[Openec] Few questions about KB3700/3926
Maxim Levitsky
maximlevitsky at gmail.com
Tue Jul 22 15:51:18 EDT 2008
Hi,
Accidentally I discovered that my laplop has an KB3926 embedded controller.
It seems that it is quite popular since both olps and eee use some
variations of it.
KB3700 is very similar to this chip, for example its datasheet reference
s KB3925 several times
I was looking for that hardware that powers o/b IR port, and found out
that EC powers it.
I also found that EC can be accessed via 0xFF2C-0xFF2F ports
Using the data sheet I was able to download all EC memory to a file, now
I want to have fun and disassemble some of it.
but I face a problem now that I almost solved brute-force way.
I found that dump of 0x0000-0x4000 isn't consistent nor makes any sense
in disassembly (and this part is the most interesting part because it
contains interrupts and initialization vectors)
Reading at those addresses returns different values all the time, and I
feel I know why, I think there is a race accessing memory between KB3926
debug port and controller itself.
So I wrote a program that reads this range 64 bytes a time are gathers
statistics about which value is returned most frequently for each address.
And resulting memory dump looks very good, it has sane assembly (all
interrupt vectors start with jump instruction, and overall it looks like
good assembly, for example there are lots of accesses to 0xF400-0xFFFF
range.
Also resulting dump has large range of all zeros (unused area I think)
Do you know anything about this?
Does this chip have ram (I don't mean 128 bytes of standard ram, but
some large range of it like maybe this 0x0000-0x4000 range?) ?
All addition information is welcome
Thanks in advance
Best regards,
Maxim Levitsky
More information about the Openec
mailing list