D. GDB Remote Serial Protocol

D.1 Overview
D.2 Packets
D.3 Stop Reply Packets
D.4 General Query Packets
D.5 Register Packet Format
D.6 Examples

D.1 Overview

There may be occasions when you need to know something about the protocol--for example, if there is only one serial port to your target machine, you might want your program to do something special if it recognizes a packet meant for GDB.

In the examples below, `->' and `<-' are used to indicate transmitted and received data respectfully.

All GDB commands and responses (other than acknowledgments) are sent as a packet. A packet is introduced with the character `$', the actual packet-data, and the terminating character `#' followed by a two-digit checksum:

$packet-data#checksum

The two-digit checksum is computed as the modulo 256 sum of all characters between the leading `$' and the trailing `#' (an eight bit unsigned checksum).

Implementors should note that prior to GDB 5.0 the protocol specification also included an optional two-digit sequence-id:

$sequence-id:packet-data#checksum

That sequence-id was appended to the acknowledgment. GDB has never output sequence-ids. Stubs that handle packets added since GDB 5.0 must not accept sequence-id.

When either the host or the target machine receives a packet, the first response expected is an acknowledgment: either `+' (to indicate the package was received correctly) or `-' (to request retransmission):

-> $packet-data#checksum <- +

The host (GDB) sends commands, and the target (the debugging stub incorporated in your program) sends a response. In the case of step and continue commands, the response is only sent when the operation has completed (the target has again stopped).

packet-data consists of a sequence of characters with the exception of `#' and `$' (see `X' packet for additional exceptions).

Fields within the packet should be separated using `,' `;' or `:'. Except where otherwise noted all numbers are represented in HEX with leading zeros suppressed.

Implementors should note that prior to GDB 5.0, the character `:' could not appear as the third character in a packet (as it would potentially conflict with the sequence-id).

Response data can be run-length encoded to save space. A `*' means that the next character is an ASCII encoding giving a repeat count which stands for that many repetitions of the character preceding the `*'. The encoding is n+29, yielding a printable character where n >=3 (which is where rle starts to win). The printable characters `$', `#', `+' and `-' or with a numeric value greater than 126 should not be used.

Some remote systems have used a different run-length encoding mechanism loosely refered to as the cisco encoding. Following the `*' character are two hex digits that indicate the size of the packet.

So:

"0* "

means the same as "0000".

The error response returned for some packets includes a two character error number. That number is not well defined.

For any command not supported by the stub, an empty response (`$#00') should be returned. That way it is possible to extend the protocol. A newer GDB can tell if a packet is supported based on that response.

A stub is required to support the `g', `G', `m', `M', `c', and `s' commands. All other commands are optional.

D.2 Packets

The following table provides a complete list of all currently defined commands and their corresponding response data.

! -- extended mode

Enable extended mode. In extended mode, the remote server is made persistent. The `R' packet is used to restart the program being debugged.

Reply:

`OK'

The remote target both supports and has enabled extended mode.

? -- last signal

Indicate the reason the target halted. The reply is the same as for step and continue.

Reply: See section D.3 Stop Reply Packets, for the reply specifications.

a -- reserved

Reserved for future use.

Aarglen,argnum,arg,... -- set program arguments (reserved)

Initialized `argv[]' array passed into program. arglen specifies the number of bytes in the hex encoded byte stream arg. See gdbserver for more details.

Reply:

`OK'

`ENN'

bbaud -- set baud (deprecated)

Change the serial line speed to baud.

JTC: When does the transport layer state change? When it's received, or after the ACK is transmitted. In either case, there are problems if the command or the acknowledgment packet is dropped.

Stan: If people really wanted to add something like this, and get it working for the first time, they ought to modify ser-unix.c to send some kind of out-of-band message to a specially-setup stub and have the switch happen "in between" packets, so that from remote protocol's point of view, nothing actually happened.

Baddr,mode -- set breakpoint (deprecated)

Set (mode is `S') or clear (mode is `C') a breakpoint at addr.

This packet has been replaced by the `Z' and `z' packets (see insert breakpoint or watchpoint packet).

caddr -- continue

addr is address to resume. If addr is omitted, resume at current address.

Reply: See section D.3 Stop Reply Packets, for the reply specifications.

Csig;addr -- continue with signal

Continue with signal sig (hex signal number). If ;addr is omitted, resume at same address.

Reply: See section D.3 Stop Reply Packets, for the reply specifications.

d -- toggle debug (deprecated)

Toggle debug flag.

D -- detach

Detach GDB from the remote system. Sent to the remote target before GDB disconnects.

Reply:

`no response'

GDB does not check for any response after sending this packet.

e -- reserved

Reserved for future use.

