Tracing NVRAM Registers

From Bios Mods -The Best BIOS Update and Modification Source Wik

In this tutorial, I will be explaining how to trace NVRAM registers from your symcmos Token Table dump to their respective text strings in STRINGS0.ROM and vice versa.

This tutorial will be divided into two sections. The first section will cover tracing from Default.txt (Token Table dump from symcmos) to the STRINGS0.ROM file. The second section will detail tracing from the STRINGS0.ROM file to Default.txt.

Both methods involve the "TEMPLAT0.ROM" file as an intermediary file.

NOTE: If you wish to discuss this article, please do so in this thread. Questions, comments, and suggestions are also welcome here.


Downloads:

R0070J4_BIOSfiles.rar : This archive contains several files. The included README.txt file explains the significance of each file if you are interested, but for this tutorial, you will only need the "Default.txt" and "bios.wph" files.
AndyP's PhoenixTool v2.54
HxD Hex Editor
Universal BIOS Backup Toolkit v2.0 NOTE: Your Anti-Virus program will probably freak out on this download...
symcmos



Prerequisites:

• HxD Hex Editor : Any hex editor will do, but this one is free and very functional for both novice and experienced users.
• AndyP's PhoenixTool : This program will be used to extract the BIOS image.
• symcmos : You will need this DOS utility if you are planning on tracing and modifying your own NVRAM registers.
• Universal BIOS Backup : You will need this program if you are performing this process on your own BIOS (which is the ultimate goal of this tutorial).
• Default.txt : This file is the NVRAM Token Table dump obtained from symcmos. This is what I named mine, yours may be different depending on your personal preferences.

Reading/Writing the CMOS NVRAM:

Reading:
symcmos -v2 -LDefault.txt    ; "Default.txt" is an example file name 
Writing:
symcmos -v2 -UModified.txt   ; "Modified.txt" is an example file name 





Tracing NVRAM registers from Default.txt to STRINGS0.ROM


1.) Use PhoenixTool to extract your BIOS image. The extracted BIOS modules will be placed in a directory called "DUMP" which will be under the same folder that the extracted BIOS was in. Example: If you place the image on the desktop and extract it, you will find the DUMP directory on the desktop.

2.) Enter the DUMP directory

3.) There are only 2 files that you will need from this directory. They are called "STRINGS0.ROM" and "TEMPLAT0.ROM". Open these two files in a hex editor. In some BIOS images, the 2 modules will have two 0's in their names instead of one.

The STRINGS module contains the plain text (human readable) strings that will identify the setting's name and, in most cases, the setting's description.

The TEMPLAT module contains the full layout of the entire BIOS menu. It also contains functions, but these are irrelevant to this tutorial (I will be covering these at a later date as I learn more about them, I am currently investigating...). The most important part that the TEMPLAT module contains for this tutorial is the item string (strings of code for each BIOS setting). The registers are contained within these strings.

4.) The STRINGS module contains a header. You will need to delete this header before you begin your "register hunting." If you do not, when you are jumping to different offsets, your offsets will be, quite literally, offset. To do this, select the first 1Ch (the "h" means that this is a hex value) bytes of the file and delete them. 1C in hex is equal to 28 in decimal, so you are deleting the first 28 bytes. Do this on a copy: the stripped file is only for looking up offsets and must never be written back into the BIOS image. (If you prefer to leave the file intact, add 1Ch to every offset you jump to instead.)

In this BIOS image, here are the first 1Ch bytes:

53 54 52 50 41 43 4B 2D 42 49 4F 53 00 00 00 00 00 00 00 00 00 00 00 00 01 00 02 00

In the text column, this would be:

STRPACK-BIOS................

5.) Open Default.txt in notepad (or any other text editor).

NOTE: This method of register hunting is the least useful of the two if you are searching for a particular setting name. This method is the most useful method ONLY if you are trying to find the function of ALL of the registers (like I did in my BIOS image).

INFO: You will choose a register that you want to identify the function of, and search for it in little-endian format in TEMPLAT0.ROM (do not do this yet). From there, you will trace it to its text string in STRINGS0.ROM. I will elaborate on how to do this in the following steps.

6.) In this tutorial, I will be using register "0318" as an example. This just so happens to be the VT-x register for this BIOS. Here is the format of the Default.txt file:

(0312) [0005]
(0318) [0000]
(031B) [0000]

The (first column) is the Token ID. The [second column] is the register's current value. "0318" is the register I will be using in this tutorial. It is currently set to [0000].

7.) Before searching for the register in TEMPLAT0.ROM, you will need to convert the value to little-endian format. To do this, swap the high-order (or "most significant") byte with the low-order (or "least significant") byte. Swap the "03" and the "18": "0318" ------> "1803". You will need to do this before every search, with the exception of text searches.

8.) On your keyboard, press "Ctrl+F". This is the keyboard shortcut for the search function in HxD. A little search window will come up. Before entering "1803", click the drop down menu next to "datatype:" and select "Hex-values" as you are performing a hex search. Under search direction, click the "All" radio button.

9.) Search for "1803" (the little-endian form of the NVRAM register).

Please read this reference information BEFORE you continue with this process.

    Code chain [Mode;Length;Strings;Fillers;Token;Strings]

    Mode: (meaning of the first byte)
    00 = Pick Field
    01 = Pick Field
    10 = Generic Text
    11 = Information
    20 = Date
    21 = Time
    22 = Password
    24 = Function
    FF = ???

    Length: (meaning of the second byte)
    Length of the code chain

    Strings:
    call to strings in STRINGS0.ROM

    Fillers:
    "Filler bytes" are offset-jump-tables, calls to some "execution code" below $PDW

    Token:
    Token Value contains media table and more.

    Strings:
    call to strings in STRINGS0.ROM, mostly "Enable", "Disabled", "Auto", ...
    Shared values, called many times as the text is seen many times in the BIOS Setup Menu.



    Here is an example of one with information field, 'CPU Type'
    -------------------------------------------------------------------------------------
    0x19BD: 11 0C 8802 0000 0A60 1560 2160

    11 = Information
    0C = Length
    0288 = call to string in STRINGS0.ROM "CPU Type"
    0000 = nop
    600A, 6015, 6021 = offset-jump-table
    -------------------------------------------------------------------------------------


    another example of one with data field, 'VT Feature'
    -------------------------------------------------------------------------------------
    0x134B: 00 14 4203 4403 0A50 FF4F E94F F44F 1803 3E06 4006

    00 = Pick Field
    14 = Length
    0342 = call to string in STRINGS0.ROM "VT Feature"
    0344 = call to string in STRINGS0.ROM "" (item description, too long to put here)
    500A, 4FFF, 4FE9, 4FF4 = offset-jump-table
    0318 = Token
    063E = call to string in STRINGS0.ROM "Disabled"
    0640 = call to string in STRINGS0.ROM "Enabled"

CREDITS: Full credit for this information goes to "bob12x" from notebookreview.com who posted this (post #38) in the thread titled "Acer Laptop with Phoenix BIOS: Enable Virtualization (Test Machine: Acer Aspire 9420)".

NOTE: I have replaced all of the code from his example BIOS with the code from my BIOS image.



In this BIOS image, the first result that the hex editor finds is NOT the item string you want. The one you want is the second result, so press "F3" on your keyboard (HxD shortcut for "find next"). A two-byte pattern is short, so it will usually also match unrelated data (part of an offset, another string call, or a length byte followed by a mode byte); how many false hits you get before the real one depends on the value you searched for.


To help you identify what is a string that you want and what is not, consider the following:
• ALL of the item strings in the TEMPLAT module will follow the format described above, no matter what their length happens to be. The string will always start with the 1st byte telling you the type of string and the second byte telling you the length of the string (in hex), and so on.

To help you to better identify registers in differently sized strings as well as this one:
• The options of the BIOS setting will ALWAYS come after the register. Likewise, the register will ALWAYS be the word (2 bytes) that comes before the options of the BIOS setting. For the VT-x setting, we know that there are only 2 options, "Enabled" and "Disabled". Each option takes up 1 word (2 bytes). Skip a total of 4 bytes from the end of the VT-x string. The 2 bytes before these 4 end bytes are the bytes that constitute the register. NOTE: I will be posting another mini-tutorial within this tutorial describing how to trace what you suspect is an option name (enabled, auto, etc.) to STRINGS0.ROM to determine where the options begin/end so that you can easily find the register (it is actually the same process used to trace the register and the item string call).

10.) Now that you are on the second result, your string should look like this:

00 14 42 03 44 03 0A 50 FF 4F E9 4F F4 4F 18 03 3E 06 40 06

"3E06" and "4006" are references to the "disabled" and "enabled" options in the STRINGS module. "1803" is the register that you searched for and should be highlighted in blue at this moment.

INFO: In the following step, you will convert the item string call to little-endian format and use the goto function to jump to that offset in STRINGS0.ROM.

11.) Go to the beginning of the string. The first byte "00" is the type of string. The second byte "14" is the length of this string in hex. 14h = 20 in decimal, so this string is 20 bytes long. The 3rd and 4th bytes will ALWAYS be the item string call regardless of the size of the string. The item string call in this string is "4203". As before, you will need to convert this to little-endian format. Swap the first byte with the second byte to get "0342".

12.) Switch to the STRINGS0.ROM file. This is the file you will be using for the remainder of this "register hunting" method.

13.) Use the goto function (shortcut key in HxD = "Ctrl+G") and type in "0342". Press enter. This will take you to the offset 0x0342.

NOTE: The leading "0" is not actually required in this case, but I very highly recommend keeping it there to avoid confusions.

14.) Look at where the cursor landed (and is now blinking). Take the two bytes after the cursor "2E2E" and convert them to little Endian format. Conveniently, your result will be "2E2E".

15.) Use the goto function again to go to the offset that you obtained in Step #14.

16.) Look in the text column of the hex editor. You will see a dotted box around a letter. Read the text string that you see starting at the boxed letter. You should see "VT Feature" without the quotes. It will be separated from the neighbouring text strings by dots (non-printable bytes). This is the setting that the register "0318" controls. The token's value corresponds to the position of the chosen option in the item string's option list, counted from zero: in the item string above, "Disabled" (063E) comes first and "Enabled" (0640) second. So to enable this setting, change (0318) [0000] to (0318) [0001]; to disable it, set it back to (0318) [0000]. After the value change, save the file, boot into DOS, and apply it with symcmos using the write command listed under "Reading/Writing the CMOS NVRAM" above.

If you did not see this text, you likely made one of two mistakes:

• You mistyped a character somewhere in the process
• You forgot to delete the 28 byte header of the STRINGS0.ROM file. This is an extremely common mistake.

If you did see this text, congratulations! You have successfully identified the function of the "0318" register.
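Step 16 changes one token value by hand in Notepad. The script below is an added example (not from this page and not part of symcmos) that makes the same change programmatically and then lists every token that differs between the original dump and the file you are about to write back with -U. That comparison is the check worth doing before a flash, because a stray edit in a four-digit field is easy to miss by eye. The script only knows the "(0318) [0000]" line format shown in step 6; any other lines a real dump contains are passed through unchanged, and the function names are my own.

```python
import re

# One token per line, as shown in step 6: "(0318) [0000]" = (token id) [value].
TOKEN_LINE = re.compile(r"^\((?P<id>[0-9A-Fa-f]{4})\)\s*\[(?P<val>[0-9A-Fa-f]{4})\]\s*$")

# The three lines quoted in step 6 of the tutorial (a constructed sample, not a full dump).
SAMPLE_DUMP = "(0312) [0005]\n(0318) [0000]\n(031B) [0000]\n"


def parse_token_table(text):
    """Parse a symcmos -L dump into {token id: current value}; non-token lines are ignored."""
    table = {}
    for line in text.splitlines():
        m = TOKEN_LINE.match(line.strip())
        if m:
            table[int(m["id"], 16)] = int(m["val"], 16)
    return table


def set_token(text, token, value):
    """Return the dump with one token's value rewritten; every other byte of the file is kept as-is."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("value must fit in the four hex digits symcmos uses")
    out, seen = [], False
    for line in text.splitlines(keepends=True):
        m = TOKEN_LINE.match(line.strip())
        if m and int(m["id"], 16) == token:
            line = line.replace(f"[{m['val']}]", f"[{value:04X}]", 1)
            seen = True
        out.append(line)
    if not seen:
        # Refuse to invent tokens: only IDs the dump already lists are known to exist on this board.
        raise KeyError(f"token {token:04X} is not in this dump")
    return "".join(out)


def changed_tokens(before, after):
    """Pre-flash check: {token: (old value, new value)} for every token that differs."""
    a, b = parse_token_table(before), parse_token_table(after)
    return {t: (a.get(t), b.get(t)) for t in sorted(a.keys() | b.keys()) if a.get(t) != b.get(t)}


if __name__ == "__main__":
    modified = set_token(SAMPLE_DUMP, 0x0318, 1)      # enable VT-x as in step 16
    for tok, (old, new) in changed_tokens(SAMPLE_DUMP, modified).items():
        print(f"({tok:04X}) [{old:04X}] -> [{new:04X}]")
```

Run it against your own Default.txt and write the result to Modified.txt; if changed_tokens() reports anything other than the one register you meant to touch, do not apply the file with symcmos -U.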





Tracing NVRAM registers from STRINGS0.ROM to Default.txt

NOTE: This process is identical to the process for tracing from Default.txt to STRINGS0.ROM up to Step #5.


1.) Use PhoenixTool to extract your BIOS image. The extracted BIOS modules will be placed in a directory called "DUMP" which will be under the same folder that the extracted BIOS was in. Example: If you place the image on the desktop and extract it, you will find the DUMP directory on the desktop.

2.) Enter the DUMP directory

3.) There are only 2 files that you will need from this directory. They are called "STRINGS0.ROM" and "TEMPLAT0.ROM". Open these two files in a hex editor. In some BIOS images, the 2 modules will have two 0's in their names instead of one.

The STRINGS module contains the plain text (human readable) strings that will identify the setting's name and, in most cases, the setting's description.

The TEMPLAT module contains the full layout of the entire BIOS menu. It also contains functions, but these are irrelevant to this tutorial (I will be covering these at a later date as I learn more about them, I am currently investigating...). The most important part that the TEMPLAT module contains for this tutorial is the item string (strings of code for each BIOS setting). The registers are contained within these strings.

4.) The STRINGS module contains a header. You will need to delete this header before you begin your "register hunting." If you do not, when you are jumping to different offsets, your offsets will be, quite literally, offset. To do this, select the first 1Ch (the "h" means that this is a hex value) bytes of the file and delete them. 1C in hex is equal to 28 in decimal, so you are deleting the first 28 bytes. Do this on a copy: the stripped file is only for looking up offsets and must never be written back into the BIOS image.

In this BIOS image, here are the first 1Ch bytes:

53 54 52 50 41 43 4B 2D 42 49 4F 53 00 00 00 00 00 00 00 00 00 00 00 00 01 00 02 00

In the text column, this would be:

STRPACK-BIOS................

5.) Open Default.txt in notepad (or any other text editor). This will be used to verify that you are identifying the correct values when deducing the setting's register.

6.) Go to the STRINGS0.ROM file that you opened with HxD in Step #3. This will be the file that you search for the STRINGS in.

7.) Search for the name of the option that you want. In this tutorial, I will be using the option named "VT Feature". To search in HxD, press "Ctrl+F" (keyboard shortcut for HxD's built-in search function). Make sure that the data type is on "Text-string" and that the search direction radio button is set to "All". Your result will be highlighted in blue.

Take note of the offset (the value to the right of the "Offset:" text) in the bottom left corner of the HxD window. You will be converting this value to little-endian format.

Excursion:

    Occasionally, between BIOS versions, you will find that the same option can have similar, but slightly different names. You will have to take this into account when searching for the strings. If you are searching for "Data Execute Prevention," it can go by several names including, but not limited to: "No Mem Protection" "No Execute" "Disable Bit" "No Mem" "No Execute" etc. A universally accepted search term is "no execute" or "execute."


[I am currently writing up this method and I will post my progress when I have completed enough of the steps for them to be followable.]
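Both tracing methods walk the same pointer chain (TEMPLAT item string -> string call -> pointer word in STRINGS -> text), only in opposite directions, so one script can serve both: token_to_setting() is method 1 (steps 9 through 16 above) and setting_to_token() is method 2 (the reverse lookup, with Default.txt used to confirm the token as step 5 of this method says). This is an added example written for this article; it is not code from the page, from bios-mods, PhoenixTool or symcmos. It builds constructed STRINGS0.ROM and TEMPLAT0.ROM fragments from the bytes quoted in the reference block (the item strings at 0x134B and 0x19BD, the 0x0342 -> 0x2E2E -> "VT Feature" chain, the STRPACK header) plus a decoy "18 03" so that the first hit is wrong, as in step 9. Everything else is assumed: the text offsets of the other strings and the description text are made up, STRINGS entries are taken to be NUL-terminated ASCII, the token value is read as a zero-based index into the option list (matching 0000 = Disabled / 0001 = Enabled in step 16), and "the options are the trailing words that resolve to text, the token is the word before them" is the rule from the bullet after step 9 turned into a heuristic. Function names are mine.

```python
import re
import struct

STRPACK_MAGIC, STRPACK_HEADER_LEN = b"STRPACK-BIOS", 0x1C       # header described in step 4
MODES = {0x00, 0x01, 0x10, 0x11, 0x20, 0x21, 0x22, 0x24}       # mode bytes from the code-chain table (FF left out)
TOKEN_RE = re.compile(r"\(([0-9A-Fa-f]{4})\)\s*\[([0-9A-Fa-f]{4})\]")

def parse_token_table(text):
    """Default.txt lines '(0318) [0000]' -> {token id: current value}."""
    return {int(tok, 16): int(val, 16) for tok, val in TOKEN_RE.findall(text)}

def strip_header(strings_rom):
    """Skip (rather than delete) the STRPACK header so string calls work as offsets."""
    return strings_rom[STRPACK_HEADER_LEN:] if strings_rom.startswith(STRPACK_MAGIC) else strings_rom

def le16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]

def resolve(body, ref):
    """Follow a string call (steps 13-16): word at ref -> text offset -> text (NUL-terminated ASCII assumed)."""
    if ref + 2 > len(body):
        return None
    ptr = le16(body, ref)
    end = body.find(b"\0", ptr)
    raw = body[ptr:end] if end != -1 else body[ptr:]
    return raw.decode("ascii") if raw and all(0x20 <= b < 0x7F for b in raw) else None

def parse_item(templat, body, start):
    """Decode one item string: [mode][length][name call] ... [token][option calls]."""
    mode, length = templat[start], templat[start + 1]
    if length < 4 or start + length > len(templat):
        return None
    words = [le16(templat, i) for i in range(start + 2, start + length - 1, 2)]
    i = len(words)            # options = trailing words that resolve to text; token = the word before them
    while i > 1 and resolve(body, words[i - 1]) is not None:
        i -= 1
    options = [resolve(body, w) for w in words[i:]]
    return {"offset": start, "mode": mode, "name": resolve(body, words[0]),
            "token": words[i - 1] if options and i >= 2 else None, "options": options}

def find_all(buf, needle):
    pos = buf.find(needle)
    while pos != -1:
        yield pos
        pos = buf.find(needle, pos + 1)

def token_to_setting(templat, strings_rom, token):
    """Method 1: search TEMPLAT for the little-endian token, keep hits that sit inside a plausible chain."""
    body, hits = strip_header(strings_rom), []
    for pos in find_all(templat, struct.pack("<H", token)):
        # walk back a word at a time for a mode/length header whose chain covers this hit + one option word
        for start in range(pos - 6, max(pos - 64, -1), -2):
            if templat[start] not in MODES or start + templat[start + 1] < pos + 4:
                continue
            item = parse_item(templat, body, start)
            if item and item["name"] and item["token"] == token:
                hits.append(item)
                break
    return hits

def setting_to_token(templat, strings_rom, token_table, name):
    """Method 2: text -> pointer word in STRINGS -> name call in TEMPLAT -> token, verified against Default.txt."""
    body, found = strip_header(strings_rom), []
    for text_off in find_all(body, name.encode("ascii") + b"\0"):
        for ref in find_all(body, struct.pack("<H", text_off)):        # slot that points at the text
            for pos in find_all(templat, struct.pack("<H", ref)):      # chain whose name call is that slot
                start = pos - 2                                         # name call is always bytes 3-4
                item = parse_item(templat, body, start) if start >= 0 and templat[start] in MODES else None
                if item and item["name"] == name and item["token"] in token_table:
                    found.append(item)
    return found

def current_setting(item, token_table):
    """Assumed: the token value is a zero-based index into the option list (0000 = Disabled, 0001 = Enabled)."""
    value = token_table.get(item["token"])
    return item["options"][value] if value is not None and value < len(item["options"]) else None

DEFAULT_TXT = "(0312) [0005]\n(0318) [0000]\n(031B) [0000]\n"      # the three lines quoted in step 6

def build_samples():
    """Constructed module fragments: the page's bytes at their stated offsets, zeros elsewhere."""
    body = bytearray(0x3000)
    # slot -> (text offset, text): 0x0342 -> 0x2E2E -> "VT Feature" is the page's chain; the other
    # text offsets and the description text are made up for this example
    for slot, (off, text) in {0x0342: (0x2E2E, "VT Feature"), 0x0344: (0x2E40, "Constructed description text"),
                              0x063E: (0x2E80, "Disabled"), 0x0640: (0x2E90, "Enabled"),
                              0x0288: (0x2EA0, "CPU Type")}.items():
        struct.pack_into("<H", body, slot, off)
        body[off:off + len(text) + 1] = text.encode("ascii") + b"\0"
    strings_rom = STRPACK_MAGIC + bytes(12) + b"\x01\x00\x02\x00" + bytes(body)
    templat = bytearray(0x2000)
    templat[0x0800:0x0802] = b"\x18\x03"     # decoy, so the first "1803" hit is the wrong one as in step 9
    templat[0x134B:0x134B + 20] = bytes.fromhex("0014420344030A50FF4FE94FF44F18033E064006")   # 'VT Feature'
    templat[0x19BD:0x19BD + 12] = bytes.fromhex("110C880200000A6015602160")                   # 'CPU Type'
    return bytes(templat), strings_rom, parse_token_table(DEFAULT_TXT)

if __name__ == "__main__":
    templat, strings_rom, table = build_samples()
    for item in token_to_setting(templat, strings_rom, 0x0318):
        print(f"0318 -> {item['name']!r} @0x{item['offset']:04X} {item['options']} now {current_setting(item, table)}")
    for item in setting_to_token(templat, strings_rom, table, "VT Feature"):
        print(f"'VT Feature' -> token {item['token']:04X}")
```

To use it on a real dump, read TEMPLAT0.ROM, STRINGS0.ROM and Default.txt from the DUMP directory and call the two functions with those instead of build_samples(). The header is skipped rather than deleted, so the module on disk stays intact. What rejects the decoy hit and the filler words is the resolve() check (pointer in range, text non-empty and printable); it is a heuristic, so treat any token the script reports as a candidate and confirm it against your own token table, as setting_to_token() already does.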




I will be adding to this tutorial over time. Please stay tuned for updates.


Future additions to this tutorial:

• Finish writing up the second method of "Register Hunting"
• Add a better definition of the NVRAM registers and their uses.
• Create a table of contents for this article



I have created a thread dedicated to the finding and documentation of Phoenix NVRAM registers on bios-mods. Here is the link to the NVRAM Register Master List. So far, the list includes VT-x, AHCI, & DEP registers. I am taking requests on the thread for registers other than the three previously mentioned as well. If you wish to contact me directly, my bios-mods username is Sml6397.