OpenWrt Forum Archive

Topic: Qemu running OpenWrt (MIPS)

The content of this topic has been archived on 22 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I am pleased to announce a new "router" running OpenWrt:

The MIPS emulator Qemu (see
now runs OpenWrt trunk.

I used the kernel from the AR7 device Sinus 154 DSL Basic SE

MIPS support in Qemu improved a lot last week.

Maybe this is the first time OpenWrt ran on an emulated system.
Emulation offers new possibilities to "watch" a running system -
somehow like an in-circuit-emulator.

~/src/qemu$ mipsel-ar7-softmmu/qemu-system-mips -L boot -kernel ~/src/openwrt/build_mipsel/linux-2.4-ar7/linux-2.4.32/vmlinux -nographic
(qemu) bios_load: load BIOS 'boot/flashimage.bin' size 2097152
bios_load: load BIOS 'boot/0xbfc00000.bin' size 4096
qemu: elf kernel '/home/stefan/src/openwrt/build_mipsel/linux-2.4-ar7/linux-2.4.32/vmlinux' with start address 0x9415a04c

argc = 0
argv = 0x00000000
envp = 0x00000000
prom_vec = 0x00000000

LINUX started...
CPU revision is: 00018448
Primary instruction cache 16kB, physically tagged, 4-way, linesize 16 bytes.
Primary data cache 16kB, 4-way, linesize 16 bytes.
Linux version 2.4.32 (user@linux) (gcc version 3.4.5 (OpenWrt-2.0)) #49 Do Apr 27 22:52:38 CEST 2006
Determined physical RAM map:
 memory: 00000000 @ 14000000 (ROM data)
 memory: 01000000 @ 14000000 (usable)
max_low_pfn = 0x00015000
On node 0 totalpages: 4096
zone(0): 4096 pages.
zone(1): 0 pages.
zone(2): 0 pages.
start = 0x14000000, end = 0x13ffffff, maxmem = 0x20000000
start = 0x14000000, end = 0x14ffffff, maxmem = 0x20000000
Kernel command line: root=/dev/mtdblock4 rootfstype=squashfs debug console=ttyS0,115200 init=/etc/preinit.sinus154 noinitrd
set_except_vector: using long jump via k0 to reach 940051e0
the pacing pre-scalar has been set as 600.
set_except_vector: using long jump via k0 to reach 94135d40
Using 75.000 MHz high precision timer.
Calibrating delay loop... 340.78 BogoMIPS
Memory: 14480k/16384k available (1374k kernel code, 1904k reserved, 88k data, 72k init, 0k highmem)
Dentry cache hash table entries: 2048 (order: 2, 16384 bytes)
Inode cache hash table entries: 1024 (order: 1, 8192 bytes)
Mount cache hash table entries: 512 (order: 0, 4096 bytes)
Buffer cache hash table entries: 1024 (order: 0, 4096 bytes)
Page-cache hash table entries: 4096 (order: 2, 16384 bytes)
Checking for 'wait' instruction...  available.
POSIX conformance testing by UNIFIX
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
devfs: v1.12c (20020818) Richard Gooch (
devfs: boot_options: 0x1
squashfs: version 3.0 (2006/03/15) Phillip Lougher
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with no serial options enabled
ttyS00 at 0xa8610e00 (irq = 15) is a 16450
ledmod.c:1030 led_init
gpio.c:354 board_gpio_init
ledmod.c:1078 register_led_drv(25,...)
ledmod.c:1078 register_led_drv(5,...)
ledmod.c:1078 register_led_drv(12,...)
VLYNQ INIT FAILED: Please try cold reboot.
VLYNQ 0 : init failed
VLYNQ 1 : init failed
ar7_wdt: last system reset initiated by hardware reset
ar7_wdt: disabling watchdog timer
ar7_wdtfailed to unlock WDT disable reg
ar7_wdtfailed to unlock WDT prescale reg
ar7_wdtfailed to unlock WDT change reg
ar7_wdt: timer margin 59 seconds (prescale 65535, change 57180, freq 62500000)
psp_config_build.c:130 detected cpmac_phy = 0
Using the MAC with internal PHY
Cpmac driver is allocating buffer memory at init time.
Using the MAC with internal PHY
Cpmac driver Disable TX complete interrupt setting threshold to 20.
ar7 flash device: 0x200000 at 0x10000000.
write access to ROM at vaddr=0xb0000000 paddr=0x10000000
write access to ROM at vaddr=0xb000a000 paddr=0x1000a000
write access to ROM at vaddr=0xb0005000 paddr=0x10005000
write access to ROM at vaddr=0xb0015000 paddr=0x10015000
CFI: Found no Physically mapped flash device at location zero
ar7 flash device: 0x1000 at 0x1fc00000.
Creating 1 MTD partitions on "Boot PROM":
0x00000000-0x00001000 : "Boot PROM"
Sinus154 flash device: 0x200000 at 0x10000000.
CFI: Found no Sinus 154 Flash device at location zero
Sinus154 flash device: no flash found, using fallback to ROM map.
Creating 6 MTD partitions on "Sinus 154 Flash":
0x00000000-0x00020000 : "Boot"
0x00020000-0x00040000 : "Configuration"
0x00040000-0x00050000 : "Web Prefix"
0x00050000-0x00110000 : "Web Image"
0x00110000-0x001f0000 : "Code Image"
0x001f0000-0x00200000 : "Boot Params"
Initializing Cryptographic API
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 1024 bind 2048)
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
VFS: Mounted root (squashfs filesystem) readonly.
Mounted devfs on /dev
Can't preserve ADAM2 memory, firstfreeaddress unknown!
Freeing prom memory: 0kb freed
Freeing unused kernel memory: 72k freed
irq.c:172 startup_avalanche_irq(15)
Algorithmics/MIPS FPU Emulator v1.5
irq.c:172 startup_avalanche_irq(27)
Break instruction in kernel code in traps.c::do_bp, line 593:
$0 : 00000000 10008401 00000000 94db0000 94da80b8 00000000 00000019 94f272a0
$8 : 00000000 94131000 00000dcc 00001000 941d4f54 000006e7 941af018 94190000
$16: 94da8000 94160000 94db0000 94db0000 00000100 00000000 00000000 100d0c5c
$24: 9418e6f4 ba2e8ba3                   94db0000 94db1ef0 00000000 940172a0
Hi : 00000000
Lo : 00000001
epc   : 940172a0    Not tainted
Status: 10008403
Cause : 10800024
PrId  : 00018448
Process hotplug (pid: 38, stackpage=94db0000)
Stack:    2ab96bc0 2ab95df0 94f9f9a0 94fa06c0 00000001 100cc994 100cc984
 10002a48 100cc99c 940172e4 2ac22500 10002a48 100cc99c 00000000 94007c00
 9400fb30 100cbb98 100d0c5c 00000000 100cb99d ffffffff 00000000 00000000
 10002a80 00000fa1 2ac22644 00000001 2abdfc88 ffffffff 100cb608 100cb700
 00404e98 2aaad360 2ab8dd64 0000035c 0006cf04 00000001 2ab8fe34 00000001
 100cc994 ...
Call Trace:   [<940172e4>] [<94007c00>] [<9400fb30>]

Code: 3821001e  0d003f73  40816000 <0200000d> 09005b62  00000000  27bdffe8  afb00010  afbf0014
irq.c:172 startup_avalanche_irq(27)
+ . /etc/
+ export PATH=/bin:/sbin:/usr/bin:/usr/sbin
+ mount /dev
mount: Mounting devfs on /dev failed: Device or resource busy
+ mount /proc
+ mount /tmp
+ [ -f /dev/mtdblock/3 ]
+ ifup lan
Segmentation fault
+ arping -c 1 -q
+ [ -f /proc/sys/diag ]
+ [ -f /proc/sys/reset ]
+ exec /sbin/init
irq.c:172 startup_avalanche_irq(15)
irq.c:172 startup_avalanche_irq(15)
init started:  BusyBox v1.1.2 (2006.04.24-20:20+0000) multi-call binary
irq.c:172 startup_avalanche_irq(15)
irq.c:172 startup_avalanche_irq(15)
device eth0 entered promiscuous mode
irq.c:172 startup_avalanche_irq(27)

Please press Enter to activate this console. Jan  1 01:00:34 crond[175]: crond 2.3.2 dillon, started, log level 8

BusyBox v1.1.2 (2006.04.24-20:20+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (bleeding edge, r3704) -------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
root@OpenWrt:/# ls -l
drwxr-xr-x    2 root     root          546 Apr  5  2006 bin
drwxr-xr-x    1 root     root            0 Jan  1  1970 dev
drwxr-xr-x    7 root     root          317 Mar  6  2006 etc
drwxr-xr-x    2 root     root            3 Apr  5  2006 jffs
drwxr-xr-x    2 root     root          374 Apr 24  2006 lib
drwxr-xr-x    2 root     root            3 Apr  5  2006 mnt
drwxr-xr-x    2 root     root            3 Apr 24  2006 net
dr-xr-xr-x   32 root     root            0 Jan  1 01:00 proc
drwxr-xr-x    2 root     root           21 Apr 24  2006 rom
drwxr-xr-x    2 root     root          332 Mar  6  2006 sbin
drwxr-xr-x    2 root     root            3 Apr  5  2006 sys
drwxrwxrwt    5 root     root          100 Jan  1 01:00 tmp
drwxr-xr-x    6 root     root           47 Apr  5  2006 usr
lrwxrwxrwx    1 root     root            4 Apr 24  2006 var -> /tmp
drwxr-xr-x    2 root     root           38 Apr 24  2006 www

I am still looking for people who help to improve the AR7 simulation
(flash simulation, ethernet, ...).

Qemu also boots ADAM2 based systems (at least to the first kernel messages).


(Last edited by sw on 14 May 2006, 08:05)

Damn, you did great work! Does it also work for brcm boards? Keep on doing this great job.

florian_ wrote:

Does it also work for brcm boards?

Merci, Florian.

Broadcom based routers might work with some smaller modifications, too:

* The Broadcom chips are MIPS32 - this is supported

* The serial ports are compatible - they are supported but
   I need the memory addresses to support them with Qemu.
   For full operation, interrupt handling needs additional information.

* All other devices (ethernet, usb, ...) won't work, but I must
   know the memory range of these devices.

With these modifications, the kernel (vmlinux ELF file) should
start booting, but will fail when it tries to find the root filesystem.

To test a complete system, Qemu needs a complete dump of all
ROM (0xbfc00000) / FLASH memory blocks. This will also test
the boot loader (ADAM2 works with AR7).

(20071119) The latest versions no longer need the ROM dump. Without ROM,
they just jump to address 0xb0000000.

MTD partitions need a small kernel modification. The current
Qemu does not emulate flash, so we need a fallback which
accepts ROM when it does not find FLASH. Here is the code I
used for AR7:

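    /* Probe for CFI flash first; QEMU does not emulate flash, so this fails. */
    sinus154_mtd_info = do_map_probe("cfi_probe", &sinus154_map);
    if (sinus154_mtd_info == 0) {
        printk(KERN_NOTICE "Sinus154 flash device: no flash found, using fallback to ROM map.\n");
        /* Fall back to a read-only ROM mapping of the same region. */
        sinus154_mtd_info = do_map_probe("map_rom", &sinus154_map);
    }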

Of course, ROM support for MTD must be enabled in the kernel configuration.
With this modification, a serial Linux console might work.



(Last edited by sw on 19 Nov 2007, 23:15)

florian_ wrote:

Damn, you did great work! Does it also work for brcm boards? Keep on doing this great job.

I just quote about the good work.



N.B.: As soon as you get more order in your testbed, can you write some docs for us dumb users? ;-)

I uploaded the patched QEMU sources, a README, kernel and filesystem
so everybody can run OpenWrt without need for a router. Get the files from … up_id=3721

All you need is a PC running Linux. You will get an emulation of an
AR7 based router with serial console. Sorry, ethernet is still not working.

The emulation can also run different bootloaders (e.g. ADAM2 and BRN).
Because of copyright, you will have to get firmware from your real hardware
to test this.


Your files boot beautifully!
I tried to rebuild from svn openwrt ar7 and do get things like
openwrt-ar7-2.4-squashfs.bin 2939160
1560576 2006-05-15 14:04 vmlinux
but it won't boot!
The messages stop as follows:
bios_load: load BIOS './flashimage.bin' size 2939160
mips_r4k_init: ram_base = 0xaee81000, ram_size = 0x08000000, bios_offset = 0x086cd918
mips_r4k_init: load BIOS './mips_bios.bin' size 8388608
Could you please give some more details on how and what needs to be done with openwrt_svn_ar7
to obtain the same as yours?

The AR7 kernel vmlinux should start booting when you use command line option
"-kernel vmlinux" (add path for vmlinux if needed). It will fail when it tries
to mount the root filesystem.

A full boot needs a working root filesystem which is usually in flash.
My demo files are based on the flash layout for Sinus 154 DSL Basic SE,
so the AR7 port of OpenWrt trunk won't work without the patches
for the Sinus router.

The unpatched OpenWrt needs the flash layout of one of the supported routers.
The flash is divided in logical partitions. Two partitions are always needed:
ADAM2 environment settings and root filesystem. All other partitions may be filled
with dummy data (0xff).

The easiest way to get a flash image is to make a copy from a real router.
The precompiled QEMU expects a flashimage.bin of 2 MiB or 4 MiB.
If your flash image is 8 MiB or larger, you must recompile QEMU.
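
An added example, not part of the original post or the QEMU/OpenWrt sources: one way to assemble a flashimage.bin as described above, with unused partitions filled with 0xff. The partition offsets are copied from the "Sinus 154 Flash" boot log earlier in this topic; the function name, the payload bytes and the choice of partitions for them are assumptions.

```python
# Added example (not from the thread): build a QEMU flashimage.bin.
# Partition offsets are copied from the "Sinus 154 Flash" boot log above.

MIB = 1024 * 1024
ACCEPTED_SIZES = (2 * MIB, 4 * MIB)  # sizes the precompiled QEMU expects

# (start, end, name) as the kernel prints them; end is exclusive.
SINUS154_LAYOUT = [
    (0x000000, 0x020000, "Boot"),
    (0x020000, 0x040000, "Configuration"),
    (0x040000, 0x050000, "Web Prefix"),
    (0x050000, 0x110000, "Web Image"),
    (0x110000, 0x1F0000, "Code Image"),
    (0x1F0000, 0x200000, "Boot Params"),
]


def build_flash_image(layout, payloads, flash_size=2 * MIB):
    """Return flash_size bytes of 0xff with each payload at its partition start."""
    if flash_size not in ACCEPTED_SIZES:
        raise ValueError("flashimage.bin must be 2 MiB or 4 MiB")
    prev_end = 0
    for start, end, name in sorted(layout):
        if start < prev_end or start >= end or end > flash_size:
            raise ValueError(f"partition {name!r} overlaps or exceeds the flash")
        prev_end = end
    bounds = {name: (start, end) for start, end, name in layout}
    image = bytearray(b"\xff" * flash_size)  # erased flash reads as 0xff
    for name, data in payloads.items():
        start, end = bounds[name]  # KeyError for an unknown partition name
        if len(data) > end - start:
            raise ValueError(f"{len(data)} bytes do not fit into {name!r}")
        image[start:start + len(data)] = data
    return bytes(image)


if __name__ == "__main__":
    # Constructed placeholder payloads; which partition holds the environment
    # settings and the root filesystem on a given router is an assumption here.
    demo = build_flash_image(
        SINUS154_LAYOUT,
        {"Boot Params": b"ENV-PLACEHOLDER", "Web Image": b"ROOTFS-PLACEHOLDER"},
    )
    with open("flashimage.bin", "wb") as fh:
        fh.write(demo)
    print(f"wrote {len(demo)} bytes")
```
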


Thank you sw for your work. It has been very useful to me.



Hi all,

sw, congratulations on your great work! I would like to be able to emulate the rb532 (mipsel) version of OpenWrt with qemu, but I admit I don't really know where to start. Would you have any pointers for me? Thanks in advance.



(Last edited by toboz on 4 Aug 2007, 11:23)

I wanted to say this is great work! Is there anything newer in the almost 2 years since?

RoundSparrow wrote:

Is there anything newer in the almost 2 years since?

There is something newer: the latest source code in SVN is 2 days old.

And it works with the latest kernels ( ...

Update: QEMU switched from svn to git, so QEMU for AR7 had to switch, too.
Get the latest code here: (tested and working with linux

(Last edited by sw on 12 May 2009, 17:44)

does not work :(

./qemu-system-mipsel -M ar7
mips_ar7_common_init: ram_base = 0x7ff7aa96e000, ram_size = 0x08000000
Not enough memory (requested_size = 4096, max memory = 134217728 134217728

Guys, I am new to this. Is it possible to install OpenWrt on the Fritzbox, for example? Am I in the right place? Please advise.

I am trying to run brcm47xx elf image via qemu-system-mips, but I get this message:

rom: requested regions overlap (rom prom. free=0x00000000004670cc, addr=0x0000000000002000)
rom loading failed

The command I used was -

qemu-system-mips -kernel openwrt-brcm47xx....elf


qemu-system-mips -M malta -kernel openwrt-brcm47xx....elf

I have no problem running an elf image for the ARM architecture.
Should I make some special settings when creating elf image for brcm47xx?

Thank you,

there is a dedicated Malta target but there is a ticket open:

I don't know about the differences between the elf images, but maybe select a different machine in qemu or different parameters?

Hi All!

Can somebody help me with this? I'm new to OpenWRT, just built a couple of images and I want to try them out in an emulator before flashing them.
- platform, AR71xx -> mips (TP-Link Archer C5)
- Ubuntu 14.04 Lts
- qemu 2.0.0

I don't really know what to do, so a small guide would be pretty useful! (I tried to search the net as well)


The discussion might have continued from here.