Thanks, I've been looking into this.

HP's F.59 A Bios:

Code:
( SYMBOLIC CMOS EDITOR - Version 643710-035 )
System_Configuration Language ( token 0x28B start 0x10A width 0x4 ) ( maximum 0xF default 0x0 PICK_FIELD ) =* [0] English_(US) = [1] Français(FR) = [2] Español_(SP)
System_Configuration Button_Sound ( token 0x1CE start 0x1E8 width 0x1 ) ( maximum 0x1 default 0x1 PICK_FIELD ) = [0] Disabled =* [1] Enabled
System_Configuration Virtualization_Technology ( token 0x14D start 0xF7 width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Disabled = [1] Enabled
System_Configuration Processor_C4_state ( token 0x1D1 start 0x1E9 width 0x1 ) ( maximum 0x1 default 0x1 PICK_FIELD ) = [0] Disabled =* [1] Enabled
System_Configuration Boot_Options F10_and_F12_Delay_(sec) ( token 0x177 start 0xFF width 0x3 ) ( maximum 0x7 default 0x0 PICK_FIELD ) =* [0] 0 = [1] 5 = [2] 10 = [3] 15 = [4] 20
System_Configuration Boot_Options CD-ROM_Boot ( token 0x17A start 0x102 width 0x1 ) ( maximum 0x1 default 0x1 PICK_FIELD ) = [0] Disabled =* [1] Enabled
System_Configuration Boot_Options Floppy_Boot ( token 0x17D start 0x103 width 0x1 ) ( maximum 0x1 default 0x1 PICK_FIELD ) = [0] Disabled =* [1] Enabled
System_Configuration Boot_Options Internal_Network_Adapter_Boot ( token 0xF9 start 0xC9 width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Disabled = [1] Enabled

Gateway's Godzilla DUMPED on the HP( I know it's no good ):

Code:
( SYMBOLIC CMOS EDITOR - Version 643710-035 )
Advanced Legacy_USB_Support: ( token 0x450 start 0x154 width 0x1 ) ( maximum 0x1 default 0x1 PICK_FIELD ) = [0] Disabled =* [1] Enabled
Advanced Extreme_CPU_Speed ( token 0x1EF start 0x60 width 0x8 ) ( maximum 0xFF default 0x0 PICK_FIELD ) = [0] _2.6_GHz = [1] _2.8_GHz = [2] _3.0_GHz = [3] _3.2_GHz = [4] _3.4_GHz = [5] _3.6_GHz
Advanced SATA_Controller_Mode_Option: ( token 0x58E start 0x320 width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Compatibility = [1] AHCI
Advanced Auto_Dim ( token 0x1B start 0x56 width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Disabled = [1] Enabled
Advanced Boot_Display ( token 0x1E6 start 0x50 width 0x8 ) ( maximum 0xFF default 0x0 PICK_FIELD ) = [0] Auto = [1] Both
Advanced Quiet_Boot: ( token 0x1EC start 0x59 width 0x7 ) ( maximum 0x7F default 0x0 PICK_FIELD ) = [0] Enabled =* [1] Disabled
Advanced _SATA_RAID_Enable ( token 0x5BB start 0x324 width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Disabled = [1] Enabled
Security Password_on_boot ( token 0x31E start 0x170 width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Disabled = [1] Enabled

I'm working on Adding Support for the X9000/X7800/X7900 to HP's F59 A Bios.
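A parser for SYMCMOS symbolic listings like the two in the post above, added here as an example (it is not the poster's or Phoenix's code). It assumes `=*` marks the value currently stored and that option indices are decimal; the sample lines are copied from the dumps above, and the function names are made up for this example.

```python
import re

# Entries copied from the two dumps in the post above.
SAMPLE = """
( SYMBOLIC CMOS EDITOR - Version 643710-035 )
System_Configuration Virtualization_Technology ( token 0x14D start 0xF7 width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Disabled = [1] Enabled
System_Configuration Boot_Options F10_and_F12_Delay_(sec) ( token 0x177 start 0xFF width 0x3 ) ( maximum 0x7 default 0x0 PICK_FIELD ) =* [0] 0 = [1] 5 = [2] 10 = [3] 15 = [4] 20
Advanced Extreme_CPU_Speed ( token 0x1EF start 0x60 width 0x8 ) ( maximum 0xFF default 0x0 PICK_FIELD ) = [0] _2.6_GHz = [1] _2.8_GHz = [2] _3.0_GHz = [3] _3.2_GHz = [4] _3.4_GHz = [5] _3.6_GHz
Advanced Quiet_Boot: ( token 0x1EC start 0x59 width 0x7 ) ( maximum 0x7F default 0x0 PICK_FIELD ) = [0] Enabled =* [1] Disabled
Security Password_on_boot ( token 0x31E start 0x170 width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Disabled = [1] Enabled
"""

HEXNUM = r"(0x[0-9A-Fa-f]+)"
ENTRY = re.compile(
    r"((?:[^\s()\[\]=]\S*\s+)+?)"        # menu path, e.g. "Security Password_on_boot"
    rf"\(\s*token\s+{HEXNUM}\s+start\s+{HEXNUM}\s+width\s+{HEXNUM}\s*\)\s*"
    rf"\(\s*maximum\s+{HEXNUM}\s+default\s+{HEXNUM}\s+\w+\s*\)"
    r"((?:\s*=\*?\s*\[\d+\]\s+\S+)*)"     # "=* [0] Disabled = [1] Enabled"
)
OPTION = re.compile(r"=(\*?)\s*\[(\d+)\]\s+(\S+)")


def parse_symcmos(text):
    """Return one dict per setting; works on flattened or line-broken dumps."""
    entries = []
    for m in ENTRY.finditer(text):
        path, token, start, width, maximum, default, opts = m.groups()
        found = OPTION.findall(opts)
        current = [int(i) for star, i, _ in found if star]
        entries.append({
            "name": "/".join(path.split()).rstrip(":"),
            "token": int(token, 16), "start": int(start, 16),
            "width": int(width, 16), "maximum": int(maximum, 16),
            "default": int(default, 16),
            "options": {int(i): label for _, i, label in found},
            # Assumption: the starred option is the value currently stored.
            "current": current[0] if current else None,
        })
    return entries


def audit(entries):
    """List settings whose stored value is unmapped or differs from the default."""
    findings = []
    for e in entries:
        if e["maximum"] != (1 << e["width"]) - 1:
            findings.append((e["name"], "maximum does not fit width"))
        if e["current"] is None:
            findings.append((e["name"], "stored value matches no listed option"))
        elif e["current"] != e["default"]:
            label = e["options"][e["current"]]
            findings.append((e["name"], f"changed from default {e['default']:#x} to {label}"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(parse_symcmos(SAMPLE)):
        print(f"{name}: {issue}")
```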
If the option has a token id then you can edit the hard coded nvram table for the std defaults and mfg defaults. The BIOS setup maps the values from the NVRAM tokens. Once you make the changes, you must reset the bios to load defaults for them to take effect. For instance the VT bit on mine is hidden in the setup menu, I can see it in PBE but not when I run the setup menu at boot up. So no menu to change the settings but the settings can be changed by editing the defaults in the NVRAM table. Make the changes, rebuild the rom, flash it and reset to defaults. Some of the bits can be controlled by using the symcmos tool. Use the -L option to dump the stored bits. Then use the -U option to set those bits that need changed from the literal dump file. Some functions are locked though. Some require more than one bit enabled. Some settings are lost as soon as the power cycle happens. This can only be determined by disassembling the module making the call. On my VT bit a check on another token value was made before even checking the VT bit token. If the first token is disabled it won't even check the VT bit. Enabling the bit in std and mfg defaults overrode that check.
I noted the same thing for the VT enable Menu, shows when I Emulate in PBE, but not in the Bios Setup. (F59A) I assumed that it was my T5550, as it does not Support VT. I've been looking for the MSR bit that disables/enables it, maybe it can be hacked. I've also been looking to see if I could Unlock the Multiplier on the T5550, it seems to be set in MSR @17h the IA32_PLATFORM_ID for Merom.

A 64bit Register,
Bits 52 51 50 are for the Intended Platform, I think 1 1 1 is Santa Rosa.
Bit 28 a value of 1 = Mobile CPU
Bit 27 1=ES 0=Production CPU
Bit 26 25 24 are the L2 Cache Size (0 1 0 is 2MB) (0 0 0 is 4MB)
Bit 15 is Ratio Locked<---This is an odd one, I can give the description, if anyone wants to know.
Bits 12 11 10 09 08 are the Maximum Frequency( Bus Ratio )
Bit 12 is the 1/2 multiplier
11-08 are full multipliers
Bits 0-5 are the Vcc Max

This MSR seems to be Locked, however poking around in the UPDATED0.ROM at the CPU MicroCode (patches), it looks like the Bios writes 9A708B24 to the first 32bits of MSR@17h. I edited the UPDATED0.ROM and flashed it, however no change, but it could be that I'd have to Change the CPUID value in NVRAM, as I understand it the Bios only Uploads the MicroCode if the CPUID has Changed.
Here is a small example color coded to help see the code. The screen shots are from Toshiba Sat P105-S9722 4.70, before and after mod. 00 00 byte was replaced with 8F 09 in templat0.rom, the menu offset location for VT Bit. 098F is not linked to any other node. Inserting the byte at the termination 0000 for menu Advanced. Because no 0000 0000 follows the bytes being replaced the node continues to other menus that were not visible before either... Because this enabled the menu in the BIOS Setup, there is no need to modify the token bit table in ROMEXEC. Let the BIOS Setup enable or disable the bit. You can enable and disable on every reboot. If you had modified the token bit table, the menu would not be enabled in the BIOS. The defaults would change but the VT bit would not be enabled until you reset the defaults or cleared the CMOS. You can not disable the VT bit unless you flash the bios again with older bios. Using the symcmos tool with -U -L option (0219) [0001] may or may not enable VT. Some tokens can be set, some can't.
Ah ok it all makes sense looking at those notes now, but instead of adding 8F 09 at 0x20c can't you overwrite one of the blank spaces (05 16) at 0x204 and get the same result but without those extra options that show up? It doesn't show in PBE, but those extra options make a scrollbar show up on the side and it cuts off the last character of "Performance". I made the change on mine and it no longer has that problem, the virtualization option shows up between Execute-Disable Bit and Core Multi-Processing. Thanks again for your help
Yeah you can substitute it in place of a call to blank space. You could substitute any item in the bios menu you don't want. I have not tested inserting padding bytes yet, making the templat0.rom larger for custom menus. If there is a large submenu that is hidden, there is probably room to add it as part of the root menu if it was intentionally left out. Part of the documentation from Phoenix states the format allows them to quickly integrate into another machine. Of course you can not just swap out a template and strings from another machine. Like many of the offbrand notebooks, the same internals are often found in brand name machines. Sold the same parts from same mfg. The firmware strings are rebadged with the oem name. Comparing some of the templates and strings they are very close to being the same. Looked at a few Acers and they use the same crippled firmware on several models. Fujitsu, some firmware are the same on different models going back for last two years. Yet a newer model may post an update for Win 7 but they don't update the older model. Point being, you can make assumptions some items like the token ID's will match. Observe what is the same and what makes them different across the firmware modules, i.e. bootblock, romexec, dmi, hole roms and templates, excluding the info that is preloaded into hole roms. These values can be seen by using the bios dump tool found in the tools thread. Create a dump rom and unpack it into modules. Compare that with the oem unpacked firmware, you will find the hole roms now contain info about your machine shipped from oem. Part numbers, serial number, uid, os installation, configurations, etc. This is not the same as what can be found in DMI but does contain some matching items.
Hi rbjack, I have successfully enabled VT on my Acer Aspire 9420 by setting the bit enabled in the NVRAM. After reading your post (especially post #6) I found out that it is possible to add "Intel Virtualization Technology" menu in BIOS. It will be nice to have ability to turn ON/OFF VT in the BIOS menu. I traced "Intel Virtualization Technology" in STRINGS0.ROM to Loc 2330. But I can't find Loc which contains offset location (30 23) for text. Can you help me how to find it? "Intel Virtualization Technology" menu is not visible in PBE but the text exists in STRINGS0.ROM. kizwan
Hi rbjack, Sorry for the previous post. I didn't realize that I forgot to remove the header from STRINGS0.ROM. Now I'm able to enable Intel Virtualization Technology menu in BIOS on my Acer Aspire 9420. Thank you for the information you provided here. It is very useful. I'm going to post my BIOS mod at notebook review forum. kizwan
I found out how to do the SYMCMOS.EXE -Sxxxxx.txt stuff and was looking for the AHCI settings, but found none.

Code:
( SYMBOLIC CMOS EDITOR - Version 643710-035 )
Main Language: ( token 0x171 start 0x3E8 width 0x4 ) ( maximum 0xF default 0x0 PICK_FIELD ) =* [0] English_(US) = [1] Français
Advanced Dynamic_CPU_Frequency_Mode: ( token 0x90 start 0x99 width 0x1 ) ( maximum 0x1 default 0x1 PICK_FIELD ) = [0] Always_Low =* [1] Dynamic
Advanced Pointing_Devices: ( token 0x87 start 0x10A width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Enabled = [1] Disabled
Advanced Built-in_LAN: ( token 0x165 start 0x88 width 0x1 ) ( maximum 0x1 default 0x1 PICK_FIELD ) = [0] Disabled =* [1] Enabled
Advanced Wake-up_on_LAN: ( token 0x8A start 0x97 width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Disabled = [1] Enabled
Advanced Critical_Battery_Wake-up: ( token 0x8D start 0x98 width 0x1 ) ( maximum 0x1 default 0x1 PICK_FIELD ) = [0] Disabled =* [1] Enabled
Advanced Internal_CIR: ( token 0x99 start 0x9B width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Enabled = [1] Disabled
Advanced Legacy_USB_Support: ( token 0x2B2 start 0x14F width 0x1 ) ( maximum 0x1 default 0x1 PICK_FIELD ) = [0] Disabled =* [1] Enabled
Display Power_On_Display: ( token 0xC start 0x78 width 0x3 ) ( maximum 0x7 default 0x0 PICK_FIELD ) =* [0] Auto = [5] LCD+AnalogRGB
Display LCD_Display_Stretch: ( token 0x1B start 0x109 width 0x1 ) ( maximum 0x1 default 0x1 PICK_FIELD ) = [0] Disabled =* [1] Enabled
Display TV_Type: ( token 0x15 start 0x87 width 0x3 ) ( maximum 0x7 default 0x0 PICK_FIELD ) =* [0] NTSC(US) = [1] PAL = [4] NTSC(JAPAN)
Security Built-in_HDD_Password: ( token 0x9F start 0x10B width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] User_Only = [1] User+Master
Security Cannot_Find_String ( token 0x153 start 0x122 width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Disable = [1] Enable
Security Cannot_Find_String ( token 0x153 start 0x122 width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Disable = [1] Enable
Security Built-in_HDD_Password: ( token 0xA2 start 0x10C width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] User_Only = [1] User+Master
Security Cannot_Find_String ( token 0x156 start 0x123 width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Disable = [1] Enable
Security Cannot_Find_String ( token 0x156 start 0x123 width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Disable = [1] Enable
Security Built-in_HDD1_Password_Select: ( token 0x9F start 0x10B width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] User_Only = [1] User+Master
Security Cannot_Find_String ( token 0x153 start 0x122 width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Disable = [1] Enable
Security Cannot_Find_String ( token 0x153 start 0x122 width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Disable = [1] Enable
Security Built-in_HDD2_Password: ( token 0xA2 start 0x10C width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] User_Only = [1] User+Master
Security Cannot_Find_String ( token 0x156 start 0x123 width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Disable = [1] Enable
Security Cannot_Find_String ( token 0x156 start 0x123 width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Disable = [1] Enable

how can i add:

Advanced SATA_Controller_Mode_Option: ( token 0x58E start 0x320 width 0x1 ) ( maximum 0x1 default 0x0 PICK_FIELD ) =* [0] Compatibility = [1] AHCI

to my system.
The list of options, like the above, dump using SYMCMOS tool are options that exist in BIOS setup menu. It doesn't list the hidden options. For hidden options, you'll need to read rbjack's post. However, you can't add option(s) that doesn't exist (use strings in STRINGS.ROM as reference).
This laptop has Virtualization, but it is not listed in the menu nor the symcmos files. All I need now is the SATA to AHCI settings. rbjack's post is not a step-by-step intro, and for a newbie like me to try and follow his post is just too harsh. I did read it, about 11 times; I can follow a little and then boom, a cliff. I will post the parts I can't understand, so anyone can give a helping hand. Find attached the symcmos -v2 commands in his post!

Attachments: LITERAL.TXT, LITERAL_.TXT, SYMBOL.TXT, SYMBOL_.TXT
rbjack try-to:

system: Toshiba Satellite A215-S5802 BIOS v2.00
OS: windows Xp Sp3
HexEditor: WinHex 16.1
biosfile: safgv200.exe (m10a200.rom)
tools: Phonixtool190.exe (need .netfx2.0), IDA Pro 5.0 free (change "z80" to "" in the cfg/ida.cfg file)

Code:
1) start safgv200.exe and select the default extraction location: c:\safgv200
2) start PhoenixTool.exe, beside "Original BIOS" click the ".." button, now browse to c:\safgv200 and select m10a200.rom.
2a) you may get a popup error message, just click ok (dry winxp sp3, no drivers, only .net2.0 & java)
2b) next popup will say "Complete SLIC (2.1) (TOSINVTOSINV00 INV) in BIOSCOD01.ROM (x1)", click ok
2c) now close the program, by clicking on the "X"
3) and did not get this section?
3a) open c:\sagv200\m10a200.rom in IDA Pro, select 80x86:8086 then 32bit. selected Hex View-A: did a search
    BCPNVS @ seg000:000E F6B4
    BCPNV @ seg000:000E F3F0
    $PDM @ seg000:000E EFF0
3b) open c:\sagv200\DUMP\ROMEXEC00.ROM in IDA Pro, select 80x86:8086 then 32bit. selected Hex View-A: did a search
    BCPNVS @ seg000:7300
    BCPNV @ seg000:75C4
    $PDM @ seg000:6E00
how did you get E649:177D ? what address is it located? ( i am lost here !!!!)
romexec00 -
    seg000:6200 24 50 44 4D 01 0B 00 FD A4 B9 E6 00 00 00 00 00
    seg000:7300 42 43 50 4E 56 53 00 02 1C 00 00 20 FF 1F 00 00
    seg000:75C0 42 43 50 4E 56 20 00 01 1F 00 00 24
    :75D0 8B 24 8B 00 00 6D 12 FF FF 15 8E 5A 94 0D 8C 0D
( close IDA Pro, and skip )
4) Now start WinHex and open file "c:\safgv200\DUMP\ROMEXEC00.ROM" do a search for BCPNV, you will find BCPNVS, just press F3 to search again.
    75C0: 00 00 00 00 42 43 50 4E 56 20 00 01 1F 00 00 24
    75D0: 8B 24 8B 00 00 6D 12 FF FF 15 8E 5A 94 0D 8C 0D
    8B24 = CMOS DTO, 8B24 = size
    126D = CMOS checksum
    FFFF = CRC Mask
    8E15 = starts the Token Table.
    945A = ends the Token Table.
    8C0D = starts the SD for NVRAM
    8D0D = starts the MD for NVRAM
    4430 = starts media for NVRAM
    physical Location = (8E15 - 8B24) = 2F1 + 75C4 = 78B5
    78B0: 01 58 F0 01 68 F0 00 D4 01 00 D5
    98C0: 01 51 78 20 51 7B 50 51 81 50 51 87 20 51 53 10
I was going to ask how did you find the Token table size, but it is there!
    Token Size = (end token - start token) - 1 = (945A - 8E15) - 1 = 644h
5) now copy from physical location (78B5) to physical location + Token Size (78B5+644=7EF9) and paste it into a new hex file. (it's best to highlight with the keypad, anyway click Edit -> Copy Block -> Into New File, save as token table.rom)
Why did we start off at token '0C' ? why not token '00'?
    Standard Defaults Table Size = 8D0D - 8C0D -1 = FF
    Standard Defaults Table Offset start = 8E15 - 8C0D -1 = 0207
    Standard Defaults Table Offset end = 0207 + FF = 0306
( i am not sure if i am right at this point ? )
6) Now in your Token table.rom file locate offset: 00000207 select from that point until you reach offset: 00000307 now click edit ... into new file name it SDT.rom
something is wrong, in the text area on my screen there is a lot of P's & Q's, while rbjack's own is only showing a few "@".
Grab it from what? from where? what address? (close all open programs. SKIP)
    0010h: 00 00 00 00 00 00 00 00 03 00 02 00 E7 4F 52 03
how did you get this address 0674: 09 67?
my search for Main got 406F: 4D 61 69 6E 00
now open c:\safgv200\DUMP\TEMPLAT00.ROM in winhex and search for hex value: 6F40 found @ 0B19
tried to find hex value: 190B, but it was not found. WHY ? LOST AGAIN !!!
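The offset arithmetic from the post above, as an added example (not code from the thread or from Phoenix): it finds the `BCPNV ` signature in the quoted WinHex rows, reads the little-endian words the post labels, and converts the token-table pointers to file offsets. The field positions and names follow the post's reading of the dump and are assumptions, as are the function names.

```python
import struct

# Hex-dump rows copied from the post above (ROMEXEC00.ROM viewed in WinHex).
ROWS = """
75C0: 00 00 00 00 42 43 50 4E 56 20 00 01 1F 00 00 24
75D0: 8B 24 8B 00 00 6D 12 FF FF 15 8E 5A 94 0D 8C 0D
"""

# Trailing space matters: it keeps the search from stopping at "BCPNVS".
SIGNATURE = b"BCPNV "

# Byte offsets from the start of the signature, inferred from how the post
# labels the dump (an assumption, not a documented Phoenix layout).
FIELDS = {
    "cmos_dto": 0x0B,       # 24 8B -> 0x8B24
    "size": 0x0D,           # 24 8B -> 0x8B24
    "cmos_checksum": 0x11,  # 6D 12 -> 0x126D
    "crc_mask": 0x13,       # FF FF
    "token_start": 0x15,    # 15 8E -> 0x8E15
    "token_end": 0x17,      # 5A 94 -> 0x945A
    "sd_start": 0x19,       # 0D 8C -> 0x8C0D
}


def load_rows(text):
    """Turn 'ADDR: xx xx ...' rows into (first_address, bytes); rows must be contiguous."""
    base, data = None, bytearray()
    for line in text.strip().splitlines():
        addr_s, _, hex_s = line.partition(":")
        addr = int(addr_s, 16)
        if base is None:
            base = addr
        if addr != base + len(data):
            raise ValueError(f"gap before row {addr:#x}")
        data += bytes.fromhex(hex_s)
    return base, bytes(data)


def decode_header(base, data):
    """Locate the signature and read each 16-bit little-endian field."""
    pos = data.find(SIGNATURE)
    if pos < 0:
        raise ValueError("BCPNV signature not found")
    header = {"file_offset": base + pos}
    for name, off in FIELDS.items():
        if pos + off + 2 > len(data):
            raise ValueError(f"dump too short for field {name}")
        (header[name],) = struct.unpack_from("<H", data, pos + off)
    return header


def token_table_extent(header):
    """(start, size, end) as file offsets, using the arithmetic from the post."""
    if not header["cmos_dto"] <= header["token_start"] < header["token_end"]:
        raise ValueError("token table pointers are not ordered after the base")
    start = header["file_offset"] + (header["token_start"] - header["cmos_dto"])
    size = (header["token_end"] - header["token_start"]) - 1
    return start, size, start + size


if __name__ == "__main__":
    hdr = decode_header(*load_rows(ROWS))
    print({k: hex(v) for k, v in hdr.items()})
    print([hex(v) for v in token_table_extent(hdr)])
```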
It's a Toshiba Satellite A215-S5802, BIOS: v2.00. The strings00.rom file header starts at 00 and ends at 1B, so it's 1B. Do you see the F9 8D 52 03? Now look at the same code: what address is that code at now? See, it's 1B. In the PDF to unhide menu items, I get stuck at step 15); it's like the Main string for the menu is not in STRINGS.ROM.
Yes, the header in STRINGS0.ROM start from offset 0x00 & end at offset 0x1B. So, the length is 1C. If you don't believe me, open STRINGS0.ROM with HEX editor, select from offset 0x00 to 0x1B, the HEX editor will report the length (usually at status bar). You'll see the HEX editor will agree with me.