Second module, one starting with LoPo have a similar addressing resized number of bytes to be more easy to see Code: 00000000 00 0D 06 10 00 68 00 10 56 73 69 44 55 .....h..VsiDU 0000000D 00 00 00 00 55 0B 00 10 53 4F 4D 43 56 ....U...SOMCV 0000001A 00 00 07 10 B4 0B 00 10 72 6D 69 54 57 ....´...rmiTW 00000027 00 00 08 10 17 0C 00 10 20 41 4D 44 58 ........ AMDX 00000034 00 00 09 10 99 0C 00 10 65 67 50 44 59 ....™...egPDY color still not clear what means Red is address of code assuming module is loaded at 10000h Blue is name black most probably is function number Hope this is correct.
Yes you are right! color-This is a lable.If lable=00000000- there is a direct transition to the address into "oPoL".If lable not equal 00000000-there is a procedure of asking of a devices on the LPC protocol. But I still have not figured out how it works . It's very difficult for me.
Algorithm of boot in D810,D610,D510 and other Continued.... I have researched only a branch from label 01 as it is the longest and logical. Labeled 02 branch I did not investigate but I think that it is linked to the emergency bios operation. If anyone ever have a desire you can dig deeper. Boot block establishes the basic chipset registers and CMOS memory. By and large there is nothing interesting except for one-installing the base address registers of chipset devices.Later I'll show you how important this is. And while I "decipher" ASCII codes modules of boot-block. The initial label value = 03. 1)(#01) "SaDX"-save dx (into dx-CPU ID after start) 2)(#02) "REI "- SIO chip enable, keyboard enable,sets LPC Generic Decod Range 1 =0900h;set ABAR - ACHI Base Address Register=000D0000,and disables one . 3)(#03)"SIOi"-check and initiates the SIO, if error -seeks floppy 4)(#0F) "Shdn"- check comp. shutdown condition ; first branching: if shutdown with power_on ->lable=03, if soft reset and DRAM was initiates->lable=04: 5)(#34)"eShn" -execute only if lable=04, jump to DRAM address 000FFFA0, where we have already unpacked module 01_1.rom 6)(#12)"pre_"-check MCH SMRAM register default value 7)(#04)"boot"-second branching, check input KBC buffer,if it is empty ->lable=01, full ->02 8)(#05)"PmAB"-Protect Mode enable 9)(#08)"Cach"-Processor cash enable 10)(#0A)"RTCp"-writes CMOS 11)(#0C)"InAP"- program the LINT0 and LINT1 local APIC pins on a processor 12)(#10)"uCOD"-processor mircocod update 13)(#11)"BanF"-check and ban old processor model (P-III) 14)(#14)"Fdis"-exec if lable=02 15)(#15)"MIO1"-set Chipset Root Complex Base address=F0008000 16)(#16)"MIO2"-set Egress Port Base address for PCIEx=F0005000;GMCH Base address=F0000000; PCIEx Base address=E0000000;DMI Root Complex Base address=F0004000;and chipset verifies the installation of an external graphics card. 17)(#44)"Exp1"-Enable PCIEx Grafics mod if there is external graphics card To be continued...
Very good info. As a little question, Fdis as far as I see disassembling is Function disable ,southbridge RCBA offset 3418-341Bh And this I think must be done always,or BIOS setup first RCBA and Fdis just restore previous saved registers.
