1GXEMUL(1) BSD General Commands Manual GXEMUL(1)
2
4 gxemul — an experimental framework for full-system machine emulation
5
7 gxemul [machine, other, and general options] [file ...]
8 gxemul [general options] @configfile
9 gxemul -H
10
12 gxemul is a framework for full-system computer architecture emulation.
13 Several processor architectures and machine types have been implemented.
14 It is working well enough to allow unmodified "guest" operating systems
15 (e.g. NetBSD) to run inside the emulator, as if they were running on real
16 hardware.
17 The emulator emulates (networks of) real machines. The machines may con‐
19 sist of ARM, MIPS, Motorola 88K, PowerPC, and SuperH processors, and var‐
20 ious surrounding hardware components such as framebuffers, busses, inter‐
21 rupt controllers, ethernet controllers, disk controllers, and serial port
22 controllers.
23
25 Please read the HTML documentation for more details on how to run spe‐
26 cific guest operating systems in the emulator.
27
29 The emulator can be invoked in the following ways:
30 1. When emulating a complete machine, configuration options can be sup‐
32 plied directly on the command line.
33 2. Options can be read from a configuration file.
35 The easiest way to use the emulator is to supply settings directly on the
37 command line.
38 The most important thing you need to supply is the file argument. This is
40 the name of a binary file (an ELF, a.out, COFF/ECOFF, SREC, or a raw bi‐
41 nary image) which you wish to run in the emulator. This file might be an
42 operating system kernel, or perhaps a ROM image file. If more than one
43 filename is supplied, all files are loaded into memory, and the entry
44 point (if available) is taken from the last file.
45 Apart from the name of a binary file, you must also use the -E and/or -e
47 options to select which emulation mode to use. This is necessary because
48 the emulator cannot in general deduce this from the file being executed.
49 For example, a MIPS-based machine from DEC (a DECstation) is very differ‐
50 ent from a MIPS-based machine from SGI. Use gxemul -H to get a list of
51 available emulation modes.
52 There are three exceptions to the normal invocation usage mentioned
54 above.
55 1. For DECstation emulation, if you have a bootable DECstation harddisk
57 or CDROM image, then just supplying the diskimage via the -d option is
58 sufficient. The filename of the kernel can then be skipped, as the emula‐
59 tor runs the bootblocks from the diskimage directly and doesn't need the
60 kernel as a separate file.
61 2. If you supply an ISO9660 CDROM disk image, then using the -j option to
63 indicate a file on the CDROM filesystem to load is sufficient; no addi‐
64 tional kernel filename needs to be supplied on the command line.
65 3. For Dreamcast emulation, when booting e.g. a NetBSD/dreamcast CDROM
67 image, it is enough to supply the disk image (with the correct ISO parti‐
68 tion start offset). Bootblocks will be read directly from the CDROM im‐
69 age, and there is no need to supply the name of an external kernel on the
70 command line.
71 Gzipped kernels are automatically unzipped, by calling the external gun‐
73 zip program, both when specifying a gzipped file directly on the command
74 line and when loading such a file using the -j option.
75 Machine selection options:
77 -E t Try to emulate machine type t. This option is not always needed,
79 if the -e option uniquely selects a machine. (Use -H to get a
80 list of types.)
81 -e st Try to emulate machine subtype st. Use this together with -E.
83 (This option is not always needed, if a machine type has no sub‐
84 types.)
85 Other options:
87 -C x Try to emulate a specific CPU type, x. This overrides the de‐
89 fault CPU type for the machine being emulated. (Use -H to get a
90 list of available CPU types.)
91 -d [modifiers:]filename
93 Add filename as a disk image. By adding one or more modifier
94 characters and then a colon (":") as a prefix to filename, you
95 can modify the way the disk image is treated. Available modifiers
96 are:
97 b Specifies that this is a boot device.
99 c CD-ROM.
101 d DISK (this is the default).
103 f FLOPPY.
105 gH;S; Override the default geometry; use H heads and S sectors-
107 per-track. (The number of cylinders is calculated auto‐
108 matically.)
109 i IDE.
111 oOFS; Set the base offset for an ISO9660 filesystem on a disk
113 image. The default is 0. A suitable offset when booting
114 from Dreamcast ISO9660 filesystem images, which are off‐
115 set by 11702 sectors, is 23965696.
116 r Read-only (don't allow changes to be written to the
118 file).
119 R Don't allow changes to the file, but add a temporary
121 overlay for the disk image to allow guest operating sys‐
122 tems to write to the disk. (These changes are lost when
123 the GXemul process exits.)
124 s SCSI.
126 t Tape.
128 V Add an overlay filename to an already defined disk image.
130 (A ID number must also be specified when this flag is
131 used. See the documentation for an example of how to use
132 overlays.)
133 0-7 Force a specific ID number.
135 For SCSI devices, the ID number is the SCSI ID. For IDE hard‐
137 disks, the ID number has the following meaning:
138 0 Primary master.
140 1 Primary slave.
142 2 Secondary master.
144 3 Secondary slave.
