├── ASM2x6x ├── README.md ├── data │ ├── labels-asm2362.txt │ ├── labels-asm2364.txt │ └── labels-asm2464.txt ├── doc │ ├── Notes.md │ ├── USB-descriptor-ASM2364-ORICO-M2PVC3-G20-Gen1x1.txt │ ├── USB-descriptor-ASM2364-ROM-Gen1x1.txt │ └── USB-descriptor-ASM2464-ROM.txt ├── etc │ └── 99-asm2x6x.rules ├── firmware │ ├── download.sh │ ├── downloads │ │ ├── ASM236x │ │ │ └── .gitignore │ │ └── ASM246x │ │ │ └── .gitignore │ └── urls.txt └── tools │ ├── .gitignore │ ├── Makefile │ ├── asm236x_fw.ksy │ ├── asm2464_fw.ksy │ ├── asm2x6x_tool.py │ ├── firmware_tool.py │ ├── ghidra-scripts │ └── Asm236xFirmwareHelper.java │ ├── make_image.py │ ├── requirements.development.txt │ ├── requirements.frozen.txt │ └── seagate_firecuda_led_scanner.py ├── COPYING.txt ├── README.md └── RTL921x ├── Notes.md ├── README.md ├── firmware ├── download.sh ├── downloads │ └── .gitignore └── urls.txt └── rtl921x_tool.py /ASM2x6x/README.md: -------------------------------------------------------------------------------- 1 | # ASM2x6x Reverse Engineering 2 | 3 | 4 | ## Quick start 5 | 6 | 7 | ### Software dependencies 8 | 9 | * Python 3 10 | * Firmware image parser: 11 | * [Kaitai Struct Compiler][ksc] 12 | * [Kaitai Struct Python Runtime][kspr] 13 | * `tools/asm2x6x_tool.py`: 14 | * [cython-sgio][cython-sgio] 15 | 16 | 17 | ### Procedure 18 | 19 | 1. `cd` to the `tools` directory. 20 | 2. Install dependencies. 21 | 3. Run `make` to generate the parser code used by `firmware_tool.py`. 22 | 4. Run `./firmware_tool.py` on the `*.bin` firmware binary. 23 | 24 | 25 | ## Reverse engineering notes 26 | 27 | See [doc/Notes.md](doc/Notes.md). 28 | 29 | 30 | [ksc]: https://github.com/kaitai-io/kaitai_struct_compiler 31 | [kspr]: https://github.com/kaitai-io/kaitai_struct_python_runtime 32 | [cython-sgio]: https://pypi.org/project/cython-sgio/ 33 | -------------------------------------------------------------------------------- /ASM2x6x/data/labels-asm2362.txt: -------------------------------------------------------------------------------- 1 | FLASH_CON_BUF_MAYBE EXTMEM:7000 l 2 | INT_FLAGS_EX0_9084_MAYBE EXTMEM:9084 l 3 | INT_FLAGS_EX0_9085_MAYBE EXTMEM:9085 l 4 | USB_LINK_POWER_MANAGEMENT_MAYBE EXTMEM:90e0 l 5 | USB_TEST_MODE_SELECTOR_MAYBE EXTMEM:90fc l 6 | INT_FLAGS_EX0_9104_MAYBE EXTMEM:9104 l 7 | USB_CONTROL_DATA_LENGTH_MAYBE EXTMEM:9110 l 8 | USB_CONTROL_bmRequestType_MAYBE EXTMEM:9180 l 9 | USB_CONTROL_bRequest_MAYBE EXTMEM:9181 l 10 | USB_CONTROL_wValue_MAYBE EXTMEM:9182 l 11 | USB_CONTROL_wIndex_MAYBE EXTMEM:9184 l 12 | USB_CONTROL_wLength_MAYBE EXTMEM:9186 l 13 | INT_FLAGS_EX0_9201_MAYBE EXTMEM:9201 l 14 | SCSI_DATA_TO_HOST_BUF_LEN_MAYBE EXTMEM:9210 l 15 | INT_FLAGS_EX0_9310_MAYBE EXTMEM:9310 l 16 | INT_FLAGS_EX0_9318_MAYBE EXTMEM:9318 l 17 | ANOTHER_USB_BUFFER_9580_MAYBE EXTMEM:9580 l 18 | USB_CONTROL_DATA_BUFFER_MAYBE EXTMEM:9e00 l 19 | 4K_BUFFER_a000 EXTMEM:a000 l 20 | NVME_ASQ_MAYBE EXTMEM:b000 l 21 | NVME_ACQ_MAYBE EXTMEM:b100 l 22 | PCIE_TLP_REQ_HEADER_BUF_MAYBE EXTMEM:b210 l 23 | PCIE_TLP_DATA_BUF_MAYBE EXTMEM:b220 l 24 | PCIE_TLP_CPL_HEADER_BUF_MAYBE EXTMEM:b224 l 25 | NVME_DOORBELL_STRIDE_DWORD_COUNT_b236_MAYBE EXTMEM:b236 l 26 | NVME_DOORBELL_STRIDE_DWORD_COUNT_b23e_MAYBE EXTMEM:b23e l 27 | NVME_DOORBELL_STRIDE_DWORD_COUNT_TIMES_TWO_b242_MAYBE EXTMEM:b242 l 28 | NVME_DOORBELL_STRIDE_DWORD_COUNT_TIMES_THREE_b246_MAYBE EXTMEM:b246 l 29 | NVME_DOORBELL_STRIDE_DWORD_COUNT_TIMES_TWO_b24a_MAYBE EXTMEM:b24a l 30 | NVME_DOORBELL_STRIDE_DWORD_COUNT_TIMES_THREE_b24e_MAYBE EXTMEM:b24e l 31 | PCIE_NVME_DOORBELL_SQT_CQH_MAYBE EXTMEM:b250 l 32 | PCIE_OP_MAYBE EXTMEM:b254 l 33 | PCIE_PM_ENTER_MAYBE EXTMEM:b255 l 34 | INT_FLAGS_EX0_b294_MAYBE EXTMEM:b294 l 35 | PCIE_CSR_MAYBE EXTMEM:b296 l 36 | MIRROR_B200 EXTMEM:b300 l 37 | PCIE_LANE_COUNT_MAYBE EXTMEM:b424 l 38 | PCIE_LINK_STATUS_MAYBE EXTMEM:b4ae l 39 | PCIE_LANE_MASK_MAYBE EXTMEM:b4c8 l 40 | 2K_BUFFER_b800 EXTMEM:b800 l 41 | UART_THR_MAYBE EXTMEM:c001 l 42 | UART_FCR_MAYBE EXTMEM:c004 l 43 | UART_TFBF_MAYBE EXTMEM:c006 l 44 | UART_LCR_MAYBE EXTMEM:c007 l 45 | C450_DMA_RELATED_MAYBE EXTMEM:c450 l 46 | C451_DMA_ENTRY_MAYBE EXTMEM:c451 l 47 | C462_DMA_ENTRY_MAYBE EXTMEM:c462 l 48 | C468_LEN_MAYBE EXTMEM:c468 l 49 | C46C_START_ID_MAYBE EXTMEM:c46c l 50 | C46D_NEXT_ID_MAYBE EXTMEM:c46d l 51 | C46E_STREAM_ID_MAYBE EXTMEM:c46e l 52 | C470_CMDQ_DIR_END_MAYBE EXTMEM:c470 l 53 | FLASH_CON_c89f EXTMEM:c89f l 54 | FLASH_CON_FLASH_ADDR_LO EXTMEM:c8a1 l 55 | FLASH_CON_FLASH_ADDR_MD EXTMEM:c8a2 l 56 | FLASH_CON_DATA_LEN EXTMEM:c8a3 l 57 | FLASH_CON_DIV_MAYBE EXTMEM:c8a6 l 58 | FLASH_CON_CSR EXTMEM:c8a9 l 59 | FLASH_CON_CMD EXTMEM:c8aa l 60 | FLASH_CON_FLASH_ADDR_HI EXTMEM:c8ab l 61 | FLASH_CON_ADDR_LEN_MAYBE EXTMEM:c8ac l 62 | FLASH_CON_MODE EXTMEM:c8ad l 63 | FLASH_CON_BUF_OFFSET EXTMEM:c8ae l 64 | CPU_MODE_NEXT_MAYBE EXTMEM:ca06 l 65 | CPU_MODE_CURRENT_MAYBE EXTMEM:ca07 l 66 | TIMER0_DIV_MAYBE EXTMEM:cc10 l 67 | TIMER0_CSR_MAYBE EXTMEM:cc11 l 68 | TIMER0_THRESHOLD_MAYBE EXTMEM:cc12 l 69 | TIMER1_DIV_MAYBE EXTMEM:cc16 l 70 | TIMER1_CSR_MAYBE EXTMEM:cc17 l 71 | TIMER1_THRESHOLD_MAYBE EXTMEM:cc18 l 72 | TIMER2_DIV_MAYBE EXTMEM:cc1c l 73 | TIMER2_CSR_MAYBE EXTMEM:cc1d l 74 | TIMER2_THRESHOLD_MAYBE EXTMEM:cc1e l 75 | TIMER3_DIV_MAYBE EXTMEM:cc22 l 76 | TIMER3_CSR_MAYBE EXTMEM:cc23 l 77 | TIMER3_IDLE_TIMER_TIMOUT_HALF_SECONDS_MAYBE EXTMEM:cc24 l 78 | CPU_EXEC_CTRL_MAYBE EXTMEM:cc31 l 79 | NVME_LBADS_MDTS_ce48_MAYBE EXTMEM:ce48 l 80 | ANOTHER_USB_BUFFER_ceb0_MAYBE EXTMEM:ceb0 l 81 | SCSI_RESPONSE_ARRAY_MAYBE EXTMEM:d800 l 82 | USB_PCIE_BUFFER_MAYBE EXTMEM:f000 l 83 | -------------------------------------------------------------------------------- /ASM2x6x/data/labels-asm2364.txt: -------------------------------------------------------------------------------- 1 | FLASH_CON_BUF_MAYBE EXTMEM:7000 l 2 | SCSI_DATA_TO_HOST_BUF_LEN_MAYBE EXTMEM:9007 l 3 | INT_FLAGS_EX0_9091_MAYBE EXTMEM:9091 l 4 | ANOTHER_USB_BUFFER_911b_MAYBE EXTMEM:911b l 5 | 4K_BUFFER_a000 EXTMEM:a000 l 6 | NVME_ASQ_MAYBE EXTMEM:b000 l 7 | NVME_ACQ_MAYBE EXTMEM:b100 l 8 | PCIE_TLP_REQ_HEADER_BUF_MAYBE EXTMEM:b210 l 9 | PCIE_TLP_DATA_BUF_MAYBE EXTMEM:b220 l 10 | PCIE_TLP_CPL_HEADER_BUF_MAYBE EXTMEM:b224 l 11 | PCIE_NVME_DOORBELL_SQT_CQH_MAYBE EXTMEM:b250 l 12 | PCIE_OP_MAYBE EXTMEM:b254 l 13 | PCIE_PM_ENTER_MAYBE EXTMEM:b255 l 14 | PCIE_CSR_MAYBE EXTMEM:b296 l 15 | MIRROR_B200 EXTMEM:b300 l 16 | PCIE_LANE_COUNT_MAYBE EXTMEM:b424 l 17 | PCIE_LINK_STATUS_MAYBE EXTMEM:b4ae l 18 | PCIE_LANE_MASK_MAYBE EXTMEM:b4c8 l 19 | UART_THR_MAYBE EXTMEM:c001 l 20 | UART_FCR_MAYBE EXTMEM:c004 l 21 | UART_TFBF_MAYBE EXTMEM:c006 l 22 | UART_LCR_MAYBE EXTMEM:c007 l 23 | C462_DMA_ENTRY_MAYBE EXTMEM:c462 l 24 | C470_CMDQ_DIR_END_MAYBE EXTMEM:c470 l 25 | I2C_ADDR_c870_MAYBE EXTMEM:c870 l 26 | I2C_MODE_c871_MAYBE EXTMEM:c871 l 27 | I2C_LEN_c873_MAYBE EXTMEM:c873 l 28 | I2C_CSR_c875_MAYBE EXTMEM:c875 l 29 | I2C_SRC_c878_MAYBE EXTMEM:c878 l 30 | I2C_DST_c87c_MAYBE EXTMEM:c87c l 31 | I2C_CSR_c87f_MAYBE EXTMEM:c87f l 32 | FLASH_CON_c89f EXTMEM:c89f l 33 | FLASH_CON_FLASH_ADDR_LO EXTMEM:c8a1 l 34 | FLASH_CON_FLASH_ADDR_MD EXTMEM:c8a2 l 35 | FLASH_CON_DATA_LEN EXTMEM:c8a3 l 36 | FLASH_CON_DIV_MAYBE EXTMEM:c8a6 l 37 | FLASH_CON_CSR EXTMEM:c8a9 l 38 | FLASH_CON_CMD EXTMEM:c8aa l 39 | FLASH_CON_FLASH_ADDR_HI EXTMEM:c8ab l 40 | FLASH_CON_ADDR_LEN_MAYBE EXTMEM:c8ac l 41 | FLASH_CON_MODE EXTMEM:c8ad l 42 | FLASH_CON_BUF_OFFSET EXTMEM:c8ae l 43 | CPU_MODE_NEXT_MAYBE EXTMEM:ca06 l 44 | TIMER0_DIV_MAYBE EXTMEM:cc10 l 45 | TIMER0_CSR_MAYBE EXTMEM:cc11 l 46 | TIMER0_THRESHOLD_MAYBE EXTMEM:cc12 l 47 | TIMER1_DIV_MAYBE EXTMEM:cc16 l 48 | TIMER1_CSR_MAYBE EXTMEM:cc17 l 49 | TIMER1_THRESHOLD_MAYBE EXTMEM:cc18 l 50 | TIMER2_DIV_MAYBE EXTMEM:cc1c l 51 | TIMER2_CSR_MAYBE EXTMEM:cc1d l 52 | TIMER2_THRESHOLD_MAYBE EXTMEM:cc1e l 53 | TIMER3_DIV_MAYBE EXTMEM:cc22 l 54 | TIMER3_CSR_MAYBE EXTMEM:cc23 l 55 | TIMER3_IDLE_TIMER_TIMOUT_HALF_SECONDS_MAYBE EXTMEM:cc24 l 56 | CPU_EXEC_CTRL_MAYBE EXTMEM:cc31 l 57 | SCSI_RESPONSE_ARRAY_MAYBE EXTMEM:d800 l 58 | -------------------------------------------------------------------------------- /ASM2x6x/data/labels-asm2464.txt: -------------------------------------------------------------------------------- 1 | UART_THR_MAYBE EXTMEM:c001 l 2 | UART_FCR_MAYBE EXTMEM:c004 l 3 | UART_TFBF_MAYBE EXTMEM:c006 l 4 | UART_LCR_MAYBE EXTMEM:c007 l 5 | -------------------------------------------------------------------------------- /ASM2x6x/doc/Notes.md: -------------------------------------------------------------------------------- 1 | # ASM2x6x Reverse Engineering Notes 2 | 3 | 4 | ## Feature comparison 5 | 6 | | IC | USB VID:PID | USB SuperSpeed Generation × Lanes | USB4 / Thunderbolt 3 | PCIe Version × Lanes | IC Package | 7 | | --- | --- | --- | --- | --- | --- | 8 | | [ASM2362][ASM2362] | 174c:2362 | Gen 2×1 | No | PCIe 3.x ×2 | QFN-64 | 9 | | [ASM2364][ASM2364] | 174c:236? | Gen 2×2 | No | PCIe 3.x ×4 | QFN-88 | 10 | | [ASM2464PD][ASM2464PD] | 174c:246? | Gen 3×2 | Yes | PCIe 4.x ×4 | FCCSP | 11 | | [ASM2464PDX][ASM2464PDX] | 174c:246? | Gen 3×2 | Yes | PCIe 4.x ×4 | FCCSP | 12 | 13 | 14 | ## Hardware information 15 | 16 | - CPU 17 | - Compatible with the MCS-51 (8051) instruction set. 18 | - One clock cycle per machine cycle ("1T"). 19 | - Instruction cycle counts match the STCmicro STC15 series with the STC-Y5 20 | 8051 core, with the exception of the MOVX instructions, which each seem 21 | to take between 2 and 5 clock cycles. See the instruction set summary 22 | starting on page 340 of [this PDF][stc] for a list of instructions and 23 | their cycle counts. 24 | - Operating frequency: ~114.285714 MHz 25 | - TODO: Confirm frequency of ASM2464PD(X) CPU. 26 | - UART 27 | - 3V3 28 | - 921600 8N1 29 | - Pins: 30 | - ASM2362 31 | - RX: IC pin 63 32 | - TX: IC pin 62 33 | - ASM2364 34 | - RX: IC pin 87 35 | - TX: IC pin 86 36 | - ASM2464PD(X) 37 | - RX: IC ball A21 38 | - TX: IC ball B21 39 | - I2C 40 | - Pins: 41 | - ASM2362 42 | - Data: IC pin 2 43 | - Clock: IC pin 3 44 | - ASM2364 45 | - Data: IC pin 5 46 | - Clock: IC pin 6 47 | 48 | - Memory maps 49 | - ASM2364 50 | - Regions 51 | - `0x0000-0x5FFF`: 24 kB XRAM 52 | - `0x6000-0x6FFF`: 4 kB of unused address space (zero-filled, read-only) 53 | - `0x7000-0x7FFF`: 4 kB XRAM (SPI flash controller read/write buffer) 54 | - `0x8000-0x8FFF`: 4 kB XRAM (USB/SCSI buffers?) 55 | - `0x9000-0x93FF`: MMIO peripherals (USB?) 56 | - `0x9400-0x97FF`: Mirror of MMIO `0x9000-0x93FF`? 57 | - `0x9800-0x9BFF`: Mirror of MMIO `0x9000-0x93FF`? 58 | - `0x9C00-0x9DFF`: Mirror of MMIO `0x9000-0x91FF`? 59 | - `0x9E00-0x9FFF`: 512 B XRAM (USB control transfer buffer) 60 | - `0xA000-0xAFFF`: 4 kB XRAM, PCIe DMA address: `0x00820000` (NVMe I/O Submission Queue) 61 | - `0xB000-0xB1FF`: 512 B XRAM, PCIe DMA address: `0x00800000` (NVMe Admin Submission Queue) 62 | - `0xB200-0xB7FF`: MMIO peripherals (PCIe?) 63 | - `0xB800-0xBFFF`: 2 kB XRAM 64 | - `0xC000-0xCFFF`: MMIO peripherals (UART, flash controller, timers, etc.) 65 | - `0xD000-0xD3FF`: 1 kB XRAM 66 | - `0xD400-0xD7FF`: Mirror of XRAM `0xD000-0xD3FF` 67 | - `0xD800-0xDFFF`: 2 kB XRAM (USB/SCSI buffers?) 68 | - `0xE000-0xE2FF`: Mirror of XRAM `0xD800-0xDAFF` 69 | - `0xE300-0xE7FF`: MMIO peripherals 70 | - `0xE800-0xE9FF`: 512 B XRAM 71 | - `0xEA00-0xEBFF`: Mirror of XRAM `0xE800-0xE9FF` 72 | - `0xEC00-0xEDFF`: Mirror of XRAM `0xE800-0xE9FF` 73 | - `0xEE00-0xEFFF`: Mirror of XRAM `0xE800-0xE9FF` 74 | - `0xF000-0xFFFF`: 4 kB XRAM, PCIe DMA address: `0x00200000` (NVMe generic data buffer) 75 | - Peripherals 76 | - `0xC000`: UART. 77 | - Same memory map as [the one in ASMedia's USB host controllers][uart-regs]. 78 | - Changing the divisor doesn't appear to work. 79 | 80 | 81 | ### IOCrest SY-ENC40231 (ASM2364) 82 | 83 | - 25 MHz crystal oscillator. 84 | - UART 85 | - TX can be accessed at resistor R10 on the pad nearest the ASM2364 IC. 86 | - RX can only be accessed on the ASM2364 IC itself. 87 | 88 | 89 | ### ORICO M2PVC3-G20 (ASM2364) 90 | 91 | - 25 MHz crystal oscillator. 92 | - UART 93 | - TX can be accessed at resistor R18 on the pad nearest the ASM2364 IC. 94 | - RX can only be accessed on the ASM2364 IC itself. 95 | 96 | 97 | ### Seagate FireCuda Gaming SSD (ASM2364) 98 | 99 | - I2C bus is connected to an LED controller ([source][seagate-faze]). 100 | 101 | 102 | ### Blueendless M280U4A (ASM2464PD) 103 | 104 | - 25 MHz crystal oscillator. 105 | - UART header 106 | - Pin 1: Unknown 107 | - Pin 2: Ground 108 | - Pin 3: TX 109 | - Pin 4: Unknown 110 | 111 | 112 | ## USB protocol 113 | 114 | Everything is done over custom SCSI commands. Commands are documented in the 115 | following format: 116 | 117 | - `0xXX`: Command description. 118 | - `T`: Parameter description. 119 | - Returns: Nothing. 120 | 121 | Where `0xXX` is the command byte and `T` is the Python type format character 122 | of the first parameter. So, to send a command with the following format: 123 | 124 | - `0xC0`: Example command. 125 | - `B`: Byte parameter. 126 | - `>H`: Big-endian 16-bit unsigned integer parameter. 127 | - `2x`: Two bytes of padding. 