Hi
I did not find this method of bypassing the mainboard flash chip and booting from PCI add-on card documented or discussed before. The nice think in this is that neither mainboard or its flash needs to be modified. Good news in the case of a soldered flash and this method may work with mini-PCI slots on laptops too.
For pre-ICH6 the key is in subtractive PCI decode. This has been supported in 82801 chipset from the early days and is briefly documented in ICH3 datasheet [1], see 5.1.1. PCI Bus interface. This decode mode is on by default and there is no documentation of a hw bootstrap that could disable it.
For ICH7 onwards there are HW bootstraps to select between LPC/SPI/PCI. If you don't know where the bootstraps are, go with SPI and forget about this PCI add-on boot.
To try this, I have modified a PCI PATA-RAID card as follows: I cut the PCI RST# signal from card edge to controller, put a jumper to close it for normal boots and placed a weak 10kOhm pull-up to Vio on the chip side.
With this I have succesfully done the following on a ICH4 based mainboard:
1. I built SerialICE as usual and programmed the option ROM of the modified PCI card with it.
2. I set the PCI config BAR for that option ROM as 0xfffe0000. I had this hacked in flashrom, setpci might work as well. This was 128kB region while my flash was actually 64kB.
3. Reset the machine, but not the PCI card. I simply removed the jumper on the RST# signal on the PCI card before giving reboot command.
4. I got into SerialICE prompt.
Should go without saying: Code run from option ROM must not switch from subtractive to positive PCI decode. I also think the PCI slot used must be directly on the southbridge PCI bus and not behind some other PCI bridge.
To use this on cold boots and as a recovery method some means to default that config BAR for option ROM on cold power-on is required. Custom PCI FPGA can do that for sure, other ideas are welcome.
Kyösti
[1] http://www.intel.com/content/dam/doc/datasheet/82801ca-io-controller-hub-3-d...
Hi
This sounds extremly interesting! Assuming this only works with PCI and not PCI-e, would it also work on wifi mini-pci cards? As you mention laptop's specifically, I think most cards available are wifi cards.
Oliver
On 20-05-12 10:23, Kyösti Mälkki wrote:
Hi
I did not find this method of bypassing the mainboard flash chip and booting from PCI add-on card documented or discussed before. The nice think in this is that neither mainboard or its flash needs to be modified. Good news in the case of a soldered flash and this method may work with mini-PCI slots on laptops too.
For pre-ICH6 the key is in subtractive PCI decode. This has been supported in 82801 chipset from the early days and is briefly documented in ICH3 datasheet [1], see 5.1.1. PCI Bus interface. This decode mode is on by default and there is no documentation of a hw bootstrap that could disable it.
For ICH7 onwards there are HW bootstraps to select between LPC/SPI/PCI. If you don't know where the bootstraps are, go with SPI and forget about this PCI add-on boot.
To try this, I have modified a PCI PATA-RAID card as follows: I cut the PCI RST# signal from card edge to controller, put a jumper to close it for normal boots and placed a weak 10kOhm pull-up to Vio on the chip side.
With this I have succesfully done the following on a ICH4 based mainboard:
- I built SerialICE as usual and programmed the option ROM of the
modified PCI card with it.
- I set the PCI config BAR for that option ROM as 0xfffe0000. I had
this hacked in flashrom, setpci might work as well. This was 128kB region while my flash was actually 64kB.
- Reset the machine, but not the PCI card. I simply removed the jumper
on the RST# signal on the PCI card before giving reboot command.
- I got into SerialICE prompt.
Should go without saying: Code run from option ROM must not switch from subtractive to positive PCI decode. I also think the PCI slot used must be directly on the southbridge PCI bus and not behind some other PCI bridge.
To use this on cold boots and as a recovery method some means to default that config BAR for option ROM on cold power-on is required. Custom PCI FPGA can do that for sure, other ideas are welcome.
Kyösti
[1] http://www.intel.com/content/dam/doc/datasheet/82801ca-io-controller-hub-3-d...
Oliver Schinagl wrote:
would it also work on wifi mini-pci cards?
They don't have a flash chip.
//Peter
On Sun, May 20, 2012 at 1:23 AM, Kyösti Mälkki kyosti.malkki@gmail.com wrote:
Hi
I did not find this method of bypassing the mainboard flash chip and booting from PCI add-on card documented or discussed before.
Maybe I misunderstand, but this is how Etherboot originally worked: flash a new expansion rom onto, e.g., a 3c905 and that could take over the boot process.
ron
On Sun, 2012-05-20 at 11:23 +0300, Kyösti Mälkki wrote:
Hi
I did not find this method of bypassing the mainboard flash chip and booting from PCI add-on card documented or discussed before. The nice think in this is that neither mainboard or its flash needs to be modified. Good news in the case of a soldered flash and this method may work with mini-PCI slots on laptops too.
For pre-ICH6 the key is in subtractive PCI decode. This has been supported in 82801 chipset from the early days and is briefly documented in ICH3 datasheet [1], see 5.1.1. PCI Bus interface. This decode mode is on by default and there is no documentation of a hw bootstrap that could disable it.
