Great PowerPC emulation code resynchronisation and improvments:

[qemu.git] / qemu-doc.texi

\input texinfo @c -*- texinfo -*-
@c %**start of header
@setfilename qemu-doc.info
@settitle QEMU Emulator User Documentation
@exampleindent 0
@paragraphindent 0
@c %**end of header

@iftex
@titlepage
@sp 7
@center @titlefont{QEMU Emulator}
@sp 1
@center @titlefont{User Documentation}
@sp 3
@end titlepage
@end iftex

@ifnottex
@node Top
@top

@menu
* Introduction::
* Installation::
* QEMU PC System emulator::
* QEMU System emulator for non PC targets::
* QEMU User space emulator::
* compilation:: Compilation from the sources
* Index::
@end menu
@end ifnottex

@contents

@node Introduction
@chapter Introduction

@menu
* intro_features:: Features
@end menu

@node intro_features
@section Features

QEMU is a FAST! processor emulator using dynamic translation to
achieve good emulation speed.

QEMU has two operating modes:

@itemize @minus

@item 
Full system emulation. In this mode, QEMU emulates a full system (for
example a PC), including one or several processors and various
peripherals. It can be used to launch different Operating Systems
without rebooting the PC or to debug system code.

@item 
User mode emulation. In this mode, QEMU can launch
processes compiled for one CPU on another CPU. It can be used to
launch the Wine Windows API emulator (@url{http://www.winehq.org}) or
to ease cross-compilation and cross-debugging.

@end itemize

QEMU can run without an host kernel driver and yet gives acceptable
performance. 

For system emulation, the following hardware targets are supported:
@itemize
@item PC (x86 or x86_64 processor)
@item ISA PC (old style PC without PCI bus)
@item PREP (PowerPC processor)
@item G3 BW PowerMac (PowerPC processor)
@item Mac99 PowerMac (PowerPC processor, in progress)
@item Sun4m (32-bit Sparc processor)
@item Sun4u (64-bit Sparc processor, in progress)
@item Malta board (32-bit MIPS processor)
@item ARM Integrator/CP (ARM926E or 1026E processor)
@item ARM Versatile baseboard (ARM926E)
@item ARM RealView Emulation baseboard (ARM926EJ-S)
@end itemize

For user emulation, x86, PowerPC, ARM, MIPS, Sparc32/64 and ColdFire(m68k) CPUs are supported.

@node Installation
@chapter Installation

If you want to compile QEMU yourself, see @ref{compilation}.

@menu
* install_linux::   Linux
* install_windows:: Windows
* install_mac::     Macintosh
@end menu

@node install_linux
@section Linux

If a precompiled package is available for your distribution - you just
have to install it. Otherwise, see @ref{compilation}.

@node install_windows
@section Windows

Download the experimental binary installer at
@url{http://www.free.oszoo.org/@/download.html}.

@node install_mac
@section Mac OS X

Download the experimental binary installer at
@url{http://www.free.oszoo.org/@/download.html}.

@node QEMU PC System emulator
@chapter QEMU PC System emulator

@menu
* pcsys_introduction:: Introduction
* pcsys_quickstart::   Quick Start
* sec_invocation::     Invocation
* pcsys_keys::         Keys
* pcsys_monitor::      QEMU Monitor
* disk_images::        Disk Images
* pcsys_network::      Network emulation
* direct_linux_boot::  Direct Linux Boot
* pcsys_usb::          USB emulation
* gdb_usage::          GDB usage
* pcsys_os_specific::  Target OS specific information
@end menu

@node pcsys_introduction
@section Introduction

@c man begin DESCRIPTION

The QEMU PC System emulator simulates the
following peripherals:

@itemize @minus
@item 
i440FX host PCI bridge and PIIX3 PCI to ISA bridge
@item
Cirrus CLGD 5446 PCI VGA card or dummy VGA card with Bochs VESA
extensions (hardware level, including all non standard modes).
@item
PS/2 mouse and keyboard
@item 
2 PCI IDE interfaces with hard disk and CD-ROM support
@item
Floppy disk
@item 
NE2000 PCI network adapters
@item
Serial ports
@item
Creative SoundBlaster 16 sound card
@item
ENSONIQ AudioPCI ES1370 sound card
@item
Adlib(OPL2) - Yamaha YM3812 compatible chip
@item
PCI UHCI USB controller and a virtual USB hub.
@end itemize

SMP is supported with up to 255 CPUs.

Note that adlib is only available when QEMU was configured with
-enable-adlib

QEMU uses the PC BIOS from the Bochs project and the Plex86/Bochs LGPL
VGA BIOS.

QEMU uses YM3812 emulation by Tatsuyuki Satoh.

@c man end

@node pcsys_quickstart
@section Quick Start

Download and uncompress the linux image (@file{linux.img}) and type:

@example
qemu linux.img
@end example

Linux should boot and give you a prompt.

@node sec_invocation
@section Invocation

@example
@c man begin SYNOPSIS
usage: qemu [options] [disk_image]
@c man end
@end example

@c man begin OPTIONS
@var{disk_image} is a raw hard disk image for IDE hard disk 0.

General options:
@table @option
@item -M machine
Select the emulated machine (@code{-M ?} for list)

@item -fda file
@item -fdb file
Use @var{file} as floppy disk 0/1 image (@pxref{disk_images}). You can
use the host floppy by using @file{/dev/fd0} as filename (@pxref{host_drives}).

@item -hda file
@item -hdb file
@item -hdc file
@item -hdd file
Use @var{file} as hard disk 0, 1, 2 or 3 image (@pxref{disk_images}).

@item -cdrom file
Use @var{file} as CD-ROM image (you cannot use @option{-hdc} and and
@option{-cdrom} at the same time). You can use the host CD-ROM by
using @file{/dev/cdrom} as filename (@pxref{host_drives}).

@item -boot [a|c|d|n]
Boot on floppy (a), hard disk (c), CD-ROM (d), or Etherboot (n). Hard disk boot
is the default.

@item -snapshot
Write to temporary files instead of disk image files. In this case,
the raw disk image you use is not written back. You can however force
the write back by pressing @key{C-a s} (@pxref{disk_images}).

@item -no-fd-bootchk
Disable boot signature checking for floppy disks in Bochs BIOS. It may
be needed to boot from old floppy disks.

@item -m megs
Set virtual RAM size to @var{megs} megabytes. Default is 128 MB.

@item -smp n
Simulate an SMP system with @var{n} CPUs. On the PC target, up to 255
CPUs are supported.

@item -nographic

Normally, QEMU uses SDL to display the VGA output. With this option,
you can totally disable graphical output so that QEMU is a simple
command line application. The emulated serial port is redirected on
the console. Therefore, you can still use QEMU to debug a Linux kernel
with a serial console.

@item -no-frame

Do not use decorations for SDL windows and start them using the whole
available screen space. This makes the using QEMU in a dedicated desktop
workspace more convenient.

@item -vnc display

Normally, QEMU uses SDL to display the VGA output.  With this option,
you can have QEMU listen on VNC display @var{display} and redirect the VGA
display over the VNC session.  It is very useful to enable the usb
tablet device when using this option (option @option{-usbdevice
tablet}). When using the VNC display, you must use the @option{-k}
option to set the keyboard layout if you are not using en-us.

@var{display} may be in the form @var{interface:d}, in which case connections
will only be allowed from @var{interface} on display @var{d}. Optionally,
@var{interface} can be omitted.  @var{display} can also be in the form
@var{unix:path} where @var{path} is the location of a unix socket to listen for
connections on.


@item -k language

Use keyboard layout @var{language} (for example @code{fr} for
French). This option is only needed where it is not easy to get raw PC
keycodes (e.g. on Macs, with some X11 servers or with a VNC
display). You don't normally need to use it on PC/Linux or PC/Windows
hosts.

