t-hack.com

English - X300T / X301T / DIT9719 / KISS KMM / BT Vision / Bluewin TV-Box / V-BOX/ VIP 1216 or similar Hardware => Software => Topic started by: Hoernchen on 05. Jul 2009, 01:51

Title: gxemul smp86xx emu
Post by: Hoernchen on 05. Jul 2009, 01:51
One of my current projects: modifying gxemul to be able to "boot" an smp86xx bootloader (currently only zboot; the final target is the WinCE bootloader).

Working so far:
-remap registers
-uart0 (output only, no irq)

This is enough to successfully execute zboot stage 0; due to missing pflash/xenv emulation, stage 1 fails.
Currently configured for Cygwin; building under Linux works too, but you might have to fix some scripts because I modified some stuff to speed up compiling (make clean will break it!).

Usage:
Code:
./gxemul.exe -J -vvv -V -M 0 -Q -E testsmp86xx 0xb0800000:zboot.bin

This is just a highly unstable quick and dirty preliminary release.
Title: Re: gxemul smp86xx emu
Post by: zfeet on 05. Jul 2009, 21:03
I'll have to try this with the custom Netgem bootloader.
Title: Re: gxemul smp86xx emu
Post by: zfeet on 05. Jul 2009, 22:09
Nice work! It's alive :)

Code:
No valid XENV block found ... system stopped.
Title: Re: gxemul smp86xx emu
Post by: zfeet on 05. Jul 2009, 22:21
Some thoughts: shouldn't any smp86xx emulation have to emulate two CPUs (smp86xx and XPU) to work properly?
Title: Re: gxemul smp86xx emu
Post by: Hoernchen on 06. Jul 2009, 00:22
You can't emulate the xpu because no one knows what it does; the xos and the xtasks are encrypted. The only things you could emulate are the xrpc calls (http://www.t-hack.com/wiki/index.php/Xrpc_call_list).
My goal is to get the bootloader running with as little effort as possible, so as soon as the BL needs a new feature I add it.

Due to my attempt to get my bachelor's degree before 2020, I'll have to put this on hold for the next two weeks ;)
Title: Re: gxemul smp86xx emu
Post by: Hoernchen on 10. Jul 2009, 23:37
+CPU localram
+PFLASH @ CS2 (expects a flash dump called flash.bin)
+dram0 first megabyte
+xpu xrpc emulation (only XRPC_ID_XLOAD so far)

This means zboot starts, parses the xenv, loads the yamon romfs/xrpc-xload file from the flash dump, extracts the zbf and starts yamon, and then the emulated machine crashes because yamon does some strange stuff.
Title: Re: gxemul smp86xx emu
Post by: zfeet on 11. Jul 2009, 08:56
I can start netgem xenv to a point. Too bad I don't have a zboot.bin from Netgem.

Quote
[ CPU lram: write to 0x60000 + 0x1f28 PC 0xffffffff91160d58: 0x54 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1f30 PC 0xffffffff91160d58: 0x59 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1f38 PC 0xffffffff91160d58: 0x20 (len=4) ]
cpu0: warning: write to unimplemented coproc0 register 15 (prid), data = 0xffffffff91000000
cpu0: warning: write to READONLY coproc0 register 15 ignored
        device at 0x000006c100: smp86xxcpuuart
        device at 0x0010000000: dram0_20k
        remapregs enabled: 0x1
        r0 0x10800000
        r1 0xbaadf00d
        r2 0xbaadf00d
        r3 0xbaadf00d
        r4 0xbaadf00d
        device at 0x0000060000: CPUlram
        [ PFLASH: successfully loaded flash.bin to 0x48000000 size 0x400000 flashsize 0x1000000
        device at 0x0048000000: PFLASH
        device at 0x00000e0000: xpu
        machine: smp8634 test machine
        console slaves (xterms): no
        console handles:
            0: "MAIN"
            1: "smp86xxcpuuart" [MAIN CONSOLE]
        loading 0xb0800000:zboot.bin:
            RAW: 0xdd4c bytes @ 0xffffffffb0800000
        cpu0: starting at 0xb0800000
-------------------------------------------------------------------------------


**********************************
* SMP863x zboot start ...
* Version: 2.2.0
* Started at 0x91000000.
* Configurations (chip revision: 6):
*    Use 8KB DRAM as stack.
*    Support XLoad format.
*    Enabled BIST mode.
*    Enabled memory test mode.
*    Use internal memory for stage0/1.
**********************************
Boot from flash (0x48000000) mapped to 0xac000000.
Found XENV block at 0xac000000.
[ sysblock: unimplemented read from offset 0x3c ]
[ sysblock: unimplemented read from offset 0x34 ]
[ sysblock: unimplemented read from offset 0x10 ]
CPU clock frequency: 0.00MHz.
[ sysblock: unimplemented read from offset 0x3c ]
[ sysblock: unimplemented read from offset 0x34 ]
[ sysblock: unimplemented read from offset 0x10 ]
System clock frequency: 0.00MHz.
DRAM0 dunit_cfg/delay0_ctrl (NA/NA).
DRAM1 dunit_cfg/delay0_ctrl (NA/NA).
Using UART port 0 as console.
Board ID.: "Pirelli STB HY100"
Chip Revision: 0x8634:0x82 .. Mismatched.
Setting up H/W from XENV block at 0xac000000.
[ sysblock: unimplemented read from offset 0x34 ]
[ sysblock: unimplemented write to offset 0x34 ]
  Setting <SYSCLK premux> to 0x00000203.
[ sysblock: unimplemented read from offset 0x38 ]
[ sysblock: unimplemented write to offset 0x38 ]
  Setting <SYSCLK avclk_mux> to 0x00000000.
[ sysblock: unimplemented read from offset 0x30 ]
[ sysblock: unimplemented write to offset 0x30 ]
  Setting <SYSCLK hostclk_mux> to 0x00000100.
  Setting <IRQ rise edge trigger lo> to 0xff28ca00.
  Setting <IRQ fall edge trigger lo> to 0x0000c000.
  Setting <IRQ rise edge trigger hi> to 0x0000009f.
  Setting <IRQ fall edge trigger hi> to 0x00000000.
[ sysblock: unimplemented read from offset 0x508 ]
  Keeping <IRQ GPIO map> to 0x0d000a00.
  Setting <PB default timing> to 0x010e0008.
  Setting <PB timing0> to 0x010e0008.
  Setting <PB Use timing0> to 0x000003fc.
  Setting <PB timing1> to 0x00110101.
  Setting <PB Use timing1> to 0x000003f3.
  PB cs config: 0x000c10c0 (use 0x000c1080)
  Enabled Devices: 0x00023efe
    BM/IDE PCIHost Ethernet IR FIP I2CM I2CS USB PCIDev1 PCIDev2 PCIDev3 PCIDev4 SCARD
  MAC: 00:17:c2:f0:37:dd
[ CPU lram: write to 0x60000 + 0x1ce4 PC 0xffffffff910052c0: 0x4d0017 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1ce0 PC 0xffffffff910052c0: 0xc2f037dd (len=4) ]
[ CPU lram: write to 0x60000 + 0x1ce4 PC 0xffffffff910052c0: 0xdd4d0017 (len=4) ]
  PCI IRQ routing:
    IDSEL 1: INTA(#14) INTB(#14) INTC(#14) INTD(#14)
    IDSEL 2: INTA(#14) INTB(#14) INTC(#14) INTD(#14)
    IDSEL 3: INTA(#14) INTB(#14) INTC(#14) INTD(#14)
    IDSEL 4: INTA(#15) INTB(#15) INTC(#15) INTD(#15)
  Smartcard pin assignments:
    OFF pin = 0
    5V pin = 1
    CMD pin = 2
[ sysblock: unimplemented write to offset 0x80 ]
[ sysblock: unimplemented write to offset 0x88 ]
[ sysblock: unimplemented read from offset 0x34 ]
[ sysblock: unimplemented read from offset 0x0 ]
  Skipped setting up Clean Divider 2 to 96000000Hz.
[ sysblock: unimplemented write to offset 0x98 ]
[ sysblock: unimplemented write to offset 0x38 ]
[ sysblock: unimplemented read from offset 0x34 ]
[ sysblock: unimplemented read from offset 0x0 ]
  Skipped setting up Clean Divider 4 to 33333333Hz.
[ sysblock: unimplemented write to offset 0xa8 ]
[ sysblock: unimplemented write to offset 0xb0 ]
[ sysblock: unimplemented write to offset 0xb8 ]
[ sysblock: unimplemented write to offset 0xc0 ]
[ sysblock: unimplemented write to offset 0xc8 ]
[ sysblock: unimplemented write to offset 0xd0 ]
  GPIO dir/data = 0x00000000/0x00000000
[ irqc: WARNING! write to CPU_UART_GPIOMODE ]
  UART0 GPIO mode/dir/data = 0x6e/0x00/0x00
[ irqc: WARNING! write to CPU_UART_GPIOMODE ]
  UART1 GPIO mode/dir/data = 0x6e/0x00/0x00
XENV block processing completed.
[ dram0_20k: FM_MEMCFG read from 0xfc0, len=4 PC 0xffffffff91000424 ]
Setting up memcfg at 0xb0000fc0.
[ dram0_20k: FM_MEMCFG write to 0xfc0 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc1 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc2 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc3 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc4 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc5 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc6 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc7 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc8 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc9 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfca PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfcb PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfcc PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfcd PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfce PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfcf PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd0 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd1 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd2 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd3 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd4 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd5 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd6 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd7 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd8 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd9 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfda PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfdb PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfdc PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfdd PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfde PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfdf PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe0 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe1 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe2 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe3 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe4 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe5 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe6 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe7 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe8 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe9 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfea PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfeb PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfec PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfed PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfee PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfef PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff0 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff1 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff2 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff3 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff4 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff5 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff6 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff7 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff8 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff9 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xffa PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xffb PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xffc PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xffd PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xffe PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfff PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc0 PC 0xffffffff91000464: 0x6766636d (len=4) ]
[ dram0_20k: FM_MEMCFG write to 0xfe8 PC 0xffffffff91000470: 0x20000 (len=4) ]
[ dram0_20k: FM_MEMCFG write to 0xfc4 PC 0xffffffff91000474: 0x4000000 (len=4) ]
[ dram0_20k: FM_MEMCFG write to 0xfc8 PC 0xffffffff91000478: 0x0 (len=4) ]
[ dram0_20k: FM_MEMCFG write to 0xfec PC 0xffffffff9100047c: 0x0 (len=4) ]
[ dram0_20k: FM_MEMCFG read from 0xfc0, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfc4, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfc8, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfcc, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfd0, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfd4, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfd8, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfdc, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfe0, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfe4, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfe8, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfec, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xff0, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xff4, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xff8, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xffc, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG write to 0xfec PC 0xffffffff910004a0: 0x94979c93 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1c8c PC 0xffffffff910052c0: 0x0 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1c90 PC 0xffffffff910052c0: 0x0 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1c94 PC 0xffffffff910052c0: 0x0 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1c98 PC 0xffffffff910052c0: 0x0 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1c9c PC 0xffffffff910052c0: 0x0 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1ca0 PC 0xffffffff910052c0: 0x0 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1ca4 PC 0xffffffff910052c0: 0x0 (len=4) ]
Default boot index: 0
[ CPU lram: read from 0x60000 + 0x1ff0, len=4 PC 0xffffffff910050f0 ]
Scanning ROMFS image at 0xac280000 (0x00280000) .. Found.
ROMFS found at 0xac280000, Volume name = YAMON_XRPC
Found 1 file(s) to be processed in ROMFS.
Processing xrpc_xload_yamon_ES4_prod.bin (start: 0xac280090, size: 0x00036d74)
  Checking zboot file signature .. Not found.
  Trying xrpc_xload format .. [ CPU lram: write to 0x60000 + 0x1ffc PC 0xffffffff910052c0: 0x11800000 (len=4) ]
[ xpu: CPU_irq_softset 0x10
[ CPU lram: read from 0x60000 + 0x1ffc, len=4 PC 0xffffffff910052c0 ]
[ xpu: xrpc addr 0x11800000
[ xpu: xrpc id 0x5 decsize 0x36a50 loadto 0x13000000 secid 0x1
[ CPU lram: write to 0x60000 + 0x1ffc PC 0xffffffff910052c0: 0x6 (len=4) ]
[ CPU lram: read from 0x60000 + 0x1ffc, len=4 PC 0xffffffff910050f0 ]
OK
  Checking zboot file signature at 0x13000000 .. OK
  Warning: header version mismatched.
  Decompressing to 0x91160000 .. OK (752304/0xb7ab0).
  Load time total 0/0 msec.
  Execute at 0x91160000 ..
[ CPU lram: write to 0x60000 + 0x1f00 PC 0xffffffff91160d58: 0x43 (len=4) ]
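
Hoernchen's description of zboot parsing the xenv and then loading the yamon romfs/xrpc-xload file, and the matching lines in the log above (ROMFS at 0xac280000, xrpc_xload_yamon_ES4_prod.bin at start 0xac280090, size 0x36d74), as an added worked example that is not code from this thread, from gxemul or from zboot: a Python parser for the standard Linux romfs layout that walks a flash dump and reports the same start/size zboot prints, which is what you need to carve the xload file out of a dump for offline analysis. It handles any romfs, not only this one file; the sample image and its payload are constructed here, the offset 0x280000 and base 0xac000000 are taken from the log, and the "."/".." link entries are assumed to be laid out as genromfs produces them.

```python
import struct

ROMFS_MAGIC = b"-rom1fs-"
# The low three bits of an entry's "next" field give its type; bit 3 is the exec flag.
ROMFS_TYPES = {0: "hardlink", 1: "dir", 2: "file", 3: "symlink",
               4: "blockdev", 5: "chardev", 6: "socket", 7: "fifo"}


def _pad16(data: bytes) -> bytes:
    """romfs aligns every name and payload to a 16-byte boundary."""
    return data + b"\0" * (-len(data) % 16)


def _words_sum(buf: bytes) -> int:
    """Sum of big-endian 32-bit words; the romfs header checksum is defined this way."""
    buf = buf[:len(buf) & ~3]
    return sum(struct.unpack(">%dI" % (len(buf) // 4), buf)) & 0xFFFFFFFF


def parse_romfs(dump: bytes, offset: int = 0, base: int = 0):
    """Walk the romfs at `offset` inside `dump` and return (volume_name, entries).
    Each entry records name, type, absolute payload start and size, the way zboot
    prints them; `base` is the address the dump is mapped at (0xac000000 in the log).
    """
    img = dump[offset:]
    if img[:8] != ROMFS_MAGIC:
        raise ValueError("no -rom1fs- magic at 0x%x" % offset)
    full_size = struct.unpack_from(">I", img, 8)[0]
    if full_size < 32 or full_size > len(img):
        raise ValueError("romfs claims 0x%x bytes, only 0x%x present" % (full_size, len(img)))
    # Words over the first 512 bytes (or the whole image, if smaller) must sum to zero.
    if _words_sum(img[:min(512, full_size)]) != 0:
        raise ValueError("romfs header checksum mismatch")
    vol_end = img.index(b"\0", 16)
    volume = img[16:vol_end].decode("ascii", "replace")
    off = 16 + len(_pad16(img[16:vol_end + 1]))      # first file header
    entries, seen = [], set()
    while True:
        if off in seen or off + 16 > full_size:
            raise ValueError("corrupt file header chain at 0x%x" % off)
        seen.add(off)
        nxt, _spec, size, _cksum = struct.unpack_from(">IIII", img, off)
        name_end = img.index(b"\0", off + 16)
        data_off = off + 16 + len(_pad16(img[off + 16:name_end + 1]))
        if data_off + size > full_size:
            raise ValueError("entry at 0x%x overruns the image" % off)
        entries.append({"name": img[off + 16:name_end].decode("ascii", "replace"),
                        "type": ROMFS_TYPES[nxt & 7],
                        "start": base + offset + data_off, "size": size})
        if nxt & ~0xF == 0:          # a zero next-offset marks the last entry
            break
        off = nxt & ~0xF
    return volume, entries


def build_romfs(volume: str, files) -> bytes:
    """Lay out a romfs the way genromfs does: header, "." and ".." link entries,
    then the files. Constructed for this example; not a Netgem or Sigma image.
    """
    hdr = ROMFS_MAGIC + struct.pack(">II", 0, 0) + _pad16(volume.encode() + b"\0")
    items = [(".", 0, b""), ("..", 0, b"")] + [(n, 2, d) for n, d in files]
    body, off = b"", len(hdr)
    for i, (name, ftype, data) in enumerate(items):
        name_f, data_f = _pad16(name.encode() + b"\0"), _pad16(data)
        ent_len = 16 + len(name_f) + len(data_f)
        nxt = ((off + ent_len) if i < len(items) - 1 else 0) | ftype
        spec = len(hdr) if ftype == 0 else 0     # the links point at the root header
        body += struct.pack(">IIII", nxt, spec, len(data), 0) + name_f + data_f
        off += ent_len
    img = bytearray(hdr + body)
    struct.pack_into(">I", img, 8, len(img))
    struct.pack_into(">I", img, 12, (-_words_sum(bytes(img[:512]))) & 0xFFFFFFFF)
    return bytes(img)


# Constructed flash window mirroring the log: romfs at 0x280000 inside the flash
# that zboot maps at 0xac000000. The payload is filler, not a real xrpc_xload file.
XLOAD_NAME = "xrpc_xload_yamon_ES4_prod.bin"
FLASH_BASE, ROMFS_OFFSET = 0xAC000000, 0x280000
SAMPLE_ROMFS = build_romfs("YAMON_XRPC", [(XLOAD_NAME, b"\xA5" * 0x36D74)])
SAMPLE_FLASH = b"\xFF" * ROMFS_OFFSET + SAMPLE_ROMFS


def locate_xload(flash: bytes = SAMPLE_FLASH):
    """Volume name plus the regular files only: zboot reports "Found 1 file(s)" and
    skips the "." and ".." entries."""
    volume, entries = parse_romfs(flash, ROMFS_OFFSET, FLASH_BASE)
    return volume, [e for e in entries if e["type"] == "file"]
```

Pointing `parse_romfs` at a real flash.bin with the offset zboot prints gives the start/size to slice the xload out; the checksum and bounds checks reject a truncated or bit-flipped dump instead of returning bogus offsets.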
Title: Re: gxemul smp86xx emu
Post by: zfeet on 11. Jul 2009, 10:30
Here's the xenv I am trying to boot. The interesting part starts at 0x20000, which looks like a BIOS of some sort; it even has the string "linbios". It is responsible for starting the Netgem vmlinuz.

Title: Re: gxemul smp86xx emu
Post by: Hoernchen on 11. Jul 2009, 13:04
I have absolutely no idea how the netgem bootloader works, but it's valid MIPS code at 0x20000 which sets some GPIOs to 0, enables all IRQs, sets up the stack pointer, zeros some memory, sets KSEG0 to uncached and then jumps to 0x900A71FC, so a dump of 0x900A71FC, 0x1fc00000 and of the remap registers at 0x6f000, 0x6f004, 0x6f008, 0x6f00c, 0x6f010 would help. Is anyone else working on the netgem box?
Title: Re: gxemul smp86xx emu
Post by: zfeet on 11. Jul 2009, 16:27
Quote
I have absolutely no idea how the netgem bootloader works, but it's valid MIPS code at 0x20000 which sets some GPIOs to 0, enables all IRQs, sets up the stack pointer, zeros some memory, sets KSEG0 to uncached and then jumps to 0x900A71FC, so a dump of 0x900A71FC, 0x1fc00000 and of the remap registers at 0x6f000, 0x6f004, 0x6f008, 0x6f00c, 0x6f010 would help. Is anyone else working on the netgem box?

A guy called nlc used to work with Netgem boxes, but I think he has given up. The problem is that no JTAG is possible and the UART gives only the following output, so the only option to get to the files has been by decrypting the Netgem firmware upgrades and trying to find some way in. Which is why I have been investigating whether it would be possible to run an emulated Netgem device.

Code:
xosPe0 serial#0d5d855bf2d98c2dadb72cd65d569e5f subid 0x5f
xenv cs2 ok
power supply: ok
dram0 ok (a)
dram1 ok (a)
zboot (0) ok
Title: Re: gxemul smp86xx emu
Post by: Hoernchen on 11. Jul 2009, 18:52
Quote
A guy called nlc used to work with Netgem boxes, but I think he has given up.

:( Too bad.
Title: Re: gxemul smp86xx emu
Post by: zfeet on 11. Jul 2009, 19:05
Quote
A guy called nlc used to work with Netgem boxes, but I think he has given up.

:( Too bad.

Yes, it is. Anyway, could you identify something from the attached file? I am not sure if it is encrypted and/or compressed, but this is basically the only thing from the upgrade that I haven't been able to decompress/decrypt. The attachment has two files from two different upgrades. It does look like encryption; for example, in the file part_firm.img some sort of padding starts at offset 0x312, it might be just zeroes or it might be something else.
Title: Re: gxemul smp86xx emu
Post by: Hoernchen on 11. Jul 2009, 21:27
No idea, both files look like some sort of file system, but the whole netgem firmware is a mess. There is an encrypted xrpc-xload binary at offset 0x200 in your xenv/linbios dump, but to dump the decrypted data you would need an smp86xx based box without any cert bindings and JTAG access, which is something I don't have.
Title: Re: gxemul smp86xx emu
Post by: zfeet on 11. Jul 2009, 22:45
I guess I am fighting a lost cause. The only chance to get root access would be to exploit a buffer overflow in the Netgem browser, which is basically a normal web browser.
Title: Re: gxemul smp86xx emu
Post by: zfeet on 12. Sep 2009, 09:53
OK, now we have a method to gain shell access to Netgem boxes. Is it possible somehow to dump the xenv from a running SMP8634 box?

Any progress on the emulator?
Title: Re: gxemul smp86xx emu
Post by: Hoernchen on 12. Sep 2009, 14:03
The xenv can be dumped from the flash, but why would you want to do that? I thought you already had the env?

Quote
Here's the xenv I am trying to boot.

I didn't really continue to work on the emulator; the goal was to understand the initial boot process a bit better, so it has served its purpose.
Title: Re: gxemul smp86xx emu
Post by: zfeet on 12. Sep 2009, 14:23
The Netgem boxes behave differently from other SMP863x based devices that I have seen. It seems that xenv/zboot is only used to boot Netgem's own BIOS, which in turn boots the kernel.

After the initial boot I am not sure how the box accesses the XPU, as there don't seem to be the usual utilities (xrpc etc.) and libraries that come with other manufacturers' devices.

I would like to know how I can dump the xenv so I can compare it to the one that comes with firmware upgrades, and I would also like to use your emulator so that maybe I could get more information on the actual boot process.

Title: Re: gxemul smp86xx emu
Post by: Hoernchen on 12. Sep 2009, 16:41
You could try to dump the bootloader from 0x10100000; the pflash/xenv should be at 0x40000000 + 0x08000000 (physical addresses, so you need to use the gbus stuff to access them).
Title: Re: gxemul smp86xx emu
Post by: nlc on 06. Jan 2010, 17:31
Hello, I am here ;)

It's true that I have given up a little, but I am looking again because there is some interesting news: the ssh access to a netgem box.

I was interested in trying to build our own firmware for these netgem boxes, but I don't want to crash my box, so the first thing I absolutely want is the ability to save and restore the flash with the original data.

I spent a lot of time trying to activate the JTAG, but it's not possible: they shorted all JTAG signals to GND directly under the smp8634.
After that I found how to activate the serial console, but we can only see the debug messages from the XPU (see zfeet's message).

However, these netgem boxes don't work like other smp8634 boxes, and there is no yamon but a curious bootloader named LinBios.

To investigate more seriously, zfeet sent me an old netbox 7600, and I desoldered the flash because I wanted to dump it. But it's a very small BGA component and I never found the time to solder wires to it and dump the flash. Some days ago, someone told me he has ssh access on his netbox 7600, and has access to the first 3 blocks of the flash in /dev/mtd2 (named the BIOS). So I resoldered the flash on zfeet's netbox, and I don't know how, but it works again 8)

From the beginning, I have been sure that netgem has a way to put the firmware in the flash after production, or after an upgrade failure. Because it's possible to have an upgrade failure: they don't keep an old firmware if the new update fails !! ::)
Surely to keep the flash small....

The guy who has ssh access sent me the BIOS dump, and below 0x20000 there is the XENV structure at 0x00, a small encrypted (I think) zone, and a code zone (I think).

And there are 2 LinBios instances, one at 0x20000 and the other at 0x40000.

Surely to switch after each bios upgrade. That's why I really think there is a way to flash an image into the flash from the bios: the 2 bios copies are there to be sure a bios still works; if no bios is working, the board is surely completely dead.

I think the encrypted code below 0x20000 is zboot, which launches the other code zone below 0x20000. This code probably searches for which linbios it must launch.

Then LinBios launches the kernel, and surely can do more; look at the strings:

Code:
Inconsistant offsets %08lx %08lx - %08lx
Invalid offsets %08lx %08lx - %08lx %08lx
                   
        %08lx .
Failed to read 0x%08lx
Failed to write 0x%08lx
Read error
Flashing error
get romimage...
        %08lx: saving
Failed to save 0x%08lx
Dumping error
Could not load '%s'
invalid bios size: %d
Could not save '%s'
Invalid partition %c
Read error bloc %ld
Write error bloc %ld
append
append_prod
append_dbg
dbg_lvls
tvstd
ntsc
palm
paln
tvout
svhs
allow_serial_line
allow_interactive_bios
vidmem
NOAPP=1
File not found / empty (%d)
NGZ ERROR: erroneous block
Unable to allocate NGZ buffer
Loading %s
(not found %d)
(load error %d)
(%d bytes)
Saving %s
(save error %d)
/dev/memdisk
%c Partition %02d - %05d Kbytes
read error
write error
sector 0x%4x:
Block device init error
No valid system partition
0123456789abcdefghijklmnopqrstuvwxyz
0123456789abcdef
0x%02x,
MTD: base=%p size=%d MB erasesize=%d kB
boot
args...
usage: %s %s
%08X
%c%02X
%04X
%08X
boot.cfg
Unable to parse boot file !
LinBios 4.7.38 (C) Copyright Netgem 1996-2007 (Thu Jul 31 18:00:00 UTC 2008)
boot
TRACE_RC=1 console=ttyS0,115200n8
memtest
FORMATHOME=y
Press [enter] to stop boot
$system.cmdline$
$system.prod.bin$
$romimage.prod.ngz$
Boot failed.
%02X
%02X:
Read error: code: %d
flash base: %08lx width %d interleave %d
CFIcheck: %d
AMDcheck: %d
AMD5check: %d
status: fail %x %x %x
write error offset=%d size=%d
write error size=%d
Patching memory image's serial.
Overwrite serial from image.
Write BIOS
done
Write error
invalid bios size: %d
No MTD device
Invalid offsets %08lx %08lx
Failed to read BIOS
Updating config.
FTL100
FTL header not found
Found FTL header in bloc %d
Invalid header %d
Transfer unit %d
Erase unit %d
Logical unit %d
  bloc %d => %d (%08x)
  Block allocation: %d control, %d data, %d free, %d deleted
/dev/ftla
Memory error
Can't get the MBR
File don't contain any SDpl mapping (%08X) !
CRC error got %08X instead of %08X (%08X)
SDPL layer version %02d - %04d sects/bloc - %04d blocs - size: %05d Kbytes
host interface
ethernet     
USB           
audio engine 0
audio engine 1
mpeg engine 0
mpeg engine 1
demux         
mem=%ld@0x%08lx panic=10 ro
initrd
Load ELF file %s failed
root=/dev/sla%c sdpl_map=%s ROOTDEV=/dev/sla%c
ROOTDEV=/dev/sla%c
root=%s%c ROOTDEV=%s%c
ROOTDEV=%s%c
NBPARTS=%d
Warm boot
Cold boot
REBOOT=%d
RAMSTART=0x%08lx
RAMSIZE=0x%08lx
VRAMSTART=0x%08lx
VRAMSIZE=0x%08lx
MEMSTART=0x%08lx
MEMSIZE=0x%08lx
VMEMSTART=0x%08lx
VMEMSIZE=0x%08lx
MACADDR=%02x:%02x:%02x:%02x:%02x:%02x
HW_TYPE=0x%08x
HW_OPTIONS=0x%08x
SEC_BOOT=%d
USR_AUTH=%d
BISTRES=0x%08x
BISTMASK=0x%08x
Not setting for CD8-10.
CD %d not using XTAL !!!
Unknown RAM size (%01x) - defaulting to %d MB
Board version N%d-%d rev %d - Board options %08x
detected %ld + %ld MB of RAM
BIST %d %s: res %08x mask %08x => %s
BIST RES %08x MASK %08x
init
reset
Open file %s failed
Read elf header error
Error : not an ELF file...
Read program header error
Invalid PLL number %d
PLL %d plldiv %d pllmul %d PLL %08x sysmux %08x
PLL %d clk %d.%03d MHz CPU clk %d.%03d MHz sysclk %d.%03d MHz
PLL %d clk %d.%03d MHz
PLL clock out of range: %d MHz
Set up new clock: PLL %d MHz CPU %d MHz sys %d MHz
PLL %08x plldiv %d pllmul %d
=> PLL %d.%03d MHz CPU %d.%03d MHz sys %d.%03d MHz
Error setting GPIO %d to %d
GPIO %d set to %d
Error getting GPIO %d
GPIO %d direction %d value %d
Error setting GPIO %d direction to %s
GPIO %d set to %s
Usage: do_xrpc [-h|-S|-s|-a <addr>]
-h: print this help
-S: print XOS SHA1
-v: print XOS version
-s: print CPU serial ID
-a: execute xtask located at address <addr>
do_xrpc: SHA1 failed (%d)
XOS SHA1: %08x%08x%08x%08x%08x
do_xrpc: XOS version failed
XOS version: %02x
do_xrpc: serial ID failed (%d)
XOS serial ID: %08x%08x%08x%08x
do_xrpc: bad number of arguments
do_xrpc: exec failed (%d)
do_xrpc OK: %08x %08x %08x %08x %08x
do_xrpc: unknown / malformed argument
i2c_sd_wait_status
NAK error
%s: timeout: status %08x %08x
Wait pending failed
i2c_sd_hw_init
%s: devnum > MAX: %d
Failed to read byte %d of %d
Failed to write byte %d of %d
xos_upgrade: SHA1 failed
XOS upgrade is disabled on this board
No automatic upgrades for development XOS
Unknown XOS version - skip upgrade
Unknown XOS SHA1 - Trying to upgrade
/lib/hotplug/firmware/xos_Rev
/lib/hotplug/firmware/xos_ES
Trying to upgrade with XOS '%s'
Could not find any XOS upgrade
Invalid XOS upgrade file: size mismatch %d %d
XOS is up-to-date
Start XOS upgrade from version %02x to %02x.
XOS upgrade failed...
fixed pattern
self address
walking ones
walking zeroes
random0
random1
random2
random3
len=
blen
write loop
rd:
n:
wr:
read loop
Full memory test from
memory bloc test from
PLL
MHz CPU
MHz sys
MHz
ERROR in DDRAM 1 (b 0 c 0)
ERROR in DDRAM 2 (b 0 c 1)
ERROR in DDRAM 3 (b 1 c 0)
ERROR in DDRAM 4 (b 1 c 1)
No DDR errors
Error aline
Bank 0 D
Bank 1 D
Bank 0 A
Bank 1 A
vmlinuz


LinBios has access to the root partition and reads /boot.cfg. It looks for these options:

append
append_prod
append_dbg
dbg_lvls
tvstd
ntsc
palm
paln
tvout
svhs
allow_serial_line
allow_interactive_bios


The last 2 options are very interesting: the bios can be interactive. I asked the guy with the ssh access to add these options to /boot.cfg, but no luck, he crashed his box with a failed upgrade :(

But I continue to believe there is another way to activate the console and the interactive mode, because /boot.cfg can be missing if an upgrade failed, for example.

The emulator can be a good way to understand LinBios and what it needs to activate the console and interactive mode.
It could also be interesting to decompile it, but I don't know if that's possible?
Title: Re: gxemul smp86xx emu
Post by: zfeet on 06. Jan 2010, 18:39
There's biosupgrade.o in /usr/lib/modules and there is a string "docbios", which might refer to Disk-On-Chip. Netgem's previous models used Disk-On-Chip.

Devices:

http://www.neufbox4.org/wiki/index.php?title=Neuftv#Devices

149 docbios