128 | - Returns: One byte of example data. 129 | 130 | Where you want the byte parameter set to `0x01` and the big-endian u16 set to 131 | `0xcafe`, you would use the following `sg_raw` command (replace `/dev/sg0` 132 | with the path of your device's SG\_IO device file): 133 | 134 | ``` 135 | sg_raw -r 1 /dev/sg0 c0 01 ca fe 00 00 136 | ``` 137 | 138 | 139 | ### Commands 140 | 141 | - `0xE0`: Read configuration data. 142 | - `B`: Image index, can be either 0 or 1. 143 | - `4x`: Four bytes of padding. 144 | - Returns: 128 bytes of the configuration data. 145 | - Examples: 146 | - `e0 00 00 00 00 00`: Read image 0 147 | - `e0 01 00 00 00 00`: Read image 1 148 | - `0xE1`: Write configuration data. 149 | - `0xE2`: Flash read. 150 | - `B`: Unknown. 151 | - `>I`: Number of bytes to read from flash. 152 | - Returns: N bytes of flash data starting from address zero. 153 | - `0xE3`: Firmware write. 154 | - `B`: Unknown. 155 | - `>I`: Number of bytes to write to flash. 156 | - Payload: The data to write to flash starting at address 0x80. 157 | - `0xE4`: XDATA read. 158 | - `B`: The number of bytes to read, max 255. 159 | - `x`: Padding byte. 160 | - `>H`: XDATA address. 161 | - `x`: Padding byte. 162 | - Returns: N bytes of XDATA from the address you requested to read from. 163 | - Examples: 164 | - `e4 06 00 07 f0 00`: Read the 6-byte firmware version starting at 165 | address `0x07F0`. 166 | - `0xE5`: XDATA write. 167 | - `B`: The byte of data to write. 168 | - `x`: Padding byte. 169 | - `>H`: XDATA address. 170 | - `x`: Padding byte. 171 | - Returns: Nothing. 172 | - Examples: 173 | - `e5 ff 00 07 f0 00`: Write `0xFF` to XDATA at address `0x07F0`. 174 | - `0xE6`: Send NVMe Admin Command 175 | - `B`: "Opcode (OPC)": 2 or 6 (only "Get Log Page" and "Identify" are supported) 176 | - `x`: Padding byte. 177 | - "Get Log Page" only: 178 | - `B`: "Log Page Identifier (LID)" 179 | - `2x`: 2 bytes of padding. 180 | - `>H`: "Number of Dwords Lower (NUMDL)" 181 | - `>Q`: "Log Page Offset" 182 | - "Identify" only: 183 | - `B`: "Controller or Namespace Structure (CNS)" 184 | - `0xE8`: Reset 185 | - `B`: The type of reset to perform. `0x00` for CPU reset, `0x01` for some 186 | kind of "soft"/PCIe reset? 187 | - `10x`: 10 bytes of padding. 188 | - Returns: Nothing. 189 | - Examples: 190 | - `e8 00 00 00 00 00 00 00 00 00 00 00` 191 | - `e8 01 00 00 00 00 00 00 00 00 00 00` 192 | 193 | 194 | #### Seagate FireCuda Gaming SSD Commands 195 | 196 | - `0xD1`: Get LED 197 | - `6B`: Magic: "GetLed" 198 | - `B`: LED index. Written to `0xE800`. Seen: 0, 1, 2, 3, 4, 5 199 | - 0: Unknown 200 | - 1: Status LED 201 | - 2: RGB LED 0 (the LED furthest from the Seagate logo) 202 | - 3: RGB LED 1 203 | - 4: RGB LED 2 204 | - 5: RGB LED 3 (the LED closest to the Seagate logo) 205 | - `B`: I2C mode? Written to `0xC871`. Seen: `0x03`, `0x20`, `0xff` 206 | - `x`: Padding byte. 207 | - `B`: Read length. Written to `0xE801` and `0xC874`. 208 | - `5x`: 5 bytes of padding. 209 | - Returns: "Read length" bytes of data. See "Data Format" for details. 210 | - `0xD2`: Set LED 211 | - `6B`: Magic: "SetLed" 212 | - `B`: LED index. Written to `0xE800`. 213 | - `B`: I2C mode? `0x21`. Written to `0xC871`. 214 | - `x`: Padding byte. 215 | - `B`: Write length. Written to `0xE801`. 216 | - `5x`: 5 bytes of padding. 217 | - Payload: "Write length" bytes of data. See "Data Format" for details. 218 | - Returns: Nothing. 219 | 220 | 221 | ##### Data Format 222 | 223 | Data format depends on the first byte--the mode index. 224 | 225 | - Mode 4: Custom (Length: 39 bytes) 226 | - `B`: Mode: Custom (0x04) 227 | - `B`: Global brightness: 0-255 228 | - `B`: Number of states for the LED: 1-8 229 | - If this number `N` is less than eight, only the first `N` states are used. The rest are ignored. 230 | - `B`: State hold time, in tenths of one second: 0-255 231 | - `x`: Padding byte. 232 | - `B`: State transition time, in tenths of one second: 0-255 233 | - `x`: Padding byte. 234 | - `8 * 4B`: The eight LED states. Each four-byte state has the following format: 235 | - `B`: Red: 0-255 236 | - `B`: Green: 0-255 237 | - `B`: Blue: 0-255 238 | - `B`: Brightness: 0-255 239 | 240 | 241 | [stc]: https://web.archive.org/web/20200305112930/http://stcmicro.com/datasheet/STC15F2K60S2-en.pdf 242 | [ASM2362]: https://web.archive.org/web/20220608104342/https://www.asmedia.com.tw/product/Ee1YQF9sX7yyajH5/C5cYq34qpByQ6jm6 243 | [ASM2364]: https://web.archive.org/web/20220703204756/https://www.asmedia.com.tw/product/BD5YqfdsPDqXFqi3/BF2yq24XzDuS5Tr4 244 | [ASM2464PD]: https://web.archive.org/web/20231113020255/https://www.asmedia.com.tw/product/802zX91Yw3tsFgm4/C64ZX59yu4sY1GW5 245 | [ASM2464PDX]: https://web.archive.org/web/20231113020241/https://www.asmedia.com.tw/product/bDFzXa0ip1YI7Wj1/C64ZX59yu4sY1GW5 246 | [uart-regs]: https://github.com/cyrozap/asmedia-xhc-re/blob/22fd32c53f7f34f50d659372334a384e269f5458/data/regs-asm1142.yaml#L700-L900 247 | [seagate-faze]: https://web.archive.org/web/20241120033537/https://docs.zephyrproject.org/latest/boards/seagate/faze/doc/index.html 248 | -------------------------------------------------------------------------------- /ASM2x6x/doc/USB-descriptor-ASM2364-ORICO-M2PVC3-G20-Gen1x1.txt: -------------------------------------------------------------------------------- 1 | 2 | Bus xxx Device yyy: ID 174c:2364 ASMedia Technology Inc. ASM236x series 3 | Device Descriptor: 4 | bLength 18 5 | bDescriptorType 1 6 | bcdUSB 3.20 7 | bDeviceClass 0 8 | bDeviceSubClass 0 9 | bDeviceProtocol 0 10 | bMaxPacketSize0 9 11 | idVendor 0x174c ASMedia Technology Inc. 12 | idProduct 0x2364 13 | bcdDevice 1.00 14 | iManufacturer 2 ASMedia 15 | iProduct 3 ASM236x series 16 | iSerial 1 0000000000000000 17 | bNumConfigurations 1 18 | Configuration Descriptor: 19 | bLength 9 20 | bDescriptorType 2 21 | wTotalLength 0x0079 22 | bNumInterfaces 1 23 | bConfigurationValue 1 24 | iConfiguration 0 25 | bmAttributes 0xc0 26 | Self Powered 27 | MaxPower 0mA 28 | Interface Descriptor: 29 | bLength 9 30 | bDescriptorType 4 31 | bInterfaceNumber 0 32 | bAlternateSetting 0 33 | bNumEndpoints 2 34 | bInterfaceClass 8 Mass Storage 35 | bInterfaceSubClass 6 SCSI 36 | bInterfaceProtocol 80 Bulk-Only 37 | iInterface 0 38 | Endpoint Descriptor: 39 | bLength 7 40 | bDescriptorType 5 41 | bEndpointAddress 0x81 EP 1 IN 42 | bmAttributes 2 43 | Transfer Type Bulk 44 | Synch Type None 45 | Usage Type Data 46 | wMaxPacketSize 0x0400 1x 1024 bytes 47 | bInterval 0 48 | bMaxBurst 15 49 | Endpoint Descriptor: 50 | bLength 7 51 | bDescriptorType 5 52 | bEndpointAddress 0x02 EP 2 OUT 53 | bmAttributes 2 54 | Transfer Type Bulk 55 | Synch Type None 56 | Usage Type Data 57 | wMaxPacketSize 0x0400 1x 1024 bytes 58 | bInterval 0 59 | bMaxBurst 15 60 | Interface Descriptor: 61 | bLength 9 62 | bDescriptorType 4 63 | bInterfaceNumber 0 64 | bAlternateSetting 1 65 | bNumEndpoints 4 66 | bInterfaceClass 8 Mass Storage 67 | bInterfaceSubClass 6 SCSI 68 | bInterfaceProtocol 98 69 | iInterface 0 70 | Endpoint Descriptor: 71 | bLength 7 72 | bDescriptorType 5 73 | bEndpointAddress 0x81 EP 1 IN 74 | bmAttributes 2 75 | Transfer Type Bulk 76 | Synch Type None 77 | Usage Type Data 78 | wMaxPacketSize 0x0400 1x 1024 bytes 79 | bInterval 0 80 | bMaxBurst 15 81 | MaxStreams 32 82 | Data-in pipe (0x03) 83 | Endpoint Descriptor: 84 | bLength 7 85 | bDescriptorType 5 86 | bEndpointAddress 0x02 EP 2 OUT 87 | bmAttributes 2 88 | Transfer Type Bulk 89 | Synch Type None 90 | Usage Type Data 91 | wMaxPacketSize 0x0400 1x 1024 bytes 92 | bInterval 0 93 | bMaxBurst 15 94 | MaxStreams 32 95 | Data-out pipe (0x04) 96 | Endpoint Descriptor: 97 | bLength 7 98 | bDescriptorType 5 99 | bEndpointAddress 0x83 EP 3 IN 100 | bmAttributes 2 101 | Transfer Type Bulk 102 | Synch Type None 103 | Usage Type Data 104 | wMaxPacketSize 0x0400 1x 1024 bytes 105 | bInterval 0 106 | bMaxBurst 15 107 | MaxStreams 32 108 | Status pipe (0x02) 109 | Endpoint Descriptor: 110 | bLength 7 111 | bDescriptorType 5 112 | bEndpointAddress 0x04 EP 4 OUT 113 | bmAttributes 2 114 | Transfer Type Bulk 115 | Synch Type None 116 | Usage Type Data 117 | wMaxPacketSize 0x0400 1x 1024 bytes 118 | bInterval 0 119 | bMaxBurst 0 120 | Command pipe (0x01) 121 | Binary Object Store Descriptor: 122 | bLength 5 123 | bDescriptorType 15 124 | wTotalLength 0x002a 125 | bNumDeviceCaps 3 126 | USB 2.0 Extension Device Capability: 127 | bLength 7 128 | bDescriptorType 16 129 | bDevCapabilityType 2 130 | bmAttributes 0x0000f41e 131 | BESL Link Power Management (LPM) Supported 132 | BESL value 1024 us 133 | Deep BESL value 61440 us 134 | SuperSpeed USB Device Capability: 135 | bLength 10 136 | bDescriptorType 16 137 | bDevCapabilityType 3 138 | bmAttributes 0x00 139 | wSpeedsSupported 0x000e 140 | Device can operate at Full Speed (12Mbps) 141 | Device can operate at High Speed (480Mbps) 142 | Device can operate at SuperSpeed (5Gbps) 143 | bFunctionalitySupport 1 144 | Lowest fully-functional device speed is Full Speed (12Mbps) 145 | bU1DevExitLat 10 micro seconds 146 | bU2DevExitLat 2047 micro seconds 147 | SuperSpeedPlus USB Device Capability: 148 | bLength 20 149 | bDescriptorType 16 150 | bDevCapabilityType 10 151 | bmAttributes 0x00000001 152 | Sublink Speed Attribute count 2 153 | Sublink Speed ID count 1 154 | wFunctionalitySupport 0x1100 155 | Min functional Speed Attribute ID: 0 156 | Min functional RX lanes: 1 157 | Min functional TX lanes: 1 158 | bmSublinkSpeedAttr[0] 0x000a4030 159 | Speed Attribute ID: 0 10Gb/s Symmetric RX SuperSpeedPlus 160 | bmSublinkSpeedAttr[1] 0x000a40b0 161 | Speed Attribute ID: 0 10Gb/s Symmetric TX SuperSpeedPlus 162 | Device Status: 0x0001 163 | Self Powered 164 | -------------------------------------------------------------------------------- /ASM2x6x/doc/USB-descriptor-ASM2364-ROM-Gen1x1.txt: -------------------------------------------------------------------------------- 1 | 2 | Bus xxx Device yyy: ID 174c:2364 ASMedia Technology Inc. AS2360 3 | Device Descriptor: 4 | bLength 18 5 | bDescriptorType 1 6 | bcdUSB 3.20 7 | bDeviceClass 0 8 | bDeviceSubClass 0 9 | bDeviceProtocol 0 10 | bMaxPacketSize0 9 11 | idVendor 0x174c ASMedia Technology Inc. 12 | idProduct 0x2364 13 | bcdDevice 0.01 14 | iManufacturer 2 ASMedia 15 | iProduct 3 AS2360 16 | iSerial 1 00000000000000000000 17 | bNumConfigurations 1 18 | Configuration Descriptor: 19 | bLength 9 20 | bDescriptorType 2 21 | wTotalLength 0x002c 22 | bNumInterfaces 1 23 | bConfigurationValue 1 24 | iConfiguration 0 25 | bmAttributes 0xc0 26 | Self Powered 27 | MaxPower 0mA 28 | Interface Descriptor: 29 | bLength 9 30 | bDescriptorType 4 31 | bInterfaceNumber 0 32 | bAlternateSetting 0 33 | bNumEndpoints 2 34 | bInterfaceClass 8 Mass Storage 35 | bInterfaceSubClass 6 SCSI 36 | bInterfaceProtocol 80 Bulk-Only 37 | iInterface 0 38 | Endpoint Descriptor: 39 | bLength 7 40 | bDescriptorType 5 41 | bEndpointAddress 0x81 EP 1 IN 42 | bmAttributes 2 43 | Transfer Type Bulk 44 | Synch Type None 45 | Usage Type Data 46 | wMaxPacketSize 0x0400 1x 1024 bytes 47 | bInterval 0 48 | bMaxBurst 15 49 | Endpoint Descriptor: 50 | bLength 7 51 | bDescriptorType 5 52 | bEndpointAddress 0x02 EP 2 OUT 53 | bmAttributes 2 54 | Transfer Type Bulk 55 | Synch Type None 56 | Usage Type Data 57 | wMaxPacketSize 0x0400 1x 1024 bytes 58 | bInterval 0 59 | bMaxBurst 15 60 | Binary Object Store Descriptor: 61 | bLength 5 62 | bDescriptorType 15 63 | wTotalLength 0x002a 64 | bNumDeviceCaps 3 65 | USB 2.0 Extension Device Capability: 66 | bLength 7 67 | bDescriptorType 16 68 | bDevCapabilityType 2 69 | bmAttributes 0x0000f41e 70 | BESL Link Power Management (LPM) Supported 71 | BESL value 1024 us 72 | Deep BESL value 61440 us 73 | SuperSpeed USB Device Capability: 74 | bLength 10 75 | bDescriptorType 16 76 | bDevCapabilityType 3 77 | bmAttributes 0x00 78 | wSpeedsSupported 0x000e 79 | Device can operate at Full Speed (12Mbps) 80 | Device can operate at High Speed (480Mbps) 81 | Device can operate at SuperSpeed (5Gbps) 82 | bFunctionalitySupport 1 83 | Lowest fully-functional device speed is Full Speed (12Mbps) 84 | bU1DevExitLat 10 micro seconds 85 | bU2DevExitLat 2047 micro seconds 86 | SuperSpeedPlus USB Device Capability: 87 | bLength 20 88 | bDescriptorType 16 89 | bDevCapabilityType 10 90 | bmAttributes 0x00000001 91 | Sublink Speed Attribute count 1 92 | Sublink Speed ID count 0 93 | wFunctionalitySupport 0x1100 94 | bmSublinkSpeedAttr[0] 0x000a4030 95 | Speed Attribute ID: 0 10Gb/s Symmetric RX SuperSpeedPlus 96 | bmSublinkSpeedAttr[1] 0x000a40b0 97 | Speed Attribute ID: 0 10Gb/s Symmetric TX SuperSpeedPlus 98 | Device Status: 0x0001 99 | Self Powered 100 | -------------------------------------------------------------------------------- /ASM2x6x/doc/USB-descriptor-ASM2464-ROM.txt: -------------------------------------------------------------------------------- 1 | 2 | Bus xxx Device yyy: ID 174c:2463 ASMedia Technology Inc. AS2462 3 | Device Descriptor: 4 | bLength 18 5 | bDescriptorType 1 6 | bcdUSB 3.20 7 | bDeviceClass 0 [unknown] 8 | bDeviceSubClass 0 [unknown] 9 | bDeviceProtocol 0 10 | bMaxPacketSize0 9 11 | idVendor 0x174c ASMedia Technology Inc. 12 | idProduct 0x2463 AS2462 13 | bcdDevice 0.01 14 | iManufacturer 2 ASMedia 15 | iProduct 3 AS2462 16 | iSerial 1 00000000000000000000 17 | bNumConfigurations 1 18 | Configuration Descriptor: 19 | bLength 9 20 | bDescriptorType 2 21 | wTotalLength 0x002c 22 | bNumInterfaces 1 23 | bConfigurationValue 1 24 | iConfiguration 0 25 | bmAttributes 0xc0 26 | Self Powered 27 | MaxPower 0mA 28 | Interface Descriptor: 29 | bLength 9 30 | bDescriptorType 4 31 | bInterfaceNumber 0 32 | bAlternateSetting 0 33 | bNumEndpoints 2 34 | bInterfaceClass 8 Mass Storage 35 | bInterfaceSubClass 6 SCSI 36 | bInterfaceProtocol 80 Bulk-Only 37 | iInterface 0 38 | Endpoint Descriptor: 39 | bLength 7 40 | bDescriptorType 5 41 | bEndpointAddress 0x81 EP 1 IN 42 | bmAttributes 2 43 | Transfer Type Bulk 44 | Synch Type None 45 | Usage Type Data 46 | wMaxPacketSize 0x0400 1x 1024 bytes 47 | bInterval 0 48 | bMaxBurst 15 49 | Endpoint Descriptor: 50 | bLength 7 51 | bDescriptorType 5 52 | bEndpointAddress 0x02 EP 2 OUT 53 | bmAttributes 2 54 | Transfer Type Bulk 55 | Synch Type None 56 | Usage Type Data 57 | wMaxPacketSize 0x0400 1x 1024 bytes 58 | bInterval 0 59 | bMaxBurst 15 60 | Binary Object Store Descriptor: 61 | bLength 5 62 | bDescriptorType 15 63 | wTotalLength 0x002a 64 | bNumDeviceCaps 3 65 | USB 2.0 Extension Device Capability: 66 | bLength 7 67 | bDescriptorType 16 68 | bDevCapabilityType 2 69 | bmAttributes 0x0000f41e 70 | BESL Link Power Management (LPM) Supported 71 | BESL value 1024 us 72 | Deep BESL value 61440 us 73 | SuperSpeed USB Device Capability: 74 | bLength 10 75 | bDescriptorType 16 76 | bDevCapabilityType 3 77 | bmAttributes 0x00 78 | wSpeedsSupported 0x000e 79 | Device can operate at Full Speed (12Mbps) 80 | Device can operate at High Speed (480Mbps) 81 | Device can operate at SuperSpeed (5Gbps) 82 | bFunctionalitySupport 1 83 | Lowest fully-functional device speed is Full Speed (12Mbps) 84 | bU1DevExitLat 10 micro seconds 85 | bU2DevExitLat 2047 micro seconds 86 | SuperSpeedPlus USB Device Capability: 87 | bLength 20 88 | bDescriptorType 16 89 | bDevCapabilityType 10 90 | bmAttributes 0x00000001 91 | Sublink Speed Attribute count 2 92 | Sublink Speed ID count 1 93 | wFunctionalitySupport 0x1100 94 | Min functional Speed Attribute ID: 0 95 | Min functional RX lanes: 1 96 | Min functional TX lanes: 1 97 | bmSublinkSpeedAttr[0] 0x000a4030 98 | Speed Attribute ID: 0 10Gb/s Symmetric RX SuperSpeedPlus 99 | bmSublinkSpeedAttr[1] 0x000a40b0 100 | Speed Attribute ID: 0 10Gb/s Symmetric TX SuperSpeedPlus 101 | Device Status: 0x0001 102 | Self Powered 103 | -------------------------------------------------------------------------------- /ASM2x6x/etc/99-asm2x6x.rules: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: 0BSD OR CC0-1.0 2 | 3 | # Copyright (C) 2023-2024 by Forest Crossman 4 | # 5 | # Permission to use, copy, modify, and/or distribute this software for 6 | # any purpose with or without fee is hereby granted. 7 | # 8 | # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL 9 | # WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED 10 | # WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE 11 | # AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL 12 | # DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR 13 | # PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER 14 | # TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 15 | # PERFORMANCE OF THIS SOFTWARE. 16 | 17 | # Find all ASMedia ASM236x USB devices 18 | SUBSYSTEMS=="usb", ATTRS{idVendor}=="174c", ATTRS{idProduct}=="236[0-9]", ENV{IS_ASM2X6X}="TRUE" 19 | 20 | # Seagate FireCuda Gaming SSD (ASM2364) 21 | SUBSYSTEMS=="usb", ATTRS{idVendor}=="0bc2", ATTRS{idProduct}=="aa1a", ENV{IS_ASM2X6X}="TRUE" 22 | 23 | # Find all ASMedia ASM246x USB devices 24 | SUBSYSTEMS=="usb", ATTRS{idVendor}=="174c", ATTRS{idProduct}=="246[0-9]", ENV{IS_ASM2X6X}="TRUE" 25 | 26 | # Enable user access to the ASM236x SCSI device 27 | ENV{IS_ASM2X6X}=="TRUE", KERNEL=="sg[0-9]*", SUBSYSTEMS=="scsi_generic", MODE="0666" 28 | -------------------------------------------------------------------------------- /ASM2x6x/firmware/download.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # SPDX-License-Identifier: 0BSD 3 | 4 | # Copyright (C) 2022-2024 by Forest Crossman 5 | # 6 | # Permission to use, copy, modify, and/or distribute this software for 7 | # any purpose with or without fee is hereby granted. 8 | # 9 | # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL 10 | # WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED 11 | # WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE 12 | # AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL 13 | # DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR 14 | # PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER 15 | # TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 16 | # PERFORMANCE OF THIS SOFTWARE. 17 | 18 | 19 | # ASM236x 20 | wget \ 21 | --directory-prefix downloads/ASM236x \ 22 | --content-disposition \ 23 | --user-agent "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.111 Safari/537.36" \ 24 | --input-file urls.txt 25 | 26 | # ASM2464 27 | curl -o downloads/ASM246x/JEYI2464_0525.zip https://web.archive.org/web/20231223011853if_/https://cdn.shoplazza.com/3d54d7ae5536d23a120f31065eed2b57.zip 28 | curl -o downloads/ASM246x/JEYI2464_0810_10min.zip https://web.archive.org/web/20231223011833if_/https://cdn.shoplazza.com/4788ee7e011b6f00f2c5f648c802f746.zip 29 | curl -o downloads/ASM246x/JEYI2464_1005_10Min.zip https://web.archive.org/web/20231223011831if_/https://cdn.shoplazza.com/e5816cde2955976ba163965bd067124d.zip 30 | curl -o downloads/ASM246x/ASM2464PD_FW_231218_85_00_00.zip https://web.archive.org/web/20240312061204if_/https://cdn.shoplazza.com/71af6d849f082e2d2e399a33110accb3.zip 31 | curl -o "downloads/ASM246x/JEYI2464_0525(station-drivers.com).zip" "https://web.archive.org/web/20240406174638if_/https://www.station-drivers.com/download/Realtek/JEYI2464_0525(station-drivers.com).zip" 32 | curl -o "downloads/ASM246x/40d1b2d8asmedia_asm2464_230810_85_00_00(station-drivers.com).zip" "https://web.archive.org/web/20240406174651if_/https://www.station-drivers.com/index.php/en/component/remository/func-download/5988/chk,c5c53c1bbb49b8af1fecb852f1ae5926/no_html,1/lang,en-gb/" 33 | curl -o "downloads/ASM246x/40d1b2d8asmedia_asm2464_230810_85.00.00(station-drivers.com).zip" "https://web.archive.org/web/20240406174902if_/https://www.station-drivers.com/index.php/en/component/remository/func-download/5987/chk,71f4f6db0927fc7fa5fc61c675f489da/no_html,1/lang,en-gb/" 34 | curl -o "downloads/ASM246x/40d1b2d8asmedia_ASM246x_231005.85.01.06(station-drivers.com).zip" "https://web.archive.org/web/20240406174824if_/https://www.station-drivers.com/index.php/en/component/remository/func-download/6118/chk,70c46f029ff9766599724c3f7342c9f3/no_html,1/lang,en-gb/" 35 | curl -o "downloads/ASM246x/asmedia_asm2464_231204(station-drivers.com).zip" "https://web.archive.org/web/20240406175016if_/https://www.station-drivers.com/download/asmedia/asmedia_asm2464_231204(station-drivers.com).zip" 36 | curl -o "downloads/ASM246x/40d1b2d8ASM246xMPTool_v1.0.3.8(station-drivers.com).zip" "https://web.archive.org/web/20240406174753if_/https://www.station-drivers.com/index.php/en/component/remository/func-download/5990/chk,60f7f0cdb8d7168ae1ab399447559ff3/no_html,1/lang,en-gb/" 37 | curl -o "downloads/ASM246x/40d1b2d8Asmedia_ASM2464_240129_84_06_06(station-drivers.com).zip" "https://web.archive.org/web/20240406175025if_/https://www.station-drivers.com/index.php/en/component/remository/func-download/6113/chk,d1ca0194a0226fcd5202a7af3c6af9c2/no_html,1/lang,en-gb/" 38 | curl -o "downloads/ASM246x/40d1b2d8asmedia_ASM2464PD_FW_240129_85_00_00(station-drivers.com).zip" "https://web.archive.org/web/20240406175112if_/https://www.station-drivers.com/index.php/en/component/remository/func-download/6080/chk,b5e36774fb2b6384488cd5717e7be251/no_html,1/lang,en-gb/" 39 | curl -o "downloads/ASM246x/40d1b2d8asmedia_ASM2464_240229_85_00_00(station-drivers.com).zip" "https://web.archive.org/web/20240406173459if_/https://www.station-drivers.com/index.php/en/component/remository/func-download/6106/chk,c7393edd3671753eaf5fb109efdd4281/no_html,1/lang,en-gb/" 40 | curl -o "downloads/ASM246x/40d1b2d8asmedia_asm2464_240229_85_00_00bis(station-drivers.zip" "https://web.archive.org/web/20240406174814if_/https://www.station-drivers.com/index.php/en/component/remository/func-download/6117/chk,5f8d9415da037b189d86ed399891eb9b/no_html,1/lang,en-gb/" 41 | wget --directory-prefix downloads/ASM246x https://web.archive.org/web/20241120025326if_/https://www.adt.link/download/ADT_UT3G_ASM246xMPTool.zip 42 | -------------------------------------------------------------------------------- /ASM2x6x/firmware/downloads/ASM236x/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | -------------------------------------------------------------------------------- /ASM2x6x/firmware/downloads/ASM246x/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | -------------------------------------------------------------------------------- /ASM2x6x/firmware/urls.txt: -------------------------------------------------------------------------------- 1 | https://drv.oemdrivers.com/chipset-asmedia-asm2362/asmedia_asm2362_fw.zip 2 | https://web.archive.org/web/20220704010113if_/https://www.usbdev.ru/?wpfb_dl=9792 3 | https://web.archive.org/web/20220704010142if_/https://www.usbdev.ru/?wpfb_dl=9797 4 | https://web.archive.org/web/20220704010154if_/https://www.usbdev.ru/?wpfb_dl=9793 5 | https://web.archive.org/web/20220704010208if_/https://www.usbdev.ru/?wpfb_dl=9798 6 | https://web.archive.org/web/20220704010212if_/https://www.usbdev.ru/?wpfb_dl=9914 7 | https://web.archive.org/web/20220704010215if_/https://www.usbdev.ru/?wpfb_dl=9913 8 | https://web.archive.org/web/20220704014429if_/https://www.usbdev.ru/?wpfb_dl=10203 9 | https://web.archive.org/web/20220704014436if_/https://www.usbdev.ru/?wpfb_dl=9902 10 | https://web.archive.org/web/20220704050405if_/https://www.usbdev.ru/?wpfb_dl=9800 11 | https://www.silverstonetek.com/en/ajax/download.php?file=/upload/downloads/storage/ASM236xMPTool_v1.1.0.23%20with%20MS12%20FW%20201012910000.zip 12 | -------------------------------------------------------------------------------- /ASM2x6x/tools/.gitignore: -------------------------------------------------------------------------------- 1 | /asm236x_fw.py 2 | -------------------------------------------------------------------------------- /ASM2x6x/tools/Makefile: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: 0BSD 2 | 3 | # Copyright (C) 2022 by Forest Crossman 4 | # 5 | # Permission to use, copy, modify, and/or distribute this software for 6 | # any purpose with or without fee is hereby granted. 7 | # 8 | # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL 9 | # WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED 10 | # WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE 11 | # AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL 12 | # DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR 13 | # PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER 14 | # TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 15 | # PERFORMANCE OF THIS SOFTWARE. 16 | 17 | 18 | all: asm236x_fw.py 19 | 20 | %.py: %.ksy 21 | kaitai-struct-compiler -t python $< 22 | 23 | clean: 24 | rm -f asm236x_fw.py 25 | 26 | .PHONY: all clean 27 | -------------------------------------------------------------------------------- /ASM2x6x/tools/asm236x_fw.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: asm236x_fw 3 | endian: le 4 | title: ASM236x firmware image 5 | license: CC0-1.0 6 | seq: 7 | - id: header 8 | type: header 9 | size: 0x80 10 | - id: body 11 | type: body 12 | types: 13 | usb_info: 14 | seq: 15 | - id: id_vendor 16 | type: u2 17 | - id: id_product 18 | type: u2 19 | - id: bcd_device 20 | type: u2 21 | header: 22 | seq: 23 | - id: unk0 24 | size: 4 25 | - id: serial_number 26 | size: 20 27 | type: str 28 | terminator: 0xff 29 | encoding: "UTF-8" 30 | - id: ep0_manufacturer_string 31 | size: 36 32 | type: str 33 | terminator: 0xff 34 | encoding: "UTF-8" 35 | - id: t10_manufacturer_string 36 | size: 8 37 | type: str 38 | terminator: 0xff 39 | encoding: "UTF-8" 40 | - id: ep0_product_string 41 | size: 32 42 | type: str 43 | terminator: 0xff 44 | encoding: "UTF-8" 45 | - id: t10_product_string 46 | size: 16 47 | type: str 48 | terminator: 0xff 49 | encoding: "UTF-8" 50 | - id: usb_info 51 | type: usb_info 52 | # Offset 0x7a 53 | - id: lp_if_u3 54 | type: b2 55 | - id: lp_if_idle 56 | type: b2 57 | - id: idle_timer 58 | type: b4 59 | # Offset 0x7b 60 | - id: unk7b_76 61 | type: b2 62 | - id: pcie_lane 63 | type: b2 64 | enum: pcie_lane 65 | - id: pcie_speed 66 | type: b2 67 | enum: pcie_speed 68 | - id: pcie_aspm 69 | type: b2 70 | enum: pcie_aspm 71 | doc: "ASPM disable bits. Clearing both bits enables L0s and L1 entry. Setting bit 0 disables L0s entry, setting bit 1 disables L1 entry. Setting both bits sets ASPM to the default for the form factor, which in many cases will mean ASPM is disabled." 