The available layouts are:
@example
ar  de-ch  es  fo     fr-ca  hu  ja  mk     no  pt-br  sv
da  en-gb  et  fr     fr-ch  is  lt  nl     pl  ru     th
de  en-us  fi  fr-be  hr     it  lv  nl-be  pt  sl     tr
@end example

The default is @code{en-us}.

@item -audio-help

Will show the audio subsystem help: list of drivers, tunable
parameters.

@item -soundhw card1,card2,... or -soundhw all

Enable audio and selected sound hardware. Use ? to print all
available sound hardware.

@example
qemu -soundhw sb16,adlib hda
qemu -soundhw es1370 hda
qemu -soundhw all hda
qemu -soundhw ?
@end example

@item -localtime
Set the real time clock to local time (the default is to UTC
time). This option is needed to have correct date in MS-DOS or
Windows.

@item -full-screen
Start in full screen.

@item -pidfile file
Store the QEMU process PID in @var{file}. It is useful if you launch QEMU
from a script.

@item -daemonize
Daemonize the QEMU process after initialization.  QEMU will not detach from
standard IO until it is ready to receive connections on any of its devices.
This option is a useful way for external programs to launch QEMU without having
to cope with initialization race conditions.

@item -win2k-hack
Use it when installing Windows 2000 to avoid a disk full bug. After
Windows 2000 is installed, you no longer need this option (this option
slows down the IDE transfers).

@item -option-rom file
Load the contents of file as an option ROM.  This option is useful to load
things like EtherBoot.

@end table

USB options:
@table @option

@item -usb
Enable the USB driver (will be the default soon)

@item -usbdevice devname
Add the USB device @var{devname}. @xref{usb_devices}.
@end table

Network options:

@table @option

@item -net nic[,vlan=n][,macaddr=addr][,model=type]
Create a new Network Interface Card and connect it to VLAN @var{n} (@var{n}
= 0 is the default). The NIC is currently an NE2000 on the PC
target. Optionally, the MAC address can be changed. If no
@option{-net} option is specified, a single NIC is created.
Qemu can emulate several different models of network card.  Valid values for
@var{type} are @code{ne2k_pci}, @code{ne2k_isa}, @code{rtl8139},
@code{smc91c111} and @code{lance}.  Not all devices are supported on all
targets.

@item -net user[,vlan=n][,hostname=name]
Use the user mode network stack which requires no administrator
priviledge to run.  @option{hostname=name} can be used to specify the client
hostname reported by the builtin DHCP server.

@item -net tap[,vlan=n][,fd=h][,ifname=name][,script=file]
Connect the host TAP network interface @var{name} to VLAN @var{n} and
use the network script @var{file} to configure it. The default
network script is @file{/etc/qemu-ifup}. Use @option{script=no} to
disable script execution. If @var{name} is not
provided, the OS automatically provides one.  @option{fd=h} can be
used to specify the handle of an already opened host TAP interface. Example:

@example
qemu linux.img -net nic -net tap
@end example

More complicated example (two NICs, each one connected to a TAP device)
@example
qemu linux.img -net nic,vlan=0 -net tap,vlan=0,ifname=tap0 \
               -net nic,vlan=1 -net tap,vlan=1,ifname=tap1
@end example


@item -net socket[,vlan=n][,fd=h][,listen=[host]:port][,connect=host:port]

Connect the VLAN @var{n} to a remote VLAN in another QEMU virtual
machine using a TCP socket connection. If @option{listen} is
specified, QEMU waits for incoming connections on @var{port}
(@var{host} is optional). @option{connect} is used to connect to
another QEMU instance using the @option{listen} option. @option{fd=h}
specifies an already opened TCP socket.

Example:
@example
# launch a first QEMU instance
qemu linux.img -net nic,macaddr=52:54:00:12:34:56 \
               -net socket,listen=:1234
# connect the VLAN 0 of this instance to the VLAN 0
# of the first instance
qemu linux.img -net nic,macaddr=52:54:00:12:34:57 \
               -net socket,connect=127.0.0.1:1234
@end example

@item -net socket[,vlan=n][,fd=h][,mcast=maddr:port]

Create a VLAN @var{n} shared with another QEMU virtual
machines using a UDP multicast socket, effectively making a bus for 
every QEMU with same multicast address @var{maddr} and @var{port}.
NOTES:
@enumerate
@item 
Several QEMU can be running on different hosts and share same bus (assuming 
correct multicast setup for these hosts).
@item
mcast support is compatible with User Mode Linux (argument @option{eth@var{N}=mcast}), see
@url{http://user-mode-linux.sf.net}.
@item Use @option{fd=h} to specify an already opened UDP multicast socket.
@end enumerate

Example:
@example
# launch one QEMU instance
qemu linux.img -net nic,macaddr=52:54:00:12:34:56 \
               -net socket,mcast=230.0.0.1:1234
# launch another QEMU instance on same "bus"
qemu linux.img -net nic,macaddr=52:54:00:12:34:57 \
               -net socket,mcast=230.0.0.1:1234
# launch yet another QEMU instance on same "bus"
qemu linux.img -net nic,macaddr=52:54:00:12:34:58 \
               -net socket,mcast=230.0.0.1:1234
@end example

Example (User Mode Linux compat.):
@example
# launch QEMU instance (note mcast address selected
# is UML's default)
qemu linux.img -net nic,macaddr=52:54:00:12:34:56 \
               -net socket,mcast=239.192.168.1:1102
# launch UML
/path/to/linux ubd0=/path/to/root_fs eth0=mcast
@end example

@item -net none
Indicate that no network devices should be configured. It is used to
override the default configuration (@option{-net nic -net user}) which
is activated if no @option{-net} options are provided.

@item -tftp dir
When using the user mode network stack, activate a built-in TFTP
server. The files in @var{dir} will be exposed as the root of a TFTP server.
The TFTP client on the guest must be configured in binary mode (use the command
@code{bin} of the Unix TFTP client). The host IP address on the guest is as
usual 10.0.2.2.

@item -bootp file
When using the user mode network stack, broadcast @var{file} as the BOOTP
filename.  In conjunction with @option{-tftp}, this can be used to network boot
a guest from a local directory.

Example (using pxelinux):
@example
qemu -hda linux.img -boot n -tftp /path/to/tftp/files -bootp /pxelinux.0
@end example

@item -smb dir
When using the user mode network stack, activate a built-in SMB
server so that Windows OSes can access to the host files in @file{dir}
transparently.

In the guest Windows OS, the line:
@example
10.0.2.4 smbserver
@end example
must be added in the file @file{C:\WINDOWS\LMHOSTS} (for windows 9x/Me)
or @file{C:\WINNT\SYSTEM32\DRIVERS\ETC\LMHOSTS} (Windows NT/2000).

Then @file{dir} can be accessed in @file{\\smbserver\qemu}.

Note that a SAMBA server must be installed on the host OS in
@file{/usr/sbin/smbd}. QEMU was tested successfully with smbd version
2.2.7a from the Red Hat 9 and version 3.0.10-1.fc3 from Fedora Core 3.

@item -redir [tcp|udp]:host-port:[guest-host]:guest-port

When using the user mode network stack, redirect incoming TCP or UDP
connections to the host port @var{host-port} to the guest
@var{guest-host} on guest port @var{guest-port}. If @var{guest-host}
is not specified, its value is 10.0.2.15 (default address given by the
built-in DHCP server).

For example, to redirect host X11 connection from screen 1 to guest
screen 0, use the following:

@example
# on the host
qemu -redir tcp:6001::6000 [...]
# this host xterm should open in the guest X11 server
xterm -display :1
@end example

To redirect telnet connections from host port 5555 to telnet port on
the guest, use the following:

@example
# on the host
qemu -redir tcp:5555::23 [...]
telnet localhost 5555
@end example

Then when you use on the host @code{telnet localhost 5555}, you
connect to the guest telnet server.

@end table

Linux boot specific: When using these options, you can use a given
Linux kernel without installing it in the disk image. It can be useful
for easier testing of various kernels.