E -- reserved

Reserved for future use.

f -- reserved

Reserved for future use.

F -- reserved

Reserved for future use.

g -- read registers

Read general registers.

Reply:

`XX...'

Each byte of register data is described by two hex digits. The bytes with the register are transmitted in target byte order. The size of each register and their position within the `g' packet are determined by the GDB internal macros REGISTER_RAW_SIZE and REGISTER_NAME macros. The specification of several standard g packets is specified below.

`ENN'

for an error.

GXX... -- write regs

See read registers packet, for a description of the XX... data.

Reply:

`OK'

for success

`ENN'

for an error

h -- reserved

Reserved for future use.

Hct... -- set thread

Set thread for subsequent operations (`m', `M', `g', `G', et.al.). c depends on the operation to be performed: it should be `c' for step and continue operations, `g' for other operations. The thread designator t... may be -1, meaning all the threads, a thread number, or zero which means pick any thread.

Reply:

`OK'

for success

`ENN'

for an error

iaddr,nnn -- cycle step (draft)

Step the remote target by a single clock cycle. If ,nnn is present, cycle step nnn cycles. If addr is present, cycle step starting at that address.

I -- signal then cycle step (reserved)

See step with signal packet. See cycle step packet.

j -- reserved

Reserved for future use.

J -- reserved

Reserved for future use.

k -- kill request

FIXME: There is no description of how to operate when a specific thread context has been selected (i.e. does 'k' kill only that thread?).

K -- reserved

Reserved for future use.

l -- reserved

Reserved for future use.

L -- reserved

Reserved for future use.

maddr,length -- read memory

Read length bytes of memory starting at address addr. Neither GDB nor the stub assume that sized memory transfers are assumed using word aligned accesses. FIXME: A word aligned memory transfer mechanism is needed.

Reply:

`XX...'

XX... is mem contents. Can be fewer bytes than requested if able to read only part of the data. Neither GDB nor the stub assume that sized memory transfers are assumed using word aligned accesses. FIXME: A word aligned memory transfer mechanism is needed.

`ENN'

NN is errno

Maddr,length:XX... -- write mem

Write length bytes of memory starting at address addr. XX... is the data.

Reply:

`OK'

for success

`ENN'

for an error (this includes the case where only part of the data was written).

n -- reserved

Reserved for future use.

N -- reserved

Reserved for future use.

o -- reserved

Reserved for future use.

O -- reserved

Reserved for future use.

pn... -- read reg (reserved)

See write register packet.

Reply:

`r....'

The hex encoded value of the register in target byte order.

Pn...=r... -- write register

Write register n... with value r..., which contains two hex digits for each byte in the register (target byte order).

Reply:

`OK'

for success

`ENN'

for an error

qquery -- general query

Request info about query. In general GDB queries have a leading upper case letter. Custom vendor queries should use a company prefix (in lower case) ex: `qfsf.var'. query may optionally be followed by a `,' or `;' separated list. Stubs must ensure that they match the full query name.

Reply:

`XX...'

Hex encoded data from query. The reply can not be empty.

`ENN'

error reply

`'

Indicating an unrecognized query.

Qvar=val -- general set

Set value of var to val.

See general query packet, for a discussion of naming conventions.

r -- reset (deprecated)

Reset the entire system.

RXX -- remote restart

Restart the program being debugged. XX, while needed, is ignored. This packet is only available in extended mode.

Reply:

`no reply'

The `R' packet has no reply.

saddr -- step

addr is address to resume. If addr is omitted, resume at same address.

Reply: See section D.3 Stop Reply Packets, for the reply specifications.

Ssig;addr -- step with signal

Like `C' but step not continue.

Reply: See section D.3 Stop Reply Packets, for the reply specifications.

taddr:PP,MM -- search

Search backwards starting at address addr for a match with pattern PP and mask MM. PP and MM are 4 bytes. addr must be at least 3 digits.

TXX -- thread alive

Find out if the thread XX is alive.

Reply:

`OK'

thread is still alive

`ENN'

thread is dead

u -- reserved

Reserved for future use.

U -- reserved

Reserved for future use.

v -- reserved

Reserved for future use.

V -- reserved

Reserved for future use.

w -- reserved

Reserved for future use.

W -- reserved

Reserved for future use.

x -- reserved

Reserved for future use.

Xaddr,length:XX... -- write mem (binary)

addr is address, length is number of bytes, XX... is binary data. The characters $, #, and 0x7d are escaped using 0x7d.

Reply:

`OK'

for success

`ENN'

for an error

y -- reserved

Reserved for future use.

