BIOS NVRAM Tokens

-

 Here is a list with all discovered NVRAM Tokens found in the BIOS. Some of them are documented in here.

    All of this tokens are used for getting or setting a variable value when BIOS needs to set something up like the Audio IRQ for example.

    This values are stored in the virtual CMOS of the system that is 512 bytes long. For saving more than 512 variable values, a masking technique was used to store more than 1 token value per byte. One byte from the CMOS will keep 3 or 4 NVRAM tokens values. Every NVRAM token has a mask that is applied to a CMOS byte to get the desired variable value.

    So a NVRAM Token will define the CMOS offset for a specific byte and the mask to extract only the needed bites from that byte.

********************************************

    For example to get the Audio IRQ from the NVRAM Token "AI" next computations are made:

3E4F                 mov     cx, 4149h                       ; select Token ASCII: AI
3E52                 call      NVRAM_get_token_data_sub_8156

- at 8156 all the CPU registers are saved in the stack and then execution is transferred to NVRAM_read_data_loc_8437
- at 843F the token is tested to see what type is it: 1, 2, 3 or 4. Token "AI" is a type 1.
- next, token is searched in the NVRAM tokens list at 7810
- next, at 845B execution is passed to other function at 83EE:

845B                 jmp     short NVRAM_Token_type_1_2_3_get_CMOS_loc_83EE
.................
83F2                 mov     ax, cs:[si+3]                  ; get CMOS offset // AX = 0021
83F6                 add      ax, cs:[di+3]                  ; add 2 bytes from the token type list // + 0040
                  
- at CS:SI there is the "AI" token with all of its data.
- at CS:[SI+3] is the CMOS offset address (21h) that need to be added to a fixed offset (40h), for all type 1 tokens, to get the real CMOS address where is the byte that keeps the data for the AI token.

83FA                 shl      eax, 8                             ; AH = AL // prepare for CMOS read
8405                 jmp     word ptr cs:[di+7]         ; jump to 445D - read register 61h from CMOS

At CMOS address 61h there is this byte that keeps the Audio IRQ number. This byte keeps data (68h) for other 2 tokens too, so further computations are made to extract the exact Audio IRQ number.

8424                 and     ax, cs:[si+6]

- at 8424 we are applying the Audio IRQ mask (38h) from CS:[SI+6]. The result is 68h and 38h = 28h // AX = 28h

8428                 mov     cl, cs:[si+8]                       ; CL = 3
842C                shr        ax, cl                                 ; 28h right shift 3 bits = 5 // AX = 0005

- AX = 0005 is the final value for the Audio IRQ number. From now on we are returning from this functions to the beginning of this call at address 3E55.

To understand this better you can look at the CMOS value in the binary form:
68h = 01101000 // bit 5, 4 and 3 are the value for Audio IRQ number = 101 = 5
The 28h mask is already defining the 5 value. 28h = 00101000, bits 5, 4, 3 are 101 = 5.

********************************************

Tokens with their data found at 3CE0h offset in the BIOS Boot Block:

  • TY =  Power Management - STANDBY_TIMEOUT   // 1 byte
  • TS =  Power Management - SUSPEND_TIMEOUT   // 1 byte
  • TI =  Power Management - DOZE_TIMEOUT (idle) // 1 byte
  • T1 =  Power Management - DISK_TIMEOUT   // 1 byte
  • TF =  Power Management - FLOPPY_TIMEOUT   //1 byte
  • TK =  Power Management -  PS2_TIMEOUT (keyboard, mouse)   // 1 byte
  • TV =  Power Management - VIDEO_TIMEOUT   // 1 byte
  • TC =  Power Management - SERIAL_TIMEOUT
  • TP  =  Power Management - PARALLEL_TIMEOUT  // 1 byte
  • PM = Power management enable   // 1 bit
  • W1 = Wakeup mask PIC1   // 1 byte
  • W2 = Wakeup mask PIC2   // 1 byte
  • P7 =  Advanced Power Management - APM_PRESENT
  • P8 =  Advanced Configuration and Power Interface - ACPI_PRESENT
  • P9 =  Power Management - PM_S1_CLOCKS
  • PB = CHIPSET - VRC_CS_PWRBTN
  • .........................................
  • AI =  Audio IRQ = 2bits -> 05h value
  • AU = Audio enable = 1 bit
  • AA = Audio base address = 2 bits
  • A1 = Audio 8-bit DMA = 2 bits
  • A2 = Audio 16-bit DMA = 2 bits

Comments

Post a Comment

Popular posts from this blog

Adventures of reverse engineering the WYSE Sx0 – S50

-
Image
     A few months ago I've bought this WYSE thin client model Sx0 - S50. I wanted to make a retro game machine from it but soon I've realized that I can't make it boot from the DOM with MS-DOS 6.22.      This was interesting because the system was able to boot MS-DOS 6.22 from a USB memory stick. So I've started to investigate the cause for this.      On the first hardware inspection I’ve found a small memory chip on the back of the PCB, an 8 pin SOIC EEPROM “ 93C46A ” that is not bigger than 128 bytes. I’ve dumped the content of this chip using the CH341A (mod-ed to read 93C chips) and all I’ve found was the serial number of the machine: 6IFDGB03427.  You can find the contents of this chip in  here .      Then I’ve start to read more, searched all the internet for documents that might help me understand this machine, and I’ve found some that I’ve put in here .         There you can find docu...
Read more

Part Two - BIOS ROMs of the WYSE Sx0 - S50

-
Image
  The ROMs:      VSA Init ROM:  (Virtual Systems Architecture)  is a piece of software that is hiding the real hardware from the OS and is emulating standard hardware like keyboard controller, IDE controller, CMOS and other legacy hardware.       The Geode, rather than carrying lots of legacy hardware interfaces that are presumed to exist on x86 systems that might be painful to implement on a highly integrated, low power processor, the Geode often emulates such interfaces by use of software that is invoked by special traps that take place when the processor accesses these devices.     This emulation is made at the hardware level by setting some Model Specific Registers (MSRs) that control the GeodeLink Interface Units (GLIUs). This GLIUs can trap CPU access to some defined memory regions and run some ISRs from VSA software instead, or route the access to some other devices. VSA system is a TSR software(Terminate and Stay Reside...
Read more

Part three - SST49LF020A BIOS chip Memory Map

-
Image
Now I will present the BIOS chip memory map. The hex values represent the offset address in the chip. All ROM images are compressed with "CALG1 Compression Library" and all have a header of 32 bytes where is described the location where every ROM needs to be extracted, the size of the ROM before was compressed, the size after compression + some checksum that is not used. The data in this table is for the original BIOS. Patched ones are different. Header + Padding - all zeroes 0 ROM header 9CC0 Compressed VSA Init ROM 9CE0 ROM header 1:D170 Compressed JVGA BIOS 1:D190 ROM header 2:1110 Compressed PXE ROM 2:1130 ROM header 2:6F50 Compressed UHCI ROM 2:6F70 ROM header 2:70D0 Compressed GUI ROM 2:70F0 ROM header 2...
Read more