Hi kizwan! The TOLUD question is not as simple as I thought at first. Currently, I have decoded about 50% of the 64 KB boot block (000F0000-000FFFFF). In the fragment "Pre" I probably made a mistake, so I decided to first decode the entire block and then work on the bugs. I am just examining the code that allocates the address space and sets all the main registers. I cannot say anything definite, because the values of the chipset registers are changed one after another, sometimes several times. As soon as it becomes clear where the code that sets the TOLUD value is, I will tell you immediately. The process of decoding is tedious but very interesting for me.
Hi aascut,
From the Intel 945 chipset, the TOLUD register is 9C:

5.1.26 TOLUD - Top of Low Used DRAM Register
B/D/F/Type: 0/0/0/PCI
Address Offset: 9Ch
Default Value: 08h
Access: R/W/L; RO
Size: 8 bits

So, the CONFIG_ADDRESS register should be 0x8000009C --> mov eax,0x8000009C. However, it looks like I'm wrong, because when I use a brute-force method to search for it, I can't find it. Reading an MSR register is much easier than this.
Please don't be like kizwan and not say a thing. At least say you don't know the answer to either question or something so I don't think I'm being ignored please.
That's understandable. On the I915 it is the same. Here are the mistakes I made in the beginning, which led me into a dead end in the module "pre_", since I thought that it sends a request to register 9C:
Code: code D810_A05.rom
F000:458E ; ---------------------------------------------------------------------------
F000:458E
F000:458E pre_: ; CODE XREF: F000:429FJ
F000:458E shl esp, 10h ; save old sp value in hi part esp
F000:4592 mov sp, 4598h
F000:4595 jmp WRite_HB_Reg ; Jump
....
F000:5D2D ; ---------------------------------------------------------------------------
F000:5D2D ; Read registers offsets 9C 9D 9E 9F
F000:5D2D ; default value: Top of Low Used Dram 9C=00001000b;
F000:5D2D ; System Management RAM Control 9D=00000010b ;
F000:5D2D ; Extended System Management RAM Control 9E=00111000b;
F000:5D2D ; 9F=reserved and not used. Host Bridge device 0, function 0
F000:5D2D
F000:5D2D WRite_HB_Reg: ; CODE XREF: F000:4595j
F000:5D2D mov dx, 0CF8h
F000:5D30 mov eax, 8000009Ch ; dev. 0 func.0 Host Bridge
F000:5D36 out dx, eax ; reg. offset #9C,9D,9E,9F
F000:5D36 ;
F000:5D38 mov dl, 0FDh ; '¤'
F000:5D3A in al, dx ; read reg offset 9D
F000:5D3A ; from port #0CFDh to al;
F000:5D3A ; default al=02h;This 8-bit register defines
F000:5D3A ; SMRAM-System Management RAM Control
F000:5D3B retn ; return to f000:4598
....
F000:4595 ; ---------------------------------------------------------------------------
F000:4598 dw offset loc_F459A
F000:459A ; ---------------------------------------------------------------------------
F000:459A
F000:459A loc_F459A: ; DATA XREF: F000:4598o
F000:459A shr esp, 10h ; Shift Logical Right
F000:459E test al, 8 ; al=02h,
F000:45A0 jz short locret_F45A5 ; Jump if Zero (ZF=1)
F000:45A2 jmp ready_to_reset ; if 9D not equal 08h jump to ready_to_reset
...
and then follows the code already known to you, which ends with Hlt.
So it turns out that in any case, the processor will wait for reset since the value of the register number 9D (SMRAM) bits 2:0 is always equal to 010b (read only). More yet, I have not seen the code to access these registers. WIND0WS7 I will see, but you must decide yourself. + You have looked for ways to restore the BIOS.
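The byte-lane detail behind the listing above, as an added example that is not code from the thread: with PCI configuration mechanism #1 the dword written to port 0CF8h selects a dword-aligned register, and a byte read from 0CFCh+n returns register offset (reg AND 0FCh)+n, so after writing 8000009Ch a read from 0CFDh returns 9Dh, not TOLUD at 9Ch. It also scans an image for `mov eax, imm32` loads that look like a CONFIG_ADDRESS; the function names, the `mov dl` heuristic and the hand-encoded sample bytes are assumptions of this example.

```python
# Added example: decode PCI configuration mechanism #1 accesses
# (CONFIG_ADDRESS at port 0CF8h, CONFIG_DATA window at 0CFCh-0CFFh).
import struct
from typing import List, NamedTuple, Tuple

CONFIG_DATA_PORT = 0xCFC


class PciAccess(NamedTuple):
    enabled: bool
    bus: int
    device: int
    function: int
    register: int  # byte offset that the data-port access really touches


def decode_access(config_address: int,
                  data_port: int = CONFIG_DATA_PORT) -> PciAccess:
    """Combine the dword written to 0CF8h with the data port used afterwards."""
    lane = data_port - CONFIG_DATA_PORT
    if not 0 <= lane <= 3:
        raise ValueError("data port must be 0CFCh..0CFFh")
    return PciAccess(
        enabled=bool(config_address & 0x80000000),
        bus=(config_address >> 16) & 0xFF,
        device=(config_address >> 11) & 0x1F,
        function=(config_address >> 8) & 0x07,
        register=(config_address & 0xFC) + lane,
    )


def find_config_accesses(image: bytes,
                         window: int = 16) -> List[Tuple[int, PciAccess]]:
    """Find `mov eax, imm32` (66 B8 id in 16-bit code) loading a CONFIG_ADDRESS.

    Heuristic (assumption): if `mov dl, 0FCh..0FFh` (B2 ib) follows within
    `window` bytes, dh is taken to still hold 0Ch and that port is the lane.
    """
    hits = []
    pos = image.find(b"\x66\xB8")
    while pos != -1 and pos + 6 <= len(image):
        (value,) = struct.unpack_from("<I", image, pos + 2)
        # Enable bit set, reserved bits 30:24 and bits 1:0 clear.
        if value & 0x80000000 and not value & 0x7F000003:
            port = CONFIG_DATA_PORT
            tail = image[pos + 6:pos + 6 + window]
            for i in range(len(tail) - 1):
                if tail[i] == 0xB2 and 0xFC <= tail[i + 1] <= 0xFF:
                    port = 0xC00 | tail[i + 1]
                    break
            hits.append((pos, decode_access(value, port)))
        pos = image.find(b"\x66\xB8", pos + 1)
    return hits


# Constructed sample: hand encoding of WRite_HB_Reg from the listing
# (mov dx,0CF8h / mov eax,8000009Ch / out dx,eax / mov dl,0FDh / in al,dx / retn).
SAMPLE = bytes.fromhex("BAF80C 66B89C000080 66EF B2FD EC C3")

if __name__ == "__main__":
    for offset, access in find_config_accesses(SAMPLE):
        print(f"+{offset:#x}: {access}")
```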
Checksum-OK
Execute .rom code-OK:
Code: D4700A10_newbios.rom (this rom code into newbios.hdr from 00000054-00070057) disassembly fragment "uCOD"
Attention! all addresses are relative and it's obtained by copy-paste from newbios.hdr
seg000:69B87 ; ---------------------------------------------------------------------------
seg000:69B87 mov ecx, 26h ; '&'
seg000:69B8D mov esi, 0FFF90000h ; esi=00000000
seg000:69B93 cmp byte ptr es:[esi+2], 14h ; 1)es:[00000002]=01<14
seg000:69B93 ; 2)es:[000065CE]=02<14
seg000:69B93 ; 3)es:[0000C21B]=03<14
seg000:69B93 ; 4)es:[000148E0]=12<14
seg000:69B93 ; 5)es:[00015033]=05<14
seg000:69B93 ; 6)es:[0001DBDE]=26>14
seg000:69B93 ; 7)es:[00024C90]=08<14
seg000:69B93 ; 8)es:[0002C76D]=0B<14
seg000:69B93 ; 9)es:[000325D5]=17>14
seg000:69B93 ; 10)es:[000347E1]=15>14
seg000:69B93 ; 11)es:[0003788E]=14=14
seg000:69B99 jz short loc_9BAB ; jump to 00069BAB
seg000:69B9B movzx eax, word ptr [esi] ; eax=1)000065C9;2)=00005C4A;3)=000086C2;
seg000:69B9B ; 4)=00000750;5)=00008BA8;6)=000070AF;
seg000:69B9B ; 7)=00007ADA;8)=00005E65;9)=00002209;
seg000:69B9B ; 10)=000030AA;
seg000:69BA0 add eax, 3 ; 1)eax=000065CC;2)=00005C4D;3)=000086C5;
seg000:69BA0 ; 4)=00000753;5)=00008BAB;6)=000070B2;
seg000:69BA0 ; 7)=00007ADD;8)=00005E68;9)=0000220C;
seg000:69BA0 ; 10)=000030AD;
seg000:69BA0 ;
seg000:69BA4 add esi, eax ; 2)esi=00065CC;3)=0000C219;4)=000148DE;
seg000:69BA4 ; 5)=00015031;6)=0001DBDC;7)=00024C8E;
seg000:69BA4 ; 8)=0002C76B;9)=000325D3;10)=000347DF;
seg000:69BA4 ; 11)=0003788C-address beginning microcode update module #14 with length and #
seg000:69BA7 loop near ptr unk_9B93
seg000:69BA9 jmp short near ptr loc_9BFB+1
seg000:69BAB ; ---------------------------------------------------------------------------
You can flash, at your own risk!
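The search loop in the listing above, rewritten as an added example (not code from the thread) that walks the same chain of length-prefixed modules but refuses to read past the end of the image, which the BIOS loop does not check. The header layout (word at +0 = length, byte at +2 = module number, next header at current + length + 3) is read off the listing; the sample image is constructed from the trace values in its comments with zero-filled payloads, and the length of the final module is a placeholder.

```python
# Added example: walk a chain of length-prefixed modules with bounds checks.
import struct
from typing import Iterator, Optional, Tuple

HEADER_SIZE = 3      # word length + byte module number, as in the listing
MAX_MODULES = 0x26   # loop counter loaded into ecx in the listing


def walk_modules(image: bytes, start: int = 0,
                 limit: int = MAX_MODULES) -> Iterator[Tuple[int, int, int]]:
    """Yield (offset, length, number) for each module header in the chain."""
    offset = start
    for _ in range(limit):
        if offset + HEADER_SIZE > len(image):
            return  # header would run past the image: stop instead of reading junk
        length, number = struct.unpack_from("<HB", image, offset)
        yield offset, length, number
        offset += length + HEADER_SIZE


def find_module(image: bytes, number: int,
                start: int = 0) -> Optional[Tuple[int, int]]:
    """Return (offset, length) of the first module with this number, or None."""
    for offset, length, found in walk_modules(image, start):
        if found == number:
            return offset, length
    return None


def build_sample() -> bytes:
    """Constructed image: lengths and module numbers from the trace comments
    in the listing, payloads zero-filled, last length (0x10) a placeholder."""
    trace = [(0x65C9, 0x01), (0x5C4A, 0x02), (0x86C2, 0x03), (0x0750, 0x12),
             (0x8BA8, 0x05), (0x70AF, 0x26), (0x7ADA, 0x08), (0x5E65, 0x0B),
             (0x2209, 0x17), (0x30AA, 0x15), (0x0010, 0x14)]
    out = bytearray()
    for length, number in trace:
        out += struct.pack("<HB", length, number) + bytes(length)
    return bytes(out)


if __name__ == "__main__":
    for offset, length, number in walk_modules(build_sample()):
        print(f"{offset:08X} len={length:04X} module #{number:02X}")
```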
You flashed the 4700 BIOS I modded for mine on yours and it's working? Are you running a previously unsupported CPU now?
Hi there, maybe BIOS modding won't be my solution, but I've faced the following trouble: I've owned a Dell Latitude E6400 (ServiceTag 5V4GV2X) with a broken LCD (AUO B141EW05). I ordered the replacement, but it's from another vendor (LG LP141WX5) - it works well, but only in Windows - that is, I can't see the BIOS settings, all text mode info, etc. Does this mean that the BIOS doesn't allow the LCD to work because it just can't recognize it? Is it possible to solve this with BIOS modding? At this point, I have the A29 BIOS unpacked with PhoenixTool, found the list of possible LCD types, found the nvidia BIOS... but have no idea where to dig next.
About the jump far F000:FFA0: I have finished decoding the boot block 000F0000:000FFFFF (last 64 KB) of D810_A05.rom. The mystery of FFFA0 is solved. This address is the entry point of the first decompressed BIOS block, aka 01_1.rom, for all Dell BIOSes (1998-2006).
Congratulations! I see you have commented a lot on the disassembly. It will be useful if you share that. Isn't it easier to dump the first MB of RAM and then use that? (FFFA0 won't be FF .. .. then, but the real first BIOS block module)
kizwan, gabiz_ro, thanks! Yes, if you know what to look for. The boot block does the following after DRAM initialization (for D810_A05):
- copies the compressed segment of the BIOS to DRAM offsets 00100000-001xxxxx (xxxxx - size of the compressed block);
- copies itself to DRAM offsets 00024000-0002FFFF and after this works from this DRAM segment;
- decompresses the first (tag 01) compressed module from DRAM offset 00100000-0010xxxx to DRAM segment 000F0000-000FFFFF;
- jumps far to 000FFFA0.
I.e. 01_1.rom becomes the second main boot module. The first thing this module does is look for compressed module #08 (aka 08_7.rom, signature "LoPo") in DRAM at 00100000-0010xxxx and decompress module #08 to DRAM segment 00010000-0001xxxx.
Code: 01_1.rom (D810)
F000:FFA0 ; ---------------------------------------------------------------------------
F000:FFA0 EA 30 63 00 F0 jmp START_01_IN_DRAM_F ; Jump
F000:FFA0 ; ---------------------------------------------------------------------------
...
F000:6330 ; ---------------------------------------------------------------------------
F000:6330 ; START OF FUNCTION CHUNK FOR sub_FAA7E
F000:6330
F000:6330 START_01_IN_DRAM_F: ; CODE XREF: sub_FAA7E-E9CCCJ
F000:6330 ; F000:E310j ...
F000:6330 000 FA cli ; clear interrupt
F000:6331 000 FC cld ; clear direction
F000:6332 000 B8 40 00 mov ax, 40h ; '@'
F000:6335 000 8E D8 mov ds, ax ; ds=0040;
F000:6337 000 2E 0F B2 26 A8 E7 lss sp, cs:dword_FE7A8 ; load ss:sp segment =0000:FF00
F000:633D 000 E8 98 00 call near ptr sub_F63D8 ; Call Procedure
F000:6340
F000:6340 loc_F6340: ; CODE XREF: sub_F63D8:locret_F6458J
F000:6340 ; sub_FAA7E+5J
F000:6340 -02 6A 40 push 40h ; '@'
F000:6342 000 1F pop ds ; ds=40
F000:6343 -02 8B 1E 72 00 mov bx, ds:72h ; bx=[0472]=????? into DRAM
F000:6347 -02 66 2B C0 sub eax, eax ; eax=0
F000:634A -02 8E C0 mov es, ax ; es=0
F000:634C -02 8B F8 mov di, ax ; di=0
F000:634E -02 B9 00 40 mov cx, 4000h ; fill memory with zeros
F000:6351 -02 F3 66 AB rep stosd ; Copies 8000h bytes = 00 to DRAM (L1)
F000:6351 ; offsets 0000:0000-0000:7FFF=0
F000:6354 -02 68 00 10 push 1000h
F000:6357 000 07 pop es ; es=1000h
F000:6358 assume es:nothing
F000:6358 -02 B9 00 40 mov cx, 4000h
F000:635B -02 8B F8 mov di, ax ; di=0
F000:635D -02 F3 66 AB rep stosd ; Copies 8000h bytes = 00 to DRAM (L1)
F000:635D ; offsets 1000:0000-1000:7FFF=0
Boot algorithm in the D810, D610, D510 and others

Look at this data block, which is located in the last 64 KB segment of the BIOS memory chip, addressed as segment "F" (000F0000:000FFFFF). The boot block is essentially a program of transition to an address-calculation module that reads or writes data to registers or the CMOS memory chip.
Code: D810_A05.rom code
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
000F4040 B0 4A 58 44 61 53 01 03 AA 73 20 49 45 52 02 03 °JXDaS ªs IER
000F4050 CD 4A 69 4F 49 53 03 03 9E 4E 6E 64 68 53 0F 01 ÍJiOIS žNndhS
000F4060 E2 4F 6E 68 53 65 34 04 8E 45 20 65 72 70 12 01 âOnhSe4 ŽE erp
000F4070 05 43 74 6F 6F 62 04 03 39 4E 42 41 6D 50 05 03 Ctoob 9NBAmP
000F4080 63 4E 68 63 61 43 08 03 5E 74 70 43 54 52 0A 01 cNhcaC ^tpCTR
000F4090 10 89 50 41 6E 49 0C 03 70 44 44 4F 43 75 10 03 ‰PAnI pDDOCu
000F40A0 FB 44 46 6E 61 42 11 03 A6 45 73 69 64 46 14 02 ûDFnaB ¦EsidF
000F40B0 5A 75 31 4F 49 4D 15 03 7A 62 32 4F 49 4D 16 03 Zu1OIM zb2OIM
000F40C0 00 88 31 70 78 45 44 03 4C 47 66 44 68 43 17 03 ˆ1pxED LGfDhC
000F40D0 AF 72 61 74 61 73 18 03 BD 45 69 44 49 56 1A 01 ¯ratas ½EiDIV
000F40E0 ED 53 46 69 6D 6E 1B 02 02 73 64 42 4D 53 1C 03 íSFimn sdBMS
000F40F0 B8 78 61 43 78 45 1D 03 0A 73 4F 49 50 47 1E 03 ¸xaCxE sOIPG
000F4100 D8 45 70 4F 4D 43 1F 03 EE 74 65 51 52 49 20 03 ØEpOMC îteQRI
000F4110 EB 45 65 30 32 41 21 03 F2 4E 65 4D 43 43 22 01 ëEe02A! òNeMCC"
000F4120 FB 4E 55 43 4D 43 23 01 38 4F 69 47 45 4C 24 01 ûNUCMC# 8OiGEL$
000F4130 F7 74 74 42 4D 53 25 02 4C 74 6C 46 52 43 26 02 ÷ttBMS% LtlFRC&
000F4140 3C 5D 30 48 43 4D 27 01 46 5D 33 48 43 4D 28 02 <]0HCM' F]3HCM(
000F4150 53 4F 66 42 57 72 29 01 F2 48 44 41 48 53 2D 01 SOfBWr) òHDAHS-
000F4160 03 5F 43 70 53 44 2F 01 93 63 70 75 4D 50 30 03 _CpSD/ “cpuMP0
000F4170 83 75 75 48 43 49 30 03 77 4F 20 42 53 55 31 01 ƒuuHCI0 wO BSU1
000F4180 A6 42 6C 61 65 52 32 01 30 43 74 53 33 53 33 02 ¦BlaeR2 0CtS3S3
000F4190 04 5F 20 62 6D 75 36 01 21 61 73 79 53 53 37 01 _ bmu6 !asySS7
000F41A0 0F 50 72 31 35 4B 39 01 6B 50 6F 43 49 4E 3A 01 Pr15K9 kPoCIN:
000F41B0 8C 50 6F 45 44 49 3B 01 F2 58 63 63 34 50 3D 01 ŒPoEDI; òXcc4P=
000F41C0 F7 75 43 6B 6C 43 3E 03 C5 51 20 42 51 63 40 01 ÷uCklC> ÅQ BQc@
000F41D0 6F 57 31 35 6B 6D 41 01 FA 51 73 67 44 45 43 01 oW15kmA úQsgDEC
000F41E0 00 7A 45 49 43 50 45 03 CA 61 46 78 66 47 46 03 zEICPE ÊaFxfGF
000F41F0 E9 88 44 49 72 47 47 03 72 49 72 72 74 6D 48 01 éˆDIrGG rIrrtmH
000F4200 FA 53 44 58 54 44 49 03 C6 43 4F 49 42 4A 4B 01 úSDXTDI ÆCOIBJK
000F4210 2D 52 4B 33 61 53 4C 02 C4 52 6F 6C 65 52 4D 02 -RK3aSL ÄRoleRM
000F4220 A0 53 4B 33 65 52 4F 02 C4 53 69 6D 73 41 50 02 *SK3eRO ÄSimsAP
000F4230 CE 53 65 68 63 52 51 00 A6 42 6C 61 65 52 52 00 ÎSehcRQ ¦BlaeRR
000F4240 CE 43 49 50 43 41 53 02 ÎCIPCAS
Each line contains 16 bytes of data .. 8 bytes for each module.
These data indicate the following:
Red - the start offset in the segment of the module's executable code;
Blue - ASCII code to understand what is happening (read from right to left);
Black - # (number) of the module in the segment;
Green - label for the calculation of the branch:
If the label = 03, the module is executed under all conditions.
If the label = 01, the module is executed on condition that the computer was turned off normally and switched on with the Power_On button.
If the label = 02, the module runs under the condition that the computer was soft rebooted but DRAM power was lost.
If the label = 04, the module is executed on a soft reset, provided that the memory has already been initialized and the power was not turned off, for example when you make changes in the BIOS setup and save the new settings.
All modules are executed strictly in order from top to bottom. But from module #0F, aka "Shdn", the BIOS branching starts.
To be continued...
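A parser for the table described in the post above, as an added example that is not code from the thread. The field order (2-byte little-endian offset, 4 name bytes stored reversed, module number, label) is read off the dump together with the "#0F aka Shdn" remark and is an assumption of this example, as are the function names and the rule of stopping at the first non-printable name; the sample bytes are the first four dump lines copied from the post.

```python
# Added example: parse the 8-byte boot-block dispatch entries.
import struct
from typing import List, NamedTuple

# Dump lines 000F4040-000F407F of D810_A05.rom, copied from the post.
SAMPLE = bytes.fromhex(
    "B04A584461530103 AA73204945520203 "
    "CD4A694F49530303 9E4E6E6468530F01 "
    "E24F6E6853653404 8E45206572701201 "
    "0543746F6F620403 394E42416D500503"
)

# Label meanings as given in the post; other values are not explained there.
LABELS = {
    0x01: "cold power-on",
    0x02: "soft reboot, DRAM power lost",
    0x03: "always",
    0x04: "soft reset, DRAM initialized",
}


class Entry(NamedTuple):
    offset: int   # entry point inside the boot-block segment
    name: str     # four ASCII characters, un-reversed
    number: int   # module number
    label: int    # condition label


def parse_table(data: bytes) -> List[Entry]:
    """Parse consecutive entries; stop at the first non-printable name,
    which is taken to be code or data following the table."""
    entries = []
    for pos in range(0, len(data) - 7, 8):
        offset, raw, number, label = struct.unpack_from("<H4sBB", data, pos)
        if not all(0x20 <= b < 0x7F for b in raw):
            break
        entries.append(Entry(offset, raw[::-1].decode("ascii"), number, label))
    return entries


def boot_plan(entries: List[Entry], boot_label: int) -> List[Entry]:
    """Entries that run for one boot type, in table order: label 03 plus
    the entries whose label equals the boot type."""
    return [e for e in entries if e.label in (0x03, boot_label)]


def describe(entry: Entry, segment: int = 0xF000) -> str:
    meaning = LABELS.get(entry.label, "not described")
    return (f"{segment:04X}:{entry.offset:04X} #{entry.number:02X} "
            f"{entry.name} [{meaning}]")


if __name__ == "__main__":
    for e in parse_table(SAMPLE):
        print(describe(e))
```

The sixth entry decodes to offset 458E with the name "pre ", the address of the pre_ routine disassembled earlier in the thread.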
Great info.
So in my case, E1705 (that's from module 02-01-44):
Code:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
000E4000 44 65 6C 6C 20 53 79 73 74 65 6D 20 4D 50 30 36 Dell System MP06
000E4010 31 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 01 1.............Í.
000E4020 41 31 30 FE 00 00 00 00 00 00 00 00 00 00 00 00 A10þ............
000E4030 E9 05 02 00 00 00 00 00 00 00 00 00 00 00 00 00 é...............
000E4040 F6 4B 6E 64 68 53 11 01 B2 4C 6E 68 53 65 34 04 öKndhS..²LnhSe4.
000E4050 10 47 20 65 72 70 14 01 36 8B 64 50 4D 43 0B 03 .G erp..6‹dPMC..
000E4060 8E 6D 70 43 54 52 0C 01 8E 89 46 6E 61 42 13 03 ŽmpCTR..Ž‰FnaB..
000E4070 21 8A 63 61 43 41 12 02 62 8A 73 69 64 46 16 02 !ŠcaCA..bŠsidF..
000E4080 09 48 66 44 68 43 17 03 61 6B 61 74 61 73 18 03 .HfDhC..akatas..
000E4090 74 70 69 44 49 56 1A 01 80 4E 46 69 6D 6E 1B 02 tpiDIV..€NFimn..
000E40A0 E3 6B 64 42 4D 53 1C 03 EB 6B 4F 49 50 47 1E 03 ãkdBMS..ëkOIPG..
000E40B0 4E 47 70 4F 4D 43 1F 03 0B 6E 65 51 52 49 20 03 NGpOMC...neQRI .
000E40C0 61 47 65 30 32 41 21 03 58 4C 65 4D 43 43 22 01 aGe02A!.XLeMCC".
000E40D0 65 4C 69 47 45 4C 24 01 14 6E 74 42 4D 53 25 02 eLiGEL$..ntBMS%.
000E40E0 7C 6D 6C 46 52 43 26 02 96 59 30 48 43 4D 27 01 |mlFRC&.–Y0HCM'.
000E40F0 F6 59 33 48 43 4D 28 02 80 4C 66 42 57 72 2A 01 öY3HCM(.€LfBWr*.
000E4100 40 48 44 41 48 53 2D 01 F3 5A 43 70 53 44 2F 01 @HDAHS-.óZCpSD/.
000E4110 90 42 6C 61 65 52 32 01 75 43 74 53 33 53 33 02 .BlaeR2.uCtS3S3.
000E4120 B8 8A 68 63 61 43 0A 03 CC 6E 20 42 53 55 31 01 ¸ŠhcaC..Ìn BSU1.
000E4130 2A 70 75 48 43 49 30 03 50 8B 50 41 6E 49 0E 03 *puHCI0.P‹PAnI..
000E4140 F4 5A 20 62 6D 75 36 01 FD 5B 73 79 53 53 37 01 ôZ bmu6.ý[sySS7.
000E4150 D5 4C 72 31 35 4B 39 01 22 6F 6F 45 44 49 3B 01 ÕLr15K9."ooEDI;.
000E4160 24 89 63 63 34 50 3D 01 99 4D 20 42 51 63 40 01 $‰cc4P=.™M BQc@.
000E4170 E8 56 31 35 6B 6D 41 01 D2 4D 73 50 4D 73 42 01 èV15kmA.ÒMsPMsB.
000E4180 41 4E 73 67 44 45 43 01 75 5C 47 74 6E 49 47 03 ANsgDEC.u\GtnIG.
000E4190 B8 5D 47 74 78 45 47 03 6F 63 53 6B 6F 4C 28 02 ¸]GtxEG.ocSkoL(.
000E41A0 C8 70 43 6B 6C 43 3E 03 80 B7 4D 50 43 4D 27 03 ÈpCklC>.€·MPCM'.
000E41B0 40 81 31 70 78 45 44 03 99 61 46 78 66 47 46 03 @.1pxED.™aFxfGF.
000E41C0 B0 72 45 49 43 50 45 03 30 70 44 49 72 47 47 03 °rEICPE.0pDIrGG.
000E41D0 CD 83 72 72 74 6D 48 01 16 8B 44 58 54 44 49 03 ÍƒrrtmH..‹DXTDI.
000E41E0 BD 43 4F 49 42 4A 4C 01 D2 82 44 4F 43 75 4D 02 ½COIBJL.Ò‚DOCuM.
000E41F0 1F 88 4B 33 61 53 4E 02 64 85 6F 6C 65 52 4F 02 .ˆK3aSN.d…oleRO.
000E4200 F7 8A 65 68 63 52 50 02 78 86 73 20 31 50 51 02 ÷ŠehcRP.x†s 1PQ.
000E4210 DD 88 4B 33 65 52 52 02 76 4E 69 6D 73 41 53 02 ÝˆK3eRR.vNimsAS.
000E4220 FA 43 49 44 4E 53 53 02 90 42 6C 61 65 52 54 00 úCIDNSS..BlaeRT.
000E4230 C5 43 49 50 43 41 55 02 FA FC 0F 7E C3 66 C1 C3 ÅCIPCAU.úü.~ÃfÁÃ
000E4240 10 BB 38 40 66 C1 C3 10 0F 6E C3 66 B8 9E 00 00 .»8@fÁÃ..nÃf¸ž..
That means?
Shutdown is at E000:4BF6
sata is at E000:6B61
S3 standby is at E000:4375
Or am I wrong?
Some names are easy to figure out but others are not. It would be nice to find somewhere what each abbreviation means.
In my Dell there seem to be two such modules: this one, 02-01-44.bin (47.9kb), and another one, 05-01-44.bin (24kb).
That's from module 05-01-44:
Code:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
000FA000 44 65 6C 6C 20 53 79 73 74 65 6D 20 4D 50 30 36 Dell System MP06
000FA010 31 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 01 1.............Í.
000FA020 41 31 30 FE 00 00 00 00 00 00 00 00 00 00 00 00 A10þ............
000FA030 E9 AD 00 00 00 00 00 00 EB 00 B8 00 00 8E C0 8E é*......ë.¸..ŽÀŽ
000FA040 D8 66 56 66 BE 00 00 FF FF E8 70 09 66 5E EA 28 ØfVf¾..ÿÿèp.f^ê(
000FA050 40 00 30 C3 00 00 00 00 00 00 00 00 00 00 00 00 @.0Ã............
000FA060 87 BE 53 6B 6C 42 00 01 3B BF 31 4F 49 4D 01 03 ‡¾SklB..;¿1OIM..
000FA070 62 B5 32 4F 49 4D 02 03 48 BE 20 49 45 52 04 03 bµ2OIM..H¾ IER..
000FA080 18 A6 69 4F 49 53 05 03 C6 A1 74 6F 4F 42 06 03 .¦iOIS..Æ¡toOB..
000FA090 9A A1 3F 70 6D 6A 08 03 B8 A5 66 44 68 43 17 03 š¡?pmj..¸¥fDhC..
000FA0A0 A1 BD 4F 49 50 47 1E 03 32 BF 65 51 52 49 20 03 ¡½OIPG..2¿eQRI .
000FA0B0 10 A5 65 30 32 41 21 03 39 A9 69 47 45 4C 24 01 .¥e02A!.9©iGEL$.
000FA0C0 E6 B3 30 48 43 4D 27 01 54 A9 42 42 68 53 2B 01 æ³0HCM'.T©BBhS+.
000FA0D0 25 A1 6C 61 65 52 32 01 C8 A9 72 76 63 52 35 01 %¡laeR2.È©rvcR5.
000FA0E0 FA FC 0F 09 E9 2B 4B E8 8A 1C E8 0E 14 BB 58 A0 úü..é+KèŠ.è..»X*
But IDA gives this:
shutdown
Code:
E000:4BF6 ; ---------------------------------------------------------------------------
E000:4BF6 in al, 64h ; AT Keyboard controller 8042.
E000:4BF8 test al, 4
E000:4BFA jz short locret_E4C1C
E000:4BFC mov al, 8Fh ; 'Å'
E000:4BFE out 74h, al
E000:4C00 in al, 75h
E000:4C02 cmp al, 4
E000:4C04 jb short locret_E4C1C
E000:4C06 cmp al, 0Bh
E000:4C08 jz short locret_E4C1C
E000:4C0A cmp al, 0Ch
E000:4C0C ja short locret_E4C1C
E000:4C0E movd eax, mm0
E000:4C11 and eax, 0FFFFFFFCh
E000:4C15 or eax, 4
E000:4C19 movd mm0, eax
E000:4C1C
E000:4C1C locret_E4C1C: ; CODE XREF: E000:4BFAj
E000:4C1C ; E000:4C04j ...
E000:4C1C retn
E000:4C1C ; ---------------------------------------------------------------------------
sata
Code:
E000:6B61 ; ---------------------------------------------------------------------------
E000:6B61 mov edi, 0F00FA000h
E000:6B67 mov byte ptr es:[edi+0A0h], 40h ; '@'
E000:6B70 mov byte ptr es:[edi+0A6h], 22h ; '"'
E000:6B79 mov byte ptr es:[edi+0A0h], 78h ; 'x'
E000:6B82 mov byte ptr es:[edi+0A6h], 22h ; '"'
E000:6B8B mov byte ptr es:[edi+0A0h], 88h ; 'ê'
E000:6B94 mov eax, es:[edi+0A4h]
E000:6B9D and eax, 0C0C0C0C0h
E000:6BA3 or eax, 1B1B1212h
E000:6BA9 mov es:[edi+0A4h], eax
E000:6BB2 mov byte ptr es:[edi+0A0h], 8Ch ; 'î'
E000:6BBB mov eax, es:[edi+0A4h]
E000:6BC4 and eax, 0C0C0FF00h
E000:6BCA or eax, 121200AAh
E000:6BD0 mov es:[edi+0A4h], eax
E000:6BD9 mov byte ptr es:[edi+0A0h], 0
E000:6BE2 retn
E000:6BE2 ; ---------------------------------------------------------------------------
S3 standby
Code:
E000:4BF6 ; ---------------------------------------------------------------------------
E000:4BF6 in al, 64h ; AT Keyboard controller 8042.
E000:4BF8 test al, 4
E000:4BFA jz short locret_E4C1C
E000:4BFC mov al, 8Fh ; 'Å'
E000:4BFE out 74h, al
E000:4C00 in al, 75h
E000:4C02 cmp al, 4
E000:4C04 jb short locret_E4C1C
E000:4C06 cmp al, 0Bh
E000:4C08 jz short locret_E4C1C
E000:4C0A cmp al, 0Ch
E000:4C0C ja short locret_E4C1C
E000:4C0E movd eax, mm0
E000:4C11 and eax, 0FFFFFFFCh
E000:4C15 or eax, 4
E000:4C19 movd mm0, eax
E000:4C1C
E000:4C1C locret_E4C1C: ; CODE XREF: E000:4BFAj
E000:4C1C ; E000:4C04j ...
E000:4C1C retn
E000:4C1C ; ---------------------------------------------------------------------------
Boot
Code:
F000:A1C6 ; ---------------------------------------------------------------------------
F000:A1C6 movd ebx, mm0
F000:A1C9 in al, 64h ; AT Keyboard controller 8042.
F000:A1CB in al, 64h ; AT Keyboard controller 8042.
F000:A1CD and al, 81h
F000:A1CF cmp al, 81h ; 'ü'
F000:A1D1 mov ax, 0DCDCh
F000:A1D4 jnz short loc_FA1E2
F000:A1D6 in al, 60h ; AT Keyboard controller 8042.
F000:A1D8 xchg al, ah
F000:A1DA out 74h, al
F000:A1DC xchg al, ah
F000:A1DE out 75h, al
F000:A1E0 jmp short loc_FA1E6
F000:A1E2 ; ---------------------------------------------------------------------------
F000:A1E2
F000:A1E2 loc_FA1E2: ; CODE XREF: F000:A1D4j
F000:A1E2 out 74h, al
F000:A1E4 in al, 75h
F000:A1E6
F000:A1E6 loc_FA1E6: ; CODE XREF: F000:A1E0j
F000:A1E6 and al, 2
F000:A1E8 cmp al, 2
F000:A1EA jnz short loc_FA1F2
F000:A1EC and ebx, 0FFFFFFFEh
F000:A1F0 jmp short loc_FA1F6
F000:A1F2 ; ---------------------------------------------------------------------------
F000:A1F2
F000:A1F2 loc_FA1F2: ; CODE XREF: F000:A1EAj
F000:A1F2 and ebx, 0FFFFFFFDh
F000:A1F6
F000:A1F6 loc_FA1F6: ; CODE XREF: F000:A1F0j
F000:A1F6 movd mm0, ebx
F000:A1F9 retn
F000:A1F9 ; ---------------------------------------------------------------------------
But since I'm not a programmer and my knowledge in that area is very poor, I don't understand too much, but maybe I am doing something wrong, since none of them seems to be related to its name.
The data structure is different between laptop generations and desktops.
Code:
E1705 laptop
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
000E4080 09 48 66 44 68 43 17 03 61 6B 61 74 61 73 18 03 .HfDhC..akatas..
XPS200
000F8D30 83 BD 2D 31 43 54 1E 00 DB B5 74 61 53 ƒ½-1CT..ÛµtaS
000F8D40 69 1E 00 i..
00 is always 00
D630
001E4790 9B ›
001E47A0 55 FE FF 69 47 43 54 01 45 86 FE FF 61 74 61 73 UþÿiGCT.E†þÿatas
not clear what 01 and 03 are, number or label
001E47B0 03 . . .
Also, on desktops each of those functions jumps to
Code:
add bp, 8
cmp bp, 8E73h
jb short loc_F8E9A
xor esp, esp
jmp far ptr loc_FFFA0
On laptops the functions end with a return.
I found the sata function in the BIOS; it looks like Dell just wrote some bulls**t in place of working code (compared with other BIOS versions, things are different). I don't know why.
Code:
E000:6B61 ; ---------------------------------------------------------------------------
E000:6B61 mov edi, 0F00FA000h ;wrong
E000:6B67 mov byte ptr es:[edi+0A0h], 40h ; '@'
E000:6B70 mov byte ptr es:[edi+0A6h], 22h ; '"' ;could be also wrong,others have 0A4h
E000:6B79 mov byte ptr es:[edi+0A0h], 78h ; 'x'
E000:6B82 mov byte ptr es:[edi+0A6h], 22h ; '"'
E000:6B8B mov byte ptr es:[edi+0A0h], 88h ; 'ê'
E000:6B94 mov eax, es:[edi+0A4h]
E000:6B9D and eax, 0C0C0C0C0h
E000:6BA3 or eax, 1B1B1212h
E000:6BA9 mov es:[edi+0A4h], eax
E000:6BB2 mov byte ptr es:[edi+0A0h], 8Ch ; 'î'
E000:6BBB mov eax, es:[edi+0A4h]
E000:6BC4 and eax, 0C0C0FF00h
E000:6BCA or eax, 121200AAh
E000:6BD0 mov es:[edi+0A4h], eax
E000:6BD9 mov byte ptr es:[edi+0A0h], 0
E000:6BE2 retn
E000:6BE2 ; ---------------------------------------------------------------------------
Compared with the code from the XPS 200 and Precision 380 (similar to the XPS200, but it does a check on CMOS and, depending on that, leaves the controller in legacy mode or switches it to AHCI and writes to the "function disable" bit of the ICH7 to disable IDE) and then added to my laptop BIOS. Still not working.
The ICH7 is in AHCI mode, but the disk is not detected by the BIOS or by Windows, while under Linux it works fine. (I'm not using any integrated ports of the ICH7, no HDD, no optical unit; I have an ExpressCard with RAID0 for OS and storage.) Now, after making the BIOS activate AHCI, POST takes a long time and in the end complains about a problem with the device in the media bay, but like I said earlier, the media bay is empty and unused. Maybe the BIOS tries to identify a device in the bay (IDE connector), but since enabling SATA AHCI disables the IDE port, the BIOS gets jammed.