Igor Skochinsky edited this page Jan 4, 2018 · 2 revisions

The ME Boot ROM is the first code which executes in ME on power-on and reset. It contains the code which initializes the ME execution environment, does basic hardware initialization, parses and checks the FPT, loads and verifies the signature of the startup module (ROMP or BUP) and passes execution to it. The ROM also contains many standard functions available for use by other modules:

  • compiler helpers (register saving/restoring functions, arithmetic helpers (long multiplication/division/etc.))
  • standard libc functions (e.g. memcpy, strcpy, printf and so on)
  • ThreadX RTOS API functions
  • cryptographic library functions (RSA, SHA, AES, PRNG)
  • memory management (MMU, DMA, UMA)

These functions are exported as a jump table at a fixed address in the ROM memory area (address 0x20000000). Until ME 9.0, the page with the jump table was aliased at the beginning of each module's address space. In ME 9.x and 10.x, all modules share the same page in the ROM.

On pre-production hardware, which may contain bugs, it is possible to ask the PCH to boot from flash instead of the Boot ROM. For such hardware, Intel sometimes provides OEMs with a so-called ROM Bypass firmware containing bug fixes. It contains a partition called ROMB, and the first bytes of the ME region contain a jump instruction which jumps into ROMB, which effectively becomes a replacement for the Boot ROM. Since ROM Bypass needs to provide the same functionality as the original ROM, disassembling it gives a glimpse into the functionality of the actual ROM.
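As an added example (not code from this wiki or from Intel), the Python sketch below lists the FPT entries of an ME region dump and reports a populated ROMB partition, which is what marks a ROM Bypass image. The FPT layout it uses (`$FPT` marker at offset 0x10, a 0x20-byte header, 0x20-byte entries holding name, owner, offset and size) is an assumption not stated on this page, and the sample images are constructed.

```python
import struct

FPT_MARKER = b"$FPT"
FPT_OFFSET = 0x10   # assumed: marker follows the first 16 bytes of the ME region
HEADER_SIZE = 0x20  # assumed: header length, counted from the marker
ENTRY_SIZE = 0x20   # assumed: size of one partition entry

def parse_fpt(region):
    """Return (first 16 bytes, [(name, offset, size), ...]) for an ME region."""
    if (len(region) < FPT_OFFSET + HEADER_SIZE
            or region[FPT_OFFSET:FPT_OFFSET + 4] != FPT_MARKER):
        raise ValueError("no $FPT marker at offset 0x10")
    (count,) = struct.unpack_from("<I", region, FPT_OFFSET + 4)
    table = FPT_OFFSET + HEADER_SIZE
    if count > 64 or table + count * ENTRY_SIZE > len(region):
        raise ValueError("implausible FPT entry count: %d" % count)
    entries = []
    for i in range(count):
        name, _owner, offset, size = struct.unpack_from(
            "<4s4sII", region, table + i * ENTRY_SIZE)
        entries.append((name.rstrip(b"\x00 ").decode("ascii", "replace"),
                        offset, size))
    return region[:FPT_OFFSET], entries

def find_romb(region):
    """Return (offset, size) of a populated ROMB partition, or None."""
    _, entries = parse_fpt(region)
    for name, offset, size in entries:
        # An empty or out-of-range entry is treated as "no ROM Bypass code".
        if name == "ROMB" and size and offset and offset + size <= len(region):
            return offset, size
    return None

def build_sample(partitions, total=0x4000):
    """Constructed test image: zeroed region with an FPT header and entries."""
    img = bytearray(total)
    img[FPT_OFFSET:FPT_OFFSET + 4] = FPT_MARKER
    struct.pack_into("<I", img, FPT_OFFSET + 4, len(partitions))
    for i, (name, offset, size) in enumerate(partitions):
        struct.pack_into("<4s4sII", img, FPT_OFFSET + HEADER_SIZE + i * ENTRY_SIZE,
                         name, b"\xff" * 4, offset, size)
    return bytes(img)

if __name__ == "__main__":
    bypass = build_sample([(b"ROMB", 0x1000, 0x800), (b"FTPR", 0x2000, 0x1000)])
    normal = build_sample([(b"ROMB", 0, 0), (b"FTPR", 0x2000, 0x1000)])
    for label, image in (("bypass", bypass), ("normal", normal)):
        print(label, parse_fpt(image)[1], "ROMB:", find_romb(image))
```

A populated ROMB entry in a dump taken from production hardware is worth investigating, since the page describes ROM Bypass as intended for pre-production parts.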

The available ROM API (RAPI) functions and the jump table layout change between ME generations; however, the API groups remain pretty similar and keep the same order. For details per version, see the ROM API page.
