Tracing NVRAM Registers
NOTE: PLEASE DO NOT EDIT THIS PAGE YET, I HAVE JUST POSTED IT AND NEED SOME TIME TO FIX LINKS AND REFORMAT THE ARTICLE (and learn how to use WikiMedia while doing so...). I will remove this message when I am done with these tasks.
In this tutorial, I will be explaining how to trace NVRAM registers from your symcmos Token Table dump to their respective text strings in STRINGS0.ROM and vice versa.
This tutorial will be divided into two sections. The first section will cover tracing from Default.txt (Token Table dump from symcmos) to the STRINGS0.ROM file. The second section will detail tracing from the STRINGS0.ROM file to Default.txt (Token Table dump).
Both methods use the "TEMPLAT0.ROM" file as the intermediary: it is the only module that holds both the register (token) number and the string IDs that lead to the human-readable text.
NOTE: If you wish to discuss this article, please do so in this thread. Questions, comments, and suggestions are also welcome here.
Downloads:
• R0070J4_BIOSfiles.rar : This archive contains several files. The included README.txt file explains the significance of each file if you are interested, but for this tutorial you will only need the "Default.txt" and "bios.wph" files.
• AndyP's PhoenixTool v2.54
• HxD Hex Editor - download page
• Universal BIOS Backup Toolkit v2.0 - download page | NOTE: Your anti-virus program will probably freak out on this download...
Prerequisites:
• HxD Hex Editor : Any hex editor will do, but this one is free and very functional for both novice and experienced users.
• AndyP's PhoenixTool : This program will be used to extract the BIOS image into its modules.
• Default.txt : This file is the NVRAM Token Table dump obtained from symcmos. This is what I named mine; yours may be different depending on your personal preferences.
• symcmos : You will need this DOS utility if you are planning on tracing and modifying your own NVRAM registers.
• Universal BIOS Backup : You will only need this program if you are performing this process on your own BIOS (which is the ultimate goal of this tutorial).
Tracing NVRAM registers from Default.txt to STRINGS0.ROM
1.) Use PhoenixTool to extract your BIOS image. The extracted BIOS modules will be placed in a directory called "DUMP" in the same folder as the BIOS image you extracted. Example: If you place the image on the desktop and extract it, you will find the DUMP directory on the desktop.
2.) Enter the DUMP directory
3.) There are only 2 files that you will need from this directory. They are called "STRINGS0.ROM" and "TEMPLAT0.ROM". Open these two files in a hex editor. In some BIOS images the two modules are named with two 0's instead of one (STRINGS00.ROM and TEMPLAT00.ROM).
The STRINGS module contains the plain text (human readable) strings that will identify the setting's name and, in most cases, the setting's description.
The TEMPLAT module contains the full layout of the entire BIOS menu. It also contains functions, but these are irrelevant to this tutorial (I will be covering these at a later date as I learn more about them; I am currently investigating...). The part of the TEMPLAT module that matters for this tutorial is the item string: a short chain of bytes describing each BIOS setting. The register (token) number and the IDs of the setting's name and option strings are contained within these chains.
4.) The STRINGS module starts with a header. You will need to delete this header before you begin your "register hunting", because every offset referenced from the TEMPLAT module is relative to the data after the header. If you do not delete it, every offset you jump to will be, quite literally, offset. To do this, select the first 1Ch (the "h" means that this is a hex value) bytes of the file and delete them. 1C in hex is equal to 28 in decimal, so you are deleting the first 28 bytes. (If you would rather leave the file intact, the equivalent is to add 1Ch to every offset you jump to in STRINGS0.ROM.)
In this BIOS image, here are the first 1Ch bytes:
53 54 52 50 41 43 4B 2D 42 49 4F 53 00 00 00 00 00 00 00 00 00 00 00 00 01 00 02 00
In the text column, this would be:
STRPACK-BIOS................
5.) Open Default.txt in notepad (or any other text editor).
NOTE: This method of register hunting is the less useful of the two if you are searching for a particular setting by name. It is the method to use when you want to identify the function of ALL of the registers in the dump (like I did in my BIOS image).
INFO: You will choose a register whose function you want to identify and search for it, in little-endian byte order, in TEMPLAT0.ROM (do not do this yet). From there, you will trace it to its text string in STRINGS0.ROM. I will elaborate on how to do this in the following steps.
6.) In this tutorial, I will be using register "0318" as an example. This just so happens to be the VT-x register for this BIOS. Here is the format of the Default.txt file:
(0312) [0005]
(0318) [0000]
(031B) [0000]
The first column, in parentheses, is the Token ID (the register number). The second column, in square brackets, is the register's current value. "0318" is the register I will be using in this tutorial. It is currently set to [0000].
7.) Before searching for the register in TEMPLAT0.ROM, you will need to convert the value to little-endian byte order, which is how the value is stored in the file. To do this, swap the high-order (or "most significant") byte with the low-order (or "least significant") byte: "0318" ------> "1803". You will need to do this before every hex search for a register or string ID, with the exception of text searches.
8.) On your keyboard, press "Ctrl+F". This is the keyboard shortcut for the search function in HxD. A little search window will come up. Before entering "1803", click the drop down menu next to "datatype:" and select "Hex-values" as you are performing a hex search. Under search direction, click the "All" radio button.
9.) Search for "1803" (the byte-swapped NVRAM register).
Please read this reference information BEFORE you continue with this process.
<quote>Code chain [Mode;Length;Strings;Fillers;Token;Strings]
Mode: (meaning of the first byte)
00 = Pick Field
01 = Pick Field
10 = Generic Text
11 = Information
20 = Date
21 = Time
22 = Password
24 = Function
FF = ???
Length: (meaning of the second byte) Length of the code chain
Strings: call to strings in STRINGS0.ROM
Fillers: "Filler bytes" are offset-jump-tables, calls to some "execution code" below $PDW
Token: Token Value contains media table and more.
Strings: call to strings in STRINGS0.ROM, mostly "Enabled", "Disabled", "Auto", ... Shared values, called many times as the text is seen many times in the BIOS Setup Menu.
Here is an example of one with an information field, 'CPU Type'
----------------------------------------------------------------------------------------
0x19BD: 11 0C 8802 0000 0A60 1560 2160
11 = Information
0C = Length
0288 = call to string in STRINGS0.ROM "CPU Type"
0000 = nop
600A, 6015, 6021 = offset-jump-table
----------------------------------------------------------------------------------------
Another example of one with a data field, 'VT Feature'
----------------------------------------------------------------------------------------
0x134B: 00 14 4203 4403 0A50 FF4F E94F F44F 1803 3E06 4006
00 = Pick Field
14 = Length
0342 = call to string in STRINGS0.ROM "VT Feature"
0344 = call to string in STRINGS0.ROM "" (item description, too long to put here)
500A, 4FFF, 4FE9, 4FF4 = offset-jump-table
0318 = Token
063E = call to string in STRINGS0.ROM "Disabled"
0640 = call to string in STRINGS0.ROM "Enabled"
</quote>
CREDITS: Full credit for this information goes to "bob12x" from notebookreview.com who posted this (in post #38) in the thread titled "Acer Laptop with Phoenix BIOS: Enable Virtualization (Test Machine: Acer Aspire 9420)".
NOTE: I have replaced all of the code from his example BIOS with the code from my BIOS image.
In this BIOS image, the first result the hex editor finds is NOT the chain you want; the chain you want is the second result, so press "F3" on your keyboard (HxD shortcut for "find next"). Which hit is the right one varies from register to register: the two bytes "18 03" can occur anywhere in the module (inside filler bytes, other chains, or code), so the number of false hits depends on how many times that byte pair happens to appear before the real chain.
To help you identify what is a string that you want and what isn't, consider the following:
• ALL of the item strings in the TEMPLAT module follow the format described above, no matter what their length happens to be. The chain always starts with a byte telling you the type of string, followed by a byte telling you the length of the chain (in hex), and so on.
• The option strings of a BIOS setting ALWAYS come directly after the register. Likewise, the register is ALWAYS the word (2 bytes) immediately before the options. For the VT-x setting, we know that there are only 2 options, "Enabled" and "Disabled". Each option takes up 1 word (2 bytes), so count back 4 bytes from the end of the VT-x chain; the 2 bytes before those 4 end bytes are the register. A hit that is not followed by a plausible run of option IDs, or that does not sit inside a chain whose mode and length bytes make sense, is a false positive.
NOTE: I will be posting another mini-tutorial within this tutorial describing how to trace what you suspect is an option name (enabled, auto, etc.) to STRINGS0.ROM to determine where the options begin/end so that you can easily find the register (it is actually the same process used to trace the register and the item string call).
10.) Now that you are on the second result, your string should look like this:
00 14 42 03 44 03 0A 50 FF 4F E9 4F F4 4F 18 03 3E 06 40 06
"3E06" and "4006" are references to the "disabled" and "enabled" options in the STRINGS module. "1803" is the register that you searched for and should be highlighted right now.
INFO: You will now need to convert the item string call to little-endian order and use the goto function to jump to that offset in STRINGS0.ROM.
11.) Go to the beginning of the chain. The first byte "00" is the type of string. The second byte "14" is the length of this chain in hex. 14h = 20 in decimal, so this chain is 20 bytes long. The 3rd and 4th bytes are ALWAYS the item string call (the ID of the setting's name) regardless of the size of the chain. The item string call in this chain is "4203". As before, you will need to convert this to little-endian order. Swap the first byte with the second byte to get "0342".
12.) Switch to the STRINGS0.ROM file. This is the file you will be using for the remainder of this "register hunting" method.
13.) Use the goto function (shortcut key in HxD = "Ctrl+G") and type in "0342". Press enter. This will take you to the offset 0x0342.
NOTE: The leading "0" is not actually required in this case, but I very highly recommend keeping it there to avoid confusions.
14.) Look at where the cursor landed (and is now blinking). The string ID does not point at the text itself; it points at a 2-byte entry in a table of little-endian offsets, and that entry points at the text. Take the two bytes at the cursor, "2E2E", and convert them to little-endian order. Conveniently, in this case the result is the same: "2E2E".
15.) Use the goto function again to go to the offset that you obtained in Step #14.
16.) Look in the text column of the hex editor. You will see a dotted box around a letter. Read the text string that starts at the boxed letter. You should see "VT Feature" without the quotes. It is separated from the neighbouring text strings by dots (null bytes). This is the setting that the register "0318" controls. Note that the option strings in the chain are listed in the order "Disabled" (063E) then "Enabled" (0640), and the value in Default.txt selects one of them: to enable this setting, change (0318) [0000] to (0318) [0001]; to disable it, set it back to (0318) [0000]. After the value change, you would save the file, boot into DOS, and apply it with symcmos. I will be updating this tutorial with the proper commands for reading from and writing to the CMOS NVRAM.
If you did not see this text, you likely made one of two mistakes:
• You mistyped a character somewhere in the process.
• You forgot to delete the 28 byte header of the STRINGS0.ROM file. This is an extremely common mistake.
If you did see this text, congratulations! You have successfully identified the function of the "0318" register.
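The whole hunt above (byte-swap the register, find it in TEMPLAT0.ROM, skip false hits, read the item string call, follow the offset table in the header-less STRINGS0.ROM) can be scripted so that every token in Default.txt is resolved in one pass. The script below is an added example written for this page; it is not part of the original tutorial and not a tool from the thread it credits. It reads both modules as plain files and also runs the lookup in the opposite direction (setting name back to token), using the same table structure. The two ROM images it builds are CONSTRUCTED stand-ins that place the tutorial's own bytes and IDs at the offsets the tutorial quotes; the "(item description)" text, the decoy hit at 0x100 and the rule that a chain starts at the nearest pick-field mode byte whose length lands the token right before the option IDs are assumptions of this example, not facts from the page.

```python
"""Added example (not the tutorial's own code): scripted version of steps 4-16
of the Phoenix NVRAM register hunt, plus the reverse lookup. The ROM images in
build_sample_modules() are CONSTRUCTED from the tutorial's quoted bytes."""
import re
import struct

STRINGS_HEADER_LEN = 0x1C        # the "STRPACK-BIOS" header deleted in step 4
PICK_FIELD_MODES = {0x00, 0x01}  # chain modes that carry a token (bob12x's table)
MAX_CHAIN_WALKBACK = 64          # ASSUMPTION: chains are short; bounds the search


def le16(word):
    """Byte-swap a 16-bit value into the pair typed into HxD: 0x0318 -> 18 03."""
    return struct.pack("<H", word)


def parse_default_txt(text):
    """Read symcmos lines such as '(0318) [0000]' into {token: value}."""
    return {int(t, 16): int(v, 16)
            for t, v in re.findall(r"\(([0-9A-Fa-f]{4})\)\s*\[([0-9A-Fa-f]{4})\]", text)}


def strip_header(strings_rom):
    """Step 4: drop the 1Ch-byte header so string IDs become direct offsets."""
    if strings_rom[:12] != b"STRPACK-BIOS":
        raise ValueError("not a STRPACK-BIOS strings module")
    return bytes(strings_rom[STRINGS_HEADER_LEN:])


def resolve_string(strings, string_id):
    """Steps 13-16: the ID indexes a table of little-endian u16 offsets; the
    entry points at a NUL-terminated string in the same header-less module."""
    (text_off,) = struct.unpack_from("<H", strings, string_id)
    return strings[text_off:strings.index(b"\x00", text_off)].decode("ascii")


def find_le16_hits(blob, word):
    """Steps 8-9: every offset of the byte-swapped word; some are false hits."""
    needle, hits, pos = le16(word), [], 0
    while (pos := blob.find(needle, pos)) != -1:
        hits.append(pos)
        pos += 1
    return hits


def parse_chain(templat, start, n_options=2):
    """Decode one code chain [mode][length][name id]... For pick fields the token
    is the u16 just before the option IDs, so n_options is supplied by the caller
    (2 for a Disabled/Enabled setting)."""
    mode, length = templat[start], templat[start + 1]
    chain = templat[start:start + length]
    (name_id,) = struct.unpack_from("<H", chain, 2)
    info = {"offset": start, "mode": mode, "length": length, "name_id": name_id}
    if mode in PICK_FIELD_MODES:
        words = struct.unpack_from("<%dH" % (n_options + 1), chain,
                                   length - 2 * (n_options + 1))
        info.update(desc_id=struct.unpack_from("<H", chain, 4)[0],
                    token=words[0], option_ids=list(words[1:]))
    return info


def chain_start_for_hit(templat, hit, n_options=2):
    """Walk back from a token hit to a pick-field mode byte whose length puts
    the token right before n_options option IDs; None = false positive."""
    for start in range(hit - 2, max(hit - MAX_CHAIN_WALKBACK, 0) - 1, -1):
        if (templat[start] in PICK_FIELD_MODES
                and start + templat[start + 1] - 2 * (n_options + 1) == hit):
            return start
    return None


def trace_token(templat, strings, token, n_options=2):
    """Default.txt -> STRINGS0.ROM: token -> [(chain offset, name, options)]."""
    out = []
    for hit in find_le16_hits(templat, token):
        start = chain_start_for_hit(templat, hit, n_options)
        if start is not None:
            c = parse_chain(templat, start, n_options)
            out.append((start, resolve_string(strings, c["name_id"]),
                        [resolve_string(strings, o) for o in c["option_ids"]]))
    return out


def find_string_id(strings, text):
    """STRINGS0.ROM -> ID: locate the text, then the table entry holding its
    offset (ASSUMPTION: the offset table precedes the text it points to)."""
    text_off = strings.find(text.encode("ascii") + b"\x00")
    if text_off < 0:
        return None
    return next((h for h in find_le16_hits(strings, text_off) if h < text_off), None)


def trace_string(templat, strings, text, n_options=2):
    """STRINGS0.ROM -> Default.txt: setting name -> [(chain offset, token)]."""
    sid = find_string_id(strings, text)
    if sid is None:
        return []
    return [(h - 2, parse_chain(templat, h - 2, n_options)["token"])
            for h in find_le16_hits(templat, sid)
            if h >= 2 and templat[h - 2] in PICK_FIELD_MODES]


def build_sample_modules():
    """CONSTRUCTED images: the tutorial's bytes and IDs at the offsets it quotes."""
    body = bytearray(0x3000)
    for off, text in {0x2E2E: "VT Feature", 0x2E39: "Disabled", 0x2E42: "Enabled",
                      0x2E4A: "CPU Type", 0x2E53: "(item description)"}.items():
        body[off:off + len(text) + 1] = text.encode("ascii") + b"\x00"
    for sid, off in {0x0342: 0x2E2E, 0x0344: 0x2E53, 0x063E: 0x2E39,
                     0x0640: 0x2E42, 0x0288: 0x2E4A}.items():
        body[sid:sid + 2] = le16(off)
    strings_rom = b"STRPACK-BIOS" + b"\x00" * 12 + b"\x01\x00\x02\x00" + bytes(body)
    templat = bytearray(0x2000)
    templat[0x0100:0x0102] = le16(0x0318)  # decoy: the "first result" false hit
    templat[0x134B:0x135F] = bytes.fromhex("0014420344030A50FF4FE94FF44F18033E064006")
    templat[0x19BD:0x19C9] = bytes.fromhex("110C880200000A6015602160")
    return bytes(templat), strings_rom


if __name__ == "__main__":
    templat, strings_rom = build_sample_modules()
    strings = strip_header(strings_rom)
    for token in parse_default_txt("(0312) [0005]\n(0318) [0000]\n(031B) [0000]\n"):
        print("%04X ->" % token, trace_token(templat, strings, token))
    print(trace_string(templat, strings, "VT Feature"))
```

To run it against a real dump, replace build_sample_modules() with open("TEMPLAT0.ROM", "rb").read() and open("STRINGS0.ROM", "rb").read() (un-edited, since strip_header removes the 28-byte header itself). The n_options argument is the one piece of manual judgement the script cannot remove: a setting with three or more options needs the right count, exactly as the manual method needs you to know where the option IDs begin.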
Tracing NVRAM registers from STRINGS0.ROM to Default.txt
I will be adding this tutorial over the next few days. Please stay tuned for updates.
Future additions to this tutorial:
• A better definition of the NVRAM registers and their use.
I have created a thread dedicated to the finding and documentation of Phoenix NVRAM registers on bios-mods. Here is the link to the NVRAM Register Master List. So far, the list includes VT-x, AHCI, & DEP registers.