Acer Travelmate 5530G CPU upgrade to Turion Ultra ZM-87 - thermal throttling

[kizwan]

^^Previous post is a short/summarized version. For the long version, I just quote what asscut told me. I'm not understand some part of it yet but for now I can disassembled the BIOS using IDA & analyzed the instruction.

Hi!
IDA is working with segment address, BIOS (firmware) is working with linear address and processor is
working with physical address. Our purpose is calculate a physical address in order to understand the
code. At the same time, in real mode, the linear address coincides with the physical. In protected mode
is not the same and is calculated using a special algorithm.
The first phase of work with IDA is getting the segment address from linear BIOS address, this will give
an example (D4700A10.rom) how:
Theory
The entry point to all the BIOS is the address FFFFFFF0 (linear). He is an alias address 000FFFF0 (in 1Mbit
BIOS chip ), or 0007FFF0 (in 512 Mbit). Last 64 kB is 000F0000-000FFFFF (linear) or F000:0000-F000:FFFF
(segment). For 512 kB chip: 00070000-0007FFFF(linear) or 7000:0000-7000:FFFF(segment).
Where in the segment address F000 is BASE, 0000-FFFF is OFFSET; or 7000 is BASE and 0000-FFFF is
OFFSET into segment. Linear address=Segment BASE shifted left on 4 bits+OFFSET. Ex: base F000, offset
1000, linear address=
shifted base F0000+1000=F1000.
The challenge for understanding. Сomputational linear address: base 0040, offset 0067.Answer 467.

Practiсe.
Load file.rom into IDA. We look forward to. Create a segment in the last 64 kilobytes of code.To do this
click EDIT->SEGMENTs->Create segment->
A pop-up window select the settings:
NAME- I always select the name of F000, you can specify any.
Start address: 0x00070000
End adress: 0x00080000
Base: 0x7000
Class: Code
put a point on a 16-bit-> push OK.
Result: we made 64 kB segment into file.rom named "F000".
go to F000:FFF0 to start

I have been told all BIOS have the same entry point which is F000:FFF0. I already tested this on two different BIOS, Dell BIOS & Phoenix BIOS. They have the same entry point. Next, just follow the jump instruction to find the rest of the instruction code.

BTW, don't forced IDA when analyzed the instruction. When dialog box popup asking whether you want to forced it or not, just click NO or CANCEL. I don't know the best approached for this but for now I don't want to forced it.

(Regarding the .ROM file.) Usually there are two files; 1) .ROM/.BIN & 2) .WPH; in the BIOS package. .WPH is a BIOS image + platform data/signature at the end of the file. .ROM only contain BIOS image. The .ROM file is the one we want to disassembled. In case there is only one file in the BIOS package, to get the .ROM (BIOS image) from it is easy. If the length of the content is 0x20XXXX, then the .ROM is from offset 0x000000 to 0x200000. If the length of the content is 0x10XXXX, then the .ROM is from offset 0x000000 to 0x100000. (and so on.)

[Blasku]

Sorry for the long pause again. I've started following your instructions in IDA, and all I can say is that this could be a fun game if there weren't so many attempts to deceive the human reader where the execution jumps next .
I especially like the parts where it increases and/or subtracts from a register then jumps to its value in the F000 segment.
I've found some wrmsr instructions with a familiar MSR address loaded into ECX before them. One such was "0C001001Fh" which is MSRC001_001F Northbridge Configuration Register (NB_CFG). So that looks promising...
What I'll have to look for then is the string "0C0010062h". If that is moved into ECX and wrmsr executed afterwards, then that is a p-state switch.

[kizwan]

Don't worry. I'm surprise you still have time to look into this during your vacation.

We're actually falling behind. I heard BIOS-MODS team already able to read ROMEXECx.ROM module.

[Blasku]

I think I'm quite stuck with disassembling the entire BIOS image. I've even used Excel spreadsheets to keep track of the registers' contents (although when EAX is loaded from an IO port, I really don't have a clue what's in there, not that EAX is used in jump instructions...), but no success. I've gotten to a point where it jumps to EBX's content address, but that points me to padding zeros (dead end)!
Is there a chance that some of these new findings by the BIOS-mod team could be leaked out ? It sure would be easier to know the entry points of the BIOSCOD_ files .

[kizwan]

It sure would be easier to know the entry points of the BIOSCOD_ files .

This is the next thing I want to find out.

BTW, I don't see ROMEXEC mod can be useful for adding support for new CPU. I think we're in the right track. Next, we need to look into AGESA module. I strongly believe we need to update AGESA module too.

[Blasku]

Right, I think I might have mixed the ROMEXEC modules with BIOSCOD modules .
Anyway, I've returned to looking at the AGESA modules from the Ferrari 1200's and FuSi Sa3650's BIOS, and I might have already mentioned this, but my TravelMate seems to have version 4.4.0.0, while the Ferrari has 4.3.0.0 and the Amilo has 4.1.0.2 or something. Isn't the AGESA module supposed to be uniform? If yes then are you sure switching the current one to an older version is going to help?
And what I'm really interested in is the offset at which the AGESA module starts (and ends) in the _C00.PEI file. I'll look into that...

[kizwan]

Actually I have never heard AGESA before until you mentioned it to me. But I believe AGESA module is uniform too, just like microcode. I think it's time to trial & error.

[Blasku]

BTW, I've tried setting the F3xDC register under Linux, and it doesn't seem to work at all . I used `setpci` for the task, and now I can't decide if setpci uses some protected mode to not have to actually set the register, or the CPUFreq module / kernel doesn't even use these registers (that would be gold )?
Any Linux guru around here who could tell me how throttling is implemented on this low (hardware register) level?

P.S.: I'll try to find the time/patience to switch the AGESA soon.

[Blasku]

Right, I still didn't do anything productive yet, but I'll edit this post the moment I switched my AGESA module. In the meantime, for anyone who's interested: the people at Rebel's Haven already found out where the AGESA starts.

[Blasku]

OK, time to wrap things up here. I've given up on modifying the BIOS, obviously. The fallback solution is working great, so the problem is actually solved.
The reason I'm writing this post is that I can now set the register under Linux successfully. In fact, I always could! What I forgot was to restart the powernow_k8 module afterwards. It would seem that the module doesn't look for changes in the PCI registers after it has been initialized, which makes a lot of sense: that would be a waste of CPU time.
I've attached both the Windows batch and Linux shell scripts that I use for setting the lowest P-state. It could be useful as a sample for anyone that stumbles upon this topic.