Well considering what a hit it was, the last time I did this, I thought I’d give it another go!
And after a bit of fighting, I got it to run!
Now what were the obstacles? Â Well for starters not having a full libc certainly hurts things. Â Things like a malloc. Â And without getting fancy with the memory map I did the lamest cheat ever, which is a 1MB static array I just handed out with a fake malloc (no free, I didn’t bother to track chunks), and you know it works enough.
Also I need to read files, and I need to look more into the hardware to see how to do that. Â There seems to be plenty of hooks for NVRAM, but the ROMMON substitute doesn’t seem to support them. Â Also there is no ROMMON hook for reading from the console! Â The MIPS cilo is more ROMMON dependent, while the PowerPC c1700 talks to the uart directly so this is a PowerPC thing for right now.
I also learned something exciting about ld, which is how it can absorb binary images into objects, that you can link and access directly into your program! Â No more having to convert it to hex, make these insane headders that CPP may or may not bomb over. Â No you can make them objects right away!
In this example I read the file planetfa.dat as BINARY, and encapsulate it in an object file called planetfa.o . It’ll now have a symbol name of _binary_planetfa_dat_start for where the image begins, _binary_planetfa_dat_size will tell me how big it is in memory, and _binary_planetfa_dat_end will mark the end of this ‘file’ in memory.
Now in the old days when it was a file I could access it like this:
fread ((char *)ptr,block_size,(int)num_blocks,game_file);
But that won’t work. Â So now instead of calling fopen/fclose (which don’t exist in CILO), I set a counter to what my current offset is, change the ‘fseek’ to just set the global counter to where it should be, and when I fread I just memcpy:
I suppose I could just have wrapped the f* calls into some emulation library but I don’t need to get all that crazy sophisticated.
Cisco Router Simulation Platform (version 0.2.15-experimental(merge uppc smips)Build-3-x86/MinGW stable)
Copyright (c) 2005-2011 Christophe Fillot.
Build date: Sep 19 2015 19:33:12
Local UUID: 0450c178-6480-11e5-a559-019031cf957a
Pcap version [WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008)]
Unsure if this file (c1700_i0_rommon_vars) needs to be in binary mode
Virtual RAM size set to 4 MB.
IOS image file: ciscoload.bin
ILT: loaded table “mips64j” from cache.
ILT: loaded table “mips64e” from cache.
ILT: loaded table “ppc32j” from cache.
ILT: loaded table “ppc32e” from cache.
vtty_term_init
CPU0: carved JIT exec zone of 64 Mb into 2048 pages of 32 Kb.
C1700 instance ‘default’ (id 0):
VM Status : 0
RAM size : 4 Mb
NVRAM size : 32 Kb
IOS image : ciscoload.bin
Loading BAT registers
Loading ELF file ‘ciscoload.bin’…
ELF entry point: 0x8000d9c8
C1700 ‘default’: starting simulation (CPU0 IA=0xfff00100), JIT enabled.
ROMMON emulation microcode.
Launching IOS image at 0x8000d9c8…
CILO
CiscoLoader (CILO) – Linux bootloader for Cisco Routers
Available RAM: 4096 kB
Available commands:
queen
hanoi
horse
fib
planetfall
halt
Enter filename to boot:
malloc 64512 offset is 0 offset is now 64522
malloc 38912 offset is 64522 offset is now 103444
PLANETFALL
Infocom interactive fiction – a science fiction story
Copyright (c) 1983 by Infocom, Inc. All rights reserved.
PLANETFALL is a trademark of Infocom, Inc.
Release 37 / Serial number 851003
Another routine day of drudgery aboard the Stellar Patrol Ship Feinstein. This
morning’s assignment for a certain lowly Ensign Seventh Class: scrubbing the
filthy metal deck at the port end of Level Nine. With your Patrol-issue
self-contained multi-purpose all-weather scrub brush you shine the floor with a
diligence born of the knowledge that at any moment dreaded Ensign First Class
Blather, the bane of your shipboard existence, could appear.