72 | # Offset 0x7c 73 | - id: unk7c 74 | type: u1 75 | # Offset 0x7d 76 | - id: disable_slow_enumeration 77 | type: b1 78 | - id: disable_2tb 79 | type: b1 80 | - id: disable_low_power_mode 81 | type: b1 82 | - id: disable_u1u2 83 | type: b1 84 | - id: disable_wtg 85 | type: b1 86 | - id: disable_two_leds 87 | type: b1 88 | - id: disable_eup 89 | type: b1 90 | - id: disable_usb_removable 91 | type: b1 92 | # Offset 0x7e 93 | - id: magic 94 | type: u1 95 | doc: "Must be 0x5A." 96 | # Offset 0x7f 97 | - id: checksum 98 | type: u1 99 | doc: "8-bit sum of all the bytes from offset 0x04 through 0x7E, inclusive." 100 | enums: 101 | pcie_lane: 102 | 0: x1 103 | 1: x2 104 | 2: x4 105 | 3: default 106 | pcie_speed: 107 | 0: gen_1 108 | 1: gen_2 109 | 2: gen_3 110 | 3: max 111 | pcie_aspm: 112 | 0: l0s_and_l1_entry_enabled 113 | 1: l1_entry_enabled 114 | 2: l0s_entry_enabled 115 | 3: default 116 | body: 117 | seq: 118 | - id: size 119 | type: u2 120 | - id: firmware 121 | type: firmware 122 | size: size 123 | - id: magic 124 | type: u1 125 | - id: checksum 126 | type: u1 127 | doc: "8-bit sum of all the code bytes." 128 | types: 129 | firmware: 130 | seq: 131 | - id: code 132 | size-eos: true 133 | instances: 134 | version: 135 | pos: 0x200 136 | size: 6 137 | -------------------------------------------------------------------------------- /ASM2x6x/tools/asm2464_fw.ksy: -------------------------------------------------------------------------------- 1 | meta: 2 | id: asm2464_fw 3 | endian: le 4 | title: ASM2464 firmware image 5 | license: CC0-1.0 6 | seq: 7 | - id: body_len 8 | type: u4 9 | - id: body 10 | size: body_len 11 | - id: magic 12 | type: u1 13 | doc: "0xA5: ASM2464" 14 | - id: checksum 15 | type: u1 16 | doc: "8-bit sum of all the bytes in the firmware body." 17 | - id: crc 18 | type: u4 19 | doc: "CRC-32 of the firmware body (Python `zlib.crc32()`)." 20 | -------------------------------------------------------------------------------- /ASM2x6x/tools/asm2x6x_tool.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | # asm2x6x_tool.py - A tool to interact with ASM2x6x devices over USB. 5 | # Copyright (C) 2022-2024 Forest Crossman 6 | # 7 | # This program is free software: you can redistribute it and/or modify 8 | # it under the terms of the GNU General Public License as published by 9 | # the Free Software Foundation, either version 3 of the License, or 10 | # (at your option) any later version. 11 | # 12 | # This program is distributed in the hope that it will be useful, 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | # GNU General Public License for more details. 16 | # 17 | # You should have received a copy of the GNU General Public License 18 | # along with this program. If not, see . 19 | 20 | 21 | import argparse 22 | import os 23 | import struct 24 | import sys 25 | import time 26 | from pathlib import Path 27 | 28 | try: 29 | import sgio 30 | except ModuleNotFoundError: 31 | sys.stderr.write("Error: Failed to import \"sgio\". Please install \"cython-sgio\", then try running this script again.\n") 32 | sys.exit(1) 33 | 34 | 35 | class Asm2x6x: 36 | def __init__(self, dev_path): 37 | self._file = os.fdopen(os.open(dev_path, os.O_RDWR | os.O_NONBLOCK)) 38 | 39 | def get_fw_version_data(self): 40 | return self.read(0x07f0, 6) 41 | 42 | class Asm236x(Asm2x6x): 43 | def __init__(self, dev_path): 44 | super().__init__(dev_path) 45 | 46 | def flash_dump(self, read_len): 47 | data = bytearray(read_len) 48 | 49 | cdb = struct.pack('>BBI', 0xe2, 0x00, read_len) 50 | 51 | ret = sgio.execute(self._file, cdb, None, data) 52 | assert ret == 0 53 | 54 | return bytes(data) 55 | 56 | def config_write(self, config_data): 57 | assert len(config_data) == 128 58 | 59 | cdb = struct.pack('>B15x', 0xe1) 60 | 61 | ret = sgio.execute(self._file, cdb, config_data, None) 62 | assert ret == 0 63 | 64 | def fw_write(self, fw_data): 65 | cdb = struct.pack('>BBI', 0xe3, 0x00, len(fw_data)) 66 | 67 | ret = sgio.execute(self._file, cdb, fw_data, None) 68 | assert ret == 0 69 | 70 | def read(self, start_addr, read_len, stride=255): 71 | data = bytearray(read_len) 72 | 73 | for i in range(0, read_len, stride): 74 | remaining = read_len - i 75 | buf_len = min(stride, remaining) 76 | 77 | cdb = struct.pack('>BBBHB', 0xe4, buf_len, 0x00, start_addr + i, 0x00) 78 | 79 | buf = bytearray(buf_len) 80 | ret = sgio.execute(self._file, cdb, None, buf) 81 | assert ret == 0 82 | 83 | data[i:i+buf_len] = buf 84 | 85 | return bytes(data) 86 | 87 | def write(self, start_addr, data): 88 | for offset, value in enumerate(data): 89 | cdb = struct.pack('>BBBHB', 0xe5, value, 0x00, start_addr + offset, 0x00) 90 | ret = sgio.execute(self._file, cdb, None, None) 91 | assert ret == 0 92 | 93 | def reload(self): 94 | cdb = bytes.fromhex("e8 00 00 00 00 00 00 00 00 00 00 00") 95 | ret = sgio.execute(self._file, cdb, None, None) 96 | assert ret == 0 97 | 98 | def flash_read(self, start_addr, read_len, stride=128): 99 | data = bytearray(read_len) 100 | 101 | for i in range(0, read_len, stride): 102 | remaining = read_len - i 103 | buf_len = min(stride, remaining) 104 | 105 | flash_addr = start_addr + i 106 | flash_addr_lo = flash_addr & 0xff 107 | flash_addr_md = (flash_addr >> 8) & 0xff 108 | flash_addr_hi = (flash_addr >> 16) & 0xff 109 | 110 | # Set FLASH_CON_MODE to read, with normal I/O config. 111 | self.write(0xC8AD, bytes([0x00])) 112 | 113 | # Set FLASH_CON_BUF_OFFSET to zero. 114 | self.write(0xC8AE, struct.pack('>H', 0x0000)) 115 | 116 | # Set FLASH_CON_ADDR_LEN_MAYBE to 3. 117 | self.write(0xC8AC, bytes([0x03])) 118 | 119 | # Set the flash address. 120 | self.write(0xC8A1, bytes([flash_addr_lo])) 121 | self.write(0xC8A2, bytes([flash_addr_md])) 122 | self.write(0xC8AB, bytes([flash_addr_hi])) 123 | 124 | # Set FLASH_CON_DATA_LEN to the number of bytes to read. 125 | self.write(0xC8A3, struct.pack('>H', buf_len)) 126 | 127 | # Set FLASH_CON_CSR bit 0 to start the read. 128 | self.write(0xC8A9, bytes([0x01])) 129 | 130 | # Wait for read to finish. 131 | while self.read(0xC8A9, 1)[0] & 1: 132 | continue 133 | 134 | buf = self.read(0x7000, buf_len) 135 | 136 | data[i:i+buf_len] = buf 137 | 138 | return bytes(data) 139 | 140 | def pcie_cfg_req(self, byte_addr, bus=1, dev=0, fn=0, cfgreq_type=1, value=None, size=4): 141 | assert byte_addr >> 12 == 0 142 | 143 | assert bus >> 8 == 0 144 | assert dev >> 5 == 0 145 | assert fn >> 3 == 0 146 | 147 | assert cfgreq_type >> 1 == 0 148 | 149 | fmt_type = 0x04 150 | if value is not None: 151 | fmt_type = 0x44 152 | 153 | fmt_type |= cfgreq_type 154 | address = (bus << 24) | (dev << 19) | (fn << 16) | (byte_addr & 0xfff) 155 | 156 | return self.pcie_gen_req(fmt_type, address, value, size) 157 | 158 | def pcie_mem_req(self, address, value=None, size=4): 159 | fmt_type = 0x00 160 | if value is not None: 161 | fmt_type = 0x40 162 | 163 | return self.pcie_gen_req(fmt_type, address, value, size) 164 | 165 | def pcie_gen_req(self, fmt_type, address, value=None, size=4): 166 | assert fmt_type >> 8 == 0 167 | assert size > 0 and size <= 4 168 | 169 | masked_address = address & 0xfffffffc 170 | offset = address & 0x00000003 171 | 172 | assert size + offset <= 4 173 | 174 | byte_enable = ((1 << size) - 1) << offset 175 | 176 | if value is not None: 177 | assert value >> (8 * size) == 0 178 | shifted_value = value << (8 * offset) 179 | self.write(0xB220, struct.pack('>I', shifted_value)) 180 | 181 | self.write(0xB210, struct.pack('>III', 182 | 0x00000001 | (fmt_type << 24), 183 | byte_enable, 184 | masked_address, 185 | )) 186 | 187 | # Clear timeout bit. 188 | self.write(0xB296, bytes([0x01])) 189 | 190 | # Unknown 191 | self.write(0xB254, bytes([0x0f])) 192 | 193 | # Wait for PCIe to become ready. 194 | while self.read(0xB296, 1)[0] & 4 == 0: 195 | continue 196 | 197 | # Write to CSR bit 2 to send the TLP. 198 | self.write(0xB296, bytes([0x04])) 199 | 200 | if ((fmt_type & 0b11011111) == 0b01000000) or ((fmt_type & 0b10111000) == 0b00110000): 201 | # This is a posted transaction, so there's no completion and we can return early. 202 | return 203 | 204 | # Wait for completion. 205 | while self.read(0xB296, 1)[0] & 2 == 0: 206 | if self.read(0xB296, 1)[0] & 1: 207 | # Clear timeout bit. 208 | self.write(0xB296, bytes([0x01])) 209 | 210 | raise Exception("PCIe timeout!") 211 | 212 | # Clear done bit. 213 | self.write(0xB296, bytes([0x02])) 214 | 215 | b284 = self.read(0xB284, 1)[0] 216 | #print("0xB284: 0x{:02x}".format(b284)) 217 | b284_bit_0 = b284 & 0x01 218 | 219 | completion = struct.unpack('>III', self.read(0xB224, 12)) 220 | #print("Completion TLP: 0x{:08x} 0x{:08x} 0x{:08x}".format(*completion)) 221 | if (fmt_type & 0xbe == 0x04): 222 | # Completion TLPs for configuration requests always have a byte count of 4. 223 | assert completion[1] & 0xfff == 4 224 | else: 225 | assert completion[1] & 0xfff == size 226 | 227 | status_map = { 228 | 0b000: "Successful Completion (SC)", 229 | 0b001: "Unsupported Request (UR)", 230 | 0b010: "Configuration Request Retry Status (CRS)", 231 | 0b100: "Completer Abort (CA)", 232 | } 233 | status = (completion[1] >> 13) & 0x7 234 | if status or ((fmt_type & 0xbe == 0x04) and (((value is None) and (not b284_bit_0)) or ((value is not None) and b284_bit_0))): 235 | raise Exception("Completion status: {}, 0xB284 bit 0: {}".format( 236 | status_map.get(status, "Reserved (0b{:03b})".format(status)), b284_bit_0)) 237 | 238 | if value is None: 239 | full_value = struct.unpack('>I', self.read(0xB220, 4))[0] 240 | shifted_value = full_value >> (8 * offset) 241 | masked_value = shifted_value & ((1 << (8 * size)) - 1) 242 | return masked_value 243 | 244 | class Asm246x(Asm2x6x): 245 | def __init__(self, dev_path): 246 | super().__init__(dev_path) 247 | 248 | def flash_dump(self, read_len): 249 | first_read_len = read_len 250 | second_read_len = 0 251 | if read_len > 0x10000: 252 | first_read_len = 0xff00 253 | second_read_len = read_len - first_read_len 254 | 255 | cdb = struct.pack('>BBI', 0xe2, 0x50, first_read_len) 256 | first_data = bytearray(first_read_len) 257 | ret = sgio.execute(self._file, cdb, None, first_data) 258 | assert ret == 0 259 | 260 | time.sleep(1) 261 | 262 | data = bytes(first_data) 263 | if second_read_len: 264 | cdb = struct.pack('>BBI', 0xe2, 0xd0, second_read_len) 265 | second_data = bytearray(second_read_len) 266 | ret = sgio.execute(self._file, cdb, None, second_data) 267 | assert ret == 0 268 | 269 | time.sleep(1) 270 | 271 | data += bytes(second_data) 272 | 273 | return data 274 | 275 | def read(self, start_addr, read_len, stride=255): 276 | data = bytearray(read_len) 277 | 278 | for i in range(0, read_len, stride): 279 | remaining = read_len - i 280 | buf_len = min(stride, remaining) 281 | 282 | current_addr = start_addr + i 283 | assert current_addr >> 17 == 0 284 | current_addr &= 0x01ffff 285 | current_addr |= 0x500000 286 | 287 | cdb = struct.pack('>BBBHB', 0xe4, buf_len, current_addr >> 16, current_addr & 0xffff, 0x00) 288 | 289 | buf = bytearray(buf_len) 290 | ret = sgio.execute(self._file, cdb, None, buf) 291 | assert ret == 0 292 | 293 | data[i:i+buf_len] = buf 294 | 295 | return bytes(data) 296 | 297 | 298 | def get_asm2x6x_dev(device="auto"): 299 | if device == "auto": 300 | # Search for devices 301 | for path in Path("/sys/bus/scsi/devices").iterdir(): 302 | try: 303 | vendor = open(path.joinpath("vendor"), "rb").read() 304 | if not vendor.startswith(b"ASMT"): 305 | continue 306 | 307 | model = open(path.joinpath("model"), "rb").read() 308 | if not (model.startswith(b"ASM236") or model.startswith(b"ASM246")): 309 | continue 310 | 311 | for sg in path.joinpath("scsi_generic").iterdir(): 312 | device = str(Path("/dev", sg.parts[-1])) 313 | sys.stderr.write("Using {} device at \"{}\".\n".format(model.split(b' ')[0].decode('utf-8'), device)) 314 | break 315 | 316 | if device != "auto": 317 | break 318 | except FileNotFoundError: 319 | continue 320 | 321 | if device == "auto": 322 | return None 323 | 324 | # Initialize the device object. 325 | dev = Asm236x(device) 326 | try: 327 | # This will fail if the device is an ASM246x 328 | dev.get_fw_version_data() 329 | except sgio.CheckConditionError: 330 | dev = Asm246x(device) 331 | 332 | return dev 333 | 334 | def fw_version_bytes_to_string(version): 335 | return "{:02X}{:02X}{:02X}_{:02X}_{:02X}_{:02X}".format(*version) 336 | 337 | def parse_bdf(bdf): 338 | bus = 0 339 | dev = 0 340 | fn = 0 341 | 342 | # [[[[]:]]:][][.[]] 343 | 344 | bdf_split_period = bdf.split('.') 