FM10K/Documentation
FM10K/Documentation
2
0
Fork 0
Code Issues 2 Pull requests 1 Projects Releases Activity

Write ROM Boot State Machine Image Format Decoder / Encoder #13

New issue
Closed
opened 2020-12-14 22:04:06 +00:00 by DataHoarder · 11 comments
DataHoarder commented 2020-12-14 22:04:06 +00:00
Owner
Copy link

According to FM1000 Datasheet, section 9.7.5 (specifically 9.7.5.1 Image Format, and 9.7.5.3 Instruction Table) the boot image format is documented and has a defined instruction set.

A simple decoder / encoder can be written according to specifications for ease of read of any future image dumps.

According to FM1000 Datasheet, section 9.7.5 (specifically 9.7.5.1 Image Format, and 9.7.5.3 Instruction Table) the boot image format is documented and has a defined instruction set. A simple decoder / encoder can be written according to specifications for ease of read of any future image dumps.
DataHoarder added the
enhancement
 label 2020-12-14 22:04:06 +00:00
DataHoarder self-assigned this 2020-12-14 22:04:06 +00:00
DataHoarder commented 2020-12-15 23:41:13 +00:00
Author
Owner
Copy link

1MB image was dumped using direct SPI interface when running the card, through PCIe.

Some info from the header

Image Generated with rrcBig_02.22. EEPROM Image Version: 0x0222 PCIe Master SPICO FW Version: 0x10130001 PCIe SerDes SPICO FW Version: 0x30550043

Seems like it also contains plaintext settings! Maybe this can be used to change boot modes like mgmtPep

