GSoC 2011: flashrom part 3 – Midterm Evaluation

in schools, essays that stray away from the topic are often graded strictly. if one applies similar principles to my gsoc work, it would probably degrade to “satisfactory” or worse. when i submitted my application for gsoc, most of my timeline consisted of reverse engineering tasks. the plan was to quickly implement hardware sequencing and start reversing some vendor tools to find out how they unlock the ME.

what really happened is something i think is at least as useful as working ME unlocking code: flashrom got an almost full-time maintainer. ;)
i am handling a big chunk of the daily work (support requests on the mailing list and on IRC, keeping our database of tested devices up to date etc.) and i try to fix all problems in flashrom that i become aware of. this has led to countless already accepted patches and many which are not reviewed yet.

when we focus on the main assignment i can exhibit the following:

  • ichspi.c was cleaned up, refactored and slowly extended to make it easy to integrate hardware sequencing.
  • i have posted patches to parse flash descriptors at runtime and by reading flash dumps. this allows for better general debug output on intel chipsets and retrieves some information necessary for hwseq.
  • a fully tested hwseq implementation that only needs a review to be mergeable.
  • (unpublished) code that talks with the MEI similar to the linux kernel module currently in the staging tree. this will be used to send the ME the necessary unlock commands. i think the only thing missing is the right MEI address and message.

what is still needed for an architecturally clean integration of hwseq is a generic framework for handling opaque programmers that do not allow us to send arbitrary commands. discussion about this has started and will hopefully finish in the next two weeks.

until then i want to clean up the descriptor handling which is based on the descriptormode tool made by Matthias ‘mazzoo’ Wenzel. i have already worked on that extensively, but there remain coding and output style issues and i also want to add decoding of flash descriptor straps for intel’s ibex peak/5 series chipsets. issues with this and other undocumented properties of intel chips will be examined in another blog post in the near future.

when all requirements for hwseq are done, i will focus on the main problem of unlocking the ME. i can only give a very terse time plan because it heavily relies on various factors i can’t influence/do not know yet. hwseq and everything related should be completed and possibly merged before the suggested ‘pencil down’ date (2011-08-15). heavily depending on the outcome of my next blog post, preliminary code for unlocking the ME may be published before GSoC ends.

Below you can find a sample output of the current version of the ich_descriptors_tool when fed with a flash dump from my laptop:

./ich_descriptors_tool -f ../../../testimages/hwseq.bin -c 5
flash image has a size of 4096 [0x1000] bytes.
=== Content Section ===
FLVALSIG 0x0ff0a55a
FLMAP0   0x03040002
FLMAP1   0x10100206
FLMAP2   0x00000020

--- Details ---
0x03      NR    Number of Regions (4)
0x000040  FRBA  Flash Region Base Address
0x00      NC    Number of Components (1)
0x000020  FCBA  Flash Component Base Address

0x00      ISL   ICH Strap Length (0)
0x000100  FISBA Flash ICH Strap Base Address
0x02      NM    Number of Masters (3)
0x000060  FMBA  Flash Master Base Address

0x00      MSL   MCH Strap Length (0)
0x000200  FMSBA Flash MCH Strap Base Address

=== Component Section ===
FLCOMP   0x0990001c
FLILL    0x00000000

--- Details ---
0x01    freq_read_id   33 MHz
0x01    freq_write     33 MHz
0x04    freq_fastread  50 MHz
0x01    fastread       supported
0x00    freq_read      20 MHz
0x04    comp 1 density 8 MB
0x03    comp 2 is not used (FLMAP0.NC=0x0)

0x00    invalid instr 0
0x00    invalid instr 1
0x00    invalid instr 2
0x00    invalid instr 3

=== Region Section ===
FLREG0   0x00000000
FLREG1   0x07ff0500
FLREG2   0x04ff0003
FLREG3   0x00020001

--- Details ---
Region 0 (Descr.) 0x00000000 - 0x00000fff
Region 1 (BIOS)   0x00500000 - 0x007fffff
Region 2 (ME)     0x00003000 - 0x004fffff
Region 3 (GbE)    0x00001000 - 0x00002fff

=== Master Section ===
FLMSTR1  0x0a0b0000
FLMSTR2  0x0c0d0000
FLMSTR3  0x08080118

--- Details ---
      Descr. BIOS ME GbE
BIOS    r     rw      rw
ME      r         rw  rw
GbE                   rw

=== Upper Map Section ===
FLUMAP1  0x00000aed

--- Details ---
VTL  (length)       = 10
VTBA (base address) = 0x000ed0

VSCC Table:
  JID0  = 0x001720c2
  VSCC0 = 0x20052005
    Manufacturer ID 0xc2, Device ID 0x2017
    BES=0x1, WG=1, WSR=0, WEWS=0, EO=0x20, VCL=0
  JID1  = 0x001730ef
  VSCC1 = 0x20052005
    Manufacturer ID 0xef, Device ID 0x3017
    BES=0x1, WG=1, WSR=0, WEWS=0, EO=0x20, VCL=0
  JID2  = 0x001740ef
  VSCC2 = 0x20052005
    Manufacturer ID 0xef, Device ID 0x4017
    BES=0x1, WG=1, WSR=0, WEWS=0, EO=0x20, VCL=0
  JID3  = 0x0000481f
  VSCC3 = 0x20152015
    Manufacturer ID 0x1f, Device ID 0x4800
    BES=0x1, WG=1, WSR=0, WEWS=1, EO=0x20, VCL=0
  JID4  = 0x00177120
  VSCC4 = 0x20052005
    Manufacturer ID 0x20, Device ID 0x7117
    BES=0x1, WG=1, WSR=0, WEWS=0, EO=0x20, VCL=0

=== Softstraps ===
--- PCH ---
PCHSTRP0  = 0x48305782
PCHSTRP1  = 0x0000000f
PCHSTRP2  = 0x00000000
PCHSTRP3  = 0x00000000
PCHSTRP4  = 0x00c8e102
PCHSTRP5  = 0x00000000
PCHSTRP6  = 0x00000000
PCHSTRP7  = 0x00000000
PCHSTRP8  = 0x00000000
PCHSTRP9  = 0x00000d00
PCHSTRP10 = 0x00050044
PCHSTRP11 = 0x99000097
PCHSTRP12 = 0x00000000
PCHSTRP13 = 0x00000000
PCHSTRP14 = 0x00000000
PCHSTRP15 = 0x00000358
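
How the Region and Master "Details" lines above follow from the raw FLREGn and FLMSTRn values, as an added example (not code from flashrom or from the ich_descriptors_tool). The bit positions used are an assumption in the sense that the post does not spell them out; they are the ones that reproduce the decoded lines in the dump. The last step lists the regions the host cannot write, which for this dump are the descriptor and the ME region.

```c
#include <stdint.h>
#include <stdio.h>

/* Register values copied from the sample output above. */
static const uint32_t flreg[4]  = { 0x00000000, 0x07ff0500, 0x04ff0003, 0x00020001 };
static const uint32_t flmstr[3] = { 0x0a0b0000, 0x0c0d0000, 0x08080118 };
static const char *const region_name[4] = { "Descr.", "BIOS", "ME", "GbE" };
static const char *const master_name[3] = { "BIOS", "ME", "GbE" };

/* FLREGn: bits 12:0 hold the base, bits 28:16 the limit, in 4 KiB units. */
uint32_t region_base(uint32_t reg)  { return (reg & 0x1fff) << 12; }
uint32_t region_limit(uint32_t reg) { return (((reg >> 16) & 0x1fff) << 12) | 0xfff; }
/* A region whose base lies above its limit is unused. */
int region_used(uint32_t reg) { return region_base(reg) <= region_limit(reg); }

/* FLMSTRn: bits 23:16 grant read, bits 31:24 grant write, one bit per region. */
int can_read(uint32_t mstr, int region)  { return (mstr >> (16 + region)) & 1; }
int can_write(uint32_t mstr, int region) { return (mstr >> (24 + region)) & 1; }

/* Bitmap of used regions that the given master may not write. */
unsigned write_locked(uint32_t mstr, const uint32_t *regs, int nregs)
{
	unsigned locked = 0;
	for (int i = 0; i < nregs; i++)
		if (region_used(regs[i]) && !can_write(mstr, i))
			locked |= 1u << i;
	return locked;
}

int main(void)
{
	for (int i = 0; i < 4; i++)
		printf("Region %d (%-6s) 0x%08x - 0x%08x\n", i, region_name[i],
		       (unsigned)region_base(flreg[i]), (unsigned)region_limit(flreg[i]));
	for (int m = 0; m < 3; m++) {
		printf("%-4s master:", master_name[m]);
		for (int r = 0; r < 4; r++)
			printf(" %s=%s%s", region_name[r],
			       can_read(flmstr[m], r) ? "r" : "-",
			       can_write(flmstr[m], r) ? "w" : "-");
		printf("\n");
	}
	/* FLMSTR1 is the host CPU/BIOS master, the one flashrom runs as. */
	unsigned locked = write_locked(flmstr[0], flreg, 4);
	for (int r = 0; r < 4; r++)
		if (locked & (1u << r))
			printf("host cannot write region %d (%s)\n", r, region_name[r]);
	return 0;
}
```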