I see that this makes F segment (000F0000-000FFFFF) - uncashable, look: Code: D810_A05.rom code _F segment disable Uncacheable F000:45A6 F000:45A6 Fdis: ; CODE XREF: F000:429FJ F000:45A6 66 33 C0 xor eax, eax ; eax=00000000; F000:45A9 66 8B D0 mov edx, eax ; edx=00000000; F000:45AC 66 B9 6E 02 00 00 mov ecx, 26Eh F000:45B2 0F 30 wrmsr ; MTTR_fix_4k F0000=00000000 F000:45B2 ; 8th 4kB ranges are uncashable: F000:45B2 ; F7000-F7FFF,F6000-F6FFF, F000:45B2 ; F5000-F5FFF,F4000-F4FFF, F000:45B2 ; F3000-F3FFF,F2000-F2FFF, F000:45B2 ; F1000-F1FFF,F0000-F0FFF. F000:45B4 66 B9 6F 02 00 00 mov ecx, 26Fh F000:45BA 0F 30 wrmsr ; MTTR_fix_4k F8000=00000000 F000:45BA ; 8th 4kB ranges are uncashable: F000:45BA ; FF000-FFFFF,FE000-FEFFF, F000:45BA ; FD000-FDFFF,FC000-FCFFF, F000:45BA ; FB000-FBFFF,FA000-FAFFF, F000:45BA ; F9000-F9FFF,F8000-F8FFF. F000:45BC C3 retn ; return f000:42A2 F000:45BC
Algorithm of boot in D810,D610,D510 and other Continued.... Next blocks executes any lable=01 or 02 18)(#17)ChDf-this is main block of chipset registers setting aka Chipset Define, very huge. It writes VID and SID to all chipset devices. So sets main registers for MCH, ICH, UHCI, EHCI, PCIeXpress, SATA,IDE,USB, LPT, COM, Power Management itc. 19)(#18)sata- identification ICH revision & enable SATA ABAR register(makes it R/W) Next block executes only with lable=01 20)(#1A)VIDi-initialization video status ports(registers) Next block executes only with lable=02 21)(#1B)nmiF-port 61(KBC or PPI) read-write Next blocks executes any lable=01 or 02 22)(#1C)SMBd-writes Received Slave Address for SMBus 23)(#1D)ExCa-sets IRQ for ExCa Card 16 bit I/O legacy mode 24)(#1E)GPIO-programming GPIO pins 25)(#1F)CMOp-writing CMOS register 78 26)(#20)IRQe-master and slave PIC enabled 27)(#21)A20e-Fast A20 and INIT# enable Next blocks executes only with lable=01 28)(#22)CCMe-Clear CMOS register 69 29)(#23)CMCU- read MSR-IA32_BIOS_SIGN_ID- Any non-zero value is the microcode update signature, writing CMOS register [69]=10h 30)(#24)LEGi-Timer Counter#1 ini, Next blocks executes only with lable=02 31)(#25)SMBt-SMBus test 32)(#26)CRFl-Power Management Control and status registers R/W Next block executes only with lable=01 33)(#27)MCH0-DRAM initialization Next block executes only with lable=02 34)(#28)MCH3-DRAM initialization Next blocks executes only with lable=01 35)(#29)rWBf- CMOS register 5B:checking if =0-escape,if not, writing [5B]=0 and writing into DRAM [00000467]=1234(“Alt+Cntr+Del”) 36)(#2D)SHAD- Copying ROM boot segment F(3000h dwords=C000h bytes) to new address into DRAM 00024000-00030000 And Copying compress ROM segment (61048h bytes) to new DRAM address 00100000-00161048 37)(#2F)DSpC-NOP Next blocks executes any lable=01 or 02 38)(#30)PMup-Power Memory registers update (ACPI for DRAM ) 39)(#30)ICHu-ICH EHCI controller update Next blocks executes only with lable=01 40)(#31)USB -setting EHCI Memory base address 41)(#32)Real- jumping to DRAMs_COPY_of ROM boot segment F To be continued...
