Gitiles
Code Review Sign In
review.coreboot.org / coreboot / f00e446e746da54b7cf967deae73cf090f3835eb / . / util / intelmetool / intelmetool.c
blob: 45e8c8f7bab8a0a4bcb4e1c2a7b77f58c73e1238 [file] [log] [blame]
Philipp Deppenwiesed8fe4432016-03-18 00:52:54 +0100[diff] [blame]1/* intelmetool Dump interesting things about Management Engine even if hidden
2 * Copyright (C) 2014 Damien Zammit <damien@zamaudio.com>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; version 2 of the License.
7 *
8 * This program is distributed in the hope that it will be useful,
9 * but WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 * GNU General Public License for more details.
12 */
13
14#include <stdio.h>
15#include <inttypes.h>
16#include <stdlib.h>
17#include <getopt.h>
18#include <unistd.h>
19
20#ifdef __NetBSD__
21#include <machine/sysarch.h>
22#endif
23
24#include "me.h"
25#include "mmap.h"
26#include "intelmetool.h"
27
28#define FD2 0x3428
29#define ME_COMMAND_DELAY 10000
30
31extern int fd_mem;
32int debug = 0;
33
34static uint32_t fd2 = 0;
35static const int size = 0x4000;
36static volatile uint8_t *rcba;
37
38static void dumpmem(uint8_t *phys, uint32_t size)
39{
40 uint32_t i;
41 printf("Dumping cloned ME memory:\n");
42 for (i = 0; i < size; i++) {
43 printf("%02X",*((uint8_t *) (phys + i)));
44 }
45 printf("\n");
46}
47
48static void zeroit(uint8_t *phys, uint32_t size)
49{
50 uint32_t i;
51 for (i = 0; i < size; i++) {
52 *((uint8_t *) (phys + i)) = 0x00;
53 }
54}
55
56static void dumpmemfile(uint8_t *phys, uint32_t size)
57{
58 FILE *fp = fopen("medump.bin", "w");
59 uint32_t i;
60 for (i = 0; i < size; i++) {
61 fprintf(fp, "%c", *((uint8_t *) (phys + i)));
62 }
63 fclose(fp);
64}
65
66static void rehide_me() {
67 if (fd2 & 0x2) {
68 printf("Re-hiding MEI device...");
69 fd2 = *(uint32_t *)(rcba + FD2);
70 *(uint32_t *)(rcba + FD2) = fd2 | 0x2;
Dan Elkoubye8ad3c72017-01-16 20:04:51 +0200[diff] [blame]71 printf("done\n");
Philipp Deppenwiesed8fe4432016-03-18 00:52:54 +0100[diff] [blame]72 }
73}
74
75/* You need >4GB total ram, in kernel cmdline, use 'mem=1000m'
76 * then this code will clone to absolute memory address 0xe0000000
77 * which can be read using a mmap tool at that offset.
78 * Real ME memory is located around top of memory minus 64MB. (I think)
79 * so we avoid cloning to this part.
80 */
81static void dump_me_memory() {
82 uint32_t me_clone = 0x60000000;
83 uint8_t *dump;
84
Paul Menzel1e7911e2016-12-27 15:24:02 +0100[diff] [blame]85 dump = map_physical_exact((off_t)me_clone, (void *)me_clone, 0x2000000);
Philipp Deppenwiesed8fe4432016-03-18 00:52:54 +0100[diff] [blame]86 zeroit(dump, 0x2000000);
87 printf("Send magic command for memory clone\n");
88
89 mei_reset();
90 usleep(ME_COMMAND_DELAY);
91 void* ptr = &me_clone;
92 int err = mkhi_debug_me_memory(ptr);
93
94 if (!err) {
95 printf("Wait a second...");
96 usleep(ME_COMMAND_DELAY);
97 printf("done\n\nHere are the first bytes:\n");
98 dumpmemfile(dump, 0x2000000);
99 //printf("Try reading 0x%zx with other mmap tool...\n"
100 // "Press enter to quit, you only get one chance to run this tool before reboot required for some reason\n", me_clone);
101 while (getc(stdin) != '\n') {};
102 unmap_physical(dump, 0x2000000);
103 }
104}
105
106static int pci_platform_scan() {
107 struct pci_access *pacc;
108 struct pci_dev *dev;
109 char namebuf[1024], *name;
110
111 pacc = pci_alloc();
112 pacc->method = PCI_ACCESS_I386_TYPE1;
113
114 pci_init(pacc);
115 pci_scan_bus(pacc);
116
117 for (dev=pacc->devices; dev; dev=dev->next) {
118 pci_fill_info(dev, PCI_FILL_IDENT | PCI_FILL_BASES | PCI_FILL_SIZES | PCI_FILL_CLASS);
119 name = pci_lookup_name(pacc, namebuf, sizeof(namebuf),
