Hi
This sounds extremly interesting! Assuming this only works with PCI and not PCI-e, would it also work on wifi mini-pci cards? As you mention laptop's specifically, I think most cards available are wifi cards.
Oliver
On 20-05-12 10:23, Kyösti Mälkki wrote:
Hi
I did not find this method of bypassing the mainboard flash chip and booting from PCI add-on card documented or discussed before. The nice think in this is that neither mainboard or its flash needs to be modified. Good news in the case of a soldered flash and this method may work with mini-PCI slots on laptops too.
For pre-ICH6 the key is in subtractive PCI decode. This has been supported in 82801 chipset from the early days and is briefly documented in ICH3 datasheet [1], see 5.1.1. PCI Bus interface. This decode mode is on by default and there is no documentation of a hw bootstrap that could disable it.
For ICH7 onwards there are HW bootstraps to select between LPC/SPI/PCI. If you don't know where the bootstraps are, go with SPI and forget about this PCI add-on boot.
To try this, I have modified a PCI PATA-RAID card as follows: I cut the PCI RST# signal from card edge to controller, put a jumper to close it for normal boots and placed a weak 10kOhm pull-up to Vio on the chip side.
With this I have succesfully done the following on a ICH4 based mainboard:
- I built SerialICE as usual and programmed the option ROM of the
modified PCI card with it.
- I set the PCI config BAR for that option ROM as 0xfffe0000. I had
this hacked in flashrom, setpci might work as well. This was 128kB region while my flash was actually 64kB.
- Reset the machine, but not the PCI card. I simply removed the jumper
on the RST# signal on the PCI card before giving reboot command.
- I got into SerialICE prompt.
Should go without saying: Code run from option ROM must not switch from subtractive to positive PCI decode. I also think the PCI slot used must be directly on the southbridge PCI bus and not behind some other PCI bridge.
To use this on cold boots and as a recovery method some means to default that config BAR for option ROM on cold power-on is required. Custom PCI FPGA can do that for sure, other ideas are welcome.
Kyösti
[1] http://www.intel.com/content/dam/doc/datasheet/82801ca-io-controller-hub-3-d...