First time,and because I didn't look at D810 BIOS and I know Dx10 series use IDE disk I think it was a lost piece of code left behind by BIOS programmers at Dell Now I take a look on some schematics and see that is used a SATA to IDE bridge (Marvell 88SA8040) So 2)(#02) "REI " in the end set map value to 0,define ABAR adress as D0000h,enable I/O space , memory space and Bus master then make a HBA reset and then disable I/O space , memory space , bus master. Code: F000:73FA mov eax, 8000FA90h ; set map value to 0 F000:7400 out dx, eax F000:7402 mov dl, 0FCh ; 'n' F000:7404 mov al, 0 F000:7406 out dx, al F000:7407 mov dx, 0CF8h F000:740A mov eax, 8000FA24h ; set ABAR address to D0000 F000:7410 out dx, eax F000:7412 mov dl, 0FCh ; 'n' F000:7414 mov eax, 0D0000h F000:741A out dx, eax F000:741C mov dx, 0CF8h F000:741F mov eax, 8000FA04h ; offset 04h default value is 0000h F000:741F ; enable I/O space , memory space , Bus master F000:741F ; bits 0,1,2 F000:7425 out dx, eax F000:7427 mov dl, 0FCh ; 'n' F000:7429 mov al, 7 F000:742B out dx, al F000:742C mov ax, 0D000h ; focus to ABAR F000:742F mov fs, ax F000:7431 assume fs:D000 F000:7431 mov al, fs:byte_D0004 ; make a HBA reset F000:7435 or al, 1 F000:7437 mov fs:byte_D0004, al F000:743B mov dx, 0CF8h F000:743E mov eax, 8000FA04h ; disable I/O space , memory space , bus master F000:7444 out dx, eax F000:7446 mov dl, 0FCh ; 'n' F000:7448 mov al, 0 F000:744A out dx, al F000:744B retn F000:744B REI endp Next is SATA part from D810 A05 but seems like is crippled by Dell to be not OK. Code: F000:72AF ; =============== S U B R O U T I N E ======================================= F000:72AF F000:72AF F000:72AF SATA proc near F000:72AF mov edi, 0E00F8008h F000:72B5 mov al, es:[edi] F000:72B9 mov edi, 0E00FA000h F000:72BF cmp al, 0 F000:72C1 ja short loc_F72DB F000:72C3 mov ax, es:[edi+94h] F000:72CB and ax, 0FBFFh F000:72CE or ax, 400h F000:72D1 mov es:[edi+94h], ax F000:72D9 jmp short locret_F7301 F000:72DB ; --------------------------------------------------------------------------- F000:72DB F000:72DB loc_F72DB: ; CODE XREF: SATA+12j F000:72DB mov byte ptr es:[edi+0A0h], 28h ; '(' F000:72E4 mov al, es:[edi+0A6h] F000:72EC and al, 33h F000:72EE or al, 8Ch F000:72F0 mov es:[edi+0A6h], al F000:72F8 mov byte ptr es:[edi+0A0h], 0 F000:7301 F000:7301 locret_F7301: ; CODE XREF: SATA+2Aj F000:7301 retn F000:7301 SATA endp Seems like depending on some value of D31:F0 (0E00F8008h could be 8000F808h ? but offset 08h is revision id) - 1-st case set bit 10 offset 94h of SATA controller (but this bit according to datasheet of ICH6 is reserved,bit 9 is SCRAE to enable RW on offset 24h si 04h) - 2-nd case set some value at offset A0h of SATA controller and A6h but A6h I see doesn't exist ,I think it must be A4h in place.