120 PCI_LOOKUP_DEVICE, dev->vendor_id, dev->device_id);
121 if (dev->vendor_id == 0x8086) {
122 if (PCI_DEV_HAS_ME_DISABLE(dev->device_id)) {
123 printf(CGRN "Good news, you have a `%s` so ME is present but can be disabled, continuing...\n\n" RESET, name);
124 break;
125 } else if (PCI_DEV_HAS_ME_DIFFICULT(dev->device_id)) {
126 printf(CRED "Bad news, you have a `%s` so you have ME hardware on board and you can't control or disable it, continuing...\n\n" RESET, name);
127 break;
128 } else if (PCI_DEV_CAN_DISABLE_ME_IF_PRESENT(dev->device_id)) {
129 printf(CYEL "Not sure if ME hardware is present because you have a `%s`, but it is possible to disable it if you do, continuing...\n\n" RESET, name);
130 break;
131 } else if (PCI_DEV_ME_NOT_SURE(dev->device_id)) {
132 printf(CYEL "Found `%s`. Not sure whether you have ME hardware, exiting\n\n" RESET, name);
133 pci_cleanup(pacc);
134 return 1;
135 break;
136 }
137 }
138 }
139
Huan Truong2a1ae052017-03-05 02:24:51 -0600[diff] [blame]140 if (dev != NULL &&
141 !PCI_DEV_HAS_ME_DISABLE(dev->device_id) &&
Philipp Deppenwiesed8fe4432016-03-18 00:52:54 +0100[diff] [blame]142 !PCI_DEV_HAS_ME_DIFFICULT(dev->device_id) &&
143 !PCI_DEV_CAN_DISABLE_ME_IF_PRESENT(dev->device_id) &&
144 !PCI_DEV_ME_NOT_SURE(dev->device_id)) {
145 printf(CCYN "ME is not present on your board or unkown\n\n" RESET);
146 pci_cleanup(pacc);
147 return 1;
148 }
149
150 pci_cleanup(pacc);
151
152 return 0;
153}
154
155static struct pci_dev *pci_me_interface_scan(char **name) {
156 struct pci_access *pacc;
157 struct pci_dev *dev;
158 char namebuf[1024];
Damien Zammit711a4782016-04-12 20:35:16 +1000[diff] [blame]159 int me = 0;
Philipp Deppenwiesed8fe4432016-03-18 00:52:54 +0100[diff] [blame]160
161 pacc = pci_alloc();
162 pacc->method = PCI_ACCESS_I386_TYPE1;
163
164 pci_init(pacc);
165 pci_scan_bus(pacc);
166
167 for (dev=pacc->devices; dev; dev=dev->next) {
168 pci_fill_info(dev, PCI_FILL_IDENT | PCI_FILL_BASES | PCI_FILL_SIZES | PCI_FILL_CLASS);
169 *name = pci_lookup_name(pacc, namebuf, sizeof(namebuf),
170 PCI_LOOKUP_DEVICE, dev->vendor_id, dev->device_id);
171 if (dev->vendor_id == 0x8086) {
172 if (PCI_DEV_HAS_SUPPORTED_ME(dev->device_id)) {
Damien Zammit711a4782016-04-12 20:35:16 +1000[diff] [blame]173 me = 1;
Philipp Deppenwiesed8fe4432016-03-18 00:52:54 +0100[diff] [blame]174 break;
175 }
176 }
177 }
178
Damien Zammit711a4782016-04-12 20:35:16 +1000[diff] [blame]179 if (!me) {
Philipp Deppenwiesed8fe4432016-03-18 00:52:54 +0100[diff] [blame]180 rehide_me();
181
182 printf("MEI device not found\n");
183 pci_cleanup(pacc);
184 return NULL;
185 }
186
187 return dev;
188}
189
190static int activate_me() {
191 struct pci_access *pacc;
192 struct pci_dev *sb;
193 uint32_t rcba_phys;
194
195 pacc = pci_alloc();
196 pacc->method = PCI_ACCESS_I386_TYPE1;
197
198 pci_init(pacc);
199 pci_scan_bus(pacc);
200
201 sb = pci_get_dev(pacc, 0, 0, 0x1f, 0);
202 if (!sb) {
203 printf("Uh oh, southbridge not on BDF(0:31:0), please report this error, exiting.\n");
204 pci_cleanup(pacc);
205 return 1;
206 }
207 pci_fill_info(sb, PCI_FILL_IDENT | PCI_FILL_BASES | PCI_FILL_SIZES | PCI_FILL_CLASS);
208
209 rcba_phys = pci_read_long(sb, 0xf0) & 0xfffffffe;
Paul Menzel1e7911e2016-12-27 15:24:02 +0100[diff] [blame]210 rcba = map_physical((off_t)rcba_phys, size);
Philipp Deppenwiesed8fe4432016-03-18 00:52:54 +0100[diff] [blame]211
212 //printf("RCBA at 0x%08" PRIx32 "\n", (uint32_t)rcba_phys);
213 fd2 = *(uint32_t *)(rcba + FD2);
214 *(uint32_t *)(rcba + FD2) = fd2 & ~0x2;
215 if (fd2 & 0x2) {
216 printf("MEI was hidden on PCI, now unlocked\n");
217 } else {
218 printf("MEI not hidden on PCI, checking if visible\n");
