Hello, I am trying to dump my vendor BIOS through SerialICE. It seems to freeze here (full log attached):

[f000:3a5c] -- IO: outl 0cf8 <= 8000f844
[f000:3a5c] -- IO: inb 0cfc => 00 PCI 0:1f.0 R.44
[f000:3a5c] -- IO: outb 0cfc <= 10 PCI 0:1f.0 R.44
[f000:3a5c] -- IO: inw 1004 => 0000
[f000:0013] -- IO: outw 0080 <= fea0
[f000:0024] -- IO: outl 0cf8 <= 800000fc
[f000:0024] -- IO: outw 0cfc <= 0109 PCI 0:00.0 R.fc
[f000:0024] -- IO: outb 0080 <= 01
[f000:0078] -- IO: outb 0080 <= 02
[f000:009a] -- IO: outw 0080 <= eee3 <------FREEZE
So, through gdb debugging I think I traced it back to the source.
0xf3af0: mov $0x8000f844,%eax
0xf3af6: mov $0xcf8,%dx
0xf3af9: out %eax,(%dx)
0xf3afb: mov $0xcfc,%dx
0xf3afe: in (%dx),%al
0xf3aff: or $0x10,%al
0xf3b01: out %al,(%dx)
0xf3b02: mov %es:(%edi),%dx
0xf3b06: add $0x4,%dx
0xf3b09: in (%dx),%ax
0xf3b0a: shr $0xa,%ax
0xf3b0d: and $0x7,%ax
0xf3b10: cmp $0x5,%ax
0xf3b13: jne 0xf3b1b
0xf3b15: mov $0x80000000,%ebp
0xf3b1b: jmp 0xf0013

0xf0013: mov $0xfea0,%ax
0xf0016: out %ax,$0x80
0xf0018: mov %cr4,%eax
0xf001b: or $0x200,%eax
0xf0021: mov %eax,%cr4
0xf0024: mov $0x109,%ax
0xf0027: mov %ax,%bx
0xf0029: mov $0xfc,%al
0xf002b: and $0xff,%eax
0xf0031: or $0x80000000,%eax
0xf0037: mov %ax,%dx
0xf0039: bswap %edx
0xf003c: mov $0xcf8,%dx
0xf003f: and $0xfffffffc,%eax
0xf0043: out %eax,(%dx)
0xf0045: bswap %edx
0xf0048: mov %dx,%ax
0xf004a: bswap %edx
0xf004d: and $0x2,%ax
0xf0050: add %ax,%dx
0xf0052: add $0x4,%dx
0xf0055: mov %bx,%ax
0xf0057: out %ax,(%dx)
0xf0058: xor %ecx,%ecx
0xf005b: or $0x3,%ebp
0xf005f: mov $0x1,%al
0xf0061: out %al,$0x80
0xf0063: bswap %esp
0xf0066: mov $0x6c,%sp
0xf0069: jmp 0xf17b9
0xf006c: bswap %esp
0xf006f: jae 0xf0078
0xf0071: mov $0xeee1,%ax
0xf0074: out %ax,$0x80
0xf0076: jmp 0xf0076
0xf0078: mov $0x2,%al
0xf007a: out %al,$0x80
0xf007c: bswap %esp
0xf007f: mov $0x85,%sp
0xf0082: jmp 0xf17dc
0xf0085: bswap %esp
0xf0088: jae 0xf0091
0xf008a: mov $0xeee2,%ax
0xf008d: out %ax,$0x80
0xf008f: jmp 0xf008f
0xf0091: test $0x3,%ebp
0xf0098: jne 0xf00a1
0xf009a: mov $0xeee3,%ax
0xf009d: out %ax,$0x80
0xf009f: jmp 0xf009f
0xf00a1: mov $0x3,%al
0xf00a3: out %al,$0x80
----bla, bla, bla
So I think it all points back to the PMBASE + 4 (0x1004) register.
0xf3b0a: shr $0xa,%ax
0xf3b0d: and $0x7,%ax
0xf3b10: cmp $0x5,%ax

I tried to set PMBASE + 4 (0x1004) to 0x0005 in my SerialICE mainboard config, but when the BIOS re-enables PMBASE it seems to get wiped out (reset to 0).

#define PMBASE 0x1000

/* Set ACPI base address (I/O space). */
pci_write_config32(PCI_ADDR(0, 0x1f, 0, 0x40), (PMBASE | 1));
/* Preload the word at PMBASE + 4 that the BIOS later reads back. */
outw(0x0005, PMBASE + 4);
At this point I am not sure what to do, or whether I am looking at this correctly; I am not so good at assembly... Help? Ideas?
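As an added example (not part of the original post, and not SerialICE's own code), here is a small Python script for working through a trace like the one above offline. It parses the `[cs:ip] -- IO: ...` lines, decodes each CONFIG_ADDRESS write to port 0xcf8 into bus/device/function/register so the following 0xcfc accesses can be labelled the way SerialICE does, marks the port 0x80 POST codes, and decodes the word read from PMBASE + 4 with exactly the arithmetic the disassembly uses (`shr $0xa` then `and $0x7`, i.e. bits 12:10, which on Intel ICH-family southbridges is the SLP_TYP field of PM1_CNT, where 5 means S3). The sample trace is constructed from the lines quoted above with the annotations stripped; PMBASE = 0x1000 is assumed, as in the poster's mainboard config.

```python
import re

# Constructed sample: the trace lines quoted in the post, without the
# "PCI ..." annotations, so the script derives them itself.
SAMPLE_TRACE = """\
[f000:3a5c] -- IO: outl 0cf8 <= 8000f844
[f000:3a5c] -- IO: inb 0cfc => 00
[f000:3a5c] -- IO: outb 0cfc <= 10
[f000:3a5c] -- IO: inw 1004 => 0000
[f000:0013] -- IO: outw 0080 <= fea0
[f000:0024] -- IO: outl 0cf8 <= 800000fc
[f000:0024] -- IO: outw 0cfc <= 0109
[f000:009a] -- IO: outw 0080 <= eee3
"""

PMBASE = 0x1000  # assumed: the value from the poster's mainboard config

# One SerialICE I/O trace line: [cs:ip] -- IO: <in|out><b|w|l> <port> <=|=> <value>
LINE_RE = re.compile(
    r"\[(?P<cs>[0-9a-f]{4}):(?P<ip>[0-9a-f]{4})\] -- IO: "
    r"(?P<op>in|out)(?P<width>[bwl]) (?P<port>[0-9a-f]{4}) (?:<=|=>) (?P<val>[0-9a-f]+)"
)


def decode_cf8(addr):
    """Split a PCI CONFIG_ADDRESS value (written to 0xcf8) into its fields."""
    return {
        "enable": bool(addr & 0x80000000),  # bit 31: configuration cycle enable
        "bus": (addr >> 16) & 0xFF,         # bits 23:16
        "dev": (addr >> 11) & 0x1F,         # bits 15:11
        "fn": (addr >> 8) & 0x7,            # bits 10:8
        "reg": addr & 0xFC,                 # bits 7:2, dword aligned
    }


def decode_pm1_cnt(value):
    """Decode the word at PMBASE + 4 the way the BIOS code does: (val >> 10) & 7."""
    return {
        "slp_typ": (value >> 10) & 0x7,       # bits 12:10, SLP_TYP; 5 = S3 on ICH
        "slp_en": bool(value & (1 << 13)),    # bit 13
        "sci_en": bool(value & 1),            # bit 0
    }


def annotate(trace):
    """Return (line, note) pairs; the note explains what each I/O access touches."""
    cfg = None  # last CONFIG_ADDRESS written, so 0xcfc accesses can be labelled
    result = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        port = int(m["port"], 16)
        val = int(m["val"], 16)
        note = ""
        if port == 0xCF8 and m["op"] == "out":
            cfg = decode_cf8(val)
            note = "CONFIG_ADDRESS -> PCI %d:%02x.%d R.%02x" % (
                cfg["bus"], cfg["dev"], cfg["fn"], cfg["reg"])
        elif 0xCFC <= port <= 0xCFF and cfg is not None:
            # Byte/word accesses inside the dword select the register by offset.
            reg = cfg["reg"] + (port - 0xCFC)
            note = "PCI %d:%02x.%d R.%02x" % (cfg["bus"], cfg["dev"], cfg["fn"], reg)
        elif port == 0x80 and m["op"] == "out":
            note = "POST code %04x" % val
        elif port == PMBASE + 4:
            d = decode_pm1_cnt(val)
            state = "S3 resume path" if d["slp_typ"] == 5 else "not S3"
            note = "PM1_CNT SLP_TYP=%d (%s) SLP_EN=%d SCI_EN=%d" % (
                d["slp_typ"], state, d["slp_en"], d["sci_en"])
        result.append((line, note))
    return result


if __name__ == "__main__":
    for line, note in annotate(SAMPLE_TRACE):
        print("%-48s %s" % (line, note))
```

Running it over the sample reproduces SerialICE's own "PCI 0:1f.0 R.44" and "PCI 0:00.0 R.fc" labels and shows that the `inw 1004 => 0000` read decodes to SLP_TYP 0, so the `cmp $0x5,%ax` at 0xf3b10 does not match on this trace.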