Tool used to decode, generate, patch and encode FM10000 Boot Images. Akin to Intel's rrcBig tool, but open.
Find a file
DataHoarder 875f6588d9
All checks were successful
continuous-integration/drone/push Build is passing
Implement proper Init OutputContext
2021-08-05 16:29:07 +02:00
src Implement proper Init OutputContext 2021-08-05 16:29:07 +02:00
.drone.yml Force drone to build on linux-amd64 2020-12-31 01:22:14 +01:00
.gitignore Add static library librrcimage build output 2020-12-25 22:18:02 +01:00
CMakeLists.txt Disable exceptions on build 2020-12-29 13:53:00 +01:00
COPYING Initial commit 2020-12-17 20:01:57 +01:00
README.md Added notice about fm10k-dump https://git.gammaspectra.live/FM10K/fm10k-dump on README.md 2020-12-29 16:32:30 +01:00

rrcSmall

Tool used to decode, generate, patch and encode FM10000 Boot Images. Akin to Intel's rrcBig (FM10000 Boot Image Generator) tool, but open.

Requirements

  • cmake >= 3.16
  • g++ (GCC C++) or clang
  • make

Compilation

  • $ mkdir build && cd build
  • $ cmake ../ && make
  • An executable named ./rrcSmall should now exist.

Supported boot image versions

  • rrcBig_02.22
    • Image Generated with rrcBig_02.22. EEPROM Image Version: 0x0222 PCIe Master SPICO FW Version: 0x10130001 PCIe SerDes SPICO FW Version: 0x30550043
  • No other images have been found or tested. Please open an issue if you have information about other versions.

Image dumping and flashing

Decoding usage example

  • $ ./rrcSmall decode image.bin > image.asm
  • Progress will be output to STDERR
  • This will extract the configuration strings, headers, and disassemble the known code.
  • For disassembly, it'll use a combination of static and dynamic analysis, emulation of opcodes, and other speculation.
  • Output is automatically annotated and split into functions. Please open a pull request if you have annotations to contribute.

Output example

; ================   FUNCTION    config_systimeClockSource   ================
080600  00 00 00 09   WRITE custom_RETURN_TO, 1                                  ; <config_systimeClockSource> XREF.CallFrom: 080004(Absolute), 
080604  00 08 06 0c       custom_RETURN_TO = 0x0008060c                          ; RETURN location for load_bootCfg_systimeClockSource
080608  e8 08 90 00   JUMP <load_bootCfg_systimeClockSource>                    
08060c  d4 00 00 08   BRANCH custom_RETURN_VALUE ==                              ; <loc_08060c> XREF.CallFrom: 08900c(Return), 0c900c(Return), 
080610  00 00 00 00       VALUE 0x00000000                                      
080614  00 00 00 01       MASK 0x00000001                                       
080618  00 08 06 28       JUMP_ADDRESS <loc_080628>                             
08061c  f8 00 00 04   SET DEVICE_CFG                                             ; set DEVICE_CFG.SystimeClockSource to IEEE1588_REFCLK (default PCIE_REFCLK)
080620  00 01 00 00       VALUE 0x00010000                                      
080624  00 01 00 00       MASK 0x00010000                                       
080628  e8 08 00 08   JUMP <loc_080008>                                          ; <loc_080628> XREF.CallFrom: 08060c(Branch), 

Encoding / patching usage example

  • $ ./rrcSmall encode image.bin config.cfg patchedImage.bin
    • (Optional) Check the resulting diff: $ diff -u <(hd -v image.bin) <(hd -v patchedImage.bin)
      • Also works using decoder $ diff -u <(./rrcSmall decode image.bin) <(./rrcSmall decode patchedImage.bin)
  • Options will be read from image to be applied.
  • Provide any options to be overridden into config.cfg.
  • Supported directives:
    • api.platform.config.switch.0.bootCfg.systimeClockSource bool
    • api.platform.config.switch.0.bootCfg.spiTransferMode int
    • api.platform.config.switch.0.bootCfg.spiTransferSpeed int
    • api.platform.config.switch.0.bootCfg.customMac.% text
    • api.platform.config.switch.0.bootCfg.mgmtPep int
    • api.platform.config.switch.0.bootCfg.pep.%.bar4Allowed bool
    • api.platform.config.switch.0.bootCfg.pep.%.serialNumber text
    • api.platform.config.switch.0.bootCfg.pep.%.vendorId int
    • api.platform.config.switch.0.bootCfg.pep.%.deviceId int
    • api.platform.config.switch.0.bootCfg.pep.%.subVendorId int
    • api.platform.config.switch.0.bootCfg.pep.%.subDeviceId int
    • api.platform.config.switch.0.bootCfg.pep.%.numberOfLanes int
    • api.platform.config.switch.0.bootCfg.pep.%.gen int
    • api.platform.config.switch.0.bootCfg.pep.%.ASPMEnable bool
    • api.platform.config.switch.0.bootCfg.pep.%.enable bool
    • api.platform.config.switch.0.bootCfg.pep.%.mode bool
  • If you want to add support for other directives, please open a pull request.

config.cfg example

#Enable management port on all PEP that have bar4Allowed true
api.platform.config.switch.0.bootCfg.mgmtPep int -1
#api.platform.config.switch.0.bootCfg.mgmtPep int 6

#Enable access to management resources (BAR4) on specific PEP
api.platform.config.switch.0.bootCfg.pep.0.bar4Allowed bool 1
api.platform.config.switch.0.bootCfg.pep.1.bar4Allowed bool 1
api.platform.config.switch.0.bootCfg.pep.2.bar4Allowed bool 1
api.platform.config.switch.0.bootCfg.pep.3.bar4Allowed bool 1
api.platform.config.switch.0.bootCfg.pep.4.bar4Allowed bool 1
api.platform.config.switch.0.bootCfg.pep.5.bar4Allowed bool 1
api.platform.config.switch.0.bootCfg.pep.6.bar4Allowed bool 1
api.platform.config.switch.0.bootCfg.pep.7.bar4Allowed bool 0
api.platform.config.switch.0.bootCfg.pep.8.bar4Allowed bool 0

librrcimage

  • Besides rrcSmall, a static library named librrcimage.a will be generated for use in your own projects.

License

  • BSD-3-Clause
  • See COPYING for the full license.