Above is not accurate, ICH6 has hardware bootstrap.
For ICH7 onwards there are HW bootstraps to select between LPC/SPI/PCI. If you don't know where the bootstraps are, go with SPI and forget about this PCI add-on boot.
The bootstrap is latched on power cycle, but not PCI reset, and the config bit is writeable. So if one has a booting system it should be possible to switch to PCI add-on for next reboot. The setting will default back to mainboard flash after power-cycle.
Note that "hard/cold" reboot is required to toggle the PCI RST#. If vendor BIOS does set the write-protection lock bit, it should be cleared on PCI RST#. At least for ICH4 that is the case.
Kyösti
Having been quite intrigued by this I coincidentally found an old raid controller of mine.
http://www.highpoint-tech.cn/USA/rr454.htm
Though it only has 64kb flash I'm guessing (the bios image is about 55k) after a swap of that chip, it may theoretically be possible, correct? Hi all,
So why would this only work on ICH based boards? What are changes of this working on older chipsets other then intel? Say VIA?
Oliver
On 26-05-12 10:15, Kyösti Mälkki wrote:
On Sun, 2012-05-20 at 11:23 +0300, Kyösti Mälkki wrote:
Hi
I did not find this method of bypassing the mainboard flash chip and booting from PCI add-on card documented or discussed before. The nice think in this is that neither mainboard or its flash needs to be modified. Good news in the case of a soldered flash and this method may work with mini-PCI slots on laptops too.
For pre-ICH6 the key is in subtractive PCI decode. This has been supported in 82801 chipset from the early days and is briefly documented in ICH3 datasheet [1], see 5.1.1. PCI Bus interface. This decode mode is on by default and there is no documentation of a hw bootstrap that could disable it.
Above is not accurate, ICH6 has hardware bootstrap.
For ICH7 onwards there are HW bootstraps to select between LPC/SPI/PCI. If you don't know where the bootstraps are, go with SPI and forget about this PCI add-on boot.
The bootstrap is latched on power cycle, but not PCI reset, and the config bit is writeable. So if one has a booting system it should be possible to switch to PCI add-on for next reboot. The setting will default back to mainboard flash after power-cycle.
Note that "hard/cold" reboot is required to toggle the PCI RST#. If vendor BIOS does set the write-protection lock bit, it should be cleared on PCI RST#. At least for ICH4 that is the case.
Kyösti
On Sat, 2012-06-09 at 18:13 +0200, Oliver Schinagl wrote:
Having been quite intrigued by this I coincidentally found an old raid controller of mine.
http://www.highpoint-tech.cn/USA/rr454.htm
Though it only has 64kb flash I'm guessing (the bios image is about 55k) after a swap of that chip, it may theoretically be possible, correct? Hi all,
So why would this only work on ICH based boards? What are changes of this working on older chipsets other then intel? Say VIA?
Oliver
Hi
64 kB is enough for SerialICE. I would first check the raid controller datasheet and PCB if you have more than 16 address lines in the first place.
Chances are there was something similar on most PCI chipsets, as it was one practical method for production-line programming in the case of soldered flash chips. Just don't expect that the possible hardware bootstrap is labeled or easily accessible on the mainboard.
Kyösti
Having been quite intrigued by this I coincidentally found an old raid controller of mine.
http://www.highpoint-tech.cn/USA/rr454.htm
Though it only has 64kb flash I'm guessing (the bios image is about 55k) after a swap of that chip, it may theoretically be possible, correct? Hi all,
So why would this only work on ICH based boards? What are changes of this working on older chipsets other then intel? Say VIA?
Oliver
On 26-05-12 10:15, Kyösti Mälkki wrote:
On Sun, 2012-05-20 at 11:23 +0300, Kyösti Mälkki wrote:
Hi
I did not find this method of bypassing the mainboard flash chip and booting from PCI add-on card documented or discussed before. The nice think in this is that neither mainboard or its flash needs to be modified. Good news in the case of a soldered flash and this method may work with mini-PCI slots on laptops too.
For pre-ICH6 the key is in subtractive PCI decode. This has been supported in 82801 chipset from the early days and is briefly documented in ICH3 datasheet [1], see 5.1.1. PCI Bus interface. This decode mode is on by default and there is no documentation of a hw bootstrap that could disable it.
Above is not accurate, ICH6 has hardware bootstrap.
For ICH7 onwards there are HW bootstraps to select between LPC/SPI/PCI. If you don't know where the bootstraps are, go with SPI and forget about this PCI add-on boot.
The bootstrap is latched on power cycle, but not PCI reset, and the config bit is writeable. So if one has a booting system it should be possible to switch to PCI add-on for next reboot. The setting will default back to mainboard flash after power-cycle.
Note that "hard/cold" reboot is required to toggle the PCI RST#. If vendor BIOS does set the write-protection lock bit, it should be cleared on PCI RST#. At least for ICH4 that is the case.
Kyösti
-
Kyösti Mälkki -
Oliver Schinagl -
Oliver Schinagl -
Peter Stuge -
ron minnich