345 | if len(bdf_split_period) > 2: 346 | raise Exception("Too many periods in BDF string \"{}\".".format(bdf)) 347 | if len(bdf_split_period) > 1: 348 | fn_str = bdf_split_period[-1] 349 | if len(fn_str) > 0: 350 | try: 351 | fn = int(fn_str, 16) 352 | except Exception as e: 353 | raise Exception("Function number \"{}\" is invalid: {}".format(fn_str, e)) 354 | assert fn >> 3 == 0 355 | 356 | bd_str = bdf_split_period[0] 357 | bd_str_split_colon = bd_str.split(":") 358 | if len(bd_str_split_colon) > 2: 359 | raise Exception("Too many colons in BDF string \"{}\".".format(bdf)) 360 | if len(bd_str_split_colon) > 1: 361 | bus_str = bd_str_split_colon[0] 362 | if len(bus_str) > 0: 363 | try: 364 | bus = int(bus_str, 16) 365 | except Exception as e: 366 | raise Exception("Bus number \"{}\" is invalid: {}".format(bus_str, e)) 367 | 368 | dev_str = bd_str_split_colon[-1] 369 | if len(dev_str) > 0: 370 | try: 371 | dev = int(dev_str, 16) 372 | except Exception as e: 373 | raise Exception("Device number \"{}\" is invalid: {}".format(dev_str, e)) 374 | assert dev >> 5 == 0 375 | 376 | return (bus, dev, fn) 377 | 378 | def dump(args, dev): 379 | start_addr = 0x0000 380 | read_len = 1 << 16 381 | stride = 128 382 | 383 | start_ns = time.perf_counter_ns() 384 | data = dev.read(start_addr, read_len, stride) 385 | end_ns = time.perf_counter_ns() 386 | elapsed = end_ns - start_ns 387 | print("Read {} bytes in {:.6f} seconds ({} bytes per second).".format( 388 | len(data), elapsed/1e9, int(len(data)*1e9) // elapsed)) 389 | 390 | open(args.dump_file, 'wb').write(data) 391 | 392 | return 0 393 | 394 | def flash_dump(args, dev): 395 | read_len = args.length 396 | 397 | start_ns = time.perf_counter_ns() 398 | data = dev.flash_dump(read_len) 399 | end_ns = time.perf_counter_ns() 400 | elapsed = end_ns - start_ns 401 | print("Read {} bytes in {:.6f} seconds ({} bytes per second).".format( 402 | len(data), elapsed/1e9, int(len(data)*1e9) // elapsed)) 403 | 404 | open(args.flash_dump_file, 'wb').write(data) 405 | 406 | return 0 407 | 408 | def fw_write(args, dev): 409 | fw_file = open(args.fw_file, 'rb').read() 410 | 411 | config_data = b'' 412 | fw_data = fw_file 413 | if not args.raw: 414 | config_data = b'\xff' * 4 + fw_file[4:0x80] 415 | fw_data = fw_file[0x80:] 416 | 417 | if config_data: 418 | config_magic = config_data[-2] 419 | if config_magic != 0x5a: 420 | print("Error: Bad config magic. Expected 0x5a, got 0x{:02x}.".format(fw_magic)) 421 | return 1 422 | config_checksum = config_data[-1] 423 | config_checksum_calc = sum(config_data[4:-1]) & 0xff 424 | if config_checksum_calc != config_checksum: 425 | print("Error: Bad config checksum. Expected 0x{:02x}, calculated 0x{:02x}.".format(config_checksum, config_checksum_calc)) 426 | return 1 427 | 428 | fw_size = struct.unpack_from(' 0: 480 | print("Error: Verification failed with {} errors!".format(errors)) 481 | return 1 482 | 483 | return 0 484 | 485 | def info(args, dev): 486 | print("Firmware version: {}".format(fw_version_bytes_to_string(dev.get_fw_version_data()))) 487 | 488 | return 0 489 | 490 | def read(args, dev): 491 | start_addr = int(args.address, 16) 492 | read_len = args.length 493 | stride = args.stride 494 | assert stride > 0 495 | assert stride < 256 496 | 497 | start_ns = time.perf_counter_ns() 498 | data = dev.read(start_addr, read_len, stride) 499 | end_ns = time.perf_counter_ns() 500 | elapsed = end_ns - start_ns 501 | print("Read {} bytes in {:.6f} seconds ({} bytes per second).".format( 502 | len(data), elapsed/1e9, int(len(data)*1e9) // elapsed)) 503 | 504 | range_end_string = "" 505 | if read_len > 1: 506 | range_end_string = ":0x{:04X}".format(start_addr + read_len - 1) 507 | print("XDATA[0x{:04X}{}]: {} {}".format(start_addr, range_end_string, data.hex(), data)) 508 | 509 | return 0 510 | 511 | def write(args, dev): 512 | start_addr = int(args.address, 16) 513 | data = b"".join([bytes.fromhex(x) for x in args.data]) 514 | 515 | if args.read_before: 516 | read_len = len(data) 517 | stride = min(read_len, 255) 518 | start_ns = time.perf_counter_ns() 519 | read_data = dev.read(start_addr, read_len, stride) 520 | end_ns = time.perf_counter_ns() 521 | elapsed = end_ns - start_ns 522 | print("Read {} bytes in {:.6f} seconds ({} bytes per second).".format( 523 | len(read_data), elapsed/1e9, int(len(read_data)*1e9) // elapsed)) 524 | 525 | range_end_string = "" 526 | if read_len > 1: 527 | range_end_string = ":0x{:04X}".format(start_addr + read_len - 1) 528 | print("XDATA[0x{:04X}{}]: {} {}".format( 529 | start_addr, range_end_string, read_data.hex(), read_data)) 530 | 531 | start_ns = time.perf_counter_ns() 532 | dev.write(start_addr, data) 533 | end_ns = time.perf_counter_ns() 534 | elapsed = end_ns - start_ns 535 | print("Wrote {} bytes in {:.6f} seconds ({} bytes per second).".format( 536 | len(data), elapsed/1e9, int(len(data)*1e9) // elapsed)) 537 | 538 | range_end_string = "" 539 | if len(data) > 1: 540 | range_end_string = ":0x{:04X}".format(start_addr + len(data) - 1) 541 | print("XDATA[0x{:04X}{}]: {} {}".format(start_addr, range_end_string, data.hex(), data)) 542 | 543 | if args.read_after: 544 | read_len = len(data) 545 | stride = min(read_len, 255) 546 | start_ns = time.perf_counter_ns() 547 | read_data = dev.read(start_addr, read_len, stride) 548 | end_ns = time.perf_counter_ns() 549 | elapsed = end_ns - start_ns 550 | print("Read {} bytes in {:.6f} seconds ({} bytes per second).".format( 551 | len(read_data), elapsed/1e9, int(len(read_data)*1e9) // elapsed)) 552 | 553 | range_end_string = "" 554 | if read_len > 1: 555 | range_end_string = ":0x{:04X}".format(start_addr + read_len - 1) 556 | print("XDATA[0x{:04X}{}]: {} {}".format( 557 | start_addr, range_end_string, read_data.hex(), read_data)) 558 | 559 | return 0 560 | 561 | def reload(args, dev): 562 | dev.reload() 563 | 564 | return 0 565 | 566 | def memtest(args, dev): 567 | start_addr = int(args.address, 16) 568 | test_len = args.length 569 | stride = args.stride 570 | 571 | print("Testing data from 0x{:04x} to 0x{:04x}, inclusive...".format(start_addr, start_addr+test_len-1)) 572 | 573 | zeros = bytes(test_len) 574 | 575 | tests = ( 576 | ("Random 1", os.urandom(test_len)), 577 | ("Zeros 1", zeros), 578 | ("Random 2", os.urandom(test_len)), 579 | ("Zeros 2", zeros), 580 | ) 581 | 582 | for test_name, test_data in tests: 583 | print("Running test \"{}\"...".format(test_name)) 584 | 585 | before = dev.read(start_addr, test_len, stride) 586 | dev.write(start_addr, test_data) 587 | after = dev.read(start_addr, test_len, stride) 588 | 589 | if after != test_data: 590 | print("Error: Failed test \"{}\"!".format(test_name)) 591 | for i in range(test_len): 592 | if after[i] != test_data[i]: 593 | print(" + Mismatch at address 0x{:04x}: Expected 0x{:02x}, got 0x{:02x} instead.".format( 594 | start_addr + i, test_data[i], after[i])) 595 | break 596 | 597 | if after == before: 598 | print(" + Write had no effect--this is likely read-only memory.") 599 | 600 | return 1 601 | 602 | return 0 603 | 604 | def flash_read(args, dev): 605 | start_addr = int(args.address, 16) 606 | read_len = args.length 607 | stride = args.stride 608 | assert stride > 0 609 | assert stride <= 4096 610 | 611 | start_ns = time.perf_counter_ns() 612 | data = dev.flash_read(start_addr, read_len, stride) 613 | end_ns = time.perf_counter_ns() 614 | elapsed = end_ns - start_ns 615 | print("Read {} bytes in {:.6f} seconds ({} bytes per second).".format( 616 | len(data), elapsed/1e9, int(len(data)*1e9) // elapsed)) 617 | 618 | range_end_string = "" 619 | if read_len > 1: 620 | range_end_string = ":0x{:04X}".format(start_addr + read_len - 1) 621 | print("FLASH[0x{:04X}{}]: {} {}".format(start_addr, range_end_string, data.hex(), data)) 622 | 623 | return 0 624 | 625 | def pcie(args, dev): 626 | value = None 627 | if args.value: 628 | value = int(args.value, 16) 629 | 630 | size = 4 631 | 632 | addr_parts = args.address.split('.') 633 | if len(addr_parts) == 2: 634 | size = { 635 | 'b': 1, 636 | 'w': 2, 637 | 'l': 4, 638 | }.get(addr_parts[-1].lower()) 639 | if not size: 640 | raise ValueError("Invalid address specifier \"{}\"".format(args.address)) 641 | elif len(addr_parts) > 2: 642 | raise ValueError("Invalid address specifier \"{}\"".format(args.address)) 643 | byte_addr = int(addr_parts[0], 16) 644 | 645 | if args.bdf: 646 | mem_type = "CFG" 647 | 648 | bdf = parse_bdf(args.bdf) 649 | 650 | cfgreq_type = 0 651 | if bdf[0] != 0: 652 | cfgreq_type = 1 653 | 654 | addr_str = "0x{:04X}".format(byte_addr) 655 | 656 | data = dev.pcie_cfg_req(byte_addr, bus=bdf[0], dev=bdf[1], fn=bdf[2], cfgreq_type=cfgreq_type, value=value, size=size) 657 | 658 | else: 659 | mem_type = "MEM" 660 | 661 | addr_str = "0x{:08X}".format(byte_addr) 662 | 663 | data = dev.pcie_mem_req(byte_addr, value, size) 664 | 665 | if value is None: 666 | data_str = { 667 | 1: "0x{:02x}", 668 | 2: "0x{:04x}", 669 | 4: "0x{:08x}", 670 | }[size].format(data) 671 | print("{}[{}]: {}".format(mem_type, addr_str, data_str)) 672 | 673 | return 0 674 | 675 | def pcie_cfg_dump(args, dev): 676 | bdf = parse_bdf(args.bdf) 677 | 678 | cfgreq_type = 0 679 | if bdf[0] != 0: 680 | cfgreq_type = 1 681 | 682 | buf = bytearray(4096) 683 | start_ns = time.perf_counter_ns() 684 | for addr in range(0, len(buf), 4): 685 | struct.pack_into(' 6 | # 7 | # This program is free software: you can redistribute it and/or modify 8 | # it under the terms of the GNU General Public License as published by 9 | # the Free Software Foundation, either version 3 of the License, or 10 | # (at your option) any later version. 11 | # 12 | # This program is distributed in the hope that it will be useful, 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | # GNU General Public License for more details. 16 | # 17 | # You should have received a copy of the GNU General Public License 18 | # along with this program. If not, see . 19 | 20 | 21 | import argparse 22 | import sys 23 | 24 | try: 25 | import asm236x_fw 26 | except ModuleNotFoundError: 27 | sys.stderr.write("Error: Failed to import \"asm236x_fw.py\". Please run \"make\" in this directory to generate that file, then try running this script again.\n") 28 | sys.exit(1) 29 | 30 | 31 | IDLE_TIMER_STRINGS = { 32 | 0x1: "3 minutes", 33 | 0x2: "5 minutes", 34 | 0x3: "10 minutes", 35 | 0x4: "15 minutes", 36 | 0x5: "20 minutes", 37 | 0x6: "30 minutes", 38 | 0x7: "1 hour", 39 | 0x8: "2 hours", 40 | 0x9: "3 hours", 41 | 0xa: "4 hours", 42 | 0xb: "5 hours", 43 | 0xf: "Never", 44 | } 45 | 46 | PCIE_SPEEDS = { 47 | 0: (1, "2.5"), 48 | 1: (2, "5"), 49 | 2: (3, "8"), 50 | } 51 | 52 | PCIE_LANES = { 53 | 0: "1", 54 | 1: "2", 55 | 2: "4", 56 | } 57 | 58 | EXPECTED_HEADER_MAGIC = 0x5a 59 | 60 | BODY_MAGICS = { 61 | 0x4b: "ASM2364", 62 | 0x5a: "ASM2362", 63 | } 64 | 65 | 66 | def fw_version_bytes_to_string(version): 67 | return "{:02X}{:02X}{:02X}_{:02X}_{:02X}_{:02X}".format(*version) 68 | 69 | def extract(filename=None, fw=None, **kwargs): 70 | split = filename.split('.') 71 | basename = '.'.join(split[:-1]) 72 | dest_name = "{}.code.bin".format(basename) 73 | 74 | print("Extracting {} bytes of firmware code from \"{}\" and writing it to \"{}\"...".format(fw.body.size, filename, dest_name)) 75 | 76 | f = open(dest_name, "wb") 77 | f.write(fw.body.firmware.code) 78 | f.close() 79 | 80 | print("Done!") 81 | 82 | return 0 83 | 84 | def info(filename=None, fw=None, fw_bin=None, **kwargs): 85 | version_string = fw_version_bytes_to_string(fw.body.firmware.version) 86 | print("Firmware version: {}".format(version_string)) 87 | 88 | usb_info = fw.header.usb_info 89 | print("USB IDs: {:04x}:{:04x}".format(usb_info.id_vendor, usb_info.id_product)) 90 | print("USB Device Revision: {:04x}".format(usb_info.bcd_device)) 91 | print("EP0 Manufacturer String: {}".format(fw.header.ep0_manufacturer_string)) 92 | print("EP0 Product String: {}".format(fw.header.ep0_product_string)) 93 | print("T10 Manufacturer String: {}".format(fw.header.t10_manufacturer_string)) 94 | print("T10 Product String: {}".format(fw.header.t10_product_string)) 95 | print("Serial number: {}".format(fw.header.serial_number)) 96 | print("Idle timer: {}".format(IDLE_TIMER_STRINGS.get(fw.header.idle_timer, "Unknown value: 0x{:x}".format(fw.header.idle_timer)))) 97 | print("PCIe Lanes: {}".format(PCIE_LANES.get(fw.header.pcie_lane.value, "Default (varies by chip and firmware version)"))) 98 | print("PCIe Speed: Gen {} ({} GT/s)".format(*PCIE_SPEEDS.get(fw.header.pcie_speed.value, (3, "8")))) 99 | 100 | header_magic_messages = { 101 | True: "OK (0x{:02x})".format(fw.header.magic), 102 | False: "ERROR: Expected 0x{:02x}, got 0x{:02x}.".format(EXPECTED_HEADER_MAGIC, fw.header.magic), 103 | } 104 | print("Header magic: {}".format(header_magic_messages[fw.header.magic == EXPECTED_HEADER_MAGIC])) 105 | 106 | calculated_csum = sum(fw_bin[0x04:0x7f]) & 0xff 107 | expected_csum = fw.header.checksum 108 | header_checksum_messages = { 109 | True: "OK (0x{:02x})".format(calculated_csum), 110 | False: "ERROR: Expected 0x{:02x}, calculated: 0x{:02x}.".format(expected_csum, calculated_csum), 111 | } 112 | print("Header checksum: {}".format(header_checksum_messages[expected_csum == calculated_csum])) 113 | 114 | print("Image size: {} bytes".format(fw.body.size)) 115 | 116 | formatted_magics = "[{}]".format(", ".join("0x{:02x}".format(x) for x in BODY_MAGICS.keys())) 117 | image_magic_messages = { 118 | True: "OK (0x{:02x}: {})".format(fw.body.magic, BODY_MAGICS.get(fw.body.magic, "Unknown")), 119 | False: "ERROR: Expected one of {}, got 0x{:02x}.".format(formatted_magics, fw.body.magic), 120 | } 121 | print("Image magic: {}".format(image_magic_messages[fw.body.magic in BODY_MAGICS.keys()])) 122 | 123 | calculated_csum = sum(fw.body.firmware.code) & 0xff 124 | expected_csum = fw.body.checksum 125 | firmware_checksum_messages = { 126 | True: "OK (0x{:02x})".format(calculated_csum), 127 | False: "ERROR: Expected 0x{:02x}, calculated: 0x{:02x}.".format(expected_csum, calculated_csum), 128 | } 129 | print("Image checksum: {}".format(firmware_checksum_messages[expected_csum == calculated_csum])) 130 | 131 | return 0 132 | 133 | def raw_info(fw_bin=None, **kwargs): 134 | version_string = fw_version_bytes_to_string(fw_bin[0x200:0x200+6]) 135 | print("Firmware version: {}".format(version_string)) 136 | 137 | return 0 138 | 139 | def unsupported(command=None, fw_type=None, **kwargs): 140 | print("Error: Command \"{}\" is not supported for image type \"{}\".".format(command, fw_type), file=sys.stderr) 141 | 142 | return 1 143 | 144 | def main(): 145 | commands = { 146 | "extract": { 147 | "image": extract, 148 | }, 149 | "info": { 150 | "image": info, 151 | "raw": raw_info, 152 | }, 153 | } 154 | 155 | parser = argparse.ArgumentParser() 156 | parser.add_argument("-t", "--type", choices=("auto", "image", "raw"), default="auto", help="The image type. Default: auto") 157 | parser.add_argument("command", choices=commands.keys(), help="Subcommands.") 