PostPosted: Fri Sep 12, 2008 10:12 am 
This is a post about learning how to hack and reverse engineer a driver that controls the HP MediaSmart Server (MSS) hardware. The source code for this driver is naturally under lock and key. If you are reading this post and you are the manager of the HP MediaSmart Server drivers, please consider releasing the hardware specs (similar to what you've done with the MediaVault 2120 series) to allow third party developers to create custom drivers (either for Linux, FreeBSD, or other Windows variants whose driver model differs from Windows Server 2003). I am not anti Windows Server 2003. I am simply pro going beyond Windows Server 2003.

It doesn't take a genius to figure out that WNAS.sys inside the Windows\System32\Drivers folder does a lot of the magic to make the HP MediaSmart Server come alive. This driver is no doubt responsible for:

* Controlling the hard drive LEDs (both on and off, and purple, blue or red)
* Reading temperature sensors
* The health LED
* The super secret 256 MB flash disk
* Other things yet to be determined...

But what happens if I want to install another operating system (Ubuntu Linux or perhaps a Microsoft Windows variant) in which the WNAS.sys will not function? I'm starting this post with the hopes that others will join and share their knowledge and we can pool together various knowledge from key individuals so that someone can one day create an open source driver, either via the Linux community or the Windows community so that we can use the MSS without being tied to Windows Server 2003.

Also, I'm doing this because it's fun!

Here is the progress that was made so far (which will be continuously updated as progress is made):

Writes
port: 0x1064, value: 0x7FF7D, result: HDD 2 Blue, all other HD LEDs off
port: 0x1064, value: 0x7FD7E, result: HDD 3 Red, HDD 1 Blue
port: 0x1064, value: 0x7FF7F, result: All HD LEDs off
port: 0x1064, value: 0x7FF7E, result: HDD 1 Blue, all other HD LEDs off
port: 0x1064, value: 0x7FF74, result: HDD 1,2,3 Blue, all other HD LEDs off
port: 0x1064, value: 0x7FF76, result: HDD 1 Blue, HDD 3 Blue, all other HD LEDs off
port: 0x1064, value: 0x7FF75, result: HDD 2,3 Blue, all other HD LEDs off
port: 0x1064, value: 0x7FF7C, result: HDD 1,2 Blue, all other HD LEDs off
port: 0x1064, value: 0x7FFFF, result: Enable secret USB Flash Disk (open Windows Explorer and check it out)

Reads
(nothing here yet...wanna help to fill this in?)

Each post from here on out will be a milestone marker and hopefully a learning tool for the community.


Last edited by cakalapati on Fri Sep 12, 2008 11:01 am, edited 2 times in total.

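The write table in the first post can be turned into a per-bit map by diffing each value against the all-off value 0x7FF7F. This is an added example, not code from the original post or from the WNAS driver; the effect labels and function names are chosen here, and the result covers only the bits that the table's rows exercise.

```python
"""Added example: infer what each bit of the port 0x1064 value does."""

BASELINE = 0x7FF7F  # table row "All HD LEDs off"

# (value written to port 0x1064, observed effects), copied from the table.
# The effect labels are names chosen for this example.
OBSERVATIONS = [
    (0x7FF7E, {"HDD1 blue"}),
    (0x7FF7D, {"HDD2 blue"}),
    (0x7FF7C, {"HDD1 blue", "HDD2 blue"}),
    (0x7FF76, {"HDD1 blue", "HDD3 blue"}),
    (0x7FF75, {"HDD2 blue", "HDD3 blue"}),
    (0x7FF74, {"HDD1 blue", "HDD2 blue", "HDD3 blue"}),
    (0x7FD7E, {"HDD3 red", "HDD1 blue"}),
    (0x7FFFF, {"USB flash disk enabled"}),
]


def changed_bits(value, baseline=BASELINE):
    """Bit positions where value differs from the all-off baseline."""
    diff = value ^ baseline
    return {bit for bit in range(diff.bit_length()) if (diff >> bit) & 1}


def active_level(bit, baseline=BASELINE):
    """Bit value that triggers the effect: the opposite of the baseline bit."""
    return ((baseline >> bit) & 1) ^ 1


def infer_bit_map(observations, baseline=BASELINE):
    """Assign one effect to each changed bit by repeated elimination.

    Returns (mapping, conflicts, unresolved). A conflict is an observation
    that flips an already-mapped bit without reporting that bit's effect.
    """
    pending = [(value, changed_bits(value, baseline), set(effects))
               for value, effects in observations]
    mapping, conflicts = {}, []
    progress = True
    while progress:
        progress = False
        for value, bits, effects in pending:
            # Remove what is already explained by earlier deductions.
            for bit in [b for b in sorted(bits) if b in mapping]:
                if mapping[bit] not in effects:
                    conflicts.append((value, bit, mapping[bit]))
                effects.discard(mapping[bit])
                bits.discard(bit)
            # One unexplained bit and one unexplained effect: they belong together.
            if len(bits) == 1 and len(effects) == 1:
                mapping[bits.pop()] = effects.pop()
                progress = True
    unresolved = [(v, b, e) for v, b, e in pending if b or e]
    return mapping, conflicts, unresolved


def predict(value, mapping, baseline=BASELINE):
    """Effects expected for a value, using only the bits mapped so far."""
    flipped = changed_bits(value, baseline)
    return {effect for bit, effect in mapping.items() if bit in flipped}


if __name__ == "__main__":
    bit_map, conflicts, unresolved = infer_bit_map(OBSERVATIONS)
    for bit in sorted(bit_map):
        print(f"bit {bit:2d} = {active_level(bit)} -> {bit_map[bit]}")
    print("conflicts:", conflicts, "unresolved:", unresolved)
```

On the table's rows, the LED bits come out active-low (cleared to light the LED) and the flash disk bit active-high; any bit no row touches stays unmapped.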
PostPosted: Fri Sep 12, 2008 10:12 am 
If you are interested in joining the hacking, here's what you need to do...

What you will need:
1. A Microsoft Windows desktop computer
2. Your HP MediaSmart Server (you know...the one we want to hack)
3. A VGA cable with serial functionality to do kernel debugging. You can build one here or buy one from here. You will need to connect your desktop computer to your MSS computer via a serial connection.
4. The Intel Assembler Code Table (cheat sheet if you've never done assembly level debugging). You can download it here.

On your desktop computer:
1. Install WinDbg. It's included in a software bundle called "Debugging Tools for Windows" (you can download it here).
2. Install Visual Studio 200x. (You can download the free express edition here).

On your MSS computer:
1. Make sure COM1 is enabled in the BIOS. You can enable it via the instructions here.
2. Install LabVIEW 8.6 (Great for prototyping and testing results via reading and writing raw bits to hardware ports). You can download the evaluation here (571MB). It's good for 30 days. When the evaluation expires, you can uninstall it and reinstall it to restart the counter.
3. Modify the c:\boot.ini file by adding a boot option for debug mode (as seen below). This will allow you to boot Windows Server 2003 with debugging enabled on COM1. When booting, make sure you select the "Windows Server 2003 for Small Business Server [Debug COM1]" option.

Your c:\boot.ini file on the MSS should look like this:
Code:
[boot loader]
timeout=5
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003 for Small Business Server" /noexecute=optout /fastdetect /usepmtimer
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003 for Small Business Server [Debug COM1]" /noexecute=optout /fastdetect /usepmtimer /debug /debugport=COM1 /baudrate=115200


Note: To access your boot.ini file, you can go to "Start-->Settings-->Control Panel-->System-->Advanced-->Startup and Recovery-->Settings-->Edit".
You can also access your c:\boot.ini file by going into "Windows Explorer" and de-selecting "Tools-->Folder Options-->View-->Hide protected operating system files".

The Plan:
* Run the HP MSS Easter Egg to illuminate the LEDs in a controlled and predictable fashion.
* Set breakpoints inside WNAS to see what reads/writes happen to the hardware when toggling the LEDs

First let's copy WNAS.sys onto our desktop computer and let's run a few Visual Studio commands:

Code:
C:\>dumpbin /headers WNAS.sys
Microsoft (R) COFF/PE Dumper Version 7.10.6030
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file WNAS.sys

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)
               7 number of sections
        4625B89C time date stamp Wed Apr 18 01:20:12 2007
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             10E characteristics
                   Executable
                   Line numbers stripped
                   Symbols stripped
                   32 bit word machine

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            7.10 linker version
            9480 size of code
            1680 size of initialized data
               0 size of uninitialized data
            966E entry point (0001966E)
             480 base of code   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< Take note of this !
            8C00 base of data
           10000 image base (00010000 to 0001AF7F) <<<<<<<<<<<<<<<<<<<<<<<<<<<< Take note of this !
              80 section alignment
              80 file alignment
            5.02 operating system version
            5.02 image version
            1.10 subsystem version
               0 Win32 version
            AF80 size of image
             480 size of headers
            B659 checksum
               1 subsystem (Native)
            2400 DLL characteristics
                   No safe exception handler
                   WDM Driver
           40000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
            96B8 [      50] RVA [size] of Import Directory
            9C80 [     D50] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
               0 [       0] RVA [size] of Certificates Directory
            AA00 [     468] RVA [size] of Base Relocation Directory
            8CE0 [      1C] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
            8C00 [      D8] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory


SECTION HEADER #1
   .text name
    874C virtual size
     480 virtual address (00010480 to 00018BCB)
    8780 size of raw data
     480 file pointer to raw data (00000480 to 00008BFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
68000020 flags
         Code
         Not Paged
         Execute Read

SECTION HEADER #2
  .rdata name
     189 virtual size
    8C00 virtual address (00018C00 to 00018D88)
     200 size of raw data
    8C00 file pointer to raw data (00008C00 to 00008DFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
48000040 flags
         Initialized Data
         Not Paged
         Read Only

  Debug Directories

        Time Type       Size      RVA  Pointer
    -------- ------ -------- -------- --------
    4625B89C cv           4D 00008D3C     8D3C    Format: RSDS, {6FBA8CD4-9DFD-4786-9515-067AB2D30A66}, 2, E:\SSafe\070418\Driver\objfre_wnet_x86\i386\WNAS.pdb

SECTION HEADER #3
   .data name
     138 virtual size
    8E00 virtual address (00018E00 to 00018F37)
     180 size of raw data
    8E00 file pointer to raw data (00008E00 to 00008F7F)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C8000040 flags
         Initialized Data
         Not Paged
         Read Write

SECTION HEADER #4
    PAGE name
     5E0 virtual size
    8F80 virtual address (00018F80 to 0001955F)
     600 size of raw data
    8F80 file pointer to raw data (00008F80 to 0000957F)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

SECTION HEADER #5
    INIT name
     6B8 virtual size
    9580 virtual address (00019580 to 00019C37)
     700 size of raw data
    9580 file pointer to raw data (00009580 to 00009C7F)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
E2000020 flags
         Code
         Discardable
         Execute Read Write

SECTION HEADER #6
   .rsrc name
     D50 virtual size
    9C80 virtual address (00019C80 to 0001A9CF)
     D80 size of raw data
    9C80 file pointer to raw data (00009C80 to 0000A9FF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
42000040 flags
         Initialized Data
         Discardable
         Read Only

SECTION HEADER #7
  .reloc name
     512 virtual size
    AA00 virtual address (0001AA00 to 0001AF11)
     580 size of raw data
    AA00 file pointer to raw data (0000AA00 to 0000AF7F)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
42000040 flags
         Initialized Data
         Discardable
         Read Only

  Summary

         180 .data
         200 .rdata
         580 .reloc
         D80 .rsrc
        8780 .text
         700 INIT
         600 PAGE


Code:
C:\>dumpbin /imports WNAS.sys
Microsoft (R) COFF/PE Dumper Version 7.10.6030
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file WNAS.sys

File Type: EXECUTABLE IMAGE

  Section contains the following imports:

    NTOSKRNL.EXE
                 18C14 Import Address Table
                 1971C Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                   80 IoReleaseRemoveLockEx
                   43 IoAcquireRemoveLockEx
                   B0 KeInitializeEvent
                   B2 KeInitializeSemaphore
                   73 IoInitializeRemoveLockEx
                   4B IoAttachDeviceToDeviceStack
                   7B IoRegisterDeviceInterface
                   5D IoDeleteDevice
                   56 IoCreateSymbolicLink
                   53 IoCreateDevice
                  139 RtlInitUnicodeString
                   7F IoReleaseRemoveLockAndWaitEx
                   A0 IofCallDriver
                  101 PoCallDriver
                  108 PoStartNextPowerIrp
                   CF KeSetEvent
                   3D InterlockedDecrement
                   D6 KeWaitForSingleObject
                   5E IoDeleteSymbolicLink
                  134 RtlFreeUnicodeString
                   5F IoDetachDevice
                   FF ObfDereferenceObject
                   C5 KeReleaseSemaphore
                  142 RtlQueryRegistryValues
                  154 RtlWriteRegistryValue
                  1A8 swprintf
                   99 IoWMIRegistrationControl
                  1B3 wcslen
                   9F IoWriteErrorLogEntry
                  1B1 wcscpy
                   46 IoAllocateErrorLogEntry
                   3F InterlockedIncrement
                   A1 IofCompleteRequest
                   C4 KeReleaseMutex
                   B1 KeInitializeMutex
                    D ExAllocatePoolWithTag
                  197 memmove
                   86 IoSetDeviceInterfaceState
                  10D PsTerminateSystemThread
                  161 ZwClose
                   FB ObReferenceObjectByHandle
                  10C PsCreateSystemThread
                   D4 KeTickCount
                   A6 KeBugCheckEx
                   15 ExFreePool

    HAL.DLL
                 18C00 Import Address Table <<<<<<<<<<<<<<<   Take note of this ! 0x10000 (Image base above) + 8c00
                 19708 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                   14 WRITE_PORT_ULONG <<<<<<<<<<<<<<<<<<<<   Take note of this !
                    E READ_PORT_ULONG
                   13 WRITE_PORT_UCHAR
                    D READ_PORT_UCHAR

    WMILIB.SYS
                 18CCC Import Address Table
                 197D4 Import Name Table
                     0 time date stamp
                     0 Index of first forwarder reference

                    0 WmiCompleteRequest
                    2 WmiSystemControl

  Summary

         180 .data
         200 .rdata
         580 .reloc
         D80 .rsrc
        8780 .text
         700 INIT
         600 PAGE


Alright...so reading and writing to the hardware is probably done via READ_PORT_ULONG and WRITE_PORT_ULONG. The key to hacking this is to set breakpoints (via WinDbg) just before we call these kernel functions and see what values we are reading/writing and to what addresses. These functions probably translate into the "in" and "out" assembly call (see the Intel Assembler Code Table) so we may need to look for these if we need to resort to assembly debugging.
Stay tuned for more...


Last edited by cakalapati on Wed Sep 17, 2008 11:35 pm, edited 6 times in total.

PostPosted: Fri Sep 12, 2008 10:14 am 
Verify your MSS box is booted with the "Windows Server 2003 for Small Business Server [Debug COM1]" menu option we added into the boot.ini file (above).

Now start one of the HP Easter Eggs that does funky things to the LEDs. This will provide visual response as to whether a hardware command actually did something (like turn on or off an LED). I set my Easter Egg configuration to cycle all the hard drive LEDs with different colors. This will allow me to see how LEDs are turned on/off and what bit patterns cause the LED to turn red, blue or purple.

With both your desktop and your MSS running, launch WinDbg from your desktop computer. Make sure your WinDbg is configured to connect via the attached serial cable (via the "File-->Kernel Debug..." configuration screen). When ready, hit "Ctrl-break" (from within WinDbg) to break into your MSS operating system. If you have a VGA connection, verify that your MSS box is not responsive to anything (not even the clock or mouse should move). The Easter Egg LEDs (that you set up in the previous paragraph) should also be frozen. Although your box appears hung, it's not. All you've done is halt the computer such that you control each and every instruction that is run. Cool!

On your desktop, you should see something like this from your WinDbg session:

Code:
Microsoft (R) Windows Debugger Version 6.8.0004.0 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\COM4
Waiting to reconnect...
Connected to Windows Server 2003 3790 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
*********************************************************************
* Symbols can not be loaded because symbol path is not initialized. *
*                                                                   *
* The Symbol Path can be set by:                                    *
*   using the _NT_SYMBOL_PATH environment variable.                 *
*   using the -y <symbol_path> argument when starting the debugger. *
*   using .sympath and .sympath+                                    *
*********************************************************************
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrnlpa.exe -
Windows Server 2003 Kernel Version 3790 (Service Pack 2) UP Free x86 compatible
Product: Server, suite: SmallBusiness TerminalServer SmallBusinessRestricted SingleUserTS <8000>
Built by: 3790.srv03_sp2_gdr.070304-2240
Kernel base = 0x80800000 PsLoadedModuleList = 0x8089ffa8
Debug session time: Fri May 30 17:04:13.562 2008 (GMT-5)
System Uptime: 0 days 0:01:13.132
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
*                                                                             *
*   You are seeing this message because you pressed either                    *
*       CTRL+C (if you run kd.exe) or,                                        *
*       CTRL+BREAK (if you run WinDBG),                                       *
*   on your debugger machine's keyboard.                                      *
*                                                                             *
*                   THIS IS NOT A BUG OR A SYSTEM CRASH                       *
*                                                                             *
* If you did not intend to break into the debugger, press the "g" key, then   *
* press the "Enter" key now.  This message might immediately reappear.  If it *
* does, press "g" and "Enter" again.                                          *
*                                                                             *
*******************************************************************************
nt!DbgBreakPointWithStatus+0x4:
8086cf14 cc              int     3
kd>



Alright...we have halted Windows Server 2003 at the kernel level. Our MSS box is a sitting brick until we resume. The string "kd>" is our console prompt. Anything after this string is a command that I typed.

So let's load our debug symbols via the ".symfix" and ".reload" command.

Code:
kd> .symfix
No downstream store given, using C:\Program Files\Debugging Tools for Windows\sym
kd> .reload
Connected to Windows Server 2003 3790 x86 compatible target, ptr64 FALSE
Loading Kernel Symbols
................................................................................................
Loading User Symbols

Loading unloaded module list
.......


Let's see what modules (drivers) are loaded on our MSS:

Code:
kd> lm
start    end        module name
80800000 80a4c000   nt         (pdb symbols)          C:\Program Files\Debugging Tools for Windows\sym\ntkrnlpa.pdb\BB346E8288E5412A8AF4763DF1E71B7C1\ntkrnlpa.pdb
80a4c000 80a78000   hal        (deferred)
b947e000 b94a9000   RDPWD      (deferred)
b9661000 b966c000   TDTCP      (deferred)
b9bd9000 b9c36000   srv        (deferred)
b9c86000 b9cd6000   HTTP       (deferred)
b9f76000 b9f87000   dump_SiSRaid2   (deferred)
b9fef000 b9ff9000   Dxapi      (deferred)
ba02f000 ba039000   dump_diskdump   (deferred)
ba09f000 ba0b0000   Fips       (deferred)
ba0b0000 ba126000   mrxsmb     (deferred)
ba126000 ba156000   rdbss      (deferred)
.. (lines omitted)...
baf40000 baf4f000   termdd     (deferred)
baf50000 baf59000   raspti     (deferred)
baf70000 baf7af80   WNAS       (deferred)<<<<<<<<<<<<<<<<<<< Cool, note to self, the driver is loaded at address 'baf70000'
baf80000 baf8b000   ptilink    (deferred)
baf90000 baf9b000   TDI        (deferred)
bf800000 bf9d0000   win32k     (deferred)
.. (lines omitted)...
f7587000 f7590000   watchdog   (deferred)
f7597000 f75a1000   mouclass   (deferred)
f75a7000 f75b2000   kbdclass   (deferred)
f75b7000 f75c0000   ndistapi   (deferred)
f75c7000 f75d6000   raspppoe   (deferred)
f76e1000 f7707000   KSecDD     (deferred)
f7707000 f770f000   kdcom      (deferred)
f770f000 f7717000   BOOTVID    (deferred)
f7717000 f771e000   pciide     (deferred)
f771f000 f7726000   dmload     (deferred)
f77df000 f77e3400   usbohci    (deferred)
f77e7000 f77edb80   usbehci    (deferred)
f77ef000 f77f7000   audstub    (deferred)
f7839000 f7858000   Mup        (deferred)
f7858000 f7897000   NDIS       (deferred)
f79eb000 f79ec280   swenum     (deferred)
f79ef000 f79f0580   USBD       (deferred)
f7a74000 f7a75000   cvintdrv   (deferred)
f7b4a000 f7bdf000   Ntfs       (deferred)


Let's get some more info on WNAS

The "lm" command displays the specified loaded modules. The output includes the status and the path of the module.
The "v" parameter causes the display to be verbose.
The "m" parameter (followed by a pattern) specifies a pattern that the module name must match.

Code:
kd> lm vm WNAS
start    end        module name
baf70000 baf7af80   WNAS       (deferred)
    Image path: \SystemRoot\system32\DRIVERS\WNAS.sys
    Image name: WNAS.sys
    Timestamp:        Wed Apr 18 01:20:12 2007 (4625B89C)
    CheckSum:         0000B659
    ImageSize:        0000AF80
    Translations:     0000.04b0 0000.04e0 0409.04b0 0409.04e0


Hmmmm...nothing too interesting here except that WNAS is loaded at address 'baf70000'. Let's try to load the symbols for WNAS and see if they are available on some Microsoft Symbol Server.

Code:
kd> .reload /f WNAS.sys
*** ERROR: Module load completed but symbols could not be loaded for WNAS.sys
kd> lm vm WNAS
start    end        module name
baf70000 baf7af80   WNAS       (no symbols)
    Loaded symbol image file: WNAS.sys
    Image path: \SystemRoot\system32\DRIVERS\WNAS.sys
    Image name: WNAS.sys
    Timestamp:        Wed Apr 18 01:20:12 2007 (4625B89C)
    CheckSum:         0000B659
    ImageSize:        0000AF80
    Translations:     0000.04b0 0000.04e0 0409.04b0 0409.04e0


Alright...no symbols for WNAS means that we are gonna have to do assembly debugging. I know that the WRITE_PORT_ULONG is being imported from 'HAL.DLL'. (FYI: If you're not a driver guru, HAL stands for 'hardware abstraction layer'). HAL.DLL is a Microsoft DLL.

From above, I know the WNAS driver is loaded at address 'baf70000' and it uses HAL.DLL to call function WRITE_PORT_ULONG. Let's take a look at the memory at 0xbaf78c00 (which is the start address of baf70000 + offset 8c00, remember 18C00 from above minus the image base equals 8c00). (see memory window screenshot below). Aha, I see that address 0xbaf78c00 is a pointer to WRITE_PORT_ULONG. Now all we have to do is see who dereferences that pointer to call into that function.

Let's use the '#' WinDbg command to search for the disassembly pattern "baf78c00". The number sign (#) command searches for the specified pattern in the disassembly code.
If you previously used the # command and you omit Address, the search begins where the previous search ended. This command works by searching the disassembled text for the specified pattern. You can use this command to find register names, constants, or any other string that appears in the disassembly output. You can repeat the command without the Address parameter to find successive occurrences of the pattern.

From above (see dumpbin command), we see our code section was loaded at offset 480, so we will start our search at baf70480 (baf70000 which is the start address of WNAS + 480 which is the offset of the code section)

Let's see if we can find some sort of a pointer being dereferenced...

Code:
kd> # "baf78c00" baf70480
WNAS+0x6f7d:
baf76f7d ff15008cf7ba    call    dword ptr [WNAS+0x8c00 (baf78c00)]


Eureka! At address 'baf76f7d', we are dereferencing a pointer to call into HAL.DLL to do a WRITE_PORT_ULONG function call. Let's set a breakpoint there!

Code:
kd> bp baf76f7d


Are there any other places in the WNAS driver that call WRITE_PORT_ULONG? Let's set breakpoints in those locations as well.

Code:
kd> # "baf78c00"
WNAS+0x6fae:
baf76fae ff15008cf7ba    call    dword ptr [WNAS+0x8c00 (baf78c00)]
kd> bp baf76fae
kd> # "baf78c00"
WNAS+0x7386:
baf77386 ff15008cf7ba    call    dword ptr [WNAS+0x8c00 (baf78c00)]
kd> bp baf77386
kd> # "baf78c00"
WNAS+0x8c00:
baf78c00 1063a5          adc     byte ptr [ebx-5Bh],ah
kd> bp baf78c00


Hey, that last one does not look like a pointer is being dereferenced. I wonder what's happening there? Ah, of course, look at the address. It's the 'baf78c00' address itself. We don't really care about this.

At this point, it looks like we have three breakpoints of interest. Let's use the "bl" command to list the breakpoints.

Code:
kd> bl
0 e baf76f7d     0001 (0001) WNAS+0x6f7d
1 e baf76fae     0001 (0001) WNAS+0x6fae
2 e baf77386     0001 (0001) WNAS+0x7386


Alright, now let's hit 'g' for go (or continue) and see if we get lucky.

Code:
kd> g


Almost instantly, I break back into WinDbg (which means that we hit one of the breakpoints we just set, inside WNAS, and we are ready to call WRITE_PORT_ULONG with some value)...

Code:
Breakpoint 2 hit
WNAS+0x7386:
baf77386 ff15008cf7ba    call    dword ptr [WNAS+0x8c00 (baf78c00)]


The "t" command executes a single instruction or source line and optionally displays the resulting values of all registers and flags. When subroutine calls or interrupts occur, each of their steps is also traced.

The "p" command executes a single instruction or source line and optionally displays the resulting values of all registers and flags. When subroutine calls or interrupts occur, they are treated as a single step.

The "r" command displays or modifies registers, floating-point registers, flags, pseudo-registers, and fixed-name aliases.

If two dollar signs ( $$ ) appear at the start of a command, then the rest of the line is treated as a comment, unless the comment is terminated by a semicolon.

Code:
kd> t
hal!WRITE_PORT_ULONG:
80a56310 8b542404        mov     edx,dword ptr [esp+4]
kd> p
hal!WRITE_PORT_ULONG+0x4:
80a56314 8b442408        mov     eax,dword ptr [esp+8]
kd> p
hal!WRITE_PORT_ULONG+0x8:
80a56318 ef              out     dx,eax         <<<<<<<<<<<<<<<< Hardware write happened here.  In this case, we wrote the value 'x0007ff7f' to port 'x00001064'
kd> p
hal!WRITE_PORT_ULONG+0x9:
80a56319 c20800          ret     8
kd> r
eax=0007ff7f ebx=00008100 ecx=0000010c edx=00001064 esi=baf78e80 edi=888f4e90
eip=80a56319 esp=b912dbd4 ebp=b912dbf0 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
hal!WRITE_PORT_ULONG+0x9:
80a56319 c20800          ret     8
kd> $$ bottom hard drive led turned from red to off


The bottom (aka fourth) hard drive LED just went from red to off. That means that when writing 'x0007ff7f' to port 'x1064', it turns off the hard drive LEDs. Cool! Let's see if we can find some others. Remember we hit "g" to go on and continue...

Code:
kd> g


Once again, almost as soon as I hit 'g' to continue, I broke back into WinDbg

Code:
Breakpoint 2 hit
WNAS+0x7386:
baf77386 ff15008cf7ba    call    dword ptr [WNAS+0x8c00 (baf78c00)]
kd> t
hal!WRITE_PORT_ULONG:
80a56310 8b542404        mov     edx,dword ptr [esp+4]
kd> p
hal!WRITE_PORT_ULONG+0x4:
80a56314 8b442408        mov     eax,dword ptr [esp+8]
kd> p
hal!WRITE_PORT_ULONG+0x8:
80a56318 ef              out     dx,eax         <<<<<<<<<<<<<<<< Hardware write happened here.  In this case, we wrote the value 'x0007ff7d' to port 'x00001064'
kd> t
hal!WRITE_PORT_ULONG+0x9:
80a56319 c20800          ret     8
kd> r
eax=0007ff7d ebx=00008103 ecx=00000101 edx=00001064 esi=baf78e80 edi=888f4e90
eip=80a56319 esp=b912dbd4 ebp=b912dbf0 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206
hal!WRITE_PORT_ULONG+0x9:
80a56319 c20800          ret     8
kd> $$ third hard drive LED turned blue


The third hard drive LED just went from off to blue. That means that when writing 'x0007ff7d' to port 'x1064', it turns on the third hard drive LED and has the rest powered off. Cool! Let's see if we can find some others. Remember we hit "g" to go on and continue... (you get the idea)

Code:
Breakpoint 19 hit
WNAS+0x7386:
baf77386 ff15008cf7ba    call    dword ptr [WNAS+0x8c00 (baf78c00)]
kd> t
hal!WRITE_PORT_ULONG:
80a56310 8b542404        mov     edx,dword ptr [esp+4]
kd> p
hal!WRITE_PORT_ULONG+0x4:
80a56314 8b442408        mov     eax,dword ptr [esp+8]
kd> p
hal!WRITE_PORT_ULONG+0x8:
80a56318 ef              out     dx,eax
kd> p
hal!WRITE_PORT_ULONG+0x9:
80a56319 c20800          ret     8
kd> $$ third LED went from blue to pink
kd> r
eax=0007fe7d ebx=00008103 ecx=00000108 edx=00001064 esi=baf78e80 edi=888f4e90
eip=80a56319 esp=b912dbd4 ebp=b912dbf0 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000206
hal!WRITE_PORT_ULONG+0x9:
80a56319 c20800          ret     8
kd> p
WNAS+0x738c:
baf7738c 33ff            xor     edi,edi
kd> g
Breakpoint 19 hit
WNAS+0x7386:
baf77386 ff15008cf7ba    call    dword ptr [WNAS+0x8c00 (baf78c00)]
kd> t
hal!WRITE_PORT_ULONG:
80a56310 8b542404        mov     edx,dword ptr [esp+4]
kd> p
hal!WRITE_PORT_ULONG+0x4:
80a56314 8b442408        mov     eax,dword ptr [esp+8]
kd> p
hal!WRITE_PORT_ULONG+0x8:
80a56318 ef              out     dx,eax
kd> p
hal!WRITE_PORT_ULONG+0x9:
80a56319 c20800          ret     8
kd> $$ third LED went from pink to red
kd> r
eax=0007fe7f ebx=00008100 ecx=00000101 edx=00001064 esi=baf78e80 edi=888f4e90
eip=80a56319 esp=b912dbd4 ebp=b912dbf0 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202


So you can see how with WinDbg, you can do assembly level programming to reverse engineer the (in this case) writes to hardware.

Interested in helping out? Build or buy a cable with serial functionality and join the fun. Report your results to this forum and help us out.


Attachments:
File comment: This is the WinDbg memory window. Notice the address that points to WRITE_PORT_ULONG.
WinDbg-WNAS-Memory-Window.PNG
File comment: We use WinDbg (a free debugging tool from Microsoft) to do driver-level debugging. It's not as pretty as Visual Studio but it is very effective none-the-less. We cannot use Visual Studio because Visual Studio cannot do driver debugging.
WinDbg-screenshot-small.PNG


Last edited by cakalapati on Wed Sep 17, 2008 11:40 pm, edited 6 times in total.
The following user would like to thank cakalapati for this post
issaqua, yakuza
PostPosted: Fri Sep 12, 2008 10:15 am
Now let's talk about prototyping...

If you've never heard about LabVIEW, it's a graphical programming language. Instead of writing code with black-and-white text, you write code with pictures and colors. What makes LabVIEW cool here is that buried deep in its palette, there are primitives that can read/write bits to raw hardware addresses. It makes prototyping and testing our findings real easy. So we are going to use LabVIEW to test various writes to the hardware to double check our results from WinDbg.

According to WinDbg, writing the value 0x7FF7F to port 0x1064 will turn all the hard drive LEDs off. Let's test this to make sure this is correct.

If you have not already downloaded LabVIEW, go ahead and download it now (571MB).
This is an evaluation copy that is good for 30 days. If the 30 day counter expires, you can either buy it or uninstall it and reinstall it to restart the 30 day counter. While waiting for the download to complete, a good LabVIEW tutorial can be found here.

Launch LabVIEW and select "Ctrl-N" (or menu item "File-->New VI") to create a new VI. Go to the block diagram (aka the code portion of the VI) by hitting "Ctrl-E" (or menu item "Window-->Show Block Diagram"). Now drop the primitive "OutPort32" and wire up some constants (that we figured out from WinDbg). To run the VI, either hit "Ctrl-R" (or menu item "Operate-->Run") or just click on the "run button" in the toolbar (see screenshot). Now verify that your MSS box did what you expected (via the WinDbg session).

Now you can see how with LabVIEW, you can test and prototype the results you got from your WinDbg session.


Attachments:
File comment: LabVIEW is a graphical programming language. Here, you can see that we are testing the results we got from WinDbg to make sure they are correct.
LabVIEW-OutPort32.PNG


Last edited by cakalapati on Fri Sep 12, 2008 11:50 am, edited 3 times in total.
The following user would like to thank cakalapati for this post
opensvr
PostPosted: Fri Sep 12, 2008 10:44 am
Interested in helping out? The best way to learn is by doing. Build or buy a cable with serial functionality and join the fun. Report your results to this forum and help us out. Feel free to ask questions.


Last edited by cakalapati on Fri Sep 12, 2008 11:06 am, edited 1 time in total.

PostPosted: Fri Sep 12, 2008 11:04 am
Reserved.


PostPosted: Fri Sep 12, 2008 9:30 pm
Gotta give you props and kudos for undertaking this venture. 8) I sincerely hope others join in to further this effort.

I can almost 100% guarantee you that HP will not release the specs or source on the driver. :(

_________________
Alex Kuretz
Remote Notification: Monitoring and alerting for your Home Server via email, Twitter, text message, RSS, push notifications, and on your Mac desktop
Have you tried our Add-Ins? If so, be sure to Rate them at WeGotServed.


PostPosted: Sat Sep 13, 2008 11:52 am
I have some success mapping the blue/red leds to the individual bits in the register.

Here is a primitive program that produces a nice light show on FreeBSD :)


Code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h> // u_int16_t and the types machine/cpufunc.h relies on
#include <machine/cpufunc.h>

#define ADDR   0x1064 // io address
#define CTL   0xffff // defaults
#define   BL1   0x0001 // first blue led
#define   BL2   0x0002 // second blue led
#define LEDOFF   0x0004 // turns off all leds
#define   BL3   0x0008 // third blue led
#define LEDOFF2   0x0010 // turns off all leds
#define   BL4   0x0020 // fourth blue led
#define LEDOFF3   0x0040 // turns off all leds
#define FLASH   0x0080 // hides/shows onboard flash disk
#define RL2   0x0100 // second red led
#define RL3   0x0200 // third red led
#define RL4   0x0400 // fourth red led
#define W4   0x0800 // led off ?
#define RL1   0x1000 // first red led
#define W6   0x2000 // led off ?
#define W7   0x4000 // led off ?
#define W8   0x8000 // led off ?

#define HDD1   1
#define HDD2   2
#define HDD3   3
#define HDD4   4

/* enclosure control register */
u_int16_t   encreg;

/* blue led toggle */
int
blt(int led)
{
   switch (led) {
      case HDD1:
         encreg = encreg ^ BL1;
         break;
      case HDD2:
         encreg = encreg ^ BL2;
         break;
      case HDD3:
         encreg = encreg ^ BL3;
         break;
      case HDD4:
         encreg = encreg ^ BL4;
         break;
   }
   outw(ADDR, encreg);
   return(0);
}

/* red led toggle */
int
rlt(int led)
{
   switch (led) {
      case HDD1:
         encreg = encreg ^ RL1;
         break;
      case HDD2:
         encreg = encreg ^ RL2;
         break;
      case HDD3:
         encreg = encreg ^ RL3;
         break;
      case HDD4:
         encreg = encreg ^ RL4;
         break;
   }
   outw(ADDR, encreg);
   return(0);
}

int
main ()
{
   int io;
   int i;

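   /* on FreeBSD, holding /dev/io open gives this process access to the I/O ports */
   io = open("/dev/io", O_RDONLY);
   if (io < 0) {
      perror("/dev/io");
      exit(1);
   }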

   encreg = CTL;
   outw(ADDR, encreg);

   while (1) {
   for (i=1; i<=4; i++) {
      blt(i);
      usleep(100000);
      rlt(i);
   }
   }

   close(io);

   return(0);
}



The following user would like to thank ndenev for this post
dlmario, GrizzlyAdams
PostPosted: Sun Sep 14, 2008 8:29 am 
Hi cakalapati,

Have you been able to see what values are written to the address when the LED brightness
is changed in the control center?

Thanks.


PostPosted: Mon Sep 15, 2008 9:03 am
@yakuza: If that is truly what HP thinks, then this is unfortunate. Since they are a company that derives revenue from hardware (not software), they have nothing to gain by being secretive on how their hardware works. On the other hand, releasing the specs would allow developers to take their product to a new level and do things that they never originally thought possible. People would buy the HP MediaSmart server not for the onboard software, but the hardware. HP does not lose a dime. They gain additional revenue.

@ndenev: You are the man! Thanks for that sample app. I have not had time to test LED brightness yet. I don't have a lot of time devoted to this, but I will see what I can pull off in the next week. Others can help too (using the instructions above).


PostPosted: Tue Sep 16, 2008 3:11 pm
cakalapati wrote:
@yakuza: If that is truly what HP thinks, then this is unfortunate. Since they are a company that derives revenue from hardware (not software), they have nothing to gain by being secretive on how their hardware works. On the other hand, releasing the specs would allow developers to take their product to a new level and do things that they never originally thought possible. People would buy the HP MediaSmart server not for the onboard software, but the hardware. HP does not lose a dime. They gain additional revenue.


While as an engineer I agree with you, the "bigger picture" is almost always much more complicated. Keep in mind that HP was the "premier" development and launch partner for WHS and is very tightly coupled with MS in development of the MSS, in fact WHS is the sole reason for the existence of the MSS. Do you think Microsoft wants Linux running on the MSS? :lol:

_________________
Alex Kuretz


PostPosted: Fri Sep 19, 2008 11:47 pm
I've updated the #defines with my findings.

Code:
#define BL1      0x0001     // first blue led                           1
#define BL2      0x0002     // second blue led                          2
#define UNKNOWN1 0x0004     // unknown                                  3
#define BL3      0x0008     // third blue led                           4
#define UNKNOWN2 0x0010     // unknown                                  5
#define BL4      0x0020     // fourth blue led                          6
#define UNKNOWN3 0x0040     // unknown                                  7
#define FLASH    0x0080     // hides (0)/shows(1) onboard flash disk    8
#define RL2      0x0100     // second red led                           9
#define RL3      0x0200     // third red led                            10
#define RL4      0x0400     // fourth red led                           11
#define UNKNOWN4 0x0800     // unknown                                  12
#define RL1      0x1000     // first red led                            13
#define PL1      (BL1 | RL1)// first purple led
#define PL2      (BL2 | RL2)// second purple led
#define PL3      (BL3 | RL3)// third purple led
#define PL4      (BL4 | RL4)// fourth purple led


Note that bits 3,5,7,12 and anything above 13, I have no clue of their purpose. I have not managed to figure out how the brightness is controlled either. None of my WRITE_PORT_ULONG breakpoints are hit when the "Pulsing System Colors" Easter egg is on.

There are some WRITE_PORT_UCHAR happening continuously on port 0x295, followed by an immediate READ_PORT_UCHAR on port 0x296. I imagine perhaps this is to get info like fan speed, but it's only a guess.


Attachments:
File comment: A LabVIEW VI that allows you to toggle the bits on port 0x1064.
LabVIEW-PortBits.PNG
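
Added example (not code from any poster in this thread): a C decoder that takes WinDbg "r" register lines like those in the first post, checks that edx holds port 0x1064, and names the bits of eax using the #defines above. It assumes the LED bits are active-low (a cleared bit lights the LED), as the 0xffff-then-XOR programs in this thread imply; decode_line and led_color are hypothetical names, and LED numbers follow the #define names, not necessarily the bay numbering used in the WinDbg post.

```c
#include <stdio.h>
#include <string.h>

#define LED_PORT 0x1064u   /* port held in edx at the OUT instruction */
#define FLASH    0x0080u   /* onboard flash disk: 0 hides, 1 shows */

/* Bit positions from the #defines above; index 0 is the "first" LED. */
static const unsigned BLUE[4] = { 0x0001, 0x0002, 0x0008, 0x0020 };
static const unsigned RED[4]  = { 0x1000, 0x0100, 0x0200, 0x0400 };

/* Assumption: LED bits are active-low, so a cleared bit means "lit". */
const char *led_color(unsigned value, int led)
{
    int blue = !(value & BLUE[led]);
    int red  = !(value & RED[led]);
    if (blue && red) return "purple";
    if (blue) return "blue";
    if (red)  return "red";
    return "off";
}

/* Decode one WinDbg "r" output line. Returns a description of the four LEDs
 * and the FLASH bit, or NULL when the line has no eax/edx pair or the port
 * in edx is not LED_PORT. The result lives in a static buffer. */
const char *decode_line(const char *line)
{
    static char out[64];
    unsigned eax, edx;
    const char *a = strstr(line, "eax=");
    const char *d = strstr(line, "edx=");

    if (!a || !d) return NULL;
    if (sscanf(a, "eax=%x", &eax) != 1 || sscanf(d, "edx=%x", &edx) != 1)
        return NULL;
    if (edx != LED_PORT) return NULL;

    snprintf(out, sizeof out, "%s %s %s %s flash=%d",
             led_color(eax, 0), led_color(eax, 1),
             led_color(eax, 2), led_color(eax, 3), (eax & FLASH) ? 1 : 0);
    return out;
}

int main(void)
{
    /* Register lines from the WinDbg session in the first post (shortened). */
    static const char *dump[] = {
        "eax=0007fe7d ebx=00008103 ecx=00000108 edx=00001064 esi=baf78e80",
        "cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000",
        "eax=0007fe7f ebx=00008100 ecx=00000101 edx=00001064 esi=baf78e80",
    };
    for (size_t i = 0; i < sizeof dump / sizeof dump[0]; i++) {
        const char *s = decode_line(dump[i]);
        printf("%s\n", s ? s : "(not a write to the LED port)");
    }
    return 0;
}
```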
PostPosted: Sun Mar 08, 2009 12:45 pm
Hi Freaks,

I have no idea of reverse engineering at all but I know a little about c so if anybody needs a status LED just follow my howto here for linux:

1.) Be sure that you have the sata_sis driver instead of ahci (yes, sata_sis is also hot-plug aware)

2.) Create a shell script for example in /root/bin/checkdrives.sh
Code:
#!/bin/bash

## Here are my 4 disk paths in sysfs
HD0="/sys/class/scsi_host/host0/device/target0:0:0/0:0:0:0"
HD1="/sys/class/scsi_host/host0/device/target0:0:1/0:0:1:0"
HD2="/sys/class/scsi_host/host1/device/target1:0:0/1:0:0:0"
HD3="/sys/class/scsi_host/host1/device/target1:0:1/1:0:1:0"


## First lets check if all drives are responding to hdparm
DRIVES_OK=1
for drive in $(ls /dev/disk/by-id/ata-*|grep -v part)
do
 /sbin/hdparm -i $drive >/dev/null 2>&1 || DRIVES_OK=0
done
if [ 0 -eq $DRIVES_OK ]
then
  # not all drives are talking with hdparm, rescan needed
  echo 0 0 0 > /sys/class/scsi_host/host0/scan
  echo 0 1 0 > /sys/class/scsi_host/host0/scan
  echo 0 0 0 > /sys/class/scsi_host/host1/scan
  echo 0 1 0 > /sys/class/scsi_host/host1/scan
fi

# set default color (faulty drive)
STATE0=red
STATE1=red
STATE2=red
STATE3=red

# check each drive using sysfs. Set LED to blue if disk is ok
if [ -f  "$HD0/state" ]
then
 cat "$HD0/state" | grep -q running && STATE0=blue
fi
if [ -f  "$HD1/state" ]
then
 cat "$HD1/state" | grep -q running && STATE1=blue
fi
if [ -f  "$HD2/state" ]
then
 cat "$HD2/state" | grep -q running && STATE2=blue
fi
if [ -f  "$HD3/state" ]
then
 cat "$HD3/state" | grep -q running && STATE3=blue
fi

# Check all RAID devices of sane disk-pairs
# In my configuration md0, md1 and md2 are running mirrored on the lower disk pair
# md3 is running on the upper disk pair
# this check sets both LEDs to purple if a mirror has a faulty disk
if [ $STATE0 = "blue" -a $STATE1 = "blue" ]
then
  MSTATE=blue
  # fill in here your md devices for the lower diskpair
  /sbin/mdadm -D /dev/md0 |grep "Failed Devices" |grep -q 0$ || MSTATE=purple
  /sbin/mdadm -D /dev/md1 |grep "Failed Devices" |grep -q 0$ || MSTATE=purple
  /sbin/mdadm -D /dev/md2 |grep "Failed Devices" |grep -q 0$ || MSTATE=purple
  STATE0=$MSTATE
  STATE1=$MSTATE
fi

if [ $STATE2 = "blue" -a $STATE3 = "blue" ]
then
  MSTATE=blue
  # fill in here your md devices for the upper diskpair
  /sbin/mdadm -D /dev/md3 |grep "Failed Devices" |grep -q 0$ || MSTATE=purple
  STATE2=$MSTATE
  STATE3=$MSTATE
fi

# Execute the binary to update LED status :)
/root/bin/e47x_setleds $STATE0 $STATE1 $STATE2 $STATE3
exit 0


3.) Make your changes in this file to your setup (maybe you have a different RAID setup or not 4 disks)

4.) Create a file (for example leds.c)
Code:
#include <stdio.h>
#include <string.h>     // strncmp
#include <unistd.h>
#include <sys/io.h>
#include <sys/types.h>  // u_int16_t
#include <stdlib.h>

#define ADDR   0x1064 // io address
#define CTL   0xffff // defaults
#define BL1      0x0001     // first blue led                           1
#define BL2      0x0002     // second blue led                          2
#define BL3      0x0008     // third blue led                           4
#define BL4      0x0020     // fourth blue led                          6
#define RL2      0x0100     // second red led                           9
#define RL3      0x0200     // third red led                            10
#define RL4      0x0400     // fourth red led                           11
#define RL1      0x1000     // first red led                            13
#define PL1      (BL1 | RL1)// first purple led
#define PL2      (BL2 | RL2)// second purple led
#define PL3      (BL3 | RL3)// third purple led
#define PL4      (BL4 | RL4)// fourth purple led

#define HDD1   1
#define HDD2   2
#define HDD3   3
#define HDD4   4

/* enclosure control register */
u_int16_t   encreg;

void pr_help()
{
   printf("e47x_setleds 0.1b by Mario Lombardo - mediaserver (at) marioli.de\n\n");
   printf("Usage: e47x_setleds <color0> <color1> <color2> <color3>\n\n");
   printf("   color can be: red, blue, purple\n");
}

int main (int argc, char **argv)
{
   encreg = CTL;
   if ( argc != 5 ) pr_help();
   else
   {
     if (strncmp((char *)argv[1], "red",3) == 0) encreg = encreg ^ RL1;
     else if (strncmp((char *)argv[1], "blue",4) == 0) encreg = encreg ^ BL1;
     else if (strncmp((char *)argv[1], "purple",6) == 0) encreg = encreg ^ PL1;

     if (strncmp((char *)argv[2], "red",3) == 0) encreg = encreg ^ RL2;
     else if (strncmp((char *)argv[2], "blue",4) == 0) encreg = encreg ^ BL2;
     else if (strncmp((char *)argv[2], "purple",6) == 0) encreg = encreg ^ PL2;

     if (strncmp((char *)argv[3], "red",3) == 0) encreg = encreg ^ RL3;
     else if (strncmp((char *)argv[3], "blue",4) == 0) encreg = encreg ^ BL3;
     else if (strncmp((char *)argv[3], "purple",6) == 0) encreg = encreg ^ PL3;

     if (strncmp((char *)argv[4], "red",3) == 0) encreg = encreg ^ RL4;
     else if (strncmp((char *)argv[4], "blue",4) == 0) encreg = encreg ^ BL4;
     else if (strncmp((char *)argv[4], "purple",6) == 0) encreg = encreg ^ PL4;

     if (ioperm(ADDR,16,1)) {perror("ioperm"); exit(1);}
     outw(encreg, ADDR);
     ioperm(ADDR,16,0);
    }
   return(0);
}


5.) compile it
Code:
cc -O2 leds.c -o /root/bin/e47x_setleds


6.) test it as root:
Code:
/root/bin/e47x_setleds


7.) add it to root's crontab (crontab -e)
Code:
*   *  *   *   *     /root/bin/checkdrives.sh # Check disks every minute


8.) Enjoy :)

Thanks a lot to everybody who investigated a lot into the reversing!

Comments are welcome.

Cheers,
Mario

PS: Everything is quick and dirty - I know but I wanted to have a result :)


The following user would like to thank dlmario for this post
cakalapati, GrizzlyAdams
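
Added example (not dlmario's code): leds.c starts from 0xffff on every run, so the value it writes always has the FLASH bit and the unknown bits set, whatever they were before. The C code below rebuilds only the eight LED bits on top of a previous register value and rejects colour names that are not an exact match; where prev comes from (a saved copy of the last write, or reading the port back) is an assumption the thread does not settle, and led_update / color_bits are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Bit positions from the #defines in this thread; index 0 is the "first" LED. */
static const unsigned BLUE[4] = { 0x0001, 0x0002, 0x0008, 0x0020 };
static const unsigned RED[4]  = { 0x1000, 0x0100, 0x0200, 0x0400 };
#define LED_MASK 0x172bu   /* OR of the eight LED bits */

/* Bits to clear (active-low: 0 = lit) for one LED, or -1 on an unknown name.
 * strcmp() is used so that only the exact words are accepted. */
static long color_bits(const char *name, int led)
{
    if (strcmp(name, "off") == 0)    return 0;
    if (strcmp(name, "blue") == 0)   return BLUE[led];
    if (strcmp(name, "red") == 0)    return RED[led];
    if (strcmp(name, "purple") == 0) return BLUE[led] | RED[led];
    return -1;
}

/* Build the next register value from prev: the LED bits are rebuilt from
 * colors, every other bit (FLASH, the unknown ones) is carried over as is.
 * Returns -1 if any colour name is invalid, so nothing gets written. */
long led_update(unsigned prev, const char *const colors[4])
{
    unsigned v = prev | LED_MASK;            /* start with all four LEDs off */
    for (int i = 0; i < 4; i++) {
        long clear = color_bits(colors[i], i);
        if (clear < 0) return -1;
        v &= ~(unsigned)clear;
    }
    return (long)v;
}

int main(int argc, char **argv)
{
    /* 0x7ff7f: the "all LEDs off" value from the LabVIEW post (FLASH bit 0). */
    unsigned prev = 0x7ff7f;
    const char *colors[4] = { "off", "purple", "off", "off" };
    for (int i = 0; i < 4 && i + 1 < argc; i++)
        colors[i] = argv[i + 1];

    long next = led_update(prev, colors);
    if (next < 0) {
        fprintf(stderr, "colour must be off, blue, red or purple\n");
        return 1;
    }
    printf("0x%05lx\n", (unsigned long)next);
    return 0;
}
```

With prev = 0x7ff7f it reproduces the 0x7fe7d and 0x7fe7f values seen in the WinDbg trace. On Linux the result can be written as in leds.c; ioperm(ADDR, 2, 1) is enough for one outw(), where leds.c asks for 16 ports.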
PostPosted: Sun May 10, 2009 9:53 pm 
Does this mean if I take your program I don't need to buy a serial cable??
I already have a VGA cable and the serial cable is now 95$ (Yikes).

All I want is at startup to turn on some drive lights and maybe stop that damn blinking light (I run Win2008). I would love for some kind of DLL I could call into with VS2008 perhaps.

Please let me know what you think about this.


PostPosted: Thu May 14, 2009 3:02 pm
Hi DoubleDown,

I don't know if I understood you right. For what reason do you need a serial cable? For debugging?

I'm not very familiar with Windows but if the WNAS.sys is working on w2k8 (have you tried it?) there are other tools for changing the lights state. I had to look to find the software - but feel free to ask if you need it.

If the WNAS.sys does not work on w2k8 you may make some changes in my src to be able to compile it on Windows. The code I posted is to build a Linux program (userspace - not a driver). Unfortunately I have no idea how to switch off the damn blinking of the health LED.

By the way - where are you living? If it is near to Germany I could create a serial/vga cable for less than 95$ (the parts for my vga cable cost about 10€). I could help you and you could help me with the debugging of dimming the LEDs and switching off the health LED and so on ;-)

Cheers,
Mario