@table @option

@item -kernel bzImage 
Use @var{bzImage} as kernel image.

@item -append cmdline 
Use @var{cmdline} as kernel command line

@item -initrd file
Use @var{file} as initial ram disk.

@end table

Debug/Expert options:
@table @option

@item -serial dev
Redirect the virtual serial port to host character device
@var{dev}. The default device is @code{vc} in graphical mode and
@code{stdio} in non graphical mode.

This option can be used several times to simulate up to 4 serials
ports.

Use @code{-serial none} to disable all serial ports.

Available character devices are:
@table @code
@item vc
Virtual console
@item pty
[Linux only] Pseudo TTY (a new PTY is automatically allocated)
@item none
No device is allocated.
@item null
void device
@item /dev/XXX
[Linux only] Use host tty, e.g. @file{/dev/ttyS0}. The host serial port
parameters are set according to the emulated ones.
@item /dev/parportN
[Linux only, parallel port only] Use host parallel port
@var{N}. Currently SPP and EPP parallel port features can be used.
@item file:filename
Write output to filename. No character can be read.
@item stdio
[Unix only] standard input/output
@item pipe:filename
name pipe @var{filename}
@item COMn
[Windows only] Use host serial port @var{n}
@item udp:[remote_host]:remote_port[@@[src_ip]:src_port]
This implements UDP Net Console.  When @var{remote_host} or @var{src_ip} are not specified they default to @code{0.0.0.0}.  When not using a specifed @var{src_port} a random port is automatically chosen.

If you just want a simple readonly console you can use @code{netcat} or
@code{nc}, by starting qemu with: @code{-serial udp::4555} and nc as:
@code{nc -u -l -p 4555}. Any time qemu writes something to that port it
will appear in the netconsole session.

If you plan to send characters back via netconsole or you want to stop
and start qemu a lot of times, you should have qemu use the same
source port each time by using something like @code{-serial
udp::4555@@:4556} to qemu. Another approach is to use a patched
version of netcat which can listen to a TCP port and send and receive
characters via udp.  If you have a patched version of netcat which
activates telnet remote echo and single char transfer, then you can
use the following options to step up a netcat redirector to allow
telnet on port 5555 to access the qemu port.
@table @code
@item Qemu Options:
-serial udp::4555@@:4556
@item netcat options:
-u -P 4555 -L 0.0.0.0:4556 -t -p 5555 -I -T
@item telnet options:
localhost 5555
@end table


@item tcp:[host]:port[,server][,nowait][,nodelay]
The TCP Net Console has two modes of operation.  It can send the serial
I/O to a location or wait for a connection from a location.  By default
the TCP Net Console is sent to @var{host} at the @var{port}.  If you use
the @var{server} option QEMU will wait for a client socket application
to connect to the port before continuing, unless the @code{nowait}
option was specified.  The @code{nodelay} option disables the Nagle buffering
algoritm.  If @var{host} is omitted, 0.0.0.0 is assumed. Only
one TCP connection at a time is accepted. You can use @code{telnet} to
connect to the corresponding character device.
@table @code
@item Example to send tcp console to 192.168.0.2 port 4444
-serial tcp:192.168.0.2:4444
@item Example to listen and wait on port 4444 for connection
-serial tcp::4444,server
@item Example to not wait and listen on ip 192.168.0.100 port 4444
-serial tcp:192.168.0.100:4444,server,nowait
@end table

@item telnet:host:port[,server][,nowait][,nodelay]
The telnet protocol is used instead of raw tcp sockets.  The options
work the same as if you had specified @code{-serial tcp}.  The
difference is that the port acts like a telnet server or client using
telnet option negotiation.  This will also allow you to send the
MAGIC_SYSRQ sequence if you use a telnet that supports sending the break
sequence.  Typically in unix telnet you do it with Control-] and then
type "send break" followed by pressing the enter key.

@item unix:path[,server][,nowait]
A unix domain socket is used instead of a tcp socket.  The option works the
same as if you had specified @code{-serial tcp} except the unix domain socket
@var{path} is used for connections.

@item mon:dev_string
This is a special option to allow the monitor to be multiplexed onto
another serial port.  The monitor is accessed with key sequence of
@key{Control-a} and then pressing @key{c}. See monitor access
@ref{pcsys_keys} in the -nographic section for more keys.
@var{dev_string} should be any one of the serial devices specified
above.  An example to multiplex the monitor onto a telnet server
listening on port 4444 would be:
@table @code
@item -serial mon:telnet::4444,server,nowait
@end table

@end table

@item -parallel dev
Redirect the virtual parallel port to host device @var{dev} (same
devices as the serial port). On Linux hosts, @file{/dev/parportN} can
be used to use hardware devices connected on the corresponding host
parallel port.

This option can be used several times to simulate up to 3 parallel
ports.

Use @code{-parallel none} to disable all parallel ports.

@item -monitor dev
Redirect the monitor to host device @var{dev} (same devices as the
serial port).
The default device is @code{vc} in graphical mode and @code{stdio} in
non graphical mode.

@item -echr numeric_ascii_value
Change the escape character used for switching to the monitor when using
monitor and serial sharing.  The default is @code{0x01} when using the
@code{-nographic} option.  @code{0x01} is equal to pressing
@code{Control-a}.  You can select a different character from the ascii
control keys where 1 through 26 map to Control-a through Control-z.  For
instance you could use the either of the following to change the escape
character to Control-t.
@table @code
@item -echr 0x14
@item -echr 20
@end table

@item -s
Wait gdb connection to port 1234 (@pxref{gdb_usage}). 
@item -p port
Change gdb connection port.  @var{port} can be either a decimal number
to specify a TCP port, or a host device (same devices as the serial port).
@item -S
Do not start CPU at startup (you must type 'c' in the monitor).
@item -d             
Output log in /tmp/qemu.log
@item -hdachs c,h,s,[,t]
Force hard disk 0 physical geometry (1 <= @var{c} <= 16383, 1 <=
@var{h} <= 16, 1 <= @var{s} <= 63) and optionally force the BIOS
translation mode (@var{t}=none, lba or auto). Usually QEMU can guess
all thoses parameters. This option is useful for old MS-DOS disk
images.

@item -L path
Set the directory for the BIOS, VGA BIOS and keymaps.

@item -std-vga
Simulate a standard VGA card with Bochs VBE extensions (default is
Cirrus Logic GD5446 PCI VGA). If your guest OS supports the VESA 2.0
VBE extensions (e.g. Windows XP) and if you want to use high
resolution modes (>= 1280x1024x16) then you should use this option.

@item -no-acpi
Disable ACPI (Advanced Configuration and Power Interface) support. Use
it if your guest OS complains about ACPI problems (PC target machine
only).

@item -no-reboot
Exit instead of rebooting.

@item -loadvm file
Start right away with a saved state (@code{loadvm} in monitor)

@item -semihosting
Enable "Angel" semihosting interface (ARM target machines only).
Note that this allows guest direct access to the host filesystem,
so should only be used with trusted guest OS.
@end table

@c man end

@node pcsys_keys
@section Keys

@c man begin OPTIONS

During the graphical emulation, you can use the following keys:
@table @key
@item Ctrl-Alt-f
Toggle full screen

@item Ctrl-Alt-n
Switch to virtual console 'n'. Standard console mappings are:
@table @emph
@item 1
Target system display
@item 2
Monitor
@item 3
Serial port
@end table

@item Ctrl-Alt
Toggle mouse and keyboard grab.
@end table

In the virtual consoles, you can use @key{Ctrl-Up}, @key{Ctrl-Down},
@key{Ctrl-PageUp} and @key{Ctrl-PageDown} to move in the back log.