158 | parser.add_argument("firmware", type=str, help="The firmware image file.") 159 | args = parser.parse_args() 160 | 161 | fw_bin = open(args.firmware, 'rb').read() 162 | 163 | fw_type = args.type 164 | if fw_type != "auto": 165 | print("Firmware type set to \"{}\".".format(fw_type)) 166 | else: 167 | print("Trying to guess firmware type...") 168 | threshold = 3 169 | points = 0 170 | 171 | # Is the serial number string present? 172 | try: 173 | bytes.fromhex(fw_bin[4:4+12].decode('ascii')) 174 | points += 1 175 | except Exception: 176 | pass 177 | 178 | # Is "ASMT" present? 179 | try: 180 | if fw_bin[0x3c:0x3c+4].decode('ascii') == "ASMT": 181 | points += 1 182 | except Exception: 183 | pass 184 | 185 | # Is the magic value present? 186 | try: 187 | if fw_bin[0x7e] == 0x5a: 188 | points += 1 189 | except Exception: 190 | pass 191 | 192 | # Are the exception vector long jump instructions all present? 193 | try: 194 | vector_offsets = (0x82, 0x85, 0x8d, 0x95) 195 | vectors_present = 0 196 | for offset in vector_offsets: 197 | vectors_present += 1 198 | if vectors_present == len(vector_offsets): 199 | points += 1 200 | except Exception: 201 | pass 202 | 203 | if points >= threshold: 204 | fw_type = "image" 205 | else: 206 | fw_type = "raw" 207 | print("Guessed firmware type is \"{}\".".format(fw_type)) 208 | 209 | if fw_type == "image": 210 | fw = asm236x_fw.Asm236xFw.from_bytes(fw_bin) 211 | return commands[args.command].get(fw_type, unsupported)(command=args.command, filename=args.firmware, fw=fw, fw_bin=fw_bin, fw_type=fw_type) 212 | elif fw_type == "raw": 213 | return commands[args.command].get(fw_type, unsupported)(command=args.command, filename=args.firmware, fw_bin=fw_bin, fw_type=fw_type) 214 | else: 215 | print("Error: Unknown image type: {}".format(fw_type), file=sys.stderr) 216 | return 1 217 | 218 | 219 | if __name__ == "__main__": 220 | sys.exit(main()) 221 | -------------------------------------------------------------------------------- /ASM2x6x/tools/ghidra-scripts/Asm236xFirmwareHelper.java: -------------------------------------------------------------------------------- 1 | // Script that analyzes ASMedia ASM236x firmware. 2 | // @author cyrozap 3 | // @category ASMedia.ASM236x 4 | 5 | // SPDX-License-Identifier: GPL-3.0-or-later 6 | 7 | // Copyright (C) 2023 Forest Crossman 8 | // 9 | // This program is free software: you can redistribute it and/or modify 10 | // it under the terms of the GNU General Public License as published by 11 | // the Free Software Foundation, either version 3 of the License, or 12 | // (at your option) any later version. 13 | // 14 | // This program is distributed in the hope that it will be useful, 15 | // but WITHOUT ANY WARRANTY; without even the implied warranty of 16 | // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 17 | // GNU General Public License for more details. 18 | // 19 | // You should have received a copy of the GNU General Public License 20 | // along with this program. If not, see . 21 | 22 | import java.util.ArrayList; 23 | import java.util.Arrays; 24 | import java.util.List; 25 | 26 | import ghidra.app.script.GhidraScript; 27 | import ghidra.program.model.address.Address; 28 | import ghidra.program.model.data.DataType; 29 | import ghidra.program.model.data.DataTypeManager; 30 | import ghidra.program.model.data.DataTypePath; 31 | import ghidra.program.model.lang.Register; 32 | import ghidra.program.model.listing.Data; 33 | import ghidra.program.model.listing.Instruction; 34 | import ghidra.program.model.listing.Listing; 35 | import ghidra.program.model.listing.Program; 36 | import ghidra.program.model.scalar.Scalar; 37 | import ghidra.program.model.symbol.Reference; 38 | import ghidra.program.model.symbol.ReferenceManager; 39 | import ghidra.program.model.symbol.RefType; 40 | import ghidra.program.model.symbol.SourceType; 41 | import ghidra.program.model.symbol.Symbol; 42 | import ghidra.program.model.util.CodeUnitInsertionException; 43 | import ghidra.util.bytesearch.GenericMatchAction; 44 | import ghidra.util.bytesearch.GenericByteSequencePattern; 45 | import ghidra.util.bytesearch.Match; 46 | import ghidra.util.bytesearch.MemoryBytePatternSearcher; 47 | import ghidra.util.bytesearch.Pattern; 48 | import ghidra.util.exception.CancelledException; 49 | import ghidra.util.task.TaskDialog; 50 | 51 | public class Asm236xFirmwareHelper extends GhidraScript { 52 | private Register DPTR; 53 | private Register DPL; 54 | private Register DPH; 55 | private Register R1; 56 | private Register R2; 57 | private Register R3; 58 | private Register R4; 59 | private Register R5; 60 | private Register R6; 61 | private Register R7; 62 | private Address DPL_addr; 63 | private Address DPH_addr; 64 | 65 | private Address createDataXrefsForU32WriteFunction(Instruction startInstruction) { 66 | Instruction prevInst = startInstruction.getPrevious(); 67 | 68 | String mnemonic = prevInst.getMnemonicString(); 69 | if (!mnemonic.equals("MOV")) { 70 | return null; 71 | } 72 | 73 | Object[] resultObjects = prevInst.getResultObjects(); 74 | if (resultObjects.length < 1) { 75 | return null; 76 | } 77 | 78 | Object[] inputObjects = prevInst.getInputObjects(); 79 | if (inputObjects.length < 1) { 80 | return null; 81 | } 82 | 83 | Object dst = resultObjects[0]; 84 | Object src = inputObjects[0]; 85 | if (!(dst instanceof Register && src instanceof Scalar)) { 86 | return null; 87 | } 88 | 89 | Register reg = (Register)dst; 90 | Scalar value = (Scalar)src; 91 | 92 | //printf("Register %s: 0x%04x\n", reg, value.getUnsignedValue()); 93 | 94 | if (reg != DPTR) { 95 | return null; 96 | } 97 | 98 | long xdataRefAddrInt = value.getUnsignedValue() & 0xffff; 99 | Address xdataRefAddr = toAddr(String.format("EXTMEM:%04x", xdataRefAddrInt)); 100 | ReferenceManager refManager = currentProgram.getReferenceManager(); 101 | 102 | Address movAddress = prevInst.getAddress(); 103 | refManager.removeAllReferencesFrom(movAddress); 104 | refManager.addMemoryReference(movAddress, xdataRefAddr, RefType.DATA, SourceType.USER_DEFINED, 1); 105 | printf(getScriptName() + "> Added reference from %s to %s.\n", movAddress, xdataRefAddr); 106 | 107 | Address startAddress = startInstruction.getAddress(); 108 | refManager.addMemoryReference(startAddress, xdataRefAddr, RefType.WRITE, SourceType.USER_DEFINED, 1); 109 | printf(getScriptName() + "> Added reference from %s to %s.\n", startAddress, xdataRefAddr); 110 | 111 | return xdataRefAddr; 112 | } 113 | 114 | private Address findAddressByBytesMaskAndOffset(byte[] bytes, byte[] mask, int offset) throws CancelledException { 115 | List
results = new ArrayList
(); 116 | GenericMatchAction
action = new GenericMatchAction
(null) { 117 | @Override 118 | public void apply(Program prog, Address addr, Match match) { 119 | results.add(addr); 120 | } 121 | }; 122 | GenericByteSequencePattern pattern = new GenericByteSequencePattern(bytes, mask, action); 123 | MemoryBytePatternSearcher searcher = new MemoryBytePatternSearcher("findAddressByBytesMaskAndOffset", 124 | new ArrayList(Arrays.asList(pattern))); 125 | searcher.setSearchExecutableOnly(true); 126 | searcher.search(currentProgram, currentProgram.getMemory(), new TaskDialog("findAddressByBytesMaskAndOffset", true, false, true)); 127 | 128 | if (results.size() < 1) { 129 | return null; 130 | } 131 | 132 | return results.get(0).add(offset); 133 | } 134 | 135 | private Address findCopyDwordLiteralFunction() throws CancelledException { 136 | // Get the function address. 137 | Address functionAddr = findAddressByBytesMaskAndOffset( 138 | new byte[] { (byte)0xa8, (byte)0x82, 139 | (byte)0x85, (byte)0x83, (byte)0xf0, 140 | (byte)0xd0, (byte)0x83, 141 | (byte)0xd0, (byte)0x82, 142 | (byte)0x12, (byte)0x00, (byte)0x00, 143 | (byte)0x12, (byte)0x00, (byte)0x00, 144 | (byte)0x12, (byte)0x00, (byte)0x00, 145 | (byte)0x12, (byte)0x00, (byte)0x00, 146 | (byte)0xe4, (byte)0x73 }, 147 | new byte[] { (byte)0xff, (byte)0xff, 148 | (byte)0xff, (byte)0xff, (byte)0xff, 149 | (byte)0xff, (byte)0xff, 150 | (byte)0xff, (byte)0xff, 151 | (byte)0xff, (byte)0x00, (byte)0x00, 152 | (byte)0xff, (byte)0x00, (byte)0x00, 153 | (byte)0xff, (byte)0x00, (byte)0x00, 154 | (byte)0xff, (byte)0x00, (byte)0x00, 155 | (byte)0xff, (byte)0xff }, 156 | 0); 157 | if (functionAddr == null) { 158 | printf(getScriptName() + "> Failed to find copy dword literal function!\n"); 159 | return null; 160 | } 161 | 162 | printf(getScriptName() + "> Found copy dword literal function: %s\n", functionAddr); 163 | 164 | return functionAddr; 165 | } 166 | 167 | private Address findSwitchCaseFunction() throws CancelledException { 168 | // Get the function address. 169 | Address functionAddr = findAddressByBytesMaskAndOffset( 170 | new byte[] { (byte)0xd0, (byte)0x83, 171 | (byte)0xd0, (byte)0x82, 172 | (byte)0xf8, 173 | (byte)0xe4, 174 | (byte)0x93 }, 175 | new byte[] { (byte)0xff, (byte)0xff, 176 | (byte)0xff, (byte)0xff, 177 | (byte)0xff, 178 | (byte)0xff, 179 | (byte)0xff }, 180 | 0); 181 | if (functionAddr == null) { 182 | printf(getScriptName() + "> Failed to find switch-case function!\n"); 183 | return null; 184 | } 185 | 186 | printf(getScriptName() + "> Found switch-case function: %s\n", functionAddr); 187 | 188 | return functionAddr; 189 | } 190 | 191 | private Address findU32WriteFunction() throws CancelledException { 192 | // Get the function address. 193 | Address functionAddr = findAddressByBytesMaskAndOffset( 194 | new byte[] { (byte)0xec, (byte)0xf0, (byte)0xa3, 195 | (byte)0xed, (byte)0xf0, (byte)0xa3, 196 | (byte)0xee, (byte)0xf0, (byte)0xa3, 197 | (byte)0xef, (byte)0xf0, (byte)0x22 }, 198 | new byte[] { (byte)0xff, (byte)0xff, (byte)0xff, 199 | (byte)0xff, (byte)0xff, (byte)0xff, 200 | (byte)0xff, (byte)0xff, (byte)0xff, 201 | (byte)0xff, (byte)0xff, (byte)0xff }, 202 | 0); 203 | if (functionAddr == null) { 204 | printf(getScriptName() + "> Failed to find U32 write function!\n"); 205 | return null; 206 | } 207 | 208 | printf(getScriptName() + "> Found U32 write function: %s\n", functionAddr); 209 | 210 | return functionAddr; 211 | } 212 | 213 | private void addCrossReferencesForU32Writes(Address functionAddr) throws CancelledException, CodeUnitInsertionException { 214 | if (functionAddr == null) { 215 | return; 216 | } 217 | 218 | DataTypeManager dtm = currentProgram.getDataTypeManager(); 219 | DataTypePath u32DataTypePath = new DataTypePath("/stdint.h", "uint32_t"); 220 | DataType u32DataType = dtm.getDataType(u32DataTypePath); 221 | if (u32DataType == null) { 222 | printf(getScriptName() + "> Failed to find data type \"%s\".\n", u32DataTypePath); 223 | return; 224 | } 225 | Listing listing = currentProgram.getListing(); 226 | 227 | int referencedCount = 0; 228 | int definedCount = 0; 229 | 230 | // Loop over all the locations where the function is called. 231 | Reference[] calls = getReferencesTo(functionAddr); 232 | for (Reference call : calls) { 233 | Address callSite = call.getFromAddress(); 234 | Instruction inst = getInstructionAt(callSite); 235 | 236 | Address u32Addr = createDataXrefsForU32WriteFunction(inst); 237 | if (u32Addr == null) { 238 | continue; 239 | } 240 | 241 | referencedCount += 1; 242 | 243 | // This skips all the non-null, defined data whose type doesn't start with "undefined". 244 | Data u32Data = getDataAt(u32Addr); 245 | if ( (u32Data != null) && !u32Data.getDataType().getName().startsWith("undefined") ) { 246 | continue; 247 | } 248 | 249 | // This is necessary to avoid destroying defined arrays. 