Introduction
Out of nowhere, my system has stopped functioning. I'm not entirely sure why, but both the Gigabyte B450M DS3H V2 and the AMD Ryzen 5 5500, which had been working fine for a few days, are now experiencing issues. I want to mention that I used this motherboard in an unusual way - as a worker for compilations. As a kernel engineer, I have a lot of compiling to do in my daily work, so I decided to purchase a reasonably powerful system to speed up the process. Since a full computer with keyboard and monitor was unnecessary, I opted for just the motherboard. And, being a bit of a nerd, I decided to leave it exposed. To manage the setup, I created a self-made device that acted on ATX controls and interfaced with the serial port. This way, I could bring up the system remotely without leaving my chair. Although I took all possible precautions to make the control device safe, I cannot entirely rule out the possibility that it may be the root cause of the problem. However, I find this to be highly unlikely. In this post, I would like to delve deeper into the malfunctioning of this motherboard and hopefully determine if the cause is my device or something else.
Power on self test (POST)
It's been a while since I've had to troubleshoot these types of problems. In the past, I remember using a POST card to troubleshoot these issues. However, it has been over 20 years since I last used one, and the POST card I made in my high school electronic laboratory is no longer usable. The real question is, given all the technological changes that have occurred, is the POST still implemented in modern BIOSes?
And if so, how can it be used when the CPU bus is no longer exposed?
BTW, what is the POST?
Motherboard POST, or Power-On Self-Test, is a diagnostic mechanism that has been used for decades to detect hardware issues during the boot-up process of a computer.
When a computer is turned on, the BIOS runs a series of tests on the motherboard and connected components to ensure that they are functioning correctly.
POST is effective because it runs before the graphics and text systems are initialized, allowing it to the bios to emit information about hardware faults that prevent the system from booting.
Over the years, the concept of POST has remained largely the same, but the underlying technologies and buses that connect components in Intel based mainboards have changed significantly.
In the early days of computing, motherboards were relatively simple and relied on a standardized bus, the ISA bus.
The ISA bus consisted of a set of parallel signal lines that allowed data, addresses, and control signals to be transmitted between components.
One of the key features of the ISA bus was its simplicity. Unlike more modern buses, such as PCIe, the ISA bus did not use complex packet-based communication or advanced error detection mechanisms. Instead, it relied on a straightforward master-slave architecture, where the CPU was the master and all other devices on the bus were slaves.
This simplicity made it relatively easy to intercept signals from the bus and expose them for diagnostic purposes.
For example, it was common to use a logic analyzer or oscilloscope to capture signals on the ISA bus and analyze them to diagnose hardware faults.
Additionally, the ISA bus pinout was well-defined and standardized, making it easier for technicians to create diagnostic tools and adapters that could interface with the bus using discrete components such as logic gates.
Here is the ISA bus pinout:
| Pin | Name | Dir | Description |
|---|---|---|---|
| A1 | /I/O CH CK | INPUT | I/O channel check; active low=parity error |
| A2 | D7 | BIDIRECTIONAL | Data bit 7 |
| A3 | D6 | BIDIRECTIONAL | Data bit 6 |
| A4 | D5 | BIDIRECTIONAL | Data bit 5 |
| A5 | D4 | BIDIRECTIONAL | Data bit 4 |
| A6 | D3 | BIDIRECTIONAL | Data bit 3 |
| A7 | D2 | BIDIRECTIONAL | Data bit 2 |
| A8 | D1 | BIDIRECTIONAL | Data bit 1 |
| A9 | D0 | BIDIRECTIONAL | Data bit 0 |
| A10 | I/O CH RDY | INPUT | I/O Channel ready, pulled low to lengthen memory cycles |