146 Unless otherwise specified, filenames ending with ".iso" or
148 ".cdr" are assumed to be CDROM images. Most others are assumed to
149 be disks. Depending on which machine is being emulated, the de‐
150 fault for disks can be either SCSI or IDE. Some disk images that
151 are very small are assumed to be floppy disks. (If you are not
152 happy with the way a disk image is detected, then you need to use
153 explicit prefixes to force a specific type.)
154 For floppies, the gH;S; prefix is ignored. Instead, the number of
156 heads and cylinders are assumed to be 2 and 80, respectively, and
157 the number of sectors per track is calculated automatically.
158 (This works for 720KB, 1.2MB, 1.44MB, and 2.88MB floppies.)
159 -I hz Set the main CPU's frequency to hz Hz. This option does not work
161 for all emulated machine modes. It affects the way count/compare
162 interrupts are faked to simulate emulated time = real world time.
163 If the guest operating system relies on RTC interrupts instead of
164 count/compare interrupts, then this option has no effect.
165 Setting the frequency to zero disables automatic synchronization
167 of emulated time vs real world time, and the count/compare system
168 runs at a fixed rate.
169 -i Enable instruction trace, i.e. display disassembly of each in‐
171 struction as it is being executed.
172 -J Disable instruction combinations in the dynamic translator.
174 -j n Set the name of the kernel to n. When booting from an ISO9660
176 filesystem, the emulator will try to boot using this file. (In
177 some emulation modes, eg. DECstation, this name is passed along
178 to the boot program. Useful names are "bsd" for OpenBSD/pmax,
179 "vmunix" for Ultrix, or "vmsprite" for Sprite.)
180 -L tapdev
182 Enable tap networking using device 'tapdev', on systems that sup‐
183 port it.
184 -M m Emulate m MBs of physical RAM. This overrides the default amount
186 of RAM for the selected machine type.
187 -N Display the number of executed instructions per second on aver‐
189 age, at regular intervals.
190 -n nr Set the number of processors in the machine, for SMP experiments.
192 Note 1: The emulator allocates quite a lot of virtual memory for
194 per-CPU translation tables. On 64-bit hosts, this is normally not
195 a problem. On 32-bit hosts, this can use up all available virtual
196 userspace memory. The solution is to either run the emulator on a
197 64-bit host, or limit the number of emulated CPUs to a reasonably
198 low number.
199 Note 2: SMP simulation is not working very well yet; multiple
201 processors are simulated, but synchronization between the proces‐
202 sors does not map very well to how real-world SMP systems work.
203 -O Force a "netboot" (tftp instead of disk), even when a disk image
205 is present (for DECstation, SGI, and ARC emulation).
206 -o arg Set the boot argument (mostly useful for DEC, ARC, or SGI emula‐
208 tion). Default arg for DEC is "-a", for ARC/SGI it is "-aN", and
209 for CATS it is "-A".
210 -p pc Add a breakpoint. pc can be a symbol, or a numeric value. (Re‐
212 member to use the "0x" prefix for hexadecimal values.)
213 -Q Disable the built-in (software-only) PROM emulation. This option
215 is useful for experimenting with running raw ROM images from real
216 machines. The default behaviour of the emulator is to "fake" cer‐
217 tain PROM calls used by guest operating systems (e.g. NetBSD), so
218 that no real PROM image is needed.
219 -R Use a random bootstrap cpu, instead of CPU nr 0. (This option is
221 only meaningful together with the -n option.)
222 -r Dump register contents for every executed instruction.
224 -S Initialize emulated RAM to random data, instead of zeroes. This
226 option is useful when trying to trigger bugs in a program that
227 occur because the program assumed that uninitialized memory con‐
228 tains zeros. (Use with care.)
229 -s flags:filename
231 Gather statistics based on the current emulated program counter
232 value, while the program executes. The statistics is actually
233 just a raw dump of all program counter values in sequence, suit‐
234 able for post-analysis with separate tools. Output is appended to
235 filename.
236 The flags should include one or more of the following type speci‐
238 fiers:
239 v Virtual. This means that the program counter value is
241 used.
242 p Physical. This means that the physical address of where
244 the program is actually running is used.
245 i Instruction call. This type of statistics gathering is
247 practically only useful during development of the emula‐
248 tor itself. The output is a list of addresses of instruc‐
249 tion call functions (ic->f), which after some post-pro‐
250 cessing can be used as a basis for deciding when to im‐
251 plement instruction combinations.
252 The flags may also include the following optional modifiers:
254 d Disabled at startup.
256 o Overwrite the file, instead of appending to it.
258 Statistics gathering can be enabled/disabled at runtime by using
260 the "statistics_enabled = yes" and "statistics_enabled = no" de‐
261 bugger commands.
262 When gathering instruction statistics using the -s option, in‐
264 struction combinations are always disabled (i.e. an implicit -J
265 flag is added to the command line).
266 -T Halt if the emulated program attempts to access non-existing mem‐
268 ory.
269 -t Show a trace tree of all function calls being made.
271 -X Use X11. This option enables graphical framebuffers.
