BIOS NVRAM Tokens

-

 Here is a list with all discovered NVRAM Tokens found in the BIOS. Some of them are documented in here.

    All of this tokens are used for getting or setting a variable value when BIOS needs to set something up like the Audio IRQ for example.

    This values are stored in the virtual CMOS of the system that is 512 bytes long. For saving more than 512 variable values, a masking technique was used to store more than 1 token value per byte. One byte from the CMOS will keep 3 or 4 NVRAM tokens values. Every NVRAM token has a mask that is applied to a CMOS byte to get the desired variable value.

    So a NVRAM Token will define the CMOS offset for a specific byte and the mask to extract only the needed bites from that byte.

********************************************

    For example to get the Audio IRQ from the NVRAM Token "AI" next computations are made:

3E4F                 mov     cx, 4149h                       ; select Token ASCII: AI
3E52                 call      NVRAM_get_token_data_sub_8156

- at 8156 all the CPU registers are saved in the stack and then execution is transferred to NVRAM_read_data_loc_8437
- at 843F the token is tested to see what type is it: 1, 2, 3 or 4. Token "AI" is a type 1.
- next, token is searched in the NVRAM tokens list at 7810
- next, at 845B execution is passed to other function at 83EE:

845B                 jmp     short NVRAM_Token_type_1_2_3_get_CMOS_loc_83EE
.................
83F2                 mov     ax, cs:[si+3]                  ; get CMOS offset // AX = 0021
83F6                 add      ax, cs:[di+3]                  ; add 2 bytes from the token type list // + 0040
                  
- at CS:SI there is the "AI" token with all of its data.
- at CS:[SI+3] is the CMOS offset address (21h) that need to be added to a fixed offset (40h), for all type 1 tokens, to get the real CMOS address where is the byte that keeps the data for the AI token.

83FA                 shl      eax, 8                             ; AH = AL // prepare for CMOS read
8405                 jmp     word ptr cs:[di+7]         ; jump to 445D - read register 61h from CMOS

At CMOS address 61h there is this byte that keeps the Audio IRQ number. This byte keeps data (68h) for other 2 tokens too, so further computations are made to extract the exact Audio IRQ number.

8424                 and     ax, cs:[si+6]

- at 8424 we are applying the Audio IRQ mask (38h) from CS:[SI+6]. The result is 68h and 38h = 28h // AX = 28h

8428                 mov     cl, cs:[si+8]                       ; CL = 3
842C                shr        ax, cl                                 ; 28h right shift 3 bits = 5 // AX = 0005

- AX = 0005 is the final value for the Audio IRQ number. From now on we are returning from this functions to the beginning of this call at address 3E55.

To understand this better you can look at the CMOS value in the binary form:
68h = 01101000 // bit 5, 4 and 3 are the value for Audio IRQ number = 101 = 5
The 28h mask is already defining the 5 value. 28h = 00101000, bits 5, 4, 3 are 101 = 5.

********************************************

Tokens with their data found at 3CE0h offset in the BIOS Boot Block:

  • TY =  Power Management - STANDBY_TIMEOUT   // 1 byte
  • TS =  Power Management - SUSPEND_TIMEOUT   // 1 byte
  • TI =  Power Management - DOZE_TIMEOUT (idle) // 1 byte
  • T1 =  Power Management - DISK_TIMEOUT   // 1 byte
  • TF =  Power Management - FLOPPY_TIMEOUT   //1 byte
  • TK =  Power Management -  PS2_TIMEOUT (keyboard, mouse)   // 1 byte
  • TV =  Power Management - VIDEO_TIMEOUT   // 1 byte
  • TC =  Power Management - SERIAL_TIMEOUT
  • TP  =  Power Management - PARALLEL_TIMEOUT  // 1 byte
  • PM = Power management enable   // 1 bit
  • W1 = Wakeup mask PIC1   // 1 byte
  • W2 = Wakeup mask PIC2   // 1 byte
  • P7 =  Advanced Power Management - APM_PRESENT
  • P8 =  Advanced Configuration and Power Interface - ACPI_PRESENT
  • P9 =  Power Management - PM_S1_CLOCKS
  • PB = CHIPSET - VRC_CS_PWRBTN
  • .........................................
  • AI =  Audio IRQ = 2bits -> 05h value
  • AU = Audio enable = 1 bit
  • AA = Audio base address = 2 bits
  • A1 = Audio 8-bit DMA = 2 bits
  • A2 = Audio 16-bit DMA = 2 bits

Comments

Post a Comment

Popular posts from this blog

Part Two - BIOS ROMs of the WYSE Sx0 - S50

-
Image
  The ROMs:      VSA Init ROM:  (Virtual Systems Architecture)  is a piece of software that is hiding the real hardware from the OS and is emulating standard hardware like keyboard controller, IDE controller, CMOS and other legacy hardware.       The Geode, rather than carrying lots of legacy hardware interfaces that are presumed to exist on x86 systems that might be painful to implement on a highly integrated, low power processor, the Geode often emulates such interfaces by use of software that is invoked by special traps that take place when the processor accesses these devices.     This emulation is made at the hardware level by setting some Model Specific Registers (MSRs) that control the GeodeLink Interface Units (GLIUs). This GLIUs can trap CPU access to some defined memory regions and run some ISRs from VSA software instead, or route the access to some other devices. VSA system is a TSR software(Terminate and Stay Resident).     In the image above you can see the real hardware a
Read more

Adventures of reverse engineering the WYSE Sx0 – S50

-
Image
     A few months ago I've bought this WYSE thin client model Sx0 - S50. I wanted to make a retro game machine from it but soon I've realized that I can't make it boot from the DOM with MS-DOS 6.22.      This was interesting because the system was able to boot MS-DOS 6.22 from a USB memory stick. So I've started to investigate the cause for this.      On the first hardware inspection I’ve found a small memory chip on the back of the PCB, an 8 pin SOIC EEPROM “ 93C46A ” that is not bigger than 128 bytes. I’ve dumped the content of this chip using the CH341A (mod-ed to read 93C chips) and all I’ve found was the serial number of the machine: 6IFDGB03427.  You can find the contents of this chip in  here .      Then I’ve start to read more, searched all the internet for documents that might help me understand this machine, and I’ve found some that I’ve put in here .         There you can find documents  about the CPU , the CS5536 Companion that is actually a Platform Contr
Read more

Sound Blaster 16 emulation for DOS 6.22

-
Image
       Reversing this WYSE machine BIOS I have learned that this CS5536 chipset together with the VSA software can emulate a Sound Blaster 16. By default the BIOS exposes the audio AC97 device directly to the OS on the PCI bus. But there are settings to be made for the BIOS to hide this AC97 and emulate a Sound Blaster 16.       This will be great, because all the DOS games and software are compatible to SB16 by default, and there are already made drivers for SB16 for the MS-DOS. This way it might be possible to have real sound on the DOS.     At some time there was an XpressAUDIO ROM, provided by the AMD, that had made this emulation possible. XpressAudio is actually a VSM (Virtual Support Module) that was not included in this VSA ROM of this WYSE BIOS.     For short, the VSA ROM is loaded by the BIOS at system power up. The VSA is searching for all included VSMs and is copying them to separate segments in higher memory (CPU is in real mode and this memory is hidden from the OS).  The
Read more