Here is my analysis of p5qbios from helps on this forum, not sure it is correct:

_4000:9C3A db 1
_4000:9C3B db 2
_4000:9C3C
_4000:9C3C ; =============== S U B R O U T I N E =======================================
_4000:9C3C
_4000:9C3C sub_9C3C proc far
_4000:9C3C pushad
_4000:9C3E push ds
_4000:9C3F push 0F000h
_4000:9C42 pop ds
_4000:9C43 assume ds:nothing
_4000:9C43 mov al, 1
_4000:9C45 mov ds:0A0E0h, al
_4000:9C48 push cs
_4000:9C49 call near ptr sub_9DB5 ; loop through the PUBKEY+MAKER block
_4000:9C49 ; starting from the 2nd byte
_4000:9C49 ; plus one byte after it
_4000:9C49 ; length = 0x152
_4000:9C4C jb short loc_9C62 ; jump if not all 0xFF
_4000:9C4C ;
_4000:9C4E mov bx, 9C3Ah
_4000:9C51 mov al, cs:[bx]
_4000:9C54 cmp al, 0
_4000:9C56 jz short loc_9C5E
_4000:9C58 push cs
_4000:9C59 call near ptr sub_9DF0
_4000:9C5C jb short loc_9C62
_4000:9C5E
_4000:9C5E loc_9C5E: ; CODE XREF: sub_9C3C+1Aj
_4000:9C5E push cs
_4000:9C5F call near ptr sub_9E7C
_4000:9C62
_4000:9C62 loc_9C62: ; CODE XREF: sub_9C3C+10j
_4000:9C62 ; sub_9C3C+20j
_4000:9C62 pop ds
_4000:9C63 assume ds:nothing
_4000:9C63 popad
_4000:9C65 retf
_4000:9C65 sub_9C3C endp
_4000:9C65
_4000:9C66
_4000:9C66 ; =============== S U B R O U T I N E =======================================
_4000:9C66
_4000:9C66 sub_9C66 proc far
_4000:9C66 pushf
_4000:9C67 pushad
_4000:9C69 push ds
_4000:9C6A push cs
_4000:9C6B call near ptr sub_9DB5
_4000:9C6E jnb short loc_9C8A ; Jump if all 0xFF
_4000:9C70 push cs
_4000:9C71 call near ptr sub_9CF6 ; xor the PUBKEY+MAKER block
_4000:9C71 ; with 0xFF
_4000:9C74 jnb short loc_9C8A ; jump if there is an error
_4000:9C76 push cs
_4000:9C77 call near ptr sub_9D22 ; copy OEM string to
_4000:9C77 ; SLIC header, RSDT, XSDT
_4000:9C7A push 2CCFh
_4000:9C7D pop ds
_4000:9C7E assume ds:nothing
_4000:9C7E lea esi, ds:0C25h
_4000:9C83 call far ptr 5936h:9EDEh ; Copy SLIC to High Memory
_4000:9C83 ; and add it to RSDT, XSDT
_4000:9C88 jb short $+2
_4000:9C8A
_4000:9C8A loc_9C8A: ; CODE XREF: sub_9C66+8j
_4000:9C8A ; sub_9C66+Ej
_4000:9C8A pop ds
_4000:9C8B assume ds:nothing
_4000:9C8B popad
_4000:9C8D popf
_4000:9C8E retf
_4000:9C8E sub_9C66 endp
hnfz THANKS A LOT! I don't have any tools here. So you've removed the config lock? That would be great. Best is to test the first mod WITHOUT the additional afudos switches and NOT to update the bootblock of the bios. Then try if it boots; AFTER that, flash with the additional switches to update the FC module and Bblock. Do you think it will work and it's a safe mod? I'll have a look when I'm back at home...
Hi, Yen,
I didn't see any configlock. But there is a little piece of code in f000:72bd which pulls values at f000:e1a0 (0f00 0000 6201 0000 00) and sets al to 0:

E1A000F0 => 0F00 0000 6201 0000 00
ds = 0xf000
si = 0xA0E1
bx = [si+2] = 0
cx = [si+4] = 0x162
dx = [si+4]-0x10 = 0x152
al = [si+8] = 0
si = [si+6] = 0

Later on the function branches based on the al value. What happens next is the part I am not so sure of. But since the edi was pointing to the PUBKEY+MAKER block, I guess one of the branches will change the data, preventing it being copied to high memory. I don't have an EPROM programmer, so I need someone to test it first. If it is correct, then we can start a new thread.
I didn't find the configlock. I just skipped it. Not sure I am correct. I am not good at assembly language, so don't be surprised if I made a mistake.
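Added example (not from any poster): decoding the nine bytes quoted above the way the register trace at f000:72bd reads them, so the derived length can be checked against the 0x152 noted for sub_9DB5 in the first post. The byte string is copied from the post; the field names are just the registers the post assigns them to.

```python
import struct

# The nine bytes the post quotes at f000:e1a0 (copied from the post, not read from a ROM).
DESCRIPTOR_AT_E1A0 = bytes.fromhex("0f00 0000 6201 0000 00")


def decode_descriptor(blob: bytes) -> dict:
    """Mirror the register loads from the post's trace of f000:72bd.

    Little-endian words are read at si+2, si+4 and si+6, a byte at si+8,
    and dx is derived as [si+4] - 0x10 (the post's own arithmetic).
    """
    if len(blob) < 9:
        raise ValueError("descriptor needs at least 9 bytes")
    w0, w2, w4, w6 = struct.unpack_from("<4H", blob, 0)
    return {
        "word0": w0,                    # first word, not used by the trace
        "bx": w2,                       # [si+2]
        "cx": w4,                       # [si+4]  -> total block length
        "dx": (w4 - 0x10) & 0xFFFF,     # [si+4]-0x10 -> length passed on
        "si": w6,                       # [si+6]
        "al": blob[8],                  # [si+8]  -> value the code later branches on
    }


def describe(blob: bytes) -> str:
    """One-line summary in the same register notation the post uses."""
    d = decode_descriptor(blob)
    return (f"bx={d['bx']:#06x} cx={d['cx']:#06x} dx={d['dx']:#06x} "
            f"si={d['si']:#06x} al={d['al']:#04x}")


if __name__ == "__main__":
    print(describe(DESCRIPTOR_AT_E1A0))
```

The dx value, 0x152, is the same length sub_9DB5 walks in the first post's listing, which is why the descriptor looks like the size record for the PUBKEY+MAKER block.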
Here are the flow charts I created when I traced function at f000:72bd. Hope it will help if anyone wants to take a look into it too.
Please post results here. Any further development regarding ASUS config lock, please post here. Thanks!
Me, too! That would be great and allow to make a real dynamic mod. We need somebody who has got two of those boards, or is able to hotflash / re-program the bios chip. Not sure if it's needed or if the ASUS crash free bios is supposed to be really crash free...
To introduce the SLIC exactly the same way as ASUS would do it. (Dynamic) This time there is no need to, but for educational purposes it would be great to know if it's possible.
Sorry I can't help because I only have 1 Rampage Formula board and I do not have the skills to recover if it screws up.
Hi, Yen,
I used 'amimmwin.exe romfile /r 1b 1b-mod' to replace the 1b module. I did re-insert the ASUSTEK bios signature. I didn't flash using 'afudos /ixxxx.rom /pbnc /n'. I only tried the method in P5Q's user manual --- 'afudos /ixxxx.rom'.
I have the latest MMtool 3.22 available on the internet. BIOS files created by MMtool 3.22 are not flashable by EZ-flash nor afudos. ASUS has their additional verification methods. But the modified BIOS works fine once you flash it in. I found the P5Q BIOS modified by the super static mod 3 had the same problem -- it cannot be flashed by EZ-flash nor afudos.
I only changed the 1B module. Here are the steps:
- extract 1b using mmtool.exe
- open it in winhex; find the offset 0x10798; delete everything from offset 0x0 to 0x10798; save it to a new file.
- open the new file in ida. The first 0x520 bytes are BIOS check points and function pointers --- it is a six-byte structure: if the first word is not 0xffff, it is a bios check point and its value; the second word is the function offset and the third word is the function segment.
- search for the string "System version"; there are hex 0x0, 0x1, 0x1, 0x2 after the string. At the byte after the 0x2 press "c" to convert the rest from binary to code.
- these are the functions I changed.
Your 1b-mod for rampage formula_0701 looks OK to me. I checked it in IDA. It is amazing how you did it without a disassembler.
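Added example (not from any poster or from MMtool/IDA): a small parser for the six-byte check-point / function-pointer table described in the steps above, run over a constructed sample table rather than a real 1B module. It assumes that an entry whose first word is 0xffff still carries a valid far pointer, and that an entry of all 0xffff bytes is unused padding; both are assumptions, not something the post states.

```python
import struct
from typing import List, Optional, Tuple

ENTRY_SIZE = 6        # three little-endian words per entry, as the post describes
TABLE_SIZE = 0x520    # first 0x520 bytes of the trimmed 1B module

# (checkpoint value or None, function segment, function offset)
Entry = Tuple[Optional[int], int, int]


def parse_checkpoint_table(module: bytes, table_size: int = TABLE_SIZE) -> List[Entry]:
    """Walk the six-byte entries at the start of the trimmed 1B module.

    word 0: POST check-point value, or 0xFFFF when the entry has none
            (assumption: the far pointer in words 1-2 is still valid then)
    word 1: function offset
    word 2: function segment
    An entry that is entirely 0xFFFF is treated as unused padding (assumption).
    """
    entries: List[Entry] = []
    limit = min(table_size, len(module)) - ENTRY_SIZE + 1
    for pos in range(0, limit, ENTRY_SIZE):
        cp, off, seg = struct.unpack_from("<3H", module, pos)
        if cp == off == seg == 0xFFFF:
            continue
        entries.append((None if cp == 0xFFFF else cp, seg, off))
    return entries


def far_pointer(entry: Entry) -> str:
    """Render the entry's target in IDA-style SEG:OFF notation."""
    _, seg, off = entry
    return f"{seg:04X}:{off:04X}"


def checkpoints_only(module: bytes) -> List[Entry]:
    """Entries that carry a POST check-point value."""
    return [e for e in parse_checkpoint_table(module) if e[0] is not None]


# Constructed sample table (not real BIOS data): two check-point entries and one
# pointer-only entry, then 0xFF padding out to the table size.  The targets reuse
# addresses mentioned in this thread purely as recognisable sample values.
SAMPLE_TABLE = (struct.pack("<3H", 0x0010, 0x72BD, 0xF000)
                + struct.pack("<3H", 0xFFFF, 0x9C3C, 0x4000)
                + struct.pack("<3H", 0x0011, 0x9C66, 0x4000))
SAMPLE_TABLE += b"\xff" * (TABLE_SIZE - len(SAMPLE_TABLE))

if __name__ == "__main__":
    for e in parse_checkpoint_table(SAMPLE_TABLE):
        print(f"checkpoint={'--' if e[0] is None else f'{e[0]:02X}'}  -> {far_pointer(e)}")
```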