Y reserved

Reserved for future use.

ztype,addr,length -- remove breakpoint or watchpoint (draft)

Ztype,addr,length -- insert breakpoint or watchpoint (draft)

Insert (Z) or remove (z) a type breakpoint or watchpoint starting at address address and covering the next length bytes.

Each breakpoint and watchpoint packet type is documented separately.

Implementation notes: A remote target shall return an empty string for an unrecognized breakpoint or watchpoint packet type. A remote target shall support either both or neither of a given Ztype... and ztype... packet pair. To avoid potential problems with duplicate packets, the operations should be implemented in an idempotent way.

z0,addr,length -- remove memory breakpoint (draft)

Z0,addr,length -- insert memory breakpoint (draft)

Insert (Z0) or remove (z0) a memory breakpoint at address addr of size length.

A memory breakpoint is implemented by replacing the instruction at addr with a software breakpoint or trap instruction. The length is used by targets that indicates the size of the breakpoint (in bytes) that should be inserted (e.g., the ARM and MIPS can insert either a 2 or 4 byte breakpoint).

Implementation note: It is possible for a target to copy or move code that contains memory breakpoints (e.g., when implementing overlays). The behavior of this packet, in the presence of such a target, is not defined.

Reply:

`OK'

success

`'

not supported

`ENN'

for an error

z1,addr,length -- remove hardware breakpoint (draft)

Z1,addr,length -- insert hardware breakpoint (draft)

Insert (Z1) or remove (z1) a hardware breakpoint at address addr of size length.

A hardware breakpoint is implemented using a mechanism that is not dependant on being able to modify the target's memory.

Implementation note: A hardware breakpoint is not affected by code movement.

Reply:

`OK'

success

`'

not supported

`ENN'

for an error

z2,addr,length -- remove write watchpoint (draft)

Z2,addr,length -- insert write watchpoint (draft)

Insert (Z2) or remove (z2) a write watchpoint.

Reply:

`OK'

success

`'

not supported

`ENN'

for an error

z3,addr,length -- remove read watchpoint (draft)

Z3,addr,length -- insert read watchpoint (draft)

Insert (Z3) or remove (z3) a read watchpoint.

Reply:

`OK'

success

`'

not supported

`ENN'

for an error

z4,addr,length -- remove access watchpoint (draft)

Z4,addr,length -- insert access watchpoint (draft)

Insert (Z4) or remove (z4) an access watchpoint.

Reply:

`OK'

success

`'

not supported

`ENN'

for an error

D.3 Stop Reply Packets

The `C', `c', `S', `s' and `?' packets can receive any of the below as a reply. In the case of the `C', `c', `S' and `s' packets, that reply is only returned when the target halts. In the below the exact meaning of `signal number' is poorly defined. In general one of the UNIX signal numbering conventions is used.

`SAA'

AA is the signal number

`TAAn...:r...;n...:r...;n...:r...;'

AA = two hex digit signal number; n... = register number (hex), r... = target byte ordered register contents, size defined by REGISTER_RAW_SIZE; n... = `thread', r... = thread process ID, this is a hex integer; n... = (`watch' | `rwatch' | `awatch', r... = data address, this is a hex integer; n... = other string not starting with valid hex digit. GDB should ignore this n..., r... pair and go on to the next. This way we can extend the protocol.

`WAA'

The process exited, and AA is the exit status. This is only applicable to certain targets.

`XAA'

The process terminated with signal AA.

`NAA;t...;d...;b... (obsolete)'

AA = signal number; t... = address of symbol _start; d... = base of data section; b... = base of bss section. Note: only used by Cisco Systems targets. The difference between this reply and the `qOffsets' query is that the `N' packet may arrive spontaneously whereas the `qOffsets' is a query initiated by the host debugger.

`OXX...'

XX... is hex encoding of ASCII data. This can happen at any time while the program is running and the debugger should continue to wait for `W', `T', etc.

D.4 General Query Packets

The following set and query packets have already been defined.

qC -- current thread

Return the current thread id.

Reply:

`QCpid'

Where pid is a HEX encoded 16 bit process id.

`*'

Any other reply implies the old pid.

qfThreadInfo -- all thread ids

qsThreadInfo

Obtain a list of active thread ids from the target (OS). Since there may be too many active threads to fit into one reply packet, this query works iteratively: it may require more than one query/reply sequence to obtain the entire list of threads. The first query of the sequence will be the qfThreadInfo query; subsequent queries in the sequence will be the qsThreadInfo query.

NOTE: replaces the qL query (see below).

Reply:

`mid'

A single thread id

`mid,id...'

a comma-separated list of thread ids

`l'

(lower case 'el') denotes end of list.