| A11 | AEN | OUTPUT | Address enable; active high when DMA controls bus |
| A12 | A19 | OUTPUT | Address bit 19 |
| A13 | A18 | OUTPUT | Address bit 18 |
| A14 | A17 | OUTPUT | Address bit 17 |
| A15 | A16 | OUTPUT | Address bit 16 |
| A16 | A15 | OUTPUT | Address bit 15 |
| A17 | A14 | OUTPUT | Address bit 14 |
| A18 | A13 | OUTPUT | Address bit 13 |
| A19 | A12 | OUTPUT | Address bit 12 |
| A20 | A11 | OUTPUT | Address bit 11 |
| A21 | A10 | OUTPUT | Address bit 10 |
| A22 | A9 | OUTPUT | Address bit 9 |
| A23 | A8 | OUTPUT | Address bit 8 |
| A24 | A7 | OUTPUT | Address bit 7 |
| A25 | A6 | OUTPUT | Address bit 6 |
| A26 | A5 | OUTPUT | Address bit 5 |
| A27 | A4 | OUTPUT | Address bit 4 |
| A28 | A3 | OUTPUT | Address bit 3 |
| A29 | A2 | OUTPUT | Address bit 2 |
| A30 | A1 | OUTPUT | Address bit 1 |
| A31 | A0 | OUTPUT | Address bit 0 |
| B1 | GND | Ground | |
| B2 | RESET | OUTPUT | Active high to reset or initialize system logic |
| B3 | +5V | +5 VDC | |
| B4 | IRQ2 | INPUT | Interrupt Request 2 |
| B5 | -5VDC | -5 VDC | |
| B6 | DRQ2 | INPUT | DMA Request 2 |
| B7 | -12VDC | -12 VDC | |
| B8 | /NOWS | INPUT | No WaitState |
| B9 | +12VDC | +12 VDC | |
| B10 | GND | Ground | |
| B11 | /SMEMW | OUTPUT | System Memory Write |
| B12 | /SMEMR | OUTPUT | System Memory Read |
| B13 | /IOW | OUTPUT | I/O Write |
| B14 | /IOR | OUTPUT | I/O Read |
| B15 | /DACK3 | OUTPUT | DMA Acknowledge 3 |
| B16 | DRQ3 | INPUT | DMA Request 3 |
| B17 | /DACK1 | OUTPUT | DMA Acknowledge 1 |
| B18 | DRQ1 | INPUT | DMA Request 1 |
| B19 | /REFRESH | BIDIRECTIONAL | Refresh |
| B20 | CLOCK | OUTPUT | System Clock (67 ns, 8-8.33 MHz, 50% duty cycle) |
| B21 | IRQ7 | INPUT | Interrupt Request 7 |
| B22 | IRQ6 | INPUT | Interrupt Request 6 |
| B23 | IRQ5 | INPUT | Interrupt Request 5 |
| B24 | IRQ4 | INPUT | Interrupt Request 4 |
| B25 | IRQ3 | INPUT | Interrupt Request 3 |
| B26 | /DACK2 | OUTPUT | DMA Acknowledge 2 |
| B27 | T/C | OUTPUT | Terminal count; pulses high when DMA term. count reached |
| B28 | ALE | OUTPUT | Address Latch Enable |
| B29 | +5V | +5 VDC | |
| B30 | OSC | OUTPUT | High-speed Clock (70 ns, 14.31818 MHz, 50% duty cycle) |
| B31 | GND | Ground | |
| C1 | SBHE | BIDIRECTIONAL | System bus high enable (data available on SD8-15) |
| C2 | LA23 | BIDIRECTIONAL | Address bit 23 |
| C3 | LA22 | BIDIRECTIONAL | Address bit 22 |
| C4 | LA21 | BIDIRECTIONAL | Address bit 21 |
| C5 | LA20 | BIDIRECTIONAL | Address bit 20 |
| C6 | LA19 | BIDIRECTIONAL | Address bit 19 |
| C7 | LA18 | BIDIRECTIONAL | Address bit 18 |
| C8 | LA17 | BIDIRECTIONAL | Address bit 17 |
| C9 | /MEMR | BIDIRECTIONAL | Memory Read (Active on all memory read cycles) |
| C10 | /MEMW | BIDIRECTIONAL | Memory Write (Active on all memory write cycles) |
| C11 | SD08 | BIDIRECTIONAL | Data bit 8 |
| C12 | SD09 | BIDIRECTIONAL | Data bit 9 |
| C13 | SD10 | BIDIRECTIONAL | Data bit 10 |
| C14 | SD11 | BIDIRECTIONAL | Data bit 11 |
| C15 | SD12 | BIDIRECTIONAL | Data bit 12 |
| C16 | SD13 | BIDIRECTIONAL | Data bit 13 |
| C17 | SD14 | BIDIRECTIONAL | Data bit 14 |
| C18 | SD15 | BIDIRECTIONAL | Data bit 15 |
| D1 | /MEMCS16 | INPUT | Memory 16-bit chip select (1 wait, 16-bit memory cycle) |
| D2 | /IOCS16 | INPUT | I/O 16-bit chip select (1 wait, 16-bit I/O cycle) |
| D3 | IRQ10 | INPUT | Interrupt Request 10 |
| D4 | IRQ11 | INPUT | Interrupt Request 11 |
| D5 | IRQ12 | INPUT | Interrupt Request 12 |
| D6 | IRQ15 | INPUT | Interrupt Request 15 |
| D7 | IRQ14 | INPUT | Interrupt Request 14 |
| D8 | /DACK0 | OUTPUT | DMA Acknowledge 0 |
| D9 | DRQ0 | INPUT | DMA Request 0 |
| D10 | /DACK5 | OUTPUT | DMA Acknowledge 5 |
| D11 | DRQ5 | INPUT | DMA Request 5 |
| D12 | /DACK6 | OUTPUT | DMA Acknowledge 6 |
| D13 | DRQ6 | INPUT | DMA Request 6 |
| D14 | /DACK7 | OUTPUT | DMA Acknowledge 7 |
| D15 | DRQ7 | INPUT | DMA Request 7 |
| D16 | +5 V | ||
| D17 | /MASTER | INPUT | Used with DRQ to gain control of system |
| D18 | GND | Ground |
Is post still implemented in BIOSes?
