![[-]](https://www.bios-mods.com/forum/images/black/collapse.png "[-]")
01-04-2013, 08:22 PM
I've decompressed an Insyde BIOS for a trinity laptop, and am trying to find where the boostlock bit is set. It is bit 31 in D0F4x15C.
If this bitlock could be found and removed, trinity laptops could then be forced to run maximum multiplier at all times for a 15%+ frequency boost. It may also be responsible for locking out IGP overclocking.
I've tried looking for code that writes to D0F4x15C specifically. I've looked for code that performs a set of bit 31, then outputs to a PCI config register. I've also searched the BIOS for what and how registers must be set to write to D0F4x15C. I've found a lot of writes to PCI config space, but have identified none for D0F4x15C.
Instead of sticking to one method for writing to PCI config space, the BIOS uses literally every possible method. This has made it difficult to search for where the bit is set, and I'm hoping someone here might have an idea of what to search for in the BIOS files.
Below are the basic methods to write to this register that I am aware of:
1. "out" instruction to write to IO ports 0xcf8 and 0xcfc.
0xcf8 is the PCI config space port address register, and 0xcfc is the data register. The "out" instruction must be used twice, first to set the address, then to set the data. The code "out dx,eax" preforms the config space writing. Prior to setting the address, the dx must be 0xcfc, and the eax must be 0x8100c45c. The dx must be 0xcfc prior to writing the data. The eax must be 0x80000080 for the final data write to D0F4x15C.
2. "outs" instruction to write to IO ports 0xcf8 and 0xcfc.
Similar to "out" usage. The dx register is still used to set the port address, but the data to write now comes from a memory address referenced by the DS register.
3. Direct write to D0F4x15C's MMIO address 0xF80C415C.
This method bypasses the PCI config IO ports and writes directly to the MMIO location. Code for this is along the lines of "mov [qword 0xF80C415C],reg", where the value of the register in the 2nd operand is the data to write (0x80000080).
I have found many instances of "out" and "outs" use to write to PCI config space. I have only found a few places where the direct write method was used.
Usually for "out" the bios does "mov dx,0xcf*" to set the IO port address. There will be some variations like clearing the eax then using "add" instead of "mov", or the DX will have 4 added to it to get to the data port from the address port. Sometimes the BIOS is very nice and has a blatant "mov eax,0x8*00****" for setting the eax, but of course they can't stick to this easy to understand method. The big problem is understanding where and what data is written when functions are used. There are several generic functions (call (d)word 0x****) for writing to PCI config space. They usually use the edx for the device, function, and standard offset, the ecx for data, and the eax for the extended offset, but I saw at least 1 version where this was mixed around (using "pop eax" instead of "mov eax,ecx" for data). When trying to trace back the function calls I'll get lost after 2-3 jumps and still not know where or what data was sent.
I'm pretty lost on understanding the "outsd"s since that requires following indexed pointers, then finding that those values were set by registers and not immediate values, then trying to backtrack those registers...
The few instances of direct MMIO writes are easy to understand, but the fact that I've found so few makes me think that there's also another method used to write them that I just haven't found yet.
I've found a few "bts eax,0x1f"s, "or eax,0x80000000"s, and 16 bit equivalents, but have ruled out all I have found for D0F4x15C. "or eax,0x80000000" is actually used quite often to set 0xcf8 for IO to be routed to the PCI config space instead of other IO. This is very annoying since I also expect this type of operation for setting the boostlock bit, and it is used all the time for the majority of PCI config writes. There are many variants such as "bts ecx,0x1f", and these are difficult to rule out for being used to set eax later on.
I'm getting to the point where it looks like I'll have to try out decompilers in attempt to trace back what many data and addresses are written to. I'm hoping you guys have some advise on what to look for.
BIOS file:
http://www.mediafire.com/?xm96l67qqvbh8vp
Some Trinity documentation:
http://support.amd.com/us/Processor_Tech..._Guide.pdf
I've been using PhoenixTool 2.05 with NASM in cygwin to decompress. Been roughly following the old C2D EIST unlock guide.