I agree. In any case AHCIi been initialized and is enough to make I/O visible again to enable it function.Perhaps it makes the OS driver just. No there all right. I myself have long puzzled until I realized how it works. Code: D810_A05.rom SATA ABAR ENABLE FOR ICH rev.ID=00 F000:72AF F000:72AF sata: ; CODE XREF: F000:429FJ F000:72AF mov edi, 0E00F8008h ; ;E0000000-PCIEx Address Space F000:72AF; +F8000=1F*8000=Device31; F000:72AF; +0*1000=Function0; F000:72AF; I.e. we have addressed to F000:72AF; Bus0,D31:F0,reg.off.08 F000:72AF; PCI Configuration RID- F000:72AF; Revision Identification F000:72AF; Register(LPC Interface); F000:72B5 mov al, es:[edi] ; al=03(ICH6M-B0);=04(ICH6M-B1); F000:72B5 ; =xx(ICH6M-C0) F000:72B9 mov edi, 0E00FA000h ; E0000000-PCIEx Address Space; F000:72B9 ; +F8000=1F*8000=Device31; F000:72B9 ; +2000=2*1000=Function2; F000:72B9 ; I.e. we have addressed to F000:72B9 ; Bus0,D31:F2,reg.off.08 F000:72B9 ; SATA Controller RID-Revision F000:72B9 ; Identification Register; F000:72BF cmp al, 0 ; Compare Two Operands F000:72C1 ja short loc_F72DB ; ;Jump if Above (CF=0 & ZF=0) F000:72C1 F000:72C3 mov ax, es:[edi+94h] ; ;If D31:F0 PCI RID reg.al=00(default), F000:72C3; read Bus0 D31:F2 reg.off.94-95, F000:72C3; SATA Initialization register SIR, F000:72C3; bits(15:0),ax=0182h F000:72CB and ax, 0FBFFh ; ax=0182h F000:72CE or ax, 400h ; ; set bits: F000:72CE ; ... F000:72CE ; 9=1-SCR Access Enable(SCRAE)- F000:72CE ; The ABAR(D31:F2:off.24) register F000:72CE ; & MSE bit field(D31:F2:off.04:bit1) F000:72CE ; are forced to be READ/WRITE F000:72CE ; ... F000:72D1 mov es:[edi+94h], ax ; ;write ax=382h to reg.off.94-95 F000:72D1 ; SATA Initialisation Register. F000:72D9 jmp short locret_F7301 ; Jump F000:72D9 F000:72DB --------------------------------------------------------------------------- F000:72DB If D31:F0 PCI RID reg.al not equal 00 F000:72DB loc_F72DB: ; CODE XREF: F000:72C1j F000:72DB mov byte ptr es:[edi+0A0h], 28h ; ; write 28h to D31:F2 reg.off.A0 F000:72DB; SATA Indexed Registers Index bits F000:72DB; 7=0-reserved F000:72DB; 6:2=01010-Index=28,SIR28 F000:72DB; 1:0=00-reserved F000:72E4 mov al, es:[edi+0A6h] ; ; read reg.off.A4-A7,bits(23:16); F000:72E4; SATA STRD-Idexed Register Data, F000:72E4; Data from SIR28,al=8C F000:72EC and al, 33h ; al=00; F000:72EE or al, 8Ch ; al=8C; F000:72F0 mov es:[edi+0A6h], al ; ; write al=8C to SATA SIR28 F000:72F0 ; bits(23:16)=(off.A6 into A4-A7): F000:72F0 ; .. F000:72F0 ; bit22=0-BIOS leaves this bit as default F000:72F0 ; ... F000:72F0 ; bit18=1-BIOS leaves this bit as default F000:72F0 ; ... F000:72F8 mov byte ptr es:[edi+0A0h], 0 F000:72F8 F000:7301 F000:7301 locret_F7301: ; CODE XREF: F000:72D9j F000:7301 retn ; to f000:42A2 F000:7301
