Part Two - BIOS ROMs of the WYSE Sx0 - S50

-

 The ROMs:

    VSA Init ROM: (Virtual Systems Architecture) is a piece of software that is hiding the real hardware from the OS and is emulating standard hardware like keyboard controller, IDE controller, CMOS and other legacy hardware. 

    The Geode, rather than carrying lots of legacy hardware interfaces that are presumed to exist on x86 systems that might be painful to implement on a highly integrated, low power processor, the Geode often emulates such interfaces by use of software that is invoked by special traps that take place when the processor accesses these devices.



   This emulation is made at the hardware level by setting some Model Specific Registers (MSRs) that control the GeodeLink Interface Units (GLIUs). This GLIUs can trap CPU access to some defined memory regions and run some ISRs from VSA software instead, or route the access to some other devices. VSA system is a TSR software(Terminate and Stay Resident).

    In the image above you can see the real hardware architecture of a Geode CPU package. The physical address bus of the CPU core is directly connected to the GLIU 1.

All the 4Gb memory space that the CPU can access is provided and managed by the GLIU 1.

    There are hundreds of MSRs inside this GLIUs that are programmed by the BIOS code for the system to act as you wish. Without VSA, MS-DOS will be unable to access a USB memory stick as a HDD, or read a USB keyboard buffer (MS-DOS doesn’t have USB support but you can read and write data from or to a USB mem. stick).
    For more information about the VSA I have provided datasheets here and source code of the VSA system that I hardly gathered from the internet.

    JVGA BIOS - Version 5.30a – video BIOS subsystem software – not explored yet.

    PXE ROM - Preboot Execution Environment PXE-2.0 + Realtek RTL8139 BIOS functions – not explored yet. This software is used to boot the thin client from a network.

    UHCI ROM – this ROM provides Interrupt Service Routines (ISR) for USB HIDs like keyboard, mouse and ISR for USB Disks INT 13, etc.

    GUI ROM – this is the graphic user interface of the BIOS. This ROM is loaded when you press “DEL” key at system startup. The code is obfuscated to discourage reverse engineering on this. They used the stack as general registers to compute things. Is not hard to reverse but it consumes a lot of time when you need to keep track of the stack.

 I’ve tried to swap this ROM with another ROM made for other CS5536 system that had all the settings in the GUI but NVRAM tokens where not the same.

Lots of token errors like this one have shown at startup.

After pressing "any key" for about 20 times the new GUI have been displayed:

    I had to revert this and stick with the original one. If anybody will like to trace this code and add features to the GUI it will be nice. There is an IDA  disassembly of the GUI started by me in here.

    Some people might ask: “why not swap the entire BIOS if you have one alike” –>  Because this might end up in fire. GPIOs are defined in software: if they are Inputs or Outputs. If one BIOS sets one GPIO as output when it is needed to be an input.. then a lot of current might flow true that pin... so fire might happen).

Bitmap – this is the WYSE logo.

Xpress ROM – this, by the name, is an interesting ROM. Datasheets refer to Xpress ROM as the BIOS GUI but is not. This is just a “Summary Screen” that was disabled and I’ve managed to patch it to enable it to show at the system startup. By default if a boot device was detected, the “Summary Screen” was disabled. The extra delay before loading the OS is intentional, it can be adjusted by patching the ROM.
Patch applied to the Xpress ROM







The result of this patch is this info being displayed before OS boot














The patched BIOS file can be found in here.
(Don't download this now, I've made more better patches to this BIOS. Now I'm just trying to put all this story in this blog)

Disk  ROM – this ROM is overwriting the Disk ISRs with the right ones depending from where the system will be booted: DOM, USB, Flash. (need to study more, here might be where DOS hangs for DOM and not for USB - indeed here was the problem - the final solution will be presented in the final post of this blog).

XPACPI – ACPI functions

text data – unknown ROM

$PAL image video palettes – colors for the WYSE bitmap image

You can find all of this ROMs in the expanded and compressed form in here.

In the next post of this blog I'll present the BIOS chip memory map where all of this ROMs have been found.

Previous part                                                                       Next part

Comments

Post a Comment

Popular posts from this blog

Adventures of reverse engineering the WYSE Sx0 – S50

-
Image
     A few months ago I've bought this WYSE thin client model Sx0 - S50. I wanted to make a retro game machine from it but soon I've realized that I can't make it boot from the DOM with MS-DOS 6.22.      This was interesting because the system was able to boot MS-DOS 6.22 from a USB memory stick. So I've started to investigate the cause for this.      On the first hardware inspection I’ve found a small memory chip on the back of the PCB, an 8 pin SOIC EEPROM “ 93C46A ” that is not bigger than 128 bytes. I’ve dumped the content of this chip using the CH341A (mod-ed to read 93C chips) and all I’ve found was the serial number of the machine: 6IFDGB03427.  You can find the contents of this chip in  here .      Then I’ve start to read more, searched all the internet for documents that might help me understand this machine, and I’ve found some that I’ve put in here .         There you can find documents  about the CPU , the CS5536 Companion that is actually a Platform Contr
Read more

Sound Blaster 16 emulation for DOS 6.22

-
Image
       Reversing this WYSE machine BIOS I have learned that this CS5536 chipset together with the VSA software can emulate a Sound Blaster 16. By default the BIOS exposes the audio AC97 device directly to the OS on the PCI bus. But there are settings to be made for the BIOS to hide this AC97 and emulate a Sound Blaster 16.       This will be great, because all the DOS games and software are compatible to SB16 by default, and there are already made drivers for SB16 for the MS-DOS. This way it might be possible to have real sound on the DOS.     At some time there was an XpressAUDIO ROM, provided by the AMD, that had made this emulation possible. XpressAudio is actually a VSM (Virtual Support Module) that was not included in this VSA ROM of this WYSE BIOS.     For short, the VSA ROM is loaded by the BIOS at system power up. The VSA is searching for all included VSMs and is copying them to separate segments in higher memory (CPU is in real mode and this memory is hidden from the OS).  The
Read more