250 | // 251 | // Addresses in the middle of an array are not undefined, but there's no Data object there 252 | // (u32Data == null), so the previous check won't catch them. To skip over those addresses in 253 | // arrays without defined data, We'll use the "isUndefined()" function. 254 | // 255 | // "isUndefined()" means u32Data is null and the address is not in an array. Conversely, 256 | // "!isUndefined()" then means there's either a Data object at that address (u32Data != null) 257 | // or the address is in an array. "NOT Data AND (Data OR in an array)" can be expanded to 258 | // "(NOT Data AND Data) OR (NOT Data AND in an array)", which simplifies to 259 | // "NOT Data AND in an array", which is exactly what we want to filter out to avoid clobbering 260 | // anything. 261 | if ( (u32Data == null) && !listing.isUndefined(u32Addr, u32Addr.add(u32DataType.getLength()-1)) ) { 262 | continue; 263 | } 264 | 265 | listing.clearCodeUnits(u32Addr, u32Addr.add(u32DataType.getLength()-1), false); 266 | listing.createData(u32Addr, u32DataType); 267 | 268 | printf(getScriptName() + "> Defined uint32_t at %s.\n", u32Addr); 269 | 270 | definedCount += 1; 271 | } 272 | 273 | printf(getScriptName() + "> Created references %d times and defined data %d times.\n", referencedCount, definedCount); 274 | } 275 | 276 | private void copyDwordFunctionHelper() throws CancelledException, CodeUnitInsertionException { 277 | Address functionAddr = findCopyDwordLiteralFunction(); 278 | if (functionAddr == null) { 279 | return; 280 | } 281 | 282 | DataTypeManager dtm = currentProgram.getDataTypeManager(); 283 | DataTypePath u32DataTypePath = new DataTypePath("/stdint.h", "uint32_t"); 284 | DataType u32DataType = dtm.getDataType(u32DataTypePath); 285 | if (u32DataType == null) { 286 | printf(getScriptName() + "> Failed to find data type \"%s\".\n", u32DataTypePath); 287 | return; 288 | } 289 | Listing listing = currentProgram.getListing(); 290 | int definedCount = 0; 291 | int disassembled = 0; 292 | 293 | // Loop over all the locations where the function is called. 294 | Reference[] calls = getReferencesTo(functionAddr); 295 | for (Reference call : calls) { 296 | Address callSite = call.getFromAddress(); 297 | 298 | Address u32Addr = callSite.add(3); 299 | Data u32Data = getDataAt(u32Addr); 300 | if ( ( (u32Data == null) || u32Data.getDataType().getName().startsWith("undefined") ) && 301 | ( (u32Data != null) || listing.isUndefined(u32Addr, u32Addr.add(u32DataType.getLength()-1)) || 302 | (listing.getCodeUnitAt(u32Addr) != null) ) ) { 303 | listing.clearCodeUnits(u32Addr, u32Addr.add(u32DataType.getLength()-1), false); 304 | listing.createData(u32Addr, u32DataType); 305 | 306 | printf(getScriptName() + "> Defined uint32_t at %s.\n", u32Addr); 307 | 308 | definedCount += 1; 309 | } 310 | 311 | Address codeAddr = u32Addr.add(u32DataType.getLength()); 312 | if (listing.isUndefined(codeAddr, codeAddr)) { 313 | listing.clearCodeUnits(codeAddr, codeAddr.add(2), false); 314 | disassemble(codeAddr); 315 | 316 | printf(getScriptName() + "> Disassembled code at %s.\n", codeAddr); 317 | 318 | disassembled += 1; 319 | } 320 | } 321 | 322 | printf(getScriptName() + "> Defined data %d times and disassembled %d times.\n", definedCount, disassembled); 323 | } 324 | 325 | private void switchTableFunctionHelper() throws CancelledException, CodeUnitInsertionException { 326 | Address functionAddr = findSwitchCaseFunction(); 327 | if (functionAddr == null) { 328 | return; 329 | } 330 | 331 | DataTypeManager dtm = currentProgram.getDataTypeManager(); 332 | DataType pointerDataType = dtm.getDataType(new DataTypePath("/", "pointer")); 333 | if (pointerDataType == null) { 334 | printf(getScriptName() + "> Failed to find \"pointer\" data type.\n"); 335 | return; 336 | } 337 | DataType byteDataType = dtm.getDataType(new DataTypePath("/", "byte")); 338 | if (byteDataType == null) { 339 | printf(getScriptName() + "> Failed to find \"byte\" data type.\n"); 340 | return; 341 | } 342 | DataType ushortDataType = dtm.getDataType(new DataTypePath("/", "ushort")); 343 | if (ushortDataType == null) { 344 | printf(getScriptName() + "> Failed to find \"ushort\" data type.\n"); 345 | return; 346 | } 347 | 348 | Listing listing = currentProgram.getListing(); 349 | int definedCount = 0; 350 | 351 | // Loop over all the locations where the function is called. 352 | Reference[] calls = getReferencesTo(functionAddr); 353 | for (Reference call : calls) { 354 | Address callSite = call.getFromAddress(); 355 | 356 | Address currentAddr = callSite.add(3); 357 | printf(getScriptName() + "> Parsing jump table: %s\n", currentAddr); 358 | while (true) { 359 | listing.clearCodeUnits(currentAddr, currentAddr.add(1), false); 360 | listing.createData(currentAddr, ushortDataType); 361 | if (((Scalar)listing.getDataAt(currentAddr).getValue()).getValue() == (long)0) { 362 | // This is the end of the table, so create the pointer to the default case. 363 | currentAddr = currentAddr.add(2); 364 | listing.clearCodeUnits(currentAddr, currentAddr.add(1), false); 365 | listing.createData(currentAddr, pointerDataType); 366 | createFunction((Address)listing.getDataAt(currentAddr).getValue(), null); 367 | break; 368 | } 369 | 370 | listing.clearCodeUnits(currentAddr, currentAddr.add(2), false); 371 | listing.createData(currentAddr, pointerDataType); 372 | createFunction((Address)listing.getDataAt(currentAddr).getValue(), null); 373 | currentAddr = currentAddr.add(2); 374 | listing.createData(currentAddr, byteDataType); 375 | currentAddr = currentAddr.add(1); 376 | } 377 | 378 | definedCount += 1; 379 | } 380 | 381 | printf(getScriptName() + "> Found %d jump tables.\n", definedCount); 382 | } 383 | 384 | public void run() throws Exception { 385 | // Get the registers we care about. 386 | DPTR = currentProgram.getRegister("DPTR"); 387 | DPL = currentProgram.getRegister("DPL"); 388 | DPH = currentProgram.getRegister("DPH"); 389 | R1 = currentProgram.getRegister("R1"); 390 | R2 = currentProgram.getRegister("R2"); 391 | R3 = currentProgram.getRegister("R3"); 392 | R4 = currentProgram.getRegister("R4"); 393 | R5 = currentProgram.getRegister("R5"); 394 | R6 = currentProgram.getRegister("R6"); 395 | R7 = currentProgram.getRegister("R7"); 396 | 397 | // Get the addresses of the SFRs. 398 | DPL_addr = toAddr("SFR:82"); 399 | DPH_addr = toAddr("SFR:83"); 400 | 401 | copyDwordFunctionHelper(); 402 | //switchTableFunctionHelper(); 403 | //addCrossReferencesForU32Writes(findCopyDwordLiteralFunction()); 404 | //addCrossReferencesForU32Writes(findU32WriteFunction()); 405 | } 406 | } 407 | -------------------------------------------------------------------------------- /ASM2x6x/tools/make_image.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | # make_image.py - Script to generate a firmware image from a raw binary. 5 | # Copyright (C) 2022-2023 Forest Crossman 6 | # 7 | # This program is free software: you can redistribute it and/or modify 8 | # it under the terms of the GNU General Public License as published by 9 | # the Free Software Foundation, either version 3 of the License, or 10 | # (at your option) any later version. 11 | # 12 | # This program is distributed in the hope that it will be useful, 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | # GNU General Public License for more details. 16 | # 17 | # You should have received a copy of the GNU General Public License 18 | # along with this program. If not, see . 19 | 20 | 21 | import argparse 22 | import struct 23 | import sys 24 | 25 | from datetime import datetime, UTC 26 | 27 | 28 | CHIP_INFO = { 29 | "ASM2362": (0x5a, 0x2362), 30 | "ASM2364": (0x4b, 0x2364), 31 | } 32 | 33 | 34 | def checksum(data : bytes): 35 | return sum(data) & 0xff 36 | 37 | def gen_string(s : str, size : int): 38 | s = s.encode('ascii') 39 | if len(s) > size: 40 | raise ValueError("String of size {} is too large for field of size {}".format(len(s), size)) 41 | 42 | padding = b'\xff' * (size - len(s)) 43 | return s + padding 44 | 45 | def gen_config(chip : str): 46 | usb_pid = CHIP_INFO[chip][1] 47 | 48 | # Unknown 49 | config = b'\xff' * 4 50 | 51 | # Strings 52 | config += gen_string("0" * 16, 20) # Serial number 53 | config += gen_string("ASMedia", 36) # EP0 Manufacturer String 54 | config += gen_string("ASMT", 8) # T10 Manufacturer String 55 | config += gen_string("ASM236x series", 32) # EP0 Product String 56 | config += gen_string("ASM236x NVMe", 16) # T10 Product String 57 | 58 | # USB VID, PID, and device BCD 59 | config += struct.pack(' 5 | # 6 | # Permission to use, copy, modify, and/or distribute this software for 7 | # any purpose with or without fee is hereby granted. 8 | # 9 | # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL 10 | # WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED 11 | # WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE 12 | # AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL 13 | # DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR 14 | # PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER 15 | # TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 16 | # PERFORMANCE OF THIS SOFTWARE. 17 | 18 | 19 | import struct 20 | 21 | 22 | BRIGHTNESS: int = 255 23 | HOLD_TIME: int = 0 24 | TRANSITION_TIME: int = 2 25 | 26 | #LEVELS: tuple[int, int, int, int] = (0, 0, 0, 255) 27 | #LEVELS: tuple[int, int, int, int] = (0x00, 0x55, 0xaa, 0xff) 28 | #LEVELS: tuple[int, int, int, int] = (0, 22, 61, 255) 29 | LEVELS: tuple[int, int, int, int] = (0, 28, 113, 255) 30 | #LEVELS: tuple[int, int, int, int] = (0, 0, 17, 255) 31 | 32 | LEVEL_PATTERNS: tuple[tuple[int, int, int, int], tuple[int, int, int, int]] = ( 33 | (LEVELS[3], LEVELS[2], LEVELS[1], LEVELS[0]), 34 | (LEVELS[2], LEVELS[3], LEVELS[2], LEVELS[1]), 35 | ) 36 | 37 | 38 | def main() -> None: 39 | for i in range(4): 40 | brightness_pattern: tuple[int, int, int, int, int, int, int, int] 41 | if i < 2: 42 | brightness_pattern = LEVEL_PATTERNS[i] + LEVEL_PATTERNS[i][::-1] 43 | else: 44 | brightness_pattern = LEVEL_PATTERNS[3-i][::-1] + LEVEL_PATTERNS[3-i] 45 | 46 | red: int = 255 47 | green: int = 0 48 | blue: int = 0 49 | color_pattern: list[int] = [((red << 24) | (green << 16) | (blue << 8) | brightness) for brightness in brightness_pattern] 50 | 51 | # Command format: 52 | # - Command: 0xD2 53 | # - Magic: "SetLed" 54 | # - LED index: 2-5 55 | # - I2C mode (?): 0x21 56 | # - Padding byte: 0 57 | # - Data size: 39 bytes 58 | # - Padding bytes: Five null bytes 59 | # 60 | # Data format: 61 | # - Mode: Custom (0x04) 62 | # - Global brightness: 0-255 63 | # - Number of states for the LED: 1-8 64 | # - State hold time (tenths of one second): 0-255 65 | # - Padding byte: 0 66 | # - State transition time (tenths of one second): 0-255 67 | # - Padding byte: 0 68 | # - LED states (1-8): 69 | # - Red: 0-255 70 | # - Green: 0-255 71 | # - Blue: 0-255 72 | # - Brightness: 0-255 73 | print("echo {} | xxd -r -ps | sg_raw -s 39 /dev/sg0 d2 53 65 74 4c 65 64 {:02x} 21 00 27 00 00 00 00 00".format( 74 | struct.pack('>BBBBxBxIIIIIIII', 4, BRIGHTNESS, 8, HOLD_TIME, TRANSITION_TIME, *color_pattern).hex(), 2+i)) 75 | 76 | 77 | if __name__ == "__main__": 78 | main() 79 | -------------------------------------------------------------------------------- /COPYING.txt: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | 623 | How to Apply These Terms to Your New Programs 624 | 625 | If you develop a new program, and you want it to be of the greatest 626 | possible use to the public, the best way to achieve this is to make it 627 | free software which everyone can redistribute and change under these terms. 628 | 629 | To do so, attach the following notices to the program. It is safest 630 | to attach them to the start of each source file to most effectively 631 | state the exclusion of warranty; and each file should have at least 632 | the "copyright" line and a pointer to where the full notice is found. 633 | 634 | 635 | Copyright (C) 636 | 637 | This program is free software: you can redistribute it and/or modify 638 | it under the terms of the GNU General Public License as published by 639 | the Free Software Foundation, either version 3 of the License, or 640 | (at your option) any later version. 641 | 642 | This program is distributed in the hope that it will be useful, 643 | but WITHOUT ANY WARRANTY; without even the implied warranty of 644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 645 | GNU General Public License for more details. 646 | 647 | You should have received a copy of the GNU General Public License 648 | along with this program. If not, see . 649 | 650 | Also add information on how to contact you by electronic and paper mail. 651 | 652 | If the program does terminal interaction, make it output a short 653 | notice like this when it starts in an interactive mode: 654 | 655 | Copyright (C) 656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 657 | This is free software, and you are welcome to redistribute it 658 | under certain conditions; type `show c' for details. 