Deck Nine
This is a featureless corridor similar to every other corridor on the ship. It
curves away to starboard, and a gangway leads up. To port is the entrance to
one of the ship’s primary escape pods. The pod bulkhead is closed.
Deck Nine Score: 0/4451
PLANETFALL
Infocom interactive fiction – a science fiction story
Copyright (c) 1983 by Infocom, Inc. All rights reserved.
PLANETFALL is a trademark of Infocom, Inc.
Release 37 / Serial number 851003
Deck Nine Score: 0/4451
>
For anyone crazy enough, you can find my MinGW Dynamips on sourceforge, cross compilers for PowerPC, and the branch of the firmware source that includes InfoTaskForce, and the binary image.
While I don’t want to write an OS for this, it is almost tempting. Â Or go the other route, and add in some non router based hardware… Like audio hardware, or a framebuffer.
Does anyone have a 1700 to test to see if any of this works? Â Or a 7200?! 😀
As it happens I have a few bits of 1700 series hardware around here. If I can get ciscoload.bin into flash: I’ll give it a go
I think you ought to be able to netboot it.. which I know is a PITA on it’s own right… At least on Dynamips this compiles and acts like IOS. This old version of binutils lets me kick out an exe that only has a single program segment. which is what the cisco ROM can only deal with.
But I totally get that ‘works on an emulator that emulates just enough hardware’ is not the same as real hardware.
ELFTool – a simple tool for viewing ELF file structures.
(c) 2008 Philippe Vachon
ELF File Header:
================================================
Ident bytes:
Class: 32-bit
Data type: Big endian
Version: 1
ELF Object Type: Executable File (2)
Machine ID: 0x33
Cisco 1700 Series Router (PowerPC, MPC860) or Stanford MIPS-X
Version: 0x00000001
Entry point: 0x8000d5d0
Program header offset: 0x00000034
Section header offset: 0x00025930
Flags: 0x00000000
ELF Header Size: 52 bytes
Program Header Entry Size: 32 bytes
Program Header Count: 1
Section header Entry Size: 40 bytes
Section Header Count: 9
String table entry index: 8
Section Header Entries:
================================================
Section 0
Name: null [0]
Type: SHT_NULL (0x00000000)
Flags: 0x00000000
—
Address: 0x00000000
Offset: 0 bytes
Size: 0 bytes
Link: 0x00000000
Additional Info: 0x00000000
Address Alignment: 0x00000000
Per-Entry Size: 0 bytes
Section 1
Name: .text [11]
Type: SHT_PROGBITS (0x00000001)
Flags: 0x00000007
Awx
Address: 0x80008000
Offset: 84 bytes
Size: 40892 bytes
Link: 0x00000000
Additional Info: 0x00000000
Address Alignment: 0x00000004
Per-Entry Size: 0 bytes
Section 2
Name: .rodata [17]
Type: SHT_PROGBITS (0x00000001)
Flags: 0x00000002
A–
Address: 0x80011fbc
Offset: 40976 bytes
Size: 2772 bytes
Link: 0x00000000
Additional Info: 0x00000000
Address Alignment: 0x00000004
Per-Entry Size: 0 bytes
Section 3
Name: .data [25]
Type: SHT_PROGBITS (0x00000001)
Flags: 0x00000003
Aw-
Address: 0x80012a90
Offset: 43748 bytes
Size: 109543 bytes
Link: 0x00000000
Additional Info: 0x00000000
Address Alignment: 0x00000004
Per-Entry Size: 0 bytes
Section 4
Name: .sdata [31]
Type: SHT_PROGBITS (0x00000001)
Flags: 0x00000003
Aw-
Address: 0x8002d678
Offset: 153292 bytes
Size: 12 bytes
Link: 0x00000000
Additional Info: 0x00000000
Address Alignment: 0x00000004
Per-Entry Size: 0 bytes
Section 5
Name: .sbss [38]
Type: SHT_NOBITS (0x00000008)
Flags: 0x00000003
Aw-
Address: 0x8002d684
Offset: 153304 bytes
Size: 208 bytes
Link: 0x00000000
Additional Info: 0x00000000
Address Alignment: 0x00000004
Per-Entry Size: 0 bytes
Section 6