api.platform.config.switch.0.bootCfg.spiTransferMode int 0
api.platform.config.switch.0.bootCfg.spiTransferSpeed int 7
api.platform.config.switch.0.bootCfg.mgmtPep int 6
api.platform.config.switch.0.bootCfg.pep.0.mode bool 0
api.platform.config.switch.0.bootCfg.pep.2.mode bool 0
api.platform.config.switch.0.bootCfg.pep.4.mode bool 0
api.platform.config.switch.0.bootCfg.pep.6.mode bool 0
api.platform.config.switch.0.bootCfg.pep.0.xclkMode int 2
api.platform.config.switch.0.bootCfg.pep.2.xclkMode int 2
api.platform.config.switch.0.bootCfg.pep.4.xclkMode int 2
api.platform.config.switch.0.bootCfg.pep.6.xclkMode int 2
api.platform.config.switch.0.bootCfg.pep.0.xclkTerm bool 1
api.platform.config.switch.0.bootCfg.pep.2.xclkTerm bool 1
api.platform.config.switch.0.bootCfg.pep.4.xclkTerm bool 1
api.platform.config.switch.0.bootCfg.pep.6.xclkTerm bool 1
api.platform.config.switch.0.bootCfg.pep.0.enable bool 1
api.platform.config.switch.0.bootCfg.pep.1.enable bool 0
api.platform.config.switch.0.bootCfg.pep.2.enable bool 1
api.platform.config.switch.0.bootCfg.pep.3.enable bool 0
api.platform.config.switch.0.bootCfg.pep.4.enable bool 1
api.platform.config.switch.0.bootCfg.pep.5.enable bool 0
api.platform.config.switch.0.bootCfg.pep.6.enable bool 1
api.platform.config.switch.0.bootCfg.pep.7.enable bool 0
api.platform.config.switch.0.bootCfg.pep.8.enable bool 0
api.platform.config.switch.0.bootCfg.pep.0.numberOfLanes int 8
api.platform.config.switch.0.bootCfg.pep.1.numberOfLanes int 0
api.platform.config.switch.0.bootCfg.pep.2.numberOfLanes int 8
api.platform.config.switch.0.bootCfg.pep.3.numberOfLanes int 0
api.platform.config.switch.0.bootCfg.pep.4.numberOfLanes int 8
api.platform.config.switch.0.bootCfg.pep.5.numberOfLanes int 0
api.platform.config.switch.0.bootCfg.pep.6.numberOfLanes int 8
api.platform.config.switch.0.bootCfg.pep.7.numberOfLanes int 0
api.platform.config.switch.0.bootCfg.pep.8.numberOfLanes int 0
api.platform.config.switch.0.bootCfg.pep.0.gen int 3
api.platform.config.switch.0.bootCfg.pep.1.gen int 3
api.platform.config.switch.0.bootCfg.pep.2.gen int 3
api.platform.config.switch.0.bootCfg.pep.3.gen int 3
api.platform.config.switch.0.bootCfg.pep.4.gen int 3
api.platform.config.switch.0.bootCfg.pep.5.gen int 3
api.platform.config.switch.0.bootCfg.pep.6.gen int 3
api.platform.config.switch.0.bootCfg.pep.7.gen int 3
api.platform.config.switch.0.bootCfg.pep.8.gen int 3
api.platform.config.switch.0.bootCfg.pep.0.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF
api.platform.config.switch.0.bootCfg.pep.1.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF
api.platform.config.switch.0.bootCfg.pep.2.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF
api.platform.config.switch.0.bootCfg.pep.3.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF
api.platform.config.switch.0.bootCfg.pep.4.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF
api.platform.config.switch.0.bootCfg.pep.5.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF
api.platform.config.switch.0.bootCfg.pep.6.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF
api.platform.config.switch.0.bootCfg.pep.7.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF
api.platform.config.switch.0.bootCfg.pep.8.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF
api.platform.config.switch.0.bootCfg.customMac.0 text 00:00:00:FF:FF:00:00:00
api.platform.config.switch.0.bootCfg.customMac.1 text 00:00:00:FF:FF:00:00:00
api.platform.config.switch.0.bootCfg.customMac.2 text 00:00:00:FF:FF:00:00:00
api.platform.config.switch.0.bootCfg.customMac.3 text 00:00:00:FF:FF:00:00:00
api.platform.config.switch.0.bootCfg.pep.0.vendorId int 0x8086
api.platform.config.switch.0.bootCfg.pep.1.vendorId int 0x8086
api.platform.config.switch.0.bootCfg.pep.2.vendorId int 0x8086
api.platform.config.switch.0.bootCfg.pep.3.vendorId int 0x8086
api.platform.config.switch.0.bootCfg.pep.4.vendorId int 0x8086
api.platform.config.switch.0.bootCfg.pep.5.vendorId int 0x8086
api.platform.config.switch.0.bootCfg.pep.6.vendorId int 0x8086
api.platform.config.switch.0.bootCfg.pep.7.vendorId int 0x8086