During emulation, if you are using the @option{-nographic} option, use
@key{Ctrl-a h} to get terminal commands:

@table @key
@item Ctrl-a h
Print this help
@item Ctrl-a x    
Exit emulator
@item Ctrl-a s    
Save disk data back to file (if -snapshot)
@item Ctrl-a t
toggle console timestamps
@item Ctrl-a b
Send break (magic sysrq in Linux)
@item Ctrl-a c
Switch between console and monitor
@item Ctrl-a Ctrl-a
Send Ctrl-a
@end table
@c man end

@ignore

@c man begin SEEALSO
The HTML documentation of QEMU for more precise information and Linux
user mode emulator invocation.
@c man end

@c man begin AUTHOR
Fabrice Bellard
@c man end

@end ignore

@node pcsys_monitor
@section QEMU Monitor

The QEMU monitor is used to give complex commands to the QEMU
emulator. You can use it to:

@itemize @minus

@item
Remove or insert removable medias images
(such as CD-ROM or floppies)

@item 
Freeze/unfreeze the Virtual Machine (VM) and save or restore its state
from a disk file.

@item Inspect the VM state without an external debugger.

@end itemize

@subsection Commands

The following commands are available:

@table @option

@item help or ? [cmd]
Show the help for all commands or just for command @var{cmd}.

@item commit  
Commit changes to the disk images (if -snapshot is used)

@item info subcommand 
show various information about the system state

@table @option
@item info network
show the various VLANs and the associated devices
@item info block
show the block devices
@item info registers
show the cpu registers
@item info history
show the command line history
@item info pci
show emulated PCI device
@item info usb
show USB devices plugged on the virtual USB hub
@item info usbhost
show all USB host devices
@item info capture
show information about active capturing
@item info snapshots
show list of VM snapshots
@item info mice
show which guest mouse is receiving events
@end table

@item q or quit
Quit the emulator.

@item eject [-f] device
Eject a removable media (use -f to force it).

@item change device filename
Change a removable media.

@item screendump filename
Save screen into PPM image @var{filename}.

@item mouse_move dx dy [dz]
Move the active mouse to the specified coordinates @var{dx} @var{dy}
with optional scroll axis @var{dz}.

@item mouse_button val
Change the active mouse button state @var{val} (1=L, 2=M, 4=R).

@item mouse_set index
Set which mouse device receives events at given @var{index}, index
can be obtained with
@example
info mice
@end example

@item wavcapture filename [frequency [bits [channels]]]
Capture audio into @var{filename}. Using sample rate @var{frequency}
bits per sample @var{bits} and number of channels @var{channels}.

Defaults:
@itemize @minus
@item Sample rate = 44100 Hz - CD quality
@item Bits = 16
@item Number of channels = 2 - Stereo
@end itemize

@item stopcapture index
Stop capture with a given @var{index}, index can be obtained with
@example
info capture
@end example

@item log item1[,...]
Activate logging of the specified items to @file{/tmp/qemu.log}.

@item savevm [tag|id]
Create a snapshot of the whole virtual machine. If @var{tag} is
provided, it is used as human readable identifier. If there is already
a snapshot with the same tag or ID, it is replaced. More info at
@ref{vm_snapshots}.

@item loadvm tag|id
Set the whole virtual machine to the snapshot identified by the tag
@var{tag} or the unique snapshot ID @var{id}.

@item delvm tag|id
Delete the snapshot identified by @var{tag} or @var{id}.

@item stop
Stop emulation.

@item c or cont
Resume emulation.

@item gdbserver [port]
Start gdbserver session (default port=1234)

@item x/fmt addr
Virtual memory dump starting at @var{addr}.

@item xp /fmt addr
Physical memory dump starting at @var{addr}.

@var{fmt} is a format which tells the command how to format the
data. Its syntax is: @option{/@{count@}@{format@}@{size@}}

@table @var
@item count 
is the number of items to be dumped.

@item format
can be x (hexa), d (signed decimal), u (unsigned decimal), o (octal),
c (char) or i (asm instruction).

@item size
can be b (8 bits), h (16 bits), w (32 bits) or g (64 bits). On x86,
@code{h} or @code{w} can be specified with the @code{i} format to
respectively select 16 or 32 bit code instruction size.

@end table

Examples: 
@itemize
@item
Dump 10 instructions at the current instruction pointer:
@example 
(qemu) x/10i $eip
0x90107063:  ret
0x90107064:  sti
0x90107065:  lea    0x0(%esi,1),%esi
0x90107069:  lea    0x0(%edi,1),%edi
0x90107070:  ret
0x90107071:  jmp    0x90107080
0x90107073:  nop
0x90107074:  nop
0x90107075:  nop
0x90107076:  nop
@end example

@item
Dump 80 16 bit values at the start of the video memory.
@smallexample 
(qemu) xp/80hx 0xb8000
0x000b8000: 0x0b50 0x0b6c 0x0b65 0x0b78 0x0b38 0x0b36 0x0b2f 0x0b42
0x000b8010: 0x0b6f 0x0b63 0x0b68 0x0b73 0x0b20 0x0b56 0x0b47 0x0b41
0x000b8020: 0x0b42 0x0b69 0x0b6f 0x0b73 0x0b20 0x0b63 0x0b75 0x0b72
0x000b8030: 0x0b72 0x0b65 0x0b6e 0x0b74 0x0b2d 0x0b63 0x0b76 0x0b73
0x000b8040: 0x0b20 0x0b30 0x0b35 0x0b20 0x0b4e 0x0b6f 0x0b76 0x0b20
0x000b8050: 0x0b32 0x0b30 0x0b30 0x0b33 0x0720 0x0720 0x0720 0x0720
0x000b8060: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
0x000b8070: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
0x000b8080: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
0x000b8090: 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720 0x0720
@end smallexample
@end itemize

@item p or print/fmt expr

Print expression value. Only the @var{format} part of @var{fmt} is
used.

@item sendkey keys

Send @var{keys} to the emulator. Use @code{-} to press several keys
simultaneously. Example:
@example
sendkey ctrl-alt-f1
@end example

This command is useful to send keys that your graphical user interface
intercepts at low level, such as @code{ctrl-alt-f1} in X Window.

@item system_reset

Reset the system.

@item usb_add devname

Add the USB device @var{devname}.  For details of available devices see
@ref{usb_devices}

@item usb_del devname

Remove the USB device @var{devname} from the QEMU virtual USB
hub. @var{devname} has the syntax @code{bus.addr}. Use the monitor
command @code{info usb} to see the devices you can remove.

@end table

@subsection Integer expressions

The monitor understands integers expressions for every integer
argument. You can use register names to get the value of specifics
CPU registers by prefixing them with @emph{$}.

@node disk_images
@section Disk Images

Since version 0.6.1, QEMU supports many disk image formats, including
growable disk images (their size increase as non empty sectors are
written), compressed and encrypted disk images. Version 0.8.3 added
the new qcow2 disk image format which is essential to support VM
snapshots.

@menu
* disk_images_quickstart::    Quick start for disk image creation
* disk_images_snapshot_mode:: Snapshot mode
* vm_snapshots::              VM snapshots
* qemu_img_invocation::       qemu-img Invocation
* host_drives::               Using host drives
* disk_images_fat_images::    Virtual FAT disk images
@end menu

@node disk_images_quickstart
@subsection Quick start for disk image creation

You can create a disk image with the command:
@example
qemu-img create myimage.img mysize
@end example
where @var{myimage.img} is the disk image filename and @var{mysize} is its
size in kilobytes. You can add an @code{M} suffix to give the size in
megabytes and a @code{G} suffix for gigabytes.

See @ref{qemu_img_invocation} for more information.

@node disk_images_snapshot_mode
@subsection Snapshot mode

If you use the option @option{-snapshot}, all disk images are
considered as read only. When sectors in written, they are written in
a temporary file created in @file{/tmp}. You can however force the
write back to the raw disk images by using the @code{commit} monitor
command (or @key{C-a s} in the serial console).

