
Reverse engineering the SMU (iMac G5, newer single-pro G5)



Hi all,

I don't know if this is the right place to ask this question, but I
don't know of any others, so here it goes:

One of the last critical things missing on my G5 to run Debian is fan
control. To see if I could help understand how it works under Darwin, I
tried to have a look at the corresponding libraries (the whole thing is
called SMU, System Management Unit, a replacement for the older PMU
system).

With 'otool' (disassembling), some ad-hoc awk scripts, and dot (graph
layout), I now get this kind of call graph:

http://ftaiani.ouvaton.org/ressources/SMU_Neo2_PlatformPlugin-exemple.ps

In this graph A->B means the code for A contains a 'jbsr B,0xfoo'
instruction (jump pseudo instruction). I've interpreted it as being a
call from A to B. My knowledge of PPC assembly is pretty limited, so
this might be wrong.

There are far more branching instructions that don't use jbsr, but I
don't know how to interpret them. For instance:

---
lwz     r2,__ZN23SMU_Neo2_PlatformPluginC2EPK11OSMetaClass(r3)
lwz     r12,0x368(r2)
mtspr   ctr,r12
bctrl
---

Looks like a jump to __ZN23SMU_Neo2_PlatformPluginC2EPK11OSMetaClass (is
this right?).

The above graph is an extract of the whole picture (I've used a small
graph manipulation tool). Showing all symbols just yields a big crammed
graph.

My problem is that I can't make much sense of it. I also wonder whether
it can actually be of any use to understand the SMU (I know Ben
Herrenschmidt is working on it). In particular, I suspect that some
symbol entangling is at work:

__ZN23SMU_Neo2_CPUFanCtrlLoop13acquireSampleEv
 
looks like the method 'acquireSampleEv' of some object
'__ZN23SMU_Neo2_CPUFanCtrlLoop'. Maybe '__ZN23SMU_Neo2_' is also some
kind of name space.

Would someone more knowledgeable than me in the Mach-O object format know
how to interpret such symbol names? Also, would someone know how to
extract more information from the assembly code than only the jbsr
jumps?

Many thanks for your help!

Francois
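
Added example, not part of the original post: a small Python decoder for the symbol names quoted above, assuming they follow the Itanium C++ ABI name mangling used by GCC, with Mach-O prepending one extra underscore. It handles only nested names (_ZN...E) with builtin, class, pointer, reference and const parameter types; templates and substitutions are rejected, and all function names here are illustrative.

```python
import re

# Subset of Itanium C++ ABI builtin type codes.
BUILTIN = {"v": "void", "b": "bool", "c": "char", "h": "unsigned char",
           "s": "short", "t": "unsigned short", "i": "int",
           "j": "unsigned int", "l": "long", "m": "unsigned long",
           "x": "long long", "y": "unsigned long long",
           "f": "float", "d": "double"}
CTOR_DTOR = {"C1", "C2", "C3", "D0", "D1", "D2"}  # constructor/destructor variants
WRAP = {"P": "*", "R": "&", "K": " const"}        # pointer, reference, const


def _source_name(s, i):
    """Read one <decimal length><identifier> component starting at s[i]."""
    m = re.match(r"\d+", s[i:])
    if not m:
        raise ValueError(f"unsupported encoding at {s[i:]!r}")
    start, n = i + m.end(), int(m.group())
    if start + n > len(s):
        raise ValueError("length prefix runs past end of symbol")
    return s[start:start + n], start + n


def _type(s, i):
    """Read one parameter type starting at s[i]."""
    c = s[i:i + 1]
    if c in WRAP:                      # qualifier wraps the type that follows
        inner, i = _type(s, i + 1)
        return inner + WRAP[c], i
    if c in BUILTIN:
        return BUILTIN[c], i + 1
    return _source_name(s, i)          # class type, e.g. 11OSMetaClass


def demangle(sym):
    s = sym.lstrip("_")                # drop Mach-O and ABI leading underscores
    if not s.startswith("ZN"):
        raise ValueError("only nested names (_ZN...E) are handled")
    i, parts = 2, []
    while s[i:i + 1] != "E":           # components up to the closing E
        if s[i:i + 2] in CTOR_DTOR and parts:
            parts.append(("~" if s[i] == "D" else "") + parts[-1])
            i += 2
        else:
            name, i = _source_name(s, i)
            parts.append(name)
    i, params = i + 1, []
    while i < len(s):                  # everything after E is the parameter list
        t, i = _type(s, i)
        params.append(t)
    if params == ["void"]:             # a lone 'v' means no parameters
        params = []
    return "::".join(parts) + "(" + ", ".join(params) + ")"
```

Where binutils is installed, `c++filt` decodes the same names once the extra Mach-O underscore is removed.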