In response to each query, the target will reply with a list of one or more thread ids, in big-endian hex, separated by commas. GDB will respond to each reply with a request for more thread ids (using the qs form of the query), until the target responds with l (lower-case el, for 'last').

qThreadExtraInfo,id -- extra thread info

Where id is a thread-id in big-endian hex. Obtain a printable string description of a thread's attributes from the target OS. This string may contain anything that the target OS thinks is interesting for GDB to tell the user about the thread. The string is displayed in GDB's `info threads' display. Some examples of possible thread extra info strings are "Runnable", or "Blocked on Mutex".

Reply:

`XX...'

Where XX... is a hex encoding of ASCII data, comprising the printable string containing the extra information about the thread's attributes.

qLstartflagthreadcountnextthread -- query LIST or threadLIST (deprecated)

Obtain thread information from RTOS. Where: startflag (one hex digit) is one to indicate the first query and zero to indicate a subsequent query; threadcount (two hex digits) is the maximum number of threads the response packet can contain; and nextthread (eight hex digits), for subsequent queries (startflag is zero), is returned in the response as argthread.

NOTE: this query is replaced by the qfThreadInfo query (see above).

Reply:

`qMcountdoneargthreadthread...'

Where: count (two hex digits) is the number of threads being returned; done (one hex digit) is zero to indicate more threads and one indicates no further threads; argthreadid (eight hex digits) is nextthread from the request packet; thread... is a sequence of thread IDs from the target. threadid (eight hex digits). See remote.c:parse_threadlist_response().

qCRC:addr,length -- compute CRC of memory block

Reply:

`ENN'

An error (such as memory fault)

`CCRC32'

A 32 bit cyclic redundancy check of the specified memory region.

qOffsets -- query sect offs

Get section offsets that the target used when re-locating the downloaded image. Note: while a Bss offset is included in the response, GDB ignores this and instead applies the Data offset to the Bss section.

Reply:

`Text=xxx;Data=yyy;Bss=zzz'

qPmodethreadid -- thread info request

Returns information on threadid. Where: mode is a hex encoded 32 bit mode; threadid is a hex encoded 64 bit thread ID.

Reply:

`*'

See remote.c:remote_unpack_thread_info_response().

qRcmd,command -- remote command

command (hex encoded) is passed to the local interpreter for execution. Invalid commands should be reported using the output string. Before the final result packet, the target may also respond with a number of intermediate Ooutput console output packets. Implementors should note that providing access to a stubs's interpreter may have security implications.

Reply:

`OK'

A command response with no output.

`OUTPUT'

A command response with the hex encoded output string OUTPUT.

`ENN'

Indicate a badly formed request.

``''

When `q'`Rcmd' is not recognized.

qSymbol:: -- symbol lookup

Notify the target that GDB is prepared to serve symbol lookup requests. Accept requests from the target for the values of symbols.

Reply:

`OK'

The target does not need to look up any (more) symbols.

`qSymbol:sym_name'

The target requests the value of symbol sym_name (hex encoded). GDB may provide the value by using the qSymbol:sym_value:sym_name message, described below.

qSymbol:sym_value:sym_name -- symbol value

Set the value of sym_name to sym_value.

sym_name (hex encoded) is the name of a symbol whose value the target has previously requested.

sym_value (hex) is the value for symbol sym_name. If GDB cannot supply a value for sym_name, then this field will be empty.

Reply:

`OK'

The target does not need to look up any (more) symbols.

`qSymbol:sym_name'

The target requests the value of a new symbol sym_name (hex encoded). GDB will continue to supply the values of symbols (if available), until the target ceases to request them.

D.5 Register Packet Format

The following `g'/`G' packets have previously been defined. In the below, some thirty-two bit registers are transferred as sixty-four bits. Those registers should be zero/sign extended (which?) to fill the space allocated. Register bytes are transfered in target byte order. The two nibbles within a register byte are transfered most-significant - least-significant.

MIPS32

All registers are transfered as thirty-two bit quantities in the order: 32 general-purpose; sr; lo; hi; bad; cause; pc; 32 floating-point registers; fsr; fir; fp.

MIPS64

All registers are transfered as sixty-four bit quantities (including thirty-two bit registers such as sr). The ordering is the same as MIPS32.

D.6 Examples

Example sequence of a target being re-started. Notice how the restart does not get any direct output:

-> R00 <- + target restarts -> ? <- + <- T001:1234123412341234 -> +

Example sequence of a target being stepped by a single instruction:

-> G1445... <- + -> s <- + time passes <- T001:1234123412341234 -> + -> g <- + <- 1455... -> +