Hi all, I am trying to debug why grub crashed (under usbrom) after loading certain blocks into memory. My new finding is that while usbrom is trying to load block lba=0x0019a9e0, it crashes. The flow is usb_new_read(0,0x0019a9e0,0x20,0xfffa2000); 0x20 is the count which should be read, and 0xfffa2000 is the virtual address of 0x70000. usb_new_read calls readwrite_blocks, then execute_command. After wrap_cbw is executed in execute_command, it should call dev->controller->bulk, but this address is a wrong address. My debug information is below:
BIOS Debugger Node : 0, Core : 0
rAX= 8020425D rBX= 00000000 rCX= 00108F15 rDX= 50588214
rSI= 00108FE8 rDI= FFF97D20 rBP= 00108F38 rSP= 00108EF0
rIP= 00006F22
CS Sel= 0008 DS Sel= 0010 ES Sel= 0010 FS Sel= 0000 GS Sel= 0000 SS Sel= 0010
CF PF AF ZF SF TF IF DF OF IOPL NT RF VM AC VIF VIP ID
 0  1  0  0  0  0  0  0  0    0  0  0  0  0   0   0  0

0008:00006EC3 C7 45 FC 01 00 00 00     mov [ebp-04h],00000001h
0008:00006ECA 8B 45 14                 mov eax,[ebp+14h]
0008:00006ECD 89 44 24 10              mov [esp+10h],eax
0008:00006ED1 8B 45 10                 mov eax,[ebp+10h]
0008:00006ED4 89 44 24 0C              mov [esp+0ch],eax
0008:00006ED8 8B 45 0C                 mov eax,[ebp+0ch]
0008:00006EDB 89 44 24 08              mov [esp+08h],eax
0008:00006EDF 8B 45 1C                 mov eax,[ebp+1ch]
0008:00006EE2 89 44 24 04              mov [esp+04h],eax
0008:00006EE6 8D 45 DD                 lea eax,[ebp-23h]
0008:00006EE9 89 04 24                 mov [esp],eax
0008:00006EEC E8 CF FE FF FF           call loc_00006dc0h        /* this is wrap_cbw */
0008:00006EF1 8B 45 08                 mov eax,[ebp+08h]
0008:00006EF4 8B 00                    mov eax,[eax]
0008:00006EF6 8B 90 20 02 00 00        mov edx,[eax+00000220h]
0008:00006EFC 8D 4D DD                 lea ecx,[ebp-23h]
0008:00006EFF 8B 45 08                 mov eax,[ebp+08h]
0008:00006F02 8B 80 18 03 00 00        mov eax,[eax+00000318h]
0008:00006F08 8B 40 0C                 mov eax,[eax+0ch]
0008:00006F0B C7 44 24 0C 00 00 00 00  mov [esp+0ch],00000000h
0008:00006F13 89 4C 24 08              mov [esp+08h],ecx
0008:00006F17 C7 44 24 04 1F 00 00 00  mov [esp+04h],0000001fh
0008:00006F1F 89 04 24                 mov [esp],eax
0008:00006F22 FF D2                    call edx                  /* here it will jump into 50588214 */
0008:00006F24 85 C0                    test eax,eax
0008:00006F26 74 20                    jz loc_00006f48h
0008:00006F28 8B 45 08                 mov eax,[ebp+08h]
0008:00006F2B 8B 80 18 03 00 00        mov eax,[eax+00000318h]
0008:00006F31 8B 40 0C                 mov eax,[eax+0ch]
0008:00006F34 89 04 24                 mov [esp],eax
0008:00006F37 E8 8C CF FF FF           call loc_00003ec8h
0008:00006F3C C7 45 CC 01 00 00 00     mov [ebp-34h],00000001h
0008:00006F43 E9 1C 01 00 00           jmp loc_00007064h
0008:00006F48 C7 04 24 0A 00 00 00     mov [esp],0000000ah
0008:00006F4F E8 5F 9C FF FF           call loc_00000bb3h
0008:00006F54 81 7D 0C 80 00 00 00     cmp [ebp+0ch],00000080h
0008:00006F5B 75 56                    jnz loc_00006fb3h
0008:00006F5D 8B 45 08                 mov eax,[ebp+08h]
0008:00006F60 8B 00                    mov eax,[eax]
0008:00006F62 8B 88 20 02 00 00        mov ecx,[eax+00000220h]
0008:00006F68 8B 45 08                 mov eax,[ebp+08h]
0008:00006F6B 8B 80 18 03 00 00        mov eax,[eax+00000318h]
0008:00006F71 8B 50 08                 mov edx,[eax+08h]
0008:00006F74 C7 44 24 0C 00 00 00 00  mov [esp+0ch],00000000h
0008:00006F7C 8B 45 18                 mov eax,[ebp+18h]
0008:00006F7F 89 44 24 08              mov [esp+08h],eax
0008:00006F83 8B 45 1C                 mov eax,[ebp+1ch]
0008:00006F86 89 44 24 04              mov [esp+04h],eax
0008:00006F8A 89 14 24                 mov [esp],edx
0008:00006F8D FF D1                    call ecx
Kevin also reminded me that usbrom has a 1M heap which will overwrite SeaBIOS at 0xf0000. That may also be a problem. Any suggestion is welcome.
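A small C model of the checks a reader might add at the point where this crash happens, written as an added example for this thread and not code from the post, from libpayload or from SeaBIOS: it validates the controller struct (a guard value plus a check that the bulk function pointer lies inside the ROM's code window) before the indirect call that execute_command makes, and it tests whether a 1M heap placed at a given base overlaps the SeaBIOS region at 0xf0000. The struct layouts, HCI_MAGIC, the 64 KiB SeaBIOS window, the code window placed around stub_bulk and the heap base 0x20000 are all assumptions or constructed values; 0x50588214 and 0x1f are taken from the dump above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the usbdev -> controller -> bulk() chain named in
 * the post. These are NOT libpayload's real struct layouts; only the fields
 * the checks need are modelled. */
typedef struct endpoint endpoint_t;
typedef struct hci hci_t;
typedef int (*bulk_fn)(endpoint_t *ep, int size, uint8_t *data, int finalize);

struct hci {
    uint32_t magic;   /* guard value written at controller init (assumption) */
    bulk_fn bulk;     /* the pointer execute_command jumps through */
};

struct endpoint {
    hci_t *dev_controller;
};

typedef struct usbdev {
    hci_t *controller;     /* the "mov eax,[eax]" load in the dump */
    endpoint_t bulk_out;
} usbdev_t;

#define HCI_MAGIC 0x48434930u          /* "HCI0", constructed guard value */
#define SEABIOS_BASE 0xf0000u          /* location given in the post */
#define SEABIOS_SIZE 0x10000u          /* assumption: a 64 KiB window */
#define USBROM_HEAP_SIZE (1u << 20)    /* the 1M heap mentioned in the post */

/* Half-open interval overlap: does [a, a+alen) intersect [b, b+blen)? */
int ranges_overlap(uint32_t a, uint32_t alen, uint32_t b, uint32_t blen)
{
    return a < b + blen && b < a + alen;
}

enum hci_status { HCI_OK = 0, HCI_NULL_CONTROLLER, HCI_BAD_MAGIC, HCI_BAD_BULK_PTR };

/* Validate the controller struct before following its function pointer.
 * [code_lo, code_hi) is where the option ROM's code actually lives; a bulk
 * pointer outside it (e.g. 0x50588214 in the dump) means the struct was
 * clobbered, most likely by something writing over the heap. */
enum hci_status validate_hci(const hci_t *c, uintptr_t code_lo, uintptr_t code_hi)
{
    if (c == NULL)
        return HCI_NULL_CONTROLLER;
    if (c->magic != HCI_MAGIC)
        return HCI_BAD_MAGIC;
    uintptr_t target = (uintptr_t)c->bulk;
    if (target < code_lo || target >= code_hi)
        return HCI_BAD_BULK_PTR;
    return HCI_OK;
}

/* Guarded form of the call execute_command makes: refuse and return -1 instead
 * of jumping through a corrupted pointer. */
int checked_bulk(usbdev_t *dev, uint8_t *cbw, int len,
                 uintptr_t code_lo, uintptr_t code_hi)
{
    enum hci_status st = validate_hci(dev->controller, code_lo, code_hi);
    if (st != HCI_OK) {
        fprintf(stderr, "refusing bulk call: status %d\n", (int)st);
        return -1;
    }
    return dev->controller->bulk(&dev->bulk_out, len, cbw, 0);
}

/* Stand-in bulk handler: just reports how many bytes it was asked to move. */
static int stub_bulk(endpoint_t *ep, int size, uint8_t *data, int finalize)
{
    (void)ep; (void)data; (void)finalize;
    return size;
}

/* Healthy controller: the bulk pointer lies inside the code window. */
int demo_good_call(void)
{
    hci_t ctl = { HCI_MAGIC, stub_bulk };
    usbdev_t dev = { &ctl, { &ctl } };
    uint8_t cbw[31] = { 0 };                 /* 31 = the 0x1f pushed in the dump */
    uintptr_t lo = (uintptr_t)stub_bulk;
    return checked_bulk(&dev, cbw, 31, lo, lo + 1);
}

/* Clobbered controller: only the function pointer is overwritten here, so the
 * magic check passes and the code-window check has to catch it. */
int demo_clobbered_call(void)
{
    hci_t ctl = { HCI_MAGIC, stub_bulk };
    usbdev_t dev = { &ctl, { &ctl } };
    uint8_t cbw[31] = { 0 };
    uintptr_t lo = (uintptr_t)stub_bulk;
    ctl.bulk = (bulk_fn)(uintptr_t)0x50588214u;   /* the value edx held in the dump */
    return checked_bulk(&dev, cbw, 31, lo, lo + 1);
}

int main(void)
{
    /* 0x20000 is a constructed heap base for the demonstration, not a real value. */
    printf("1M heap at 0x20000 overlaps SeaBIOS: %d\n",
           ranges_overlap(0x20000u, USBROM_HEAP_SIZE, SEABIOS_BASE, SEABIOS_SIZE));
    printf("good call returns %d\n", demo_good_call());
    printf("clobbered call returns %d\n", demo_clobbered_call());
    return 0;
}
```

In the real ROM the code window would be the option ROM's load range and the validation would sit in execute_command just before dev->controller->bulk; a failing check there turns a jump to 0x50588214 into a diagnosable error, and the heap overlap test answers Kevin's point about the 1M heap running into 0xf0000 before anything is corrupted.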