[coreboot] Understanding BIOS I/O Adresses

panic lists at xandea.de
Mon Nov 16 01:51:30 CET 2015 

Hi,

out of curiosity, I'd like to reverse engineer - or at least try to
understand a bit more of - the (old/classic/non-EFI) proprietary BIOS of
my HP nc6320 laptop (BIOS dated from 2008).
I'm fairly new to BIOS code and so far it's been a series of great
discoveries and interesting reading for me :-)

I unsoldered the 8Mbit SPI flash from a damaged/broken laptop of the
same type and dumped its contents, and now analyse it with radare2.
At a very early stage (see below) I have some difficulties to understand
what is done:  the code accesses IO locations (via in/out instructions)
that belong to the DMA controller but are marked "Reserved" in the ICH7
documentation [0, page 385].

Is there a way to find out what these addresses are used for?

http://www.coreboot.org/HP_COMPAQ_NC6320
- Processor: Intel Core 2 Duo T7200
- Northbridge: 945GM
- Southbridge: Intel 82801GBM (ICH7-M)

Concerning "reserved" addresses, [0, page 255] says:
"DMI (Direct Media Interface) cycles that go to target ranges that are
marked "Reserved" will not be decoded by the ICH7, and will be passed to
PCI"

In particular I'm interested in 0x80, 0x84/0x85, 0x8c/0x8d.  Since dx
contains CPU type/family information, does the code tell other
components some CPU specifics?

f000:fff0    e9f591       jmp loc.000f91e8
|
v
f000:91e8    fa           cli
f000:91e9    e784         out 0x84, ax
f000:91eb    8bc2         mov ax, dx
f000:91ed    e78c         out 0x8c, ax
f000:91ef    b0b0         mov al, 0xb0
f000:91f1    e680         out 0x80, al
f000:91f3    ba4e05       mov dx, 0x54e
f000:91f6    ee           out dx, al
f000:91f7    e58c         in ax, 0x8c
f000:91f9    8bd0         mov dx, ax
f000:91fb    e584         in ax, 0x84
f000:91fd    bd0392       mov bp, 0x9203
f000:9200    e9b001       jmp loc.000f93b3 ;[1]
|
+->
   ; this function basically follows
   f000:93b3    662e0f011ed. o32 lidt [cs:0x91dc]
   f000:93ba    662e0f0116d. o32 lgdt [cs:0x89d0]
   ;  set PE bit (Protection Enable) in cr0: switch to protected mode
   ... ; init the segment registers
   ;  clear PE bit in cr0: switch to real-address mode
   ;  clear PG bit in cr0: disable paging
   ... ; init the segment registers to another value
   f000:93f6    ffe5         jmp bp
  |
<-+
f000:9203    bd0992       mov bp, 0x9209
f000:9206    e92bf4       jmp fcn.000f8634 ;[2]
|
+->
   ; some other stuff happening
   ; return via jmp bp
  |
<-+
f000:9209    e784         out 0x84, ax
f000:920b    8bc2         mov ax, dx
f000:920d    e78c         out 0x8c, ax
f000:920f    b0b1         mov al, 0xb1
f000:9211    e680         out 0x80, al
f000:9213    ba4e05       mov dx, 0x54e
f000:9216    ee           out dx, al
f000:9217    e58c         in ax, 0x8c
f000:9219    8bd0         mov dx, ax
f000:921b    e584         in ax, 0x84
...


Thanks for any assistance and pointers,
-- panic

[0]
http://www.intel.com/content/dam/doc/datasheet/i-o-controller-hub-7-datasheet.pdf

More information about the coreboot mailing list