1GXEMUL(1) BSD General Commands Manual GXEMUL(1)
2
4 gxemul — an experimental framework for full-system machine emulation
5
7 gxemul [machine, other, and general options] [file ...]
8 gxemul [general options] @configfile
9 gxemul -H
10
12 gxemul is a framework for full-system computer architecture emulation.
13 Several processor architectures and machine types have been implemented.
14 It is working well enough to allow unmodified "guest" operating systems
15 (e.g. NetBSD) to run inside the emulator, as if they were running on real
16 hardware.
17 The emulator emulates (networks of) real machines. The machines may con‐
19 sist of ARM, MIPS, Motorola 88K, PowerPC, and SuperH processors, and var‐
20 ious surrounding hardware components such as framebuffers, busses, inter‐
21 rupt controllers, ethernet controllers, disk controllers, and serial port
22 controllers.
23
25 Please read the HTML documentation for more details on how to run spe‐
26 cific guest operating systems in the emulator.
27
29 The emulator can be invoked in the following ways:
30 1. When emulating a complete machine, configuration options can be sup‐
32 plied directly on the command line.
33 2. Options can be read from a configuration file.
35 The easiest way to use the emulator is to supply settings directly on the
37 command line.
38 The most important thing you need to supply is the file argument. This is
40 the name of a binary file (an ELF, a.out, COFF/ECOFF, SREC, or a raw bi‐
41 nary image) which you wish to run in the emulator. This file might be an
42 operating system kernel, or perhaps a ROM image file. If more than one
43 filename is supplied, all files are loaded into memory, and the entry
44 point (if available) is taken from the last file.
45 Apart from the name of a binary file, you must also use the -E and/or -e
47 options to select which emulation mode to use. This is necessary because
48 the emulator cannot in general deduce this from the file being executed.
49 For example, a MIPS-based machine from DEC (a DECstation) is very differ‐
50 ent from a MIPS-based machine from SGI. Use gxemul -H to get a list of
51 available emulation modes.
52 There are three exceptions to the normal invocation usage mentioned
54 above.
55 1. For DECstation emulation, if you have a bootable DECstation harddisk
57 or CDROM image, then just supplying the diskimage via the -d option is
58 sufficient. The filename of the kernel can then be skipped, as the emula‐
59 tor runs the bootblocks from the diskimage directly and doesn't need the
60 kernel as a separate file.
61 2. If you supply an ISO9660 CDROM disk image, then using the -j option to
63 indicate a file on the CDROM filesystem to load is sufficient; no addi‐
64 tional kernel filename needs to be supplied on the command line.
65 3. For Dreamcast emulation, when booting e.g. a NetBSD/dreamcast CDROM
67 image, it is enough to supply the disk image (with the correct ISO parti‐
68 tion start offset). Bootblocks will be read directly from the CDROM im‐
69 age, and there is no need to supply the name of an external kernel on the
70 command line.
71 Gzipped kernels are automatically unzipped, by calling the external gun‐
73 zip program, both when specifying a gzipped file directly on the command
74 line and when loading such a file using the -j option.
75 Machine selection options:
77 -E t Try to emulate machine type t. This option is not always needed,
79 if the -e option uniquely selects a machine. (Use -H to get a
80 list of types.)
81 -e st Try to emulate machine subtype st. Use this together with -E.
83 (This option is not always needed, if a machine type has no sub‐
84 types.)
85 Other options:
87 -C x Try to emulate a specific CPU type, x. This overrides the de‐
89 fault CPU type for the machine being emulated. (Use -H to get a
90 list of available CPU types.)
91 -d [modifiers:]filename
93 Add filename as a disk image. By adding one or more modifier
94 characters and then a colon (":") as a prefix to filename, you
95 can modify the way the disk image is treated. Available modifiers
96 are:
97 b Specifies that this is a boot device.
99 c CD-ROM.
101 d DISK (this is the default).
103 f FLOPPY.
105 gH;S; Override the default geometry; use H heads and S sectors-
107 per-track. (The number of cylinders is calculated auto‐
108 matically.)
109 i IDE.
111 oOFS; Set the base offset for an ISO9660 filesystem on a disk
113 image. The default is 0. A suitable offset when booting
114 from Dreamcast ISO9660 filesystem images, which are off‐
115 set by 11702 sectors, is 23965696.
