Friday, March 27, 2015

Windows IoT requires Intel Galileo 2 firmware update

The current release of Windows IoT (released on 12 March 2015, OS image 9600.16384.x86fre.winblue_rtm_iotbuild.150309-310_galileo_v2.wim) requires an Intel Galileo 2 firmware update to version 1.0.4. Without the update some functionality is unavailable; for example, a GPIO device can't be opened for communication.

The new firmware and update instructions can be found at https://downloadcenter.intel.com/download/24748

Thursday, March 26, 2015

A snapshot of registers for Windows IoT running on Intel Galileo 2

Just for the record. The snapshot was made via a JTAG debugger.

> reg
===== lakemont registers
(0) eax (/32): 0x86FB2D92
(1) ecx (/32): 0x803CF2D8
(2) edx (/32): 0x00000000
(3) ebx (/32): 0x803CEAE8
(4) esp (/32): 0x82DB5C24
(5) ebp (/32): 0x82DB5CCC
(6) esi (/32): 0x8201A120
(7) edi (/32): 0x00000000
(8) eip (/32): 0x86FB2D96
(9) eflags (/32): 0x00000246
(10) cs (/32): 0x00000008
(11) ss (/32): 0x00000010
(12) ds (/32): 0x00000023
(13) es (/32): 0x00000023
(14) fs (/32): 0x00000030
(15) gs (/32): 0x00000000
(16) st0 (/32)
(17) st1 (/32)
(18) st2 (/32)
(19) st3 (/32)
(20) st4 (/32)
(21) st5 (/32)
(22) st6 (/32)
(23) st7 (/32)
(24) fctrl (/32)
(25) fstat (/32)
(26) ftag (/32)
(27) fiseg (/32)
(28) fioff (/32)
(29) foseg (/32)
(30) fooff (/32)
(31) fop (/32)
(32) cr0 (/32): 0x80010033
(33) cr2 (/32): 0x00C6F52C
(34) cr3 (/32): 0x001A5000
(35) cr4 (/32): 0x001000A8
(36) dr0 (/32): 0x00000000
(37) dr1 (/32): 0x00000000
(38) dr2 (/32): 0x00000000
(39) dr3 (/32): 0x00000000
(40) dr6 (/32): 0xFFFF0FF0
(41) dr7 (/32): 0x00000000
(42) idtbase (/32): 0x82680FC8
(43) idtlimit (/32): 0x000007FF
(44) idtar (/32): 0xFFFFFFFF
(45) gdtbase (/32): 0x81269000
(46) gdtlimit (/32): 0x000003FF
(47) gdtar (/32): 0xFFFFFFFF
(48) tr (/32): 0x00000028
(49) ldtr (/32): 0x00000000
(50) ldbase (/32): 0x00000000
(51) ldlimit (/32): 0x0000FFFF
(52) ldtar (/32): 0xFFFF7FFF
(53) csbase (/32): 0x00000000
(54) cslimit (/32): 0xFFFFFFFF
(55) csar (/32): 0xFFFF9BFF
(56) dsbase (/32): 0x00000000
(57) dslimit (/32): 0xFFFFFFFF
(58) dsar (/32): 0xFFFFF3FF
(59) esbase (/32): 0x00000000
(60) eslimit (/32): 0xFFFFFFFF
(61) esar (/32): 0xFFFFF3FF
(62) fsbase (/32): 0x8201A000
(63) fslimit (/32): 0x00004628
(64) fsar (/32): 0xFF7F93FF
(65) gsbase (/32): 0x00000000
(66) gslimit (/32): 0xFFFFFFFF
(67) gsar (/32): 0xFF3F11FF
(68) ssbase (/32): 0x00000000
(69) sslimit (/32): 0xFFFFFFFF
(70) ssar (/32): 0xFFFF93FF
(71) tssbase (/32): 0x81266000
(72) tsslimit (/32): 0x000020AB
(73) tssar (/32): 0xFFFFFFFF
(74) pmcr (/32): 0x00000000
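
As an added example (not part of the original post), the following Python code parses reg output in the format shown above and decodes the control-register bits and segment selectors. The bit tables follow the Intel SDM; the function names are hypothetical, and the sample lines are copied from the snapshot.

```python
import re

# Sample input: a few lines copied from the reg snapshot above.
SAMPLE = """\
(10) cs (/32): 0x00000008
(12) ds (/32): 0x00000023
(14) fs (/32): 0x00000030
(16) st0 (/32)
(32) cr0 (/32): 0x80010033
(35) cr4 (/32): 0x001000A8
(48) tr (/32): 0x00000028
"""

# Architectural bit positions of the IA-32 control registers (Intel SDM).
CR0_BITS = {0: "PE", 1: "MP", 2: "EM", 3: "TS", 4: "ET", 5: "NE",
            16: "WP", 18: "AM", 29: "NW", 30: "CD", 31: "PG"}
CR4_BITS = {0: "VME", 1: "PVI", 2: "TSD", 3: "DE", 4: "PSE", 5: "PAE",
            6: "MCE", 7: "PGE", 8: "PCE", 9: "OSFXSR", 10: "OSXMMEXCPT",
            20: "SMEP"}
# "(index) name (/width)" optionally followed by ": 0xVALUE".
REG_LINE = re.compile(r"^\(\d+\)\s+(\w+)\s+\(/\d+\)(?::\s+0x([0-9A-Fa-f]+))?\s*$")

def parse_reg_dump(text):
    """Return {name: value}; registers printed without a value map to None."""
    regs = {}
    for line in text.splitlines():
        m = REG_LINE.match(line.strip())
        if m:
            regs[m.group(1)] = int(m.group(2), 16) if m.group(2) else None
    return regs

def decode_flags(value, table):
    """Names of the set bits, lowest first; unnamed set bits become 'bitN'."""
    return [table.get(b, f"bit{b}") for b in range(32) if (value >> b) & 1]

def decode_selector(sel):
    """Split a segment selector into descriptor index, table and RPL."""
    return {"index": sel >> 3, "table": "LDT" if sel & 4 else "GDT", "rpl": sel & 3}

if __name__ == "__main__":
    regs = parse_reg_dump(SAMPLE)
    print("cr0:", decode_flags(regs["cr0"], CR0_BITS))
    print("cr4:", decode_flags(regs["cr4"], CR4_BITS))
    for name in ("cs", "ds", "fs", "tr"):
        print(name, decode_selector(regs[name]))
```

On this snapshot cr4 decodes to DE, PAE, PGE and SMEP, and ds carries RPL 3 while cs, fs and tr are ring-0 selectors in the GDT.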

JTAG: Windows IoT debugging on Intel Galileo 2

As promised, I will outline the steps to debug the Windows IoT kernel running on Intel Galileo using the JTAG interface. Why would anybody need this? The JTAG interface gives more power over the hardware and provides deeper insight into the hardware state.

  For debugging over JTAG from a Windows host you will need

    - a hardware JTAG debugger, I use OLIMEX ARM-USB-OCD-H
    - an adapter from JTAG debugger to 10 pin connector, e.g. ARM-JTAG-20-10
    - OpenOCD to communicate with JTAG debugger and provide a debug server connection for GDB
    - MinGW for GDB

After everything has been assembled it looks like this
  


Then you need to start OpenOCD from a cmd prompt by executing the following command:
openocd-x64-0.9.0-dev.exe -f interface/ftdi/olimex-arm-usb-ocd-h.cfg -f target/quark_x10xx.cfg

For example, this is the output on my PC


This provides you with a GDB server on port 3333 and a telnet connection to OpenOCD on port 4444. You can connect GDB to the server by issuing the command target remote localhost:3333 in GDB, for example


 
You can also connect to OpenOCD via your favorite telnet client; mine is PuTTY.







Monday, March 23, 2015

IRP dispatching in WDF

Just for the record. A call stack for PnP IRP dispatching by WDF.

Wdf01000!FxPkgPnp::Dispatch
Wdf01000!FxDevice::DispatchPreprocessedIrp
Wdf01000!imp_WdfDeviceWdmDispatchPreprocessedIrp
msisadrv!MsIsaPnPIrpPreProcessingCallback
Wdf01000!FxDevice::DispatchWithLock
nt!IovCallDriver
nt!IopSynchronousCall
nt!IopQueryLegacyBusInformation
nt!PipCallDriverAddDevice
nt!PipProcessDevNodeTree
nt!PnpDeviceActionWorker
nt!PnpRequestDeviceAction
nt!IopInitializeBootDrivers
nt!IoInitSystem
nt!Phase1InitializationDiscard
nt!Phase1Initialization
nt!PspSystemThreadStartup
nt!KiStartSystemThread

WDF: When is WdfDriverGlobals allocated?

Just for the record, a call stack when WdfDriverGlobals was allocated for a driver loaded at system boot.

 # Child-SP          RetAddr           Call Site
00 ffffd000`201a6188 fffff800`0047eaf9 Wdf01000!FxAllocateDriverGlobals
01 ffffd000`201a6190 fffff800`0047ea1a Wdf01000!FxLibraryCommonRegisterClient+0xa5
02 ffffd000`201a61d0 fffff800`0052b0ce Wdf01000!LibraryRegisterClient+0x5b
03 ffffd000`201a62e0 fffff800`0053109a WDFLDR!WdfVersionBind+0xce
04 ffffd000`201a6350 fffff800`9d91ab66 acpiex!FxDriverEntryWorker+0x6a
05 ffffd000`201a6380 fffff800`9d91a74f nt!IopInitializeBuiltinDriver+0x35a
06 ffffd000`201a6460 fffff800`9d919817 nt!PnpInitializeBootStartDriver+0x197
07 ffffd000`201a6590 fffff800`9d919c7c nt!IopInitializeCoreDrivers+0xdb
08 ffffd000`201a6610 fffff800`9d910026 nt!IopInitializeBootDrivers+0x134
09 ffffd000`201a68b0 fffff800`9d8fe94d nt!IoInitSystem+0x91e
0a ffffd000`201a69d0 fffff800`9d702ed1 nt!Phase1InitializationDiscard+0xe61
0b ffffd000`201a6bd0 fffff800`9d2f5c80 nt!Phase1Initialization+0x9
0c ffffd000`201a6c00 fffff800`9d3662c6 nt!PspSystemThreadStartup+0x58
0d ffffd000`201a6c60 00000000`00000000 nt!KiStartSystemThread+0x16


And for a driver loaded after system boot, after a USB stick had been plugged in:

00 ffffd000`20912fe8 fffff800`0047eaf9 Wdf01000!FxAllocateDriverGlobals
01 ffffd000`20912ff0 fffff800`0047ea1a Wdf01000!FxLibraryCommonRegisterClient+0xa5
02 ffffd000`20913030 fffff800`0052b0ce Wdf01000!LibraryRegisterClient+0x5b
03 ffffd000`20913140 fffff800`02d2b3f7 WDFLDR!WdfVersionBind+0xce
04 ffffd000`209131b0 fffff800`9d646742 WpdUpFltr!FxDriverEntryWorker+0x77
05 ffffd000`209131e0 fffff800`9d653b47 nt!IopLoadDriver+0x5e2
06 ffffd000`209134a0 fffff800`9d604e45 nt!PipCallDriverAddDeviceQueryRoutine+0x25f
07 ffffd000`209135c0 fffff800`9d604b1c nt!PnpCallDriverQueryServiceHelper+0x121
08 ffffd000`20913630 fffff800`9d603f9f nt!PipCallDriverAddDevice+0x59c
09 ffffd000`209137d0 fffff800`9d69eb17 nt!PipProcessDevNodeTree+0x1cf
0a ffffd000`20913a50 fffff800`9d2fc033 nt!PiRestartDevice+0xaf
0b ffffd000`20913aa0 fffff800`9d24c65d nt!PnpDeviceActionWorker+0x3a3
0c ffffd000`20913b50 fffff800`9d2f5c80 nt!ExpWorkerThread+0x2b5
0d ffffd000`20913c00 fffff800`9d3662c6 nt!PspSystemThreadStartup+0x58
0e ffffd000`20913c60 00000000`00000000 nt!KiStartSystemThread+0x16

FxDriverEntryWorker is called by FxDriverEntry via a jmp instruction, so there is no call frame for FxDriverEntry on the stack. FxDriverEntry is the real driver entry function for WDF drivers.

Thursday, March 19, 2015

WDF is now open source

Finally, WDF has been made an open source project in preparation for the Windows 10 and Windows IoT releases.

https://github.com/Microsoft/Windows-driver-frameworks

It took nearly 10 years after the first promise to open source WDF.

Thursday, March 12, 2015

WinDBG: Kernel Debugging Windows for IoT on Intel Galileo 2

When I read about Windows IoT my first question was "Can I debug it in kernel mode?". It turned out that yes, I can. Officially there is no information about kernel debugging, but Windows IoT is a subset of Windows 10, so in theory it looked possible.
There were two options
   - debugging via JTAG
   - debugging via WinDBG

I will elaborate on JTAG debugging later. Now let's talk about the WinDBG option. It turned out that Microsoft left the door open: the image of Windows IoT released in November 2014 for Intel Galileo 2 had kernel debugging enabled via the serial port at a speed of 115200 bps.

This is a picture of a board with an attached serial-to-USB converter. 



Be cautious, as Intel Galileo 2 uses an Arduino-style pinout that differs from standard FTDI adapters. Also, Intel Galileo 2 uses 3.3 V TTL logic for serial port communication, while some FTDI adapters have 5 V TTL logic. Do not confuse this with the 5 V VOUT, which is not connected to anything on Intel Galileo 2.

I use a USB Serial Adapter from Freetronics, which has a 3.3-5 V switch and an Arduino pinout.


After setting everything up, WinDBG shows familiar output and you can break into the kernel, though there are no symbol files on the Microsoft symbol server, as Microsoft did not expect anybody outside MS to perform kernel-mode debugging of Windows IoT.



For example, a list of drivers and kernel modules reported by WinDBG:

kd> lm n t
start    end        module name
77450000 775b5000   ntdll    ntdll.dll    Fri Nov 14 19:41:52 2014 (5466CB80)
8043d000 80487000   CLFS     CLFS.SYS     Fri Nov 14 19:39:46 2014 (5466CB02)
80487000 804a2000   tm       tm.sys       Fri Nov 14 17:30:37 2014 (5466ACBD)
804a2000 804b5000   PSHED    PSHED.dll    Fri Nov 14 20:24:25 2014 (5466D579)
804b5000 804be000   BOOTVID  BOOTVID.dll  Fri Nov 14 19:40:17 2014 (5466CB21)
804be000 804c7000   ksecext  ksecext.sys  Fri Nov 14 19:40:14 2014 (5466CB1E)
804c7000 80541000   CI       CI.dll       Fri Nov 14 19:37:50 2014 (5466CA8E)
80541000 80572000   msrpc    msrpc.sys    Fri Nov 14 19:39:02 2014 (5466CAD6)
80572000 805aa000   pci      pci.sys      Fri Nov 14 19:38:15 2014 (5466CAA7)
805aa000 805dc000   sdbus    sdbus.sys    Fri Nov 14 19:39:00 2014 (5466CAD4)
80a8a000 80a93000   kdcom    kdcom.dll    Fri Nov 14 19:40:18 2014 (5466CB22)
8161b000 81674000   hal      halmacpi.dll Fri Nov 14 19:40:32 2014 (5466CB30)
81674000 81c22000   nt       ntkrpamp.exe Fri Nov 14 17:36:32 2014 (5466AE20)
81e00000 81e11000   mup      mup.sys      Fri Nov 14 19:40:18 2014 (5466CB22)
81e11000 81e19000   minvol   minvol.sys   Fri Nov 14 19:40:05 2014 (5466CB15)
81e19000 81e30000   disk     disk.sys     Fri Nov 14 19:39:39 2014 (5466CAFB)
81e33000 81e79000   fltmgr   fltmgr.sys   Fri Nov 14 19:40:05 2014 (5466CB15)
81e79000 81e8b000   fileinfo fileinfo.sys Fri Nov 14 19:38:31 2014 (5466CAB7)
81e8b000 81e9e000   WimFsf   WimFsf.sys   Fri Nov 14 19:38:57 2014 (5466CAD1)
81e9e000 81ecc000   fastfat  fastfat.sys  Fri Nov 14 19:40:10 2014 (5466CB1A)
81ecc000 81ee2000   ksecdd   ksecdd.sys   Fri Nov 14 19:39:08 2014 (5466CADC)
81ee2000 81efe000   usbccgp  usbccgp.sys  Fri Nov 14 19:37:55 2014 (5466CA93)
81efe000 81f08000   USBD     USBD.SYS     Fri Nov 14 19:40:11 2014 (5466CB1B)
81f08000 81f5e000   usbhub   usbhub.sys   Fri Nov 14 19:38:43 2014 (5466CAC3)
81f5e000 81f72000   usbehci  usbehci.sys  Fri Nov 14 19:39:04 2014 (5466CAD8)
81f72000 81fd3000   USBPORT  USBPORT.SYS  Fri Nov 14 19:39:42 2014 (5466CAFE)
81fd3000 81fe1000   pcw      pcw.sys      Fri Nov 14 17:30:36 2014 (5466ACBC)
81fe1000 81fff000   USBSTOR  USBSTOR.SYS  Fri Nov 14 19:37:52 2014 (5466CA90)
82000000 82014000   partmgr  partmgr.sys  Fri Nov 14 19:40:03 2014 (5466CB13)
82018000 820f2000   ndis     ndis.sys     Fri Nov 14 19:38:11 2014 (5466CAA3)
820f2000 82146000   NETIO    NETIO.SYS    Fri Nov 14 19:37:24 2014 (5466CA74)
82146000 8216d000   ksecpkg  ksecpkg.sys  Fri Nov 14 19:37:22 2014 (5466CA72)
8216d000 82180000   wfplwfs  wfplwfs.sys  Fri Nov 14 19:36:35 2014 (5466CA43)
82180000 821c8000   fwpkclnt fwpkclnt.sys Fri Nov 14 19:36:53 2014 (5466CA55)
821c8000 821d5000   condrv   condrv.sys   Fri Nov 14 19:40:07 2014 (5466CB17)
821d5000 821dc400   vmstorfl vmstorfl.sys Fri Nov 14 19:37:01 2014 (5466CA5D)
821dd000 821eaa00   vmbkmcl  vmbkmcl.sys  Fri Nov 14 19:38:37 2014 (5466CABD)
821eb000 821fd000   sdstor   sdstor.sys   Fri Nov 14 19:39:19 2014 (5466CAE7)
8221b000 82266000   CLASSPNP CLASSPNP.SYS Fri Nov 14 17:30:57 2014 (5466ACD1)
82289000 82293000   Fs_Rec   Fs_Rec.SYS   Fri Nov 14 17:30:36 2014 (5466ACBC)
82293000 8229b000   Null     Null.SYS     Fri Nov 14 19:40:13 2014 (5466CB1D)
8229b000 822ab000   BasicDisplay BasicDisplay.sys Fri Nov 14 19:39:16 2014 (5466CAE4)
822ab000 822b8000   watchdog watchdog.sys Fri Nov 14 19:39:37 2014 (5466CAF9)
822b8000 823e1000   dxgkrnl  dxgkrnl.sys  Fri Nov 14 19:37:36 2014 (5466CA80)
84600000 84611000   volmgr   volmgr.sys   Fri Nov 14 19:39:39 2014 (5466CAFB)
84611000 84627000   mountmgr mountmgr.sys Fri Nov 14 19:39:48 2014 (5466CB04)
84628000 846be000   Wdf01000 Wdf01000.sys Fri Nov 14 19:38:59 2014 (5466CAD3)
846be000 846cc000   WDFLDR   WDFLDR.SYS   Fri Nov 14 19:38:43 2014 (5466CAC3)
846cc000 846dd000   acpiex   acpiex.sys   Fri Nov 14 19:37:36 2014 (5466CA80)
846dd000 846e7000   WppRecorder WppRecorder.sys Fri Nov 14 19:39:30 2014 (5466CAF2)
846e7000 84752000   ACPI     ACPI.sys     Fri Nov 14 19:39:10 2014 (5466CADE)
84752000 8475b000   WMILIB   WMILIB.SYS   Fri Nov 14 19:40:12 2014 (5466CB1C)
8475b000 847d0000   cng      cng.sys      Fri Nov 14 19:37:40 2014 (5466CA84)
847d0000 847d8000   msisadrv msisadrv.sys Fri Nov 14 19:38:48 2014 (5466CAC8)
847d8000 847e3000   vdrvroot vdrvroot.sys Fri Nov 14 19:38:36 2014 (5466CABC)
847e3000 847fb000   pdc      pdc.sys      Fri Nov 14 17:30:38 2014 (5466ACBE)
8700f000 87060000   dxgmms1  dxgmms1.sys  Fri Nov 14 19:37:18 2014 (5466CA6E)
87060000 8706c000   BasicRender BasicRender.sys Fri Nov 14 19:39:04 2014 (5466CAD8)
8706c000 8707c000   Npfs     Npfs.SYS     Fri Nov 14 19:40:15 2014 (5466CB1F)
8707c000 87087000   Msfs     Msfs.SYS     Fri Nov 14 19:40:14 2014 (5466CB1E)
87087000 870a1000   tdx      tdx.sys      Fri Nov 14 19:36:46 2014 (5466CA4E)
870a1000 87118000   afd      afd.sys      Fri Nov 14 19:36:56 2014 (5466CA58)
87118000 8716d000   rdbss    rdbss.sys    Fri Nov 14 19:37:30 2014 (5466CA7A)
8716d000 87178000   npsvctrig npsvctrig.sys Fri Nov 14 19:38:19 2014 (5466CAAB)
87178000 87195000   dfsc     dfsc.sys     Fri Nov 14 19:37:59 2014 (5466CA97)
87195000 871ae000   intelppm intelppm.sys Fri Nov 14 17:30:38 2014 (5466ACBE)
871ae000 871d1000   quarkserial quarkserial.sys Mon Mar 17 15:47:17 2014 (53277B75)
871d1000 871dc000   usbohci  usbohci.sys  Fri Nov 14 19:39:14 2014 (5466CAE2)
871dc000 871e6000   stmac6x  stmac6x.sys  Fri Nov 14 19:38:22 2014 (5466CAAE)
871e6000 871ee000   dmap     dmap.sys     Fri Nov 14 19:38:03 2014 (5466CA9B)
871ee000 871f6000   quarklgpio quarklgpio.sys Fri Nov 14 19:38:04 2014 (5466CA9C)
87200000 8720c000   nsiproxy nsiproxy.sys Fri Nov 14 19:36:39 2014 (5466CA47)
87213000 873ea000   tcpip    tcpip.sys    Fri Nov 14 19:39:10 2014 (5466CADE)
873ea000 873f6000   TDI      TDI.SYS      Fri Nov 14 19:38:38 2014 (5466CABE)
873f6000 87400000   kdnic    kdnic.sys    Fri Nov 14 19:38:13 2014 (5466CAA5)

Unloaded modules:
82266000 82289000   cdrom.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  00023000