Let's get in touch with the hardware stuff
FMAP
Hands-on: Dumping the vendor firmware
Hands-on: Flashing the BIOS region
Build coreboot for fsp_broadwell_de
Hands-on: Build coreboot for wedge100s
Hands-on: Run coreboot on wedge100s
Debugging techniques on Wedge100s
CC-by-SA Raimond Spekking
CC-by-SA Tobias ToMar Maier
CC-by-SA MOS6502
1980
Today
64KB
512KB
4MB
16MB
512MB
hardware based
software based
SPI controller
SPI flash
SMM
hardware write protection on Chromebooks
WP-Screw
internal
external
internal
external
Baseboard Management Controller
SF100
CC-By-SA Patrick Rudolph
for developers: EM100Pro
CC-By-SA Patrick Rudolph
CC-By-SA Patrick Rudolph
for hackers: Raspberry PI
CC-By-SA Patrick Rudolph
buspirate and SPI compatible
wiring
rules for wiring
general
advice reading firmware
Task:
What you need:
20min
Preparations for flashing:
$ source /usr/local/bin/openbmc-utils.sh
$ devmem_set_bit $(scu_addr 70) 12
$ gpio_set COM6_BUF_EN 0
$ gpio_set COM_SPI_SEL 1
$ [ -c /dev/spidev5.0 ] || mknod /dev/spidev5.0 c 153 0
$ modprobe spidev
Using flashrom:
$ flashrom -V -p linux_spi:dev=/dev/spidev5.0 ...
$ ... -r firmware.bin
$ ... -w firmware.bin
Clean up after flashing:
$ source /usr/local/bin/openbmc-utils.sh
$ devmem_set_bit $(scu_addr 70) 12
$ gpio_set COM6_BUF_EN 1
$ gpio_set COM_SPI_SEL 0
Boot from ext flash:
$ source /usr/local/bin/openbmc-utils.sh
$ gpio_set BRG_COM_BIOS_DIS0_N 1
$ gpio_set BRG_COM_BIOS_DIS1_N 0
$ gpio_set COM_SPI_SEL 0
$ wedge_power.sh reset
Just copy the scripts:
$ git clone git@github.com:zaolin/FB-Workshop-Samples.git
$ cd FB-Workshop-Samples/wedge100s/scripts/
Run doit.sh:
$ ./doit.sh -r firmwaredump.rom
Verify what you got:
$ cd coreboot/util/ifdtool
$ make
$ ./ifdtool -d firmwaredump.rom
...
Found Region Section
FLREG0: 0x00000000
Flash Region 0 (Flash Descriptor): 00000000 - 00000fff
FLREG1: 0x0bff0500
Flash Region 1 (BIOS): 00500000 - 00bfffff
FLREG2: 0x04ff0003
Flash Region 2 (Intel ME): 00003000 - 004fffff
FLREG3: 0x00020001
Flash Region 3 (GbE): 00001000 - 00002fff
FLREG4: 0x00001fff
Flash Region 4 (Platform Data): 00fff000 - 00000fff (unused)
...
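Each FLREG value in the ifdtool output above packs a region's base and limit in 4 KiB units. The following C program is an added example, not part of the original slides and not ifdtool's own code: it decodes those values, checks that no two regions overlap, and checks that a write range stays inside the BIOS region before flashing with `-i bios`. The 12-bit field masks are an assumption chosen because they reproduce the addresses printed above, and all helper names are hypothetical.

```c
/* Added example (not ifdtool source): decode FLREG values, check a write range. */
#include <stdint.h>
#include <stdio.h>

struct region { const char *name; uint32_t flreg; };

/* FLREG0..FLREG4 copied from the ifdtool -d output above. */
static const struct region regions[] = {
    { "Flash Descriptor", 0x00000000 },
    { "BIOS",             0x0bff0500 },
    { "Intel ME",         0x04ff0003 },
    { "GbE",              0x00020001 },
    { "Platform Data",    0x00001fff },
};
#define NREGIONS (sizeof(regions) / sizeof(regions[0]))

/* Assumption: 12-bit base (bits 11:0) and limit (bits 27:16), in 4 KiB blocks. */
static uint32_t flreg_base(uint32_t f)  { return (f & 0x00000fffu) << 12; }
static uint32_t flreg_limit(uint32_t f) { return ((f & 0x0fff0000u) >> 4) | 0xfffu; }
/* A region whose base lies above its limit is unused. */
static int flreg_used(uint32_t f) { return flreg_base(f) <= flreg_limit(f); }

/* 1 only if [start, end] lies entirely inside the used region at index idx. */
static int write_stays_in_region(size_t idx, uint32_t start, uint32_t end)
{
    if (idx >= NREGIONS || start > end || !flreg_used(regions[idx].flreg))
        return 0;
    return start >= flreg_base(regions[idx].flreg) &&
           end <= flreg_limit(regions[idx].flreg);
}

/* 1 if any two used regions overlap, which indicates a malformed descriptor. */
static int regions_overlap(void)
{
    for (size_t i = 0; i < NREGIONS; i++)
        for (size_t j = i + 1; j < NREGIONS; j++) {
            uint32_t a = regions[i].flreg, b = regions[j].flreg;
            if (flreg_used(a) && flreg_used(b) &&
                flreg_base(a) <= flreg_limit(b) && flreg_base(b) <= flreg_limit(a))
                return 1;
        }
    return 0;
}

int main(void)
{
    for (size_t i = 0; i < NREGIONS; i++)
        printf("%-16s %08x - %08x%s\n", regions[i].name,
               (unsigned)flreg_base(regions[i].flreg), (unsigned)flreg_limit(regions[i].flreg),
               flreg_used(regions[i].flreg) ? "" : " (unused)");
    return regions_overlap();
}
```

A write range that reaches below 0x00500000 would touch the Intel ME region, so `write_stays_in_region` rejects it.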
but ...
Task:
What you need:
5min
Extract the layout from IFD:
$ util/ifdtool/ifdtool -f layout dumpedfirmware.rom
Use the layout in flashrom:
$ ./doit.sh -w dumpedfirmware.rom -l layout -i bios
Starting with flashrom 1.0:
$ ./doit.sh -w dumpedfirmware.rom --ifd -i bios
HOST_FIRMWARE@0xff800000 8M {
    SI_ALL@0 2M {
        # Firmware Descriptor section of the Intel
        # Firmware Descriptor image.
        SI_DESC 4K
        # Intel Management Engine section of the Intel Firmware
        # Descriptor image.
        SI_ME 1,9M
    }
    SI_BIOS@2M 6M {
        RW_SECTION_A@0 0xf0000 {
            # Alignment: 4K (for updating) and must be in
            # start of each RW_SECTION.
            VBLOCK_A 64K
            FW_MAIN_A
            RW_FWID_A 64
        }
        RW_SECTION_B@0xf0000 0xf0000 {
            ...
        }
$ flashrom --fmap -i RW_SECTION_B -w coreboot.rom
Use flashrom -r backup.rom to read the full image
Use ifdtool -x backup.rom to extract Intel IFD and Intel ME
Copy BLOBs to 3rdparty
Integrate them into the build
Task:
What you need:
45min
Get the blobs:
Set the following path in menuconfig:
git clone git@github.com:zaolin/FB-Workshop-Samples.git
Or extract them from the existing blobs
and go the hard way ;)
$ git clone git@github.com:zaolin/FB-Workshop-Samples.git
Get the microcode headers:
Build the coreboot.rom:
Task:
What you need:
10min
Flashing coreboot on wedge100s:
$ ./doit.sh -l layout -i bios -w /tmp/coreboot.rom
Reset main CPU:
$ /usr/local/bin/wedge_power.sh reset
Start serial terminal to verify that it worked:
$ sol.sh
CC by SA 3.0 AFrank99
not sold any more
FT2232H + FT2232H + lunch box + tape = 30 €
Add CONSOLE to your RW FMAP:
HOST_FIRMWARE@0xff800000 8M {
    SI_ALL@0 2M {
        # Firmware Descriptor section of the Intel
        # Firmware Descriptor image.
        SI_DESC 4K
        # Intel Management Engine section of the Intel Firmware
        # Descriptor image.
        SI_ME 1,9M
    }
    SI_BIOS@2M 6M {
        RW_SECTION_A@0 0xf0000 {
            # Alignment: 4K (for updating) and must be in
            # start of each RW_SECTION.
            VBLOCK_A 64K
            FW_MAIN_A
            RW_FWID_A 64
        }
        CONSOLE@0xf0000 0x10000
        ...
    }
Read complete firmware image using flashrom:
$ flashrom -V -p linux_spi:dev=/dev/spidev5.0 -r dump.rom
Extract console from dump:
$ ./util/cbfstool/cbfstool dump.rom read -r CONSOLE -f spiconsole.log
Boot SPI console enabled device
Shut it down
Stages can be relocatable
If stage is relocatable:
stage is placed in CBMEM
S3 resume will load ramstage from CBMEM
add an offset to symbol file when starting gdb
coreboot log:
Wrote coreboot table at: 00000500, 0x10 bytes, checksum efe3
Writing coreboot table at 0x7ffa9000
 0. 0000000000000000-0000000000000fff: CONFIGURATION TABLES
 1. 0000000000001000-000000000009ffff: RAM
 2. 00000000000c0000-000000007ff83fff: RAM
 3. 000000007ff84000-000000007ffb1fff: CONFIGURATION TABLES
 4. 000000007ffb2000-000000007ffddfff: RAMSTAGE
 5. 000000007ffde000-000000007fffffff: CONFIGURATION TABLES
 6. 00000000b0000000-00000000bfffffff: RESERVED
Start qemu and wait for gdb connection:
$ qemu-system-i386 -m 1024 -S -s -bios build/coreboot.rom -M q35
Start gdb and connect to qemu:
$ gdb
(gdb) add-symbol-file build/cbfs/fallback/ramstage.debug 0x7ffb2000
add symbol table from file "build/cbfs/fallback/ramstage.debug" at
.text_addr = 0x7ffb2000
(y or n) y
(gdb) b main
Breakpoint 1 at 0x60030f80: file src/lib/hardwaremain.c, line 438.
(gdb) target remote localhost:1234
Example with non relocatable ramstage on ARM vexpress-a9:
$ qemu-system-arm -m 1024 -S -s -bios build/coreboot.rom -M vexpress-a9 -nographic
$ gdb build/cbfs/fallback/ramstage.debug
(gdb) b main
Breakpoint 1 at 0x60030f80: file src/lib/hardwaremain.c, line 438.
(gdb) target remote localhost:1234
but ...
but ...
Payloads that use libpayload
Situation in commercial BIOS:
Situation in commercial EFI:
Community efforts in coreboot:
Replaced by libgfxinit on x86:
In general:
#include <stdint.h>

#define LB_TAG_FRAMEBUFFER 0x0012
struct lb_framebuffer {
    uint32_t tag;               /* LB_TAG_FRAMEBUFFER */
    uint32_t size;              /* size of this table entry in bytes */
    uint64_t physical_address;  /* physical base address of the framebuffer */
    uint32_t x_resolution;
    uint32_t y_resolution;
    uint32_t bytes_per_line;
    uint8_t bits_per_pixel;
    /* bit position and width of each colour channel within a pixel */
    uint8_t red_mask_pos;
    uint8_t red_mask_size;
    uint8_t green_mask_pos;
    uint8_t green_mask_size;
    uint8_t blue_mask_pos;
    uint8_t blue_mask_size;
    uint8_t reserved_mask_pos;
    uint8_t reserved_mask_size;
};
secondary payloads:
facts
facts
Task:
What you need:
Enable secondary payloads
15min
Note: memtest86 is VGA text mode only
Note: CMOS support is needed by sub-payloads
Task:
What you need:
(No Blobs)
15min
Select Tianocore as payload and select "debug build":
Select "high-resolution" framebuffer in Devices > Display :
Remove the file:
$ rm payloads/external/tianocore/patches/05_CorebootPayloadPkg_noserial.patch
Build coreboot.rom:
$ make
Run it in qemu:
$ qemu-system-x86_64 -m 2048 -M q35 -bios build/coreboot.rom
linuxboot.org
u-root.tk
systemboot.org
Task:
What you need:
45min
Build u-root
Build systemboot
Configure the kernel
Modify LinuxBoot parameters and build the coreboot image
10min