Add detailed README.md

2020-12-29 16:22:56 +01:00 · 2020-12-29 16:22:56 +01:00 · a66d9a7b36
parent e1df93fa4c
commit a66d9a7b36
1 changed files with 91 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -1,4 +1,93 @@
 # rrcSmall
-This is a tool used to interact with and decode FM10K Non-Volatile Memory images.

-Currently it extracts configuration values from image, and decode / execute the state machine partially to try to reach every executable code present on image.
+Tool used to decode, generate, patch and encode FM10000 Boot Images. Akin to Intel's rrcBig (FM10000 Boot Image Generator) tool, but open.
+
+## Requirements
+* cmake >= 3.16
+* g++ (GCC C++) or clang
+* make
+
+## Compilation
+* `$ mkdir build && cd build`
+* `$ cmake ../ && make`
+* An executable named `./rrcSmall` should now exist.
+
+## Supported boot image versions
+* **rrcBig_02.22**
+  - `Image Generated with rrcBig_02.22. EEPROM Image Version: 0x0222 PCIe Master SPICO FW Version: 0x10130001 PCIe SerDes SPICO FW Version: 0x30550043`
+* No other images have been found or tested. Please [open an issue](https://git.gammaspectra.live/FM10K/rrcSmall/issues) if you have information about other versions.
+
+## Decoding usage example
+* `$ ./rrcSmall decode image.bin > image.asm`
+* Progress will be output to STDERR
+* This will extract the configuration strings, headers, and disassemble the known code.
+* For disassembly, it'll use a combination of static and dynamic analysis, emulation of opcodes, and other speculation.
+* Output is automatically annotated and split into functions. Please [open a pull request](https://git.gammaspectra.live/FM10K/rrcSmall/pulls) if you have annotations to contribute.
+
+### Output example
+```asm
+; ================   FUNCTION    config_systimeClockSource   ================
+080600  00 00 00 09   WRITE custom_RETURN_TO, 1                                  ; <config_systimeClockSource> XREF.CallFrom: 080004(Absolute), 
+080604  00 08 06 0c       custom_RETURN_TO = 0x0008060c                          ; RETURN location for load_bootCfg_systimeClockSource
+080608  e8 08 90 00   JUMP <load_bootCfg_systimeClockSource>                    
+08060c  d4 00 00 08   BRANCH custom_RETURN_VALUE ==                              ; <loc_08060c> XREF.CallFrom: 08900c(Return), 0c900c(Return), 
+080610  00 00 00 00       VALUE 0x00000000                                      
+080614  00 00 00 01       MASK 0x00000001                                       
+080618  00 08 06 28       JUMP_ADDRESS <loc_080628>                             
+08061c  f8 00 00 04   SET DEVICE_CFG                                             ; set DEVICE_CFG.SystimeClockSource to IEEE1588_REFCLK (default PCIE_REFCLK)
+080620  00 01 00 00       VALUE 0x00010000                                      
+080624  00 01 00 00       MASK 0x00010000                                       
+080628  e8 08 00 08   JUMP <loc_080008>                                          ; <loc_080628> XREF.CallFrom: 08060c(Branch), 
+```
+
+## Encoding / patching usage example
+* `$ ./rrcSmall encode image.bin config.cfg patchedImage.bin`
+  * (Optional) Check the resulting diff: `$ diff -u <(hd -v image.bin) <(hd -v patchedImage.bin)`
+    * Also works using decoder `$ diff -u <(./rrcSmall decode image.bin) <(./rrcSmall decode patchedImage.bin)`
+* Options will be read from image to be applied.
+* Provide any options to be overridden into _config.cfg_.
+* Supported directives:
+  * `api.platform.config.switch.0.bootCfg.systimeClockSource` bool
+  * `api.platform.config.switch.0.bootCfg.spiTransferMode` int
+  * `api.platform.config.switch.0.bootCfg.spiTransferSpeed` int
+  * `api.platform.config.switch.0.bootCfg.customMac.%` text
+  * `api.platform.config.switch.0.bootCfg.mgmtPep` int
+  * `api.platform.config.switch.0.bootCfg.pep.%.bar4Allowed` bool
+  * `api.platform.config.switch.0.bootCfg.pep.%.serialNumber` text
+  * `api.platform.config.switch.0.bootCfg.pep.%.vendorId` int
+  * `api.platform.config.switch.0.bootCfg.pep.%.deviceId` int
+  * `api.platform.config.switch.0.bootCfg.pep.%.subVendorId` int
+  * `api.platform.config.switch.0.bootCfg.pep.%.subDeviceId` int
+  * `api.platform.config.switch.0.bootCfg.pep.%.numberOfLanes` int
+  * `api.platform.config.switch.0.bootCfg.pep.%.gen` int
+  * `api.platform.config.switch.0.bootCfg.pep.%.ASPMEnable` bool
+  * `api.platform.config.switch.0.bootCfg.pep.%.enable` bool
+  * `api.platform.config.switch.0.bootCfg.pep.%.mode` bool
+* If you want to add support for other directives, please [open a pull request](https://git.gammaspectra.live/FM10K/rrcSmall/pulls).
+
+### config.cfg example
+
+```
+#Enable management port on all PEP that have bar4Allowed true
+api.platform.config.switch.0.bootCfg.mgmtPep int -1
+#api.platform.config.switch.0.bootCfg.mgmtPep int 6
+
+#Enable access to management resources (BAR4) on specific PEP
+api.platform.config.switch.0.bootCfg.pep.0.bar4Allowed bool 1
+api.platform.config.switch.0.bootCfg.pep.1.bar4Allowed bool 1
+api.platform.config.switch.0.bootCfg.pep.2.bar4Allowed bool 1
+api.platform.config.switch.0.bootCfg.pep.3.bar4Allowed bool 1
+api.platform.config.switch.0.bootCfg.pep.4.bar4Allowed bool 1
+api.platform.config.switch.0.bootCfg.pep.5.bar4Allowed bool 1
+api.platform.config.switch.0.bootCfg.pep.6.bar4Allowed bool 1
+api.platform.config.switch.0.bootCfg.pep.7.bar4Allowed bool 0
+api.platform.config.switch.0.bootCfg.pep.8.bar4Allowed bool 0
+
+```
+
+## librrcimage
+* Besides `rrcSmall`, a static library named `librrcimage.a` will be generated for use in your own projects.
+
+## License
+* BSD-3-Clause
+* See [COPYING](COPYING) for the full license.