@node vm_snapshots
@subsection VM snapshots

VM snapshots are snapshots of the complete virtual machine including
CPU state, RAM, device state and the content of all the writable
disks. In order to use VM snapshots, you must have at least one non
removable and writable block device using the @code{qcow2} disk image
format. Normally this device is the first virtual hard drive.

Use the monitor command @code{savevm} to create a new VM snapshot or
replace an existing one. A human readable name can be assigned to each
snapshot in addition to its numerical ID.

Use @code{loadvm} to restore a VM snapshot and @code{delvm} to remove
a VM snapshot. @code{info snapshots} lists the available snapshots
with their associated information:

@example
(qemu) info snapshots
Snapshot devices: hda
Snapshot list (from hda):
ID        TAG                 VM SIZE                DATE       VM CLOCK
1         start                   41M 2006-08-06 12:38:02   00:00:14.954
2                                 40M 2006-08-06 12:43:29   00:00:18.633
3         msys                    40M 2006-08-06 12:44:04   00:00:23.514
@end example

A VM snapshot is made of a VM state info (its size is shown in
@code{info snapshots}) and a snapshot of every writable disk image.
The VM state info is stored in the first @code{qcow2} non removable
and writable block device. The disk image snapshots are stored in
every disk image. The size of a snapshot in a disk image is difficult
to evaluate and is not shown by @code{info snapshots} because the
associated disk sectors are shared among all the snapshots to save
disk space (otherwise each snapshot would need a full copy of all the
disk images).

When using the (unrelated) @code{-snapshot} option
(@ref{disk_images_snapshot_mode}), you can always make VM snapshots,
but they are deleted as soon as you exit QEMU.

VM snapshots currently have the following known limitations:
@itemize
@item 
They cannot cope with removable devices if they are removed or
inserted after a snapshot is done.
@item 
A few device drivers still have incomplete snapshot support so their
state is not saved or restored properly (in particular USB).
@end itemize

@node qemu_img_invocation
@subsection @code{qemu-img} Invocation

@include qemu-img.texi

@node host_drives
@subsection Using host drives

In addition to disk image files, QEMU can directly access host
devices. We describe here the usage for QEMU version >= 0.8.3.

@subsubsection Linux

On Linux, you can directly use the host device filename instead of a
disk image filename provided you have enough proviledge to access
it. For example, use @file{/dev/cdrom} to access to the CDROM or
@file{/dev/fd0} for the floppy.

@table @code
@item CD
You can specify a CDROM device even if no CDROM is loaded. QEMU has
specific code to detect CDROM insertion or removal. CDROM ejection by
the guest OS is supported. Currently only data CDs are supported.
@item Floppy
You can specify a floppy device even if no floppy is loaded. Floppy
removal is currently not detected accurately (if you change floppy
without doing floppy access while the floppy is not loaded, the guest
OS will think that the same floppy is loaded).
@item Hard disks
Hard disks can be used. Normally you must specify the whole disk
(@file{/dev/hdb} instead of @file{/dev/hdb1}) so that the guest OS can
see it as a partitioned disk. WARNING: unless you know what you do, it
is better to only make READ-ONLY accesses to the hard disk otherwise
you may corrupt your host data (use the @option{-snapshot} command
line option or modify the device permissions accordingly).
@end table

@subsubsection Windows

@table @code
@item CD
The prefered syntax is the drive letter (e.g. @file{d:}). The
alternate syntax @file{\\.\d:} is supported. @file{/dev/cdrom} is
supported as an alias to the first CDROM drive.

Currently there is no specific code to handle removable medias, so it
is better to use the @code{change} or @code{eject} monitor commands to
change or eject media.
@item Hard disks
Hard disks can be used with the syntax: @file{\\.\PhysicalDriveN}
where @var{N} is the drive number (0 is the first hard disk).

WARNING: unless you know what you do, it is better to only make
READ-ONLY accesses to the hard disk otherwise you may corrupt your
host data (use the @option{-snapshot} command line so that the
modifications are written in a temporary file).
@end table


@subsubsection Mac OS X

@file{/dev/cdrom} is an alias to the first CDROM. 

Currently there is no specific code to handle removable medias, so it
is better to use the @code{change} or @code{eject} monitor commands to
change or eject media.

@node disk_images_fat_images
@subsection Virtual FAT disk images

QEMU can automatically create a virtual FAT disk image from a
directory tree. In order to use it, just type:

@example 
qemu linux.img -hdb fat:/my_directory
@end example

Then you access access to all the files in the @file{/my_directory}
directory without having to copy them in a disk image or to export
them via SAMBA or NFS. The default access is @emph{read-only}.

Floppies can be emulated with the @code{:floppy:} option:

@example 
qemu linux.img -fda fat:floppy:/my_directory
@end example

A read/write support is available for testing (beta stage) with the
@code{:rw:} option:

@example 
qemu linux.img -fda fat:floppy:rw:/my_directory
@end example

What you should @emph{never} do:
@itemize
@item use non-ASCII filenames ;
@item use "-snapshot" together with ":rw:" ;
@item expect it to work when loadvm'ing ;
@item write to the FAT directory on the host system while accessing it with the guest system.
@end itemize

@node pcsys_network
@section Network emulation

QEMU can simulate several networks cards (NE2000 boards on the PC
target) and can connect them to an arbitrary number of Virtual Local
Area Networks (VLANs). Host TAP devices can be connected to any QEMU
VLAN. VLAN can be connected between separate instances of QEMU to
simulate large networks. For simpler usage, a non priviledged user mode
network stack can replace the TAP device to have a basic network
connection.

@subsection VLANs

QEMU simulates several VLANs. A VLAN can be symbolised as a virtual
connection between several network devices. These devices can be for
example QEMU virtual Ethernet cards or virtual Host ethernet devices
(TAP devices).

@subsection Using TAP network interfaces

This is the standard way to connect QEMU to a real network. QEMU adds
a virtual network device on your host (called @code{tapN}), and you
can then configure it as if it was a real ethernet card.

@subsubsection Linux host

As an example, you can download the @file{linux-test-xxx.tar.gz}
archive and copy the script @file{qemu-ifup} in @file{/etc} and
configure properly @code{sudo} so that the command @code{ifconfig}
contained in @file{qemu-ifup} can be executed as root. You must verify
that your host kernel supports the TAP network interfaces: the
device @file{/dev/net/tun} must be present.

See @ref{sec_invocation} to have examples of command lines using the
TAP network interfaces.

@subsubsection Windows host

There is a virtual ethernet driver for Windows 2000/XP systems, called
TAP-Win32. But it is not included in standard QEMU for Windows,
so you will need to get it separately. It is part of OpenVPN package,
so download OpenVPN from : @url{http://openvpn.net/}.

@subsection Using the user mode network stack

By using the option @option{-net user} (default configuration if no
@option{-net} option is specified), QEMU uses a completely user mode
network stack (you don't need root priviledge to use the virtual
network). The virtual network configuration is the following:

@example

         QEMU VLAN      <------>  Firewall/DHCP server <-----> Internet
                           |          (10.0.2.2)
                           |
                           ---->  DNS server (10.0.2.3)
                           |     
                           ---->  SMB server (10.0.2.4)
@end example

The QEMU VM behaves as if it was behind a firewall which blocks all
incoming connections. You can use a DHCP client to automatically
configure the network in the QEMU VM. The DHCP server assign addresses
to the hosts starting from 10.0.2.15.

In order to check that the user mode network is working, you can ping
the address 10.0.2.2 and verify that you got an address in the range
10.0.2.x from the QEMU virtual DHCP server.

Note that @code{ping} is not supported reliably to the internet as it
would require root priviledges. It means you can only ping the local
router (10.0.2.2).

When using the built-in TFTP server, the router is also the TFTP
server.

When using the @option{-redir} option, TCP or UDP connections can be
redirected from the host to the guest. It allows for example to
redirect X11, telnet or SSH connections.

@subsection Connecting VLANs between QEMU instances

Using the @option{-net socket} option, it is possible to make VLANs
that span several QEMU instances. See @ref{sec_invocation} to have a
basic example.