Algorithm of boot in D810,D610,D510 and other Continued.. Next code is executed from DRAM address 00024000-00030000 only if the label = 01 : 42) (#33)S3St- block skipped, because the label = 02. 43)(#36)umb-Do all reads and writes are serviced by DRAM address from 000C0000 to 000EFFFF, fill this segment with zeros, and do all R/W from this segment are serviced by DMI 44)(#37) SSys-do all R/W are serviced by DRAM address from 000F0000-000FFFFF, decompress fist(#01) module from compress BIOS block (00100000-00161048) to this address 45)(#39) K51r- “8051” controller initialization ???(see Note*) 46)(#3A)NICo-net adapter initialization ???(see Note*) 47)(#3B)IDEo- Test and Set SATA(IDE) ports Primary0,Primary2 and ENABLED devices DVD-ROM,HARD DISK 48)(#3D)P4cc-Pentium4 what is..i don’t know??? 49)(#3E)ClkC-transmit six bytes (HEX:F1 00 01 00 18 BA) to SMBus slave address =1101001b ??(SMBus protocol): Clock Contlol? 50)(#40) cQB –check Quard Bus?; write CMOS register #67 with value 02 (QB-OK?) 51)(#41)mk51-controller 8051 programming (I didn’t see)?? 52)(#43)EDgs-r/w CMOS register 4C?? egress port evaluable? 53)(#45)PCIe-check video (external or internal)& set chip registers (I did not look in detail) 54)(#46)GfxF-video setting (I did not look in detail) 55)(#47)GrID-set video priority (internal-high) 56)(#48)mtrr-Set next memory addresses to: a) IA32_MTRR_FIX64K_00000-memory address 00000-7FFFF- WriteBack,valid; b)IA32_MTRR_FIX16K_80000 memory address 80000-9FFFF-WriteBack,valid; c)00100000-003FFFFF-Write Back,valid d) IA32_MTRR_FIX4K_F0000: 000F0000-000F7FFF-write protect e) IA32_MTRR_FIX4K_F8000: 000F8000-000FFFFF-write protect f) IA32_MTRR_FIX4K_C0000: 000C0000-000C7FFF-write protect g) IA32_MTRR_FIX4K_C8000: 000C8000-000CBFFF-Write Protect, 000CC000-000CFFFF-Uncashable 57)(#49) DTXD-check processor ID 58)(#4B) GBIO-jump to DRAM address 000FFFA0 -entry point of first decompress BIOS block. Note*: Low-level access to the components of the motherboard done via a “LPC Generic IO decode range1 (program input/output)”: 00000900h-0000097Fh with the model code Code: 2000:5036 000 BA 10 09 mov dx, 910h _2000:5039 000 B0 85 mov al, 85h ; 'Å' _2000:503B 000 EE out dx, al _2000:503C 000 42 inc dx ; Increment by 1 _2000:503D 000 B0 00 mov al, 0 _2000:503F 000 EE out dx, al _2000:5040 000 BA 10 09 mov dx, 910h _2000:5043 000 B0 94 mov al, 94h ; 'Ô' _2000:5045 000 EE out dx, al _2000:5046 000 42 inc dx ; Increment by 1 _2000:5047 000 EC in al, dx _2000:5048 000 A8 01 test al, 1 ; Logical Compare _2000:504A 000 74 1E jz short locret_2506A ; Jump if Zero (ZF=1) _2000:504A _2000:504C 000 BA 10 09 mov dx, 910h _2000:504F 000 B0 94 mov al, 94h ; 'Ô' _2000:5051 000 EE out dx, al _2000:5052 000 42 inc dx ; Increment by 1 _2000:5053 000 B0 00 mov al, 0 _2000:5055 000 EE out dx, al _2000:5056 000 BA 10 09 mov dx, 910h _2000:5059 000 B0 94 mov al, 94h ; 'Ô' _2000:505B 000 EE out dx, al _2000:505C 000 42 inc dx ; Increment by 1 _2000:505D 000 EC in al, dx _2000:505D _2000:505E _2000:505E loc_2505E: ; CODE XREF: sub_25036+32j _2000:505E 000 BA 10 09 mov dx, 910h _2000:5061 000 B0 84 mov al, 84h ; 'Ä' _2000:5063 000 EE out dx, al _2000:5064 000 42 inc dx ; Increment by 1 _2000:5065 000 EC in al, dx _2000:5066 000 A8 01 test al, 1 ; Logical Compare _2000:5068 000 75 F4 jnz short loc_2505E ; Jump if Not Zero (ZF=0) _2000:5068 I could not understand how it works. Maybe someone knows the ropes.
