in schools essays that stray away from topic are often graded strictly. if one applies similar principles to my gsoc work it would probably degrade to “satisfactory” or worse. when i submitted my application for gsoc, most of my time line consisted of reverse engineering tasks. the plan was to quickly implement hardware sequencing and start reversing some vendor tools to find out how they unlock the ME.
what really happened is something i think is at least as useful as working ME unlocking code: flashrom got an almost full-time maintainer.
i am handling a big chunk of the daily work (support requests on the mailing list and on IRC, keeping our database of tested devices up to date etc.) and i try to fix all problems in flashrom that i become aware of. this has led to countless already accepted patches and many which are still not reviewed yet.when we focus on the main assignment i can exhibit the following:
- ichspi.c was cleaned up, refactored and slowly extended to make it easy to integrate hardware sequencing.
- i have posted patches to parse flash descriptors on runtime and by reading flash dumps. this allows for better general debug output on intel chipsets and retrieves some information necessary for hwseq.
- a fully tested hwseq implementation that only needs a review to be mergeable.
- (unpublished) code that talks with the MEI similar to the linux kernel module currently in the staging tree. this will be used to send the ME the necessary unlock commands. i think the only thing missing is the right MEI address and message.
what is still needed for an architecturally clean integration of hwseq is a generic framework for handling opaque programmers that do not allow us to send arbitrary commands. discussion about this has started and will hopefully finish in the next two weeks.
until then i want to clean up the descriptor handling which is based on the descriptormode tool made by Matthias ‘mazzoo’ Wenzel. i have worked on that already extensively, but there remain coding and output style issues and i also want to add decoding of flash descriptor straps for intel’s ibex peak/5 series chipsets. issues with this and other undocumented properties of intel chips will be examined in another blog post in the near future. when all requirements for hwseq are done, i will focus on the main problem of unlocking the ME. i can only give a very terse time plan because it heavily relies on various factors i can’t influence/do not know yet. hwseq and everything related should be completed and possibly merged before suggested ‘pencil down’ date (2011-08-15). heavily depending on the outcome of my next blog post preliminary code for unlocking the ME may be published before GSoC ends.
Below you can find a sample output of the current version of the ich_descriptor_tool when fed with a flash dump from my laptop:
./ich_descriptors_tool -f ../../../testimages/hwseq.bin -c 5 flash image has a size of 4096 [0x1000] bytes. === Content Section === FLVALSIG 0x0ff0a55a FLMAP0 0x03040002 FLMAP1 0x10100206 FLMAP2 0x00000020 --- Details --- 0x03 NR Number of Regions (4) 0x000040 FRBA Flash Region Base Address 0x00 NC Number of Components (1) 0x000020 FCBA Flash Component Base Address 0x00 ISL ICH Strap Length (0) 0x000100 FISBA Flash ICH Strap Base Address 0x02 NM Number of Masters (3) 0x000060 FMBA Flash Master Base Address 0x00 MSL MCH Strap Length (0) 0x000200 FMSBA Flash MCH Strap Base Address === Component Section === FLCOMP 0x0990001c FLILL 0x00000000 --- Details --- 0x01 freq_read_id 33 MHz 0x01 freq_write 33 MHz 0x04 freq_fastread 50 MHz 0x01 fastread supported 0x00 freq_read 20 MHz 0x04 comp 1 density 8 MB 0x03 comp 2 is not used (FLMAP0.NC=0x0) 0x00 invalid instr 0 0x00 invalid instr 1 0x00 invalid instr 2 0x00 invalid instr 3 === Region Section === FLREG0 0x00000000 FLREG1 0x07ff0500 FLREG2 0x04ff0003 FLREG3 0x00020001 --- Details --- Region 0 (Descr.) 0x00000000 - 0x00000fff Region 1 (BIOS) 0x00500000 - 0x007fffff Region 2 (ME) 0x00003000 - 0x004fffff Region 3 (GbE) 0x00001000 - 0x00002fff === Master Section === FLMSTR1 0x0a0b0000 FLMSTR2 0x0c0d0000 FLMSTR3 0x08080118 --- Details --- Descr. BIOS ME GbE BIOS r rw rw ME r rw rw GbE rw === Upper Map Section === FLUMAP1 0x00000aed --- Details --- VTL (length) = 10 VTBA (base address) = 0x000ed0 VSCC Table: JID0 = 0x001720c2 VSCC0 = 0x20052005 Manufacturer ID 0xc2, Device ID 0x2017 BES=0x1, WG=1, WSR=0, WEWS=0, EO=0x20, VCL=0 JID1 = 0x001730ef VSCC1 = 0x20052005 Manufacturer ID 0xef, Device ID 0x3017 BES=0x1, WG=1, WSR=0, WEWS=0, EO=0x20, VCL=0 JID2 = 0x001740ef VSCC2 = 0x20052005 Manufacturer ID 0xef, Device ID 0x4017 BES=0x1, WG=1, WSR=0, WEWS=0, EO=0x20, VCL=0 JID3 = 0x0000481f VSCC3 = 0x20152015 Manufacturer ID 0x1f, Device ID 0x4800 BES=0x1, WG=1, WSR=0, WEWS=1, EO=0x20, VCL=0 JID4 = 0x00177120 VSCC4 = 0x20052005 Manufacturer ID 0x20, Device ID 0x7117 BES=0x1, WG=1, WSR=0, WEWS=0, EO=0x20, VCL=0 === Softstraps === --- PCH --- PCHSTRP0 = 0x48305782 PCHSTRP1 = 0x0000000f PCHSTRP2 = 0x00000000 PCHSTRP3 = 0x00000000 PCHSTRP4 = 0x00c8e102 PCHSTRP5 = 0x00000000 PCHSTRP6 = 0x00000000 PCHSTRP7 = 0x00000000 PCHSTRP8 = 0x00000000 PCHSTRP9 = 0x00000d00 PCHSTRP10 = 0x00050044 PCHSTRP11 = 0x99000097 PCHSTRP12 = 0x00000000 PCHSTRP13 = 0x00000000 PCHSTRP14 = 0x00000000 PCHSTRP15 = 0x00000358