[Openec] Few questions about KB3700/3926

Maxim Levitsky maximlevitsky at gmail.com
Wed Jul 23 07:18:15 EDT 2008


Frieder Ferlemann wrote:
> Hi Maxim,
> 
> Maxim Levitsky schrieb:
>> Accidentally I discovered that my laplop has an KB3926 embedded 
>> controller.
>> It seems that it is quite popular since both olps and eee use some 
>> variations of it.
> 
> Fine:)
> 
>> KB3700 is very similar to this chip, for example its datasheet 
>> reference s KB3925 several times
>>
>> I was looking for that hardware that powers o/b IR port, and found out 
>> that EC powers it.
>>
>> I also found that EC can be accessed via 0xFF2C-0xFF2F ports
>> Using the data sheet I was able to download all EC memory to a file, now
>> I want to have fun and disassemble some of it.
>>
>>
>> but I face a problem now that I almost solved brute-force way.
>>
>> I found that dump of 0x0000-0x4000 isn't consistent nor makes any 
>> sense in disassembly (and this part is the most interesting part 
>> because it contains interrupts and initialization vectors)
>>
>> Reading at those addresses returns different values all the time, and 
>> I feel I know why, I think there is a race accessing memory between 
>> KB3926
>> debug port and controller itself.
>>
>> So I wrote a program that reads this range 64 bytes a time are gathers 
>> statistics about which value is returned most frequently for each 
>> address.
> 
> :) good work !)
> 
>> And resulting memory dump looks very good, it has sane assembly (all 
>> interrupt vectors start with jump instruction, and overall it looks 
>> like good assembly, for example there are lots of accesses to 
>> 0xF400-0xFFFF range.
>>
>> Also resulting dump has large range of all zeros (unused area I think)
>>
>> Do you know anything about this?
>>
>> Does this chip have ram (I don't mean 128 bytes of standard ram, but 
>> some large range of it like maybe this 0x0000-0x4000 range?) ?
> 
> I do not know but if the KB3926 closely resembles the KB3700 then
> the different readings you are observing might be related to a
> bank switching mechanism:
> 
> There is a register XBISEG0 mentioned in the KB3700 documentation
> which can be used to map the 8051 code memory within the SPI flash.
> Maybe you can index your statistics by the readings of XBISEG0 at
> 0xfea0? - (this might still be racy though)
Thanks a million.
Now I got perfect memory dumps of first 4K of memory.

It turns out that 4 segments are mapped there : XBISEG=0x00 0x84 0x85 0x86

I got dump of all of them, and I did the dump several times and got 
exactly the same result
(I first wait for XBISEG to be non-correct value, then wait for it to be 
correct value, so I am at beginning of window, and I repeat this process 
4 times until I got same results all 4 times.

Btw, I probably will extract EC firmware from bios now since I know its 
contents I can just search in bios range (last few megabytes of 4GB range).

I also know now whenever this chip has ram, it has it at SRAM window on 
top of registers.


> 
> (OpenEC makes use of XBISEG1 to access memory outside of its usual window.
> http://dev.laptop.org/git?p=projects/openec;a=blob;f=flash.c;hb=HEAD )
> 
>> All addition information is welcome
> 
> you might be interested in the file openec.ctl at the above location
> which is used to check the infamous openec.do_not_use.bin
> file and contains a list of KB3700 registers and IRQ vectors.
> 
> Greetings,
> Frieder
> 


Best regards,
	Maxim Levitsky


PS:

I have seen on your website that you still can't power the XO.
Can you disassemble the EC firmware for that? Or there are legal problems?


More information about the Openec mailing list