Hello, I have a dead DELL GX240 BIOS. What file should I use to program it with external programmer. I have extracted .rom and .hdr file from the .exe using -writehdrfile and -writeromfile commands. I guess it is the .rom file I should use but I am new to BIOS programming.
GX240? That like 10 years old machine... Not the best candidate for modding (it was hardly ever running XP) sebus
Can not agree more. The BIOS just died after wrong flash procedure. I never intended to mod it but to have it up and running again. It's working fine as a mp3 player with 512MB RAM. Thank you aascut for your reply I'll try it right away...
DELL boot memory map I drew a map, it may be helpful to someone. State after working out of BIOS boot block : Code: Memory allocation in boot for DELL D810 (1Mb bios code,as example) ->the upper limit4 Gigabytes |address range |?| Dec.Range |alias addres |size kB| --------------------------------------------------------------------- |FFFF0000-FFFFFFFF|BIOS CODE|Firware Hub|000F0000-000FFFFF|64 | |FFFE0000-FFFEFFFF|BIOS CODE|Firware Hub|000E0000-000EFFFF|64 | |FFFD0000-FFFDFFFF|BIOS CODE|Firware Hub|000D0000-000DFFFF|64 | |FFFC0000-FFFCFFFF|BIOS CODE|Firware Hub|000C0000-000CFFFF|64 | |FFFB0000-FFFBFFFF|BIOS CODE|Firware Hub|000B0000-000BFFFF|64 | |FFFA0000-FFFAFFFF|BIOS CODE|Firware Hub|000A0000-000AFFFF|64 | |FFF90000-FFF9FFFF|BIOS CODE|Firware Hub|00090000-0009FFFF|64 | |FFF80000-FFF8FFFF|BIOS CODE|Firware Hub|00080000-0008FFFF|64 | |FFF70000-FFF7FFFF|BIOS CODE|Firware Hub|00070000-0007FFFF|64 | |FFF60000-FFF6FFFF|BIOS CODE|Firware Hub|00060000-0006FFFF|64 | |FFF50000-FFF5FFFF|BIOS CODE|Firware Hub|00050000-0005FFFF|64 | |FFF40000-FFF4FFFF|BIOS CODE|Firware Hub|00040000-0004FFFF|64 | |FFF30000-FFF3FFFF|BIOS CODE|Firware Hub|00030000-0003FFFF|64 | |FFF20000-FFF2FFFF|BIOS CODE|Firware Hub|00020000-0002FFFF|64 | |FFF10000-FFF1FFFF|BIOS CODE|Firware Hub|00010000-0001FFFF|64 | |FFF00000-FFF0FFFF|BIOS CODE|Firware Hub|00000000-0000FFFF|64 | ..................................................................... --------------------------------------------------------------------- |address range | comments |size kB| --------------------------------------------------------------------- |FFE80000-FFEFFFFF|IDSEL=3 Firware Hub Decode Range |512 | |FFE00000-FFE7FFFF|IDSEL=1 Firware Hub Decode Range |512 | |FFB80000-FFBFFFFF|Firware Hub Decode Range |512 | |FFB00000-FFB7FFFF|Firware Hub Decode Range |512 | |FFA80800-FFA80BFF|BAR EHCI Controller USB 2.0 |1 | |FFA80000-FFAFFFFF|IDSEL=3 Firware Hub Decode Range |512 | |FFA00000-FFA7FFFF|IDSEL=1 Firware Hub Decode Range |512 | |FF000000-FFFFFFFF|PCI_TO_PCI Bridge memory space |? | ..................................................................... |FEDA0000-FEDBFFFF| Extended SMRAM Write Through |128 | |FED00000-FED003FF| High Precision Timer Config address |1 | |FEC00000 |APIC Direct Index register |8bit | |FEC00010 |APIC Direct Data register |32bit | |FEC00040 |APIC Direct EOI register |32bit | ..................................................................... |F0008000-F000BFFF|Chipset Root Complex Base address |16 | |F0007000-F0007FFF|Empty |4 | |F0006000-F0006FFF|Egress Port Root Complex Base address |4 | |F0005000-F0005FFF|Egress Port Root Complex Base address |4 | |F0004000-F0004FFF|DMI Root Complex Base address |4 | |F0000000-F0003FFF|GMCH Base address |16 | |E0000000-EFFFFFFF|PClEx Base address |256000 | ..................................................................... |10E00000 |I/O Trap Register 1 address RW trap cycle| | ..................................................................... |08000000 |I/O Trap Register 2 address RW trap cycle| | ..................................................................... |03F40000 |I/O Trap Register 3 addressW trap cycle| | ..................................................................... |00600000 |I/O Trap Register 0 address RW trap