116 r Read-only (don't allow changes to be written to the
118 file).
119 s SCSI.
121 t Tape.
123 V Add an overlay filename to an already defined disk image.
125 (A ID number must also be specified when this flag is
126 used. See the documentation for an example of how to use
127 overlays.)
128 0-7 Force a specific ID number.
130 For SCSI devices, the ID number is the SCSI ID. For IDE hard‐
132 disks, the ID number has the following meaning:
133 0 Primary master.
135 1 Primary slave.
137 2 Secondary master.
139 3 Secondary slave.
141 Unless otherwise specified, filenames ending with ".iso" or
143 ".cdr" are assumed to be CDROM images. Most others are assumed to
144 be disks. Depending on which machine is being emulated, the de‐
145 fault for disks can be either SCSI or IDE. Some disk images that
146 are very small are assumed to be floppy disks. (If you are not
147 happy with the way a disk image is detected, then you need to use
148 explicit prefixes to force a specific type.)
149 For floppies, the gH;S; prefix is ignored. Instead, the number of
151 heads and cylinders are assumed to be 2 and 80, respectively, and
152 the number of sectors per track is calculated automatically.
153 (This works for 720KB, 1.2MB, 1.44MB, and 2.88MB floppies.)
154 -I hz Set the main CPU's frequency to hz Hz. This option does not work
156 for all emulated machine modes. It affects the way count/compare
157 interrupts are faked to simulate emulated time = real world time.
158 If the guest operating system relies on RTC interrupts instead of
159 count/compare interrupts, then this option has no effect.
160 Setting the frequency to zero disables automatic synchronization
162 of emulated time vs real world time, and the count/compare system
163 runs at a fixed rate.
164 -i Enable instruction trace, i.e. display disassembly of each in‐
166 struction as it is being executed.
167 -J Disable instruction combinations in the dynamic translator.
169 -j n Set the name of the kernel to n. When booting from an ISO9660
171 filesystem, the emulator will try to boot using this file. (In
172 some emulation modes, eg. DECstation, this name is passed along
173 to the boot program. Useful names are "bsd" for OpenBSD/pmax,
174 "vmunix" for Ultrix, or "vmsprite" for Sprite.)
175 -M m Emulate m MBs of physical RAM. This overrides the default amount
177 of RAM for the selected machine type.
178 -N Display the number of executed instructions per second on aver‐
180 age, at regular intervals.
181 -n nr Set the number of processors in the machine, for SMP experiments.
183 Note 1: The emulator allocates quite a lot of virtual memory for
185 per-CPU translation tables. On 64-bit hosts, this is normally not
186 a problem. On 32-bit hosts, this can use up all available virtual
187 userspace memory. The solution is to either run the emulator on a
188 64-bit host, or limit the number of emulated CPUs to a reasonably
189 low number.
190 Note 2: SMP simulation is not working very well yet; multiple
192 processors are simulated, but synchronization between the proces‐
193 sors does not map very well to how real-world SMP systems work.
194 -O Force a "netboot" (tftp instead of disk), even when a disk image
196 is present (for DECstation, SGI, and ARC emulation).
197 -o arg Set the boot argument (mostly useful for DEC, ARC, or SGI emula‐
199 tion). Default arg for DEC is "-a", for ARC/SGI it is "-aN", and
200 for CATS it is "-A".
201 -p pc Add a breakpoint. pc can be a symbol, or a numeric value. (Re‐
203 member to use the "0x" prefix for hexadecimal values.)
204 -Q Disable the built-in (software-only) PROM emulation. This option
206 is useful for experimenting with running raw ROM images from real
207 machines. The default behaviour of the emulator is to "fake" cer‐
208 tain PROM calls used by guest operating systems (e.g. NetBSD), so
209 that no real PROM image is needed.
210 -R Use a random bootstrap cpu, instead of CPU nr 0. (This option is
212 only meaningful together with the -n option.)
213 -r Dump register contents for every executed instruction.
215 -S Initialize emulated RAM to random data, instead of zeroes. This
217 option is useful when trying to trigger bugs in a program that
218 occur because the program assumed that uninitialized memory con‐
219 tains zeros. (Use with care.)
