cyrozap / jmb58x-re

Notes and utilities for reverse engineering JMicron's JMB582 / JMB585 SATA host controllers.
BSD Zero Clause License

Flash dumper tool? #1

Open fieryo opened 1 year ago

fieryo commented 1 year ago

I appreciate your research on JMB585 chip, but would you share with us how to dump the flash from a PCIe card (point 2 of README). I have a PCIe 3.0 x1 card with JMB582, that works with CSM ("UEFI only"), but refuses to load when "Secure boot" is on. This means that either the firmware is not signed or it's not the original from JMicron. At least, I want to verify that it's the original firmware. If you share some links to the original firmware would be great as well.

Thanks,

cyrozap commented 1 year ago

If I understand your question correctly, you just want to dump the Option ROM from the card. If that's the case, you don't need a full dump of the flash chip (which is what I was referring to in the Readme, and at this time requires either an SPI flash programmer or a logic analyzer to perform) in order to solve your problem. The Option ROM (the firmware you're referring to) is exposed to the operating system in a standard way, so if you're running Linux (don't ask me how to do this on Windows--I don't know), you can dump it from the command line using standard Linux tools. The process to do this is as follows:

First, list the JMB58x devices in your system:

$ lspci -Dd 197b:
0031:04:00.0 SATA controller: JMicron Technology Corp. JMB58x AHCI SATA controller

Then, taking the NNNN:NN:NN.N (domain:bus:slot.function) number you got from the output of the previous command, write a "1" to the device's "rom" file in sysfs:

$ echo 1 | sudo tee '/sys/bus/pci/devices/0031:04:00.0/rom'

This enables reading the Option ROM from the card, which you can do with the following command:

$ sudo cat '/sys/bus/pci/devices/0031:04:00.0/rom' > jmb58x.rom

With this last step completed, you should have the entire option ROM in a file called jmb58x.rom. Unfortunately, I don't know enough about UEFI to know how to parse and verify that image, so you'll have to find that out on your own. Fortunately, the UEFI specs are open, so that should "simply" be a matter of reading the relevant documentation and writing some code to do that, or finding a tool that someone else has made to do it.

I hope this helps!


Some extra information on the flash image format and dumping methods, in case you (or anyone else reading this) are curious:

As I explained in my notes, the flash image contains more than just the Option ROM. Just before the Option ROM is a sequence of configuration instructions that write to registers inside the chip, to control things like the GPIO pin configurations (e.g., for LED control) and the offset of the Option ROM in the flash chip. As far as I can tell, the JMB58x chip itself doesn't load or execute any firmware.

To read or write this configuration data, and to write to the Option ROM, you need to be able to read and write the whole flash chip. Unfortunately, I'm not aware of any method to read or write the entire flash of these cards over PCIe. While there's probably a way to do it, I haven't been able to find any flashing programs (commonly referred to as "MP tool" or "MPTool") for these cards anywhere, and it would be extremely difficult to reverse engineer that process without one.

Lacking a method to dump the flash over PCIe, in the beginning I just connected a logic analyzer to the SPI flash pins and sniffed the communications--that let me see both the flash contents and access patterns. Later, to get a more thorough dump, I desoldered the flash and stuck it in a cheap SPI flash programmer. So, for now, these are the only methods I know of that can be used to read (and, in the case of the SPI flash programmer, also write) the flash beyond just the Option ROM.

fieryo commented 1 year ago

Thank you, that was really helpful.

Do you know if JMB585 (i.e. the one you dumped) is signed and loads with Secure boot?

In my case (after I dump the OpROM in Linux), even a checksum of the original JMB582 OpROM would be enough to verify it. But I'm unable to find such firmware or jmb58x.rom file. Station-drivers has JMB585 drivers only. Do you know some forum, where other users dump firmwares, so we can compare our checksums?

cyrozap commented 1 year ago

I have a few dumps and checksums:

I think only the 36864-byte image is an EFI Option ROM, since it's the only one that matches this header format--the others look like legacy BIOS Option ROMs. And I have no idea if any of these are signed or working with UEFI secure boot, as the system this card is installed in doesn't support UEFI or loading Option ROMs, and I don't know how to find and verify the signature manually.
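The following parser is an added example, not code from cyrozap's repository or from anyone in this thread. It covers two points raised above: parsing the jmb58x.rom file produced by the sysfs steps in the first reply, and telling an EFI image from a legacy BIOS image by its header as discussed in the last comment. It follows the PCI Firmware Specification expansion ROM layout (0xAA55 signature, "PCIR" data structure, code type byte) and the UEFI specification's EFI Option ROM header (0x0EF1 signature, machine type, compression flag, offset of the embedded PE). The JMicron vendor ID 0x197B comes from the lspci output above; the device ID 0x0585, the image sizes and the minimal PE inside build_sample_rom() are constructed test data, not a real dump.

```python
"""Parse a PCI Option ROM dump (e.g. jmb58x.rom) image by image and report what each one is.

Per image: code type, vendor/device ID, declared length, SHA-256 (for comparing dumps),
8-bit checksum for legacy x86 images, and for uncompressed EFI images whether the embedded
PE has a non-empty Certificate Table (i.e. carries an Authenticode signature at all).
"""
import hashlib
import struct
import sys
from typing import Dict, List, Optional

ROM_SIGNATURE = 0xAA55
EFI_SIGNATURE = 0x0EF1
CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}
MACHINE_TYPES = {0x014C: "IA32", 0x8664: "x64", 0x01C2: "ARM", 0xAA64: "AArch64"}


def pe_has_certificate_table(pe: bytes) -> Optional[bool]:
    """True/False if the PE's Security data directory (entry 4) is non-empty; None if not a PE."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20                          # skip "PE\0\0" and the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    dir_base = {0x10B: 96, 0x20B: 112}.get(magic)    # data directories start here in PE32 / PE32+
    if dir_base is None:
        return None
    sec = opt + dir_base + 4 * 8                     # entry 4 = IMAGE_DIRECTORY_ENTRY_SECURITY
    if sec + 8 > len(pe):
        return None
    _file_offset, size = struct.unpack_from("<II", pe, sec)
    return size != 0


def parse_option_rom(rom: bytes) -> List[Dict]:
    """One dict per image; walks the chain until the image flagged 'last' or until the signature is missing."""
    images, off = [], 0
    while off + 0x1A <= len(rom) and struct.unpack_from("<H", rom, off)[0] == ROM_SIGNATURE:
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if rom[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"image at 0x{off:x}: PCIR data structure not found")
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        length = struct.unpack_from("<H", rom, pcir + 0x10)[0] * 512   # stored in 512-byte units
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        image = rom[off:off + length]
        info = {
            "offset": off, "length": length, "truncated": len(image) < length,
            "vendor_id": vendor, "device_id": device,
            "code_type": code_type, "code_type_name": CODE_TYPES.get(code_type, "unknown"),
            "last": bool(indicator & 0x80),
            "sha256": hashlib.sha256(image).hexdigest(),
        }
        if code_type == 0:
            # Legacy BIOS images must sum to zero modulo 256 over their declared length.
            info["checksum_ok"] = (sum(image) & 0xFF) == 0
        elif code_type == 3:
            efi_sig, subsystem, machine, compression = struct.unpack_from("<IHHH", rom, off + 4)
            pe_off = struct.unpack_from("<H", rom, off + 0x16)[0]
            info["efi_signature_ok"] = efi_sig == EFI_SIGNATURE
            info["efi_subsystem"] = subsystem
            info["machine"] = MACHINE_TYPES.get(machine, f"0x{machine:04x}")
            info["compressed"] = compression == 1
            # A compressed image needs EFI decompression first; the PE cannot be inspected in place.
            info["has_certificate_table"] = None if compression else pe_has_certificate_table(image[pe_off:])
        images.append(info)
        if info["last"] or length == 0:
            break
        off += length
    return images


def _pcir(vendor: int, device: int, units: int, code_type: int, last: bool) -> bytearray:
    p = bytearray(0x18)
    p[0:4] = b"PCIR"
    struct.pack_into("<HH", p, 4, vendor, device)
    struct.pack_into("<H", p, 0x0A, 0x18)            # length of this structure
    struct.pack_into("<H", p, 0x10, units)           # image length in 512-byte units
    p[0x14], p[0x15] = code_type, (0x80 if last else 0)
    return p


def build_sample_rom() -> bytes:
    """Constructed two-image ROM (legacy x86 + EFI x64 driver with a Certificate Table). Not a real dump."""
    legacy = bytearray(1024)
    struct.pack_into("<HB", legacy, 0, ROM_SIGNATURE, 2)          # signature, size in 512-byte units
    struct.pack_into("<H", legacy, 0x18, 0x40)                    # pointer to PCIR
    legacy[0x40:0x58] = _pcir(0x197B, 0x0585, 2, 0, False)       # device ID 0x0585 is assumed sample data
    legacy[-1] = (-sum(legacy)) & 0xFF                            # make the 8-bit checksum come out to zero

    pe = bytearray(0x80 + 24 + 240)                               # MZ stub, "PE\0\0" + COFF, PE32+ optional header
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)                        # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H14xH", pe, 0x84, 0x8664, 240)             # COFF: machine x64, SizeOfOptionalHeader
    struct.pack_into("<H", pe, 0x98, 0x20B)                       # optional header magic: PE32+
    struct.pack_into("<II", pe, 0x98 + 112 + 32, 0, 0x600)        # Certificate Table: file offset, size

    efi = bytearray(1536)
    struct.pack_into("<HHIHHH", efi, 0, ROM_SIGNATURE, 3, EFI_SIGNATURE, 0x0B, 0x8664, 0)  # boot service driver, uncompressed
    struct.pack_into("<HH", efi, 0x16, 0x100, 0x40)               # PE offset, PCIR offset
    efi[0x40:0x58] = _pcir(0x197B, 0x0585, 3, 3, True)
    efi[0x100:0x100 + len(pe)] = pe
    return bytes(legacy + efi)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        rom = open(sys.argv[1], "rb").read()
        print(f"{sys.argv[1]}: {len(rom)} bytes, sha256 {hashlib.sha256(rom).hexdigest()}")
        for img in parse_option_rom(rom):
            print(img)
    else:  # no file given: run against the constructed sample
        for img in parse_option_rom(build_sample_rom()):
            print(img)
```

Run it as `python3 parse_oprom.py jmb58x.rom` (file name assumed) or with no argument to see the constructed sample. The per-image SHA-256 is what to compare with other people's dumps, since the file read from sysfs may carry padding or several chained images. A non-empty Certificate Table only says the EFI driver is Authenticode-signed; Secure Boot additionally requires that signature to chain to a certificate in the platform's db (typically the Microsoft UEFI CA), which this script does not check.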