Hacking BIOS and NVRAM
This project came about as a way to enable the CPU's hardware virtualisation (VT) support which is disabled and locked by the Sony/Phoenix BIOS. VT is very useful for running guest operating systems in virtual machines at close to full speed with host CPU support.
This article is a concatenation of my posts to Wims BIOS forums where I originally discussed and reported my progress.
It required about 3 weeks reverse-engineering to figure out the simple steps to actually make the change to enable VT. This is the way it is done:
- Identify the correct Token number for the BIOS version in your system (search online for "symcmos <BIOS-version>" e.g. "symcmos R0200J3"). For mine the Token number is 0195
- Obtain the Phoenix 'symcmos.exe' DOS program and put it on bootable DOS media (floppy, USB, or CD - depending on what the target system will boot from)
- Boot the Sony laptop into the DOS environment
- Save the current Non-Volatile RAM variables using the "-l" (list) option
symcmos -v2 -lnvram.txt
- Move the bootable media to a PC with a text-editor available
- Make a copy of the file which you will modify
cp nvram.txt vtenable.txt
- Edit the file "vtenable.txt". Locate the line containing the Token number (the R0200J3 token is 0195). Currently the value alongside it is expected to be 0000.
(0195) [0000]
- Change that to 0001.
(0195) [0001]
- Save the file.
- Return the bootable media to the Sony laptop
- Load the modified setting into the PC's NV-RAM using the "-u" (upload) option
symcmos -v2 -uvtenable.txt
- Remove the media and do a cold reboot of the system
- Check that KVM is enabled. e.g.
sudo apt-get install qemu-system-x86
kvm-ok
INFO: /dev/kvm exists
KVM acceleration can be used
Do you have any code to write/read the BIOS NVRAM ?
I'm working on a hack for the Phoenix BIOS on a Sony Vaio VGN-FE41Z laptop to enable the VMX capabilities of the Intel Core 2 Duo T7200 CPU. The Sony BIOS doesn't enable VMX, and locks MSR 0x3A so it can't be enabled by the operating system later.
I've traced the BIOS and got the bit of code that sets the bits in MSR 0x3A. In that code (in module BIOSCOD6) it conditionally jumps over the instruction that sets the VMX bit (bit-2) based on the result of a far call to a standard location.
To prove it works I've created a custom BIOS with the conditional jump opcode replaced by two NOPs so that the BIOS sets the VMX bit.
Here's the unmodified code:
A866 mov ecx,0x3a ; MSR 0x3A
A86C rdmsr ; read
A86E bt eax,0x0 ; don't try to change it if it is already locked
A873 jc 0xa88d ; skip MSR 0x3A logic
A875 push ax
A876 mov ax,0x195 ; NVRAM setting to check
A879 call 0xf000:0x4120 ; check NVRAM stored setting
A87E pop ax
A87F jz 0xa886 ; If VMX disabled, skip ** replace with 2 NOPs (0x90) **
A881 bts eax,0x2 ; Enable VMX
A886 bts eax,0x0 ; Lock MSR 0x3A
A88B wrmsr ; write
Unfortunately that location (0xF000:4120 aka 0xF4120) is in a part of the BIOS memory range that is paged in and out as various BIOS modules are needed and so far I've been unable to identify the jump target in the unpacked BIOS modules.
From analysing the complete BIOS this far-call looks like a call to a library function (there are many calls to it with differing values of AX) that reads a value from the system settings stored in the EISA NVRAM (also used by the ESCD extension), with AX set to indicate the flag/value to read.
This isn't the 128 bytes of CMOS battery-backed RAM used by the RTC, but the 8KB of NVRAM that is mapped to 0xFFF80000.
=BCPNVS PnP NVRAM Storage=
NVRAM Total Size: 0x2000
NVRAM Max. Config Space: 0x1FFF
NVRAM Base Address: 0xFFF80000
ESCD Total Size: 0x2000
ESCD Segment Address: 0x8000
NVRAM Leading Control Area: 0x00000000
NVRAM Leading Data Area: 0x0000
When I can find this code I should be able to work out which bit/byte in NVRAM is used to control VMX, and then write a program to set this value from within a running operating system (my main target is Linux) so that on subsequent reboots the BIOS automatically enables VMX.
I found it pretty easily in BIOSCOD6.rom in the Vaio BIOS.
I use
$ ndisasm -a -p intel -b 16 input.bin > output.dasm
The code looks like this:
0000A855  0FA2          cpuid
0000A857  25FF0F        and ax,0xfff
0000A85A  3DE106        cmp ax,0x6e1
0000A85D  722E          jc 0xa88d
0000A85F  660FBAE105    bt ecx,0x5
0000A864  7327          jnc 0xa88d
0000A866  66B93A000000  mov ecx,0x3a ; MSR VMX control
0000A86C  0F32          rdmsr
0000A86E  660FBAE000    bt eax,0x0
0000A873  7218          jc 0xa88d
0000A875  50            push ax
0000A876  B89501        mov ax,0x0195
0000A879  9A204100F0    call 0xf000:0x4120
0000A87E  58            pop ax
0000A87F  7405          jz 0xa886 ; ZF set == VMX disabled
0000A881  660FBAE802    bts eax,0x2 ; Enable VMX
0000A886  660FBAE800    bts eax,0x0 ; Lock MSR until power cycle
0000A88B  0F30          wrmsr
By tracking the far call 0xF000:4120 I was able to discover the VMX flag is CMOS NVRAM byte 0x11, bit 6. bit 6 set is VMX enabled.
Accessing it with Linux is easy; load the nvram module and open /dev/nvram as a file. The thing to remember is that CMOS checksums need updating.
That is where I'm stuck presently. Although I update the CMOS checksum in registers 0x2E-0x2F it seems there's another checksum or a CRC that also needs updating because the BIOS resets the CMOS settings on restart, but I've not been able to locate it or find it documented.
I wrote a trivial program to set the VMX bit and update the checksum. If I can find the remaining protection we'll have workable almost-generic control without needing to hack the BIOS itself.
What is great is that I don't need to write a kernel module - simply load the NVRAM module and access it through /dev/nvram:
$ sudo su
$ modprobe nvram
$ hexdump -C /dev/nvram
$ vmx-enable -e
VMX-enable version 0.1 © 2007 TJ http://intuitivenipple.net
Licensed on the terms of GPL version 3
Enables VMX (for supported BIOS's only).
Enabling VMX
114 bytes read
CMOS VMX flag: 0 (disabled)
CMOS Checksum (calculated): 0x06C6
CMOS Checksum (stored): 0x06C6
**Simulation only**
Doing VMX enable with mask 0x40
Byte 3 (before updating flag): 0x87
Change mask 0x40
Byte 3 ( after updating flag): 0xC7
CMOS VMX flag: 1 (enabled)
Checksum (calculated): 0x0706
Finished
I used the nvram source code as a guide. Writing to the device does indeed call nvram_set_checksum() but I wanted to make sure of things in developing the utility - not least ensuring I could calculate the same value as the BIOS does.
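The standard CMOS checksum update described above, as an added Python example (it is not the author's vmx-enable utility). It works on a constructed 114-byte buffer standing in for /dev/nvram; the checksum range and storage offsets follow the Linux nvram driver's PC layout, and the flag position (CMOS byte 0x11, bit 6) is the one reported on this page. It covers only this checksum, not the additional check that made the BIOS reset the settings.

```python
"""Flip the VMX flag in a /dev/nvram image and recompute the PC CMOS checksum."""

RTC_BYTES = 14                  # CMOS 0x00-0x0D (clock registers) are not in /dev/nvram
NVRAM_BYTES = 128 - RTC_BYTES   # 114 bytes, matching "114 bytes read" in the output above
CKS_FIRST, CKS_LAST = 2, 31     # /dev/nvram offsets of CMOS 0x10..0x2D (the summed range)
CKS_LOC = 32                    # /dev/nvram offset of CMOS 0x2E (high byte), 0x2F (low byte)

VMX_CMOS_BYTE = 0x11            # from this page: the VMX flag is in CMOS byte 0x11 ...
VMX_MASK = 1 << 6               # ... bit 6, i.e. mask 0x40


def nvram_offset(cmos_index):
    """Translate a CMOS register index into an offset within /dev/nvram."""
    if not RTC_BYTES <= cmos_index < 128:
        raise ValueError("CMOS index 0x%02X is not exposed by /dev/nvram" % cmos_index)
    return cmos_index - RTC_BYTES


def calc_checksum(image):
    """16-bit sum of the bytes in the checksummed range."""
    return sum(image[CKS_FIRST:CKS_LAST + 1]) & 0xFFFF


def stored_checksum(image):
    """Checksum as stored in the image, high byte first."""
    return (image[CKS_LOC] << 8) | image[CKS_LOC + 1]


def store_checksum(image):
    """Write the freshly calculated checksum into the image and return it."""
    cks = calc_checksum(image)
    image[CKS_LOC], image[CKS_LOC + 1] = cks >> 8, cks & 0xFF
    return cks


def set_vmx_flag(image, enable=True):
    """Return a modified copy with the VMX flag changed and the checksum updated."""
    if len(image) != NVRAM_BYTES:
        raise ValueError("expected %d bytes, got %d" % (NVRAM_BYTES, len(image)))
    if calc_checksum(image) != stored_checksum(image):
        # A mismatch means the layout assumption is wrong or the data is stale.
        raise ValueError("stored checksum does not match; refusing to modify")
    out = bytearray(image)
    off = nvram_offset(VMX_CMOS_BYTE)
    out[off] = (out[off] | VMX_MASK) if enable else (out[off] & ~VMX_MASK & 0xFF)
    store_checksum(out)
    return out


def sample_image():
    """Constructed image whose byte 3 and checksum match the output above."""
    img = bytearray(NVRAM_BYTES)
    for i in range(CKS_FIRST, CKS_LAST + 1):
        img[i] = 0x37                       # filler
    for i in range(28, 32):
        img[i] = 0x38                       # filler chosen so the sum is 0x06C6
    img[nvram_offset(VMX_CMOS_BYTE)] = 0x87
    store_checksum(img)
    return img


if __name__ == "__main__":
    before = sample_image()
    after = set_vmx_flag(before)
    off = nvram_offset(VMX_CMOS_BYTE)
    print("Byte %d: 0x%02X -> 0x%02X" % (off, before[off], after[off]))
    print("Checksum: 0x%04X -> 0x%04X" % (stored_checksum(before), stored_checksum(after)))
```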
As well as using /dev/mem to grab the actively loaded BIOS pages (location & size from dmidecode) I have the BIOS image extracted into its component modules and disassembled.
From that data I was able to work out which BIOS module pages are mapped into the live BIOS once setup/POST are complete and the relocation addresses.
The active BIOS image doesn't contain the setup module or other POST modules so scanning it won't necessarily locate the VMX bit-set code.
Since I've got some free time I'm currently working on identifying the other checksum/CRC protection. I've started by identifying all CMOS writes (out 0x71) and using a process of elimination, narrowing the possibilities.
I've noticed there's some intriguing stuff going on where a CMOS write is immediately followed by a read/write at 0x1072 (and other places):
ROMEXEC1.rom.dasm-394-00000541 B08D mov al,0x8d
ROMEXEC1.rom.dasm-395-00000543 E670 out 0x70,al
ROMEXEC1.rom.dasm-396-00000545 E471 in al,0x71
ROMEXEC1.rom.dasm-397-00000547 2480 and al,0x80
ROMEXEC1.rom.dasm-398-00000549 B48D mov ah,0x8d
ROMEXEC1.rom.dasm-399-0000054B 86C4 xchg al,ah
ROMEXEC1.rom.dasm-400-0000054D E670 out 0x70,al
ROMEXEC1.rom.dasm-401-0000054F 86C4 xchg al,ah
ROMEXEC1.rom.dasm:402:00000551 E671 out 0x71,al ; CMOS write
ROMEXEC1.rom.dasm-403-00000553 BA7210 mov dx,0x1072
ROMEXEC1.rom.dasm-404-00000556 ED in ax,dx
ROMEXEC1.rom.dasm-405-00000557 2500FC and ax,0xfc00
ROMEXEC1.rom.dasm-406-0000055A 0DFF03 or ax,0x3ff
ROMEXEC1.rom.dasm-407-0000055D EF out dx,ax
I've grabbed symcmos.exe so I'll reverse-engineer it and we can find out what it is doing.
Just looking through SymCMOS.exe and saw this code. It refers to a CRC not a checksum, so if we can trust that the programmers didn't mix the meanings up, this may point the way to the other check:
seg004:0E6E updateCRC proc far ; CODE XREF: sub_4462+B2
seg004:0E6E ; sub_45A6+EA ...
seg004:0E6E
seg004:0E6E ptrPDM = dword ptr -0Ah
seg004:0E6E
seg004:0E6E enter 0Ah, 0
seg004:0E72 push 0Ah
seg004:0E74 push 4E56h
seg004:0E77 push 0Ch
seg004:0E79 mov ax, word ptr addrPDM
seg004:0E7C mov dx, word ptr addrPDM+2
seg004:0E80 mov word ptr [bp+ptrPDM+2], dx
seg004:0E83 mov word ptr [bp+ptrPDM], ax
seg004:0E86 call [bp+ptrPDM]
seg004:0E89 add sp, 6
seg004:0E8C or ax, ax
seg004:0E8E jz short exit
seg004:0E90 push ax ; char
seg004:0E91 push seg seg004
seg004:0E94 push offset errorUpdatingCRC ; "Error %X updating NVRAM CRC\n"
seg004:0E97 nop
seg004:0E98 push cs
seg004:0E99 call near ptr printError
seg004:0E9C
seg004:0E9C exit: ; CODE XREF: updateCRC+20
seg004:0E9C leave
seg004:0E9D retf
seg004:0E9D updateCRC endp
addrPDM is filled by:
seg004:0BBE getDispatchManager proc far ; CODE XREF: _main+22
seg004:0BBE
seg004:0BBE value = word ptr -8
seg004:0BBE address = dword ptr -4
seg004:0BBE
seg004:0BBE enter 0Ch, 0
seg004:0BC2 mov [bp+address], 0F0000000h ; Scan in steps of 0x0010 from here
seg004:0BCA mov [bp+value], 0FFF0h ; End Of Table marker?
seg004:0BCF jmp short isValidModuleEntry
seg004:0BD1 ; ---------------------------------------------------------------------------
seg004:0BD1
seg004:0BD1 isModulePDM: ; CODE XREF: getDispatchManager+61
seg004:0BD1 push 4 ; size_t
seg004:0BD3 push seg seg004 ; string2
seg004:0BD6 push offset signaturePDM ; "$PDM"
seg004:0BD9 push word ptr [bp+address+2] ; MSW
seg004:0BDC push ax ; string1
seg004:0BDD call _strncmp
seg004:0BE2 add sp, 0Ah
seg004:0BE5 or ax, ax ; Is it Phoenix Dispatch Manager?
seg004:0BE7 jnz short next
seg004:0BE9 mov ax, word ptr [bp+address] ; LSW
seg004:0BEC mov dx, word ptr [bp+address+2] ; MSW
seg004:0BEF mov bx, ax
seg004:0BF1 mov es, dx
seg004:0BF3 mov cl, es:[bx+5] ; count
seg004:0BF7 sub ch, ch
seg004:0BF9 push cx ; count
seg004:0BFA push dx ; PDM table entry
seg004:0BFB push ax
seg004:0BFC nop
seg004:0BFD push cs
seg004:0BFE call near ptr calcModuleTableEntryChecksum
seg004:0C01 add sp, 6
seg004:0C04 or al, al ; table entry checksum 0?
seg004:0C06 jnz short next
seg004:0C08 les bx, [bp+address]
seg004:0C0B mov ecx, es:[bx+7] ; address of Phoenix Dispatch Manager
seg004:0C10 mov addrPDM, ecx
seg004:0C15
seg004:0C15 next: ; CODE XREF: getDispatchManager+29
seg004:0C15 ; getDispatchManager+48
seg004:0C15 add word ptr [bp+address], 10h
seg004:0C19
seg004:0C19 isValidModuleEntry: ; CODE XREF: getDispatchManager+11
seg004:0C19 mov ax, word ptr [bp+address]
seg004:0C1C cmp [bp+value], ax ; end of table?
seg004:0C1F ja short isModulePDM
seg004:0C21 leave
seg004:0C22 retf
seg004:0C22 getDispatchManager endp
Here, addrPDM is 0xF000:9802 which contains:
jmp far ptr 6CE8h:0E6FE4313h
The CRC call looks something like:
extern unsigned short dispatchManager(unsigned char, unsigned short, unsigned char);
In the case of CRC, it is:
if ( (err = dispatchManager(12, 0x4E56, 10)) != 0) {
    printError("Error %X updating NVRAM CRC\n", err);
}
It seems Phoenix think it's worth patenting.
Yes, I use IDA Pro extensively. I recently used it to reverse-engineer the Sony Notebook Control Windows driver, and am using that as the basis to write a complete implementation for Linux: a kernel-driver (snc.ko) and user-space + Gnome control apps.
In real-mode 6CE8h:0E6FE4313h is the address of the Phoenix Dispatch Manager - dispatchManager(...) described above.
I had a novel experience earlier. I fetched the FreeDOS floppy boot image and put it on a real floppy diskette, with symcmos.exe on another diskette. Rebooted the laptop with 'Boot from External Drive' enabled using a USB diskette drive.
Had some issues working out what to do with symcmos.exe.
A:\ symcmos.exe -Ssymbol.txt
failed with a one-line report about a return code. I forgot to pipe the error report to a file so I can't reproduce it here (until I reboot again). However
A:\ symcmos.exe -Lreport.txt
did work and I have the file to hand. The first thing I noticed was the CRC reported:
( SYMBOLIC CMOS EDITOR - Version 643710-032 )
( BIOS Version: NAPA0001.86C.0032.D.0702051952 )
CRC = 2786
and the other thing is 0x0676 (1656) bytes of NVRAM reported.
I'm writing a simple script to write the values to a binary file and then run the 'standard' checksum algorithm on them, see if it comes up with 0x2786 (I assume that is hex).
If it does we don't need to hunt for the algorithm, we just need to find where the checksum is stored! It apparently being a 16-bit value gives me hope on that.
It seems strange how the offsets increment by 3, but the values reported are 16-bit.
How did you decide/discover to change 0x0399 to enable VT for your R0092N0 ?
From what I've seen of all the Vaio BIOS images I've explored Phoenix make everything modular so storage locations in NVRAM should be the same across all similar Phoenix versions.
That said, I have:
(0381) [0001]
(0384) [0000]
(0387) [0000]
(038D) [0001]
(0399) [0003]
(039C) [0000]
(039F) [0002]
(03A2) [3FFF]
(03A5) [000F]
(03A8) [003F]
(03AB) [0000]
(03AE) [0000]
What does yours show for that same range?
In symcmos.exe getModuleAddress() (aka sub_3F3A) makes a call to the PDM using a slightly different prototype to the one I deduced previously:
extern unsigned short dispatchManager(unsigned char, unsigned short, unsigned long, unsigned short);
unsigned long getModuleAddress(unsigned short moduleID) {
    unsigned long moduleAddress;      /* receives the result of the PDM call */
    unsigned short err;
    unsigned long ptr_dwPDM;
    unsigned long ptrDispatchManager;
    ptr_dwPDM = addrPDM;              /* addrPDM is the global filled in by getDispatchManager() */
    ptrDispatchManager = addrPDM;
    if ( (err = dispatchManager(1, moduleID, moduleAddress, register_SS)) != 0) {
        printError("Return code = %X, Module ID = %X, Module Address = %lX\n", err, moduleID, moduleAddress);
    }
    return moduleAddress;
}
So it appears the 3rd argument (in this case at least) receives a return value.
Coincidentally that is also the error report I saw trying to use the command-line option "-S".
I'm working through reverse-engineering all of symcmos so I can write a Linux version that can be run from the boot menu rather like memtest86 is.
I was looking at bobsmit's comments (over at VMTN) and yours about ESID. I infer that ESID[3:2] = 01b means:
"Set bits 3 and 2 to the binary value 01 in register location ESID"
I'm not sure right now where or what ESID is (I assume it is the symbol for one of the NVRAM locations).
In the context of memory management ESID is Effective Segment ID.
I checked the R0200J3 BIOS modules and there's no string similar to the reported "Debug Intel Menu" - I didn't remember seeing anything like that when using Phoenix BIOS Editor either. Do you have it in your BIOS? If so, in which module?
Also, are you able to get symbolic names using symcmos -S ? From my reverse-engineering I can see the symbols are loaded from BIOS but as I said earlier, with the FE41Z and R0200J3 it throws an error.
I think I've cracked how it all hangs together.
The (Token) numbers reported in the output of symcmos.exe:
A:\ symcmos.exe -Lliteral.txt
( SYMBOLIC CMOS EDITOR - Version 643710-032 )
( BIOS Version: NAPA0001.86C.0032.D.0702051952 )
CRC = 2786
(0000) [0001]
(0003) [0001]
(0006) [0001]
(0009) [0000]
(000C) [0000]
(000F) [0000]
(0012) [0000]
(0015) [0000]
are the same numbers that are used by the BIOS configuration calls to 0xF000:4120, and the prototype will be something like
boolean is_nvram_token_enabled(unsigned short Token);
Here's the R0200J3 BIOSCOD6.ROM extract:
mov ecx,0x3a ; MSR 0x3A
rdmsr ; get current value
bt eax,0x0
jc nextSetting ; MSR 0x3A locked so skip trying to change it
push ax
mov ax,0x195 ; NVRAM Token # 0x0195
call 0xf000:0x4120 ; boolean is_nvram_token_enabled(unsigned short Token);
pop ax
jz lockMSR ; skip enabling VT if Token # 0x0195 == 0
bts eax,0x2 ; Enable VT
lockMSR:
bts eax,0x0 ; Lock MSR until power cycle
wrmsr
nextSetting:
xor eax,eax
I scanned all the BIOS modules for "call 0xF000:0x4120" and checked the value placed in the AX register as the parameter to the call. In all cases I've found so far, this number is a multiple of 3 and matches the Token numbers in the output from symcmos.
Some Token-numbers appear in the BIOS that aren't reported by symcmos but that is easily explained by the modular nature of the BIOS - some Token-numbers simply won't be used by the particular PC.
Based on this I am predicting that on this R0200J3 Vaio that Token 0x0195 is the one controlling VT. I've created a custom literal.txt and will be rebooting to FreeDOS shortly to try loading this.
I'm not yet clear how the CRC is handled - presumably symcmos first compares the current CRC with the one in the file, and if they match, then goes ahead and makes the changes to NVRAM. It then updates the system CRC.
If that is correct then when I do:
A:\ symcmos.exe -L
again the CRC should reflect the change and Token 0x0195 should be 0x0001.
From looking at the symcmos -SSYMBOL.TXT command it appears that originally it was intended that the BIOS contain the symbol-set but it has since been removed. I'll do more digging on this since if we can find a way to match Tokens with symbols we have a sure-fire way to confidently alter settings.
I'm going to extract the BIOS modules from the R0092N0 BIOS image later and confirm that it uses AX=0x0399 in its call to is_nvram_token_enabled(AX).
If all this proves out, getting a Linux version of symcmos written will provide much-needed hacker capability around Phoenix BIOS configuration.
The only mention I could find of VT in the R0200J3 BIOS is this in STRINGS0.ROM:
When enabled, a VMM can utilize the additional hardware capabilities provided by Vanderpool Technology Virtualization Technology
Happily it worked.
$ rdmsr 0x3A
5
That shows bit-2 (0x04) and bit-0 (0x01) of MSR 0x3A are set. bit-2 is the VT enable bit.
Loading the Linux KVM modules works and there are no error reports in /var/log/kern.log:
$ sudo modprobe kvm-intel
$ lsmod | grep kvm
kvm_intel 24720 0
kvm 74448 1 kvm_intel
If VT wasn't enabled, kern.log would have shown:
kernel: [ 227.215440] kvm: disabled by bios
So now my intention is to complete the reverse-engineering of symcmos and create a Linux version, and to try and track down as many symbols from Phoenix BIOS images as I can.
I've been doing some scanning of /dev/mem with a userspace application with superuser privileges and made quite a bit of progress in finding the location of the Phoenix Dispatch Manager routine in a generic way.
After opening /dev/mem as a file with open() I use the same technique that symcmos uses to locate the PDM structure, but starting at 0 rather than 0xF0000000 as it does.
- for ( pos = 0; pos < max_address; pos += 16)
  - Look for the signature "$PDM" at pos
  - Check the byte_count value (pos + 0x05) is > 0
  - Calculate the checksum of bytes pos to pos+byte_count-1
  - If the checksum is correct (== 0) then:
    - Read the (far) address of dispatchManager() from pos+7 (4 bytes)
    - Seek to the address and read the asm JMP seg:offset
    - Seek to seg:offset and scan asm instructions looking for 'call near [cs:di+OFFSET]' (byte-codes 2E FF 95)
    - Seek to OFFSET and read 0x0E word entries from the table
The resulting table is the near call offsets for dispatchManager() sub-functions 0 - 0x0D.
Here's an example of the output from the R0200J3 BIOS:
$ sudo ./find-pdm
find-pdm version 0.1 © 2007 TJ http://intuitivenipple.net
Licensed on the terms of GPL version 3
Finds Phoenix Dispatch Manager (for supported BIOS's only).
0xFFFFFFFFFFFFFFFF
Memory size 0x00000000000F7300
2450444D010B65029800F00000000000
PDM @ 00000000F0009802 sum: 0
Seek to 0x000F9802 readable
Jump to 0xE6FE:4313 (0x000EB2F3)
Table starts at 0xEB2D7
00 (0x000EB2D7) 0x4340
01 (0x000EB2D9) 0x435C
02 (0x000EB2DB) 0x4363
03 (0x000EB2DD) 0x436A
04 (0x000EB2DF) 0x4383
05 (0x000EB2E1) 0x4435
06 (0x000EB2E3) 0x4442
07 (0x000EB2E5) 0x444F
08 (0x000EB2E7) 0x445C
09 (0x000EB2E9) 0x4396
0A (0x000EB2EB) 0x4469
0B (0x000EB2ED) 0x43AE
0C (0x000EB2EF) 0x43CC
0D (0x000EB2F1) 0x4349
It looks from this as if it will be possible to have a user-space application in a regular linux session (not a separate real-mode boot) that can make calls to dispatchManager().
I've got to test calling into it yet but assuming I can figure that out, it looks like it is relatively straightforward to write a utility that can call dispatchManager() that can work with almost all Phoenix BIOSs.
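The $PDM scan listed above, as an added Python example (it is not the find-pdm source). It runs over a constructed 1 MB buffer instead of /dev/mem: the entry bytes, jump target and table values are copied from the find-pdm output on this page, while the entry's position, the decoy entry and the NOP filler in front of the call instruction are assumptions.

```python
"""Locate the Phoenix Dispatch Manager sub-function table in a memory image."""
import struct

PDM_SIGNATURE = b"$PDM"
FAR_JMP = 0xEA                   # opcode of "jmp far ptr16:16"
CALL_CS_DI = b"\x2e\xff\x95"     # "call near [cs:di+disp16]", bytes as given on the page
SUBFUNCTIONS = 0x0E              # table entries for sub-functions 0x00..0x0D

# Values copied from the find-pdm output on this page.
PAGE_PDM_ENTRY = bytes.fromhex("2450444D010B65029800F00000000000")
PAGE_TABLE = [0x4340, 0x435C, 0x4363, 0x436A, 0x4383, 0x4435, 0x4442,
              0x444F, 0x445C, 0x4396, 0x4469, 0x43AE, 0x43CC, 0x4349]


def linear(seg, off):
    """Convert a real-mode segment:offset pair to a linear address."""
    return (seg << 4) + off


def find_pdm(mem, step=16):
    """Return (position, segment, offset) for the first valid $PDM entry, or None."""
    for pos in range(0, len(mem) - 15, step):
        if mem[pos:pos + 4] != PDM_SIGNATURE:
            continue
        count = mem[pos + 5]
        if count == 0 or pos + count > len(mem):
            continue
        if sum(mem[pos:pos + count]) & 0xFF:
            continue                     # entry bytes must sum to zero (mod 256)
        off, seg = struct.unpack_from("<HH", mem, pos + 7)
        return pos, seg, off
    return None


def follow_far_jmp(mem, seg, off):
    """Decode the far JMP stored at seg:off and return its (segment, offset) target."""
    addr = linear(seg, off)
    if mem[addr] != FAR_JMP:
        raise ValueError("expected a far JMP at %04X:%04X" % (seg, off))
    target_off, target_seg = struct.unpack_from("<HH", mem, addr + 1)
    return target_seg, target_off


def read_dispatch_table(mem, seg, off, window=64):
    """Find 'call near [cs:di+disp16]' after seg:off; return (table address, entries)."""
    entry = linear(seg, off)
    hit = mem.find(CALL_CS_DI, entry, entry + window)
    if hit < 0:
        raise ValueError("no call near [cs:di+disp16] within %d bytes" % window)
    (disp,) = struct.unpack_from("<H", mem, hit + 3)
    table = linear(seg, disp)
    return table, list(struct.unpack_from("<%dH" % SUBFUNCTIONS, mem, table))


def build_sample_memory(entry_pos=0xF6E50):
    """Constructed 1 MB image; entry_pos, the decoy and the NOP filler are assumptions."""
    mem = bytearray(0x100000)
    # Decoy: correct signature on a 16-byte boundary, but the bytes do not sum to zero.
    mem[0xE0000:0xE0010] = PDM_SIGNATURE + b"\x01\x0b" + bytes(10)
    mem[entry_pos:entry_pos + 16] = PAGE_PDM_ENTRY
    mem[0xF9802:0xF9807] = bytes.fromhex("EA1343FEE6")     # jmp far E6FE:4313
    struct.pack_into("<%dH" % SUBFUNCTIONS, mem, 0xEB2D7, *PAGE_TABLE)
    mem[0xEB2F3:0xEB2FC] = b"\x90" * 4 + CALL_CS_DI + struct.pack("<H", 0x42F7)
    return mem


if __name__ == "__main__":
    mem = build_sample_memory()
    pos, seg, off = find_pdm(mem)
    print("$PDM entry at 0x%05X -> %04X:%04X" % (pos, seg, off))
    jseg, joff = follow_far_jmp(mem, seg, off)
    print("dispatchManager at %04X:%04X (0x%05X)" % (jseg, joff, linear(jseg, joff)))
    table, entries = read_dispatch_table(mem, jseg, joff)
    for n, near in enumerate(entries):
        print("%02X (0x%05X) 0x%04X" % (n, table + 2 * n, near))
```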
The next step is to use the same memory-search mechanism to scan the full 1MB BIOS image, find the setup module, locate the correct rdmsr/wrmsr 0x3A instructions and the related Token value loaded into AX.
If this works across BIOS versions then the utility can quickly and easily detect the correct VT Token without needing CMOS symbols, or needing to recreate the symcmos utility.
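A byte-pattern version of the two searches described on this page (every call to 0xF000:0x4120 with the Token loaded into AX, and the Token tested between mov ecx,0x3a and wrmsr), as an added Python example rather than the author's tool. The sample bytes are the opcode column of the BIOSCOD6 listing above; matching raw byte patterns instead of disassembling, the 64-byte search window and the decoy call appended after the listing are assumptions.

```python
"""Find NVRAM Token queries in a BIOS module, and the one guarding MSR 0x3A."""
import struct

MOV_ECX_3A = bytes.fromhex("66B93A000000")    # mov ecx,0x3a
WRMSR = bytes.fromhex("0F30")
MOV_AX_IMM16 = 0xB8                           # mov ax,imm16

# Opcode bytes of the BIOSCOD6 listing on this page (0xA855..0xA88C).
PAGE_BASE = 0xA855
PAGE_LISTING = bytes.fromhex(
    "0FA2 25FF0F 3DE106 722E 660FBAE105 7327 66B93A000000 0F32 660FBAE000 7218"
    " 50 B89501 9A204100F0 58 7405 660FBAE802 660FBAE800 0F30")
# Constructed decoy: an unrelated Token query (0x0012) placed after the listing.
DECOY = bytes.fromhex("90" * 8 + "B81200 9A204100F0")


def far_call(seg, off):
    """Encoding of 'call far seg:off' in 16-bit code: 9A, offset, segment."""
    return b"\x9a" + struct.pack("<HH", off, seg)


def find_token_calls(code, base=0, seg=0xF000, off=0x4120):
    """List (address, token) for each 'mov ax,imm16' directly followed by the far call."""
    call = far_call(seg, off)
    hits = []
    pos = code.find(call)
    while pos >= 0:
        if pos >= 3 and code[pos - 3] == MOV_AX_IMM16:
            (token,) = struct.unpack_from("<H", code, pos - 2)
            hits.append((base + pos - 3, token))
        pos = code.find(call, pos + 1)
    return hits


def find_vt_token(code, base=0, window=64):
    """Return (address, token) of the first Token query between 'mov ecx,0x3a' and wrmsr."""
    start = code.find(MOV_ECX_3A)
    while start >= 0:
        end = code.find(WRMSR, start, start + window)
        if end >= 0:
            hits = find_token_calls(code[start:end], base + start)
            if hits:
                return hits[0]
        start = code.find(MOV_ECX_3A, start + 1)
    return None


def looks_like_token(token):
    """The page observes that every Token number seen so far is a multiple of 3."""
    return token % 3 == 0


if __name__ == "__main__":
    code = PAGE_LISTING + DECOY
    for addr, token in find_token_calls(code, PAGE_BASE):
        print("Token 0x%04X queried at 0x%04X" % (token, addr))
    addr, token = find_vt_token(code, PAGE_BASE)
    print("MSR 0x3A logic tests Token 0x%04X (mov ax at 0x%04X)" % (token, addr))
```

On a real module the result is a candidate to confirm against the disassembly, since a byte pattern can also match inside data.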
So far, so good. I'm working with libx86 so the utility can run on 32- or 64-bit systems and make real-mode calls into the BIOS. It is the same library used by vbetool.
libx86 combines Linux Real Mode Interface (LRMI) for x86 32-bit and x86emu for 64-bit.
I'm fixing up some 64-bit bugs in libx86 right now. Once I'm happy with it I can link it to VT-enable.
From that point on, assuming the calls into the BIOS complete correctly (in the same way as symcmos calls in) then it is simply a case of tidying it up, documenting, and preparing the Debian/Ubuntu package.
I have a Sony SZ370P with the same processor and same problem. (Rant: why they disable a key feature on a premium laptop I cannot understand. /Rant)
I suspect it's to simplify their support options, since VT is variable across individual models (in the FE41 range, only the "Z" suffix has a CPU with hardware VT).
I used to do this kind of system design/hacking a number of years ago but am a little out of touch as to what tools to use.
I downloaded all the integrated BIOS image-installers (.exe executable CAB files) from the Sony Japan FTP site (ftp.vaio.sony.co.jp), and then use cabextract to extract the BIOS image.
It goes something like this:
$ ls
PHBSYS-01101528-UN.exe
$ cabextract PHBSYS-01101528-UN.exe
PHBSYS-01101528-UN.exe: library not compiled to support large files.
PHBSYS-01101528-UN.exe: library not compiled to support large files.
Extracting cabinet: PHBSYS-01101528-UN.exe
  extracting PhlashNT.sys
  extracting R0200J3.WPH
  extracting WBFLASH.exe
  extracting WBFLASH.SCR
  extracting WinPhlash.exe
All done, no errors.
$ ls
PHBSYS-01101528-UN.exe PhlashNT.sys R0200J3.WPH WBFLASH.exe WBFLASH.SCR WinPhlash.exe
R0200J3.WPH is the binary image. WPH is the acronym for WinPHlash, the Windows BIOS utility Phoenix provide. You can feed this file into Phoenix BIOS Editor v2.2 (using Wine) and extract the individual modules, images, and relocation information.
So I just thought I should try it in the Sony first. Short story is that each of the memory banks correctly can use it as a full 2G module. The bad news is that if you put two 2G modules in, that the system will only see 3Gs of RAM.
Assuming this isn't a hardware limit (address lines tied to zero) then there are two configuration services I can think of that might enable the BIOS recognition of the additional memory:
- BIOS Interrupt 0x15 0xE820 function report (aka BIOS-e820)
- ACPI DSDT system memory maps (load a custom DSDT)
Do you get the same 3GB limit using a 64-bit operating system? I ask since 32-bit Linux will usually limit userspace to 3GB of RAM because the kernel relocates to the area above that.
What size are the Bios images on your FE? If this is a partial image, what tool would you suggest I use to grab the bios image. (I primarily use Linux but will run XP if needed.)
The R0xxxJ3 BIOSs are 1 megabyte. I described above how I usually isolate them. You could read directly from /dev/mem but since a subset of the BIOS modules is paged into the traditional memory space (0xC8000-0x100000), you would have to identify the mapped location of the entire 1MB image and be sure it hadn't had any run-time fix-ups applied.
Let me know what I can do to help. In the meantime I'll work on getting tools and getting back up to speed. (If you have suggestions for specific tools that also would be appreciated. I'm happy to write a few tools (on linux only, prefer using LGPL) if you have any ideas for something useful that does not exist (on unix/linux).)
If you're interested in taking this further then I'd suggest a valuable contribution could be made by developing on my original idea to identify and use the NVRAM Token symbols. That work could be incorporated into a support library that other tools (such as my vt-enable) could call upon for symbolic access to BIOS settings.
It would provide all compatible Phoenix BIOS users with a safe method of interacting with their NVRAM settings using a generic tool. Currently it requires quite a bit of hacking (as you've seen) to identify even one Token with confidence.
From what I've seen so far it'd mainly be a big job of collecting older Phoenix BIOS images from all manufacturers and extracting the symbol tables and then deducing how to apply the information to newer BIOS images that don't contain those symbol tables (The DOS symcmos utility looks for them, and will use the symbols if available - ask me if you want my symcmos code notes). I started the quest but those symbol tables are rare so I suspended my search in favour of more productive hacking.
If it proves infeasible to do it that way, then it'll need a tool that extracts the BIOS modules and then parses them to identify which Token represents which function. My idea would be to do that once on the collected Phoenix BIOS images and create an array of lookup tables in the library code that uses DMI to obtain the running BIOS version and from that determines which entry in the table array matches the BIOS.
You could possibly build on my SNC driver research in doing that.
Now I've got a mechanism to identify the specific NVRAM Token used to enable VT I don't intend taking the Token identification further since I've achieved what I set out to do.
I'll be releasing my vt-enable tool once the Ubuntu Gutsy release is over and I can relax for a while. Some polishing of libx86 has been done so I should be able to use it without a hitch now.
Here's an example of the NVRAM token symbols. In the following two comments I'm going to include the full text of the files mentioned here since they are so rare - hopefully search engines will index them and help others find this information.
When compiling the Phoenix BIOS a couple of files are created. Sometimes one or both of these files are included in the BIOS update packages shipped by motherboard manufacturers.
- nvtoken.lst - the symbols and related Token IDs
- nvram.lst - the symbols, location in CMOS, bit-size, and optionally the Token ID
Example from nvtoken.lst:
cmosInstalledOS EQU 002A6h
cmosCPU_VT_Sup EQU 002A9h
cmosCPU_VT_Ena EQU 002ACh
cmosCPU_NX_Dis EQU 002AFh
cmosCPU_ATM EQU 002B2h
Example from nvram.lst:
.D = DEFAULTS     F = FIXEDFIELD   L = STACKLESS    S = STRUCFIELD   B = BYTESTRING
.O = OVERRIDE     C = CRC/CKSM     M = MEMBERFIELD  K = CHECKSUM     R = READONLY
.E = OEMOVERRIDE
.Token       Start        Std          Attributes
.      Media       Width        Mfg                  Name
02a3   0     00f8  04     0000  0000   K             cmosLanguage
02ac   0     00fc  01     0000  0001   O K           cmosCPU_VT_Ena
02dc   0     00fd  05     0007  0000   K             cmosCpuFreqStrapHi
cmosExcludeIRQ10 06ae 0 0381 01 0000 0000 K cmosExcludeIRQ11 06b1 0 0382 01 0000 0000 K cmosExcludeIRQ12 06b4 0 0383 01 0000 0000 K cmosExcludeIRQ14 06b7 0 0384 01 0000 0000 K cmosExcludeIRQ15 06ba 0 0385 02 0000 0000 K cmosConsoleConfig 06bd 0 0387 03 0004 0004 K cmosConsoleBaudRate 06c0 0 038a 03 0003 0003 K cmosConsoleType 06c3 0 038d 02 0000 0000 O K cmosConsoleFlowControl 06c6 0 038f 01 0000 0000 K cmosConsoleConnect 06c9 0 0390 01 0000 0000 K cmosConsoleEnAftPst 06cc 0 0391 03 0000 0000 K cmosConsoleVidPages 06cf 0 0394 01 0000 0000 K cmosPwrBtn 06d8 0 0395 01 0000 0000 cmosCalledInPOST 06db 0 0396 03 0001 0001 O K cmosPmPMMode 06de 0 0399 03 0000 0000 K cmosPmStandbyTimer 06e1 0 039c 03 0000 0000 K cmosPmSuspendTimer 06e4 0 039f 01 0000 0000 K cmosPmResTime 06e7 0 03a0 07 0000 0000 K cmosPmResTimeSec 06ea 0 03a7 07 0000 0000 K cmosPmResTimeMin 06ed 0 03ae 06 0000 0000 K cmosPmResTimeHour 06f0 0 03b4 04 0000 0000 K cmosPmHDDTimer 06f3 0 03b8 04 0000 0000 K cmosPmVideoTimer 06fc 0 03bc 01 0000 0000 K cmosPmSuspendMode 06ff 0 03bd 01 0000 0000 K cmosPmResRing 0702 0 03be 02 0000 0000 K cmosPmIntrdsel 0705 0 03c0 02 0002 0002 K cmossions374ComAConfig 0708 0 03c2 02 0000 0000 K cmossions374ComAAddr 070b 0 03c4 01 0001 0001 K cmossions374ComAIrq 070e 0 03c5 02 0002 0002 K cmosSioNs374ComBConfig 0711 0 03c7 03 0000 0000 K cmosSioNs374ComBMode 0714 0 03ca 02 0001 0001 K cmosSioNs374ComBAddr 0717 0 03cc 01 0000 0000 K cmosSioNs374ComBIrq 071a 0 03cd 02 0001 0001 K cmossions374FdcConfig 071d 0 03cf 01 0000 0000 K cmossions374FdcAddr 0720 0 03d0 02 0002 0002 K cmossions374LptConfig 0723 0 03d2 02 0003 0003 K cmossions374LptMode 0729 0 03d4 01 0001 0001 K cmossions374LptIrq 072f 0 03d5 01 0000 0000 K cmosMcdSecured 0456 0 03e0 08 0000 0000 F S cmosEventLogClrByte 0459 0 03e0 01 0000 0000 F M cmosEventLogClr 045c 0 03e1 07 0000 0000 F M cmosEventLogClrRsvd 045f 0 03e8 10 0000 0000 F cmosEventLogClrCksum 012f 0 03ff 01 0001 0001 F cmosDummy 026a 1 0000 20 0000 0000 F 
cmossaveebp 026d 1 0020 20 0000 0000 F cmossaveebx 0159 1 0040 01 0001 0001 LK cmosCmpEnable 0282 1 0041 01 0001 0001 LK cmosEnableDevE2Oprom 03fc 1 0042 01 0001 0001 O L cmosMemCacheEnable 046b 1 0043 02 0000 0000 LK cmosIGDPanelScaling 0000 1 0045 03 0000 0000 K cmosDviSSEnable 0252 1 0048 08 0000 0000 L cmosCSReg_EBP0 0255 1 0050 08 0000 0000 L cmosCSReg_EBP1 0258 1 0058 08 0001 0001 L cmosCSReg_EBP2 025b 1 0060 08 0000 0000 L cmosCSReg_EBP3 025e 1 0068 08 0000 0000 L cmosCSReg_EBX2 0261 1 0070 08 0000 0000 L cmosCSReg_EBX3 0264 1 0078 08 0000 0000 L cmosCSReg_SSKPD0 0267 1 0080 08 0000 0000 L cmosCSReg_SSKPD1 04b0 1 0088 08 0000 0000 L cmosCH0RCVENSlave 04b3 1 0090 08 0000 0000 L cmosCH1RCVENSlave 04b6 1 0098 08 0000 0000 L cmosCoarseRCVEN 04b9 1 00a0 08 0000 0000 L cmosMediumRCVEN 0003 1 00a8 01 0000 0000 O K cmosAC97AudioEnable 0006 1 00a9 01 0001 0001 K cmosAC97ModemEnable 000c 1 00aa 08 0000 0000 S K cmosCommandByte1 000f 1 00aa 01 0000 0000 M K cmosEnableDev1Oprom 0012 1 00ab 01 0000 0000 M K cmosEnable1 0015 1 00ac 01 0000 0000 M K cmosPciDev1Master 0018 1 00ad 01 0000 0000 M K cmosCh1NativeIde1 001b 1 00ae 01 0000 0000 M K cmosCh2NativeIde1 001e 1 00af 03 0000 0000 M K cmosPciDev1Latency 0021 1 00b2 08 0000 0000 S K cmosCommandByte2 0024 1 00b2 01 0000 0000 M K cmosEnableDev2Oprom 0027 1 00b3 01 0000 0000 M K cmosEnable2 002a 1 00b4 01 0000 0000 M K cmosPciDev2Master 002d 1 00b5 01 0000 0000 M K cmosCh1NativeIde2 0030 1 00b6 01 0000 0000 M K cmosCh2NativeIde2 0033 1 00b7 03 0000 0000 M K cmosPciDev2Latency 0036 1 00ba 08 0000 0000 S K cmosCommandByte3 0039 1 00ba 01 0000 0000 M K cmosEnableDev3Oprom 003c 1 00bb 01 0000 0000 M K cmosEnable3 003f 1 00bc 01 0000 0000 M K cmosPciDev3Master 0042 1 00bd 01 0000 0000 M K cmosCh1NativeIde3 0045 1 00be 01 0000 0000 M K cmosCh2NativeIde3 0048 1 00bf 03 0000 0000 M K cmosPciDev3Latency 004b 1 00c2 08 0000 0000 S K cmosCommandByte4 004e 1 00c2 01 0000 0000 M K cmosEnableDev4Oprom 0051 1 00c3 01 0000 0000 M K 
cmosEnable4 0054 1 00c4 01 0000 0000 M K cmosPciDev4Master 0057 1 00c5 01 0000 0000 M K cmosCh1NativeIde4 005a 1 00c6 01 0000 0000 M K cmosCh2NativeIde4 005d 1 00c7 03 0000 0000 M K cmosPciDev4Latency 0060 1 00ca 08 0000 0000 S K cmosCommandByte5 0063 1 00ca 01 0000 0000 M K cmosEnableDev5Oprom 0066 1 00cb 01 0000 0000 M K cmosEnable5 0069 1 00cc 01 0000 0000 M K cmosPciDev5Master 006c 1 00cd 01 0000 0000 M K cmosCh1NativeIde5 006f 1 00ce 01 0000 0000 M K cmosCh2NativeIde5 0072 1 00cf 03 0000 0000 M K cmosPciDev5Latency 0075 1 00d2 08 0000 0000 S K cmosCommandByte6 0078 1 00d2 01 0000 0000 M K cmosEnableDev6Oprom 007b 1 00d3 01 0000 0000 M K cmosEnable6 007e 1 00d4 01 0000 0000 M K cmosPciDev6Master 0081 1 00d5 01 0000 0000 M K cmosCh1NativeIde6 0084 1 00d6 01 0000 0000 M K cmosCh2NativeIde6 0087 1 00d7 03 0000 0000 M K cmosPciDev6Latency 008a 1 00da 08 0000 0000 S K cmosCommandByte7 008d 1 00da 01 0000 0000 M K cmosEnableDev7Oprom 0090 1 00db 01 0000 0000 M K cmosEnable7 0093 1 00dc 01 0000 0000 M K cmosPciDev7Master 0096 1 00dd 01 0000 0000 M K cmosCh1NativeIde7 0099 1 00de 01 0000 0000 M K cmosCh2NativeIde7 009c 1 00df 03 0000 0000 M K cmosPciDev7Latency 009f 1 00e2 08 0000 0000 S K cmosCommandByte8 00a2 1 00e2 01 0000 0000 M K cmosEnableDev8Oprom 00a5 1 00e3 01 0000 0000 M K cmosEnable8 00a8 1 00e4 01 0000 0000 M K cmosPciDev8Master 00ab 1 00e5 01 0000 0000 M K cmosCh1NativeIde8 00ae 1 00e6 01 0000 0000 M K cmosCh2NativeIde8 00b1 1 00e7 03 0000 0000 M K cmosPciDev8Latency 00b4 1 00ea 08 0000 0000 S K cmosCommandByte9 00b7 1 00ea 01 0000 0000 M K cmosEnableDev9Oprom 00ba 1 00eb 01 0000 0000 M K cmosEnable9 00bd 1 00ec 01 0000 0000 M K cmosPciDev9Master 00c0 1 00ed 01 0000 0000 M K cmosCh1NativeIde9 00c3 1 00ee 01 0000 0000 M K cmosCh2NativeIde9 00c6 1 00ef 03 0000 0000 M K cmosPciDev9Latency 00c9 1 00f2 08 0000 0000 S K cmosCommandByteA 00cc 1 00f2 01 0000 0000 M K cmosEnableDevAOprom 00cf 1 00f3 01 0000 0000 M K cmosEnableA 00d2 1 00f4 01 0000 0000 M K 
cmosPciDevAMaster 00d5 1 00f5 01 0000 0000 M K cmosCh1NativeIdeA 00d8 1 00f6 01 0000 0000 M K cmosCh2NativeIdeA 00db 1 00f7 03 0000 0000 M K cmosPciDevALatency 00de 1 00fa 08 0000 0000 S K cmosCommandByteB 00e1 1 00fa 01 0000 0000 M K cmosEnableDevBOprom 00e4 1 00fb 01 0000 0000 M K cmosEnableB 00e7 1 00fc 01 0000 0000 M K cmosPciDevBMaster 00ea 1 00fd 01 0000 0000 M K cmosCh1NativeIdeB 00ed 1 00fe 01 0000 0000 M K cmosCh2NativeIdeB 00f0 1 00ff 03 0000 0000 M K cmosPciDevBLatency 00f3 1 0102 01 0000 0000 K cmosSATACombinedMode 00f6 1 0103 01 0000 0000 K cmosSataAhciMode 00f9 1 0104 01 0001 0000 O K cmosSataVacantPortDisable 00fc 1 0105 01 0000 0000 K cmosSataPort0HPMode 00ff 1 0106 01 0000 0000 K cmosSataPort0ISMode 0102 1 0107 01 0000 0000 K cmosSataPort1HPMode 0105 1 0108 01 0000 0000 K cmosSataPort1ISMode 0108 1 0109 01 0000 0000 K cmosSataPort2HPMode 010b 1 010a 01 0000 0000 K cmosSataPort2ISMode 010e 1 010b 01 0000 0000 K cmosSataPort3HPMode 0111 1 010c 01 0000 0000 K cmosSataPort3ISMode 0117 1 010d 02 0002 0002 K cmosPort1Enb 011a 1 010f 02 0002 0002 K cmosPort2Enb 011d 1 0111 02 0002 0002 K cmosPort3Enb 0120 1 0113 02 0002 0002 K cmosPort4Enb 0123 1 0115 02 0002 0002 K cmosPort5Enb 0126 1 0117 02 0001 0001 O K cmosPort6Enb 0129 1 0119 03 0000 0000 K cmosIGDBrightValue 0132 1 011c 08 0033 0033 K cmosISTConfig 0135 1 0124 02 0000 0000 K cmosAlsEnable 0138 1 0126 04 0006 0006 K cmosATEMPValue 013b 1 012a 04 0000 0000 K cmosCTEMPValue 013e 1 012e 01 0000 0000 K cmosEmaEnable 0141 1 012f 01 0000 0000 K cmosMefEnable 0144 1 0130 01 0001 0001 K cmosPmTimerInOsEnable 0147 1 0131 04 0000 0000 K cmosPTC1Value 014a 1 0135 04 000a 000a K cmosPTC2Value 014d 1 0139 04 000b 000b K cmosPTEMPValue 0150 1 013d 04 0002 0002 K cmosPTSPValue 0153 1 0141 01 0001 0001 K cmosRTCS4Wake 0156 1 0142 02 0003 0003 K cmosAutoThermal 015c 1 0144 02 0000 0000 K cmosDtsCalibrate 015f 1 0146 06 0000 0000 K cmosDts1Scf 0162 1 014c 06 0000 0000 K cmosDts2Scf 0165 1 0152 08 0000 0000 K 
cmosDiodeScfTemp 0168 1 015a 01 0001 0000 K cmosDtsEnable 016b 1 015b 01 0001 0000 K cmosEnhCStatesEnable 0171 1 015c 02 0003 0003 O K cmosPpm 0174 1 015e 01 0001 0000 K cmosProcHotEnable 0177 1 015f 01 0000 0000 O K cmosEnThrmMon 017a 1 0160 01 0001 0000 K cmosThermalOffset 017d 1 0161 01 0001 0001 K cmosTscUpdtEnable 0180 1 0162 01 0001 0001 K cmosAc97ModemPmeEnable 0183 1 0163 01 0000 0000 K cmosAmtEnable 0186 1 0164 01 0001 0001 K cmosPcieClkReqEnable 0189 1 0165 01 0001 0001 K cmosCStatePopDownEnable 018c 1 0166 01 0001 0001 K cmosCStatePopUpEnable 018f 1 0167 01 0000 0000 O K cmosClockRunEnable 0192 1 0168 01 0000 0000 K cmosPcieForceWxEnable 0195 1 0169 01 0000 0000 K cmosIchChapEnable 0198 1 016a 02 0000 0000 O K cmosLanEnable 019b 1 016c 01 0001 0000 K cmosRpxAspm 019e 1 016d 01 0001 0000 K cmosSerialIrqMode 01a1 1 016e 01 0000 0000 K cmosPxeOprom 01a4 1 016f 01 0001 0001 K cmosAspmLatCheck 01ad 1 0170 01 0000 0000 K cmosDTSPD 01b0 1 0171 01 0000 0000 K cmosPegPortMda 01b3 1 0172 01 0000 0000 K cmosThermalThrottle 01b6 1 0173 01 0001 0000 K cmosPegAspm 01b9 1 0174 01 0001 0001 K cmosPegGpllPdEnable 01bc 1 0175 01 0000 0000 K cmosPegForceX1 01bf 1 0176 01 0000 0000 K cmosTSSPD 01c2 1 0177 01 0001 0001 K cmosCk410Enable 01c5 1 0178 01 0000 0000 K cmosCompatRevID 01c8 1 0179 01 0000 0000 K cmosCk410SscEnable 01cb 1 017a 01 0001 0000 K cmosDb800Enable 01ce 1 017b 02 0000 0000 K cmosSscEnable 024c 1 017d 08 0000 0000 cmosCsrStatus 0276 1 0185 01 0000 0000 K cmosLanPower 0279 1 0186 07 0064 0064 cmosBlcValue 028b 1 018d 02 0000 0000 K cmosUsbHddCapacityType 028e 1 018f 01 0001 0001 K cmosFanTachoMultiplier1 0291 1 0190 01 0001 0001 K cmosFanTachoMultiplier3 0294 1 0191 01 0001 0001 K cmosFanTachoMultiplier4 02a6 1 0192 03 0005 0005 O K cmosInstalledOS 02d0 1 0195 02 0001 0001 O K cmosNumlock 0312 1 0197 01 0000 0000 O K cmos1394Support 0315 1 0198 01 0001 0001 K cmos1394Enable 0324 1 0199 03 0006 0000 O K cmosPciHpPreMem 036c 1 019c 08 0000 0000 K 
cmosFdisk2ExtType 036f 1 01a4 03 0000 0000 K cmosProtocolType2 0372 1 01a7 02 0002 0002 K cmosHdd2Sel 0375 1 01a9 10 0000 0000 K cmosCylinders2 0378 1 01b9 04 0000 0000 K cmosHeads2 0381 1 01bd 03 0000 0000 K cmosProtocolType3 02fd 1 01c0 10 0000 0000 F cmosSecurNvIch5 0300 1 01d0 10 0000 0000 F cmosSecurNvIch6 0303 1 01e0 10 0000 0000 F cmosSecurNvIch7 0306 1 01f0 10 0000 0000 F cmosSecurNvIch8 0309 1 0200 10 0000 0000 F cmosSecurNvIch9 030c 1 0210 08 0000 0000 F cmosSecurNvIchA 030f 1 0218 02 0000 0000 F cmosSecurNvIchB 037b 1 021a 06 0000 0000 K cmosSectors2 037e 1 0220 08 0000 0000 K cmosFdisk3ExtType 0384 1 0228 02 0002 0002 K cmosHdd3Sel 0387 1 022a 10 0000 0000 K cmosCylinders3 038a 1 023a 04 0000 0000 K cmosHeads3 038d 1 023e 06 0000 0000 K cmosSectors3 0390 1 0244 01 0000 0000 K cmos48BitAddr0 0393 1 0245 01 0000 0000 K cmos48BitAddr1 0396 1 0246 01 0000 0000 K cmos48BitAddr2 0399 1 0247 01 0000 0000 K cmos48BitAddr3 039c 1 0248 01 0000 0000 K cmos48BitAddr4 039f 1 0249 01 0000 0000 K cmos48BitAddr5 03a2 1 024a 01 0000 0000 K cmos48BitAddr6 03a5 1 024b 01 0000 0000 K cmos48BitAddr7 03a8 1 024c 01 0001 0001 K cmosSmartMonitor 03ab 1 024d 08 0000 0000 K cmosFdisk4ExtType 03ae 1 0255 03 0000 0000 K cmosProtocolType4 03b1 1 0258 02 0002 0002 K cmosHdd4Sel 03b4 1 025a 08 0000 0000 K cmosFdisk5ExtType 03b7 1 0262 03 0000 0000 K cmosProtocolType5 03ba 1 0265 02 0002 0002 K cmosHdd5Sel 03bd 1 0267 08 0000 0000 K cmosFdisk6ExtType 03c0 1 026f 03 0000 0000 K cmosProtocolType6 03c3 1 0272 02 0002 0002 K cmosHdd6Sel 03c6 1 0274 08 0000 0000 K cmosFdisk7ExtType 03c9 1 027c 03 0000 0000 K cmosProtocolType7 03cc 1 027f 02 0002 0002 K cmosHdd7Sel 0405 1 0281 03 0006 0006 O cmosCache512 0408 1 0284 03 0006 0006 O cmosCache640 0411 1 0287 03 0005 0005 O cmosCacheVid 0414 1 028a 03 0005 0005 O cmosCacheC800 0417 1 028d 03 0005 0005 O cmosCacheCC00 0429 1 0290 03 0005 0005 O cmosCacheE400 042c 1 0293 03 0005 0005 O cmosCacheE800 042f 1 0296 03 0005 0005 O cmosCacheEC00 0432 1 
0299 03 0005 0005 O cmosCacheSys 0435 1 029c 03 0006 0006 O cmosCacheExtended 0471 1 029f 01 0000 0000 K cmosS3PopupEnable 0474 1 02a0 03 0001 0001 K cmosBiaCfg 0477 1 02a3 02 0001 0001 K cmosIGDDvmtMode 0486 1 02a5 04 0001 0001 K cmosSscPercent 0489 1 02a9 02 0000 0000 K cmosIGDSdtvStandard 048c 1 02ab 02 0000 0000 K cmosIGDTvMinorNTSC 048f 1 02ad 04 0000 0000 K cmosIGDTvMinorPAL 0492 1 02b1 03 0000 0000 K cmosIGDTvMinorSECAM 0495 1 02b4 03 0000 0000 K cmosIGDHdtvStandard 0498 1 02b7 01 0000 0000 K cmosIGDTvMinorSMPTE240M 049b 1 02b8 01 0000 0000 K cmosIGDTvMinorSMPTE295M 049e 1 02b9 02 0000 0000 K cmosIGDTvMinorSMPTE296M 04a1 1 02bb 02 0000 0000 K cmosIGDHdtvMinorCEA7702 04a4 1 02bd 03 0000 0000 K cmosIGDHdtvMinorCEA7703 04a7 1 02c0 01 0000 0000 K cmosIGDHdtvMinorBT 04d7 1 02c1 01 0001 0000 O K cmosDisplaySetupPrompt 04da 1 02c2 01 0001 0000 O K cmosDisplayF1Prompt 0525 1 02c3 01 0000 0000 K cmosSmartEnable0 0528 1 02c4 01 0000 0000 K cmosSmartEnable1 052b 1 02c5 01 0000 0000 K cmosSmartEnable2 052e 1 02c6 01 0000 0000 K cmosSmartEnable3 0531 1 02c7 01 0000 0000 K cmosSmartEnable4 0534 1 02c8 01 0000 0000 K cmosSmartEnable5 0537 1 02c9 01 0000 0000 K cmosSmartEnable6 053a 1 02ca 01 0000 0000 K cmosSmartEnable7 053d 1 02cb 03 0000 0000 K cmosUdmaMode0 0540 1 02ce 03 0000 0000 K cmosUdmaMode1 0543 1 02d1 03 0000 0000 K cmosUdmaMode2 0546 1 02d4 03 0000 0000 K cmosUdmaMode3 0549 1 02d7 03 0000 0000 K cmosUdmaMode4 054c 1 02da 03 0000 0000 K cmosUdmaMode5 054f 1 02dd 03 0000 0000 K cmosUdmaMode6 0552 1 02e0 03 0000 0000 K cmosUdmaMode7 0555 1 02e3 01 0001 0001 K cmosHdd0Auto 0558 1 02e4 04 0000 0000 D S K cmosHdd0MultiInfo 055b 1 02e4 03 0000 0000 D M K cmosHddBlockSize0 055e 1 02e7 01 0000 0000 D M K cmosHdd0MaxMulti 0561 1 02e8 04 0000 0000 K cmosXferMode0 0564 1 02ec 06 0000 0000 K cmosFDCycleTimedrv0 0567 1 02f2 01 0000 0000 K cmosHdd0LBAMode 056a 1 02f3 01 0000 0000 K cmosRemovable0 056d 1 02f4 01 0000 0000 K cmosHdd32BitIO0 0570 1 02f5 01 0001 0001 K 
cmosHdd1Auto 0573 1 02f6 04 0000 0000 D S K cmosHdd1MultiInfo 0576 1 02f6 03 0000 0000 D M K cmosHddBlockSize1 0579 1 02f9 01 0000 0000 D M K cmosHdd1MaxMulti 057c 1 02fa 04 0000 0000 K cmosXferMode1 057f 1 02fe 06 0000 0000 K cmosFDCycleTimedrv1 0582 1 0304 01 0000 0000 K cmosHdd1LBAMode 0585 1 0305 01 0000 0000 K cmosRemovable1 0588 1 0306 01 0000 0000 K cmosHdd32BitIO1 058b 1 0307 01 0001 0001 K cmosHdd2Auto 058e 1 0308 04 0000 0000 D S K cmosHdd2MultiInfo 0591 1 0308 03 0000 0000 D M K cmosHddBlockSize2 0594 1 030b 01 0000 0000 D M K cmosHdd2MaxMulti 0597 1 030c 04 0000 0000 K cmosXferMode2 059a 1 0310 06 0000 0000 K cmosFDCycleTimedrv2 059d 1 0316 01 0000 0000 K cmosHdd2LBAMode 05a0 1 0317 01 0000 0000 K cmosRemovable2 05a3 1 0318 01 0000 0000 K cmosHdd32BitIO2 05a6 1 0319 01 0001 0001 K cmosHdd3Auto 05a9 1 031a 04 0000 0000 D S K cmosHdd3MultiInfo 05ac 1 031a 03 0000 0000 D M K cmosHddBlockSize3 05af 1 031d 01 0000 0000 D M K cmosHdd3MaxMulti 05b2 1 031e 04 0000 0000 K cmosXferMode3 05b5 1 0322 06 000