api.platform.config.switch.0.bootCfg.pep.8.vendorId int 0x8086
api.platform.config.switch.0.bootCfg.pep.0.deviceId int 0x15A4
api.platform.config.switch.0.bootCfg.pep.1.deviceId int 0x15A4
api.platform.config.switch.0.bootCfg.pep.2.deviceId int 0x15A4
api.platform.config.switch.0.bootCfg.pep.3.deviceId int 0x15A4
api.platform.config.switch.0.bootCfg.pep.4.deviceId int 0x15A4
api.platform.config.switch.0.bootCfg.pep.5.deviceId int 0x15A4
api.platform.config.switch.0.bootCfg.pep.6.deviceId int 0x15A4
api.platform.config.switch.0.bootCfg.pep.7.deviceId int 0x15A4
api.platform.config.switch.0.bootCfg.pep.8.deviceId int 0x15A4
api.platform.config.switch.0.bootCfg.pep.0.subVendorId int 0x1374
api.platform.config.switch.0.bootCfg.pep.1.subVendorId int 0x1374
api.platform.config.switch.0.bootCfg.pep.2.subVendorId int 0x1374
api.platform.config.switch.0.bootCfg.pep.3.subVendorId int 0x1374
api.platform.config.switch.0.bootCfg.pep.4.subVendorId int 0x1374
api.platform.config.switch.0.bootCfg.pep.5.subVendorId int 0x1374
api.platform.config.switch.0.bootCfg.pep.6.subVendorId int 0x1374
api.platform.config.switch.0.bootCfg.pep.7.subVendorId int 0x1374
api.platform.config.switch.0.bootCfg.pep.8.subVendorId int 0x1374
api.platform.config.switch.0.bootCfg.pep.0.subDeviceId int 0x01C2
api.platform.config.switch.0.bootCfg.pep.1.subDeviceId int 0
api.platform.config.switch.0.bootCfg.pep.2.subDeviceId int 0x01C2
api.platform.config.switch.0.bootCfg.pep.3.subDeviceId int 0
api.platform.config.switch.0.bootCfg.pep.4.subDeviceId int 0x01C2
api.platform.config.switch.0.bootCfg.pep.5.subDeviceId int 0
api.platform.config.switch.0.bootCfg.pep.6.subDeviceId int 0x01C2
api.platform.config.switch.0.bootCfg.pep.7.subDeviceId int 0
api.platform.config.switch.0.bootCfg.pep.8.subDeviceId int 0
api.platform.config.switch.0.bootCfg.systimeClockSource bool 0
api.platform.config.switch.0.bootCfg.enableSwitchRdySignal bool 0
api.platform.config.switch.0.bootCfg.pep.0.bar4Allowed bool 1
api.platform.config.switch.0.bootCfg.pep.1.bar4Allowed bool 0
api.platform.config.switch.0.bootCfg.pep.2.bar4Allowed bool 1
api.platform.config.switch.0.bootCfg.pep.3.bar4Allowed bool 0
api.platform.config.switch.0.bootCfg.pep.4.bar4Allowed bool 1
api.platform.config.switch.0.bootCfg.pep.5.bar4Allowed bool 0
api.platform.config.switch.0.bootCfg.pep.6.bar4Allowed bool 1
api.platform.config.switch.0.bootCfg.pep.7.bar4Allowed bool 0
api.platform.config.switch.0.bootCfg.pep.8.bar4Allowed bool 0
api.platform.config.switch.0.bootCfg.pep.0.ASPMEnable bool 0
api.platform.config.switch.0.bootCfg.pep.1.ASPMEnable bool 0
api.platform.config.switch.0.bootCfg.pep.2.ASPMEnable bool 0
api.platform.config.switch.0.bootCfg.pep.3.ASPMEnable bool 0
api.platform.config.switch.0.bootCfg.pep.4.ASPMEnable bool 0
api.platform.config.switch.0.bootCfg.pep.5.ASPMEnable bool 0
api.platform.config.switch.0.bootCfg.pep.6.ASPMEnable bool 0
api.platform.config.switch.0.bootCfg.pep.7.ASPMEnable bool 0
api.platform.config.switch.0.bootCfg.pep.8.ASPMEnable bool 0
api.platform.config.switch.0.bootCfg.pep.0.serialNumber text 00:E0:ED:FF:FF:9A:10:36
api.platform.config.switch.0.bootCfg.pep.1.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF
api.platform.config.switch.0.bootCfg.pep.2.serialNumber text 00:E0:ED:FF:FF:9A:10:37
api.platform.config.switch.0.bootCfg.pep.3.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF
api.platform.config.switch.0.bootCfg.pep.4.serialNumber text 00:E0:ED:FF:FF:9A:10:38
api.platform.config.switch.0.bootCfg.pep.5.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF
api.platform.config.switch.0.bootCfg.pep.6.serialNumber text 00:E0:ED:FF:FF:9A:10:39
api.platform.config.switch.0.bootCfg.pep.7.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF
api.platform.config.switch.0.bootCfg.pep.8.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF
1MB image was dumped using direct SPI interface when running the card, through PCIe. Some info from the header > Image Generated with rrcBig_02.22. EEPROM Image Version: 0x0222 PCIe Master SPICO FW Version: 0x10130001 PCIe SerDes SPICO FW Version: 0x30550043 Seems like it also contains plaintext settings! Maybe this can be used to change boot modes like mgmtPep ``` api.platform.config.switch.0.bootCfg.spiTransferMode int 0 api.platform.config.switch.0.bootCfg.spiTransferSpeed int 7 api.platform.config.switch.0.bootCfg.mgmtPep int 6 api.platform.config.switch.0.bootCfg.pep.0.mode bool 0 api.platform.config.switch.0.bootCfg.pep.2.mode bool 0 api.platform.config.switch.0.bootCfg.pep.4.mode bool 0 api.platform.config.switch.0.bootCfg.pep.6.mode bool 0 api.platform.config.switch.0.bootCfg.pep.0.xclkMode int 2 api.platform.config.switch.0.bootCfg.pep.2.xclkMode int 2 api.platform.config.switch.0.bootCfg.pep.4.xclkMode int 2 api.platform.config.switch.0.bootCfg.pep.6.xclkMode int 2 api.platform.config.switch.0.bootCfg.pep.0.xclkTerm bool 1 api.platform.config.switch.0.bootCfg.pep.2.xclkTerm bool 1 api.platform.config.switch.0.bootCfg.pep.4.xclkTerm bool 1 api.platform.config.switch.0.bootCfg.pep.6.xclkTerm bool 1 api.platform.config.switch.0.bootCfg.pep.0.enable bool 1 api.platform.config.switch.0.bootCfg.pep.1.enable bool 0 api.platform.config.switch.0.bootCfg.pep.2.enable bool 1 api.platform.config.switch.0.bootCfg.pep.3.enable bool 0 api.platform.config.switch.0.bootCfg.pep.4.enable bool 1 api.platform.config.switch.0.bootCfg.pep.5.enable bool 0 api.platform.config.switch.0.bootCfg.pep.6.enable bool 1 api.platform.config.switch.0.bootCfg.pep.7.enable bool 0 api.platform.config.switch.0.bootCfg.pep.8.enable bool 0 api.platform.config.switch.0.bootCfg.pep.0.numberOfLanes int 8 api.platform.config.switch.0.bootCfg.pep.1.numberOfLanes int 0 api.platform.config.switch.0.bootCfg.pep.2.numberOfLanes int 8 api.platform.config.switch.0.bootCfg.pep.3.numberOfLanes int 0 api.platform.config.switch.0.bootCfg.pep.4.numberOfLanes int 8 api.platform.config.switch.0.bootCfg.pep.5.numberOfLanes int 0 api.platform.config.switch.0.bootCfg.pep.6.numberOfLanes int 8 api.platform.config.switch.0.bootCfg.pep.7.numberOfLanes int 0 api.platform.config.switch.0.bootCfg.pep.8.numberOfLanes int 0 api.platform.config.switch.0.bootCfg.pep.0.gen int 3 api.platform.config.switch.0.bootCfg.pep.1.gen int 3 api.platform.config.switch.0.bootCfg.pep.2.gen int 3 api.platform.config.switch.0.bootCfg.pep.3.gen int 3 api.platform.config.switch.0.bootCfg.pep.4.gen int 3 api.platform.config.switch.0.bootCfg.pep.5.gen int 3 api.platform.config.switch.0.bootCfg.pep.6.gen int 3 api.platform.config.switch.0.bootCfg.pep.7.gen int 3 api.platform.config.switch.0.bootCfg.pep.8.gen int 3 api.platform.config.switch.0.bootCfg.pep.0.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF api.platform.config.switch.0.bootCfg.pep.1.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF api.platform.config.switch.0.bootCfg.pep.2.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF api.platform.config.switch.0.bootCfg.pep.3.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF api.platform.config.switch.0.bootCfg.pep.4.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF api.platform.config.switch.0.bootCfg.pep.5.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF api.platform.config.switch.0.bootCfg.pep.6.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF api.platform.config.switch.0.bootCfg.pep.7.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF api.platform.config.switch.0.bootCfg.pep.8.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF api.platform.config.switch.0.bootCfg.customMac.0 text 00:00:00:FF:FF:00:00:00 api.platform.config.switch.0.bootCfg.customMac.1 text 00:00:00:FF:FF:00:00:00 api.platform.config.switch.0.bootCfg.customMac.2 text 00:00:00:FF:FF:00:00:00 api.platform.config.switch.0.bootCfg.customMac.3 text 00:00:00:FF:FF:00:00:00 api.platform.config.switch.0.bootCfg.pep.0.vendorId int 0x8086 api.platform.config.switch.0.bootCfg.pep.1.vendorId int 0x8086 api.platform.config.switch.0.bootCfg.pep.2.vendorId int 0x8086 api.platform.config.switch.0.bootCfg.pep.3.vendorId int 0x8086 api.platform.config.switch.0.bootCfg.pep.4.vendorId int 0x8086 api.platform.config.switch.0.bootCfg.pep.5.vendorId