@node direct_linux_boot
@section Direct Linux Boot

This section explains how to launch a Linux kernel inside QEMU without
having to make a full bootable image. It is very useful for fast Linux
kernel testing.

The syntax is:
@example
qemu -kernel arch/i386/boot/bzImage -hda root-2.4.20.img -append "root=/dev/hda"
@end example

Use @option{-kernel} to provide the Linux kernel image and
@option{-append} to give the kernel command line arguments. The
@option{-initrd} option can be used to provide an INITRD image.

When using the direct Linux boot, a disk image for the first hard disk
@file{hda} is required because its boot sector is used to launch the
Linux kernel.

If you do not need graphical output, you can disable it and redirect
the virtual serial port and the QEMU monitor to the console with the
@option{-nographic} option. The typical command line is:
@example
qemu -kernel arch/i386/boot/bzImage -hda root-2.4.20.img \
     -append "root=/dev/hda console=ttyS0" -nographic
@end example

Use @key{Ctrl-a c} to switch between the serial console and the
monitor (@pxref{pcsys_keys}).

@node pcsys_usb
@section USB emulation

QEMU emulates a PCI UHCI USB controller. You can virtually plug
virtual USB devices or real host USB devices (experimental, works only
on Linux hosts).  Qemu will automatically create and connect virtual USB hubs
as necessary to connect multiple USB devices.

@menu
* usb_devices::
* host_usb_devices::
@end menu
@node usb_devices
@subsection Connecting USB devices

USB devices can be connected with the @option{-usbdevice} commandline option
or the @code{usb_add} monitor command.  Available devices are:

@table @var
@item @code{mouse}
Virtual Mouse.  This will override the PS/2 mouse emulation when activated.
@item @code{tablet}
Pointer device that uses absolute coordinates (like a touchscreen).
This means qemu is able to report the mouse position without having
to grab the mouse.  Also overrides the PS/2 mouse emulation when activated.
@item @code{disk:file}
Mass storage device based on @var{file} (@pxref{disk_images})
@item @code{host:bus.addr}
Pass through the host device identified by @var{bus.addr}
(Linux only)
@item @code{host:vendor_id:product_id}
Pass through the host device identified by @var{vendor_id:product_id}
(Linux only)
@end table

@node host_usb_devices
@subsection Using host USB devices on a Linux host

WARNING: this is an experimental feature. QEMU will slow down when
using it. USB devices requiring real time streaming (i.e. USB Video
Cameras) are not supported yet.

@enumerate
@item If you use an early Linux 2.4 kernel, verify that no Linux driver 
is actually using the USB device. A simple way to do that is simply to
disable the corresponding kernel module by renaming it from @file{mydriver.o}
to @file{mydriver.o.disabled}.

@item Verify that @file{/proc/bus/usb} is working (most Linux distributions should enable it by default). You should see something like that:
@example
ls /proc/bus/usb
001  devices  drivers
@end example

@item Since only root can access to the USB devices directly, you can either launch QEMU as root or change the permissions of the USB devices you want to use. For testing, the following suffices:
@example
chown -R myuid /proc/bus/usb
@end example

@item Launch QEMU and do in the monitor:
@example 
info usbhost
  Device 1.2, speed 480 Mb/s
    Class 00: USB device 1234:5678, USB DISK
@end example
You should see the list of the devices you can use (Never try to use
hubs, it won't work).

@item Add the device in QEMU by using:
@example 
usb_add host:1234:5678
@end example

Normally the guest OS should report that a new USB device is
plugged. You can use the option @option{-usbdevice} to do the same.

@item Now you can try to use the host USB device in QEMU.

@end enumerate

When relaunching QEMU, you may have to unplug and plug again the USB
device to make it work again (this is a bug).

@node gdb_usage
@section GDB usage

QEMU has a primitive support to work with gdb, so that you can do
'Ctrl-C' while the virtual machine is running and inspect its state.

In order to use gdb, launch qemu with the '-s' option. It will wait for a
gdb connection:
@example
> qemu -s -kernel arch/i386/boot/bzImage -hda root-2.4.20.img \
       -append "root=/dev/hda"
Connected to host network interface: tun0
Waiting gdb connection on port 1234
@end example

Then launch gdb on the 'vmlinux' executable:
@example
> gdb vmlinux
@end example

In gdb, connect to QEMU:
@example
(gdb) target remote localhost:1234
@end example

Then you can use gdb normally. For example, type 'c' to launch the kernel:
@example
(gdb) c
@end example

Here are some useful tips in order to use gdb on system code:

@enumerate
@item
Use @code{info reg} to display all the CPU registers.
@item
Use @code{x/10i $eip} to display the code at the PC position.
@item
Use @code{set architecture i8086} to dump 16 bit code. Then use
@code{x/10i $cs*16+$eip} to dump the code at the PC position.
@end enumerate

@node pcsys_os_specific
@section Target OS specific information

@subsection Linux

To have access to SVGA graphic modes under X11, use the @code{vesa} or
the @code{cirrus} X11 driver. For optimal performances, use 16 bit
color depth in the guest and the host OS.

When using a 2.6 guest Linux kernel, you should add the option
@code{clock=pit} on the kernel command line because the 2.6 Linux
kernels make very strict real time clock checks by default that QEMU
cannot simulate exactly.

When using a 2.6 guest Linux kernel, verify that the 4G/4G patch is
not activated because QEMU is slower with this patch. The QEMU
Accelerator Module is also much slower in this case. Earlier Fedora
Core 3 Linux kernel (< 2.6.9-1.724_FC3) were known to incorporte this
patch by default. Newer kernels don't have it.

@subsection Windows

If you have a slow host, using Windows 95 is better as it gives the
best speed. Windows 2000 is also a good choice.

@subsubsection SVGA graphic modes support

QEMU emulates a Cirrus Logic GD5446 Video
card. All Windows versions starting from Windows 95 should recognize
and use this graphic card. For optimal performances, use 16 bit color
depth in the guest and the host OS.

If you are using Windows XP as guest OS and if you want to use high
resolution modes which the Cirrus Logic BIOS does not support (i.e. >=
1280x1024x16), then you should use the VESA VBE virtual graphic card
(option @option{-std-vga}).

@subsubsection CPU usage reduction

Windows 9x does not correctly use the CPU HLT
instruction. The result is that it takes host CPU cycles even when
idle. You can install the utility from
@url{http://www.user.cityline.ru/~maxamn/amnhltm.zip} to solve this
problem. Note that no such tool is needed for NT, 2000 or XP.

@subsubsection Windows 2000 disk full problem

Windows 2000 has a bug which gives a disk full problem during its
installation. When installing it, use the @option{-win2k-hack} QEMU
option to enable a specific workaround. After Windows 2000 is
installed, you no longer need this option (this option slows down the
IDE transfers).

@subsubsection Windows 2000 shutdown

Windows 2000 cannot automatically shutdown in QEMU although Windows 98
can. It comes from the fact that Windows 2000 does not automatically
use the APM driver provided by the BIOS.

In order to correct that, do the following (thanks to Struan
Bartlett): go to the Control Panel => Add/Remove Hardware & Next =>
Add/Troubleshoot a device => Add a new device & Next => No, select the
hardware from a list & Next => NT Apm/Legacy Support & Next => Next
(again) a few times. Now the driver is installed and Windows 2000 now
correctly instructs QEMU to shutdown at the appropriate moment. 

@subsubsection Share a directory between Unix and Windows

See @ref{sec_invocation} about the help of the option @option{-smb}.

@subsubsection Windows XP security problem

Some releases of Windows XP install correctly but give a security
error when booting:
@example
A problem is preventing Windows from accurately checking the
license for this computer. Error code: 0x800703e6.
@end example

The workaround is to install a service pack for XP after a boot in safe
mode. Then reboot, and the problem should go away. Since there is no
network while in safe mode, its recommended to download the full
installation of SP1 or SP2 and transfer that via an ISO or using the
vvfat block device ("-hdb fat:directory_which_holds_the_SP").