Before proceeding with any further investigations, it's important to confirm whether POST is still implemented in modern BIOSes. To do this, the first step would be to dump a BIOS and analyze it to see if POST is present.
sudo dd if=/dev/mem of=bios.bin bs=1M count=1
Executing the command may encounter difficulties due to security measures in modern Linux kernels. For instance, if the kernel is started with secureboot, a Linux Security Module (LSM) called lockdown would prevent any read operation from
/dev/mem. However, if the command succeeds, it will produce a file containing the first megabyte of memory. It is worth noting that BIOS mapping is quite intricate, but it is possible to start with the reset vector, which is located at f000:fff0. This address was used by the old i8086, the precursor of the entire x86 family, and is still used by modern processors such as the AMD Ryzen, 40 years later.Do you recall the famous quote often attributed to Bill Gates, "640K is enough for anyone"?
This statement stemmed from the memory allocation limitations of the old i8086 machines, where the bus was only 20 bits wide, resulting in just one megabyte of addressable memory.
As the upper memory was reserved for the ROM, the system could only utilize the lower 640k of RAM.
Because modern x86 systems start in real mode, which operates in the same way as an i8086 with the same limitations, the downloaded megabyte must contain both the reset vector and a portion of the BIOS, including at least the initial instructions.
Upon further investigation of the BIOS I downloaded from my computer, I have discovered that modern BIOSes still utilize the traditional method of sending POST codes through port 0x80. Furthermore, additional tests performed on the BIOS update downloaded from the malfunctioning motherboard producer's website revealed that it also employs this same method of emitting POST codes.
Investing a few dollars in a modern POST card would be a sensible decision, but the choice of technology depends on the system being tested. Based on the code observed in the BIOS, it seems impractical to invest in a PCI board. Unless the PCI bridge has complex logic, these instructions won't reach any PCI device. Since it's impossible to assume the type of PCI bridge present, alternative options must be explored.
LPC bus
Given that ISA is no longer available and the CPU bus is no longer accessible, the question arises as to how the "out 80h, al" data can be retrieved.
One possible solution is to use what makes the SuperIO chip work. SuperIO still supports legacy functions such as the FDC controller or the legacy PIC that needs to use signals the same as a POST card would need.
Looking at how SuperIO chip communicates with the PCH, you can see a dedicated bus exists: the LPC bus.
The Low Pin Count (LPC) bus was introduced in the mid-1990s as a replacement for the ISA bus in desktop and mobile computers. The LPC bus was designed to be a low-cost, low-speed bus that could be used for simple I/O operations, system management functions, and firmware updates.
The LPC bus was integrated directly into the Southbridge chip, which was responsible for managing the I/O operations of the motherboard.
On modern motherboards, the LPC bus is typically located near the edge of the motherboard, close to the BIOS chip and the Super I/O chip.
The LPC bus can be used for a variety of system management functions, such as power management, temperature monitoring, and fan control. The Southbridge chip communicates with the BIOS and the Super I/O chip over the LPC bus, allowing it to monitor system activity and adjust settings as needed. Additionally, some modern motherboards also include a TPM (Trusted Platform Module) chip, which is also connected to the LPC bus. The TPM chip provides hardware-based security functions, such as data encryption and secure boot, and is used to protect sensitive data on the system.
Worth note that in newer motherboard architectures, the Northbridge and Southbridge chips have been replaced by the Platform Controller Hub (PCH). The PCH is a single chip that integrates many of the functions that were previously handled by separate chips, including the Southbridge, PCIe controllers, and system management functions. Like the Southbridge, the PCH includes an LPC bus interface, allowing it to communicate with the BIOS and other components on the motherboard. Despite this change in architecture, the LPC bus remains a critical component of modern motherboards, providing important system management and firmware updating functions.
The only known point in which the LPC bus is exposed is in TPM connectors, let's try to exploit
Epilogue
In summary, it turns out that the same POST method used in the 1980s is still being used in modern BIOSes today. The most dependable port for accessing the POST is the TPM port, which is present on most modern motherboards because it provides access to the LPC bus.
This means that any LPC-enabled POST card can provide the POST service and deliver the POST codes for analysis.
However, it seems that the mainboard in question is currently stuck in a loop within the BIOS.
Referring to the GIGABYTE postcodes source, it is revealed that my motherboard is displaying the codes
de, ad, a1, 35, 02, 56 repeatedly, indicating a problem with the CPU (56 Invalid CPU type or speed). Therefore, I can safely assume that the device I used to manage the mainboard is not responsible for this issue.
No comments:
Post a Comment