If this bitlock could be found and removed, trinity laptops could then be forced to run maximum multiplier at all times for a 15%+ frequency boost. It may also be responsible for locking out IGP overclocking.
I've tried looking for code that writes to D0F4x15C specifically. I've looked for code that performs a set of bit 31, then outputs to a PCI config register. I've also searched the BIOS for what and how registers must be set to write to D0F4x15C. I've found a lot of writes to PCI config space, but have identified none for D0F4x15C.
Instead of sticking to one method for writing to PCI config space, the BIOS uses literally every possible method. This has made it difficult to search for where the bit is set, and I'm hoping someone here might have an idea of what to search for in the BIOS files.
Below are the basic methods to write to this register that I am aware of:
1. "out" instruction to write to IO ports 0xcf8 and 0xcfc.
0xcf8 is the PCI config space port address register, and 0xcfc is the data register. The "out" instruction must be used twice, first to set the address, then to set the data. The code "out dx,eax" preforms the config space writing. Prior to setting the address, the dx must be 0xcfc, and the eax must be 0x8100c45c. The dx must be 0xcfc prior to writing the data. The eax must be 0x80000080 for the final data write to D0F4x15C.
2. "outs" instruction to write to IO ports 0xcf8 and 0xcfc.
Similar to "out" usage. The dx register is still used to set the port address, but the data to write now comes from a memory address referenced by the DS register.
3. Direct write to D0F4x15C's MMIO address 0xF80C415C.
This method bypasses the PCI config IO ports and writes directly to the MMIO location. Code for this is along the lines of "mov [qword 0xF80C415C],reg", where the value of the register in the 2nd operand is the data to write (0x80000080).
I have found many instances of "out" and "outs" use to write to PCI config space. I have only found a few places where the direct write method was used.
Usually for "out" the bios does "mov dx,0xcf*" to set the IO port address. There will be some variations like clearing the eax then using "add" instead of "mov", or the DX will have 4 added to it to get to the data port from the address port. Sometimes the BIOS is very nice and has a blatant "mov eax,0x8*00****" for setting the eax, but of course they can't stick to this easy to understand method. The big problem is understanding where and what data is written when functions are used. There are several generic functions (call (d)word 0x****) for writing to PCI config space. They usually use the edx for the device, function, and standard offset, the ecx for data, and the eax for the extended offset, but I saw at least 1 version where this was mixed around (using "pop eax" instead of "mov eax,ecx" for data). When trying to trace back the function calls I'll get lost after 2-3 jumps and still not know where or what data was sent.
I'm pretty lost on understanding the "outsd"s since that requires following indexed pointers, then finding that those values were set by registers and not immediate values, then trying to backtrack those registers...
The few instances of direct MMIO writes are easy to understand, but the fact that I've found so few makes me think that there's also another method used to write them that I just haven't found yet.
I've found a few "bts eax,0x1f"s, "or eax,0x80000000"s, and 16 bit equivalents, but have ruled out all I have found for D0F4x15C. "or eax,0x80000000" is actually used quite often to set 0xcf8 for IO to be routed to the PCI config space instead of other IO. This is very annoying since I also expect this type of operation for setting the boostlock bit, and it is used all the time for the majority of PCI config writes. There are many variants such as "bts ecx,0x1f", and these are difficult to rule out for being used to set eax later on.
I'm getting to the point where it looks like I'll have to try out decompilers in attempt to trace back what many data and addresses are written to. I'm hoping you guys have some advise on what to look for.
BIOS file:
http://www.mediafire.com/?xm96l67qqvbh8vp
Some Trinity documentation:
http://support.amd.com/us/Processor_Tech..._Guide.pdf
I've been using PhoenixTool 2.05 with NASM in cygwin to decompress. Been roughly following the old C2D EIST unlock guide.
![[Valid RSS]](valid-rss.png "Validate my RSS feed")