@subsection MS-DOS and FreeDOS

@subsubsection CPU usage reduction

DOS does not correctly use the CPU HLT instruction. The result is that
it takes host CPU cycles even when idle. You can install the utility
from @url{http://www.vmware.com/software/dosidle210.zip} to solve this
problem.

@node QEMU System emulator for non PC targets
@chapter QEMU System emulator for non PC targets

QEMU is a generic emulator and it emulates many non PC
machines. Most of the options are similar to the PC emulator. The
differences are mentionned in the following sections.

@menu
* QEMU PowerPC System emulator::
* Sparc32 System emulator invocation::
* Sparc64 System emulator invocation::
* MIPS System emulator invocation::
* ARM System emulator invocation::
@end menu

@node QEMU PowerPC System emulator
@section QEMU PowerPC System emulator

Use the executable @file{qemu-system-ppc} to simulate a complete PREP
or PowerMac PowerPC system.

QEMU emulates the following PowerMac peripherals:

@itemize @minus
@item 
UniNorth PCI Bridge 
@item
PCI VGA compatible card with VESA Bochs Extensions
@item 
2 PMAC IDE interfaces with hard disk and CD-ROM support
@item 
NE2000 PCI adapters
@item
Non Volatile RAM
@item
VIA-CUDA with ADB keyboard and mouse.
@end itemize

QEMU emulates the following PREP peripherals:

@itemize @minus
@item 
PCI Bridge
@item
PCI VGA compatible card with VESA Bochs Extensions
@item 
2 IDE interfaces with hard disk and CD-ROM support
@item
Floppy disk
@item 
NE2000 network adapters
@item
Serial port
@item
PREP Non Volatile RAM
@item
PC compatible keyboard and mouse.
@end itemize

QEMU uses the Open Hack'Ware Open Firmware Compatible BIOS available at
@url{http://perso.magic.fr/l_indien/OpenHackWare/index.htm}.

@c man begin OPTIONS

The following options are specific to the PowerPC emulation:

@table @option

@item -g WxH[xDEPTH]  

Set the initial VGA graphic mode. The default is 800x600x15.

@end table

@c man end 


More information is available at
@url{http://perso.magic.fr/l_indien/qemu-ppc/}.

@node Sparc32 System emulator invocation
@section Sparc32 System emulator invocation

Use the executable @file{qemu-system-sparc} to simulate a SparcStation 5
(sun4m architecture). The emulation is somewhat complete.

QEMU emulates the following sun4m peripherals:

@itemize @minus
@item
IOMMU
@item
TCX Frame buffer
@item 
Lance (Am7990) Ethernet
@item
Non Volatile RAM M48T08
@item
Slave I/O: timers, interrupt controllers, Zilog serial ports, keyboard
and power/reset logic
@item
ESP SCSI controller with hard disk and CD-ROM support
@item
Floppy drive
@end itemize

The number of peripherals is fixed in the architecture.

Since version 0.8.2, QEMU uses OpenBIOS
@url{http://www.openbios.org/}. OpenBIOS is a free (GPL v2) portable
firmware implementation. The goal is to implement a 100% IEEE
1275-1994 (referred to as Open Firmware) compliant firmware.

A sample Linux 2.6 series kernel and ram disk image are available on
the QEMU web site. Please note that currently NetBSD, OpenBSD or
Solaris kernels don't work.

@c man begin OPTIONS

The following options are specific to the Sparc emulation:

@table @option

@item -g WxH

Set the initial TCX graphic mode. The default is 1024x768.

@end table

@c man end 

@node Sparc64 System emulator invocation
@section Sparc64 System emulator invocation

Use the executable @file{qemu-system-sparc64} to simulate a Sun4u machine.
The emulator is not usable for anything yet.

QEMU emulates the following sun4u peripherals:

@itemize @minus
@item
UltraSparc IIi APB PCI Bridge 
@item
PCI VGA compatible card with VESA Bochs Extensions
@item
Non Volatile RAM M48T59
@item
PC-compatible serial ports
@end itemize

@node MIPS System emulator invocation
@section MIPS System emulator invocation

Use the executable @file{qemu-system-mips} to simulate a MIPS machine.
The emulator is able to boot a Linux kernel and to run a Linux Debian
installation from NFS. The following devices are emulated:

@itemize @minus
@item 
MIPS R4K CPU
@item
PC style serial port
@item
NE2000 network card
@end itemize

More information is available in the QEMU mailing-list archive.

@node ARM System emulator invocation
@section ARM System emulator invocation

Use the executable @file{qemu-system-arm} to simulate a ARM
machine. The ARM Integrator/CP board is emulated with the following
devices:

@itemize @minus
@item
ARM926E or ARM1026E CPU
@item
Two PL011 UARTs
@item 
SMC 91c111 Ethernet adapter
@item
PL110 LCD controller
@item
PL050 KMI with PS/2 keyboard and mouse.
@end itemize

The ARM Versatile baseboard is emulated with the following devices:

@itemize @minus
@item
ARM926E CPU
@item
PL190 Vectored Interrupt Controller
@item
Four PL011 UARTs
@item 
SMC 91c111 Ethernet adapter
@item
PL110 LCD controller
@item
PL050 KMI with PS/2 keyboard and mouse.
@item
PCI host bridge.  Note the emulated PCI bridge only provides access to
PCI memory space.  It does not provide access to PCI IO space.
This means some devices (eg. ne2k_pci NIC) are not useable, and others
(eg. rtl8139 NIC) are only useable when the guest drivers use the memory
mapped control registers.
@item
PCI OHCI USB controller.
@item
LSI53C895A PCI SCSI Host Bus Adapter with hard disk and CD-ROM devices.
@end itemize

The ARM RealView Emulation baseboard is emulated with the following devices:

@itemize @minus
@item
ARM926E CPU
@item
ARM AMBA Generic/Distributed Interrupt Controller
@item
Four PL011 UARTs
@item 
SMC 91c111 Ethernet adapter
@item
PL110 LCD controller
@item
PL050 KMI with PS/2 keyboard and mouse
@item
PCI host bridge
@item
PCI OHCI USB controller
@item
LSI53C895A PCI SCSI Host Bus Adapter with hard disk and CD-ROM devices
@end itemize

A Linux 2.6 test image is available on the QEMU web site. More
information is available in the QEMU mailing-list archive.

@node QEMU User space emulator 
@chapter QEMU User space emulator 

@menu
* Supported Operating Systems ::
* Linux User space emulator::
* Mac OS X/Darwin User space emulator ::
@end menu

@node Supported Operating Systems
@section Supported Operating Systems

The following OS are supported in user space emulation:

@itemize @minus
@item
Linux (refered as qemu-linux-user)
@item
Mac OS X/Darwin (refered as qemu-darwin-user)
@end itemize

@node Linux User space emulator
@section Linux User space emulator

@menu
* Quick Start::
* Wine launch::
* Command line options::
* Other binaries::
@end menu

@node Quick Start
@subsection Quick Start

In order to launch a Linux process, QEMU needs the process executable
itself and all the target (x86) dynamic libraries used by it. 

@itemize

@item On x86, you can just try to launch any process by using the native
libraries:

@example 
qemu-i386 -L / /bin/ls
@end example

@code{-L /} tells that the x86 dynamic linker must be searched with a
@file{/} prefix.

@item Since QEMU is also a linux process, you can launch qemu with
qemu (NOTE: you can only do that if you compiled QEMU from the sources):

@example 
qemu-i386 -L / qemu-i386 -L / /bin/ls
@end example

@item On non x86 CPUs, you need first to download at least an x86 glibc
(@file{qemu-runtime-i386-XXX-.tar.gz} on the QEMU web page). Ensure that
@code{LD_LIBRARY_PATH} is not set:

@example
unset LD_LIBRARY_PATH 
@end example

Then you can launch the precompiled @file{ls} x86 executable:

@example
qemu-i386 tests/i386/ls
@end example
You can look at @file{qemu-binfmt-conf.sh} so that
QEMU is automatically launched by the Linux kernel when you try to
launch x86 executables. It requires the @code{binfmt_misc} module in the
Linux kernel.