220 -s flags:filename
222 Gather statistics based on the current emulated program counter
223 value, while the program executes. The statistics is actually
224 just a raw dump of all program counter values in sequence, suit‐
225 able for post-analysis with separate tools. Output is appended to
226 filename.
227 The flags should include one or more of the following type speci‐
229 fiers:
230 v Virtual. This means that the program counter value is
232 used.
233 p Physical. This means that the physical address of where
235 the program is actually running is used.
236 i Instruction call. This type of statistics gathering is
238 practically only useful during development of the emula‐
239 tor itself. The output is a list of addresses of instruc‐
240 tion call functions (ic->f), which after some post-pro‐
241 cessing can be used as a basis for deciding when to im‐
242 plement instruction combinations.
243 The flags may also include the following optional modifiers:
245 d Disabled at startup.
247 o Overwrite the file, instead of appending to it.
249 Statistics gathering can be enabled/disabled at runtime by using
251 the "statistics_enabled = yes" and "statistics_enabled = no" de‐
252 bugger commands.
253 When gathering instruction statistics using the -s option, in‐
255 struction combinations are always disabled (i.e. an implicit -J
256 flag is added to the command line).
257 -T Halt if the emulated program attempts to access non-existing mem‐
259 ory.
260 -t Show a trace tree of all function calls being made.
262 -U Enable slow_serial_interrupts_hack_for_linux.
264 -X Use X11. This option enables graphical framebuffers.
266 -x Open up new xterms for emulated serial ports. The default behav‐
268 iour is to open up xterms when using configuration files, or if
269 X11 is enabled. When starting up a simple emulation session with
270 settings directly on the command line, and neither -X nor -x is
271 used, then all output is confined to the terminal that gxemul
272 started in.
273 -Y n Scale down framebuffer windows by n x n times. This option is
275 useful when emulating a very large framebuffer, and the actual
276 display is of lower resolution. If n is negative, then there will
277 be no scaledown, but emulation of certain graphic controllers
278 will be scaled up by -n times instead. E.g. Using -2 with VGA
279 text mode emulation will result in 80x25 character cells rendered
280 in a 1280x800 window, instead of the normal resolution of
281 640x400.
282 -Z n Set the number of graphics cards, for emulating a dual-head or
284 tripple-head environment. (Only for DECstation emulation so far.)
285 -z disp
287 Add disp as an X11 display to use for framebuffers.
288 General options:
290 -c cmd Add cmd as a command to run before starting the simulation. A
292 similar effect can be achieved by using the -V option, and enter‐
293 ing the commands manually.
294 -D Causes the emulator to skip a call to srandom(). This leads to
296 somewhat more deterministic behaviour than running without this
297 option. However, if the emulated machine has clocks or timer in‐
298 terrupt sources, or if user interaction is taking place (e.g.
299 keyboard input at irregular intervals), then this option is mean‐
300 ingless.
301 -H Display a list of available CPU types and machine types. (Most
303 of these don't work. Please read the HTML documentation included
304 in the gxemul distribution for details on which modes that actu‐
305 ally work.)
306 -h Display a list of all available command line options.
308 -k n Set the size of the dyntrans cache (per emulated CPU) to n MB.
310 The default size is 96 MB.
311 -K Force the single-step debugger to be entered at the end of a sim‐
313 ulation.
314 -q Quiet mode; this suppresses startup messages.
316 -V Start up in the single-step debugger, paused. If this option is
318 used, -q is ignored.
319 -v Increase verbosity (show more debug messages). This option can be
321 used multiple times.
322 Configuration file startup:
324 @ configfile
326 Start an emulation based on the contents of configfile.
327
329 The following command will start NetBSD/pmax on an emulated DECstation
330 5000/200 (3MAX):
331 gxemul -e 3max -d nbsd_pmax.img
333 nbsd_pmax.img should be a raw disk image containing a bootable Net‐
335 BSD/pmax filesystem.
336 The following command will start an emulation session based on settings
338 in the configuration file "mysession". The -v option tells gxemul to be
339 verbose.
