[coreboot] [flashrom] emit a warning if first byte of flash is 0x02?
frieder.ferlemann at web.de
Tue May 12 09:39:09 CEST 2009
Carl-Daniel Hailfinger schrieb:
> On 11.05.2009 19:44, Frieder Ferlemann wrote:
>> I don't know whether this proposal really makes sense
>> but 8051 based Embedded Controlers are very likely to
>> have 0x02 (the opcode for LJMP) at address 0x0000 and
>> at some of its IRQ entry points at address 0x0003 + n*8
>> It might be worth warning about because erasing/writing
>> the flash while the EC is running might not be a good idea.
> Right. How big can n get? I'd simply read address 0x0000 and all IRQ
> entry points and check if more than m of them are 0x02.
For the ENE KB3700 n <= 0x1f (so the IRQ entry points
fit within the first 256 bytes).
Interrupt vectors table is at 4.12.1).
>> This posting was triggered by todays publication of:
>> "Flash Programming for Dummies", A book by Carl-Daniel Hailfinger
>> which specifically mentions interactions with embedded controlers.
I like the book:)
> Yes indeed. If you have more ideas about EC detection heuristics, please
> tell us. Emitting a warning may be appropriate if we can make reasonably
> sure that it won't trigger too many false positives.
False positives: If all values bytes for the first byte were equally
likely (which is a wrong assumption) then around 0.5% false positives
could be expected. If one would further require at least two of the 32
IRQ entry points to hold 0x02 (m=2, it's probably a good assumption
that at least one timer IRQ and a host interface IRQ is in use) this
would likely reduce false positives by around a factor of 60.
False negatives: yes, likely few. F.e. the 8051 knows three different
jump instructions ljmp, sjmp, ajmp and while ljmp is the one that
would almost always be used here there is no guarantee.
(And there might be EC firmware without IRQ - probably depends on
the direction the NDA'ed sample code or SDK that comes with the EC
pushes EC firmware developers:)
More information about the coreboot