I don't know if I'm doing this correct, if if I have the debugger setup correct, however:
It seem the closest point in the trampoline I can find a breakpoint for, before we get to the memory overlap is a breakpoint 0x20dccc
Breakpoint 2, 0x000000000020dccc in ?? ()
(gdb) display/i $pc
1: x/i $pc
=> 0x20dccc: stwu r1,-80(r1)
(gdb) stepi
0x000000000020dcd0 in ?? ()
1: x/i $pc
=> 0x20dcd0: stw r6,116(r1)
(gdb)
0x000000000020dcd4 in ?? ()
1: x/i $pc
=> 0x20dcd4: stw r7,120(r1)
(gdb)
0x000000000020dcd8 in ?? ()
1: x/i $pc
=> 0x20dcd8: stw r8,124(r1)
(gdb)
0x000000000020dcdc in ?? ()
1: x/i $pc
=> 0x20dcdc: stw r9,128(r1)
(gdb)
0x000000000020dce0 in ?? ()
1: x/i $pc
=> 0x20dce0: stw r10,132(r1)
(gdb)
0x000000000020dce4 in ?? ()
1: x/i $pc
=> 0x20dce4: lwz r30,-12(r2)
(gdb)
0x000000000020dce8 in ?? ()
1: x/i $pc
=> 0x20dce8: mr r29,r5
(gdb)
0x000000000020dcec in ?? ()
1: x/i $pc
=> 0x20dcec: addi r6,r2,26808
(gdb)
0x000000000020dcf0 in ?? ()
1: x/i $pc
=> 0x20dcf0: addi r8,r29,2
(gdb)
0x000000000020dcf4 in ?? ()
1: x/i $pc
=> 0x20dcf4: stw r6,0(r30)
(gdb)
0x000000000020dcf8 in ?? ()
1: x/i $pc
=> 0x20dcf8: cmpwi r29,0
(gdb)
0x000000000020dcfc in ?? ()
1: x/i $pc
=> 0x20dcfc: stw r8,4(r30)
(gdb)
0x000000000020dd00 in ?? ()
1: x/i $pc
=> 0x20dd00: addi r31,r1,120
(gdb)
0x000000000020dd04 in ?? ()
1: x/i $pc
=> 0x20dd04: lwz r9,116(r1)
(gdb)
0x000000000020dd08 in ?? ()
1: x/i $pc
=> 0x20dd08: addi r7,r30,20
(gdb)
0x000000000020dd0c in ?? ()
1: x/i $pc
=> 0x20dd0c: addi r9,r9,1
(gdb)
0x000000000020dd10 in ?? ()
1: x/i $pc
=> 0x20dd10: stw r9,8(r30)
(gdb)
0x000000000020dd14 in ?? ()
1: x/i $pc
=> 0x20dd14: stw r3,12(r30)
(gdb)
0x000000000020dd18 in ?? ()
1: x/i $pc
=> 0x20dd18: stw r4,16(r30)
(gdb)
0x000000000020dd1c in ?? ()
1: x/i $pc
That maybe just gibberish, I don't know PPC assembly and I've only used gdb a few times to step though some C code, and never tried to debug a running target in Qemu.
Let me know if I'm barking up the wrong tree here?
The trampoline seem to hit that address a few times, so it breaks @ 0x20dccc a few times before it gets to this point:
Hardware info:
Dumping 192 bytes @ 0x3FEE4000
3FEE4000: 00C00000 6400000C 64048084 00003000
3FEE4010: 3FEDD000 3FEDF000 80040000 00000000
3FEE4020: 00000000 00000000 00000000 00000000
3FEE4030: 00000000 00000000 00000000 00001400
3FEE4040: 00000000 00000000 00000000 00000000
3FEE4050: 00000000 00000000 00000000 00000000
3FEE4060: 00000000 00000000 00000000 00000000
3FEE4070: 486E666F 00403035 00250024 08000800
3FEE4080: 00190000 08000800 00400000 00000000
3FEE4090: 00000000 00000004 00000000 00410000
3FEE40A0: 1A05D66A 00000000 3FEDE000 00000000
3FEE40B0: 00000000 00000000 00000000 00000000
HardwareInit info:
Dumping 32 bytes @ 0x3FEE7000
3FEE7000: 3FEE5000 3FEE6000 00000000 3FEE4000
3FEE7010: 00000000 00000080 00F10000 80012000
Cascade Info:
Dumping 516 bytes @ 0x00117818
00117818: 00000000 FFFFFFFF FFFFFFFF FFFFFFFF
00117828: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
00117838: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
00117848: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
00117858: FFFFFFFF 01040404 04040402 04020402
00117868: 02000000 00000000 00000000 00000000
00117878: 00000000 00000000 00000000 00000000
00117888: 00000000 00000000 00000000 00000000
00117898: 00000000 00000000 00000000 00000000
001178A8: 00000000 00000000 00000000 00000000
001178B8: 00000000 00000000 00000000 00000000
001178C8: 00000000 00000000 00000000 00000000
001178D8: 00000000 00000000 00000000 00000000
001178E8: 00000000 00000000 00000000 00000000
001178F8: 00000000 00000000 00000000 00000000
00117908: 00000000 00000000 00000000 00000000
00117918: 00000000 00000000 00000000 00000000
00117928: 00000000 00000000 00000000 00000000
00117938: 00000000 00000000 00000000 00000000
00117948: 00000000 00000000 00000000 00000000
00117958: 00000000 00000000 00000000 00000000
00117968: 00000000 00000000 00000000 00000000
00117978: 00000000 00000000 00000000 00000000
00117988: 00000000 00000000 00000000 00000000
00117998: 00000000 00000000 00000000 00000000
001179A8: 00000000 00000000 00000000 00000000
001179B8: 00000000 00000000 00000000 00000000
001179C8: 00000000 00000000 00000000 00000000
001179D8: 00000000 00000000 00000000 00000000
001179E8: 00000000 00000000 00000000 00000000
001179F8: 00000000 00000000 00000000 00000000
00117A08: 00000000 00000000 00000000 00000000
00117A18: 00000000
The next continue gives:
IsKeyDown: no keys held down
Overlap in AddMemoryRelocationEntry().
- dst = 0x00003000, dstLength = 0x0000052C, entry->dst = 0x00000000, entry->dst_len = 0x00048298.
Overlap in AddMemoryRelocationEntry().
- dst = 0x00003F80, dstLength = 0x00000080, entry->dst = 0x00000000, entry->dst_len = 0x00048298.
Overlap in AddMemoryRelocationEntry().
- dst = 0x00003F40, dstLength = 0x00000040, entry->dst = 0x00000000, entry->dst_len = 0x00048298.
Overlap in AddMemoryRelocationEntry().
- dst = 0x00003CFC, dstLength = 0x00000204, entry->dst = 0x00000000, entry->dst_len = 0x00048298.
Overlap in AddMemoryRelocationEntry().
- dst = 0x00003F00, dstLength = 0x00000040, entry->dst = 0x00000000, entry->dst_len = 0x00048298.