The Care and Feeding of the Sage SmartProbe.

Note: Please read the FAQ!!!

If you cured your Sage SmartProbe of its congenital disease as per the last article on the subject, you may now be wondering what to do with it.

The vendor supplied a massive Java shitware with the thing, which does not merit any discussion whatsoever. Instead, we will use the probe's very spiffy GDB-compatible interface. Configure your GDB as follows:

gdbinit.txt:

### log all instructions
### (name the file before enabling logging, or the output goes to the default gdb.txt)
set logging file gdb_out.txt
set logging on
 
### only if you want to see the raw gdb packets...
#set debug remote 1
 
### if you're debugging the BIOS
set architecture i386
 
### if you are debugging a warmed-up OS
# set architecture i386:x86-64
 
### where the probe is:
target remote /dev/ttyACM0
 
### or, if it is connected to your LAN,
### let's say at 192.168.1.111,
# target remote 192.168.1.111:2159
 
# Show instructions on single-step
set disassemble-next-line on
 
# Disable evil, heretical GAS syntax
#set disassembly-flavor intel
 
### if you want the ncurses gui in gdb
# layout asm

So, for instance, let's connect to a freshly-booted AMD G-series box spinning in Coreboot's boot selector menu:

$ gdb --command=gdbinit.txt
GNU gdb (Gentoo 7.8.1 vanilla) 7.8.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
.
Find the GDB manual and other documentation resources online at:
.
For help, type "help".
Type "apropos word" to search for commands related to "word".
The target architecture is assumed to be i386
(gdb) si
0x001015ae in ?? ()
=> 0x001015ae:  c3      ret
(gdb)
0x001035a9 in ?? ()
=> 0x001035a9:  29 f0   sub    %esi,%eax
(gdb)
0x001035ab in ?? ()
=> 0x001035ab:  19 fa   sbb    %edi,%edx
(gdb)
0x001035ad in ?? ()
=> 0x001035ad:  39 ea   cmp    %ebp,%edx
(gdb)
0x001035af in ?? ()
=> 0x001035af:  72 f3   jb     0x1035a4
(gdb)
0x001035b1 in ?? ()
=> 0x001035b1:  77 04   ja     0x1035b7
(gdb)
0x001035b3 in ?? ()
=> 0x001035b3:  39 d8   cmp    %ebx,%eax
(gdb)
0x001035b5 in ?? ()
=> 0x001035b5:  72 ed   jb     0x1035a4
(gdb)
0x001035b7 in ?? ()
=> 0x001035b7:  83 c4 0c        add    $0xc,%esp
(gdb)
0x001035ba in ?? ()
=> 0x001035ba:  5b      pop    %ebx
(gdb) c
Continuing.
^C
Program received signal SIGTRAP, Trace/breakpoint trap.
0x001035b5 in ?? ()
=> 0x001035b5:  72 ed   jb     0x1035a4
(gdb) q
A debugging session is active.
 
        Inferior 1 [Remote target] will be killed.
 
Quit anyway? (y or n) y
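
An added example (not from the original post or the vendor): a short Python script that post-processes the single-step output above, using the instruction bytes GDB prints to compute each fall-through address and pick out taken control transfers and backward jumps. The function names are this example's own; the sample lines are copied from the session, with "Continuing." treated as a gap in the trace.

```python
import re

# "=>" lines copied from the session above; "Continuing." marks where `c` was issued.
SESSION = """\
=> 0x001015ae:  c3      ret
=> 0x001035a9:  29 f0   sub    %esi,%eax
=> 0x001035ab:  19 fa   sbb    %edi,%edx
=> 0x001035ad:  39 ea   cmp    %ebp,%edx
=> 0x001035af:  72 f3   jb     0x1035a4
=> 0x001035b1:  77 04   ja     0x1035b7
=> 0x001035b3:  39 d8   cmp    %ebx,%eax
=> 0x001035b5:  72 ed   jb     0x1035a4
=> 0x001035b7:  83 c4 0c        add    $0xc,%esp
=> 0x001035ba:  5b      pop    %ebx
Continuing.
=> 0x001035b5:  72 ed   jb     0x1035a4
"""

INSN = re.compile(r"=>\s+0x([0-9a-f]+)(?:\s+<[^>]*>)?:\s+((?:[0-9a-f]{2}\s+)+)(\S+)\s*(.*)")

def parse_trace(text):
    """Return [(addr, length, mnemonic, operands)]; None marks a gap left by `c`."""
    trace = []
    for line in text.splitlines():
        m = INSN.search(line)
        if m:  # instruction length is the number of raw bytes GDB printed
            trace.append((int(m[1], 16), len(m[2].split()), m[3], m[4].strip()))
        elif "Continuing." in line:
            trace.append(None)
    return trace

def control_transfers(trace):
    """(from, to) pairs where the next stepped address is not the fall-through."""
    return [(a[0], b[0]) for a, b in zip(trace, trace[1:])
            if a and b and b[0] != a[0] + a[1]]

def back_edges(trace):
    """Sorted (jump address, target) for direct jumps aimed at or below themselves."""
    edges = set()
    for addr, _, mnem, ops in filter(None, trace):
        t = re.fullmatch(r"0x([0-9a-f]+)", ops)
        if mnem.startswith("j") and t and int(t[1], 16) <= addr:
            edges.add((addr, int(t[1], 16)))
    return sorted(edges)

if __name__ == "__main__":
    t = parse_trace(SESSION)
    print([(hex(s), hex(d)) for s, d in control_transfers(t)])
    print([(hex(s), hex(d)) for s, d in back_edges(t)])
```

On these lines the only taken transfer is the ret, and both jb instructions point back to 0x1035a4; the same functions accept the contents of gdb_out.txt.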

I will add that the probe also works great with IDA Pro's GDB interface. Or whatever other, similar front-end you might fancy.

But! In order to make proper use of the probe, you will need the vendor-specific command set for manipulating the DC power, PCI bus, JTAG chain, and so forth. These were at one point published on the vendor's site, which has vanished without a trace. I have made a cleaned-up HTML version:

Sage Smartprobe GDB Command Manual.

Note that I have discovered certain undocumented commands. These will be the subject of a later article!

This entry was written by Stanislav, posted on Saturday October 01 2016, filed under Cold Air, Computation, Copyrasty, Hardware, NonLoper, Reversing, ShouldersGiants, SoftwareArchaeology, SoftwareSucks.

4 Responses to “The Care and Feeding of the Sage SmartProbe.”

  • afriend says:

    Another thing that could be done is discover the jtag debugging protocol of the amd processor 🙂

    There is also the website http://www.hardice.org, but it's mostly dead

  • Brendan says:

    Hello! I know this is a bit mercenary of me, but I came across one of these SmartProbes at Goodwill, and I'm wondering if they're worth any money! I'm not sure if it's been cured but it does at least power up.

    Any help or information is appreciated, thanks!

    • Stanislav says:

      Dear Brendan,

      Quite certainly worth something -- no new ones are being made, and the cheapest analogous device is the very inferior (needs thousands of $ worth of closed shitware to work) Arium.

      Yours,
      -S

      • Brendan says:

        Hey! Thanks for the reply. I'll toss it up on eBay and maybe some lucky seeker will find it. It's a bit beyond my abilities as I'm more of a "get Arduino to talk to another Arduino and maybe make it blink" guy.

        Anyhow, thanks for your reply!