Name: .bss [44]
Type: SHT_NOBITS (0x00000008)
Flags: 0x00000003
Aw-
Address: 0x8002d754
Offset: 153304 bytes
Size: 1049120 bytes
Link: 0x00000000
Additional Info: 0x00000000
Address Alignment: 0x00000004
Per-Entry Size: 0 bytes
Section 7
Name: .comment [49]
Type: SHT_PROGBITS (0x00000001)
Flags: 0x00000000
—
Address: 0x00000000
Offset: 153304 bytes
Size: 540 bytes
Link: 0x00000000
Additional Info: 0x00000000
Address Alignment: 0x00000001
Per-Entry Size: 0 bytes
Section 8
Name: .shstrtab [1]
Type: SHT_STRTAB (0x00000003)
Flags: 0x00000000
—
Address: 0x00000000
Offset: 153844 bytes
Size: 58 bytes
Link: 0x00000000
Additional Info: 0x00000000
Address Alignment: 0x00000001
Per-Entry Size: 0 bytes
Program Header Entries
================================================
Segment 0
Type: PT_LOAD (0x00000001)
Offset: 0x00000054
Virtual Address: 0x80008000
Physical Address: 0x80008000
Size in File: 153220 bytes
Size in Memory: 1202548 bytes
Flags: 0x00000007
Alignment: 0x00000004
Yup!
I copied it to flash and added
boot system flash ciscoload.bin
*Aug 5 23:33:44.743: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
System Bootstrap, Version 12.2(7r)XM4, RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 2003 by cisco Systems, Inc.
C1700 platform with 98304 Kbytes of main memory
program load complete, entry point: 0x8000d9c8, size: 0x24f03
CILO
CiscoLoader (CILO) – Linux bootloader for Cisco Routers
Available RAM: 98304 kB
Available commands:
c1700-k9o3sy7-mz.124-15.T10.bin
vlan.dat
old-startup
ciscoload.bin
queen
hanoi
horse
fib
planetfall
halt
Enter filename to boot:
>
Enter filename to boot:
malloc 64512 offset is 0 offset is now 64522
malloc 38912 offset is 64522 offset is now 103444
PLANETFALL
Infocom interactive fiction – a science fiction story
Copyright (c) 1983 by Infocom, Inc. All rights reserved.
PLANETFALL is a trademark of Infocom, Inc.
Release 37 / Serial number 851003
Another routine day of drudgery aboard the Stellar Patrol Ship Feinstein. This
morning’s assignment for a certain lowly Ensign Seventh Class: scrubbing the
filthy metal deck at the port end of Level Nine. With your Patrol-issue
self-contained multi-purpose all-weather scrub brush you shine the floor with a
diligence born of the knowledge that at any moment dreaded Ensign First Class
Blather, the bane of your shipboard existence, could appear.
Deck Nine
This is a featureless corridor similar to every other corridor on the ship. It
curves away to starboard, and a gangway leads up. To port is the entrance to
one of the ship’s primary escape pods. The pod bulkhead is closed.
Deck Nine Score: 0/4451
>
Wow that’s pretty cool!!!! Thanks for booting it up, it’s awesome to know it actually works on IRON!
It ought to be able to load multisegment ELF executables, and I hope single segment executables… Meaning you should be able to load your IOS back to get a functional device…
Thanks again for testing this!
It didn’t load IOS from the prompt – it eventually dropped me back to the prompt again. Ended up recovering from rommon and tftp booting IOS to recover it.
I’ll tftp boot ciscoload.bin next time. All good fun though!
I guess because it occupies the same space IOS expects to load (because it basically is an IOS), so there is a conflict. I’ll have to read up on relocation, or embedding another copy of itself in itself to relocate in middle memory so high memory and low memory are free…
But otherwise, I need to see how to talk to the clock so I can run those integer benchmark tools (hanoi, queens etc) to get an idea of how fast the emulation is.