Investigate Qemu MIPS Malta Serial Communication

On one of my task session, I want to explore whether Qemu’s MIPS Malta Serial Communication is functioning properly as it is said from their documentations. The emulator should properly shows the transmitted character to the emulated serial port.

To achieve the above goal, I’ve found small program called the barebone from It is basically a program that transmit the hello world string to the designated serial port.

Since the emulator is emulating CBUS UART (a TI 16C550C) chipset, I have to revise the port base and offset address in according to the malta board specification.

The serial port for malta board is registered at 0x1F000900 physical address. In the application it the base register address should be revised to 0xBF000900, because the MIPS is using the virtual to physical address translation.

The register offset should to proper address also, for example the line control register which is used by the program should be revised to:


After compiling using make:


And test the result using parameters below:


The hello world string output should show in the file, but it did not.

I decided to perform detailed examination by debugging and I arrived at the callstack below:


The null_chr_write function is just an empty function which emulate the “null” state.

When I specify the parameter -serial file:mySerial.txt the emulator is trying to register the device by doing series of call sequences below (qemu-char.c) :


At the end of the above sequence, the write function is initialized with the statement chr->chr_write = win_chr_write and the specified device is added to the chardevs list.

But why the emulator still call the null_chr_write instead of of win_chr_write ?

Here is the access path of the null_chr_write function:

MemoryRegion *mr
SerialState *s = opaque
(CharDriverState*) s->chr

The MemoryRegion for serial interface is initialized at serial_mm_init with callstack sequence as follow:


The causes of a null_chr_write can be found by checking the call to malta_fpga_init which has the function prototype:


This function is used at mips_malta_init (mips_malta.c) by passing the serial_hds[2] as its fourth parameter. The serial_hds array value is also initialized at mips_malta_init as follows:


From the above routines, the emulator will automatically create the null character device when it is not found one. When I passed the -serial file:mySerial.txt, it will registered as “serial0” in the serial name description at serial_parse function (vl.c).

Based on the above clue, the proper parameters for serial output redirection for MIPS Malta emulator is:


Here’s the output in the mySerial.txt:



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: