Dell bios, how to decompose / mod.

Discussion in 'BIOS Mods' started by wolf69, Nov 21, 2009.

  1. gabiz_ro

    gabiz_ro MDL Member

    #701 gabiz_ro, Nov 6, 2011
    Last edited by a moderator: Apr 20, 2017
    The second module, the one starting with LoPo, has similar addressing.
    I resized the number of bytes to make it easier to see.
    Code:
    00000000   00 0D 06 10 00 68 00 10  56 73 69 44 55   .....h..VsiDU
    0000000D   00 00 00 00 55 0B 00 10  53 4F 4D 43 56   ....U...SOMCV
    0000001A   00 00 07 10 B4 0B 00 10  72 6D 69 54 57   ....´...rmiTW
    00000027   00 00 08 10 17 0C 00 10  20 41 4D 44 58   ........ AMDX
    00000034   00 00 09 10 99 0C 00 10  65 67 50 44 59   ....™...egPDY
    color still not clear what means
    Red is address of code assuming module is loaded at 10000h
    Blue is name
    black most probably is function number

    Hope this is correct.
     
  2. aascut

    aascut MDL Junior Member

    Yes, you are right! color - this is a label. If label=00000000, there is a direct transition to the address in "oPoL" :). If the label is not equal to 00000000, there is a procedure of asking devices on the LPC protocol. But I still have not figured out how it works :(. It's very difficult for me.
     
  3. aascut

    aascut MDL Junior Member

    Algorithm of boot in D810,D610,D510 and other

    Continued....
    I have researched only the branch from label 01, as it is the longest and most logical. I did not investigate the branch labeled 02, but I think that it is linked to emergency BIOS operation. If anyone ever has the desire, you can dig deeper.
    The boot block sets up the basic chipset registers and CMOS memory. By and large there is nothing interesting except for one thing: setting the base address registers of the chipset devices. Later I'll show you how important this is.
    Meanwhile I "decipher" the ASCII codes of the boot-block modules. The initial label value = 03.
    1)(#01) "SaDX" - save dx (dx holds the CPU ID after start)
    2)(#02) "REI " - SIO chip enable, keyboard enable, sets LPC Generic Decode Range 1 = 0900h; sets ABAR - AHCI Base Address Register = 000D0000, and disables one :D.
    3)(#03) "SIOi" - checks and initializes the SIO; on error, seeks floppy
    4)(#0F) "Shdn" - checks the computer shutdown condition; first branching: if shutdown with power_on -> label=03; if soft reset and DRAM was initialized -> label=04:
    5)(#34) "eShn" - executes only if label=04; jumps to DRAM address 000FFFA0, where we have already unpacked module 01_1.rom
    6)(#12) "pre_" - checks the MCH SMRAM register default value
    7)(#04) "boot" - second branching: checks the KBC input buffer; if it is empty -> label=01, full -> 02
    8)(#05) "PmAB" - Protected Mode enable
    9)(#08) "Cach" - processor cache enable
    10)(#0A) "RTCp" - writes CMOS
    11)(#0C) "InAP" - programs the LINT0 and LINT1 local APIC pins on a processor
    12)(#10) "uCOD" - processor microcode update
    13)(#11) "BanF" - checks for and bans old processor model (P-III)
    14)(#14) "Fdis" - executes if label=02
    15)(#15) "MIO1" - sets Chipset Root Complex Base address=F0008000
    16)(#16) "MIO2" - sets Egress Port Base address for PCIEx=F0005000; GMCH Base address=F0000000; PCIEx Base address=E0000000; DMI Root Complex Base address=F0004000; and the chipset verifies the installation of an external graphics card.
    17)(#44) "Exp1" - enables PCIEx Graphics mode if there is an external graphics card

    To be continued...:)
     
  4. gabiz_ro

    gabiz_ro MDL Member

    Very good info.
    A small question: Fdis, as far as I can see from disassembling, is Function Disable, southbridge RCBA offset 3418-341Bh.
    And this, I think, must always be done, or the BIOS sets up RCBA first and Fdis just restores previously saved registers.
     
  5. aascut

    aascut MDL Junior Member

    #705 aascut, Nov 9, 2011
    Last edited by a moderator: Apr 20, 2017
    I see that this makes the F segment (000F0000-000FFFFF) uncacheable, look:
    Code:
    D810_A05.rom code
       _F segment disable Uncacheable
    F000:45A6
    F000:45A6                          Fdis:                   ; CODE XREF: F000:429FJ
    F000:45A6 66 33 C0              xor   eax, eax      ; eax=00000000;
    F000:45A9 66 8B D0              mov   edx, eax     ; edx=00000000;
    F000:45AC 66 B9 6E 02 00 00 mov   ecx, 26Eh
    F000:45B2 0F 30                  wrmsr                 ; MTRR_fix_4k F0000=00000000
    F000:45B2                                                   ; eight 4kB ranges are uncacheable:
    F000:45B2                                                   ; F7000-F7FFF,F6000-F6FFF,
    F000:45B2                                                   ; F5000-F5FFF,F4000-F4FFF,
    F000:45B2                                                   ; F3000-F3FFF,F2000-F2FFF,
    F000:45B2                                                   ; F1000-F1FFF,F0000-F0FFF.
    F000:45B4 66 B9 6F 02 00 00 mov   ecx, 26Fh
    F000:45BA 0F 30                  wrmsr                 ; MTRR_fix_4k F8000=00000000
    F000:45BA                                                   ; eight 4kB ranges are uncacheable:
    F000:45BA                                                   ; FF000-FFFFF,FE000-FEFFF,
    F000:45BA                                                   ; FD000-FDFFF,FC000-FCFFF,
    F000:45BA                                                   ; FB000-FBFFF,FA000-FAFFF,
    F000:45BA                                                   ; F9000-F9FFF,F8000-F8FFF.
    F000:45BC C3                       retn                  ; return f000:42A2
    F000:45BC
    
     
  6. aascut

    aascut MDL Junior Member

    #706 aascut, Nov 17, 2011
    Last edited: Nov 17, 2011
    Algorithm of boot in D810,D610,D510 and other

    Continued....

    The next blocks execute with any label (01 or 02)
    18)(#17) ChDf - this is the main block of chipset register setup, aka Chipset Define, very huge. It writes VID and SID to all chipset devices. So it sets the main registers for MCH, ICH, UHCI, EHCI, PCI Express, SATA, IDE, USB, LPT, COM, Power Management etc.
    19)(#18) sata - identifies the ICH revision & enables the SATA ABAR register (makes it R/W)
    The next block executes only with label=01
    20)(#1A) VIDi - initialization of video status ports (registers)
    The next block executes only with label=02
    21)(#1B) nmiF - port 61 (KBC or PPI) read-write
    The next blocks execute with any label (01 or 02)
    22)(#1C) SMBd - writes Received Slave Address for SMBus
    23)(#1D) ExCa - sets IRQ for ExCa Card 16 bit I/O legacy mode
    24)(#1E) GPIO - programming GPIO pins
    25)(#1F) CMOp - writing CMOS register 78
    26)(#20) IRQe - master and slave PIC enabled
    27)(#21) A20e - Fast A20 and INIT# enable
    The next blocks execute only with label=01
    28)(#22) CCMe - clears CMOS register 69
    29)(#23) CMCU - reads MSR IA32_BIOS_SIGN_ID; any non-zero value is the microcode update signature; writes CMOS register [69]=10h
    30)(#24) LEGi - Timer Counter #1 init
    The next blocks execute only with label=02
    31)(#25) SMBt - SMBus test
    32)(#26) CRFl - Power Management Control and status registers R/W
    The next block executes only with label=01
    33)(#27) MCH0 - DRAM initialization
    The next block executes only with label=02
    34)(#28) MCH3 - DRAM initialization
    The next blocks execute only with label=01
    35)(#29) rWBf - CMOS register 5B: checks if =0 - escape; if not, writes [5B]=0 and writes into DRAM [00000467]=1234 ("Alt+Ctrl+Del")
    36)(#2D) SHAD - copies ROM boot segment F (3000h dwords = C000h bytes) to a new address in DRAM, 00024000-00030000, and copies the compressed ROM segment (61048h bytes) to a new DRAM address, 00100000-00161048
    37)(#2F) DSpC - NOP
    The next blocks execute with any label (01 or 02)
    38)(#30) PMup - Power Memory registers update (ACPI for DRAM)
    39)(#30) ICHu - ICH EHCI controller update
    The next blocks execute only with label=01
    40)(#31) USB - setting EHCI Memory base address
    41)(#32) Real - jumping to the DRAM copy of ROM boot segment F

    To be continued...
     
  7. gabiz_ro

    gabiz_ro MDL Member

    #707 gabiz_ro, Nov 23, 2011
    Last edited by a moderator: Apr 20, 2017
    At first, because I hadn't looked at the D810 BIOS and I know the Dx10 series use IDE disks, I thought it was a lost piece of code left behind by BIOS programmers at Dell.

    Now I have taken a look at some schematics and see that a SATA to IDE bridge (Marvell 88SA8040) is used.

    So
    2)(#02) "REI " in the end sets the map value to 0, defines the ABAR address as D0000h, enables I/O space, memory space and Bus master, then makes an HBA reset and then disables I/O space, memory space and bus master.
    Code:
    F000:73FA                 mov     eax, 8000FA90h  ; set map value to 0
    F000:7400                 out     dx, eax
    F000:7402                 mov     dl, 0FCh ; 'n'
    F000:7404                 mov     al, 0
    F000:7406                 out     dx, al
    F000:7407                 mov     dx, 0CF8h
    F000:740A                 mov     eax, 8000FA24h  ; set ABAR address to D0000
    F000:7410                 out     dx, eax
    F000:7412                 mov     dl, 0FCh ; 'n'
    F000:7414                 mov     eax, 0D0000h
    F000:741A                 out     dx, eax
    F000:741C                 mov     dx, 0CF8h
    F000:741F                 mov     eax, 8000FA04h  ; offset 04h default value is 0000h
    F000:741F                                         ; enable I/O space , memory space , Bus master
    F000:741F                                         ; bits 0,1,2
    F000:7425                 out     dx, eax
    F000:7427                 mov     dl, 0FCh ; 'n'
    F000:7429                 mov     al, 7
    F000:742B                 out     dx, al
    F000:742C                 mov     ax, 0D000h      ; focus to ABAR
    F000:742F                 mov     fs, ax
    F000:7431                 assume fs:D000
    F000:7431                 mov     al, fs:byte_D0004 ; make a HBA reset
    F000:7435                 or      al, 1
    F000:7437                 mov     fs:byte_D0004, al
    F000:743B                 mov     dx, 0CF8h
    F000:743E                 mov     eax, 8000FA04h  ; disable I/O space , memory space , bus master
    F000:7444                 out     dx, eax
    F000:7446                 mov     dl, 0FCh ; 'n'
    F000:7448                 mov     al, 0
    F000:744A                 out     dx, al
    F000:744B                 retn
    F000:744B REI             endp
    

    Next is the SATA part from D810 A05, but it seems like it was crippled by Dell to be not OK.
    Code:
    F000:72AF ; =============== S U B R O U T I N E =======================================
    F000:72AF
    F000:72AF
    F000:72AF SATA            proc near
    F000:72AF                 mov     edi, 0E00F8008h
    F000:72B5                 mov     al, es:[edi]
    F000:72B9                 mov     edi, 0E00FA000h
    F000:72BF                 cmp     al, 0
    F000:72C1                 ja      short loc_F72DB
    F000:72C3                 mov     ax, es:[edi+94h]
    F000:72CB                 and     ax, 0FBFFh
    F000:72CE                 or      ax, 400h
    F000:72D1                 mov     es:[edi+94h], ax
    F000:72D9                 jmp     short locret_F7301
    F000:72DB ; ---------------------------------------------------------------------------
    F000:72DB
    F000:72DB loc_F72DB:                              ; CODE XREF: SATA+12j
    F000:72DB                 mov     byte ptr es:[edi+0A0h], 28h ; '('
    F000:72E4                 mov     al, es:[edi+0A6h]
    F000:72EC                 and     al, 33h
    F000:72EE                 or      al, 8Ch
    F000:72F0                 mov     es:[edi+0A6h], al
    F000:72F8                 mov     byte ptr es:[edi+0A0h], 0
    F000:7301
    F000:7301 locret_F7301:                           ; CODE XREF: SATA+2Aj
    F000:7301                 retn
    F000:7301 SATA            endp
    
    It seems to depend on some value of D31:F0 (0E00F8008h could be 8000F808h? but offset 08h is revision id)
    - 1st case: sets bit 10 at offset 94h of the SATA controller (but this bit, according to the ICH6 datasheet, is reserved; bit 9 is SCRAE, to enable RW on offsets 24h and 04h)
    - 2nd case: sets some value at offset A0h of the SATA controller and at A6h, but A6h, as I see, doesn't exist; I think it must be A4h instead.
     
  8. aascut

    aascut MDL Junior Member

    #708 aascut, Nov 24, 2011
    Last edited by a moderator: Apr 20, 2017
    I agree. In any case AHCI has been initialized, and it is enough to make I/O visible again to enable its function. Perhaps the OS driver does just that.

    No, it's all right there. I myself puzzled for a long time until I realized how it works.:biggrin:
    Code:
    D810_A05.rom
    SATA ABAR ENABLE
    FOR ICH rev.ID=00
    F000:72AF
    F000:72AF sata:                               ; CODE XREF: F000:429FJ
    F000:72AF   mov   edi, 0E00F8008h             ; E0000000-PCIEx Address Space
    F000:72AF                                     ; +F8000=1F*8000=Device31;
    F000:72AF                                     ; +0*1000=Function0;
    F000:72AF                                     ; I.e. we have addressed to
    F000:72AF                                     ; Bus0,D31:F0,reg.off.08
    F000:72AF                                     ; PCI Configuration RID-
    F000:72AF                                     ; Revision Identification
    F000:72AF                                     ; Register(LPC Interface);
    F000:72B5   mov   al, es:[edi]                ; al=03(ICH6M-B0);=04(ICH6M-B1);
    F000:72B5                                     ; =xx(ICH6M-C0)
    F000:72B9   mov   edi, 0E00FA000h             ; E0000000-PCIEx Address Space;
    F000:72B9                                     ; +F8000=1F*8000=Device31;
    F000:72B9                                     ; +2000=2*1000=Function2;
    F000:72B9                                     ; I.e. we have addressed to
    F000:72B9                                     ; Bus0,D31:F2,reg.off.08
    F000:72B9                                     ; SATA Controller RID-Revision
    F000:72B9                                     ; Identification Register;
    F000:72BF   cmp   al, 0                       ; Compare Two Operands
    F000:72C1   ja    short loc_F72DB             ; Jump if Above (CF=0 & ZF=0)
    F000:72C1
    F000:72C3   mov   ax, es:[edi+94h]            ; If D31:F0 PCI RID reg.al=00(default),
    F000:72C3                                     ; read Bus0 D31:F2 reg.off.94-95,
    F000:72C3                                     ; SATA Initialization register SIR,
    F000:72C3                                     ; bits(15:0),ax=0182h
    F000:72CB   and   ax, 0FBFFh                  ; ax=0182h
    F000:72CE   or    ax, 400h                    ; set bits:
    F000:72CE                                     ; ...
    F000:72CE                                     ; 9=1-SCR Access Enable(SCRAE)-
    F000:72CE                                     ; The ABAR(D31:F2:off.24) register
    F000:72CE                                     ; & MSE bit field(D31:F2:off.04:bit1)
    F000:72CE                                     ; are forced to be READ/WRITE
    F000:72CE                                     ; ...
    F000:72D1   mov   es:[edi+94h], ax            ; write ax=382h to reg.off.94-95
    F000:72D1                                     ; SATA Initialisation Register.
    F000:72D9   jmp   short locret_F7301          ; Jump
    F000:72D9
    F000:72DB ; ---------------------------------------------------------------------------
    F000:72DB ; If D31:F0 PCI RID reg.al not equal 00
    F000:72DB loc_F72DB:                          ; CODE XREF: F000:72C1j
    F000:72DB   mov   byte ptr es:[edi+0A0h], 28h ; write 28h to D31:F2 reg.off.A0
    F000:72DB                                     ; SATA Indexed Registers Index bits
    F000:72DB                                     ; 7=0-reserved
    F000:72DB                                     ; 6:2=01010-Index=28,SIR28
    F000:72DB                                     ; 1:0=00-reserved
    F000:72E4   mov   al, es:[edi+0A6h]           ; read reg.off.A4-A7,bits(23:16);
    F000:72E4                                     ; SATA STRD-Indexed Register Data,
    F000:72E4                                     ; Data from SIR28,al=8C
    F000:72EC   and   al, 33h                     ; al=00;
    F000:72EE   or    al, 8Ch                     ; al=8C;
    F000:72F0   mov   es:[edi+0A6h], al           ; write al=8C to SATA SIR28
    F000:72F0                                     ; bits(23:16)=(off.A6 into A4-A7):
    F000:72F0                                     ; ..
    F000:72F0                                     ; bit22=0-BIOS leaves this bit as default
    F000:72F0                                     ; ...
    F000:72F0                                     ; bit18=1-BIOS leaves this bit as default
    F000:72F0                                     ; ...
    F000:72F8   mov   byte ptr es:[edi+0A0h], 0
    F000:72F8
    F000:7301
    F000:7301 locret_F7301:                       ; CODE XREF: F000:72D9j
    F000:7301   retn                              ; to f000:42A2
    F000:7301
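
Added example, not part of any post in this thread: a decoder for the two PCI configuration address forms that appear in the REI and SATA listings above (dwords written to port 0CF8h, and memory-mapped addresses inside the E0000000 PCIEx window). The base address is the one the thread reports for MIO2; the bit layouts are the standard PCI ones, and all function names are this example's own.

```python
"""Decode PCI configuration addresses in both forms used by the listings."""
from typing import NamedTuple, Tuple

ECAM_BASE = 0xE0000000   # "PCIEx Base address" from the thread (MIO2 step)
ECAM_SIZE = 256 << 20    # 256 buses x 1 MiB of configuration space each


class PciAddr(NamedTuple):
    bus: int
    dev: int
    func: int
    reg: int

    def __str__(self) -> str:
        return f"B{self.bus}:D{self.dev}:F{self.func} reg {self.reg:02X}h"


def decode_cf8(value: int) -> PciAddr:
    """Dword written to port 0CF8h (legacy configuration mechanism #1)."""
    if not value & 0x80000000:
        raise ValueError(f"{value:08X}h: enable bit 31 is clear")
    if value & 0x7F000000:
        raise ValueError(f"{value:08X}h: reserved bits 30:24 are set")
    # bits 23:16 bus, 15:11 device, 10:8 function, 7:2 dword register
    return PciAddr((value >> 16) & 0xFF, (value >> 11) & 0x1F,
                   (value >> 8) & 0x07, value & 0xFC)


def decode_ecam(addr: int, base: int = ECAM_BASE) -> PciAddr:
    """Memory-mapped form: base + bus*100000h + dev*8000h + func*1000h + reg."""
    off = addr - base
    if not 0 <= off < ECAM_SIZE:
        raise ValueError(f"{addr:08X}h is outside the configuration window")
    return PciAddr(off >> 20, (off >> 15) & 0x1F, (off >> 12) & 0x07, off & 0xFFF)


def encode_ecam(a: PciAddr, base: int = ECAM_BASE) -> int:
    return base | (a.bus << 20) | (a.dev << 15) | (a.func << 12) | a.reg


def cf8_access(a: PciAddr) -> Tuple[int, int]:
    """Return (dword for port 0CF8h, data port) that reaches the same byte.

    Port 0CF8h only selects a dword-aligned register, so the low two bits of
    the register number choose the byte lane at data ports 0CFCh..0CFFh.
    """
    if a.reg > 0xFF:
        raise ValueError("registers above FFh are reachable only via MMIO")
    cf8 = 0x80000000 | (a.bus << 16) | (a.dev << 11) | (a.func << 8) | (a.reg & 0xFC)
    return cf8, 0xCFC + (a.reg & 3)


# Values copied from the listings in the thread.
LISTING_CF8 = [0x8000FA90, 0x8000FA24, 0x8000FA04]
LISTING_MMIO = [0xE00F8008, 0xE00FA000 + 0x94, 0xE00FA000 + 0xA0, 0xE00FA000 + 0xA6]


def report() -> list:
    lines = [f"CF8  {v:08X}h -> {decode_cf8(v)}" for v in LISTING_CF8]
    for v in LISTING_MMIO:
        a = decode_ecam(v)
        cf8, port = cf8_access(a)
        lines.append(f"MMIO {v:08X}h -> {a} (CF8 {cf8:08X}h, data port {port:04X}h)")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

The byte at register A6h maps to CF8 dword register A4h with data port 0CFEh, which is why both "A6h" and "A4-A7, bits 23:16" describe the same location.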
    
     
  9. aascut

    aascut MDL Junior Member

    #709 aascut, Dec 8, 2011
    Last edited by a moderator: Apr 20, 2017
    Algorithm of boot in D810,D610,D510 and other

    Continued..
    The next code is executed from DRAM address 00024000-00030000 only if the label = 01:
    42)(#33) S3St - block skipped, because the label = 02.
    43)(#36) umb - makes all reads and writes to addresses 000C0000 to 000EFFFF be serviced by DRAM, fills this segment with zeros, and makes all R/W to this segment be serviced by DMI
    44)(#37) SSys - makes all R/W to addresses 000F0000-000FFFFF be serviced by DRAM, decompresses the first (#01) module from the compressed BIOS block (00100000-00161048) to this address
    45)(#39) K51r - "8051" controller initialization ??? (see Note*)
    46)(#3A) NICo - net adapter initialization ??? (see Note*)
    47)(#3B) IDEo - tests and sets SATA (IDE) ports Primary0, Primary2 and ENABLED devices DVD-ROM, HARD DISK
    48)(#3D) P4cc - Pentium4, what it is... I don't know???
    49)(#3E) ClkC - transmits six bytes (HEX: F1 00 01 00 18 BA) to SMBus slave address =1101001b ?? (SMBus protocol): Clock Control?
    50)(#40) cQB - check Quard Bus?; writes CMOS register #67 with value 02 (QB-OK?)
    51)(#41) mk51 - controller 8051 programming (I didn't see)??
    52)(#43) EDgs - r/w CMOS register 4C?? egress port evaluable?
    53)(#45) PCIe - checks video (external or internal) & sets chip registers (I did not look in detail)
    54)(#46) GfxF - video setting (I did not look in detail)
    55)(#47) GrID - sets video priority (internal-high)
    56)(#48) mtrr - sets the next memory addresses to:
    a) IA32_MTRR_FIX64K_00000: memory address 00000-7FFFF - Write Back, valid;
    b) IA32_MTRR_FIX16K_80000: memory address 80000-9FFFF - Write Back, valid;
    c) 00100000-003FFFFF - Write Back, valid
    d) IA32_MTRR_FIX4K_F0000: 000F0000-000F7FFF - Write Protect
    e) IA32_MTRR_FIX4K_F8000: 000F8000-000FFFFF - Write Protect
    f) IA32_MTRR_FIX4K_C0000: 000C0000-000C7FFF - Write Protect
    g) IA32_MTRR_FIX4K_C8000: 000C8000-000CBFFF - Write Protect,
    000CC000-000CFFFF - Uncacheable
    57)(#49) DTXD - checks processor ID
    58)(#4B) GBIO - jumps to DRAM address 000FFFA0 - entry point of the first decompressed BIOS block.

    Note*: Low-level access to the components of the motherboard is done via the "LPC Generic IO decode range 1 (program input/output)": 00000900h-0000097Fh, with the model code
    Code:
    2000:5036 000 BA 10 09                       mov   dx, 910h
    _2000:5039 000 B0 85                          mov   al, 85h ; 'Å'
    _2000:503B 000 EE                             out   dx, al
    _2000:503C 000 42                             inc   dx                      ; Increment by 1
    _2000:503D 000 B0 00                          mov   al, 0
    _2000:503F 000 EE                             out   dx, al
    _2000:5040 000 BA 10 09                       mov   dx, 910h
    _2000:5043 000 B0 94                          mov   al, 94h ; 'Ô'
    _2000:5045 000 EE                             out   dx, al
    _2000:5046 000 42                             inc   dx                      ; Increment by 1
    _2000:5047 000 EC                             in    al, dx
    _2000:5048 000 A8 01                          test  al, 1                   ; Logical Compare
    _2000:504A 000 74 1E                          jz    short locret_2506A      ; Jump if Zero (ZF=1)
    _2000:504A
    _2000:504C 000 BA 10 09                       mov   dx, 910h
    _2000:504F 000 B0 94                          mov   al, 94h ; 'Ô'
    _2000:5051 000 EE                             out   dx, al
    _2000:5052 000 42                             inc   dx                      ; Increment by 1
    _2000:5053 000 B0 00                          mov   al, 0
    _2000:5055 000 EE                             out   dx, al
    _2000:5056 000 BA 10 09                       mov   dx, 910h
    _2000:5059 000 B0 94                          mov   al, 94h ; 'Ô'
    _2000:505B 000 EE                             out   dx, al
    _2000:505C 000 42                             inc   dx                      ; Increment by 1
    _2000:505D 000 EC                             in    al, dx
    _2000:505D
    _2000:505E
    _2000:505E                          loc_2505E:                              ; CODE XREF: sub_25036+32j
    _2000:505E 000 BA 10 09                       mov   dx, 910h
    _2000:5061 000 B0 84                          mov   al, 84h ; 'Ä'
    _2000:5063 000 EE                             out   dx, al
    _2000:5064 000 42                             inc   dx                      ; Increment by 1
    _2000:5065 000 EC                             in    al, dx
    _2000:5066 000 A8 01                          test  al, 1                   ; Logical Compare
    _2000:5068 000 75 F4                          jnz   short loc_2505E         ; Jump if Not Zero (ZF=0)
    _2000:5068
    
    I could not understand how it works.:confused: Maybe someone knows the ropes.
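
Added example, not part of any post in this thread: a decoder for the fixed-range MTRR MSRs that the Fdis listing writes (26Eh, 26Fh) and that step 56 "mtrr" programs. The MSR numbers and memory-type encodings are the architectural ones from the Intel SDM; the value used for MSR 269h in the test is constructed to match item g) of the post, not read from the ROM.

```python
"""Turn a fixed-range MTRR MSR value into address ranges and memory types."""
from typing import List, Tuple

# One byte per sub-range; architectural memory type encodings.
MEM_TYPES = {0x00: "UC", 0x01: "WC", 0x04: "WT", 0x05: "WP", 0x06: "WB"}

# MSR index -> (name, first address covered, size of each of the 8 sub-ranges)
FIXED_MTRRS = {
    0x250: ("IA32_MTRR_FIX64K_00000", 0x00000, 0x10000),
    0x258: ("IA32_MTRR_FIX16K_80000", 0x80000, 0x4000),
    0x259: ("IA32_MTRR_FIX16K_A0000", 0xA0000, 0x4000),
}
for _i in range(8):  # 268h..26Fh cover C0000-FFFFF in 4 KiB pieces
    _base = 0xC0000 + _i * 0x8000
    FIXED_MTRRS[0x268 + _i] = (f"IA32_MTRR_FIX4K_{_base:05X}", _base, 0x1000)


def wrmsr_value(edx: int, eax: int) -> int:
    """WRMSR writes EDX:EAX, so the 64-bit value is edx in the high half."""
    return ((edx & 0xFFFFFFFF) << 32) | (eax & 0xFFFFFFFF)


def decode_fixed_mtrr(msr: int, value: int) -> List[Tuple[int, int, str]]:
    """Return merged (start, end, type) ranges for one fixed-range MTRR.

    Byte 0 of the value describes the lowest sub-range, byte 7 the highest.
    Adjacent sub-ranges with the same type are merged into one entry.
    """
    if msr not in FIXED_MTRRS:
        raise KeyError(f"MSR {msr:X}h is not a fixed-range MTRR")
    _name, base, step = FIXED_MTRRS[msr]
    ranges: List[Tuple[int, int, str]] = []
    for i in range(8):
        raw = (value >> (8 * i)) & 0xFF
        mtype = MEM_TYPES.get(raw, f"reserved({raw:02X}h)")
        start, end = base + i * step, base + (i + 1) * step - 1
        if ranges and ranges[-1][2] == mtype:
            ranges[-1] = (ranges[-1][0], end, mtype)
        else:
            ranges.append((start, end, mtype))
    return ranges


def describe(msr: int, value: int) -> List[str]:
    name = FIXED_MTRRS[msr][0]
    return [f"{name}: {s:06X}-{e:06X} {t}" for s, e, t in decode_fixed_mtrr(msr, value)]


if __name__ == "__main__":
    # Fdis: xor eax,eax / mov edx,eax / ecx=26Eh then 26Fh / wrmsr
    for msr in (0x26E, 0x26F):
        print("\n".join(describe(msr, wrmsr_value(0, 0))))
    # Constructed value matching item g): lower half WP, upper half UC
    print("\n".join(describe(0x269, 0x0000000005050505)))
```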
     
  10. Zhekov

    Zhekov MDL Novice

    #710 Zhekov, Dec 13, 2011
    Last edited: Dec 13, 2011
    Hello, I have a dead DELL GX240 BIOS. What file should I use to program it with external programmer. I have extracted .rom and .hdr file from the .exe using -writehdrfile and -writeromfile commands. I guess it is the .rom file I should use but I am new to BIOS programming.
     
  11. aascut

    aascut MDL Junior Member

    it is the .rom file
     
  12. sebus

    sebus MDL Guru

    GX240? That's like a 10-year-old machine...
    Not the best candidate for modding (it was hardly ever running XP)

    sebus
     
  13. Zhekov

    Zhekov MDL Novice

    Can not agree more. The BIOS just died after wrong flash procedure. I never intended to mod it but to have it up and running again. It's working fine as a mp3 player with 512MB RAM.

    Thank you aascut for your reply I'll try it right away...
     
  14. alqaim145

    alqaim145 MDL Novice

    anyone help me i want dell e610 bin file
     
  15. sebus

    sebus MDL Guru

    One mighty BIG mp3 player that is!

    sebus
     
  16. xrouted

    xrouted MDL Novice

    Thank you very very much
     
  17. aascut

    aascut MDL Junior Member

    #717 aascut, Feb 15, 2012
    Last edited by a moderator: Apr 20, 2017
    DELL boot memory map

    I drew a map, it may be helpful to someone.:smile3:
    State after working out of BIOS boot block :
    Code:
    Memory allocation in boot for DELL D810 (1Mb bios code,as example)
    ->the upper limit 4 Gigabytes
    |address range    |?        |Dec.Range   |alias address    |size kB|
    ----------------------------------------------------------------------
    |FFFF0000-FFFFFFFF|BIOS CODE|Firmware Hub|000F0000-000FFFFF|64     |
    |FFFE0000-FFFEFFFF|BIOS CODE|Firmware Hub|000E0000-000EFFFF|64     |
    |FFFD0000-FFFDFFFF|BIOS CODE|Firmware Hub|000D0000-000DFFFF|64     |
    |FFFC0000-FFFCFFFF|BIOS CODE|Firmware Hub|000C0000-000CFFFF|64     |
    |FFFB0000-FFFBFFFF|BIOS CODE|Firmware Hub|000B0000-000BFFFF|64     |
    |FFFA0000-FFFAFFFF|BIOS CODE|Firmware Hub|000A0000-000AFFFF|64     |
    |FFF90000-FFF9FFFF|BIOS CODE|Firmware Hub|00090000-0009FFFF|64     |
    |FFF80000-FFF8FFFF|BIOS CODE|Firmware Hub|00080000-0008FFFF|64     |
    |FFF70000-FFF7FFFF|BIOS CODE|Firmware Hub|00070000-0007FFFF|64     |
    |FFF60000-FFF6FFFF|BIOS CODE|Firmware Hub|00060000-0006FFFF|64     |
    |FFF50000-FFF5FFFF|BIOS CODE|Firmware Hub|00050000-0005FFFF|64     |
    |FFF40000-FFF4FFFF|BIOS CODE|Firmware Hub|00040000-0004FFFF|64     |
    |FFF30000-FFF3FFFF|BIOS CODE|Firmware Hub|00030000-0003FFFF|64     |
    |FFF20000-FFF2FFFF|BIOS CODE|Firmware Hub|00020000-0002FFFF|64     |
    |FFF10000-FFF1FFFF|BIOS CODE|Firmware Hub|00010000-0001FFFF|64     |
    |FFF00000-FFF0FFFF|BIOS CODE|Firmware Hub|00000000-0000FFFF|64     |
    .....................................................................
    ---------------------------------------------------------------------
    |address range    | comments                                |size kB|
    ---------------------------------------------------------------------
    |FFE80000-FFEFFFFF|IDSEL=3 Firmware Hub Decode Range        |512    |
    |FFE00000-FFE7FFFF|IDSEL=1 Firmware Hub Decode Range        |512    |
    |FFB80000-FFBFFFFF|Firmware Hub Decode Range                |512    |
    |FFB00000-FFB7FFFF|Firmware Hub Decode Range                |512    |
    |FFA80800-FFA80BFF|BAR EHCI Controller USB 2.0              |1      |
    |FFA80000-FFAFFFFF|IDSEL=3 Firmware Hub Decode Range        |512    |
    |FFA00000-FFA7FFFF|IDSEL=1 Firmware Hub Decode Range        |512    |
    |FF000000-FFFFFFFF|PCI_TO_PCI Bridge memory space           |?      |
    .....................................................................
    |FEDA0000-FEDBFFFF| Extended SMRAM Write Through            |128    |    
    |FED00000-FED003FF| High Precision Timer Config address     |1      |
    |FEC00000         |APIC Direct Index register               |8bit   |
    |FEC00010         |APIC Direct Data register                |32bit  |
    |FEC00040         |APIC Direct EOI register                 |32bit  |
    .....................................................................
    |F0008000-F000BFFF|Chipset Root Complex Base address        |16     |
    |F0007000-F0007FFF|Empty                                    |4      |
    |F0006000-F0006FFF|Egress Port Root Complex Base address    |4      |
    |F0005000-F0005FFF|Egress Port Root Complex Base address    |4      |
    |F0004000-F0004FFF|DMI Root Complex Base address            |4      |
    |F0000000-F0003FFF|GMCH Base address                        |16     |
    |E0000000-EFFFFFFF|PCIEx Base address                       |256000 |
    .....................................................................
    |10E00000         |I/O Trap Register 1 address RW trap cycle|       |
    .....................................................................
    |08000000         |I/O Trap Register 2 address RW trap cycle|       |
    .....................................................................
    |03F40000         |I/O Trap Register 3 addressW trap cycle|       |
    .....................................................................
    |00600000         |I/O Trap Register 0 address RW trap cycle|       |
    .....................................................................      
    |00100000-00161048|copy BIOS Compressed Block into DRAM     |388??  |
    .....................................................................
    |000FF000-000FFFFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4      |
    |000FE000-000FEFFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4      |
    |000FD000-000FDFFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4      |
    |000FC000-000FCFFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4      |
    |000FB000-000FBFFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4      |
    |000FA000-000FAFFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4      |
    |000F9000-000F9FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4      |
    |000F8000-000F8FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4      |
    |000F7000-000F7FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4      |
    |000F6000-000F6FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4      |
    |000F5000-000F5FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4      |
    |000F4000-000F4FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4      |
    |000F3000-000F3FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4      |
    |000F2000-000F2FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4      |
    |000F1000-000F1FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4      |
    |000F0000-000F0FFF|WP,RW-direct DMI,decom. #01_l.rom in DRAM|4      |
    |000EC000-000EFFFF|write protect,RW direct DMI              |16     |
    |000E8000-000EBFFF|write protect,RW direct DMI              |16     |
    |000E4000-000E7FFF|write protect,RW direct DMI              |16     |
    |000E0000-000E3FFF|write protect,RW direct DMI              |16     |
    |000DC000-000DFFFF|write protect,RW direct DMI              |16     |
    |000D8000-000DBFFF|write protect,RW direct DMI              |16     |
    |000D4000-000D7FFF|write protect,RW direct DMI              |16     |
    |000D0000-000D3FFF|AHCI BASE ADDRESS,write pr.,RW direct DMI|16     |
    |000CC000-000CFFFF|write protect,RW direct DMI              |16     |
    |000C8000-000CBFFF|write protect,RW direct DMI              |16     |
    |000C4000-000C7FFF|write protect,RW direct DMI              |16     |
    |000C0000-000C3FFF|write protect,RW direct DMI              |16     |
    |000B8000-000BFFFF|SMM (default)                            |32     |
    |000B0000-000B7FFF|SM RAM (default) or Monochrome Device    |32     |
    |                 |Adapter (MDA) resources for 10 port B4h, |       |
    |                 |3B5h,3B8h,3B9h,3BAh,3BFh;write protect   |       |
    |A0000-000AFFFF   |SM RAM (default) or Legacy Video         |64     |
    .....................................................................
    |00024000-00030000|Copy BIOS Boot Block into DRAM           |       |
    |000010C0-000010DF|SMBUS Base Address(IO port)              |32bytes|
    |00001080-000010BF|GPIO Base Address(IO port)               |64bytes|
    |00001000-0000107F|Power Management Base Address(IO port)   |128byte|
    .....................................................................
    |00000BFA-00000BFF|SATA Legacy Base Address (I/O port)      |6 bytes|
    .....................................................................
    |00000900-0000097F|LPC Generic I/O decode range 1           |128byte|
    |                 | (program input/output)???               |       |
    .....................................................................
    |000003F8-000003FF|ComA&ComB decode range(I/O port)         |8bytes |
    .....................................................................
    |000003E0         |PC Card 16-bit I/F legacy-mode           |64bytes|
    |                 |base address for the ExCA index register |       |
    .....................................................................          
    |00000378-0000037F|LPT decode range(I/O port)               |8bytes |
    |00000377         |FDD decode range(secondary)              |1byte  |
    |00000370-00000375|FDD decode range(I/O port)               |6bytes |
    .....................................................................
    |8C,8D,8E         |Addresses sent to PCI to generate POST CODES     |
    |88               |Addresses sent to PCI to generate POST CODES     |
    |84,85,86         |Addresses sent to PCI to generate POST CODES     |
    |80               |Addresses sent to PCI to generate POST CODES     |
    |70,71            |CMOS decode range(I/O port)                      |
    |62;66            |Embedded Controller I/O port                     |
    |60;64            |KBC decode range (I/O port)                      |
    |4E;4F            |Microcontroller decode range(I/O port)           |
    |2E;2F            |Super IO decode range (I/O port)                 |
    .....................................................................
     
  18. Radarrange

    Radarrange MDL Novice

    This was post #692 in this thread. It's from 6 mos ago, when user "WINDOWS 7" was trying to flash a modified BIOS to his Dell 4700 to enable Cedar Mill support. I would also like to know whether it worked and how a .hdr file is flashed to a Dell. I have tried seemingly everything and can't get the hdr file to flash.
     
  19. aascut

    aascut MDL Junior Member

    #719 aascut, Feb 29, 2012
    Last edited by a moderator: Apr 20, 2017
    I found how it works! It turns out I did not go looking in the code and missed the point. Look "SIOi" module:
    Code:
    D810_A05.rom:
    F000:4ACD                          ; ---------------------------------------------------------------------------
    F000:4ACD                          ; Super IO chip programming routine
    F000:4ACD
    F000:4ACD                          SIOi:                                   ; CODE XREF: F000:429FJ
    F000:4ACD BA 2E 00                           mov   dx, 2Eh ; '.'
    F000:4AD0 B0 55                              mov   al, 55h ; 'U'
    F000:4AD2 EE                                 out   dx, al
    F000:4AD3 EE                                 out   dx, al                  ; ENTER CONFIGURATION MODE:
    F000:4AD3                                                                  ; write key"55h" to port 2Eh
    F000:4AD3                                                                  ; Configuration state enable!
    .....bla-bla-bla
    ....
    F000:4AF2 B4 09                              mov   ah, 9
    F000:4AF4 BA 2E 00                           mov   dx, 2Eh ; '.'
    F000:4AF7 B0 07                              mov   al, 7
    F000:4AF9 EE                                 out   dx, al
    F000:4AFA 42                                 inc   dx                      ; Increment by 1
    F000:4AFB 8A C4                              mov   al, ah
    F000:4AFD EE                                 out   dx, al                  ; write 09 to reg.#07:
    F000:4AFD                                                                  ; select Logical Device #9
    F000:4AFD                                                                  ;
    F000:4AFE BA 2E 00                           mov   dx, 2Eh ; '.'
    F000:4B01 B0 30                              mov   al, 30h ; '0'
    F000:4B03 EE                                 out   dx, al                  ; Logical Device #9,reg#30:
    F000:4B04 42                                 inc   dx                      ; Increment by 1
    F000:4B05 B0 01                              mov   al, 1
    F000:4B07 EE                                 out   dx, al                  ; write 01 to reg.30-
    F000:4B07                                                                  ; activate Logical Device #9
    F000:4B07                                                                  ; -Mailbox Registers
    F000:4B08 B8 10 09                           mov   ax, 910h
    F000:4B0B BA 2E 00                           mov   dx, 2Eh ; '.'
    F000:4B0E B0 60                              mov   al, 60h ; '`'
    F000:4B10 EE                                 out   dx, al                  ; Config mode:  Logical Device #9
    F000:4B10                                                                  ; -Mailbox Registers
    F000:4B11 42                                 inc   dx                      ; Increment by 1
    F000:4B12 8A C4                              mov   al, ah                  ; al=09;
    F000:4B14 EE                                 out   dx, al                  ; write I/O base address bits 15:8
    F000:4B14                                                                  ; al=09
    F000:4B15 B8 10 09                           mov   ax, 910h
    F000:4B18 8A E0                              mov   ah, al                  ; ah=10
    F000:4B1A BA 2E 00                           mov   dx, 2Eh ; '.'
    F000:4B1D B0 61                              mov   al, 61h ; 'a'
    F000:4B1F EE                                 out   dx, al                  ; write I/O base address bits 7:0
    F000:4B20 42                                 inc   dx                      ; Increment by 1
    F000:4B21 8A C4                              mov   al, ah
    F000:4B23 EE                                 out   dx, al                  ; write I/O base address bits 7:0
    F000:4B23                                                                  ; al=10
    F000:4B23                                                                  ; Base address for Mailbox
    F000:4B23                                                                  ; (Logical device#9)=910h
    .....i.t.c..
    i.e. ports 910 (index)/911 (data) are the LPC interface between the ICH and the 8051 (Embedded Controller or Super IO controller). They communicate with each other through mailbox registers (MBX**). :)
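
The register sequence in the SIOi listing above, replayed against a small model of the 2Eh/2Fh index/data pair (an added example, not part of the original post and not Dell's code). The `struct sio` model, the function names and the trace array are constructed for illustration; the trace holds only the OUT instructions visible in the listing, and ignoring writes that arrive before the 55h key is an assumption of the model.

```c
#include <stdint.h>
#include <stdio.h>

struct sio {                /* model of the 2Eh/2Fh index/data pair      */
    int      config_mode;   /* set once key 55h has been written to 2Eh  */
    uint8_t  index;         /* register index last written to 2Eh        */
    uint8_t  ldn;           /* logical device selected through reg 07h   */
    uint8_t  active[16];    /* reg 30h, one flag per logical device      */
    uint16_t base[16];      /* reg 60h = bits 15:8, reg 61h = bits 7:0   */
};
struct io_write { uint16_t port; uint8_t val; };

/* Apply one OUT to the model; everything is ignored until the key is seen. */
static void sio_out(struct sio *s, uint16_t port, uint8_t val)
{
    if (port == 0x2E) {                        /* index port */
        if (s->config_mode) s->index = val;
        else s->config_mode = (val == 0x55);   /* assumption: locked until key */
        return;
    }
    if (port != 0x2F || !s->config_mode) return;
    switch (s->index) {                        /* data port */
    case 0x07: s->ldn = val & 0x0F; break;
    case 0x30: s->active[s->ldn] = val & 1; break;
    case 0x60: s->base[s->ldn] = (uint16_t)((s->base[s->ldn] & 0x00FF) | (val << 8)); break;
    case 0x61: s->base[s->ldn] = (uint16_t)((s->base[s->ldn] & 0xFF00) | val); break;
    }
}

static struct sio sio_replay(const struct io_write *t, size_t n)
{
    struct sio s = {0};
    for (size_t i = 0; i < n; i++) sio_out(&s, t[i].port, t[i].val);
    return s;
}

static const struct io_write sioi_trace[] = {   /* constructed from the listing */
    {0x2E, 0x55}, {0x2E, 0x55},   /* 4AD2, 4AD3: key written twice        */
    {0x2E, 0x07}, {0x2F, 0x09},   /* 4AF9, 4AFD: select logical device 9  */
    {0x2E, 0x30}, {0x2F, 0x01},   /* 4B03, 4B07: activate it              */
    {0x2E, 0x60}, {0x2F, 0x09},   /* 4B10, 4B14: base bits 15:8           */
    {0x2E, 0x61}, {0x2F, 0x10},   /* 4B1F, 4B23: base bits 7:0            */
};

int main(void)
{
    struct sio s = sio_replay(sioi_trace, sizeof sioi_trace / sizeof *sioi_trace);
    printf("LDN %d active=%d base=%04Xh\n", s.ldn, s.active[s.ldn], (unsigned)s.base[s.ldn]);
    return 0;
}
```

Feeding the same replay a trace captured from another image shows at a glance which logical devices a boot block enables and where it maps them.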
     
  20. Somebody777

    Somebody777 MDL Novice

    Feb 27, 2012
    Hi, I know this isn't Dell, but can anyone help me enable SATA in the BIOS of an ASUS A6Jc (AMI)?