Hello, I am here
It's true that I have given up a little, but I am looking again because there is an interesting piece of news: SSH access to a Netgem box.
I was interested in trying to build our own firmware for these Netgem boxes, but I don't want to crash my box, so the first thing I absolutely want is the ability to save and restore the flash with the original data.
I spent a lot of time trying to activate the JTAG, but it's not possible: they shorted all the JTAG signals directly to GND under the SMP8634.
After that I found how to activate the serial console, but we can only see the debug messages from the XPU (see zfeet's message).
However, these Netgem boxes don't work like other SMP8634 boxes: there is no YAMON but a curious bootloader named LinBios.
To investigate more seriously, zfeet sent me an old Netbox 7600, and I desoldered the flash because I wanted to dump it. But it's a very small BGA component and I never found the time to try to solder wires to it and dump the flash. Some days ago, someone told me he has SSH access on his Netbox 7600 and has access to the first 3 blocks of the flash in /dev/mtd2 (named the BIOS). So I resoldered the flash on zfeet's Netbox, and I don't know how, but it works again.
From the beginning, I was sure that Netgem had a way to put the firmware in the flash after production, or after an upgrade failure. Because it's possible to have an upgrade failure: they don't keep an old firmware if the new update fails!!
Surely to keep a small flash....
The guy who has SSH access sent me the BIOS dump, and below 0x20000 there is the XENV structure at 0x00, a small encrypted (I think) zone, and a code zone (I think).
And there are 2 LinBios instances, one at 0x20000 and the other at 0x40000.
Surely to switch after each BIOS upgrade. That's why I really think there is a way to flash an image into the flash from the BIOS: the 2 BIOSes are there to be sure a BIOS still works; if no BIOS is working, the board is surely completely dead.
I think the encrypted code below 0x20000 is zboot, which launches the other code zone below 0x20000. This code probably searches for which LinBios it must launch.
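Since the whole point of getting a dump is to be able to restore it safely, here is an added example (my own script, not something from the post or from Netgem) that slices a /dev/mtd2 "BIOS" dump into the regions described above, fingerprints each one with SHA-256 so a restore can be verified byte for byte, and compares the two LinBios copies by locating their version banner. The only facts it relies on are from the post: a dump of 3 blocks, 0x20000 bytes each, with XENV/zboot/code below 0x20000 and a LinBios instance at 0x20000 and at 0x40000, plus the banner string that appears in the strings listing. The sample image it builds when run without a file argument is constructed test data, not a real dump.

```python
"""Added example (not from the original post): slice a 3-block "BIOS" dump into
the regions the post describes and check the two LinBios copies.

Assumptions taken from the post: the dump is 3 * 0x20000 bytes, with XENV plus
an encrypted zone and a code zone below 0x20000, one LinBios at 0x20000 and a
second at 0x40000. The banner pattern matches the string listed in the post.
Everything else here (sample image, fake XENV tag placement) is constructed.
"""
import hashlib
import re

BLOCK = 0x20000                      # block size implied by the post's offsets
REGIONS = {                          # (start, end) per region, as the post describes
    "header":   (0x00000, 0x20000),  # XENV + small encrypted zone + code zone
    "linbios0": (0x20000, 0x40000),
    "linbios1": (0x40000, 0x60000),
}
BANNER_RE = re.compile(rb"LinBios [0-9.]+ \(C\) Copyright Netgem [0-9-]+ \([^)]*\)")


def split_regions(image: bytes) -> dict:
    """Return each region's bytes; refuse dumps that are not exactly the 3-block BIOS."""
    if len(image) != 3 * BLOCK:
        raise ValueError(f"expected {3 * BLOCK:#x} bytes, got {len(image):#x}")
    return {name: image[start:end] for name, (start, end) in REGIONS.items()}


def find_banner(region: bytes):
    """Locate the LinBios version banner inside one region, or None if absent."""
    m = BANNER_RE.search(region)
    return m.group(0).decode("ascii") if m else None


def region_digests(image: bytes) -> dict:
    """SHA-256 per region: record these before touching the flash, recheck after a restore."""
    return {name: hashlib.sha256(data).hexdigest()
            for name, data in split_regions(image).items()}


def compare_linbios_copies(image: bytes) -> dict:
    """Report whether the two LinBios instances are byte-identical and which banner each carries."""
    regions = split_regions(image)
    a, b = regions["linbios0"], regions["linbios1"]
    return {"identical": a == b, "banner0": find_banner(a), "banner1": find_banner(b)}


def verify_restore(original: bytes, reread: bytes) -> list:
    """After writing a backup back and re-reading it, list regions whose digest changed."""
    before, after = region_digests(original), region_digests(reread)
    return [name for name in REGIONS if before[name] != after[name]]


def make_sample_image(second_banner: bytes) -> bytes:
    """Constructed sample (not a real dump): erased 0xFF flash, a fake 'XENV' tag at
    offset 0 (placement is a guess), and one banner placed in each LinBios block."""
    img = bytearray(b"\xff" * (3 * BLOCK))
    img[0:4] = b"XENV"
    first = b"LinBios 4.7.38 (C) Copyright Netgem 1996-2007 (Thu Jul 31 18:00:00 UTC 2008)"
    img[0x20000 + 0x100:0x20000 + 0x100 + len(first)] = first
    img[0x40000 + 0x100:0x40000 + 0x100 + len(second_banner)] = second_banner
    return bytes(img)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:   # e.g. a copy of /dev/mtd2
            data = fh.read()
    else:                                      # no file given: use the constructed sample
        data = make_sample_image(b"LinBios 0.0.0 (C) Copyright Netgem 0000-0000 (constructed sample)")
    for name, digest in region_digests(data).items():
        print(f"{name:9s} {digest}")
    print(compare_linbios_copies(data))
```

Run it on the real dump (`python3 biosdump.py mtd2.bin`) and keep the printed digests with the backup; after any write to the flash, re-read /dev/mtd2 and feed both files to `verify_restore` to get the list of blocks that no longer match. If the two LinBios copies differ, the banners tell you which version sits in which block, which is the first thing to know before guessing which one the code below 0x20000 picks.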
Afterwards LinBios launches the kernel, and surely can do more; look at the strings:
Inconsistant offsets %08lx %08lx - %08lx
Invalid offsets %08lx %08lx - %08lx %08lx
%08lx .
Failed to read 0x%08lx
Failed to write 0x%08lx
Read error
Flashing error
get romimage...
%08lx: saving
Failed to save 0x%08lx
Dumping error
Could not load '%s'
invalid bios size: %d
Could not save '%s'
Invalid partition %c
Read error bloc %ld
Write error bloc %ld
append
append_prod
append_dbg
dbg_lvls
tvstd
ntsc
palm
paln
tvout
svhs
allow_serial_line
allow_interactive_bios
vidmem
NOAPP=1
File not found / empty (%d)
NGZ ERROR: erroneous block
Unable to allocate NGZ buffer
Loading %s
(not found %d)
(load error %d)
(%d bytes)
Saving %s
(save error %d)
/dev/memdisk
%c Partition %02d - %05d Kbytes
read error
write error
sector 0x%4x:
Block device init error
No valid system partition
0123456789abcdefghijklmnopqrstuvwxyz
0123456789abcdef
0x%02x,
MTD: base=%p size=%d MB erasesize=%d kB
boot
args...
usage: %s %s
%08X
%c%02X
%04X
%08X
boot.cfg
Unable to parse boot file !
LinBios 4.7.38 (C) Copyright Netgem 1996-2007 (Thu Jul 31 18:00:00 UTC 2008)
boot
TRACE_RC=1 console=ttyS0,115200n8
memtest
FORMATHOME=y
Press [enter] to stop boot
$system.cmdline$
$system.prod.bin$
$romimage.prod.ngz$
Boot failed.
%02X
%02X:
Read error: code: %d
flash base: %08lx width %d interleave %d
CFIcheck: %d
AMDcheck: %d
AMD5check: %d
status: fail %x %x %x
write error offset=%d size=%d
write error size=%d
Patching memory image's serial.
Overwrite serial from image.
Write BIOS
done
Write error
invalid bios size: %d
No MTD device
Invalid offsets %08lx %08lx
Failed to read BIOS
Updating config.
FTL100
FTL header not found
Found FTL header in bloc %d
Invalid header %d
Transfer unit %d
Erase unit %d
Logical unit %d
bloc %d => %d (%08x)
Block allocation: %d control, %d data, %d free, %d deleted
/dev/ftla
Memory error
Can't get the MBR
File don't contain any SDpl mapping (%08X) !
CRC error got %08X instead of %08X (%08X)
SDPL layer version %02d - %04d sects/bloc - %04d blocs - size: %05d Kbytes
host interface
ethernet
USB
audio engine 0
audio engine 1
mpeg engine 0
mpeg engine 1
demux
mem=%ld@0x%08lx panic=10 ro
initrd
Load ELF file %s failed
root=/dev/sla%c sdpl_map=%s ROOTDEV=/dev/sla%c
ROOTDEV=/dev/sla%c
root=%s%c ROOTDEV=%s%c
ROOTDEV=%s%c
NBPARTS=%d
Warm boot
Cold boot
REBOOT=%d
RAMSTART=0x%08lx
RAMSIZE=0x%08lx
VRAMSTART=0x%08lx
VRAMSIZE=0x%08lx
MEMSTART=0x%08lx
MEMSIZE=0x%08lx
VMEMSTART=0x%08lx
VMEMSIZE=0x%08lx
MACADDR=%02x:%02x:%02x:%02x:%02x:%02x
HW_TYPE=0x%08x
HW_OPTIONS=0x%08x
SEC_BOOT=%d
USR_AUTH=%d
BISTRES=0x%08x
BISTMASK=0x%08x
Not setting for CD8-10.
CD %d not using XTAL !!!
Unknown RAM size (%01x) - defaulting to %d MB
Board version N%d-%d rev %d - Board options %08x
detected %ld + %ld MB of RAM
BIST %d %s: res %08x mask %08x => %s
BIST RES %08x MASK %08x
init
reset
Open file %s failed
Read elf header error
Error : not an ELF file...
Read program header error
Invalid PLL number %d
PLL %d plldiv %d pllmul %d PLL %08x sysmux %08x
PLL %d clk %d.%03d MHz CPU clk %d.%03d MHz sysclk %d.%03d MHz
PLL %d clk %d.%03d MHz
PLL clock out of range: %d MHz
Set up new clock: PLL %d MHz CPU %d MHz sys %d MHz
PLL %08x plldiv %d pllmul %d
=> PLL %d.%03d MHz CPU %d.%03d MHz sys %d.%03d MHz
Error setting GPIO %d to %d
GPIO %d set to %d
Error getting GPIO %d
GPIO %d direction %d value %d
Error setting GPIO %d direction to %s
GPIO %d set to %s
Usage: do_xrpc [-h|-S|-s|-a <addr>]
-h: print this help
-S: print XOS SHA1
-v: print XOS version
-s: print CPU serial ID
-a: execute xtask located at address <addr>
do_xrpc: SHA1 failed (%d)
XOS SHA1: %08x%08x%08x%08x%08x
do_xrpc: XOS version failed
XOS version: %02x
do_xrpc: serial ID failed (%d)
XOS serial ID: %08x%08x%08x%08x
do_xrpc: bad number of arguments
do_xrpc: exec failed (%d)
do_xrpc OK: %08x %08x %08x %08x %08x
do_xrpc: unknown / malformed argument
i2c_sd_wait_status
NAK error
%s: timeout: status %08x %08x
Wait pending failed
i2c_sd_hw_init
%s: devnum > MAX: %d
Failed to read byte %d of %d
Failed to write byte %d of %d
xos_upgrade: SHA1 failed
XOS upgrade is disabled on this board
No automatic upgrades for development XOS
Unknown XOS version - skip upgrade
Unknown XOS SHA1 - Trying to upgrade
/lib/hotplug/firmware/xos_Rev
/lib/hotplug/firmware/xos_ES
Trying to upgrade with XOS '%s'
Could not find any XOS upgrade
Invalid XOS upgrade file: size mismatch %d %d
XOS is up-to-date
Start XOS upgrade from version %02x to %02x.
XOS upgrade failed...
fixed pattern
self address
walking ones
walking zeroes
random0
random1
random2
random3
len=
blen
write loop
rd:
n:
wr:
read loop
Full memory test from
memory bloc test from
PLL
MHz CPU
MHz sys
MHz
ERROR in DDRAM 1 (b 0 c 0)
ERROR in DDRAM 2 (b 0 c 1)
ERROR in DDRAM 3 (b 1 c 0)
ERROR in DDRAM 4 (b 1 c 1)
No DDR errors
Error aline
Bank 0 D
Bank 1 D
Bank 0 A
Bank 1 A
vmlinuz
LinBios has access to the root partition and reads /boot.cfg. It looks for these options:
append
append_prod
append_dbg
dbg_lvls
tvstd
ntsc
palm
paln
tvout
svhs
allow_serial_line
allow_interactive_bios
The 2 last options are very interesting: the BIOS can be interactive. I asked the guy with SSH access to add these options to /boot.cfg, but no luck, he crashed his box with a failed upgrade.
But I continue to believe there is another way to activate the console and the interactive mode, because /boot.cfg can be missing if an upgrade failed, for example.
The emulator can be a good way to understand LinBios and what it needs to activate the console and interactive mode.
It could also be interesting to decompile it, but I don't know if it's possible?