gxemul smp86xx emu

Started by Hoernchen, 05. Jul 2009, 01:51


Hoernchen

05. Jul 2009, 01:51 Last Edit: 10. Jul 2009, 23:38 by Hoernchen
One of my current projects: modifying gxemul to be able to "boot" an smp86xx bootloader (currently only zboot, the final target is the wince bootloader).

Working so far:
-remap registers
-uart0 (output only, no irq)

This is enough to successfully execute zboot stage 0; stage 1 fails due to missing pflash/xenv emulation.
Currently configured for cygwin; building under linux works, too, but you might have to fix some scripts because I modified some stuff to speed up compiling (make clean will break it!).

Usage:
Code:
./gxemul.exe -J -vvv -V -M 0 -Q -E testsmp86xx 0xb0800000:zboot.bin

This is just a highly unstable quick and dirty preliminary release.
bringer of linux, conqueror of hdmi, jack of all trades.

zfeet

I'll have to try this with the custom Netgem bootloader.

zfeet

Nice work! It's alive :)

Code:
No valid XENV block found ... system stopped.

zfeet

Some thoughts: shouldn't any smp86xx emulation have to emulate two CPUs (smp86xx and XPU) to work properly?

Hoernchen

You can't emulate the xpu because no one knows what it does; the xos and the xtasks are encrypted. The only thing you could emulate are the xrpc calls.
My goal is to get the bootloader running with as little effort as possible, so as soon as the BL needs a new feature I add it.

Due to my attempt to get my bachelor's degree before 2020 I'll have to put this on hold for the next two weeks ;)
bringer of linux, conqueror of hdmi, jack of all trades.

Hoernchen

+CPU localram
+PFLASH @ CS2 (expects a flash dump called flash.bin)
+dram0 first megabyte
+xpu xrpc emulation (only XRPC_ID_XLOAD so far)

This means zboot starts, parses the xenv, loads the yamon romfs/xrpc-xload file from the flash dump, extracts the zbf, starts yamon, and then the emulated machine crashes because yamon does some strange stuff.
bringer of linux, conqueror of hdmi, jack of all trades.
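The ROMFS lookup zboot performs in the step described above, as an added example that is not code from the thread, from gxemul or from zboot: a parser for the Linux romfs on-disk format (the genromfs layout), assumed here to be the format of the YAMON_XRPC volume zboot reports. The builder constructs a stand-in image with the '.' and '..' hard-link entries genromfs places first in the root directory; under that assumption the first real file's data begins at offset 0x90, which is where zfeet's trace later in the thread places xrpc_xload_yamon_ES4_prod.bin (0xac280090 inside a volume found at 0xac280000). Function names are the example's own.

```python
"""Parse a Linux romfs image of the kind zboot looks up in the flash dump.

Added example, not code from the thread, gxemul or zboot. It assumes the
YAMON_XRPC volume is a standard Linux romfs (the genromfs layout) whose root
directory starts with the '.' and '..' hard links genromfs emits; with those
two entries the first file's data lands at offset 0x90, matching the
"start: 0xac280090" zboot reports for a volume found at 0xac280000.
"""
import struct

ROMFS_MAGIC = b"-rom1fs-"
FILE_TYPES = {0: "hardlink", 1: "dir", 2: "file", 3: "symlink",
              4: "blockdev", 5: "chardev", 6: "socket", 7: "fifo"}


def _align16(n):
    return (n + 15) & ~15


def _cstr(buf, off):
    """NUL-terminated ASCII string starting at buf[off]."""
    return buf[off:buf.index(b"\0", off)].decode("ascii")


def romfs_checksum(img, nbytes):
    """Sum of big-endian 32-bit words over the first min(nbytes, 512) bytes.
    A valid image sums to zero: the header's checksum field is chosen so."""
    n = min(len(img), nbytes, 512) & ~3
    return sum(struct.unpack(f">{n // 4}I", img[:n])) & 0xFFFFFFFF


def parse_romfs(img):
    """Return (volume name, declared size, list of root directory entries)."""
    if img[:8] != ROMFS_MAGIC:
        raise ValueError("no -rom1fs- magic")
    full_size = struct.unpack(">I", img[8:12])[0]
    if full_size > len(img):
        raise ValueError("declared size exceeds the buffer")
    if romfs_checksum(img, full_size) != 0:
        raise ValueError("romfs header checksum mismatch")
    volname = _cstr(img, 16)
    off = _align16(16 + len(volname) + 1)        # first header of the root directory
    entries = []
    while off:
        if off + 16 > len(img):
            raise ValueError(f"file header at 0x{off:x} runs past the image")
        nxt, spec, size, _fchk = struct.unpack(">IIII", img[off:off + 16])
        name = _cstr(img, off + 16)
        data_off = _align16(off + 16 + len(name) + 1)
        if data_off + size > len(img):
            raise ValueError(f"{name}: data runs past the image")
        entries.append({"name": name, "type": FILE_TYPES[nxt & 7],
                        "exec": bool(nxt & 8), "spec": spec, "size": size,
                        "hdr_off": off, "data_off": data_off})
        nxt_off = nxt & ~0xF                    # low 4 bits carry the mode, not the offset
        if nxt_off and nxt_off <= off:           # refuse loops in a hostile image
            raise ValueError(f"{name}: next pointer 0x{nxt_off:x} does not advance")
        off = nxt_off
    return volname, full_size, entries


def find_romfs(flash):
    """Offsets inside a flash dump at which a checksum-valid romfs starts."""
    found, pos = [], flash.find(ROMFS_MAGIC)
    while pos != -1:
        try:
            parse_romfs(flash[pos:])
            found.append(pos)
        except (ValueError, struct.error):
            pass
        pos = flash.find(ROMFS_MAGIC, pos + 1)
    return found


def build_romfs(volname, files):
    """Constructed test image laid out like genromfs: header, '.' and '..'
    hard links, then regular files. Per-file checksums are left zero (the
    Linux kernel does not verify them; only the volume checksum matters)."""
    def pad16(b):
        return b + b"\0" * (_align16(len(b)) - len(b))
    out = ROMFS_MAGIC + struct.pack(">II", 0, 0) + pad16(volname.encode() + b"\0")
    root = len(out)
    entries = [(".", 0, b""), ("..", 0, b"")] + [(n, 2, d) for n, d in files]
    for i, (name, ftype, data) in enumerate(entries):
        body = pad16(name.encode() + b"\0") + pad16(data)
        end = len(out) + 16 + len(body)
        nxt = (end if i + 1 < len(entries) else 0) | ftype
        spec = root if ftype == 0 else 0         # hard links point back at the root
        out += struct.pack(">IIII", nxt, spec, len(data), 0) + body
    out = out[:8] + struct.pack(">I", len(out)) + out[12:]
    chk = (-romfs_checksum(out, len(out))) & 0xFFFFFFFF   # make the header sum to 0
    return out[:12] + struct.pack(">I", chk) + out[16:]


if __name__ == "__main__":
    # Constructed stand-in for the YAMON_XRPC volume; the real file is 0x36d74 bytes.
    img = build_romfs("YAMON_XRPC", [("xrpc_xload_yamon_ES4_prod.bin", b"\x55" * 100)])
    vol, size, ents = parse_romfs(img)
    print(f"ROMFS volume {vol}, {size} bytes, {len(ents)} root entries")
    for e in ents:
        print(f"  {e['name']:32s} {e['type']:8s} data @ 0x{e['data_off']:x} size 0x{e['size']:x}")
```

When pointing this at a real flash dump, the bounds checks on the next pointer and the data size are the part that matters: romfs carries no integrity protection beyond the header checksum, so a bootloader that walks a root directory from untrusted flash without them can be steered out of the image.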

zfeet

I can start netgem xenv to a point. Too bad I don't have a zboot.bin from Netgem.

Quote
[ CPU lram: write to 0x60000 + 0x1f28 PC 0xffffffff91160d58: 0x54 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1f30 PC 0xffffffff91160d58: 0x59 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1f38 PC 0xffffffff91160d58: 0x20 (len=4) ]
cpu0: warning: write to unimplemented coproc0 register 15 (prid), data = 0xffffffff91000000
cpu0: warning: write to READONLY coproc0 register 15 ignored
        device at 0x000006c100: smp86xxcpuuart
        device at 0x0010000000: dram0_20k
        remapregs enabled: 0x1
        r0 0x10800000
        r1 0xbaadf00d
        r2 0xbaadf00d
        r3 0xbaadf00d
        r4 0xbaadf00d
        device at 0x0000060000: CPUlram
        [ PFLASH: successfully loaded flash.bin to 0x48000000 size 0x400000 flashsize 0x1000000
        device at 0x0048000000: PFLASH
        device at 0x00000e0000: xpu
        machine: smp8634 test machine
        console slaves (xterms): no
        console handles:
            0: "MAIN"
            1: "smp86xxcpuuart" [MAIN CONSOLE]
        loading 0xb0800000:zboot.bin:
            RAW: 0xdd4c bytes @ 0xffffffffb0800000
        cpu0: starting at 0xb0800000
-------------------------------------------------------------------------------


**********************************
* SMP863x zboot start ...
* Version: 2.2.0
* Started at 0x91000000.
* Configurations (chip revision: 6):
*    Use 8KB DRAM as stack.
*    Support XLoad format.
*    Enabled BIST mode.
*    Enabled memory test mode.
*    Use internal memory for stage0/1.
**********************************
Boot from flash (0x48000000) mapped to 0xac000000.
Found XENV block at 0xac000000.
[ sysblock: unimplemented read from offset 0x3c ]
[ sysblock: unimplemented read from offset 0x34 ]
[ sysblock: unimplemented read from offset 0x10 ]
CPU clock frequency: 0.00MHz.
[ sysblock: unimplemented read from offset 0x3c ]
[ sysblock: unimplemented read from offset 0x34 ]
[ sysblock: unimplemented read from offset 0x10 ]
System clock frequency: 0.00MHz.
DRAM0 dunit_cfg/delay0_ctrl (NA/NA).
DRAM1 dunit_cfg/delay0_ctrl (NA/NA).
Using UART port 0 as console.
Board ID.: "Pirelli STB HY100"
Chip Revision: 0x8634:0x82 .. Mismatched.
Setting up H/W from XENV block at 0xac000000.
[ sysblock: unimplemented read from offset 0x34 ]
[ sysblock: unimplemented write to offset 0x34 ]
  Setting <SYSCLK premux> to 0x00000203.
[ sysblock: unimplemented read from offset 0x38 ]
[ sysblock: unimplemented write to offset 0x38 ]
  Setting <SYSCLK avclk_mux> to 0x00000000.
[ sysblock: unimplemented read from offset 0x30 ]
[ sysblock: unimplemented write to offset 0x30 ]
  Setting <SYSCLK hostclk_mux> to 0x00000100.
  Setting <IRQ rise edge trigger lo> to 0xff28ca00.
  Setting <IRQ fall edge trigger lo> to 0x0000c000.
  Setting <IRQ rise edge trigger hi> to 0x0000009f.
  Setting <IRQ fall edge trigger hi> to 0x00000000.
[ sysblock: unimplemented read from offset 0x508 ]
  Keeping <IRQ GPIO map> to 0x0d000a00.
  Setting <PB default timing> to 0x010e0008.
  Setting <PB timing0> to 0x010e0008.
  Setting <PB Use timing0> to 0x000003fc.
  Setting <PB timing1> to 0x00110101.
  Setting <PB Use timing1> to 0x000003f3.
  PB cs config: 0x000c10c0 (use 0x000c1080)
  Enabled Devices: 0x00023efe
    BM/IDE PCIHost Ethernet IR FIP I2CM I2CS USB PCIDev1 PCIDev2 PCIDev3 PCIDev4 SCARD
  MAC: 00:17:c2:f0:37:dd
[ CPU lram: write to 0x60000 + 0x1ce4 PC 0xffffffff910052c0: 0x4d0017 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1ce0 PC 0xffffffff910052c0: 0xc2f037dd (len=4) ]
[ CPU lram: write to 0x60000 + 0x1ce4 PC 0xffffffff910052c0: 0xdd4d0017 (len=4) ]
  PCI IRQ routing:
    IDSEL 1: INTA(#14) INTB(#14) INTC(#14) INTD(#14)
    IDSEL 2: INTA(#14) INTB(#14) INTC(#14) INTD(#14)
    IDSEL 3: INTA(#14) INTB(#14) INTC(#14) INTD(#14)
    IDSEL 4: INTA(#15) INTB(#15) INTC(#15) INTD(#15)
  Smartcard pin assignments:
    OFF pin = 0
    5V pin = 1
    CMD pin = 2
[ sysblock: unimplemented write to offset 0x80 ]
[ sysblock: unimplemented write to offset 0x88 ]
[ sysblock: unimplemented read from offset 0x34 ]
[ sysblock: unimplemented read from offset 0x0 ]
  Skipped setting up Clean Divider 2 to 96000000Hz.
[ sysblock: unimplemented write to offset 0x98 ]
[ sysblock: unimplemented write to offset 0x38 ]
[ sysblock: unimplemented read from offset 0x34 ]
[ sysblock: unimplemented read from offset 0x0 ]
  Skipped setting up Clean Divider 4 to 33333333Hz.
[ sysblock: unimplemented write to offset 0xa8 ]
[ sysblock: unimplemented write to offset 0xb0 ]
[ sysblock: unimplemented write to offset 0xb8 ]
[ sysblock: unimplemented write to offset 0xc0 ]
[ sysblock: unimplemented write to offset 0xc8 ]
[ sysblock: unimplemented write to offset 0xd0 ]
  GPIO dir/data = 0x00000000/0x00000000
[ irqc: WARNING! write to CPU_UART_GPIOMODE ]
  UART0 GPIO mode/dir/data = 0x6e/0x00/0x00
[ irqc: WARNING! write to CPU_UART_GPIOMODE ]
  UART1 GPIO mode/dir/data = 0x6e/0x00/0x00
XENV block processing completed.
[ dram0_20k: FM_MEMCFG read from 0xfc0, len=4 PC 0xffffffff91000424 ]
Setting up memcfg at 0xb0000fc0.
[ dram0_20k: FM_MEMCFG write to 0xfc0 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc1 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc2 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc3 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc4 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc5 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc6 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc7 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc8 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc9 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfca PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfcb PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfcc PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfcd PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfce PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfcf PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd0 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd1 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd2 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd3 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd4 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd5 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd6 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd7 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd8 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfd9 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfda PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfdb PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfdc PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfdd PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfde PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfdf PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe0 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe1 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe2 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe3 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe4 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe5 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe6 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe7 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe8 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfe9 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfea PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfeb PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfec PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfed PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfee PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfef PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff0 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff1 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff2 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff3 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff4 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff5 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff6 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff7 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff8 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xff9 PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xffa PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xffb PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xffc PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xffd PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xffe PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfff PC 0xffffffff91004f84: 00 (len=1) ]
[ dram0_20k: FM_MEMCFG write to 0xfc0 PC 0xffffffff91000464: 0x6766636d (len=4) ]
[ dram0_20k: FM_MEMCFG write to 0xfe8 PC 0xffffffff91000470: 0x20000 (len=4) ]
[ dram0_20k: FM_MEMCFG write to 0xfc4 PC 0xffffffff91000474: 0x4000000 (len=4) ]
[ dram0_20k: FM_MEMCFG write to 0xfc8 PC 0xffffffff91000478: 0x0 (len=4) ]
[ dram0_20k: FM_MEMCFG write to 0xfec PC 0xffffffff9100047c: 0x0 (len=4) ]
[ dram0_20k: FM_MEMCFG read from 0xfc0, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfc4, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfc8, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfcc, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfd0, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfd4, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfd8, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfdc, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfe0, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfe4, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfe8, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xfec, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xff0, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xff4, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xff8, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG read from 0xffc, len=4 PC 0xffffffff91000488 ]
[ dram0_20k: FM_MEMCFG write to 0xfec PC 0xffffffff910004a0: 0x94979c93 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1c8c PC 0xffffffff910052c0: 0x0 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1c90 PC 0xffffffff910052c0: 0x0 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1c94 PC 0xffffffff910052c0: 0x0 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1c98 PC 0xffffffff910052c0: 0x0 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1c9c PC 0xffffffff910052c0: 0x0 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1ca0 PC 0xffffffff910052c0: 0x0 (len=4) ]
[ CPU lram: write to 0x60000 + 0x1ca4 PC 0xffffffff910052c0: 0x0 (len=4) ]
Default boot index: 0
[ CPU lram: read from 0x60000 + 0x1ff0, len=4 PC 0xffffffff910050f0 ]
Scanning ROMFS image at 0xac280000 (0x00280000) .. Found.
ROMFS found at 0xac280000, Volume name = YAMON_XRPC
Found 1 file(s) to be processed in ROMFS.
Processing xrpc_xload_yamon_ES4_prod.bin (start: 0xac280090, size: 0x00036d74)
  Checking zboot file signature .. Not found.
  Trying xrpc_xload format .. [ CPU lram: write to 0x60000 + 0x1ffc PC 0xffffffff910052c0: 0x11800000 (len=4) ]
[ xpu: CPU_irq_softset 0x10
[ CPU lram: read from 0x60000 + 0x1ffc, len=4 PC 0xffffffff910052c0 ]
[ xpu: xrpc addr 0x11800000
[ xpu: xrpc id 0x5 decsize 0x36a50 loadto 0x13000000 secid 0x1
[ CPU lram: write to 0x60000 + 0x1ffc PC 0xffffffff910052c0: 0x6 (len=4) ]
[ CPU lram: read from 0x60000 + 0x1ffc, len=4 PC 0xffffffff910050f0 ]
OK
  Checking zboot file signature at 0x13000000 .. OK
  Warning: header version mismatched.
  Decompressing to 0x91160000 .. OK (752304/0xb7ab0).
  Load time total 0/0 msec.
  Execute at 0x91160000 ..
[ CPU lram: write to 0x60000 + 0x1f00 PC 0xffffffff91160d58: 0x43 (len=4) ]
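A triage script for traces like the one above, as an added example rather than anything from the thread or from gxemul: it parses the `[ device: unimplemented ... ]` and `[ device: ... PC ... ]` lines gxemul emits, tallies the register offsets each not-yet-modelled device was asked for, and maps the guest PCs (printed as 64-bit sign-extended kseg0/kseg1 addresses) back to physical addresses so the code can be located in the firmware dump. The embedded sample is excerpted from the trace above with the long FM_MEMCFG run cut short; the line formats are taken from that trace, so the regular expressions are assumptions about gxemul's output rather than a documented interface, and the function names are the example's own.

```python
"""Turn a gxemul device trace into a to-do list for an unfinished machine model.

Added example, not code from the thread or from gxemul. It reads the
'[ device: unimplemented read from offset ... ]' and
'[ device: ... read/write ... PC ... ]' lines gxemul prints and reports, per
device, which register offsets the bootloader touched before the model
implements them, plus the physical address of the guest code doing the
touching. The PCs in the trace are 64-bit sign-extended MIPS kseg0/kseg1
addresses: 0xffffffff91004f84 is the cached window onto physical 0x11004f84.
"""
import re
from collections import defaultdict

# Excerpted from the trace posted in the thread (the FM_MEMCFG run shortened).
SAMPLE_TRACE = """\
[ sysblock: unimplemented read from offset 0x3c ]
[ sysblock: unimplemented read from offset 0x34 ]
[ sysblock: unimplemented read from offset 0x10 ]
CPU clock frequency: 0.00MHz.
[ sysblock: unimplemented read from offset 0x34 ]
[ sysblock: unimplemented write to offset 0x34 ]
  Setting <SYSCLK premux> to 0x00000203.
[ dram0_20k: FM_MEMCFG read from 0xfc0, len=4 PC 0xffffffff91000424 ]
[ dram0_20k: FM_MEMCFG write to 0xfc0 PC 0xffffffff91000464: 0x6766636d (len=4) ]
[ CPU lram: write to 0x60000 + 0x1ffc PC 0xffffffff910052c0: 0x11800000 (len=4) ]
[ xpu: xrpc id 0x5 decsize 0x36a50 loadto 0x13000000 secid 0x1
"""

# Line shapes assumed from the trace above, not a documented gxemul interface.
UNIMPL_RE = re.compile(
    r"^\[ (?P<dev>[^:]+): unimplemented (?P<kind>read|write) (?:from|to) "
    r"offset (?P<off>0x[0-9a-fA-F]+) \]")
ACCESS_RE = re.compile(
    r"^\[ (?P<dev>[^:]+): (?:\w+ )?(?P<kind>read|write) (?:from|to) "
    r"(?P<base>0x[0-9a-fA-F]+)(?: \+ (?P<off>0x[0-9a-fA-F]+))?.*?PC (?P<pc>0x[0-9a-fA-F]+)")


def mips_phys(vaddr):
    """Physical address behind a kseg0/kseg1 virtual address (32-bit or its
    64-bit sign-extended form); None for mapped (kuseg/kseg2) addresses."""
    if (vaddr >> 32) not in (0, 0xFFFFFFFF):
        return None
    a = vaddr & 0xFFFFFFFF
    if 0x80000000 <= a < 0xC0000000:    # kseg0 cached, kseg1 uncached: both unmapped
        return a & 0x1FFFFFFF
    return None


def parse_trace(text):
    unimpl = defaultdict(lambda: defaultdict(lambda: {"read": 0, "write": 0}))
    accesses = []   # (device, kind, address as the device model prints it, physical PC)
    for line in text.splitlines():
        m = UNIMPL_RE.match(line)
        if m:
            unimpl[m["dev"]][int(m["off"], 16)][m["kind"]] += 1
            continue
        m = ACCESS_RE.match(line)
        if m:
            addr = int(m["base"], 16) + (int(m["off"], 16) if m["off"] else 0)
            accesses.append((m["dev"], m["kind"], addr, mips_phys(int(m["pc"], 16))))
    return {"unimplemented": {d: dict(o) for d, o in unimpl.items()},
            "accesses": accesses}


def report(parsed):
    lines = []
    for dev, offs in sorted(parsed["unimplemented"].items()):
        lines.append(f"{dev}: {len(offs)} register offset(s) still unimplemented")
        for off, n in sorted(offs.items()):
            lines.append(f"  +0x{off:03x}  reads={n['read']} writes={n['write']}")
    pcs = sorted({pc for _, _, _, pc in parsed["accesses"] if pc is not None})
    lines.append("guest code touching modelled devices, physical PC: "
                 + ", ".join(f"0x{p:08x}" for p in pcs))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_trace(SAMPLE_TRACE)))
```

Run against the full trace, the per-device offset table is the list of registers to model next (sysblock offsets 0x0, 0x10, 0x30 to 0x3c and the clean-divider block at 0x80 and up, in the trace above), and the physical PCs give the places to disassemble in the zboot image to see what value each read is expected to return.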

zfeet

Here's the xenv I am trying to boot. The interesting part starts at 0x20000, which looks like a BIOS of some sort; it even has the string "linbios". It is responsible for starting the Netgem vmlinuz.


Hoernchen

11. Jul 2009, 13:04 Last Edit: 11. Jul 2009, 15:13 by Hoernchen
I have absolutely no idea how the netgem bootloader works, but it's valid mips code at 0x20000 which sets some gpios to 0, enables all IRQs, sets up the stack pointer, zeros some memory, sets KSEG0 to uncached and then jumps to 0x900A71FC, so a dump of 0x900A71FC, 0x1fc00000 and of the remap registers at 0x6f000, 0x6f004, 0x6f008, 0x6f00c, 0x6f010 would help. Is anyone else working on the netgem box?
bringer of linux, conqueror of hdmi, jack of all trades.

zfeet

Quote from: Hoernchen
I have absolutely no idea how the netgem bootloader works, but it's valid mips code at 0x20000 which sets some gpios to 0, enables all IRQs, sets up the stack pointer, zeros some memory, sets KSEG0 to uncached and then jumps to 0x900A71FC, so a dump of 0x900A71FC, 0x1fc00000 and of the remap registers at 0x6f000, 0x6f004, 0x6f008, 0x6f00c, 0x6f010 would help. Is anyone else working on the netgem box?

A guy called nlc used to work with Netgem boxes but I think he has given up. The problem is that no JTAG is possible and the UART gives only the following output, so the only option to get to the files has been decrypting the Netgem firmware upgrades and trying to find some way in. Which is why I have been investigating whether it would be possible to run an emulated Netgem device.

Code:
xosPe0 serial#0d5d855bf2d98c2dadb72cd65d569e5f subid 0x5f
xenv cs2 ok
power supply: ok
dram0 ok (a)
dram1 ok (a)
zboot (0) ok

Hoernchen

Quote from: zfeet
A guy called nlc used to work with Netgem boxes but I think he has given up.

:( Too bad.
bringer of linux, conqueror of hdmi, jack of all trades.

zfeet


Quote from: Hoernchen
Quote from: zfeet
A guy called nlc used to work with Netgem boxes but I think he has given up.

:( Too bad.


Yes, it is. Anyway, could you identify something from the attached file? I am not sure if it is encrypted and/or compressed, but this is basically the only thing from the upgrade that I haven't been able to decompress/decrypt. The attachment has two files from two different upgrades. It does look like encryption; for example, in the file part_firm.img some sort of padding starts at offset 0x312, which might be just zeroes or might be something else.

Hoernchen

No idea; both files look like some sort of file system, but the whole netgem firmware is a mess. There is an encrypted xrpc-xload binary at offset 0x200 in your xenv/linbios dump, but to dump the decrypted data you would need an smp86xx based box without any cert bindings and jtag access, which is something I don't have.
bringer of linux, conqueror of hdmi, jack of all trades.

zfeet

I guess I am fighting a lost cause. The only chance to get a root access would be to exploit a buffer overflow on the Netgem browser which is basically a normal net browser.

zfeet

OK, now we have a method to gain shell access to Netgem boxes. Is it possible somehow to dump the xenv from a running SMP8634 box?

Any progress on the emulator?
