces‐
193 sors does not map very well to how real-world SMP systems work.
194 -O Force a "netboot" (tftp instead of disk), even when a disk image
196 is present (for DECstation, SGI, and ARC emulation).
197 -o arg Set the boot argument (mostly useful for DEC, ARC, or SGI emula‐
199 tion). Default arg for DEC is "-a", for ARC/SGI it is "-aN", and
200 for CATS it is "-A".
201 -p pc Add a breakpoint. pc can be a symbol, or a numeric value.
203 (Remember to use the "0x" prefix for hexadecimal values.)
204 -Q Disable the built-in (software-only) PROM emulation. This option
206 is useful for experimenting with running raw ROM images from real
207 machines. The default behaviour of the emulator is to "fake" cer‐
208 tain PROM calls used by guest operating systems (e.g. NetBSD), so
209 that no real PROM image is needed.
210 -R Use a random bootstrap cpu, instead of CPU nr 0. (This option is
212 only meaningful together with the -n option.)
213 -r Dump register contents for every executed instruction.
215 -S Initialize emulated RAM to random data, instead of zeroes. This
217 option is useful when trying to trigger bugs in a program that
218 occur because the program assumed that uninitialized memory con‐
219 tains zeros. (Use with care.)
220 -s flags:filename
222 Gather statistics based on the current emulated program counter
223 value, while the program executes. The statistics is actually
224 just a raw dump of all program counter values in sequence, suit‐
225 able for post-analysis with separate tools. Output is appended to
226 filename.
227 The flags should include one or more of the following type speci‐
229 fiers:
230 v Virtual. This means that the program counter value is
232 used.
233 p Physical. This means that the physical address of where
235 the program is actually running is used.
236 i Instruction call. This type of statistics gathering is
238 practically only useful during development of the emula‐
239 tor itself. The output is a list of addresses of instruc‐
240 tion call functions (ic->f), which after some post-pro‐
241 cessing can be used as a basis for deciding when to
242 implement instruction combinations.
243 The flags may also include the following optional modifiers:
245 d Disabled at startup.
247 o Overwrite the file, instead of appending to it.
249 Statistics gathering can be enabled/disabled at runtime by using
251 the "statistics_enabled = yes" and "statistics_enabled = no"
252 debugger commands.
253 When gathering instruction statistics using the -s option,
255 instruction combinations and native code generation are always
256 disabled (i.e. implicit -J and -B flags are added to the command
257 line).
258 -T Halt if the emulated program attempts to access non-existing mem‐
260 ory.
261 -t Show a trace tree of all function calls being made.
263 -U Enable slow_serial_interrupts_hack_for_linux.
265 -X Use X11. This option enables graphical framebuffers.
267 -x Open up new xterms for emulated serial ports. The default behav‐
269 iour is to open up xterms when using configuration files, or if
270 X11 is enabled. When starting up a simple emulation session with
271 settings directly on the command line, and neither -X nor -x is
272 used, then all output is confined to the terminal that gxemul
273 started in.
274 -Y n Scale down framebuffer windows by n x n times. This option is
276 useful when emulating a very large framebuffer, and the actual
277 display is of lower resolution. If n is negative, then there will
278 be no scaledown, but emulation of certain graphic controllers
279 will be scaled up by -n times instead. E.g. Using -2 with VGA
280 text mode emulation will result in 80x25 character cells rendered
281 in a 1280x800 window, instead of the normal resolution of
282 640x400.
283 -Z n Set the number of graphics cards, for emulating a dual-head or
285 tripple-head environment. (Only for DECstation emulation so far.)
286 -z disp
288 Add disp as an X11 display to use for framebuffers.
289 Userland options:
291 -u emul-mode
293 Userland-only (syscall) emulation. (Use -H to get a list of
294 available emulation modes.) Some (but not all) of the options
295 listed under Other options above can also be used with userland
296 emulation.
297 Note: Userland (syscall) emulation does not really work yet.
299 General options:
301 -b Enable native code generation at runtime. This is not really
303 implemented yet. Don't use it unless you know what you are doing.