int 0x8086 api.platform.config.switch.0.bootCfg.pep.6.vendorId int 0x8086 api.platform.config.switch.0.bootCfg.pep.7.vendorId int 0x8086 api.platform.config.switch.0.bootCfg.pep.8.vendorId int 0x8086 api.platform.config.switch.0.bootCfg.pep.0.deviceId int 0x15A4 api.platform.config.switch.0.bootCfg.pep.1.deviceId int 0x15A4 api.platform.config.switch.0.bootCfg.pep.2.deviceId int 0x15A4 api.platform.config.switch.0.bootCfg.pep.3.deviceId int 0x15A4 api.platform.config.switch.0.bootCfg.pep.4.deviceId int 0x15A4 api.platform.config.switch.0.bootCfg.pep.5.deviceId int 0x15A4 api.platform.config.switch.0.bootCfg.pep.6.deviceId int 0x15A4 api.platform.config.switch.0.bootCfg.pep.7.deviceId int 0x15A4 api.platform.config.switch.0.bootCfg.pep.8.deviceId int 0x15A4 api.platform.config.switch.0.bootCfg.pep.0.subVendorId int 0x1374 api.platform.config.switch.0.bootCfg.pep.1.subVendorId int 0x1374 api.platform.config.switch.0.bootCfg.pep.2.subVendorId int 0x1374 api.platform.config.switch.0.bootCfg.pep.3.subVendorId int 0x1374 api.platform.config.switch.0.bootCfg.pep.4.subVendorId int 0x1374 api.platform.config.switch.0.bootCfg.pep.5.subVendorId int 0x1374 api.platform.config.switch.0.bootCfg.pep.6.subVendorId int 0x1374 api.platform.config.switch.0.bootCfg.pep.7.subVendorId int 0x1374 api.platform.config.switch.0.bootCfg.pep.8.subVendorId int 0x1374 api.platform.config.switch.0.bootCfg.pep.0.subDeviceId int 0x01C2 api.platform.config.switch.0.bootCfg.pep.1.subDeviceId int 0 api.platform.config.switch.0.bootCfg.pep.2.subDeviceId int 0x01C2 api.platform.config.switch.0.bootCfg.pep.3.subDeviceId int 0 api.platform.config.switch.0.bootCfg.pep.4.subDeviceId int 0x01C2 api.platform.config.switch.0.bootCfg.pep.5.subDeviceId int 0 api.platform.config.switch.0.bootCfg.pep.6.subDeviceId int 0x01C2 api.platform.config.switch.0.bootCfg.pep.7.subDeviceId int 0 api.platform.config.switch.0.bootCfg.pep.8.subDeviceId int 0 api.platform.config.switch.0.bootCfg.systimeClockSource bool 0 api.platform.config.switch.0.bootCfg.enableSwitchRdySignal bool 0 api.platform.config.switch.0.bootCfg.pep.0.bar4Allowed bool 1 api.platform.config.switch.0.bootCfg.pep.1.bar4Allowed bool 0 api.platform.config.switch.0.bootCfg.pep.2.bar4Allowed bool 1 api.platform.config.switch.0.bootCfg.pep.3.bar4Allowed bool 0 api.platform.config.switch.0.bootCfg.pep.4.bar4Allowed bool 1 api.platform.config.switch.0.bootCfg.pep.5.bar4Allowed bool 0 api.platform.config.switch.0.bootCfg.pep.6.bar4Allowed bool 1 api.platform.config.switch.0.bootCfg.pep.7.bar4Allowed bool 0 api.platform.config.switch.0.bootCfg.pep.8.bar4Allowed bool 0 api.platform.config.switch.0.bootCfg.pep.0.ASPMEnable bool 0 api.platform.config.switch.0.bootCfg.pep.1.ASPMEnable bool 0 api.platform.config.switch.0.bootCfg.pep.2.ASPMEnable bool 0 api.platform.config.switch.0.bootCfg.pep.3.ASPMEnable bool 0 api.platform.config.switch.0.bootCfg.pep.4.ASPMEnable bool 0 api.platform.config.switch.0.bootCfg.pep.5.ASPMEnable bool 0 api.platform.config.switch.0.bootCfg.pep.6.ASPMEnable bool 0 api.platform.config.switch.0.bootCfg.pep.7.ASPMEnable bool 0 api.platform.config.switch.0.bootCfg.pep.8.ASPMEnable bool 0 api.platform.config.switch.0.bootCfg.pep.0.serialNumber text 00:E0:ED:FF:FF:9A:10:36 api.platform.config.switch.0.bootCfg.pep.1.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF api.platform.config.switch.0.bootCfg.pep.2.serialNumber text 00:E0:ED:FF:FF:9A:10:37 api.platform.config.switch.0.bootCfg.pep.3.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF api.platform.config.switch.0.bootCfg.pep.4.serialNumber text 00:E0:ED:FF:FF:9A:10:38 api.platform.config.switch.0.bootCfg.pep.5.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF api.platform.config.switch.0.bootCfg.pep.6.serialNumber text 00:E0:ED:FF:FF:9A:10:39 api.platform.config.switch.0.bootCfg.pep.7.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF api.platform.config.switch.0.bootCfg.pep.8.serialNumber text FF:FF:FF:FF:FF:FF:FF:FF ```
SPI NVM 8Mbit.bin
1 MiB
DataHoarder commented 2020-12-16 00:03:35 +00:00
Author
Owner
Copy link

