<div dir="ltr">Hi everyone<div><br></div><div>Thanks a lot for the comments, Zoran!</div><div>You are totally right. The way I wrote it was not clear.</div><div>In my comments I added the bit number and the name of the bit based on Intel's specification:</div><div><br></div><img src="cid:1566fefcb1dd0cad2201" alt="pasted1" class="" style="max-width: 100%;"><div>Thanks for confirming this.</div><div><br></div><div>Just to give you some feedback, and for future generations interested in this topic:</div><div>After checking all the comments from everyone and studying a little bit, I found the reason for the magic jump:</div><div dir="ltr"><div><br></div><div><span style="font-size:12.8px;line-height:19.2px">f000:0fed ffe7 jmp di ; di value is </span><span style="line-height:1.5">0x113 at this point, as checked using QEMU</span></div><div><br></div></div><div dir="ltr"><div>Several instructions before this, we have the following:</div><div><br></div><div>f000:0109 b0d0 mov al, 0xd0</div><div>f000:010b e680 out 0x80, al</div><div><font color="#0000ff">f000:010d bf1301 mov di, 0x113</font></div><div>f000:0110 e9ed0d jmp 0xf0f00</div><div><font color="#ff0000">f000:0113 8cc8 mov ax, cs</font></div><div>f000:0115 8ed8 mov ds, ax</div><div>f000:0117 8ec0 mov es, ax <br></div><div><br></div><div>So, as you pointed out some e-mails ago, the jmps here were used to access other "functions" (in blue), since there is no stack yet.</div><div>And that "jmp di" was the point where the call returns to the starting point (in red).</div><div><br></div><div><span style="line-height:1.5">I'll continue my studies and post in case of questions. Soon I'll try to port cb to a system I'm not using.</span><br></div><div>Thanks for the help everyone! 
</div><div><br></div><div><br></div></div><div dir="ltr"><br><div class="gmail_quote"><div dir="ltr">On Tue, 9 Aug 2016 at 07:23, Zoran Stojsavljevic <<a href="mailto:zoran.stojsavljevic@gmail.com" target="_blank">zoran.stojsavljevic@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello Rafael,<div><br></div><div>Once again... About your initial email.</div><div><br></div><div>Code you have posted (in <i><u><b><font color="#ff0000">RED</font></b></u></i>):</div></div><div dir="ltr"><div><br></div><div><div style="font-size:12.8px">f000:0fcb 66b9ff020000 mov ecx, 0x2ff</div><div style="font-size:12.8px"><b><i><u><font color="#ff0000">f000:0fd1 0f32 rdmsr ; read register 0x2ff (IA32_MTRR_DEF_TYPE)</font></u></i></b></div><div style="font-size:12.8px"><b><i><u><font color="#ff0000">f000:0fd3 0fbae80b bts ax, 0xb ; Enable bit 11 (MTRR Enable).</font></u></i></b></div><div style="font-size:12.8px"><b><i><u><font color="#ff0000">f000:0fd7 0fbae80a bts ax, 0xa ; Enable bit 10 (Fixed MTRR Enable).</font></u></i></b></div><div style="font-size:12.8px"><b><i><u><font color="#ff0000">f000:0fdb 0f30 wrmsr ; Write changes to MTRR</font></u></i></b></div><div style="font-size:12.8px"><b><i><u><font color="#ff0000">f000:0fdd 0f20c0 mov eax, cr0</font></u></i></b></div><div style="font-size:12.8px"><b><i><u><font color="#ff0000">f000:0fe0 660fbaf01e btr eax, 0x1e ; Bit 30 means CD - Cache disabled.</font></u></i></b></div><div style="font-size:12.8px"><b><i><u><font color="#ff0000">f000:0fe5 660fbaf01d btr eax, 0x1d ; Disable bit 29. 
NW - No Write-through</font></u></i></b></div><div style="font-size:12.8px"><b><i><u><font color="#ff0000">f000:0fea 0f22c0 mov cr0, eax ; Write changes to CR0</font></u></i></b></div><div style="font-size:12.8px">f000:0fed ffe7 jmp di</div><div style="font-size:12.8px">f000:0fef 0f20c0 mov eax, cr0</div><div style="font-size:12.8px">f000:0ff2 660fbae81e bts eax, 0x1e</div><div style="font-size:12.8px">f000:0ff7 660fbae81d bts eax, 0x1d</div><div style="font-size:12.8px">f000:0ffc 0f22c0 mov cr0, eax</div></div><div style="font-size:12.8px"><br></div></div><div dir="ltr"><div style="font-size:12.8px">I think you have errors here in commenting CD and NW. Resetting these bits will be the opposite of what you wrote here. Namely, CD = 0 will be Cache Enabled and NW = 0 will be Write-Through. </div><div style="font-size:12.8px"><br></div><div style="font-size:12.8px">This code very closely matches the code in Coreboot's <span style="color:rgb(31,73,125);font-family:Calibri,sans-serif;font-size:14.6667px">src/soc/intel/skylake/</span><span style="color:rgb(31,73,125);font-family:Calibri,sans-serif;font-size:14.6667px">bootblock/cache_as_ram.S:</span></div><div style="font-size:12.8px"><span style="color:rgb(31,73,125);font-family:Calibri,sans-serif;font-size:14.6667px"><br></span></div><div style="font-size:12.8px"><span style="color:rgb(31,73,125);font-family:Calibri,sans-serif;font-size:14.6667px">Line 128:</span></div><div><div><font color="#1f497d" face="Calibri, sans-serif"><span style="font-size:14.6667px"><span style="white-space:pre-wrap"> </span>/* Enable variable MTRRs */</span></font></div><div><font color="#1f497d" face="Calibri, sans-serif"><span style="font-size:14.6667px"><span style="white-space:pre-wrap"> </span>mov <span style="white-space:pre-wrap"> </span>$MTRR_DEF_TYPE_MSR, %ecx</span></font></div><div><font color="#1f497d" face="Calibri, sans-serif"><span style="font-size:14.6667px"><span style="white-space:pre-wrap"> 
</span>rdmsr</span></font></div><div><font color="#1f497d" face="Calibri, sans-serif"><span style="font-size:14.6667px"><span style="white-space:pre-wrap"> </span>or<span style="white-space:pre-wrap"> </span>$MTRR_DEF_TYPE_EN, %eax</span></font></div><div><font color="#1f497d" face="Calibri, sans-serif"><span style="font-size:14.6667px"><span style="white-space:pre-wrap"> </span>wrmsr</span></font></div><div><font color="#1f497d" face="Calibri, sans-serif"><span style="font-size:14.6667px"><br></span></font></div><div><font color="#1f497d" face="Calibri, sans-serif"><span style="font-size:14.6667px"><span style="white-space:pre-wrap"> </span>/* Enable caching */</span></font></div><div><font color="#1f497d" face="Calibri, sans-serif"><span style="font-size:14.6667px"><span style="white-space:pre-wrap"> </span>mov<span style="white-space:pre-wrap"> </span>%cr0, %eax</span></font></div><div><font color="#1f497d" face="Calibri, sans-serif"><span style="font-size:14.6667px"><span style="white-space:pre-wrap"> </span>and<span style="white-space:pre-wrap"> </span>$~(CR0_CD | CR0_NW), %eax</span></font></div><div><font color="#1f497d" face="Calibri, sans-serif"><span style="font-size:14.6667px"><span style="white-space:pre-wrap"> </span>invd</span></font></div><div><font color="#1f497d" face="Calibri, sans-serif"><span style="font-size:14.6667px"><span style="white-space:pre-wrap"> </span>mov<span style="white-space:pre-wrap"> </span>%eax, %cr0</span></font></div><div><font color="#1f497d" face="Calibri, sans-serif"><span style="font-size:14.6667px"><br></span></font></div><div><font color="#1f497d" face="Calibri, sans-serif"><span style="font-size:14.6667px">Please also look into the file mtrr.h (src/include/cpu/x86/mtrr.h). <i>It starts making (a lot of) sense... 
;-)</i></span></font></div><div><font color="#1f497d" face="Calibri, sans-serif"><span style="font-size:14.6667px"><br></span></font></div><div><font color="#1f497d" face="Calibri, sans-serif"><span style="font-size:14.6667px">Zoran</span></font></div></div></div><div class="gmail_extra"><br><div class="gmail_quote"></div></div><div class="gmail_extra"><div class="gmail_quote">On Mon, Jul 25, 2016 at 6:03 PM, Rafael Machado <span dir="ltr"><<a href="mailto:rafaelrodrigues.machado@gmail.com" target="_blank">rafaelrodrigues.machado@gmail.com</a>></span> wrote:<br></div></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi guys. Long time since my last e-mail.<div><br><div>It's hard to synchronize my day work with my firmware studies. Since my projects are more UEFI related I usually do not have too much time to study the legacy way, but it's really cool and I'll not give up :)</div><div><br></div><div>Since the last talk I was doing what everyone kindly proposed. (By the way, thank you all for the guidance.)</div><div><br></div><div>Now I'm disassembling an old system's BIOS I have, but I cannot understand what is happening in a specific section of the code. (I'm using radare2 for my studies.)</div><div><br></div><div>The code is:</div><div><br></div><div><div>f000:0fcb 66b9ff020000 mov ecx, 0x2ff</div><div>f000:0fd1 0f32 rdmsr ; read register 0x2ff (IA32_MTRR_DEF_TYPE)</div><div>f000:0fd3 0fbae80b bts ax, 0xb ; Enable bit 11 (MTRR Enable).</div><div>f000:0fd7 0fbae80a bts ax, 0xa ; Enable bit 10 (Fixed MTRR Enable).</div><div>f000:0fdb 0f30 wrmsr ; Write changes to MTRR</div><div>f000:0fdd 0f20c0 mov eax, cr0</div><div>f000:0fe0 660fbaf01e btr eax, 0x1e ; Bit 30 means CD - Cache disabled.</div><div>f000:0fe5 660fbaf01d btr eax, 0x1d ; Disable bit 29. 
NW - No Write-through</div><div>f000:0fea 0f22c0 mov cr0, eax ; Write changes to CR0</div><div>f000:0fed ffe7 jmp di</div><div>f000:0fef 0f20c0 mov eax, cr0</div><div>f000:0ff2 660fbae81e bts eax, 0x1e</div><div>f000:0ff7 660fbae81d bts eax, 0x1d</div><div>f000:0ffc 0f22c0 mov cr0, eax</div><div><br></div></div><div><br></div><div>Here is the code with my notes. I understand that some MTRRs were set, and now the processor will be "configured".</div><div>We see at addresses <span style="line-height:1.5">f000:0fe0 and </span><span style="line-height:1.5">f000:0fe5 that the CR0 register is being changed, and after that the changes are saved.</span></div><div><span style="line-height:1.5"><br></span></div><div><span style="line-height:1.5">Now I have two questions.</span></div><div><span style="line-height:1.5"><br></span></div><div><span style="line-height:1.5">1 - After the CR0 changes get completed there is a "jmp di" instruction. This does not make any </span>sense<span style="line-height:1.5"> to me. Does anyone know why this is needed? As far as I could check, the di value is 0x0 at this point. I think</span></div><div><span style="line-height:1.5"><br></span></div><div><span style="line-height:1.5">2 - After the "jmp di" a "CR0 Déjà vu" code is executed. Any idea why this is needed?</span></div><div><span style="line-height:1.5"><br></span></div><div><span style="line-height:1.5">Thanks everyone</span></div><div><span style="line-height:1.5">Rafael R. Machado</span></div><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, 11 Jan 2016 at 03:57, Alex G. <<a href="mailto:mr.nuke.me@gmail.com" target="_blank">mr.nuke.me@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On 01/10/2016 10:23 AM, ron minnich wrote:<br>
> One thing I think you'd enjoy doing is building the qemu target, setting<br>
> up qemu with gdb, and just watching what happens, instruction by<br>
> instruction, as the system boots.<br>
<br>
One exercise I liked doing was to rewrite the entire boot flow, from<br>
reset vector to protected mode entry. Tested on qemu, put it on<br>
hardware, nothing burned.<br>
<br>
Alex<br>
<br>
> ron<br>
><br>
> On Sun, Jan 10, 2016 at 3:28 AM Rafael Machado<br>
> <<a href="mailto:rafaelrodrigues.machado@gmail.com" target="_blank">rafaelrodrigues.machado@gmail.com</a><br>
> <mailto:<a href="mailto:rafaelrodrigues.machado@gmail.com" target="_blank">rafaelrodrigues.machado@gmail.com</a>>> wrote:<br>
><br>
> Hi Peter and Rudolf.<br>
> Thanks for the answers and tips. They are really helpful!<br>
> I'll take a look.<br>
><br>
> Rafael R. Machado<br>
><br>
><br>
> On Sat, 9 Jan 2016 17:19, Rudolf Marek <<a href="mailto:r.marek@assembler.cz" target="_blank">r.marek@assembler.cz</a><br>
> <mailto:<a href="mailto:r.marek@assembler.cz" target="_blank">r.marek@assembler.cz</a>>> wrote:<br>
><br>
> Hi,<br>
><br>
> I guess your question is more general than coreboot-related,<br>
> right?<br>
><br>
> If you have a firmware image dump of the flash (not the file you<br>
> download from the<br>
> board vendor) then yes, the first location to be executed is the<br>
> instruction located<br>
> 16 bytes before the end of the image.<br>
><br>
> In coreboot see in build/ bootblock_inc.S, which also has<br>
> reset16.inc and<br>
> entry16.inc, which is the real start. Consult the Intel or AMD<br>
> manual to see the<br>
> CPU state after reset. The CPU starts in real mode, but the CS base<br>
> is shifted to the<br>
> last 64KB before the end of the 4GB address space. In general your CPU<br>
> starts in<br>
> a mode compatible with the 8086 manufactured in 1978.<br>
><br>
> Thanks<br>
> Rudolf<br>
><br>
> --<br>
> coreboot mailing list: <a href="mailto:coreboot@coreboot.org" target="_blank">coreboot@coreboot.org</a><br>
> <mailto:<a href="mailto:coreboot@coreboot.org" target="_blank">coreboot@coreboot.org</a>><br>
> <a href="http://www.coreboot.org/mailman/listinfo/coreboot" rel="noreferrer" target="_blank">http://www.coreboot.org/mailman/listinfo/coreboot</a><br>
><br>
><br>
><span><font color="#888888"><br>
</font></span></blockquote></div>
</blockquote></div></div>
</blockquote></div></div></div>
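<p>As an added illustration for readers of this thread (not code from the thread or from coreboot), the following C program models what the two quoted instruction sequences do to the registers, using the bit names from the disassembly comments and Zoran's correction that clearing CD and NW enables caching. The function names and the sample register values are my own; the sample CR0 is the post-reset value the Intel SDM documents (CD and NW set), and the CR0 decoder also flags the one CD/NW combination the SDM marks invalid, which a mov to cr0 would reject with #GP.</p>

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bit positions named in the disassembly comments (IA32_MTRR_DEF_TYPE is MSR 0x2ff). */
#define MTRR_DEF_TYPE_TYPE_MASK 0xffu      /* bits 7:0, default memory type */
#define MTRR_DEF_TYPE_FE        (1u << 10) /* bit 10, fixed-range MTRRs enable */
#define MTRR_DEF_TYPE_E         (1u << 11) /* bit 11, MTRRs enable */
#define CR0_NW                  (1u << 29) /* bit 29, Not Write-through */
#define CR0_CD                  (1u << 30) /* bit 30, Cache Disable */

/* rdmsr; bts ax,0xb; bts ax,0xa; wrmsr.
 * The bts encodings in the listing (0f ba e8 0b / 0f ba e8 0a) carry no 0x66
 * prefix, so in 16-bit real mode they touch ax only; the upper half of eax and
 * all of edx go back into the MSR exactly as rdmsr returned them. */
uint64_t mtrr_def_type_after_enable(uint64_t msr_value)
{
    uint32_t eax = (uint32_t)msr_value;          /* low dword from rdmsr */
    uint32_t edx = (uint32_t)(msr_value >> 32);  /* high dword from rdmsr */
    uint16_t ax = (uint16_t)eax;

    ax |= (uint16_t)MTRR_DEF_TYPE_E;   /* bts ax, 0xb */
    ax |= (uint16_t)MTRR_DEF_TYPE_FE;  /* bts ax, 0xa */
    eax = (eax & 0xffff0000u) | ax;
    return ((uint64_t)edx << 32) | eax;          /* value written by wrmsr */
}

/* mov eax,cr0; btr eax,0x1e; btr eax,0x1d; mov cr0,eax (0x66 prefix: 32-bit operand).
 * Clearing CD and NW turns caching on, which is the correction made in the thread. */
uint32_t cr0_after_cache_enable(uint32_t cr0)
{
    return cr0 & ~(CR0_CD | CR0_NW);
}

/* The mirror sequence at the jmp target (bts eax,0x1e; bts eax,0x1d) sets both bits again. */
uint32_t cr0_after_cache_disable(uint32_t cr0)
{
    return cr0 | CR0_CD | CR0_NW;
}

/* Decode the CD/NW pair. CD=0 with NW=1 is the one combination the Intel SDM
 * marks invalid (writing it to CR0 raises #GP), so a caller can reject such a
 * value before it ever reaches a mov cr0. */
const char *cr0_cache_mode(uint32_t cr0, bool *valid)
{
    bool cd = (cr0 & CR0_CD) != 0;
    bool nw = (cr0 & CR0_NW) != 0;

    *valid = true;
    if (!cd && !nw)
        return "CD=0 NW=0: caching enabled";
    if (cd && nw)
        return "CD=1 NW=1: caching disabled";
    if (cd && !nw)
        return "CD=1 NW=0: caching disabled, write-through";
    *valid = false;
    return "CD=0 NW=1: invalid combination (#GP on write)";
}

int main(void)
{
    /* Constructed sample values, not captured from the BIOS in the thread:
     * MSR 0x2ff with default type WB (0x06) and the MTRRs still disabled, and
     * CR0 as the SDM documents it after reset (CD, NW and ET set). */
    uint64_t msr = 0x0000000000000006ull;
    uint32_t cr0 = 0x60000010u;
    bool valid;

    printf("MTRR_DEF_TYPE: %#llx -> %#llx\n", (unsigned long long)msr,
           (unsigned long long)mtrr_def_type_after_enable(msr));
    printf("CR0 before:        %#x  %s\n", cr0, cr0_cache_mode(cr0, &valid));
    cr0 = cr0_after_cache_enable(cr0);
    printf("CR0 after btr/btr: %#x  %s\n", cr0, cr0_cache_mode(cr0, &valid));
    cr0 = cr0_after_cache_disable(cr0);
    printf("CR0 after bts/bts: %#x  %s\n", cr0, cr0_cache_mode(cr0, &valid));
    return 0;
}
```

<p>Running it shows the MSR going from 0x6 to 0xc06 (bits 10 and 11 set, default type untouched) and CR0 going from 0x60000010 to 0x10 and back, which is exactly the "CR0 Déjà vu" pair around the jmp di: the code at 0fdd enables caching before returning through di, and the code at 0fef is the counterpart that disables it again.</p>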