..Try them in the ESAFW.
I tried. I changed the text on the first floppy disk (first disk of the upgrade, not loader disk). In the menu for the external mixer, I changed the text: "Presel" to "11974Q". I started the upgrade. After the last floppy disk was loaded, a message was displayed on the SA screen. Nothing special on the serial terminal.
Please don't do changes in the ESALOADR. Try them in the ESAFW.
The reason for this is a FW update takes a very long time, about 30-45 minutes to read all the discs and then flash the firmware.
ESALOADR loads in a minute or so to see if a cksum error occurred there. It sounds like @suj was able to load, so we can move on to changing the ESAFW.
Well Pooh
So the LOADER must run a cksum on the FW before continuing
That would mean either finding that routine in the loader or finding how to patch the active system, I would think.
On the serial terminal there were only the number of bytes loaded from each disk. Nothing more.
Checksum-related fields:
+2C db NumInterleavedBanks = 02
+38 db BankSizeH[NumInterleavedBanks] = 00, 00
db BankSizeMH[NumInterleavedBanks] = 2C, 2C
db BankSizeML[NumInterleavedBanks] = 95, 95
db BankSizeL[NumInterleavedBanks] = CE, CE
db ChecksumH[NumInterleavedBanks] = 58, B2
db ChecksumL[NumInterleavedBanks] = 5C, A4
- so BankSize[0]=BankSize[1]=2C95CE, BankSize[0]+BankSize[1]=2C95CE+2C95CE=592B9C - matches file size
Checksum[bank] = sum(all bytes of bank):
Checksum[0] = 585C - matches sum of all even bytes of file
Checksum[1] = B2A4 - matches sum of all odd bytes of file
Edit: note that checksum calculation includes the checksum bytes themselves! (yes, they are not zeroed/skipped)
More info:
"bulk" flash starts from C000000.
How to enter ROM monitor before jumping to FW:
BootROM loads ESALOADER (from floppy) or main fw (from bulk flash) to DRAM then sends a 05 byte (ascii ENQ char) and waits for 06 (ascii ACK) reply with timeout. If this wait times out - jump to DRAM normally, otherwise - bypass jump and enter ROM monitor.
This can be used to try patches without flashing them:
- don't insert ESALOADER floppy
- interrupt normal start by replying to 05 with 06
- modify firmware in RAM (with smem/sbyte/sword/slong cmds)
- jump to modified firmware (with gu cmd)
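As an added example (not code from the thread), a small Python checker that parses the header fields listed above and recomputes the two interleaved-bank sums the way the post describes, checksum bytes included; the image it runs on is constructed here and is not a real ESAFW.

```python
# Added example, not from the thread.  Offsets and the summation rule follow the
# header layout quoted above: NumInterleavedBanks at +2C, then at +38 six
# back-to-back byte arrays BankSizeH/MH/ML/L[n] and ChecksumH/L[n].
# Bank b consists of every n-th byte starting at offset b (bank 0 = even bytes).
NUM_BANKS_OFF = 0x2C
TABLE_OFF = 0x38

def parse_header(img: bytes) -> dict:
    """Return the bank count, per-bank sizes and stored 16-bit checksums."""
    n = img[NUM_BANKS_OFF]
    rows = [img[TABLE_OFF + i * n: TABLE_OFF + (i + 1) * n] for i in range(6)]
    size_h, size_mh, size_ml, size_l, ck_h, ck_l = rows
    sizes = [(size_h[b] << 24) | (size_mh[b] << 16) | (size_ml[b] << 8) | size_l[b]
             for b in range(n)]
    checksums = [(ck_h[b] << 8) | ck_l[b] for b in range(n)]
    return {"banks": n, "sizes": sizes, "checksums": checksums}

def bank_checksum(img: bytes, bank: int, n: int) -> int:
    """16-bit sum of all bytes of one interleaved bank.
    The header's own checksum bytes are NOT skipped, as the post notes."""
    return sum(img[bank::n]) & 0xFFFF

def verify(img: bytes) -> dict:
    """Check total size against the header and recompute every bank checksum."""
    hdr = parse_header(img)
    n = hdr["banks"]
    size_ok = sum(hdr["sizes"]) == len(img)
    computed = [bank_checksum(img, b, n) for b in range(n)]
    return {"size_ok": size_ok, "computed": computed, "stored": hdr["checksums"],
            "ok": size_ok and computed == hdr["checksums"]}

def sample_image() -> bytearray:
    """Constructed 0x60-byte image: two interleaved 0x30-byte banks (not real firmware)."""
    img = bytearray(0x60)
    img[NUM_BANKS_OFF] = 2
    img[0x3E:0x40] = b"\x30\x30"      # BankSizeL[0], BankSizeL[1]; H/MH/ML stay 0
    img[0x40:0x42] = b"\x01\x01"      # ChecksumH[0], ChecksumH[1]
    img[0x42:0x44] = b"\x00\x00"      # ChecksumL[0], ChecksumL[1]
    # Payload chosen so each bank sums to 0x0100 once its own checksum bytes are added
    img[0x44] = 0xCD                  # even offset -> bank 0
    img[0x45] = 0xCF                  # odd offset  -> bank 1
    return img

if __name__ == "__main__":
    print(verify(bytes(sample_image())))
```

Flipping any single byte changes exactly one bank's sum, which is what a loader-side check like the one suspected above would catch.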
The timeout is very short, it looks like 0.5 seconds maybe. These are probably those marked with 05, because the transmission stops for a moment at this point.
I think this should be done with software, not manually. Short timeout, non-printable characters - this is not for humans.
But. If you have terminal software capable of sending a 06 char you don't need to wait for 05 and react fast - just send that 06 continuously from power on until you see the ROM Monitor command prompt.
And we're in, normal boot, SecureCRT set to expect a 0x05 and send a 0x06 in response
What next?
***** Mosquito Bootrom *****
Copyright 1988-1997,
Hewlett-Packard Company, all rights reserved.
@(#)HEWLETT-PACKARD, E4401 Bootrom, 5.00
@(#)LDS Rev: 3.02 - Module Incremental (Sep 9 2003)
@(#)Linked: Sep 9 2003 14:46:44
Bootrom Checksum ...
Bootrom DRAM: Testing 69632 bytes at 0x04000000
Non Destructive SRAM Test ...
Main Firmware DRAM: Testing 33484800 bytes at 0x04011000
Main FW Checksum ...
Self-tests complete.SRAM selftest results:
Start = 0xa000000
End = 0xa007fa3
Errors = 0x0
DRAM selftest results:
Start = 0x4011000
End = 0x6000000
Errors = 0x0
hpibPort = 0x8005000
hpibPort = 0x8005000, bus Address = 19
Cache Enabled
16MBytes of FLASH
Download to Flash Selected
ROM Monitor
Enter ? for help.
->
->?
bc [<hex boot config>] - set the bootrom configuration (see bchelp)
bootvars- display bootrom variables
bs - force a breakpoint when starting
dbyte [<hex start address> [num bytes]] - display memory using bytes
dlong [<hex start address> [num bytes]] - display memory using longs
dmem [<hex start address> [num bytes]] - display memory using bytes
dword [<hex start address> [num bytes]] - display memory using words
gbreak - force a gdb breakpoint
gdb - enable gdb trapping of exceptions
gu [<hex start addr>] - go to start address
hmon [device] - download into memory
rty test routine
sbyte <hex start address> <hexchars> - set memory using bytes
slong <hex start address> <hexchars> - set memory using longs
smem <hex start address> <hexchars> - set memory using bytes
sword <hex start address> <hexchars> - set memory using words
version - display bootrom version
->
What next?
"In like Flynn...."
Get us the memdump. You can make from 0x0401 1000 up to 0x0490 0000.
Great progress from abyrvalg!
Now I'm in the monitor software too. I will try memory dump.
Given it looks like it interrupted the flash, did it have a chance to copy it?
Can we dump a smaller segment to verify before spending many hours reading out something that may not be good?
IMO there is no point in 0x4011000 dump, that should be an exact copy of ESAFW image. I see BootROM getting the image size from the same offset 0x38 (from flash at C000000), then just copying that amount of bytes from C000000 to 4011000. Dumping first 0x80-0x100 bytes and comparing them against ESAFW start should be enough to verify this.
What’s our next step then?
OK, do a memdump from 0x045A 0000 up to 0x0490 0000.
Before doing it, try to license 1 or 2 options, as you did before.
Your msg raised a doubt for me: when you are in ROM Monitor, the equipment is not running? I ask this because we need to take the dump AFTER the licensing attempt. So if going into ROM monitor stopped the boot process we still need to finish booting.
If it's not like this then we need to setup a breakpoint. Tell me and I'll suggest an address.
...when you are in ROM Monitor, the equipment is not running?...
The application does not appear to be running. Nothing is displayed on the SA screen, the off button does not work and you need to disconnect the mains plug to turn off the SA.
Damn. Then we need to place a breakpoint and try to continue booting.
@abyrvalg, any suggestion for the restart address?
If we didn't intersect boot, where would the next addresses be?
Or, if you can say where is the address of ROM Monitor function, we can patch ESAFW to safely run monitor after it has tried licensing.
"gu" command without parameters should start the loaded image (without a parameter it jumps to the "image entry point" variable, which is set to 4011000; that's where the normal uninterrupted start goes).
But there is one problem that I didn't notice before: depending on some peripheral reg bit (addr 200200C, mask 100) the jump function will reload the firmware image from flash before jumping (resetting any patches). And it looks like this bit is in the wrong (for us) state: the "Download to Flash Selected" message in the log depends on it (otherwise it will say "Download to DRAM Selected").
This hw bit looks like one of the DIP switches. Someone please try this:
- enter ROM monitor
- dump reg with "dword 200200C" command
- flip one of the DIP switches
- dump reg again to check if it is changed
- repeat with the next switch
@tv84, ROM Monitor address is D8A4. Interesting, there is a "syscall" to execute a single ROM Monitor command from the main app (at 04132418: trap #0E with arg=0A. All "trap #0E" functions are BootROM calls leading to handler at D1EC), but I see no refs to it.
What about patching one of the ones that we (I mean you!) know how to trigger, like arg=03, 04, 05?
Invoking a single command via syscall would require a command string to be prepared somewhere in memory and passed to the syscall. If the goal is to capture the data section contents after a single action then it should be easier just to jump to the monitor.
Or do this:
- start the ESA normally
- do the action (enter license key)
- prepare 05-06 boot interruption
- reset the ESA to go to ROM mon
- dump the data section (4600000+)
The data section gets reinitialized by ESAFW, so if we don't start it after reboot - there will be previous content available for dump.
Another option (if you want to watch some specific var and do it many times) is to patch some debug printf to output the desired data.
give me a few minutes please
I have a MB reset connected with an external button, it should work.
To verify that RAM content is still alive (before going for long dumps) you can do this: dlong 4600020 - should display 04028318
It's a good tip. I'm not sure about DRAM refreshing after reset.
Not working. I will try once more, but after reset (using the motherboard reset connector) I have this result:
->dlong 0x04600020
04600020 00000000 00000000 00000000 00000000 ................