659 | 660 | The hypothetical commands `show w' and `show c' should show the appropriate 661 | parts of the General Public License. Of course, your program's commands 662 | might be different; for a GUI interface, you would use an "about box". 663 | 664 | You should also get your employer (if you work as a programmer) or school, 665 | if any, to sign a "copyright disclaimer" for the program, if necessary. 666 | For more information on this, and how to apply and follow the GNU GPL, see 667 | . 668 | 669 | The GNU General Public License does not permit incorporating your program 670 | into proprietary programs. If your program is a subroutine library, you 671 | may consider it more useful to permit linking proprietary applications with 672 | the library. If this is what you want to do, use the GNU Lesser General 673 | Public License instead of this License. But first, please read 674 | . 675 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # USB to PCIe Reverse Engineering 2 | 3 | 4 | ## Introduction 5 | 6 | There are several chips on the market that support translating USB to NVMe/PCIe: 7 | 8 | * ASMedia 9 | * [ASM2362][ASM2362]: USB 3.x Gen 2×1 to PCIe 3.x ×2 10 | * [ASM2364][ASM2364]: USB 3.x Gen 2×2 to PCIe 3.x ×4 11 | * [ASM2464PD][ASM2464PD]: USB4 Gen 3×2 / Thunderbolt 3 to PCIe 4.x ×4 12 | * [ASM2464PDX][ASM2464PDX]: USB4 Gen 3×2 / Thunderbolt 3 to PCIe 4.x ×4 + 13 | integrated PCIe switch with up to four downstream ports (one ×4 port, two ×2 ports, four ×1 ports, or one ×2 port + two ×1 ports) 14 | * JMicron 15 | * [JMS581][JMS581]: USB 3.x Gen 2×1 to PCIe 3.x ×2 (NVMe) / SATA 3 / SD Express 16 | * [JMS583][JMS583]: USB 3.x Gen 2×1 to PCIe 3.x ×2 (NVMe) 17 | * [JMS586A][JMS586A]: USB 3.x Gen 2×2 to PCIe 3.x ×2 (NVMe) + PCIe 3.x ×2 (AHCI) 18 | * [JMS586U][JMS586U]: USB 3.x Gen 2×2 to PCIe 3.x ×2 (NVMe) + PCIe 3.x ×2 (NVMe/AHCI) 19 | * Realtek 20 | * [RTL9210B-CG][RTL9210B]: USB 3.x Gen 2×1 to PCIe 3.x ×2 / SATA 3 21 | * [RTL9211DS-CG][RTL9211DS]: USB 3.x Gen 2×1 to PCIe 3.x ×2 / SD Express 22 | 23 | This project will focus on the ASMedia controllers, for now. 24 | 25 | 26 | ## Sub-projects 27 | 28 | * [ASM2x6x](ASM2x6x) 29 | * [RTL921x](RTL921x) 30 | 31 | 32 | ## License 33 | 34 | Except where otherwise stated: 35 | 36 | * All software in this repository (e.g., tools for unpacking and generating 37 | firmware, etc.) is made available under the 38 | [GNU General Public License, version 3 or later][gpl]. 39 | * All copyrightable content that is not software (e.g., reverse engineering 40 | notes, this README file, etc.) is licensed under the 41 | [Creative Commons Attribution-ShareAlike 4.0 International License][cc-by-sa]. 42 | 43 | 44 | [ASM2362]: https://web.archive.org/web/20220608104342/https://www.asmedia.com.tw/product/Ee1YQF9sX7yyajH5/C5cYq34qpByQ6jm6 45 | [ASM2364]: https://web.archive.org/web/20220703204756/https://www.asmedia.com.tw/product/BD5YqfdsPDqXFqi3/BF2yq24XzDuS5Tr4 46 | [ASM2464PD]: https://web.archive.org/web/20231113020255/https://www.asmedia.com.tw/product/802zX91Yw3tsFgm4/C64ZX59yu4sY1GW5 47 | [ASM2464PDX]: https://web.archive.org/web/20231113020241/https://www.asmedia.com.tw/product/bDFzXa0ip1YI7Wj1/C64ZX59yu4sY1GW5 48 | [JMS581]: https://web.archive.org/web/20210511190218if_/https://www.jmicron.com/file/download/1081/Product+Brief+of+JMS581LT.pdf 49 | [JMS583]: https://web.archive.org/web/20201218070451if_/https://www.jmicron.com/file/download/1012/JMS583_Product+Brief.pdf 50 | [JMS586A]: https://web.archive.org/web/20220703210408if_/https://www.jmicron.com/file/download/1171/Product+Brief+of+JMS586A+%28Rev.1.00%29.pdf 51 | [JMS586U]: https://web.archive.org/web/20220703210414if_/https://www.jmicron.com/file/download/1172/Product+Brief+of+JMS586U+%28Rev.1.00%29.pdf 52 | [RTL9210B]: https://web.archive.org/web/20220407194447/https://www.realtek.com/en/products/communications-network-ics/item/rtl9210b-cg 53 | [RTL9211DS]: https://web.archive.org/web/20230414021200/https://www.realtek.com/en/products/communications-network-ics/item/rtl9211ds-cg 54 | [gpl]: COPYING.txt 55 | [cc-by-sa]: https://creativecommons.org/licenses/by-sa/4.0/ 56 | -------------------------------------------------------------------------------- /RTL921x/Notes.md: -------------------------------------------------------------------------------- 1 | # RTL921x Reverse Engineering Notes 2 | 3 | 4 | ## Hardware information 5 | 6 | - CPU is some variant of MIPS. 7 | - UART 8 | - Runs at 9600 baud by default. 9 | - 25 MHz clock. 10 | - Memory map 11 | - `0x8C000000-0x8C1FFFFF`: 2 MB Mask ROM? 12 | - `0x8C200000-0x8C3FFFFF`: Mirror of `0x8C000000-0x8C1FFFFF` 13 | - `0x8C400000-0x8C5FFFFF`: Mirror of `0x8C000000-0x8C1FFFFF` 14 | - `0x8C600000-0x8C7FFFFF`: Mirror of `0x8C000000-0x8C1FFFFF` 15 | - `0x8C800000-0x8C9FFFFF`: Mirror of `0x8C000000-0x8C1FFFFF` 16 | - `0x8CA00000-0x8CBFFFFF`: Mirror of `0x8C000000-0x8C1FFFFF` 17 | - `0x8CC00000-0x8CDFFFFF`: Mirror of `0x8C000000-0x8C1FFFFF` 18 | - `0x8CE00000-0x8CFFFFFF`: Mirror of `0x8C000000-0x8C1FFFFF` 19 | - `0x8D000000-0x8D1FFFFF`: Mirror of `0x8C000000-0x8C1FFFFF` 20 | - `0x8D200000-0x8D3FFFFF`: Mirror of `0x8C000000-0x8C1FFFFF` 21 | - `0x8D400000-0x8D5FFFFF`: Mirror of `0x8C000000-0x8C1FFFFF` 22 | - `0x8D600000-0x8D7FFFFF`: Mirror of `0x8C000000-0x8C1FFFFF` 23 | - `0x8D800000-0x8D9FFFFF`: Mirror of `0x8C000000-0x8C1FFFFF` 24 | - `0x8DA00000-0x8DBFFFFF`: Mirror of `0x8C000000-0x8C1FFFFF` 25 | - `0x8DC00000-0x8DDFFFFF`: Mirror of `0x8C000000-0x8C1FFFFF` 26 | - `0x8DE00000-0x8DFFFFFF`: Mirror of `0x8C000000-0x8C1FFFFF` 27 | 28 | 29 | ## Firmware information 30 | 31 | - Firmware is based on µC/OS-II. 32 | - Some of the firmware exists in mask ROM. 33 | - The firmware on flash is either loaded into RAM or executed in place (XIP). 34 | - Need to confirm with SPI trace. 35 | 36 | 37 | ## USB protocol 38 | 39 | Vendor SCSI commands. 40 | 41 | - `e2 00 00 00 a2 00 00 00 c8 00 50 b3 04 00 00 00` 42 | - Get "IC Ver" 43 | - 4B response: `01 00 01 a0 (0xa0010001)` 44 | - `e2 00 00 00 92 00 00 00 c4 00 50 b3 04 00 00 00` 45 | - 4B response: `00 00 00 00` 46 | - `e2 00 00 00 a2 00 00 00 5c 00 50 b3 04 00 00 00` 47 | - 4B response: `b0 65 d9 03 (0x03d965b0)` 48 | - `e2 00 00 00 92 00 00 00 00 40 00 ac 60 00 00 00` 49 | - Get NVDATA? 50 | - 96B response 51 | - `e2 00 00 00 92 00 00 00 00 40 00 ac 00 10 00 00` 52 | - Get NVDATA? 53 | - 4096B response 54 | - `e2 00 00 00 a2 00 00 00 0c c7 00 b3 04 00 00 00` 55 | - 4B response: `8c ae 82 00 (0x0082ae8c)` 56 | - `e2 00 00 00 a2 00 00 00 f8 00 50 b3 01 00 00 00` 57 | - 1B response: `00` 58 | - `e2 00 00 00 a6 00 00 00 00 00 00 00 01 00 00 00` 59 | - 1B response: `01` 60 | - `e2 00 00 00 96 00 00 00 00 00 00 00 c0 00 00 00` 61 | - Get EFUSE 62 | - 192B response 63 | -------------------------------------------------------------------------------- /RTL921x/README.md: -------------------------------------------------------------------------------- 1 | # RTL921x Reverse Engineering 2 | 3 | 4 | ## Quick start 5 | 6 | 7 | ### Software dependencies 8 | 9 | * Python 3 10 | * `rtl921x_tool.py`: 11 | * [cython-sgio][cython-sgio] 12 | 13 | 14 | ## Reverse engineering notes 15 | 16 | See [Notes.md](Notes.md). 17 | 18 | 19 | [cython-sgio]: https://pypi.org/project/cython-sgio/ 20 | -------------------------------------------------------------------------------- /RTL921x/firmware/download.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # SPDX-License-Identifier: 0BSD 3 | 4 | # Copyright (C) 2023 by Forest Crossman 5 | # 6 | # Permission to use, copy, modify, and/or distribute this software for 7 | # any purpose with or without fee is hereby granted. 8 | # 9 | # THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL 10 | # WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED 11 | # WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE 12 | # AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL 13 | # DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR 14 | # PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER 15 | # TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 16 | # PERFORMANCE OF THIS SOFTWARE. 17 | 18 | 19 | wget \ 20 | --directory-prefix downloads \ 21 | --content-disposition \ 22 | --input-file urls.txt 23 | 24 | curl -o downloads/JEYI_TFT-ScreenTFT显示屏-黑豹.zip https://web.archive.org/web/20231223012213if_/https://cdn.shoplazza.com/2dcf436d7b82d3b29b2ba0e1456bf083.zip 25 | curl -o downloads/JEYI_With_Screen带显示屏i9x[1].zip https://web.archive.org/web/20231223013545if_/https://cdn.shoplazza.com/fa7dd28e3727765b4c29e90a9f677d0f.zip 26 | -------------------------------------------------------------------------------- /RTL921x/firmware/downloads/.gitignore: -------------------------------------------------------------------------------- 1 | * 2 | !.gitignore 3 | -------------------------------------------------------------------------------- /RTL921x/firmware/urls.txt: -------------------------------------------------------------------------------- 1 | https://plugable.s3.amazonaws.com/bin/Realtek/USBC-NVME_RealtekFirmware202003.zip 2 | https://media.plugable.com/downloads/drivers/products/usbc-nvme/usbc-nvme_realtekfirmware202101.zip 3 | https://media.plugable.com/downloads/drivers/products/usbc-nvme/usbc-nvme_realtekfirmware202112.zip 4 | -------------------------------------------------------------------------------- /RTL921x/rtl921x_tool.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # SPDX-License-Identifier: GPL-3.0-or-later 3 | 4 | # rtl921x_tool.py - A tool to interact with RTL921x devices over USB. 5 | # Copyright (C) 2023 Forest Crossman 6 | # 7 | # This program is free software: you can redistribute it and/or modify 8 | # it under the terms of the GNU General Public License as published by 9 | # the Free Software Foundation, either version 3 of the License, or 10 | # (at your option) any later version. 11 | # 12 | # This program is distributed in the hope that it will be useful, 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | # GNU General Public License for more details. 16 | # 17 | # You should have received a copy of the GNU General Public License 18 | # along with this program. If not, see . 19 | 20 | 21 | import argparse 22 | import os 23 | import struct 24 | import sys 25 | import time 26 | 27 | try: 28 | import sgio 29 | except ModuleNotFoundError: 30 | sys.stderr.write("Error: Failed to import \"sgio\". Please install \"cython-sgio\", then try running this script again.\n") 31 | sys.exit(1) 32 | 33 | 34 | class Rtl921x: 35 | def __init__(self, dev_path): 36 | self._file = os.fdopen(os.open(dev_path, os.O_RDWR | os.O_NONBLOCK)) 37 | 38 | def read(self, start_addr, read_len, stride=4096): 39 | data = bytearray(read_len) 40 | 41 | for i in range(0, read_len, stride): 42 | remaining = read_len - i 43 | buf_len = min(stride, remaining) 44 | 45 | cdb = struct.pack(' 0 75 | 76 | output = None 77 | if args.output: 78 | output = open(args.output, 'wb') 79 | 80 | start_ns = time.perf_counter_ns() 81 | data = bytearray(read_len) 82 | for i in range(0, read_len, stride): 83 | remaining = read_len - i 84 | buf_len = min(stride, remaining) 85 | 86 | buf = dev.read(start_addr + i, buf_len, stride) 87 | 88 | if output: 89 | output.write(buf) 90 | end_ns = time.perf_counter_ns() 91 | elapsed = end_ns - start_ns 92 | print("Read {} bytes in {:.6f} seconds ({} bytes per second).".format( 93 | len(data), elapsed/1e9, int(len(data)*1e9) // elapsed)) 94 | 95 | if not args.quiet: 96 | print("MEM[0x{:04X}:0x{:04X}]: {} {}".format(start_addr, start_addr+read_len, data.hex(), data)) 97 | 98 | return 0 99 | 100 | def main(): 101 | parser = argparse.ArgumentParser() 102 | parser.add_argument("-d", "--device", default="/dev/sg0", help="The RTL921x SCSI/SG_IO device. Default: /dev/sg0") 103 | 104 | subparsers = parser.add_subparsers(dest="command", required=True, help="Subcommands.") 105 | 106 | parser_info = subparsers.add_parser("info") 107 | parser_info.set_defaults(func=info) 108 | 109 | parser_read = subparsers.add_parser("read") 110 | parser_read.add_argument("-o", "--output", type=str, default=None, help="The file to write the memory to.") 111 | parser_read.add_argument("-q", "--quiet", action='store_true', default=False, help="Don't print memory contents. Default: False") 112 | parser_read.add_argument("-s", "--stride", type=int, default=4096, help="The number of bytes to read with each SCSI command. Min: 1, Max: Unknown, Default: 4096") 113 | parser_read.add_argument("-l", "--length", type=int, default=1, help="The total number of bytes to read. Default: 1") 114 | parser_read.add_argument("address", type=str, help="The address to start the read from, in hexadecimal.") 115 | parser_read.set_defaults(func=read) 116 | 117 | args = parser.parse_args() 118 | 119 | # Initialize the device object. 120 | dev = Rtl921x(args.device) 121 | 122 | return args.func(args, dev) 123 | 124 | 125 | if __name__ == "__main__": 126 | sys.exit(main()) 127 | --------------------------------------------------------------------------------