[coreboot] ultimate VGABIOS extraction! +NEW working way for AMD laptop's discrete GPU

Mike Banon mikebdp2 at gmail.com
Fri Jul 7 20:03:34 CEST 2017


This page from coreboot's official wiki - [1] - describes 5 ways to
extract VGABIOS. However, all these ways are either unsuitable for AMD
AtomBIOS extraction at all - or do not work for laptop's discrete AMD GPU

*** [1] https://www.coreboot.org/VGA_support#How_to_retrieve_a_good_video_bios

Let's review these 5 methods, and introduce a new method that REALLY works!
(which is described at the end of this article, you can scroll to see it)

1) "RECOMMENDED: Extracting from your vendor bios image"

Probably you remember my message - [2] - about InsydeH20 BIOS dev tools

*** [2] https://mail.coreboot.org/pipermail/coreboot/2017-June/084569.html

Using H20EZE I have extracted a lot of useful stuff from proprietary BIOS
of Lenovo G505S coreboot-supported AMD laptop, most importantly:

* 8 VGABIOS ROMs - 3 of which could be suitable for various G505S versions:
ROMs for HD 8650G integrated graphics and for HD 8570M and R5 M230 discrete

I call these extracted ROMs "clean ROMs", to separate them from "dirty"
ROMs that have been extracted from booted PC after InsydeH20 BIOS startup

So I built coreboot with these 3 "clean" AtomBIOS ROMs, tried to boot and -
- O_O - discovered that laptop's screen backlight is not working! (but the
image is OK) , exactly the same problem as someone had 2 years ago - [3]

*** [3] https://mail.coreboot.org/pipermail/coreboot/2015-April/079632.html

Initially I thought that maybe I have damaged LVDS cable - it has a lot of
really tiny wires inside and is fragile. Luckily, with AtomDis tool [4]-[5]
I have compared the "clean" and "dirty" AtomBIOSes for HD8650G (integrated
GPU of A10-5750M APU, the main GPU at integrated+discrete graphics system),
and have discovered that - compared to "clean" ROM, that "dirty" ROM had
a lot of initialized variables and data structures, including: LVDS_Info,
sLCDTiming, ucLVDS_Misc, ucLCDPanel_SpecialHandlingCap, PowerPlayInfo,
usSpreadSpectrumPercentage

*** [4] https://cgit.freedesktop.org/~mhopf/AtomDis/
*** [5] https://github.com/mikebdp2/AtomDis

That's why laptop's backlight is not working with "clean" HD8650G ROM! I am
even surprised that somehow laptop's screen is showing the (no-lit) picture

Who has initialized this stuff at "dirty" ROM ? InsydeH20 BIOS, of course!
Although AtomBIOS is capable of modifying itself, there are way too many
changes and I am sure that AtomBIOS could not have done it all by itself.
Most likely, it is just InsydeH20 BIOS has patched this ROM during startup

As you see, "clean" AtomBIOS ROMs which I got with "RECOMMENDED" method -
are useless, they are not initialized enough. Should be "NOT RECOMMENDED" !

2) "UEFI Method" - is the same thing as "1)" and doesn't work either

3) "Retrieval via Linux kernel" - works ONLY for HD8650G integrated GPU,
it does not work for discrete! There are a lot of Lenovo G505S versions -
- [6] - which, in addition to HD8650G integrated graphics, have a discrete
second GPU - either HD 8570M or R5 M230; and "3)" way can't get their ROM

*** [6] https://mail.coreboot.org/pipermail/coreboot/2015-April/079643.html

No matter what drivers/kernel version/debug PCI commands I am using, and
no matter how I am enabling/disabling/crossfire'ing integrated and discrete
GPUs, while trying to get a ROM of discrete GPU I am always getting this:

/sys/devices/pci0000\:00/0000\:00\:02.0/0000\:01\:00.0/rom: Input/output error

*** [7] https://superuser.com/questions/1223973/how-fglrx-extracts-vgabios-if-i-get-input-output-error-amd-magic

I have searched through the whole Internet and spammed many forums about
this problem, e.g. [7] but no solution! Meanwhile, AMD's amdcccle utility -
- successfully gets the information about VGABIOS from fglrx kernel driver,
probably through ADL AMD proprietary API calls [8] , but fglrx is closed
source: so without a lengthy reverse-engineering we can't know how it gets
discrete GPU's VGABIOS (contacted AMD but they refused to tell). Also we
can't get this info from AMD's opensource drivers: both radeonsi and AMDGPU
cannot get VGABIOS at this hardware because there are still a lot of bugs
at AMD open source drivers, e.g. 99 bugs at AMDGPU [9] - one of which is
[10] - " *ERROR* Unable to locate a BIOS ROM ", the same bug as I am having