304 It will most likely not work.
305 -B Disable native code generation at runtime. This is the default in
307 this release of GXemul.
308 -c cmd Add cmd as a command to run before starting the simulation. A
310 similar effect can be achieved by using the -V option, and enter‐
311 ing the commands manually.
312 -D Causes the emulator to skip a call to srandom(). This leads to
314 somewhat more deterministic behaviour than running without this
315 option. However, if the emulated machine has clocks or timer
316 interrupt sources, or if user interaction is taking place (e.g.
317 keyboard input at irregular intervals), then this option is mean‐
318 ingless.
319 -H Display a list of available CPU types, machine types, and user‐
321 land emulation modes. (Most of these don't work. Please read the
322 documentation included in the gxemul distribution for details on
323 which modes that actually work. Userland emulation is not
324 included in stable release builds, since it doesn't work yet.)
325 -h Display a list of all available command line options.
327 -k n Set the size of the dyntrans cache (per emulated CPU) to n MB.
329 The default size is 48 MB.
330 -K Force the single-step debugger to be entered at the end of a sim‐
332 ulation.
333 -q Quiet mode; this suppresses startup messages.
335 -V Start up in the single-step debugger, paused.
337 -v Increase verbosity (show more debug messages). This option can be
339 used multiple times.
340 Configuration file startup:
342 @ configfile
344 Start an emulation based on the contents of configfile.
345 For more information, please read the documentation in the doc/ subdirec‐
347 tory of the gxemul distribution.
348
350 The following command will start NetBSD/pmax on an emulated DECstation
351 5000/200 (3MAX):
352 gxemul -e 3max -d nbsd_pmax.img
354 nbsd_pmax.img should be a raw disk image containing a bootable Net‐
356 BSD/pmax filesystem.
357 The following command will start an emulation session based on settings
359 in the configuration file "mysession". The -v option tells gxemul to be
360 verbose.
361 gxemul -v @mysession
363 If you have compiled the small Hello World program mentioned in the
365 gxemul documentation, the following command will start up an emulated
366 test machine in "paused" mode:
367 gxemul -E testmips -V hello_mips
369 Paused mode means that you enter the interactive single-step debugger
371 directly at startup, instead of launching the Hello World program.
372 The paused mode is also what should be used when running "unknown" files
374 for the first time in the emulator. E.g. if you have a binary which you
375 think is some kind of MIPS ROM image, then you can try the following:
376 gxemul -vv -E baremips -V 0xbfc00000:image.raw
378 You can then use the single-stepping functionality of the built-in debug‐
380 ger to run the code in the ROM image, to see how it behaves. Based on
381 that, you can deduce what machine type it was actually from (the baremips
382 machine is not a real machine), and perhaps try again with another emula‐
383 tion mode.
384 In general, however, real ROM images require much more emulation detail
386 than GXemul provides, so they can usually not run.
387 Please read the documentation for more details.
389
391 There are many bugs. Some of the known bugs are mentioned in the TODO
392 file in the gxemul source distribution, some are marked as TODO in the
393 source code itself.
394 Userland (syscall-only) emulation, i.e. running a userland binary
396 directly without simulating an entire machine, doesn't really work yet.
397 gxemul is in general not cycle-accurate; it does not simulate individual
399 pipe-line stages or penalties caused by branch-prediction misses or cache
400 misses, so it cannot be used for accurate simulation of any actual real-
401 world processor.
402 gxemul is in general not timing-accurate. Many emulation modes try to
404 make the guest operating system's clock run at the same speed as the host
405 clock. However, the number of instructions executed per clock tick can
406 obviously vary, depending on the current CPU load on the host.
407
409 GXemul is Copyright (C) 2003-2007 Anders Gavare <anders@gavare.se>
410 See http://gavare.se/gxemul/ for more information. For other Copyright
412 messages, see the corresponding parts of the source code and/or documen‐
413 tation.
414BSD June 22, 2019 BSD