[Openec] Few questions about KB3700/3926

Frieder Ferlemann frieder.ferlemann at web.de
Tue Jul 22 17:35:16 EDT 2008 

Hi Maxim,

Maxim Levitsky schrieb:
> Accidentally I discovered that my laplop has an KB3926 embedded controller.
> It seems that it is quite popular since both olps and eee use some 
> variations of it.

Fine:)

> KB3700 is very similar to this chip, for example its datasheet reference 
> s KB3925 several times
> 
> I was looking for that hardware that powers o/b IR port, and found out 
> that EC powers it.
> 
> I also found that EC can be accessed via 0xFF2C-0xFF2F ports
> Using the data sheet I was able to download all EC memory to a file, now
> I want to have fun and disassemble some of it.
> 
> 
> but I face a problem now that I almost solved brute-force way.
> 
> I found that dump of 0x0000-0x4000 isn't consistent nor makes any sense 
> in disassembly (and this part is the most interesting part because it 
> contains interrupts and initialization vectors)
> 
> Reading at those addresses returns different values all the time, and I 
> feel I know why, I think there is a race accessing memory between KB3926
> debug port and controller itself.
> 
> So I wrote a program that reads this range 64 bytes a time are gathers 
> statistics about which value is returned most frequently for each address.

:) good work !)

> And resulting memory dump looks very good, it has sane assembly (all 
> interrupt vectors start with jump instruction, and overall it looks like 
> good assembly, for example there are lots of accesses to 0xF400-0xFFFF 
> range.
> 
> Also resulting dump has large range of all zeros (unused area I think)
> 
> Do you know anything about this?
> 
> Does this chip have ram (I don't mean 128 bytes of standard ram, but 
> some large range of it like maybe this 0x0000-0x4000 range?) ?

I do not know but if the KB3926 closely resembles the KB3700 then
the different readings you are observing might be related to a
bank switching mechanism:

There is a register XBISEG0 mentioned in the KB3700 documentation
which can be used to map the 8051 code memory within the SPI flash.
Maybe you can index your statistics by the readings of XBISEG0 at
0xfea0? - (this might still be racy though)

(OpenEC makes use of XBISEG1 to access memory outside of its usual window.
http://dev.laptop.org/git?p=projects/openec;a=blob;f=flash.c;hb=HEAD )

> All addition information is welcome

you might be interested in the file openec.ctl at the above location
which is used to check the infamous openec.do_not_use.bin
file and contains a list of KB3700 registers and IRQ vectors.

Greetings,
Frieder

More information about the Openec mailing list