SerialICE dump freezing - SerialICE

6 Jan 2011


      Hello,
I am trying to dump my vendor bios through SerialICE. It seems to freeze 
here (full log attached):
[f000:3a5c] -- IO: outl 0cf8 <= 8000f844
[f000:3a5c] -- IO:  inb 0cfc => 00
PCI 0:1f.0 R.44
[f000:3a5c] -- IO: outb 0cfc <= 10
PCI 0:1f.0 R.44
[f000:3a5c] -- IO:  inw 1004 => 0000
[f000:0013] -- IO: outw 0080 <= fea0
[f000:0024] -- IO: outl 0cf8 <= 800000fc
[f000:0024] -- IO: outw 0cfc <= 0109
PCI 0:00.0 R.fc
[f000:0024] -- IO: outb 0080 <= 01
[f000:0078] -- IO: outb 0080 <= 02
[f000:009a] -- IO: outw 0080 <= eee3 <------FREEZE
So, through gdb debugging I think I traced it back to the source.
0xf3af0:	mov    $0x8000f844,%eax
    0xf3af6:	mov    $0xcf8,%dx
    0xf3af9:	out    %eax,(%dx)
    0xf3afb:	mov    $0xcfc,%dx
    0xf3afe:	in     (%dx),%al
    0xf3aff:	or     $0x10,%al
    0xf3b01:	out    %al,(%dx)
    0xf3b02:	mov    %es:(%edi),%dx
    0xf3b06:	add    $0x4,%dx
    0xf3b09:	in     (%dx),%ax
    0xf3b0a:	shr    $0xa,%ax
    0xf3b0d:	and    $0x7,%ax
    0xf3b10:	cmp    $0x5,%ax
    0xf3b13:	jne    0xf3b1b
    0xf3b15:	mov    $0x80000000,%ebp
    0xf3b1b:	jmp    0xf0013
0xf0013:	mov    $0xfea0,%ax
    0xf0016:	out    %ax,$0x80
    0xf0018:	mov    %cr4,%eax
    0xf001b:	or     $0x200,%eax
    0xf0021:	mov    %eax,%cr4
    0xf0024:	mov    $0x109,%ax
    0xf0027:	mov    %ax,%bx
    0xf0029:	mov    $0xfc,%al
    0xf002b:	and    $0xff,%eax
    0xf0031:	or     $0x80000000,%eax
    0xf0037:	mov    %ax,%dx
    0xf0039:	bswap  %edx
    0xf003c:	mov    $0xcf8,%dx
    0xf003f:	and    $0xfffffffc,%eax
    0xf0043:	out    %eax,(%dx)
    0xf0045:	bswap  %edx
    0xf0048:	mov    %dx,%ax
    0xf004a:	bswap  %edx
    0xf004d:	and    $0x2,%ax
    0xf0050:	add    %ax,%dx
    0xf0052:	add    $0x4,%dx
    0xf0055:	mov    %bx,%ax
    0xf0057:	out    %ax,(%dx)
    0xf0058:	xor    %ecx,%ecx
    0xf005b:	or     $0x3,%ebp
    0xf005f:	mov    $0x1,%al
    0xf0061:	out    %al,$0x80
    0xf0063:	bswap  %esp
    0xf0066:	mov    $0x6c,%sp
    0xf0069:	jmp    0xf17b9
    0xf006c:	bswap  %esp
    0xf006f:	jae    0xf0078
    0xf0071:	mov    $0xeee1,%ax
    0xf0074:	out    %ax,$0x80
    0xf0076:	jmp    0xf0076
    0xf0078:	mov    $0x2,%al
    0xf007a:	out    %al,$0x80
    0xf007c:	bswap  %esp
    0xf007f:	mov    $0x85,%sp
    0xf0082:	jmp    0xf17dc
    0xf0085:	bswap  %esp
    0xf0088:	jae    0xf0091
    0xf008a:	mov    $0xeee2,%ax
    0xf008d:	out    %ax,$0x80
    0xf008f:	jmp    0xf008f
    0xf0091:	test   $0x3,%ebp
    0xf0098:	jne    0xf00a1
    0xf009a:	mov    $0xeee3,%ax
    0xf009d:	out    %ax,$0x80
    0xf009f:	jmp    0xf009f
    0xf00a1:	mov    $0x3,%al
    0xf00a3:	out    %al,$0x80
    ----bla, bla, bla
So I think it all points back to the PMBASE + 4 (0x1004) register.
0xf3b0a:	shr    $0xa,%ax
    0xf3b0d:	and    $0x7,%ax
    0xf3b10:	cmp    $0x5,%ax
I tried to set PMBASE + 4 (0x1004) to 0x0005 in my serialice mainboard 
config but when the bios re-enables PMBASE it seems to get wiped out 
(reset to 0).
#define PMBASE 0x1000
/* Set ACPI base address (I/O space). */
pci_write_config32(PCI_ADDR(0, 0x1f, 0, 0x40), (PMBASE | 1));
outw(0x0005, PMBASE + 4);
At this point I am not sure what to do or if I am looking at this 
correctly, I am not so good at assembly.....Help? Ideas?
-- 
Thanks,
Joseph Smith
Set-Top-Linux
www.settoplinux.org