What do you know about BIOS NVRAM hacking?

Only for programmers and BIOS gurus with technical questions.
ordex
New visitors - please read the rules.
Posts: 2
Joined: Tue Apr 15, 2008 1:44 pm

Hi, I'm still looking for a BIOS packager to have a look at the code... but I couldn't find it.
my BIOS version is:

	Version: R1150J9
Does anyone know if it is similar to other BIOSes to look for?

Thank you so much
wep
New visitors - please read the rules.
Posts: 2
Joined: Fri Apr 25, 2008 6:01 pm

Me too :D
Sony Vaio nr21z BIOS R1150J9

I have tried 027F and 0399 without success. :evil:

Any news or technique to get the good BIOS key is welcome.
wep
New visitors - please read the rules.
Posts: 2
Joined: Fri Apr 25, 2008 6:01 pm

nr21z bios R1150J9

magic key 02D0 found :lol: :lol:

< (02D0) [0000]
---
> (02D0) [0001]
umiki
New visitors - please read the rules.
Posts: 3
Joined: Sun Apr 27, 2008 5:46 pm

IntuitiveNipple wrote:If you had read this entire thread you'd know that the instructions on the Solaris forum you cite, and the examples it gives, were copied from this thread!

Be wary of following the advice to blindly alter entries in NVRAM in a random search for the correct Token. Despite what that article says, it is possible to cause the PC to fail which could result in having to return it to the manufacturer.

The reason I've gone to such lengths to determine a safe way to do this, and am creating a Linux tool for the job, is to ensure that end-users can't brick their PC.
I can only agree with you. I have modified cmos settings directly via /dev/nvram, and my notebook works only in paperweight mode now.

I have a Toshiba A105 notebook. Symcmos.exe does not work on these (for some reason it says NVRAM read error FFFF or similar, and the output file contains only a repeating value), so I thought, why not modify NVRAM directly. I have overwritten some 00 bytes with ff in the second half of the NVRAM, as somebody has mentioned that setting 0 flags to 1 should be quite safe, and the binary approach should be OK as well. This should not be very different from the symcmos approach, if I understood things correctly.

Well, it did not work :( Now it does not even get to boot. The screen is blank, nothing happens, only some keyboard lights flash once (as they should). I tried to clear CMOS, but that really is not so easy (I took it apart, and tried, but I am not sure that I have cleared it).

Any ideas would be welcome.
IntuitiveNipple
BIOS Newbie
Posts: 31
Joined: Tue May 29, 2007 12:24 am

umiki wrote:
IntuitiveNipple wrote:
Be wary of following the advice to blindly alter entries in NVRAM in a random search for the correct Token. Despite what that article says, it is possible to cause the PC to fail which could result in having to return it to the manufacturer.

The reason I've gone to such lengths to determine a safe way to do this, and am creating a Linux tool for the job, is to ensure that end-users can't brick their PC.
I can only agree with you. I have modified cmos settings directly via /dev/nvram, and my notebook works only in paperweight mode now.


Well, it did not work :( Now it does not even get to boot. The screen is blank, nothing happens, only some keyboard lights flash once (as they should). I tried to clear CMOS, but that really is not so easy (I took it apart, and tried, but I am not sure that I have cleared it).

Any ideas would be welcome.
This is supposed to work on Toshiba A105-s2194. If it does, please post back clear details of the precise steps you take (especially the board markings and possibly a photo of it) so others can benefit.
  1. Power unit off.
  2. Disconnect AC power.
  3. Remove battery.
  4. Remove the memory cover screw, memory cover.
  5. Remove the memory modules.
  6. Peel back mylar from clear-CMOS solder pad.
  7. Short (with small flat-head screwdriver or paper-clip) the clear-CMOS solder pads for a while (~30 seconds).
  8. Replace mylar.
  9. Replace memory modules.
  10. Replace battery.
  11. Power up unit.
  12. If all is well, replace memory cover and screw.
Notes for step 7
The two pads are there so when connected together the positive voltage from the on-board battery is shorted to ground (0 volts) and the CMOS memory circuit and real-time clock (RTC) loses power and 'forgets' its contents.

The pad labels vary depending on PC model. On A135 it is JOPEN1. I've seen it mentioned that A105 has it marked PAD500. On M105 it may be called cmos_clr1.

If this fails, you can try replacing step 7 by locating the CMOS battery (usually soldered onto the PCB) and temporarily de-soldering it so power to the CMOS memory circuit is lost.

As with anything like this, everything you do is at your risk. If you are unsure, contact Toshiba support.
IntuitiveNipple
BIOS Newbie
Posts: 31
Joined: Tue May 29, 2007 12:24 am

I found an alternative method described for the A105 after posting my previous advice, so if that doesn't work, try this:
1) Like always with anything that you do when taking your computer apart, take out the battery and unplug it (common sense).

2) Remove the plastic cover piece above the keyboard, called the "keyboard bezel". This is the piece where you can see the speakers. This page gives several pictures as to how to do this.
http://www.irisvista.com/tech/laptops/t ... emove-main...

**I found it a little bit difficult to get the plastic retaining clips to "pop" loose, but if you are careful, you can use a small screwdriver and slowly "wiggle-pry" between the two screen mounts. This is done with the screen all the way back. You could also use a paper clip with a little 1/8" bend at the tip to do this. (It is a tight working area.) Once these three retaining clips have come loose, the others are fairly easy to "pop". Just be patient and work it slowly. Once this bezel is off, the rest is super easy.**

3) Remove the keyboard. Remove the two screws that are evident once the bezel has been removed. These hold the keyboard in place. Lift the keyboard up from the screw side and the retaining clips at the front of the keyboard will lift out. (There is no need to pry here.) Once the keyboard is loose you will have to either leave it connected, just off to the side, or disconnect it from the motherboard. The keyboard cable connector has a black clip along the top of it. Just lift this clip up a little and the keyboard cable will slide out. (The keyboard cable does not have a fixed connector, but is just a ribbon that is held in place by the black clip along the top of the keyboard cable connector.) Once you have removed it you will better understand what I mean.

4) Remove the wireless card. It is the only card visible at this point. It is connected by metal spring clips. Just unclip it in a similar fashion to removing RAM. You do not need to disconnect the wires connected to the card, just move the card over to expose the area below it.

5) This is where the magic is... you will see C88 clearly labeled right next to the jack that the wireless card plugs into. There are two little solder squares (approx 1/16") at this location.

*** At this point plug the power adapter to your computer again. ***

You will have to jump the two solder squares at label C88. I used a paper clip to do this. I used pliers to bend a 1/8" long "L" and then "scuffed" up the paperclip with the teeth of the pliers. (My first try at this did not work because the paperclip had a varnish coating on it and did not adequately conduct electricity.)

Once you have your paperclip set up (or the one you used to pry the bezel with) hold it in place on these two solder contact squares and press the power button to boot your computer.
umiki
New visitors - please read the rules.
Posts: 3
Joined: Sun Apr 27, 2008 5:46 pm

Thanks for the tips. None of those worked unfortunately. On this model there is no jumper to clear cmos ram under the memory modules, and the C88 did not do the job.

I have followed the instructions on http://www.irisvista.com/tech/laptops/T ... oard-1.htm and took it almost completely apart (to step 19, except for removing the display panel). I don't know why they need all those plastic latches, when the whole thing is held together by 10+ screws anyway. It took me at least 3 hours (and some of the latches, I'm afraid).

It seems after removing all the cables, and the small battery, it gets to POST (I haven't assembled it yet, just connected the display panel).

So warranty and a complete Sunday are gone, and AHCI is still not enabled. (I don't know if AHCI is worth so much trouble?)

So thanks again for the help. If somebody has any idea why symcmos does not work, or even better, how to enable AHCI (there is no BIOS option obviously :) ), please share the information.
IntuitiveNipple
BIOS Newbie
Posts: 31
Joined: Tue May 29, 2007 12:24 am

umiki wrote:Thanks for the tips. None of those worked unfortunately. On this model there is no jumper to clear cmos ram under the memory modules, and the C88 did not do the job.

It seems after removing all the cables, and the small battery, it gets to POST (I haven't assembled it yet, just connected the display panel)

So thanks again for the help. If somebody has any idea why symcmos does not work, or even better, how to enable AHCI (there is no BIOS option obviously :) ), please share the information.
If it's POSTing then you've cleared the NVRAM, which is success in my book!

As for AHCI, although it's nice to have all the latest acronyms, in reality there's little to be gained from using AHCI on that PC. You're not going to be hot-plugging the drive and there's little to be gained from NCQ - in fact it might reduce performance.
umiki
New visitors - please read the rules.
Posts: 3
Joined: Sun Apr 27, 2008 5:46 pm

Well, it did not work. After putting it back together nothing seems to have changed (blank screen, etc). If I disconnect most of the cables (Bluetooth etc.) then it will display the Toshiba logo, but it will stop and the blue bar will not move any further (it will stay at a bit under 1/4). Pressing F12 doesn't help. Pressing ESC will display some of the usual text stuff, but in French.
BIOS is Phoenix 6.00
zii
New visitors - please read the rules.
Posts: 2
Joined: Wed Jul 02, 2008 3:01 pm

Dear all,

I have a Sony Vaio SZ90PS and would like to locate the register to enable the VT. However, I cannot use the later BIOS revisions for this laptop because, being a Japanese market sold notebook, the US BIOS won't load. These perform a check on the machine name and this fails.

Current BIOS information is:

BIOS Ver: R0073N0
EC BIOS Ver: RK073N0
Machine name: VGN-SZ90PS

I have a copy of BIOS version R0083N0 for the Sz90PS and could load this if someone can tell me where the register lies for BIOS R0083N0.

I would be very grateful if someone knew the register number for this.

Best regards, z.
zii
New visitors - please read the rules.
Posts: 2
Joined: Wed Jul 02, 2008 3:01 pm

IntuitiveNipple wrote:

I'm fixing up some 64-bit bugs in libx86 right now. Once I'm happy with it I can link it to VT-enable.
Hi, IntuitiveNipple!

Did you ever progress with that project? The site:
https://launchpad.net/vt-enable
...does not list any code nor packages.
brightidea
New visitors - please read the rules.
Posts: 2
Joined: Wed Jul 23, 2008 8:04 am

Just a little contribution to this topic (although I know the thread's very old and probably inactive):

Bios image file R2101Q0.ROM

VT enable register found at 0x5BB. Change the value from [0000] to [0001] to switch it on

Hope this helps. Best of Luck to all of you.
brightidea
New visitors - please read the rules.
Posts: 2
Joined: Wed Jul 23, 2008 8:04 am

Hi Zi:

You may try register 38D or 390; check whichever is [0000] and make it [0001] using symcmos on a boot disk.

I can't guarantee anything and you may risk losing your computer. I'm just trying to help. You're on your own, pal.

Good luck.
zii wrote:Dear all,

I have a Sony Vaio SZ90PS and would like to locate the register to enable the VT. However, I cannot use the later BIOS revisions for this laptop because, being a Japanese market sold notebook, the US BIOS won't load. These perform a check on the machine name and this fails.

Current BIOS information is:

BIOS Ver: R0073N0
EC BIOS Ver: RK073N0
Machine name: VGN-SZ90PS

I have a copy of BIOS version R0083N0 for the Sz90PS and could load this if someone can tell me where the register lies for BIOS R0083N0.

I would be very grateful if someone knew the register number for this.

Best regards, z.
Dhalsim
New visitors - please read the rules.
Posts: 4
Joined: Sat Oct 20, 2007 3:01 pm

I've done some investigation about enabling AHCI on my Acer 5684.

First of all I upgraded to version 3.6 and I found that the tokens' order has not changed compared to version 3.5.
I've read some information about AHCI and it seems that to be able to use NCQ you must have an AHCI-enabled controller and an NCQ-enabled HD (of course). I upgraded the notebook with a good Seagate 320 GB and I would be very happy to use the NCQ feature. The Linux SATA driver (ata_PIIX) recognizes the NCQ queue, and hdparm -I also suggests the device supports NCQ, but it seems NCQ is not used (queue depth 0/32 message reported by dmesg). So I decided to find the token, enable AHCI and use the AHCI driver from the Linux kernel, which should be able to use the NCQ queue. I looked at http://forum.notebookreview.com/showthread.php?t=189228 and downloaded the two BIOSes. I decompressed those files using Phoenix BIOS Editor and looked at the disassembly of some BIOSCOD.ROM. Here is what I found:

The santa rosa vaio's BIOS:

0000070D  B88901            mov ax,0x189 //AHCI ENABLE Token
00000710  9AE04F00F0        call 0xf000:0x4fe0
00000715  0AC0              or al,al
00000717  74AE              jz 0x6c7
00000719  B140              mov cl,0x40
0000071B  0E                push cs
0000071C  E87300            call 0x792
0000071F  75A6              jnz 0x6c7
00000721  B8AE06            mov ax,0x6ae
00000724  9AE04F00F0        call 0xf000:0x4fe0
00000729  0AC0              or al,al
0000072B  7402              jz 0x72f
0000072D  B180              mov cl,0x80
0000072F  8AC1              mov al,cl
00000731  BBFA00            mov bx,0xfa
00000734  BA9003            mov dx,0x390
00000737  9A126800F0        call 0xf000:0x6812
0000073C  0AC9              or cl,cl
0000073E  740A              jz 0x74a
00000740  B03F              mov al,0x3f
00000742  BA9203            mov dx,0x392
00000745  9A126800F0        call 0xf000:0x6812
0000074A  E8C000            call 0x80d
0000074D  6661              popad
0000074F  CB                retf

The Napa Vaio's BIOS:

00001803  B85C01            mov ax,0x15c // AHCI ENABLE TOKEN
00001806  9AF24800F0        call 0xf000:0x48f2
0000180B  0AC0              or al,al
0000180D  74A9              jz 0x17b8
0000180F  B140              mov cl,0x40
00001811  0E                push cs
00001812  E82300            call 0x1838
00001815  75A1              jnz 0x17b8
00001817  B85D06            mov ax,0x65d
0000181A  9AF24800F0        call 0xf000:0x48f2
0000181F  0AC0              or al,al
00001821  7402              jz 0x1825
00001823  B180              mov cl,0x80
00001825  8AC1              mov al,cl
00001827  BBFA00            mov bx,0xfa
0000182A  BA9003            mov dx,0x390
0000182D  9AC75D00F0        call 0xf000:0x5dc7
00001832  E87700            call 0x18ac
00001835  6661              popad
00001837  CB                retf

Assuming those tokens from bogart's post are correct, I disassembled the corresponding BIOSCODX.ROM in my Acer BIOS and I found the same branch of code:

00000BF3  B80C00            mov ax,0xc // AHCI Enable token
00000BF6  9A403D00F0        call 0xf000:0x3d40
00000BFB  0AC0              or al,al
00000BFD  74A9              jz 0xba8
00000BFF  B140              mov cl,0x40
00000C01  0E                push cs
00000C02  E82300            call 0xc28
00000C05  75A1              jnz 0xba8
00000C07  B8F705            mov ax,0x5f7
00000C0A  9A403D00F0        call 0xf000:0x3d40
00000C0F  0AC0              or al,al
00000C11  7402              jz 0xc15
00000C13  B180              mov cl,0x80
00000C15  8AC1              mov al,cl
00000C17  BBFA00            mov bx,0xfa
00000C1A  BA9003            mov dx,0x390
00000C1D  9A3C5400F0        call 0xf000:0x543c
00000C22  E87700            call 0xc9c
00000C25  6661              popad
00000C27  CB                retf

Unfortunately, enabling the corresponding token 0x000C does not enable AHCI on my laptop. I'm investigating some of the subroutines called by those pieces of code, with no success. Any suggestions?

Although this method fails on the Acer BIOS, it should be tried on other Vaio BIOSes. In fact the Vaio BIOS and the Acer one are pretty different (in the Acer BIOS there are only six BIOSCODX.ROM files instead of seven, for example).

As the hardware is similar, is it possible to flash the Vaio's Napa BIOS on the Acer notebook? Has anyone tried before?


Edit - Removed errant [/code] tag. KW.
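
Added example (not part of Dhalsim's post or of any tool mentioned in the thread): the three listings above share one byte pattern, `mov ax,imm16` / far `call` / `or al,al` / `jz`, so a decompressed BIOSCOD module can be scanned for it to list candidate token reads and the routine they call. The sample bytes are transcribed from the Santa Rosa and Acer listings; treating the value in AX as a token number follows the poster's comments and is an assumption.

```python
import re
from collections import Counter

# Byte pattern shared by the three listings:
#   B8 lo hi          mov ax, imm16      (value passed to the routine)
#   9A ol oh sl sh    call far seg:off
#   0A C0             or al, al
#   74 rr             jz rel8
TOKEN_READ = re.compile(rb"\xB8(..)\x9A(..)(..)\x0A\xC0\x74(.)", re.DOTALL)

def le16(b: bytes) -> int:
    return int.from_bytes(b, "little")

def find_token_reads(code: bytes, base: int = 0):
    """Return one dict per match: address, AX value, call target, jz target."""
    hits = []
    for m in TOKEN_READ.finditer(code):
        rel = int.from_bytes(m.group(4), "little", signed=True)
        hits.append({
            "addr": base + m.start(),
            "token": le16(m.group(1)),  # assumed to be a token number
            "reader": f"{le16(m.group(3)):04x}:{le16(m.group(2)):04x}",
            # rel8 is relative to the byte after the jz instruction
            "jz_target": base + m.end() + rel,
        })
    return hits

def likely_reader(hits):
    """Most frequent far-call target: the probable token-read routine."""
    counts = Counter(h["reader"] for h in hits)
    return counts.most_common(1)[0][0] if counts else None

# Bytes transcribed from the Santa Rosa listing (0x70D) and the Acer listing (0xBF3).
SANTA_ROSA = bytes.fromhex(
    "B88901 9AE04F00F0 0AC0 74AE B140 0E E87300 75A6 B8AE06 9AE04F00F0 0AC0 7402"
    " B180 8AC1 BBFA00 BA9003 9A126800F0 0AC9 740A B03F BA9203 9A126800F0 E8C000 6661 CB")
ACER = bytes.fromhex(
    "B80C00 9A403D00F0 0AC0 74A9 B140 0E E82300 75A1 B8F705 9A403D00F0 0AC0 7402"
    " B180 8AC1 BBFA00 BA9003 9A3C5400F0 E87700 6661 CB")

if __name__ == "__main__":
    for name, code, base in (("santa rosa", SANTA_ROSA, 0x70D), ("acer", ACER, 0xBF3)):
        hits = find_token_reads(code, base)
        print(name, "reader", likely_reader(hits))
        for h in hits:
            print(f"  {h['addr']:#06x} token {h['token']:#06x} jz -> {h['jz_target']:#x}")
```

Matches are candidates only: the same bytes can occur in data, and as the post reports, setting a token located this way (0x000C on the Acer) did not enable AHCI.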
wagDj
New visitors - please read the rules.
Posts: 1
Joined: Thu Oct 23, 2008 1:28 am

Hi,

I have a cr-520E and I want to enable VT as well. Can you help me?

My BIOS is R3041Q0

Thanks
brightidea wrote:Just a little contribution to this topic (although I know the thread's very old and probably inactive):

Bios image file R2101Q0.ROM

VT enable register found at 0x5BB. Change the value from [0000] to [0001] to switch it on

Hope this helps. Best of Luck to all of you.