cycle| | ..................................................................... |00100000-00161048|copy BIOS Compressed Block into DRAM |388?? | ..................................................................... |000FF000-000FFFFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4 | |000FE000-000FEFFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4 | |000FD000-000FDFFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4 | |000FC000-000FCFFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4 | |000FB000-000FBFFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4 | |000FA000-000FAFFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4 | |000F9000-000F9FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4 | |000F8000-000F8FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4 | |000F7000-000F7FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4 | |000F6000-000F6FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4 | |000F5000-000F5FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4 | |000F4000-000F4FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4 | |000F3000-000F3FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4 | |000F2000-000F2FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4 | |000F1000-000F1FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4 | |000F0000-000F0FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4 | |000EC000-000EFFFF|write protect,RW direct DMI |16 | |000E8000-000EBFFF|write protect,RW direct DMI |16 | |000E4000-000E7FFF|write protect,RW direct DMI |16 | |000E0000-000E3FFF|write protect,RW direct DMI |16 | |000DC000-000DFFFF|write protect,RW direct DMI |16 | |000D8000-000DBFFF|write protect,RW direct DMI |16 | |000D4000-000D7FFF|write protect,RW direct DMI |16 | |000D0000-000D3FFF|AHCI BASE ADDRESS,write pr.,RW direct DMI|16 | |000CC000-000CFFFF|write protect,RW direct DMI |16 | |000C8000-000CBFFF|write protect,RW direct DMI |16 | |000C4000-000C7FFF|write protect,RW direct DMI |16 | |000C0000-000C3FFF|write protect,RW direct DMI |16 | |000B8000-000BFFFF|SMM (default) |32 | |000B0000-000B7FFF|SM RAM (default) or Monochrome Device |32 | | |Adapter (MDA) resurses for 10 port B4h, | | | |3B5h,3B8h,3B9h,3BAh,3BFh;write protect | | |A0000-000AFFFF |SM RAM (default) or Legacy Video |64 | ..................................................................... |00024000-00030000|CopyBIOS Boot Block into DRAM | | |000010С0-000010DF|SMBUS Base Address(IO port) |32bytes| |00001080-000010BF|GPIO Base Address(IO port) |64bytes| |00001000-0000107F|Power Management Base Address(IO port) |128byte| ..................................................................... |00000BFA-00000BFF|SATA Legasy Base Address (I/O port) |6 bytes| ..................................................................... |00000900-0000097F|LPC Generic I/O decode range 1 |128byte| | | (program input/output)??? | | ..................................................................... |000003F8-000003FF|ComA&ComB decode range(I/O port) |8bytes | ..................................................................... |000003E0 |PC Card 16-bit I/F legacy-mode |64bytes| | |base address for the ExCA index register | | ..................................................................... |00000378-0000037F|LPT decode range(I/O port) |8bytes | |00000377 |FDD decode range(secondary) |1byte | |00000370-00000375|FDD decode range(I/O port) |6bytes | ..................................................................... |8C,8D,8E |Addresses sends to PCI for generate POST CODES | |88 |Addresses sends to PCI for generate POST CODES | |84,85,86 |Addresses sends to PCI for generate POST CODES | |80 |Addresses sends to PCI for generate POST CODES | |70,71 |CMOS decode range(I/O port) | |62;66 |Embedded Controller I/O port | |60;64 |KBC decode range (I/O port) | |4E;4F |Microcontroller decode range(I/O port) | |2E;2F |Super IO decod range (I/O port) | .....................................................................
