Author: stepan Date: 2009-12-07 18:05:07 +0100 (Mon, 07 Dec 2009) New Revision: 90
Modified: trunk/SerialICE/scripts/serialice.lua Log: Update SerialICE LUA script. It is really time that we start using the device model.
- add global variable "ip_logging" to enable/disable logging [CS:IP] for every access. - only register physical memory for RAM if it did not happen before - reset Qemu CPU when target is reset with 0xcf9 - Implement Intel CPU microcode update faking in the MSR read/write filters. It would be a relatively easy hack to add microcodes to the SerialICE image and even run them, by having the msr write point to the correct address, in case that should ever be needed. - add a lot of automation triggers to increase SerialICE speed on my test hardware.
Signed-off-by: Stefan Reinauer stepan@coresystems.de
Modified: trunk/SerialICE/scripts/serialice.lua
===================================================================
--- trunk/SerialICE/scripts/serialice.lua 2009-12-05 16:37:58 UTC (rev 89)
+++ trunk/SerialICE/scripts/serialice.lua 2009-12-07 17:05:07 UTC (rev 90)
@@ -41,10 +41,14 @@
ram_is_initialized = false
--- Whether to log read access (code fetches) to 0xe0000 to 0xfffff
+-- Set to "true" to log read access (code fetches) to 0xe0000 to 0xfffff
log_rom_access = false
+-- Set to "true" to log CS:IP for each access
+
+ip_logging = false
+
 -- Remember the PCI device selected via IO CF8
SerialICE_pci_device = 0
@@ -84,6 +88,15 @@
 -- ********************************************************** --
+ if ( port == 0x60 and data_size == 1 ) then
+ if ( regs.eip == 0xbd6d and regs.eax == 0x8aa and regs.ecx == 0x00fffff0 ) then
+ -- f000:bd6d
+ printf("Skipping keyboard timeout...\n")
+ regs.eax = 0x01aa
+ regs.ecx = 0x0010
+ end
+ end
+
 return caught, data
 end
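Review bot: The keyboard-timeout trigger matches only regs.eip == 0xbd6d although its own comment places the code at f000:bd6d, so any firmware path that reaches offset 0xbd6d with eax == 0x8aa and ecx == 0x00fffff0 in a different segment would also have its registers rewritten; the 0xed/0x40 and 0xed/0x83 triggers in the port-write hunk have the same gap (their comments name f100:03ed and e002:01bb), while the memory-write hunk in this commit already checks regs.cs == 0xe002. Adding the segment, `if ( regs.cs == 0xf000 and regs.eip == 0xbd6d and regs.eax == 0x8aa and regs.ecx == 0x00fffff0 ) then`, keeps the shortcut from firing on other firmware images, assuming regs.cs is available here as it is in the memory filter. These register rewrites are specific to one BIOS build; a comment naming the board and firmware they were recorded on would tell the next user whether to keep or drop them. The enclosing filter function starts outside the hunk.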
@@ -227,15 +240,40 @@
 -- permanently from the target (several reads/writes per
 -- decompressed byte).
- if port == 0x80 and data == 0xff37 then
+ if port == 0x80 and data == 0xff37 and ram_is_initialized == false then
 ram_is_initialized = true
 -- Register low RAM 0x00000000 - 0x000dffff
 SerialICE_register_physical(0x00000000, 0xa0000)
 -- SMI/VGA memory should go to the target...
 SerialICE_register_physical(0x000c0000, 0x20000)
 printf("\nLow RAM accesses are now directed to Qemu.\n")
+
+ return false, data
 end
+ if port == 0xcf9 and data == 0x06 then
+ SerialICE_system_reset()
+ return false, data
+ end
+
+ if ( port == 0xed and data == 0x40 ) then
+ if ( regs.eip == 0x3ed and regs.ecx == 0x00000290 ) then
+ printf("Skipping IO delay...\n")
+ -- f100:03ed
+ regs.ecx = 0x05
+ end
+ end
+
+ if ( port == 0xed and data == 0x83 )
+ then
+ if ( regs.eip == 0x1bb and regs.ecx == 0x0000fff0 ) then
+ printf("Skipping IO delay...\n")
+ -- e002:01bb
+ regs.ecx = 0x10
+ regs.ebx = 0x01
+ end
+ end
+
 return false, data
 end
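Review bot: The 0xcf9 trigger resets the Qemu CPU only for data == 0x06, so a firmware that writes 0x0e to the reset-control port (full reset, same RST_CPU bit) would reset the target while Qemu keeps running, and the io-write-log hunk later in this commit reports every 0xcf9 write as "Reset triggered" regardless of the value, so filter and log disagree. Testing the RST_CPU bit instead, `if port == 0xcf9 and bit.band(data, 0x04) ~= 0 then`, covers both cases with the bit library the script already uses. A comment on why the write is still forwarded after the reset (`return false, data`, presumably so the target resets too) would save the next reader from wondering whether that was intended. The `)` / `then` split across two lines in the 0xed/0x83 trigger is inconsistent with the other triggers and should be joined. The enclosing port-write filter starts outside the hunk.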
@@ -384,6 +422,17 @@
 -- Don't send writes to the target for speed reasons.
 return false, true, data
 elseif addr >= 0x00100000 and addr <= 0xcfffffff then
+ if addr == 0x00100000 then
+ if regs.cs == 0xe002 and regs.eip == 0x07fb then
+ -- skip high memory wipe
+ regs.ecx = 0x10
+ end
+ if regs.cs == 0xe002 and regs.eip == 0x076c and regs.edi == 0x3f then
+ -- skip high memory test
+ regs.edi=1;
+ end
+ end
+
 -- 3.25 GB RAM ... This is handled by SerialICE
 return true, false, data
 else
@@ -394,16 +443,31 @@
 return true, false, data
 end
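Review bot: `regs.edi=1;` in the high-memory-test trigger carries a trailing semicolon and no spaces around `=`, unlike `regs.ecx = 0x10` a few lines above and the rest of the script; write it as `regs.edi = 1`. Both triggers here also patch registers silently, whereas the equivalent port triggers in this commit print "Skipping ...", so a trace will not show that the memory wipe or memory test was shortcut; a `printf("Skipping high memory wipe...\n")` (and the matching one for the test) before each assignment keeps the log complete. The enclosing memory-write filter starts and ends outside the hunk.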
+
+function log_cs_ip()
+ if (ip_logging) then printf("[%04x:%04x] -- ", regs.cs, regs.eip) end
+end
+
 function SerialICE_msr_read_filter(addr, hi, lo)
+ -- Intel CPU microcode revision check.
+ if addr == 0x8b then
+ -- fake microcode revision of my 0x6f6 Core 2 Duo Mobile
+ return true, 0xc7, 0x00
+ end
+
 return false, hi, lo
 end
function SerialICE_msr_write_filter(addr, hi, lo)
+ -- Intel CPU microcode update
+ if addr == 0x79 then
+ return true, 0, 0xffff0000
+ end
+
 return false, hi, lo
 end
function SerialICE_cpuid_filter(in_eax, in_ecx, eax, ebx, ecx, edx)
-
 -- Set number of cores to 1 on Core Duo and Atom to trick the
 -- firmware into not trying to wake up non-BSP nodes.
 if in_eax == 1 then
@@ -428,6 +492,8 @@
 return
 end
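Review bot: The microcode values in SerialICE_msr_read_filter and SerialICE_msr_write_filter are hard-wired constants explained only by a personal note ("my 0x6f6 Core 2 Duo Mobile"), so anyone with a different CPU has to edit the filter body to get a plausible revision back. Hoisting the value next to the other tunables, `fake_microcode_revision = 0xc7` beside ip_logging, and returning `return true, fake_microcode_revision, 0x00` turns that into a one-line configuration change. The `0xffff0000` handed back for the MSR 0x79 write is explained only in the commit message; a comment in the filter stating what that value is meant to point the update trigger at would keep the reasoning with the code. log_cs_ip is new and undocumented; a header such as `-- Print "[cs:ip] -- " in front of the current log line when ip_logging is set` matches the style of the other helpers.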
+ log_cs_ip()
+
 if size == 1 then printf("MEM: writeb %08x <= %02x", addr, data)
 elseif size == 2 then printf("MEM: writew %08x <= %04x", addr, data)
 elseif size == 4 then printf("MEM: writel %08x <= %08x", addr, data)
@@ -463,6 +529,8 @@
 return
 end
+ log_cs_ip()
+
 if size == 1 then printf("MEM: readb %08x => %02x", addr, data)
 elseif size == 2 then printf("MEM: readw %08x => %04x", addr, data)
 elseif size == 4 then printf("MEM: readl %08x => %08x", addr, data)
@@ -485,6 +553,8 @@
 end
function SerialICE_io_write_log(port, size, data, target)
+ log_cs_ip()
+
 if size == 1 then printf("IO: outb %04x <= %02x\n", port, data)
 elseif size == 2 then printf("IO: outw %04x <= %04x\n", port, data)
 elseif size == 4 then printf("IO: outl %04x <= %08x\n", port, data)
@@ -500,9 +570,18 @@
 bit.band(0x7,bit.rshift(SerialICE_pci_device, 8)),
 bit.band(0xff,SerialICE_pci_device + (port - 0xcfc) ))
 end
+
+ -- **********************************************************
+ --
+
+ if port == 0xcf9 then
+ printf("Reset triggered at %04x:%04x\n", regs.cs, regs.eip);
+ end
 end
function SerialICE_io_read_log(port, size, data, target)
+ log_cs_ip()
+
 if size == 1 then printf("IO: inb %04x => %02x\n", port, data)
 elseif size == 2 then printf("IO: inw %04x => %04x\n", port, data)
 elseif size == 4 then printf("IO: inl %04x => %08x\n", port, data)
@@ -521,14 +600,17 @@
 end
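Review bot: `printf("Reset triggered at %04x:%04x\n", regs.cs, regs.eip);` in the SerialICE_io_write_log hunk ends with a semicolon, which nothing else in this script uses; drop it. The `-- ****` / `--` pair above it is an empty banner with no title, so it separates nothing a reader can name; either give it the same kind of heading the other banner comments carry or remove the two lines. Printing the written value as well, `printf("Reset triggered at %04x:%04x (0xcf9 <= %02x)\n", regs.cs, regs.eip, data)`, would make it visible in the log which reset variant the firmware requested. SerialICE_io_write_log begins in the previous hunk.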
function SerialICE_msr_write_log(addr, hi, lo, filtered)
+ log_cs_ip()
 printf("CPU: wrmsr %08x <= %08x.%08x\n", addr, hi, lo)
 end
function SerialICE_msr_read_log(addr, hi, lo, filtered)
+ log_cs_ip()
 printf("CPU: rdmsr %08x => %08x.%08x\n", addr, hi, lo)
 end
function SerialICE_cpuid_log(in_eax, in_ecx, out_eax, out_ebx, out_ecx, out_edx, filtered)
+ log_cs_ip()
 printf("CPU: CPUID eax: %08x; ecx: %08x => %08x.%08x.%08x.%08x\n", in_eax, in_ecx, out_eax, out_ebx, out_ecx, out_edx)
 end