Hi All,
On to the next big research effort...that I need all your help with... offline Fuel Mainboard PROM firmware flashing (recovering from bad flash or CPU change).
Jumping off of this conversation:
https://forums.irixnet.org/thread-2164-p...l#pid22877
I used a damaged Fuel mainboard that had an 800Mhz PIMM on it from jwhat, that was ruined in shipping, originally purchased from Hamei. I removed three AMD AM29LV160DT-120EC chips from the board, two (with stickers) above the XIO slot, and a third on the rear side of the board, under the first stickered chip.
The encoding needed to word-flipped to read, I'm not sure of endianness at this time, but I THINK it's Big-endian encoded on the chips.
I have confirmed several things:
The chip labelled with a 1 on it's numerical tag, (closest to the coldfire IC) is the L1 firmware.
The chip across from that is the PROM firmware.
The chip under the L1 firmware (underside of board) has the word BEDROCK in it's firmware several times...but it mostly
EMPTY and seems to contain only error messages and small amount of string storage (this is very perplexing). I expected a lot more, that worries me.
The PROM image contains TWO copies of the partial magic number "ip27config", however one of them appears to match the string and struct for
ip27config_T @ address 0x60 offset. It's for an 800Mhz, which matches the two hex struct values on the thread link above from jwhat. The other partial magic number copy (@ 0x165b00) isn't recognised by myself.
I cannot find any CPU or spec references in the "bedrock" firmware image...I'm calling it that for now, until I know more.
I need help fully decoding the ip27config_T @ address 0x60 offset back into it's struct. I having issues keeping it straight..because I've yet to find the cache size. I've not found the the PROM version string either.
So looking back on the other threads when going from a 600Mhz to 800Mhz...All values except for CPU speed and Hub speed are the same...so it seems a SINGLE line change of the firmware may in fact do that much! A 500Mhz & 900 mhz have unique cache sizes so "altering" firmware from a 600Mhz or higher requires changing more values to get 500Mhz or 900Mhz working. If I had a research subject (part) that was a 500Mhz, I'd just do that as well..I don't right now. I might be able to flash one down later...but I have 600Mhz and 700Mhz PIMMs on hand...so I can handle that, at least.
So my biggest concern comes from any synchronize information that is set up between the various firmware's when the Irix flash utility does its work. I don't think the L1 has any real CPU information in it judging from what I've seen and also the fact that the L1 can run even when the CPU specs are totally wrong. So an L1 offline reflashing recovery seems like a slam dunk (in theory, unknown in practice, at this time). But anyone that has a totally corrupt oh one that constantly crashing and can't use either images, this may be the answer for you so contact me and we can try that.
That just leaves the bedrock and the PROM's relationship. Because I don't think I really found true PROM storage, the possible problem emanates from not synchronizing these two elements when replacing firmware on a fuel mainboard. If I knew what the board had before and it was between 600 MHz and 800 MHz I could probably just hack the PROM firmware for the two aforementioned values and it would probably work fine. But if I'm changing what the board had more radically then it's possible that those values exists somewhere else on the board and now they're out of sync and things will just crash and not work.
So I'd like help on the following:
Please look through these firmware images and see if you can find any additional information that I either haven't mentioned here or that support or don't support my concerns. I have a client with what I believe is a bad PROM flash because of some other aligned symptoms, that I'm going to try a PROM donor on. The board I was going to use as a donor turns out to have a 12V rail short on it. So I need to address that first to see if I can get both boards coming along.
Both boards are the exact same part revision so they're actually sister boards. They only have their two rightmost numbers off on the serial number as well. So I was hoping that a complete clone of one could overwrite the other and I know it would probably work. But I am obviously concerned with the fact that I may not want to or need to replace all three chips for a board recovery or even a PIMM change. I have no idea what the original CPU speed was on either board and cannot start L1 to PROM POD to query that! That's what prevents a partial relfash at this time...until I understand the sync issue.
As I summarized before, I have not found the cache size storage yet. And I've not found any of the other values you put in to the flash utility outside of CPU speed and hub speed. As I mentioned several processors share a majority of this information so moving between those subset of processors would likely be fine. But I still don't know where all the info goes and that's where my synchronization worry ties in. So that's what I would like help with so I'm going to post these firmware dumps right now and you can all play with them and tell me what's what. I have no idea what version these are because I never saw the board running that they came from. It be nice if we could figure out where the version numbers are to tell as I collect firmware images what versions I have or potentially what versions I can use. Obviously flashing the very last every PROM firmware would be a good idea (if possible)...else I'll need to get a collection of the firmware to mix and match existing versions on a mainboard under repair.
One incredibly interesting thing I found in the PROM from me just skimming for English language strings was the fact there is a fair amount of coding here and English sentence strings that directly inform you about incorrect L1 versions, obsolete L1 versions, and a warning about running the L1 in what it calls "raw mode". It seems that the production PROMs were designed to put up with a lot of testing or prototype L1 firmware and then had to be plugged with various logic that detects and reacts to "obsolete firmware". I know Jan-Jaap has talked about this in the past and you would assume that the first ever customer/production released L1 firmware for Fuel was obviously not test firmware so you have to wonder why the problem required this level of work to prevent anomalous L1 versions from being installed. But there is more than a few descriptions that directly talk about the L1 being in an unsupported mode or an unsupported firmware or detection of incomplete L1 compatibility. I found that extremely interesting given the restricted releases SGI did.
So there you have it, I've taken the first steps and here are the fruits of that so far. I will need to do a little work so I probably won't revisit this for a few weeks and I've also attempted to order new old stock of this exact chip in order to flash fresh ships and work with them for my upcoming board work. In the meantime the issue of partial copy versus full three chip copy to a like revision mainboard is going to be the hot topic here.
Please help me in tracking down other sections in this firmware that may need calling out or altering for the purposes of messing with existing firmware, if I was doing a partial copy for donor transplant, or just information in general that could be useful to the recovery situation. Obviously this may be like jumpstarting a car or not everything goes correctly. My hope is that it goes correctly enough that we can still jump in to Irix and do a flash of firmware specifying all the values we want and have everything override itself and re-synchronize. As long as it'll start without major crashing or other problems and we can perform a flash after the fact I'd still call that a giant win.
Also jwhat, could you please fish out your hex files and do a diff for me on the PROM against the irix PROM dumps you did for the above linked thread? I'd be very interested to see if both the old 800Mhz and your new 800Mhz still are nearly alike or not (what's the difference between systems).
Since I can't upload them to the forum I'll use my Google Drive for now. But it won't be indefinite so get them while you can.
https://drive.google.com/drive/folders/1...sp=sharing
Cheers and don't fill up on dump-lings...you'll spoil your dinner.
NEED -> 