219 }
220
221 pci_cleanup(pacc);
222
223 return 0;
224}
225
226static void dump_me_info() {
227 struct pci_dev *dev;
228 uint32_t stat, stat2;
229 char *name;
230
231 if (pci_platform_scan()) {
232 exit(1);
233 }
234
Dan Elkoubye8ad3c72017-01-16 20:04:51 +0200[diff] [blame]235 if (activate_me()) {
Philipp Deppenwiesed8fe4432016-03-18 00:52:54 +0100[diff] [blame]236 exit(1);
237 }
238
Dan Elkoubye8ad3c72017-01-16 20:04:51 +0200[diff] [blame]239 dev = pci_me_interface_scan(&name);
240 if (!dev) {
Philipp Deppenwiesed8fe4432016-03-18 00:52:54 +0100[diff] [blame]241 exit(1);
242 }
243
244 printf("MEI found: [%x:%x] %s\n\n", dev->vendor_id, dev->device_id, name);
245 stat = pci_read_long(dev, 0x40);
246 printf("ME Status : 0x%x\n", stat);
247 stat2 = pci_read_long(dev, 0x48);
248 printf("ME Status 2 : 0x%x\n\n", stat2);
249
250 intel_me_status(stat, stat2);
251 printf("\n");
252 intel_me_extend_valid(dev);
253 printf("\n");
254
255 if ((stat & 0xf000) >> 12 != 0) {
256 printf("ME: has a broken implementation on your board with this BIOS\n");
257 }
258
259 intel_mei_setup(dev);
260 usleep(ME_COMMAND_DELAY);
261 mei_reset();
262 usleep(ME_COMMAND_DELAY);
263 mkhi_get_fw_version();
264 usleep(ME_COMMAND_DELAY);
265 mei_reset();
266 usleep(ME_COMMAND_DELAY);
267 mkhi_get_fwcaps();
268 usleep(ME_COMMAND_DELAY);
269
270 rehide_me();
271
272 munmap((void*)rcba, size);
273}
274
275static void print_version(void)
276{
277 printf("intelmetool v%s -- ", INTELMETOOL_VERSION);
278 printf("Copyright (C) 2015 Damien Zammit\n\n");
279 printf(
280 "This program is free software: you can redistribute it and/or modify\n"
281 "it under the terms of the GNU General Public License as published by\n"
282 "the Free Software Foundation, version 2 of the License.\n\n"
283 "This program is distributed in the hope that it will be useful,\n"
284 "but WITHOUT ANY WARRANTY; without even the implied warranty of\n"
285 "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n"
286 "GNU General Public License for more details.\n\n");
287}
288
289static void print_usage(const char *name)
290{
291 printf("usage: %s [-vh?sd]\n", name);
292 printf("\n"
293 " -v | --version: print the version\n"
294 " -h | --help: print this help\n\n"
295 " -s | --show: dump all me information on console\n"
296 " -d | --debug: enable debug output\n"
297 "\n");
298 exit(1);
299}
300
301int main(int argc, char *argv[])
302{
303 int opt, option_index = 0;
304 unsigned cmd_exec = 0;
305
306 static struct option long_options[] = {
307 {"version", 0, 0, 'v'},
308 {"help", 0, 0, 'h'},
309 {"show", 0, 0, 's'},
310 {"debug", 0, 0, 'd'},
311 {0, 0, 0, 0}
312 };
313
314 while ((opt = getopt_long(argc, argv, "vh?sd",
315 long_options, &option_index)) != EOF) {
316 switch (opt) {
317 case 'v':
318 print_version();
319 exit(0);
320 break;
321 case 's':
322 cmd_exec = 1;
323 break;
324 case 'd':
325 debug = 1;
326 break;
327 case 'h':
328 case '?':
329 default:
330 print_usage(argv[0]);
331 exit(0);
332 break;
333 }
334 }
335
336 #if defined(__FreeBSD__)
337 if (open("/dev/io", O_RDWR) < 0) {
338 perror("/dev/io");
339 #elif defined(__NetBSD__)
340 # ifdef __i386__
341 if (i386_iopl(3)) {
342 perror("iopl");
343 # else
344 if (x86_64_iopl(3)) {
345 perror("iopl");
346 # endif
347 #else
348 if (iopl(3)) {
349 perror("iopl");
350 #endif
351 printf("You need to be root.\n");
352 exit(1);
353 }
354
355 #ifndef __DARWIN__
356 if ((fd_mem = open("/dev/mem", O_RDWR)) < 0) {
357 perror("Can not open /dev/mem");
358 exit(1);
359 }
360 #endif
361
362 switch(cmd_exec) {
363 case 1:
364 dump_me_info();
365 break;
366 default:
367 print_usage(argv[0]);
368 break;
369 }
370
371 return 0;
372}