Adventures of reverse engineering the WYSE Sx0 – S50
A few months ago I bought this WYSE thin client, model Sx0 - S50. I wanted to make a retro game machine from it, but I soon realized that I couldn't make it boot from the DOM with MS-DOS 6.22.
This was interesting because the system was able to boot MS-DOS 6.22 from a USB memory stick. So I started to investigate the cause.
On the first hardware inspection I found a small memory chip on the back of the PCB, an 8-pin SOIC EEPROM “93C46A” that is no bigger than 128 bytes. I dumped the content of this chip using the CH341A (modded to read 93C chips) and all I found was the serial number of the machine: 6IFDGB03427. You can find the contents of this chip in here.
Then I started to read more, searched all over the internet for documents that might help me understand this machine, and found some that I've put in here. There you can find documents about the CPU, about the CS5536 Companion, which is actually a Platform Controller Hub, and about the BIOS.
Long story short, the whole system is controlled by this CS5536: when you power up the machine, this PCH connects the LPC bus directly to the internal physical address bus of the CPU core. The BIOS chip (SST49LF020A - LPC Flash) that is connected to the LPC bus responds to addresses from FFFC:0000 to FFFF:FFFF. In this way, when the PCH releases the RESET signal line, the CPU will execute its first code from FFFF:FFF0 like all x86 CPUs do.
From now on I had to continue by reversing the actual BIOS boot block (physical memory from FFFF:0000 to FFFF:FFFF): 65,536 bytes of pure 16-bit code.
The Programmer:
Parallel flash programmer
It is a very slow programmer but it does the job. The Arduino PCB is patched to work only at 3.3 V to be compatible with this flash memory chip.
In this way I dumped the entire BIOS flash chip. You can find this file here. This is the original BIOS found on this WYSE Sx0 – S50 machine.
There is this Flash ROM Device Update Utility, "FLASHROM.COM", that might work for BIOS dumping, but I don't trust it because the SST49LF020A chip is not listed in the supported chips list for FLASHROM.
The BIOS boot block:
After this was done, I opened the dump with a hex editor and looked around for some obvious things. The BIOS boot block started with the ASCII tag “$XPR” at offset 30000h in the file and ended at 3FFFFh.
Looking around in the BIOS dump file I also found other blobs of code that had one of these tags: “$IMG”, “$BMP” and “$PAL”. These are different option ROMs that have been archived and added there. Later I found an important piece of information: these ROMs were compressed with an algorithm made by some “Jeremy Collake”.
JCALG1 Compression Library - Copyright (C) 1999,2000 Jeremy Collake..http://www.collakesoftware.com
The website doesn't exist anymore, but I found a fork of his work on some website (can't remember now). You can find the source code and the Windows executable in here. “jcalg1_test.exe” is a Windows console tool that can be used to expand and compress these ROMs.
All these ROMs have a 32-byte header composed of:
ASCII tag: $IMG
Archive type: 04h
RAM address to be expanded to: 0006:0000
Image size before compression: 00024E49
Image size after compression: 0001348A
(this is not exact data, some computations are made to determine the size of the archive + size of the header)
Checksum of compressed file: CF7C8E00
(this checksum is not used by any code)
Unused bytes: FF FF FF FF FF FF FF FF FF FF FF
You can find all of these ROMs in compressed form without headers in here and in expanded form with IDA disassembly files in here.
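A sketch of locating these headers in a dump, added here as an example and not taken from the original post or the BIOS code. The field widths are inferred from the values listed above (they sum to 32 bytes); little-endian byte order, the 0xFF filler check and the names parse_header, scan and SAMPLE are assumptions to verify against a real dump.

```python
import struct

# ROM tags named in the post; "$XPR" marks the boot block and is not parsed here.
ROM_TAGS = (b"$IMG", b"$BMP", b"$PAL")
# Assumed layout (widths taken from the values shown in the post, 32 bytes total):
# tag(4) type(1) load address(4) size before(4) size after(4) checksum(4) unused(11)
# Assumed byte order: little-endian. Verify both against a real dump.
HEADER = struct.Struct("<4sBIII4s11s")

def parse_header(buf, off):
    """Decode the 32-byte header at off, or return None if it is not plausible."""
    if off + HEADER.size > len(buf):
        return None
    tag, kind, addr, before, after, csum, unused = HEADER.unpack_from(buf, off)
    # A tag string may also occur in code that searches for it, so require
    # the 0xFF filler seen in the post's example before accepting a match.
    if tag not in ROM_TAGS or unused != b"\xff" * 11:
        return None
    return {
        "offset": off,
        "tag": tag.decode("ascii"),
        "type": kind,
        "load_addr": f"{addr >> 16:04X}:{addr & 0xFFFF:04X}",
        "size_before": before,
        "size_after": after,             # not exact, per the post
        "checksum": csum.hex().upper(),  # raw bytes as stored
    }

def scan(buf):
    """Return every plausible ROM header in the dump, ordered by offset."""
    hits = []
    for tag in ROM_TAGS:
        pos = buf.find(tag)
        while pos != -1:
            hdr = parse_header(buf, pos)
            if hdr:
                hits.append(hdr)
            pos = buf.find(tag, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])

# Constructed sample: one header built from the post's example values at
# offset 0x40, followed by a stray "$IMG" string that must be rejected.
SAMPLE = (b"\x00" * 0x40
          + HEADER.pack(b"$IMG", 0x04, 0x00060000, 0x24E49, 0x1348A,
                        bytes.fromhex("CF7C8E00"), b"\xff" * 11)
          + b"\x90" * 16 + b"$IMG" + b"\x00" * 40)

if __name__ == "__main__":
    for h in scan(SAMPLE):
        print(h)
```

To run it on a real dump, read the file as bytes and pass it to scan() in place of SAMPLE.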
This WYSE thin client reverse will be continued in the next posts.