273 -Y n Scale down framebuffer windows by n x n times. This option is
275 useful when emulating a very large framebuffer, and the actual
276 display is of lower resolution. If n is negative, then there will
277 be no scaledown, but emulation of certain graphic controllers
278 will be scaled up by -n times instead. E.g. Using -2 with VGA
279 text mode emulation will result in 80x25 character cells rendered
280 in a 1280x800 window, instead of the normal resolution of
281 640x400.
282 -Z n Set the number of graphics cards, for emulating a dual-head or
284 tripple-head environment. (Only for DECstation emulation so far.)
285 -z disp
287 Add disp as an X11 display to use for framebuffers.
288 General options:
290 -A Disable colorized output.
292 -c cmd Add cmd as a command to run before starting the simulation. A
294 similar effect can be achieved by using the -V option, and enter‐
295 ing the commands manually.
296 -D Causes the emulator to skip a call to srandom(). This leads to
298 somewhat more deterministic behaviour than running without this
299 option. However, if the emulated machine has clocks or timer in‐
300 terrupt sources, or if user interaction is taking place (e.g.
301 keyboard input at irregular intervals), then this option is mean‐
302 ingless.
303 -G Enable colorized output. If the environment variable CLICOLOR is
305 set, then this is the default behavior.
306 -H Display a list of available CPU types and machine types. (Most
308 of these don't work. Please read the HTML documentation included
309 in the gxemul distribution for details on which modes that actu‐
310 ally work.)
311 -h Display a list of all available command line options.
313 -k n Set the size of the dyntrans cache (per emulated CPU) to n MB.
315 The default size is 96 MB.
316 -K Show the debugger prompt instead of exiting, when a simulation
318 ends.
319 -q Quiet mode; this suppresses startup messages.
321 -V Start up in the interactive debugger, paused. If this option is
323 used, -q is ignored. This option also sets -K.
324 -v Increase verbosity (show more debug messages). This option can be
326 used multiple times.
327 -x Open up separate terminal windows for emulated serial ports. The
329 default behaviour is to open up new terminals when using configu‐
330 ration files with more than one machine specified, or if X11 is
331 enabled. When starting up a simple emulation session with set‐
332 tings directly on the command line (or when using configuration
333 files with a single machine specification), and neither -X nor -x
334 is used, then all output is confined to the terminal that gxemul
335 started in. The default terminal to use is 'xterm', but this can
336 be overriden by the XTERM environment variable.
337 Configuration file startup:
339 @ configfile
341 Start an emulation based on the contents of configfile.
342
344 The following command will start NetBSD/pmax on an emulated DECstation
345 5000/200 (3MAX):
346 gxemul -e 3max -d nbsd_pmax.img
348 nbsd_pmax.img should be a raw disk image containing a bootable Net‐
350 BSD/pmax filesystem.
351 The following command will start an emulation session based on settings
353 in the configuration file "mysession". The -v option tells gxemul to be
354 verbose.
355 gxemul -v @mysession
357 If you have compiled the small Hello World program mentioned in the
359 gxemul documentation, the following command will start up an emulated
360 test machine in "paused" mode:
361 gxemul -E testmips -V hello_mips
363 Paused mode means that you enter the interactive single-step debugger di‐
365 rectly at startup, instead of launching the Hello World program.
366 The paused mode is also what should be used when running "unknown" files
368 for the first time in the emulator. E.g. if you have a binary which you
369 think is some kind of MIPS ROM image, then you can try the following:
370 gxemul -vv -E baremips -V 0xbfc00000:image.raw
372 You can then use the single-stepping functionality of the built-in debug‐
374 ger to run the code in the ROM image, to see how it behaves. Based on
375 that, you can deduce what machine type it was actually from (the baremips
376 machine is not a real machine), and perhaps try again with another emula‐
377 tion mode.
378 In general, however, real ROM images require much more emulation detail
380 than GXemul provides, so they can usually not run.
381
383 There are many bugs. Some of the known bugs are mentioned in the TODO
384 file in the gxemul source distribution, some are marked as TODO in the
385 source code itself.
386 gxemul is in general not cycle-accurate; it does not simulate individual
388 pipe-line stages or penalties caused by branch-prediction misses or cache
389 misses, so it cannot be used for accurate simulation of any actual real-
390 world processor.
391 gxemul is in general not timing-accurate. Many emulation modes try to
393 make the guest operating system's clock run at the same speed as the host
394 clock. However, the number of instructions executed per clock tick can
395 obviously vary, depending on the current CPU load on the host.
396 gxemul is in general not guaranteed to be secure; when used as a virtual
398 machine to run untrusted code in the form of a guest OS, the untrusted
399 code may be able to crash the emulator, or due to bugs, take over the
400 host.
401
403 GXemul is Copyright (C) 2003-2021 Anders Gavare <gavare@gmail.com>
404 See http://gavare.se/gxemul/ for more information. For other Copyright
406 messages, see the corresponding parts of the source code and/or documen‐
407 tation.
408BSD December 5, 2021 BSD