To help hackers learn more about how it all hangs together I'm going to attach the contents of the Phoenix BIOS Editor's compilation log (ROM.LOG) for the BIOS related to the nvram.lst and nvtoken.lst reported here. I'm also linking to the raw files and in particular the 23,000-line bios.map that contains all the public symbols and addresses/offsets (of real help in understanding the internal structure of the BIOS modules themselves).

In particular, you'll see that the BIOS function I've been calling dispatchManager() is, in fact, called dispatchLocalCall (E140:1BC1h) and it indirectly calls the real dispatchManager (DMCG:015Ch). You'll also see that BIOS module BCG (in bcg.rom module) contains NVTOKENSEG, which contains (amongst others) the symbol _nvTokenSegStart_ (F000:745Bh). Following this trail you'll discover the symbol nvTokenLabel (F000:7463h) denotes the base (index 0) of the BIOS Token-table - the first entry is cmosDviSSEnable. The end of the table is marked by nvTokenLabelEnd.

From nvtoken.lst we know that cmosCPU_VT_Ena = 002ACh. We can calculate the location in the table of this Token using:
nvTokenLabel + cmosCPU_VT_Ena
F000:7463 + 002AC = F000:770F
From what little analysis I've done of this so far, I'm expecting that the table contains groups of 3-byte entries that hold the data (start, width, media, and flags) reported in nvram.lst.
The BIOS would need start and width to translate a Token ID into the bits used in NVRAM.
From nvram.lst, it appears that:
- media uses 4 bits (0 - 7)
- start uses up to 16 bits (0 - 65535/32767/16383/8191)
- width uses 8 bits (0 - 255)
- flags uses 8 bits (00000000 - 11111111)
To fit those into 24 bits (3 bytes) I'd guess they can do away with either:
- width (8 bits), since it can be calculated from next_start - this_start
- start (16 bits), since it can be calculated by summing the widths of Token[0] ... Token[n-1]
Or possibly start only uses 12 bits.
This would explain why the Token IDs increment by 3. I guess originally the Token IDs were byte indexes. As NVRAM was required to store many more settings than the original CMOS RAM in the RTC, it looks as if the table was extended to contain 3-byte elements but to maintain backward compatibility the indexing remained based on 1-byte blocks. In other words, each index into the table needs to be a multiple of 3.
The binary ROM images I've looked at so far appear to have these offsets zeroed but I suspect there's some translation at work and we need to locate an alternate starting offset within the BIOS images.
ROM.LOG
Prepare v2.08.16.00 Mar 7 2005
(c) Phoenix Technologies Ltd.
SCRIPT FILE: rom.scr
EXECUTION TIMESTAMP: Mon Feb 12 17:26:06 2007
PREPARE/CATENATE Command Parser Ver 2.05.03.00 Mar 7 2005
Parsing: 'rom.scr'
Line: 87 BANKS -N:1 -S:1024
Line: 95 COMPRESS LZINT
Line:100 BOOTBLOCK bb.bin -S:64
Line:106 ROMEXEC romexec.rom
Line:107 ROMEXEC preshad.rom -Z
Line:108 BIOSCODE bcg.rom
Line:109 BIOSCODE fixed.rom
Line:110 BIOSCODE packed.rom
Line:111 BIOSCODE opcg.rom
Line:112 BIOSCODE scg.rom
Line:113 BIOSCODE postcode.rom
Line:114 BIOSCODE pnpcode.rom
Line:115 DISPLAY dispman.rom
Line:116 STRINGS strings.rom
Line:119 DECOMPCODE decomp.rom
Line:124 OPROM vga.bin -X
Line:125 OPROM b57pxee.bin -x
Line:126 OPROM raid_mob.bin -X
Line:131 SETUP setup.bin
Line:132 TEMPLATE nodes.rom
Line:137 MISER miser.rom
Line:138 MODULE smi.rom -C:Q0
Line:143 MODULE usbhigh.rom -C:H0
Line:148 ACPI calistga.aml
Line:149 ACPI facp.bin
Line:150 ACPI apic.bin
Line:151 ACPI hpet.bin -X
Line:152 ACPI mcfg.bin
Line:153 ACPI tcpa.bin -X
Line:158 HOLE -S:64 -A:0xFFF60000
Line:162 HOLE -S:56 -A:0xFFF82000
Line:167 BIOSENTRY -A:0xFFFE0000
Line:172 UPDATE p6update.rom -A:0xFFF10000
Parsing: 'h:\hf5802\ROM.ICR'
Line: 6 MODULE $(NUBIOS)\FEATURES\SECURITY\TCG\TPM\INFN\9630.002\tpmmpdrv.rom -C:Y0
Line: 7 LOGO BOOTSCRN.BIN
Line: 8 LOGO SCREEN1.BIN
Line: 9 MODULE $(NUBIOS)\MODULES\AUTHMOD\STROMP.bin -C:K0
PREPARE/CATENATE Command Parser END
Global Compression Mode = LZINT
Module: BOOTBLOCK
Module: ROMEXEC
Module: ROMEXEC
Module: BIOSCODE * COMPRESSED *
Module: BIOSCODE * COMPRESSED *
Module: BIOSCODE * COMPRESSED *
Module: BIOSCODE * COMPRESSED *
Module: BIOSCODE * COMPRESSED *
Module: BIOSCODE * COMPRESSED *
Module: BIOSCODE * COMPRESSED *
Module: DISPLAY * COMPRESSED *
Module: STRINGS * COMPRESSED *
Module: DECOMPCODE
Module: OPROM
Module: OPROM
Module: OPROM
Module: SETUP * COMPRESSED *
Module: TEMPLATE * COMPRESSED *
Module: MISER * COMPRESSED *
Module: MODULE * COMPRESSED *
ERROR: Compressed file is >= Expanded file!
Module: MODULE * COMPRESSED *
Module: ACPI * COMPRESSED *
Module: ACPI * COMPRESSED *
Module: ACPI * COMPRESSED *
Module: ACPI
Module: ACPI * COMPRESSED *
Module: ACPI
Module: UPDATE
Module: MODULE * COMPRESSED *
Module: LOGO * COMPRESSED *
Module: LOGO * COMPRESSED *
Module: MODULE * COMPRESSED *
32 Files Processed 22 Files Compressed.
Prepare Completed with 1 Errors.
Catenate v2.98.17.00 Feb 17 2005
(c) Phoenix Technologies Ltd.
Catenate Start 02/12/07 17:26:09
PREPARE/CATENATE Command Parser Ver 2.05.02.00 Feb 16 2005
Parsing: 'rom.scr'
Line: 87 BANKS -N:1 -S:1024
Line: 95 COMPRESS LZINT
Line:100 BOOTBLOCK bb.bin -S:64
Line:106 ROMEXEC romexec.rom
Line:107 ROMEXEC preshad.rom -Z
Line:108 BIOSCODE bcg.rom
Line:109 BIOSCODE fixed.rom
Line:110 BIOSCODE packed.rom
Line:111 BIOSCODE opcg.rom
Line:112 BIOSCODE scg.rom
Line:113 BIOSCODE postcode.rom
Line:114 BIOSCODE pnpcode.rom
Line:115 DISPLAY dispman.rom
Line:116 STRINGS strings.rom
Line:119 DECOMPCODE decomp.rom
Line:124 OPROM vga.bin -X
Line:125 OPROM b57pxee.bin -x
Line:126 OPROM raid_mob.bin -X
Line:131 SETUP setup.bin
Line:132 TEMPLATE nodes.rom
Line:137 MISER miser.rom
Line:138 MODULE smi.rom -C:Q0
Line:143 MODULE usbhigh.rom -C:H0
Line:148 ACPI calistga.aml
Line:149 ACPI facp.bin
Line:150 ACPI apic.bin
Line:151 ACPI hpet.bin -X
Line:152 ACPI mcfg.bin
Line:153 ACPI tcpa.bin -X
Line:158 HOLE -S:64 -A:0xFFF60000
Line:162 HOLE -S:56 -A:0xFFF82000
Line:167 BIOSENTRY -A:0xFFFE0000
Line:172 UPDATE p6update.rom -A:0xFFF10000
Parsing: 'h:\hf5802\ROM.ICR'
Line: 6 MODULE $(NUBIOS)\FEATURES\SECURITY\TCG\TPM\INFN\9630.002\tpmmpdrv.rom -C:Y0
Line: 7 LOGO BOOTSCRN.BIN
Line: 8 LOGO SCREEN1.BIN
Line: 9 MODULE $(NUBIOS)\MODULES\AUTHMOD\STROMP.bin -C:K0
PREPARE/CATENATE Command Parser END
PART DESCRIPTION: 1 Banks of 1024 kBytes (1024 KBytes 8 MegaBits)
KNOWN CLASS CODES
-------------------------------------------------------------------------
$ - MAC * - AUTOGEN @ - STARTUP
A - ACPI B - BIOSCODE C - UPDATE
D - DISPLAY E - SETUP F - MARKS
G - DECOMPCODE I - BOOTBLOCK L - LOGO
M - MISER N - ROMPILOTLOAD O - NETWORK
P - ROMPILOTINIT R - OPROM S - STRINGS
T - TEMPLATE U - USER W - WAV
X - ROMEXEC
------------------------------------------------------------------------
================================== MODULE MAP ================================
Class Code
. Instance
. .
C I B START END LENGTH B LINK1 B LINK2 MODULE NAME
---- ----------- --------- ------ ----------- ----------- ------------
I 0 0 FFFF 0000 FFFF FFFF 10000 ----- ----- BB.MOD
---- 0 FFFE FFFD FFFE FFFF 3 ----- ----- FREE
X 0 0 FFFE 8E5D FFFE FFFC 71A0 0 FFFE 82EF ----- ROMEXEC.MOD
D 0 0 FFFE 82EF FFFE 8E5C B6E 0 FFFE 7EA4 ----- DISPMAN.MOD
G 0 0 FFFE 7EA4 FFFE 82EE 44B 0 FFFE 7E5C ----- DECOMP.MOD
H 0 0 FFFE 7E5C FFFE 7EA3 48 0 FFFE 6566 ----- USBHIGH.MOD
A 0 0 FFFE 6566 FFFE 7E5B 18F6 0 FFFE 64E3 ----- CALISTGA.MOD
A 1 0 FFFE 64E3 FFFE 6565 83 0 FFFE 6474 ----- FACP.MOD
A 2 0 FFFE 6474 FFFE 64E2 6F 0 FFFE 6421 ----- APIC.MOD
A 3 0 FFFE 6421 FFFE 6473 53 0 FFFE 63CF ----- HPET.MOD
A 4 0 FFFE 63CF FFFE 6420 52 0 FFFE 6381 ----- MCFG.MOD
A 5 0 FFFE 6381 FFFE 63CE 4E 0 FFFE 59E6 ----- TCPA.MOD
Y 0 0 FFFE 59E6 FFFE 6380 99B 0 FFFE 59A3 ----- h:\hf5802\FEATURES\SECURITY\TCG\TPM\INFN\9630.002\TPMMPDRV.MOD
* 0 0 FFFE 59A3 FFFE 59E5 43 0 FFFE 4FE0 ----- AUTOGEN.MOD
B 0 0 FFFE 4FE0 FFFE 59A2 9C3 0 FFFE 0005 0 FFF9 0000 BCG.MOD (0)
X 1 0 FFFE 0005 FFFE 4FDF 4FDB 0 FFFD B059 ----- PRESHAD.MOD
---- 0 FFFE 0004 FFFE 0004 1 ----- ----- FREE
---- 0 FFFE 0000 FFFE 0003 4 ----- ----- BIOSENTRY
S 0 0 FFFD B059 FFFD FFFF 4FA7 0 FFFC B03E ----- STRINGS.MOD
R 0 0 FFFC B03E FFFD B058 1001B 0 FFFB C023 ----- VGA.MOD
R 1 0 FFFB C023 FFFC B03D F01B 0 FFFA E408 ----- B57PXEE.MOD
R 2 0 FFFA E408 FFFB C022 DC1B 0 FFFA A3CC ----- RAID_MOB.MOD
E 0 0 FFFA A3CC FFFA E407 403C 0 FFFA 6511 ----- SETUP.MOD
T 0 0 FFFA 6511 FFFA A3CB 3EBB 0 FFFA 11C8 ----- NODES.MOD
M 0 0 FFFA 11C8 FFFA 6510 5349 0 FFF9 A2AB ----- MISER.MOD
Q 0 0 FFF9 A2AB FFFA 11C7 6F1D 0 FFF9 8142 ----- SMI.MOD
L 0 0 FFF9 8142 FFF9 A2AA 2169 0 FFF9 7548 ----- BOOTSCRN.MOD
L 1 0 FFF9 7548 FFF9 8141 BFA 0 FFF9 2C39 ----- SCREEN1.MOD
K 0 0 FFF9 2C39 FFF9 7547 490F 0 FFF7 2B48 ----- h:\hf5802\MODULES\AUTHMOD\STROMP.MOD
---- 0 FFF9 0000 FFF9 2C38 2C39 ----- 0 FFF7 DD37 BCG.MOD (1)
---- 0 FFF8 2000 FFF8 FFFF E000 ----- ----- (null)
---- 0 FFF8 0000 FFF8 1FFF 2000 ----- ----- ESCD
---- 0 FFF7 DD37 FFF7 FFFF 22C9 ----- ----- BCG.MOD (2)
B 1 0 FFF7 2B48 FFF7 DD36 B1EF 0 FFF7 0000 ----- FIXED.MOD (0)
B 2 0 FFF7 0000 FFF7 2B47 2B48 0 FFF5 56FE 0 FFF5 758A PACKED.MOD (0)
---- 0 FFF6 0000 FFF6 FFFF 10000 ----- ----- (null)
---- 0 FFF5 758A FFF5 FFFF 8A76 ----- ----- PACKED.MOD (1)
B 3 0 FFF5 56FE FFF5 7589 1E8C 0 FFF5 4211 ----- OPCG.MOD (0)
B 4 0 FFF5 4211 FFF5 56FD 14ED 0 FFF5 1516 ----- SCG.MOD (0)
B 5 0 FFF5 1516 FFF5 4210 2CFB 0 FFF4 8512 ----- POSTCODE.MOD (0)
B 6 0 FFF4 8512 FFF5 1515 9004 0 FFF1 0000 ----- PNPCODE.MOD (0)
---- 0 FFF1 F81B FFF4 8511 28CF7 ----- ----- FREE
C 0 0 FFF1 0000 FFF1 F81A F81B ----- ----- P6UPDATE.MOD
---- 0 FFF0 0000 FFF0 FFFF 10000 ----- ----- FREE
==============================================================================
1st Link = Bank 0 Address: FFFE 8E5D
NOTES: Link1 is the module linkage chain.
Link2 is the linkage within a fragmented module.
Total BIOS Size: C7305h/ 815877
Total Free Space: 38CFBh/ 232699
ROM Size: 100000h/ 1048576
CHECKSUM AT: 0EFFFC(in File) VALUE: BC
0 Errors/0 Warnings.
Catenate Done 02/12/07 17:26:10
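The MODULE MAP that Catenate prints above can be checked mechanically rather than by eye. The following is an added example, not code from the post or from Phoenix's tools: it parses a constructed excerpt of the map rows (copied from the log above, including all four FREE rows), verifies each LENGTH column against END - START + 1, totals the FREE rows so the result can be compared with the "Total Free Space" line, and follows a module's LINK1 (the module linkage chain) to the row it lands in.

```python
import re

# Constructed excerpt of the MODULE MAP rows from ROM.LOG above. Columns are
# class, instance, bank, START, END, LENGTH, LINK1, LINK2, name; FREE/hole
# rows collapse class and instance into "----".
MODULE_MAP = """\
I 0 0 FFFF 0000 FFFF FFFF 10000 ----- ----- BB.MOD
---- 0 FFFE FFFD FFFE FFFF 3 ----- ----- FREE
X 0 0 FFFE 8E5D FFFE FFFC 71A0 0 FFFE 82EF ----- ROMEXEC.MOD
D 0 0 FFFE 82EF FFFE 8E5C B6E 0 FFFE 7EA4 ----- DISPMAN.MOD
---- 0 FFFE 0004 FFFE 0004 1 ----- ----- FREE
---- 0 FFFE 0000 FFFE 0003 4 ----- ----- BIOSENTRY
---- 0 FFF1 F81B FFF4 8511 28CF7 ----- ----- FREE
---- 0 FFF0 0000 FFF0 FFFF 10000 ----- ----- FREE
"""

ADDR = r"[0-9A-F]{4} [0-9A-F]{4}"   # "FFFE 8E5D" is one 32-bit address split in two
LINK = rf"-----|\d {ADDR}"           # a link is "-----" or "bank hi lo"
ROW = re.compile(rf"^(?P<cls>\S+)(?:\s+(?P<inst>\d+))?\s+(?P<bank>\d)"
                 rf"\s+(?P<start>{ADDR})\s+(?P<end>{ADDR})\s+(?P<length>[0-9A-F]+)"
                 rf"\s+(?P<link1>{LINK})\s+(?P<link2>{LINK})\s+(?P<name>.+)$")

def _addr(field):
    # "FFFE 8E5D" or "0 FFFE 8E5D" -> int; "-----" -> None (this ROM has one bank)
    return None if field == "-----" else int(field.replace(" ", "")[-8:], 16)

def parse_module_map(text):
    """Return one dict per map row with start/end/length/link1 as integers."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"name": m["name"], "start": _addr(m["start"]),
                         "end": _addr(m["end"]), "length": int(m["length"], 16),
                         "link1": _addr(m["link1"])})
    return rows

def bad_lengths(rows):
    """Names whose LENGTH column disagrees with END - START + 1."""
    return [r["name"] for r in rows if r["end"] - r["start"] + 1 != r["length"]]

def free_space(rows):
    """Sum of the FREE rows; compare with Catenate's 'Total Free Space' line."""
    return sum(r["length"] for r in rows if r["name"] == "FREE")

def module_at(rows, addr):
    """The row whose [START, END] range contains addr, or None."""
    return next((r for r in rows if r["start"] <= addr <= r["end"]), None)

def link1_target(rows, name):
    """Follow a module's LINK1 and report the row it points into (None if absent)."""
    row = next(r for r in rows if r["name"] == name)
    hit = module_at(rows, row["link1"]) if row["link1"] is not None else None
    return hit["name"] if hit else None
```

With the excerpt above, free_space() returns 38CFBh, the same figure the log reports, and ROMEXEC.MOD's LINK1 resolves to the START of DISPMAN.MOD.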