The Care and Feeding of the Sage SmartProbe.
Note: Please read the FAQ!!!
If you cured your Sage SmartProbe of its congenital disease as per the last article on the subject, you may now be wondering what to do with it.
The vendor supplied a massive Java shitware with the thing, which does not merit any discussion whatsoever. Instead, we will use the probe's very spiffy GDB-compatible interface. Configure your GDB as follows:
```
### log all instructions
### (name the log file first; GDB opens it when logging is switched on)
set logging file gdb_out.txt
set logging on

### only if you want to see the raw gdb packets...
#set debug remote 1

### if you're debugging the BIOS
set architecture i386

### if you are debugging a warmed-up OS
# set architecture i386:x86-64

### where the probe is:
target remote /dev/ttyACM0

### or, if it is connected to your LAN,
### let's say at 192.168.1.111,
# target remote 192.168.1.111:2159

# Show instructions on single-step
set disassemble-next-line on

# Disable evil, heretical GAS syntax
#set disassembly-flavor intel

### if you want the ncurses gui in gdb
# layout asm
```
So, for instance, let's connect to a freshly-booted AMD G-series box spinning in Coreboot's boot selector menu,
```
$ gdb --command=gdbinit.txt
GNU gdb (Gentoo 7.8.1 vanilla) 7.8.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
.
Find the GDB manual and other documentation resources online at:
.
For help, type "help".
Type "apropos word" to search for commands related to "word".
The target architecture is assumed to be i386
(gdb) si
0x001015ae in ?? ()
=> 0x001015ae: c3 ret
(gdb)
0x001035a9 in ?? ()
=> 0x001035a9: 29 f0 sub %esi,%eax
(gdb)
0x001035ab in ?? ()
=> 0x001035ab: 19 fa sbb %edi,%edx
(gdb)
0x001035ad in ?? ()
=> 0x001035ad: 39 ea cmp %ebp,%edx
(gdb)
0x001035af in ?? ()
=> 0x001035af: 72 f3 jb 0x1035a4
(gdb)
0x001035b1 in ?? ()
=> 0x001035b1: 77 04 ja 0x1035b7
(gdb)
0x001035b3 in ?? ()
=> 0x001035b3: 39 d8 cmp %ebx,%eax
(gdb)
0x001035b5 in ?? ()
=> 0x001035b5: 72 ed jb 0x1035a4
(gdb)
0x001035b7 in ?? ()
=> 0x001035b7: 83 c4 0c add $0xc,%esp
(gdb)
0x001035ba in ?? ()
=> 0x001035ba: 5b pop %ebx
(gdb) c
Continuing.
^C
Program received signal SIGTRAP, Trace/breakpoint trap.
0x001035b5 in ?? ()
=> 0x001035b5: 72 ed jb 0x1035a4
(gdb) q
A debugging session is active.

	Inferior 1 [Remote target] will be killed.

Quit anyway? (y or n) y
```
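Since the configuration above logs every step to gdb_out.txt, the log can be turned into an instruction trace afterwards. The following Python is an added example, not part of the original article: it parses the `=>` lines printed by `set disassemble-next-line on` and reports backward branches, which is how the wait loop around 0x1035a4 shows up in the session above. The function names are my own, and the log format is assumed to match the session output shown here.

```python
import re
from collections import Counter

# A "=> addr: bytes disassembly" line, as printed by `set disassemble-next-line on`.
# The optional <...> part covers targets where GDB has symbols (assumption).
STEP_RE = re.compile(
    r"=>\s+0x([0-9a-fA-F]+)(?:\s+<[^>]*>)?:\s+((?:[0-9a-fA-F]{2}\s+)+)(\S.*)$")
# A direct branch with an absolute hex target, e.g. "jb 0x1035a4".
BRANCH_RE = re.compile(r"^(?:j\w+|call|loop\w*)\s+0x([0-9a-fA-F]+)")

def parse_trace(log_text):
    """Return [(address, raw_bytes, disassembly)], one entry per stop in the log."""
    trace = []
    for line in log_text.splitlines():
        m = STEP_RE.search(line)
        if m:
            raw = bytes.fromhex("".join(m.group(2).split()))
            trace.append((int(m.group(1), 16), raw, " ".join(m.group(3).split())))
    return trace

def backward_branches(trace):
    """Map branch address -> target for direct branches to a lower address (loops)."""
    loops = {}
    for addr, _raw, text in trace:
        m = BRANCH_RE.match(text)
        if m and int(m.group(1), 16) < addr:
            loops[addr] = int(m.group(1), 16)
    return loops

def visit_counts(trace):
    """Count how many times the target was stopped at each address."""
    return Counter(addr for addr, _raw, _text in trace)

# Sample input: lines copied from the session shown in this article.
SAMPLE_LOG = """\
0x001015ae in ?? ()
=> 0x001015ae: c3 ret
0x001035a9 in ?? ()
=> 0x001035a9: 29 f0 sub %esi,%eax
=> 0x001035ab: 19 fa sbb %edi,%edx
=> 0x001035ad: 39 ea cmp %ebp,%edx
=> 0x001035af: 72 f3 jb 0x1035a4
=> 0x001035b1: 77 04 ja 0x1035b7
=> 0x001035b3: 39 d8 cmp %ebx,%eax
=> 0x001035b5: 72 ed jb 0x1035a4
=> 0x001035b7: 83 c4 0c add $0xc,%esp
=> 0x001035ba: 5b pop %ebx
Program received signal SIGTRAP, Trace/breakpoint trap.
=> 0x001035b5: 72 ed jb 0x1035a4
"""

if __name__ == "__main__":
    trace = parse_trace(SAMPLE_LOG)
    for addr, target in sorted(backward_branches(trace).items()):
        print(f"loop edge {addr:#x} -> {target:#x}, seen {visit_counts(trace)[addr]}x")
```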
I will add that the probe also works great with IDA Pro's GDB interface. Or whatever other, similar front-end you might fancy.
But! In order to make proper use of the probe, you will need the vendor-specific command set for manipulating the DC power, PCI bus, JTAG chain, and so forth. These were at one point published on the vendor's site, which has vanished without a trace. I have made a cleaned-up HTML version:
Sage Smartprobe GDB Command Manual.
Note that I have discovered certain undocumented commands. These will be the subject of a later article!
Another thing that could be done is discover the JTAG debugging protocol of the AMD processor 🙂
There is also the website http://www.hardice.org, but it's mostly dead.
Hello! I know this is a bit mercenary of me, but I came across one of these SmartProbes at Goodwill, and I'm wondering if they're worth any money! I'm not sure if it's been cured but it does at least power up.
Any help or information is appreciated, thanks!
Dear Brendan,
Quite certainly worth something -- no new ones are being made, and the cheapest analogous device is the very inferior (needs thousands of $ worth of closed shitware to work) Arium.
Yours,
-S
Hey! Thanks for the reply. I'll toss it up on eBay and maybe some lucky seeker will find it. It's a bit beyond my abilities as I'm more of a "get Arduino to talk to another Arduino and maybe make it blink" guy.
Anyhow, thanks for your reply!