FM10K only needs 1MB of the flash, there's a few bytes on the rest of the 8MB of flash after dumping it whole, will check more.

FM10K only needs 1MB of the flash, there's a few bytes on the rest of the 8MB of flash after dumping it whole, will check more.
SPI NVM 32Mbit.bin
8 MiB
DataHoarder commented 2020-12-16 16:30:29 +00:00
Author
Owner
Copy link

Here's fm10k-dump.c for dumping the SPI NVM without having to compile IES or using Silicom propietary tools, except it requires the FM10K kernel module with UIO enabled.

Maybe we should create a tools repository for these small utilities? @q3k

Here's [fm10k-dump.c](https://git.gammaspectra.live/WeebDataHoarder/fm10k-dump/src/branch/master/fm10k-dump.c) for dumping the SPI NVM without having to compile IES or using Silicom propietary tools, except it requires the [FM10K kernel module](https://git.gammaspectra.live/FM10K/fm10k) with UIO enabled. Maybe we should create a tools repository for these small utilities? @q3k
DataHoarder commented 2020-12-16 17:22:40 +00:00
Author
Owner
Copy link

SPI NVM image of another card, the one that pictures have been taken of.

SPI NVM image of another card, the one that pictures have been taken of.
SPI NVM 32Mbit B.bin
8 MiB
DataHoarder commented 2020-12-17 19:09:54 +00:00
Author
Owner
Copy link

This has been achieved partially by rrcSmall, currently decoding such images.

Attached is an example of what the program outputs.

It uses a mix of static decoding/analysis and actually trying to execute the state machine partially, and finding new branches to decode.
This is due to not having a static area that contains instructions, and instead being spread across the whole image with just an entrypoint.

