Guide to patch your chipset through BIOS modification

Only for programmers and BIOS gurus with technical questions.
Post Reply
Master Flasher
Posts: 173
Joined: Sun Mar 31, 2002 2:08 pm
Location: Taka Bonerate National Park, Indonesia

The purpose of this mod is to patch certain chipset regs (i.e. Host bridge). There are 2 ways to accomplish the task:
1. By modding original.tmp (main bios file extracted from a bios file) chipset register default value.
2. By adding a new ‘modified‘ bios rom file by means of CBROM to the original bios file (target bios)

detailed description:
1. To mod original.tmp, first extract original.tmp from the original bios file using awardmod , modbin or other toolz . In this case I use awardmod. Then edit the chipset register default value by searching the following bytes:
02 07 00 ;the value means :
02 ó somekind of separator between registers value
07 ó register number 70
00 ó device number 0 function 0 or hostbridge main function device
the complete bytes value depends on your bios but at most you’ll find this bytes only once in original.tmp. The address where you’ll find these bytes may vary but in my case it’s around 10e30 or segment 2 address 0e30.
The above value have the format:
02 70 00 xx xx yy yy
where : 02 ó somekind of regs separator
07 ó register number 70
00 ó dev 0 function 0
xx xx ó mask of the register’s default value
yy yy ó Default value of the reg (offset)
The mask bit were ANDed w/ default value to obtain the desired chipset register default value . Most of the time I modded the mask bit and the default value to get the desired tweaked value.
Note: èBefore u use the modded bios (of course after packing the original .tmp and other components back by using awardmod in my case) , check wheter it is GOOD or BAD by using modbin and cbrom (just open it, and see if it’s not odd looking)
èI Use HEXWORKSHOP and Hiew.exe to edit the original.tmp

2. To mod in the secondway. Ido the following procedure:
a. Get a working rom bios, in my case I use isa.bin (an isa rom bios) from SnakeEye ( BBS). Actually we could use another rom bios (I’ll try this).
b. Reverse engineer the rom bios, add, the routine u wish to add in the form of hex values. I do the following to SnakeEye’s isa.bin:
· I mod the rom bios using biosmod.exe, a program to mod NVIDIA’s card rom bios, available from Using biosmod , open the rom file (there possibly an error message since this is not nvidia’s native bios, tha’s o.k.,don’t worry). Open the HEXDUMP window from the view menu, then mod (add ur code) there.
· This is the partial code that I add:

Line no. Mnemonic HEX CODE Comment

1 pushad 66 60 Save all register
2 mov eax,80000064 66 B8 64 00 00 80 Put the address of the offset
in eax (offset 64 of device
00:00:00 <host bridge>)
3 mov dx,0CF8 BA F8 0C Enable pci config space
read/write (port CF8)
4 out dx,eax 66 EF Contd.
5 mov dx,0CFC BA FC 0C Data (offset values ) in the
regs accessed using this
routine (port CFC – CFF)
6 in eax,dx 66 ED Put the obtained reg value
(from address pointed by
above routine) to eax
register. The value that u’ll
find in eax are values of
offset 64,65, 66, and 67
7 or eax, 00020202 66 0D 02 02 02 00 Mask the bits data, offset
64,65, and 66 with 02 (set bit
1 of those offsets), offset 67
w/ 00 (do nothing to ofsett
8 out dx,eax 66 EF Set the value to the offsets
9 popad 66 61 Pop all initial regs values
10 ret C3 Return to main bios routine

After adding the routine, save the rom file (of course in biosmod.exe program).
Note: if you want to add extra tweaking value just repeat lines 2 through line 8 (of course by changing the offset addresses and values to the desired one), but remember that pci config space access always use 32 bits as the return value, so one access to the config space could mod 4 consecutive offsets.
· Add the patched rom file to the main bios file , in my case the modded rom is isa.bin and the main bios file is VD30224.bin so I invoke the following:
Cbrom207.exe VD30224.bin /isa isa.bin
to add the modded bios to main bios file, and it worked.

===> I'd like to thank to SnakeEye for his 'editable' patch :)
Post Reply