340 gxemul -v @mysession
342 If you have compiled the small Hello World program mentioned in the
344 gxemul documentation, the following command will start up an emulated
345 test machine in "paused" mode:
346 gxemul -E testmips -V hello_mips
348 Paused mode means that you enter the interactive single-step debugger di‐
350 rectly at startup, instead of launching the Hello World program.
351 The paused mode is also what should be used when running "unknown" files
353 for the first time in the emulator. E.g. if you have a binary which you
354 think is some kind of MIPS ROM image, then you can try the following:
355 gxemul -vv -E baremips -V 0xbfc00000:image.raw
357 You can then use the single-stepping functionality of the built-in debug‐
359 ger to run the code in the ROM image, to see how it behaves. Based on
360 that, you can deduce what machine type it was actually from (the baremips
361 machine is not a real machine), and perhaps try again with another emula‐
362 tion mode.
363 In general, however, real ROM images require much more emulation detail
365 than GXemul provides, so they can usually not run.
366
368 gxemul [options] -e name [additional components and files ...]
369 gxemul [options] configfile
370 gxemul -V
371 gxemul -H
372
374 The options available for the new framework are:
375 -B Enables snapshotting (required for reverse execution/stepping).
377 -e name
379 Start with a machine based on template 'name'. The name may be
380 followed by optional arguments in parentheses, e.g.
381 gxemul -V -e 'testm88k(cpu=88110,ram=10485760)'
383 Remember to use quotes if your shell gives special meaning to
385 parentheses.
386 -H Display a list of available machine templates.
388 -q Start up in Quiet mode (i.e. suppress debug messages). If an er‐
390 ror occurs during emulation which stops execution and drops the
391 user into the debugger, quiet mode is turned off.
392 -V Start up in interactive mode, paused. If this option is used, -q
394 is ignored.
395 When using the -e option, the remainder of the command line consists of
397 zero or more additional files to load, or components to add to the emula‐
398 tion setup. Including these on the command line is equivalent to using
399 the 'add' command (although with a different syntax) in the interactive
400 debugger. A simple example is a file name to load into the emulated ma‐
401 chine, but they can be more complex as well.
402 When not using the -e option, the config file should be one that was pre‐
404 viously saved from within the emulator using the 'save' command.
405 Starting the emulator with the -V switch will bring you to the interac‐
407 tive debugger environment, without starting the emulation.
408 The general syntax for adding components is:
410 existing_component_path:component(args)
412 If existing_component_path part is omitted, it is assumed to be cpu0.
414 The component(args) part may be written as just args, in which case the
415 name of the component is autodetected, and the args is given as an argu‐
416 ment called "name" to that component.
417 For example, if the additional component/filename is just
419 netbsd-GENERIC
421 this will be equivalent to
423 cpu0:file(name=netbsd-GENERIC)
425 An attempt will be made to load the file netbsd-GENERIC into cpu0, which
427 is the default component if none is specified. This will most likely be
428 expanded into root.machine0.mainbus0.cpu0. If cpu0 is ambiguous, then
429 this will not work; the specific cpu0 name must be supplied instead, like
430 this:
431 machine3.mainbus0.cpu0:netbsd-GENERIC
433
435 There are many bugs. Some of the known bugs are mentioned in the TODO
436 file in the gxemul source distribution, some are marked as TODO in the
437 source code itself.
438 gxemul is in general not cycle-accurate; it does not simulate individual
440 pipe-line stages or penalties caused by branch-prediction misses or cache
441 misses, so it cannot be used for accurate simulation of any actual real-
442 world processor.
443 gxemul is in general not timing-accurate. Many emulation modes try to
445 make the guest operating system's clock run at the same speed as the host
446 clock. However, the number of instructions executed per clock tick can
447 obviously vary, depending on the current CPU load on the host.
448 gxemul is in general not guaranteed to be secure; when used as a virtual
450 machine to run untrusted code in the form of a guest OS, the untrusted
451 code may be able to crash the emulator, or due to bugs, take over the
452 host.
453
455 GXemul is Copyright (C) 2003-2021 Anders Gavare <gavare@gmail.com>
456 See http://gavare.se/gxemul/ for more information. For other Copyright
458 messages, see the corresponding parts of the source code and/or documen‐
459 tation.
460BSD June 14, 2021 BSD