[Openec] Few questions about KB3700/3926

Maxim Levitsky maximlevitsky at gmail.com
Wed Jul 23 07:18:15 EDT 2008

Frieder Ferlemann wrote:
> Hi Maxim,
> Maxim Levitsky schrieb:
>> Accidentally I discovered that my laptop has a KB3926 embedded 
>> controller.
>> It seems that it is quite popular since both OLPC and Eee use some 
>> variations of it.
> Fine:)
>> KB3700 is very similar to this chip, for example its datasheet 
>> references KB3925 several times.
>> I was looking for the hardware that powers the o/b IR port, and found out 
>> that the EC powers it.
>> I also found that EC can be accessed via 0xFF2C-0xFF2F ports
>> Using the data sheet I was able to download all EC memory to a file, now
>> I want to have fun and disassemble some of it.
>> but I face a problem now that I almost solved the brute-force way.
>> I found that the dump of 0x0000-0x4000 isn't consistent and doesn't make 
>> any sense in disassembly (and this part is the most interesting part 
>> because it contains interrupts and initialization vectors).
>> Reading at those addresses returns different values all the time, and 
>> I feel I know why, I think there is a race accessing memory between 
>> KB3926
>> debug port and controller itself.
>> So I wrote a program that reads this range 64 bytes at a time and gathers 
>> statistics about which value is returned most frequently for each 
>> address.
> :) good work !)
>> And the resulting memory dump looks very good, it has sane assembly (all 
>> interrupt vectors start with a jump instruction, and overall it looks 
>> like good assembly, for example there are lots of accesses to the 
>> 0xF400-0xFFFF range).
>> Also the resulting dump has a large range of all zeros (unused area I think).
>> Do you know anything about this?
>> Does this chip have ram (I don't mean 128 bytes of standard ram, but 
>> some large range of it like maybe this 0x0000-0x4000 range?) ?
> I do not know but if the KB3926 closely resembles the KB3700 then
> the different readings you are observing might be related to a
> bank switching mechanism:
> There is a register XBISEG0 mentioned in the KB3700 documentation
> which can be used to map the 8051 code memory within the SPI flash.
> Maybe you can index your statistics by the readings of XBISEG0 at
> 0xfea0? - (this might still be racy though)
Thanks a million.
Now I got perfect memory dumps of the first 4K of memory.

It turns out that 4 segments are mapped there: XBISEG=0x00 0x84 0x85 0x86

I got dumps of all of them, and I did the dump several times and got 
exactly the same result
(I first wait for XBISEG to be a non-correct value, then wait for it to be 
the correct value, so I am at the beginning of the window, and I repeat this 
process 4 times until I get the same results all 4 times).

Btw, I probably will extract the EC firmware from the BIOS now; since I know its 
contents I can just search the BIOS range (last few megabytes of the 4GB range).

I also know now whether this chip has RAM: it has it at the SRAM window on 
top of the registers.

> (OpenEC makes use of XBISEG1 to access memory outside of its usual window.
> http://dev.laptop.org/git?p=projects/openec;a=blob;f=flash.c;hb=HEAD )
>> All additional information is welcome
> you might be interested in the file openec.ctl at the above location
> which is used to check the infamous openec.do_not_use.bin
> file and contains a list of KB3700 registers and IRQ vectors.
> Greetings,
> Frieder

Best regards,
	Maxim Levitsky


I have seen on your website that you still can't power the XO.
Can you disassemble the EC firmware for that? Or are there legal problems?
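The two techniques discussed in this message, Maxim's per-address majority vote over repeated reads and Frieder's suggestion to index the readings by the XBISEG0 bank register, combine into the reconstruction below. This is an added example, not code from the thread, from Maxim, or from OpenEC. It simulates the EC with a `RacyEC` class (an assumption: on real hardware `read()` would be an index/data access through the 0xFF2C-0xFF2F ports mentioned above); the bank register address 0xFEA0 and the bank values 0x00/0x84/0x85/0x86 come from the thread, while the window contents, switching schedule and corruption rate are constructed sample data.

```python
"""
Added example: reconstruct a bank-switched 8051 code window from racy
debug-port reads by (a) tagging every chunk with the bank register value
read before and after it and discarding chunks where it changed, and
(b) majority-voting the bytes per (bank, address).
"""
import random
from collections import Counter

XBISEG0 = 0xFEA0                              # bank register, per the thread
BANKS = (0x00, 0x84, 0x85, 0x86)              # bank values reported in the thread
WINDOW_START, WINDOW_SIZE = 0x0000, 0x100     # simulated window (the real one is 4K)


def constructed_banks(seed=0):
    """Constructed sample contents: one distinct 256-byte image per bank."""
    rng = random.Random(seed)
    return {b: bytes(rng.randrange(256) for _ in range(WINDOW_SIZE)) for b in BANKS}


class RacyEC:
    """Simulated EC debug port (assumption, stands in for the real ports).
    Reads of the window return bytes from the bank currently selected by
    XBISEG0; the 'firmware' keeps switching banks, and a few reads are
    corrupted to model the inconsistent values Maxim saw."""

    def __init__(self, banks, seed=1, switch_every=200, corrupt_rate=0.05):
        self.banks, self.rng = banks, random.Random(seed)
        self.switch_every, self.corrupt_rate = switch_every, corrupt_rate
        self.bank, self.ticks = BANKS[0], 0

    def read(self, addr):
        self.ticks += 1
        if self.ticks % self.switch_every == 0:       # constructed bank switching
            self.bank = self.rng.choice(BANKS)
        if addr == XBISEG0:
            return self.bank
        if self.rng.random() < self.corrupt_rate:     # racy garbage read
            return self.rng.randrange(256)
        return self.banks[self.bank][addr - WINDOW_START]


def dump_window(ec, banks=BANKS, chunk=64, min_votes=16, max_rounds=5000):
    """Return {bank: bytes} for the window, voting per (bank, address).
    A chunk only counts if XBISEG0 read the same value before and after it,
    i.e. the bank did not move while the chunk was being read."""
    votes = {b: [Counter() for _ in range(WINDOW_SIZE)] for b in banks}
    end = WINDOW_START + WINDOW_SIZE
    for _ in range(max_rounds):
        for base in range(WINDOW_START, end, chunk):
            before = ec.read(XBISEG0)
            data = [ec.read(a) for a in range(base, min(base + chunk, end))]
            after = ec.read(XBISEG0)
            if before != after or before not in votes:
                continue                              # bank moved under us: discard
            for i, v in enumerate(data):
                votes[before][base - WINDOW_START + i][v] += 1
        # stop once every (bank, address) cell has enough votes to be trusted
        if all(sum(c.values()) >= min_votes for per in votes.values() for c in per):
            return {b: bytes(c.most_common(1)[0][0] for c in per)
                    for b, per in votes.items()}
    raise RuntimeError("window never stabilised; raise max_rounds or lower min_votes")


if __name__ == "__main__":
    images = constructed_banks()
    dump = dump_window(RacyEC(images))
    for b in BANKS:
        print(f"XBISEG0=0x{b:02X}: {'ok' if dump[b] == images[b] else 'MISMATCH'}")
```

The `min_votes` threshold plays the role of Maxim's "repeat until the same result 4 times": rather than comparing whole dumps, it waits until every byte of every bank has enough agreeing samples, and the before/after check on XBISEG0 removes the chunks that straddle a bank switch instead of letting them pollute the vote.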

