WYSE thin client Reverse Engineering

    What actually is the VSA?      The VSA is the heart of any Geode CPU System. The Geode, rather than carrying lots of legacy hardware interfaces that are presumed to exist on x86 systems, that might be painful to implement on a highly integrated, low power processor, the Geode often emulates such interfaces by use of software that is invoked by special traps that take place when the processor accesses these devices.      Virtual System Architecture (VSA) is a System Management Mode (SMM) software. VSA virtualizes PCI BARs (Base Allocation Registers) and headers for GeodeLink modules (IDE controller, AC97 codec, network, etc), it acts as an OS kernel interfacing the real hardware to the software hardware.      This VSA ROM is composed by the VSAInit code (2096 bytes) and many VSMs (Virtual Support Modules). Every VSM has a dedicated scope. There is a VSM for Audio, a VSM for Video, etc. Here is a list of possible VSMs that mi...

CMOS offset // Value // Description 0 34 1 00 2 54 3 00 4 00 5 00 6 00 7 05 Date of Month 8 05 Month 9 06 Year A 26 B 02 C 50 D 80 E 44 F 00 10 40 11 00 12 FF 13 00 14 03 15 7F 16 02 17 00 18 FC 19 31 1A 31 1B 00 1C 00 1D 00 1E 00 1F 00 20 D0 21 03 22 07 23 FF 24 FF 25 FF 26 FF 27 20 28 00 29 00 2A 00 2B 00 2C 00 2D 00 2E 08 2F 17 30 00 31 FC 32 20 33 00 34 00 35 4F 36 03 37 3F 38 FF 39 FF 3A FF 3B FF 3C 20 3D 00 3E 00 3F 86 40 00 41 00 42 BC 43 FA 44 4F 45 00 46 18 47 80 48 DB 49 0E 4A FB 4B 00 4C 80 4D 01 4E 82 4F 2A 50 09 51 08 52 00 53 00 54 00 55 00 56 00 57 00 58 08 59 5B 5A AA 5B 09 5C 3A 5D 21 5E 4E 5F ...

 Here is a list with all discovered NVRAM Tokens found in the BIOS. Some of them are documented in here .      All of this tokens are used for getting or setting a variable value when BIOS needs to set something up like the Audio IRQ for example.      This values are stored in the virtual CMOS of the system that is 512 bytes long. For saving more than 512 variable values, a masking technique was used to store more than 1 token value per byte. One byte from the CMOS will keep 3 or 4 NVRAM tokens values. Every NVRAM token has a mask that is applied to a CMOS byte to get the desired variable value.      So a NVRAM Token will define the CMOS offset for a specific byte and the mask to extract only the needed bites from that byte. ********************************************     For example to get the Audio IRQ from the NVRAM Token "AI" next computations are made: 3E4F                  mov...

       Reversing this WYSE machine BIOS I have learned that this CS5536 chipset together with the VSA software can emulate a Sound Blaster 16. By default the BIOS exposes the audio AC97 device directly to the OS on the PCI bus. But there are settings to be made for the BIOS to hide this AC97 and emulate a Sound Blaster 16.       This will be great, because all the DOS games and software are compatible to SB16 by default, and there are already made drivers for SB16 for the MS-DOS. This way it might be possible to have real sound on the DOS.     At some time there was an XpressAUDIO ROM, provided by the AMD, that had made this emulation possible. XpressAudio is actually a VSM (Virtual Support Module) that was not included in this VSA ROM of this WYSE BIOS.     For short, the VSA ROM is loaded by the BIOS at system power up. The VSA is searching for all included VSMs and is copying them to separate segments in higher memory (CPU i...

     Another day had passed and I’ve remembered that I have BIOS dumps of other machines like this WYSE.  There are many Single Board Computers (SBCs) that use this Geode CPUs and CS5536 companions from where you can get a BIOS dump. I have an extracted DiskROM image for a known system EPX-GX500 that is made to work with DOS 6.      In the DiskROM image is the Interrupt 13 ISR.  So the easiest way to make this WYSE boot DOS 6 was to swap this DiskROM in the BIOS.  This will replace the INT 13 ISR with a good working one. I have done just that! Hurray !!! the WYSE booted into DOS 6.22. The final patched BIOS for WYSE Sx0 - S50 can be found here .      Now for someone to make this WYSE work like this, it needs to find a way to burn this BIOS to the SST49LF020A chip , either by using my Arduino programmer , or by the mean of some software.      For other WYSE terminals that have similar problems the same method...

     After a week I’ve stared to reverse the MS-DOS boot process to find the bug that is keeping this WYSE tin client from booting DOS 6 from the DOM and is sitting there only with a blinking cursor.      So I decided to build a new image, only with DOS 6 on it, extract the MBR from there and disassembly this code in IDA.  The new DOS 6 image was booting well on Bochs virtual machine so I know that the image is good. The MBR: MBR structure  On the left image you can see the MBR structure. From the 512 bytes that it has, 446 bytes are just code that is executed after the BIOS passes control to the MBR. The last 66 bytes represent the Partition Table and the Magic Word: 55AAh.     MS-DOS 6 MBR code does not print anything on the screen by default, but it doesn’t mean that is not working on the WYSE machine. I have found that it has a function to print an error if it encounters one.      This was good, because I have used thi...