<html><body><p><tt><font size="2">> From: "Marty E. Plummer" <hanetzer@startmail.com></font></tt><br><tt><font size="2">> To: Alistair Popple <apopple@linux.ibm.com></font></tt><br><tt><font size="2">> Cc: Amit J Tendolkar <amit.tendolkar@in.ibm.com>, Dean Sanner <br>> <dsanner@us.ibm.com>, openpower-firmware@lists.ozlabs.org, Raja Das1<br>> <rajadas2@in.ibm.com>, Sachin Gupta24 <sgupta2m@in.ibm.com></font></tt><br><tt><font size="2">> Date: 09/25/2019 11:40 PM</font></tt><br><tt><font size="2">> Subject: [EXTERNAL] Re: A few questions about early hostboot</font></tt><br><tt><font size="2">> <br>> > Holy crap. Think I finally got it at least loading the faked hbb.<br>> > I managed to (probably) dump the 64b you mentioned, assuming that<br>> > 0x8208000 is the correct address. I was getting consistently:<br>> > <br>> > 00000000 10 30 24 31 41 42 43 e0 e1 e2 e4 f4 34 24 31 41 |.0$1ABC.....4$1A|<br>> > 00000010 42 43 e0 e1 e2 e4 f4 00 00 00 00 00 00 00 00 00 |BC..............|<br>> > 00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|<br>> > <br>> > which is a series of ffs toc errors. So, I moved the backup toc<br>> > from 0x3ff8000 to 0x3ff7000 (which is consistent with the 'stock'<br>> > firmware and src/include/usr/pnor/pnor_const.H:171; I only used<br>> > 0x3ff8000 because it made for easy maths) and I get an entirely<br>> > different result:<br>> > <br>> > 00000000 10 30 24 31 41 42 43 44 45 32 35 11 24 12 16 00 |.0$1ABCDE25.$...|<br>> > 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|<br>> > <br>> > which is as far as 'ok, we copied it'. It may have stopped<br>> > here because _start is 'b .', more testing is required, but<br>> > sbe and hbbl are unmodified<br>> > <br>> > I still can't consistently get all the threads to stop or read<br>> > spr 313, but this is at least some form of progress (I think).<br>> <br>> Further developments! 
getmem 0x8300000 $((128 * 1024)) > log.bin<br>> and strings/hexdump log.bin shows it to be full of my code and<br>> references to coreboot strings! Now I just need to figure out where<br>> this MMIO_SCRATCH_HOSTBOOT_ACTIVE register is and how to read it.<br></font></tt><br><tt><font size="2">Definitely progress -- cool!</font></tt><br><br><tt><font size="2">The MMIO_SCRATCH_HOSTBOOT_ACTIVE is a core accessible SCOM register</font></tt><br><tt><font size="2">via SPRs. It is accessible via getscom via pdbg. Something like </font></tt><br><tt><font size="2">"pdbg -p0 getscom 0x20010A89" (this is the absolute address to</font></tt><br><tt><font size="2">core 0 -- since you are on core 0 it will just work)</font></tt><br><br><tt><font size="2">This is the output from Cronus when Hostboot is running:</font></tt><br><tt><font size="2">p9n.c k0:n0:s0:p00:c2 0000000000000000: 686F7374 626F6F74 [hostboot]</font></tt><br><br><tt><font size="2">> <br>> Further, at this point reading r0 yields 0x8200000 (which should be<br>> the hrmor if line 366 of bl_start.S has executed [mfspr r0, HRMOR])<br>> and r9 has 0x8000000008203394, EA[0]=1+HRMOR+switchToHBB from the<br>> hbibl.syms file.<br></font></tt><br><tt><font size="2">On a successful switch your code should be at 0x08000000 (the copy in </font></tt><br><tt><font size="2">0x08300000 is pre secureboot verification). The HBBL runs at an HRMOR</font></tt><br><tt><font size="2">of 0x08200000 and then switches to 08000000 when HBB starts executing.</font></tt><br><br><tt><font size="2">Note that during HBBL only the first core, thread 0 is active. During</font></tt><br><tt><font size="2">early HBB it is still one core, one thread. 
After the extended image</font></tt><br><tt><font size="2">is loaded then a HWP is used to start threads 1,2,3 of the first core.</font></tt><br><tt><font size="2">Hostboot will then run like that until istep 16 when all the rest of the</font></tt><br><tt><font size="2">cores/threads are activated.</font></tt><br><br><br><font size="2">Dean Sanner<br>dsanner@us.ibm.com<br></font><BR>
</body></html>