This has been achieved partially by [rrcSmall](https://git.gammaspectra.live/FM10K/rrcSmall), currently decoding such images. Attached is an example of what the program outputs. It uses a mix of static decoding/analysis and actually trying to execute the state machine partially, and finding new branches to decode. This is due to not having a static area that contains instructions, and instead being spread across the whole image with just an entrypoint.
decodedInstructions.txt
684 KiB
DataHoarder commented 2020-12-21 04:43:10 +00:00
Author
Owner
Copy link

Flashed a new image to my FM10K, and it enabled all management system on all ports!

root@pve:~# ls -lah /dev/uio*
crw------- 1 root root 242, 0 Dec 21 05:32 /dev/uio0
crw------- 1 root root 242, 1 Dec 21 05:32 /dev/uio1

here's the diff applied to original

--- backup.hex	2020-12-21 05:41:26.233106503 +0100
+++ mod.hex	2020-12-21 05:41:17.609173411 +0100
@@ -2045,9 +2045,9 @@
 000891c0  c4 00 08 40 00 00 00 09  00 00 00 00 00 00 00 00  |...@............|
 000891d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 000891e0  00 00 00 00 00 00 00 00  00 00 00 00 f0 00 00 09  |................|
-000891f0  c4 00 08 2e 00 00 00 09  00 00 00 00 00 00 00 00  |................|
-00089200  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
-00089210  00 00 00 01 00 00 00 00  00 00 00 00 f0 00 00 09  |................|
+000891f0  c4 00 08 2e 00 00 00 09  00 00 00 01 00 00 00 01  |................|
+00089200  00 00 00 01 00 00 00 01  00 00 00 01 00 00 00 01  |................|
+00089210  00 00 00 01 00 00 00 01  00 00 00 01 f0 00 00 09  |................|
 00089220  c0 00 00 08 00 00 00 01  00 00 00 00 f0 00 00 09  |................|
 00089230  c4 00 08 49 00 00 00 09  15 a4 80 86 15 a4 80 86  |...I............|
 00089240  15 a4 80 86 15 a4 80 86  15 a4 80 86 15 a4 80 86  |................|
Flashed a new image to my FM10K, and it enabled all management system on all ports! ``` root@pve:~# ls -lah /dev/uio* crw------- 1 root root 242, 0 Dec 21 05:32 /dev/uio0 crw------- 1 root root 242, 1 Dec 21 05:32 /dev/uio1 ``` here's the diff applied to original ``` --- backup.hex 2020-12-21 05:41:26.233106503 +0100 +++ mod.hex 2020-12-21 05:41:17.609173411 +0100 @@ -2045,9 +2045,9 @@ 000891c0 c4 00 08 40 00 00 00 09 00 00 00 00 00 00 00 00 |...@............| 000891d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 000891e0 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 09 |................| -000891f0 c4 00 08 2e 00 00 00 09 00 00 00 00 00 00 00 00 |................| -00089200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| -00089210 00 00 00 01 00 00 00 00 00 00 00 00 f0 00 00 09 |................| +000891f0 c4 00 08 2e 00 00 00 09 00 00 00 01 00 00 00 01 |................| +00089200 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 01 |................| +00089210 00 00 00 01 00 00 00 01 00 00 00 01 f0 00 00 09 |................| 00089220 c0 00 00 08 00 00 00 01 00 00 00 00 f0 00 00 09 |................| 00089230 c4 00 08 49 00 00 00 09 15 a4 80 86 15 a4 80 86 |...I............| 00089240 15 a4 80 86 15 a4 80 86 15 a4 80 86 15 a4 80 86 |................| ```
DataHoarder commented 2020-12-21 05:21:39 +00:00
Author
Owner
Copy link

A new release of fm10k-dump was made that includes fm10k-flash, with such tool a patch made with the diff above can be applied.