This was post #692 in this thread. Its from 6 mos ago when user "WINDOWS 7" was trying to flash a modified bios to his Dell 4700 to enable Cedar Mill support. I would also like to know whether it worked and how a .hdr file is flashed to a Dell. I have tried seemingly everything and can't get the hdr file to flash.
I found how it works! It turns out I did not go looking in the code and missed the point. Look "SIOi" module: Code: D810_A05.rom: F000:4ACD ; --------------------------------------------------------------------------- F000:4ACD Super IO chip programm turn F000:4ACD F000:4ACD SIOi: ; CODE XREF: F000:429FJ F000:4ACD BA 2E 00 mov dx, 2Eh ; '.' F000:4AD0 B0 55 mov al, 55h ; 'U' F000:4AD2 EE out dx, al F000:4AD3 EE out dx, al ; ENTER CONFIGURATION MODE: F000:4AD3 ; write key"55h" to port 2Eh F000:4AD3 ; Configuration state enable! .....bla-bla-bla .... F000:4AF2 B4 09 mov ah, 9 F000:4AF4 BA 2E 00 mov dx, 2Eh ; '.' F000:4AF7 B0 07 mov al, 7 F000:4AF9 EE out dx, al F000:4AFA 42 inc dx ; Increment by 1 F000:4AFB 8A C4 mov al, ah F000:4AFD EE out dx, al ; write 09 to reg.#07: F000:4AFD ; select Logical Device #9 F000:4AFD ; F000:4AFE BA 2E 00 mov dx, 2Eh ; '.' F000:4B01 B0 30 mov al, 30h ; '0' F000:4B03 EE out dx, al ; Logical Device #9,reg#30: F000:4B04 42 inc dx ; Increment by 1 F000:4B05 B0 01 mov al, 1 F000:4B07 EE out dx, al ; write 01 to reg.30- F000:4B07 ; activate Logical Device #9 F000:4B07 ; -Mailbox Registers F000:4B08 B8 10 09 mov ax, 910h F000:4B0B BA 2E 00 mov dx, 2Eh ; '.' F000:4B0E B0 60 mov al, 60h ; '`' F000:4B10 EE out dx, al ; Config mode: Logical Device #9 F000:4B10 ; -Mailbox Registers F000:4B11 42 inc dx ; Increment by 1 F000:4B12 8A C4 mov al, ah ; al=09; F000:4B14 EE out dx, al ; write I/O base address bits 15:8 F000:4B14 ; al=09 F000:4B15 B8 10 09 mov ax, 910h F000:4B18 8A E0 mov ah, al ; ah=10 F000:4B1A BA 2E 00 mov dx, 2Eh ; '.' F000:4B1D B0 61 mov al, 61h ; 'a' F000:4B1F EE out dx, al ; write I/O base address bits 7:0 F000:4B20 42 inc dx ; Increment by 1 F000:4B21 8A C4 mov al, ah F000:4B23 EE out dx, al ; write I/O base address bits 7:0 F000:4B23 ; al=10 F000:4B23 ; Base address for Mailbox F000:4B23 ; (Logical device#9)=910h .....i.t.c.. i.e. port 910(index)/911 data is LPC interface "from-to" ICH and 8051(Embedded Controller or Super IO controller). They communicate with each other through mailboxes registers (MBX**).