@item The x86 version of QEMU is also included. You can try weird things such as:
@example
qemu-i386 /usr/local/qemu-i386/bin/qemu-i386 \
          /usr/local/qemu-i386/bin/ls-i386
@end example

@end itemize

@node Wine launch
@subsection Wine launch

@itemize

@item Ensure that you have a working QEMU with the x86 glibc
distribution (see previous section). In order to verify it, you must be
able to do:

@example
qemu-i386 /usr/local/qemu-i386/bin/ls-i386
@end example

@item Download the binary x86 Wine install
(@file{qemu-XXX-i386-wine.tar.gz} on the QEMU web page). 

@item Configure Wine on your account. Look at the provided script
@file{/usr/local/qemu-i386/@/bin/wine-conf.sh}. Your previous
@code{$@{HOME@}/.wine} directory is saved to @code{$@{HOME@}/.wine.org}.

@item Then you can try the example @file{putty.exe}:

@example
qemu-i386 /usr/local/qemu-i386/wine/bin/wine \
          /usr/local/qemu-i386/wine/c/Program\ Files/putty.exe
@end example

@end itemize

@node Command line options
@subsection Command line options

@example
usage: qemu-i386 [-h] [-d] [-L path] [-s size] program [arguments...]
@end example

@table @option
@item -h
Print the help
@item -L path   
Set the x86 elf interpreter prefix (default=/usr/local/qemu-i386)
@item -s size
Set the x86 stack size in bytes (default=524288)
@end table

Debug options:

@table @option
@item -d
Activate log (logfile=/tmp/qemu.log)
@item -p pagesize
Act as if the host page size was 'pagesize' bytes
@end table

@node Other binaries
@subsection Other binaries

@command{qemu-arm} is also capable of running ARM "Angel" semihosted ELF
binaries (as implemented by the arm-elf and arm-eabi Newlib/GDB
configurations), and arm-uclinux bFLT format binaries.

@command{qemu-m68k} is capable of running semihosted binaries using the BDM
(m5xxx-ram-hosted.ld) or m68k-sim (sim.ld) syscall interfaces, and
coldfire uClinux bFLT format binaries.

The binary format is detected automatically.

@node Mac OS X/Darwin User space emulator
@section Mac OS X/Darwin User space emulator

@menu
* Mac OS X/Darwin Status::
* Mac OS X/Darwin Quick Start::
* Mac OS X/Darwin Command line options::
@end menu

@node Mac OS X/Darwin Status
@subsection Mac OS X/Darwin Status

@itemize @minus
@item
target x86 on x86: Most apps (Cocoa and Carbon too) works. [1]
@item
target PowerPC on x86: Not working as the ppc commpage can't be mapped (yet!)
@item
target PowerPC on PowerPC: Most apps (Cocoa and Carbon too) works. [1]
@item
target x86 on PowerPC: most utilities work. Cocoa and Carbon apps are not yet supported.
@end itemize

[1] If you're host commpage can be executed by qemu.

@node Mac OS X/Darwin Quick Start
@subsection Quick Start

In order to launch a Mac OS X/Darwin process, QEMU needs the process executable
itself and all the target dynamic libraries used by it. If you don't have the FAT
libraries (you're running Mac OS X/ppc) you'll need to obtain it from a Mac OS X
CD or compile them by hand.

@itemize

@item On x86, you can just try to launch any process by using the native
libraries:

@example 
qemu-i386 /bin/ls
@end example

or to run the ppc version of the executable:

@example 
qemu-ppc /bin/ls
@end example

@item On ppc, you'll have to tell qemu where your x86 libraries (and dynamic linker)
are installed:

@example 
qemu-i386 -L /opt/x86_root/ /bin/ls
@end example

@code{-L /opt/x86_root/} tells that the dynamic linker (dyld) path is in
@file{/opt/x86_root/usr/bin/dyld}.

@end itemize

@node Mac OS X/Darwin Command line options
@subsection Command line options

@example
usage: qemu-i386 [-h] [-d] [-L path] [-s size] program [arguments...]
@end example

@table @option
@item -h
Print the help
@item -L path   
Set the library root path (default=/)
@item -s size
Set the stack size in bytes (default=524288)
@end table

Debug options:

@table @option
@item -d
Activate log (logfile=/tmp/qemu.log)
@item -p pagesize
Act as if the host page size was 'pagesize' bytes
@end table

@node compilation
@chapter Compilation from the sources

@menu
* Linux/Unix::
* Windows::
* Cross compilation for Windows with Linux::
* Mac OS X::
@end menu

@node Linux/Unix
@section Linux/Unix

@subsection Compilation

First you must decompress the sources:
@example
cd /tmp
tar zxvf qemu-x.y.z.tar.gz
cd qemu-x.y.z
@end example

Then you configure QEMU and build it (usually no options are needed):
@example
./configure
make
@end example

Then type as root user:
@example
make install
@end example
to install QEMU in @file{/usr/local}.

@subsection GCC version

In order to compile QEMU successfully, it is very important that you
have the right tools. The most important one is gcc. On most hosts and
in particular on x86 ones, @emph{gcc 4.x is not supported}. If your
Linux distribution includes a gcc 4.x compiler, you can usually
install an older version (it is invoked by @code{gcc32} or
@code{gcc34}). The QEMU configure script automatically probes for
these older versions so that usally you don't have to do anything.

@node Windows
@section Windows

@itemize
@item Install the current versions of MSYS and MinGW from
@url{http://www.mingw.org/}. You can find detailed installation
instructions in the download section and the FAQ.

@item Download 
the MinGW development library of SDL 1.2.x
(@file{SDL-devel-1.2.x-@/mingw32.tar.gz}) from
@url{http://www.libsdl.org}. Unpack it in a temporary place, and
unpack the archive @file{i386-mingw32msvc.tar.gz} in the MinGW tool
directory. Edit the @file{sdl-config} script so that it gives the
correct SDL directory when invoked.

@item Extract the current version of QEMU.
 
@item Start the MSYS shell (file @file{msys.bat}).

@item Change to the QEMU directory. Launch @file{./configure} and 
@file{make}.  If you have problems using SDL, verify that
@file{sdl-config} can be launched from the MSYS command line.

@item You can install QEMU in @file{Program Files/Qemu} by typing 
@file{make install}. Don't forget to copy @file{SDL.dll} in
@file{Program Files/Qemu}.

@end itemize

@node Cross compilation for Windows with Linux
@section Cross compilation for Windows with Linux

@itemize
@item
Install the MinGW cross compilation tools available at
@url{http://www.mingw.org/}.

@item 
Install the Win32 version of SDL (@url{http://www.libsdl.org}) by
unpacking @file{i386-mingw32msvc.tar.gz}. Set up the PATH environment
variable so that @file{i386-mingw32msvc-sdl-config} can be launched by
the QEMU configuration script.

@item 
Configure QEMU for Windows cross compilation:
@example
./configure --enable-mingw32
@end example
If necessary, you can change the cross-prefix according to the prefix
choosen for the MinGW tools with --cross-prefix. You can also use
--prefix to set the Win32 install path.

@item You can install QEMU in the installation directory by typing 
@file{make install}. Don't forget to copy @file{SDL.dll} in the
installation directory. 

@end itemize

Note: Currently, Wine does not seem able to launch
QEMU for Win32.

@node Mac OS X
@section Mac OS X

The Mac OS X patches are not fully merged in QEMU, so you should look
at the QEMU mailing list archive to have all the necessary
information.

@node Index
@chapter Index
@printindex cp

@bye