interesting.
e8 matters.
here is the first round, where it comes up and patches from MCH registers and restarts. reset:SerialICE-hlp: outl 00e8 <= 44656c6c reset:SerialICE-hlp: outl 00e8 <= 50726f74
here is post rest postreset:SerialICE-hlp: outl 00e8 <= 44656c6c postreset:SerialICE-hlp: outl 00e8 <= 50726f74 postreset:SerialICE-hlp: outl 00e8 <= 496e6974 <=== this one kills serialice
If I disable writes to 00e8, then Things Don't Work Right. At some point the factory bios just goes into a jump . style loop.
I wonder what e8 is?
ron
On Tue, Oct 6, 2009 at 12:45 PM, Myles Watson mylesgw@gmail.com wrote:
here is post rest postreset:SerialICE-hlp: outl 00e8 <= 44656c6c
Dell
postreset:SerialICE-hlp: outl 00e8 <= 50726f74
Prot
postreset:SerialICE-hlp: outl 00e8 <= 496e6974 <=== this one kills serialice
Init
so weird. Where's it going?
ron
On 06.10.2009 21:49, ron minnich wrote:
On Tue, Oct 6, 2009 at 12:45 PM, Myles Watson mylesgw@gmail.com wrote:
here is post rest postreset:SerialICE-hlp: outl 00e8 <= 44656c6c
Dell
postreset:SerialICE-hlp: outl 00e8 <= 50726f74
Prot
postreset:SerialICE-hlp: outl 00e8 <= 496e6974 <=== this one kills serialice
Init
so weird. Where's it going?
Management console on LPC? TPM? "Init" could reenable/reinitialize the management console or cause the management console to issue a reset command to the CPU and then act as LPC master, presenting a totally different firmware to the CPU. That would mean all serialice logs until then are just misdirection (but then again, this is not a gaming console and such tricks are not that likely).
Of course, you could be hitting something entirely different: If the management console starts reading commands or data from flash after the "Init" command, it may fail to find anything useful there (after all, only serialice is in that ROM) and simply go nuts. What happens if you use a ROM with original size and have serialice at the end and the old ROM contents everywhere else at the original address? (Pick old ROM, overwrite the end with serialice, reflash). This could change behaviour quite a bit. Of course, hooking up a LPC/FWH bus analyzer might help you find out if there are any accesses not caused by serialice.
Regards, Carl-Daniel
ron minnich wrote:
here is post rest postreset:SerialICE-hlp: outl 00e8 <= 44656c6c
Dell
postreset:SerialICE-hlp: outl 00e8 <= 50726f74
Prot
postreset:SerialICE-hlp: outl 00e8 <= 496e6974 <=== this one kills serialice
Init
so weird. Where's it going?
BMC?
//Peter
ron minnich wrote:
interesting.
e8 matters.
here is the first round, where it comes up and patches from MCH registers and restarts. reset:SerialICE-hlp: outl 00e8 <= 44656c6c reset:SerialICE-hlp: outl 00e8 <= 50726f74
here is post rest postreset:SerialICE-hlp: outl 00e8 <= 44656c6c postreset:SerialICE-hlp: outl 00e8 <= 50726f74 postreset:SerialICE-hlp: outl 00e8 <= 496e6974 <=== this one kills serialice
If I disable writes to 00e8, then Things Don't Work Right. At some point the factory bios just goes into a jump . style loop.
I wonder what e8 is?
Ron,
try adding the following code to the output filter function in Qemu:
hw/serialice.c: static int serialice_out_filter(uint32_t data, uint16_t port, int size)
for example, right under the cf8 / cfc filters:
/* Dell 1850 BMC filter */ if (port == 0xe8) { if (data == 0x44656c6c) { printf("BMC: Dell\n") } if (data == 0x50726f74) { printf("BMC: Prot\n"); } if (data == 0x496e6974) { printf("BMC: Init (filtered)\n"); return 1; } }
It will prevent the critical command from being sent and allow you to continue.
Stefan
Thanks, i did something like this. Ahh, serialice is so wonderful.
Turns out that was not it, it was just a coincidence. The problem is that the bios is doing a lgdt and going off into nirvana (or its opposite), as qemu does not handle that too well (which makes no sense; of course qemu can handle it). Oh well.
ron
ron minnich wrote:
Thanks, i did something like this. Ahh, serialice is so wonderful.
Turns out that was not it, it was just a coincidence. The problem is that the bios is doing a lgdt and going off into nirvana (or its opposite), as qemu does not handle that too well (which makes no sense; of course qemu can handle it). Oh well.
So, the serialice shell is still alive when qemu goes to nirvana?
Stefan
On Tue, Oct 6, 2009 at 4:36 PM, Stefan Reinauer stepan@coresystems.de wrote:
ron minnich wrote:
Thanks, i did something like this. Ahh, serialice is so wonderful.
Turns out that was not it, it was just a coincidence. The problem is that the bios is doing a lgdt and going off into nirvana (or its opposite), as qemu does not handle that too well (which makes no sense; of course qemu can handle it). Oh well.
So, the serialice shell is still alive when qemu goes to nirvana?
Stupid me. I should have tried that and did not think of it. Will let you know.
qemu has not really gone to nirvana. But it's fetching code from a strange place.
ron
ron minnich wrote:
interesting.
e8 matters.
here is the first round, where it comes up and patches from MCH registers and restarts. reset:SerialICE-hlp: outl 00e8 <= 44656c6c reset:SerialICE-hlp: outl 00e8 <= 50726f74
here is post rest postreset:SerialICE-hlp: outl 00e8 <= 44656c6c postreset:SerialICE-hlp: outl 00e8 <= 50726f74 postreset:SerialICE-hlp: outl 00e8 <= 496e6974 <=== this one kills serialice
If I disable writes to 00e8, then Things Don't Work Right. At some point the factory bios just goes into a jump . style loop.
Can you post a full log of that case (possibly with the filter I sent in my last mail.. It may be enough to only prevent Init from being sent, while Dell and Prot may be crucial)
It would be interesting what the code does before going into that loop. Maybe an input filter is needed, faking a BMC response.
Stefan
I'll get that tomorrow I hope. The gateway just went away for a bit.
ron
-
Carl-Daniel Hailfinger -
Myles Watson -
Peter Stuge -
ron minnich -
Stefan Reinauer