A new release of [fm10k-dump](https://git.gammaspectra.live/FM10K/fm10k-dump/releases/tag/v0.2) was made that includes fm10k-flash, with such tool a patch made with the diff above can be applied.
usefulll commented 2020-12-21 15:05:02 +00:00
Copy link

I dumped the FM10420QDA2 ROM ,use my workstation with 2X4 +1X8 split options, but ip link only show one , but it can dump flash rom , so I dump it , hope it useful for you
btw ,since I lose connection to freenode time to time , could you tell me howto mod it to enable all management funciton ?

I dumped the FM10420QDA2 ROM ,use my workstation with 2X4 +1X8 split options, but ip link only show one , but it can dump flash rom , so I dump it , hope it useful for you btw ,since I lose connection to freenode time to time , could you tell me howto mod it to enable all management funciton ?
fm10420qda2.bin
1 MiB
DataHoarder commented 2020-12-21 17:03:05 +00:00
Author
Owner
Copy link

@usefulll nah don't apply the patch for the other cards. Seems like your card has custom boot config to probably make it work by default! I have attached the disassembled version and the diffe between the crads (it's a fairly large diff).

With this I can probably create a better mapping of such settings so cards can be configured to autoboot. At the moment it seems like the card will do either 40GBase-CR4 or 100GBase-CR4 on passive copper DAC only (api.platform.config.switch.0.portIndex.1.an73Ability text 40GBase-CR4,100GBase-CR4)

@usefulll nah don't apply the patch for the other cards. Seems like your card has custom boot config to probably make it work by default! I have attached the disassembled version and the diffe between the crads (it's a fairly large diff). With this I can probably create a better mapping of such settings so cards can be configured to autoboot. At the moment it seems like the card will do either 40GBase-CR4 or 100GBase-CR4 on passive copper DAC only (`api.platform.config.switch.0.portIndex.1.an73Ability text 40GBase-CR4,100GBase-CR4`)
fm10420qda2.asm
1.2 MiB
fm10420.diff
52 KiB
DataHoarder commented 2020-12-21 19:52:02 +00:00
Author
Owner
Copy link

also @usefulll when possible can you list what it showed when dumping the image?

For example on mine

root@pve:~/fm10k-dump# ./fm10k-dump /dev/uio0 backup12.bin 
Manufacturer Info 0x0101271f :: JEDEC Manufacturer ID 0x1f family 0x01 density 0x07 00:01
Device: Adesto AT45DB321E 32-Mbit
read @ 0x003ffe00 / 0x00400000 512 bytes
Read 4194304 bytes

This contains information on the SPI chip used on the card.

also @usefulll when possible can you list what it showed when dumping the image? For example on mine ``` root@pve:~/fm10k-dump# ./fm10k-dump /dev/uio0 backup12.bin Manufacturer Info 0x0101271f :: JEDEC Manufacturer ID 0x1f family 0x01 density 0x07 00:01 Device: Adesto AT45DB321E 32-Mbit read @ 0x003ffe00 / 0x00400000 512 bytes Read 4194304 bytes ``` This contains information on the SPI chip used on the card.
DataHoarder commented 2020-12-25 22:25:18 +00:00
Author
Owner
Copy link

This is considered solved with both fm10k-dump used to dump/flash images, and rrcSmall doing both decoding and encoding, after FM10K/rrcSmall#1 is finished.

This is considered solved with both [fm10k-dump](https://git.gammaspectra.live/FM10K/fm10k-dump) used to dump/flash images, and [rrcSmall](https://git.gammaspectra.live/FM10K/rrcSmall) doing both decoding and encoding, after FM10K/rrcSmall#1 is finished.
DataHoarder added a new dependency 2020-12-25 22:25:29 +00:00
FM10K/rrcSmall#1 - Rewrite instructions and Patch images
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
q3k/1607966867
No results found.
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
wontfix

This won't be fixed

  
bug

Something is not working

  
documentation

New information or documentation

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
wontfix

This won't be fixed

No labels
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
bug
documentation
duplicate
enhancement
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
DataHoarder
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Depends on
#1 Rewrite instructions and Patch images
FM10K/rrcSmall
Reference: FM10K/Documentation#13
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?