*** [8] https://developer.amd.com/display-library-adl-sdk/
*** [9] https://community.amd.com/message/2808545
*** [10] https://bugs.freedesktop.org/show_bug.cgi?id=101473

4) "Extraction from mapped memory (if everything else fails)" - the same
situation as with "3)": my mapped memory contains "Video ROM", but - only a
ROM for integrated HD8650G graphics, there is no ROM for discrete graphics!

5) "Downloading" - even if we forget about the security concerns, it is
impossible to find the "dirty" ROMs for this laptop's discrete graphics at
the Internet - maybe because nobody could extract them by these known ways?

As you see, from these 5 ways described at coreboot's wiki:

1) / 2) gives all the "clean" ROMs to you, but they are useless
3) - 4) gives you a "dirty" ROM - but ONLY for integrated graphics
5) - no ROMs found

HOW to get a "dirty" properly-initialized ROM for g505s DISCRETE graphics ?

If I can't do it with Linux, I must try to do it with Windows ! This is a
fine approach, because (jumping ahead) two "dirty" ROMs for integrated GPU,
while got at these very different OS, are exactly the same - and there is
most likely the same situation for discrete graphics. So, aside from purely
ethical concerns, it should not matter which OS you are using to extract
(as long as Windows was never connected to the Internet and can't receive
the instructions from evil MS command server to stealthily modify your ROM)

There are a few tools for Windows which can extract VGABIOS but they fail:

* TechPowerUp's GPU-Z - could extract ONLY for integrated graphics
* AIDA64 Engineer Edition - could extract ONLY for integrated graphics
* Ray Adams ATIWinFlash - too old, does not support these new AMD GPUs

But, after a lot of researching, I have finally found this wonderful tool :

" Belkasoft Live RAM Capturer is a tiny free forensic tool that allows to
reliably extract the entire contents of computer’s volatile memory – even
if protected by an active anti-debugging or anti-dumping system "

https://belkasoft.com/ram-capturer

This forensic software, used to investigate the PCs of crime suspects, can
do more than its name claims: instead of just dumping the RAM, indeed it
dumps the whole computer's volatile memory - not just RAM ! My laptop has
exactly 16384 MB of RAM, 0x400000000 bytes, some of which are shared with
discrete GPU - but the dumps created with Belkasoft Live RAM Capturer
are 0x42F000000 bytes, 17136 MB so it dumps much more memory than just RAM

After checking "clean" ROM headers as well as Radeon Control Center's
Information, I learned: GPUs' AtomBIOS versions, build date and part number

=== discrete - HD 8570M
Version - 015.032.000.000 , Date - 06/24/2013 , Part Number - BR44464.011
=== discrete - R5 M230
Version - 015.041.000.000 , Date - 11/28/2013 , Part Number - BR45149.002
=== integrated - HD 8650G
Version - 015.031.000.000 , Date - 01/16/2013 , Part Number - 113-DVST-113

Also I knew the sizes of "dirty" ROMs - same as the sizes of "clean" ROMs:

discrete - R5 M230 - 0x8000 , 32768 bytes
discrete - HD 8570M - 0x8400 , 33792 bytes
integrated - HD 8650G - 0xF200 , 61952 bytes

Then I borrowed a second G505S from my friend with another discrete GPU,
and dumped the whole memory with Live RAM Capturer at this new environment

OS: clean install of Windows 7 Ultimate SP1 x64 without any spying updates
(WiFi card removed before installation, and never connected to the Internet)

RAM: 16 GB, because it affects how much RAM the integrated GPU is getting

Before doing each dump I have shut down a laptop, removed its power
adapter and battery, then tried to turn it on by holding a power button -
to completely discharge its motherboard and clear all the volatile memory.
Even removed the CMOS batteries from both laptops to make completely sure

Made 4 dumps in total:

1) G505S with R5 M230 - dual graphics (crossfire) disabled
2) G505S with R5 M230 - dual graphics (crossfire) enabled
3) G505S with HD 8570M - dual graphics (crossfire) disabled
4) G505S with HD 8570M - dual graphics (crossfire) enabled

After searching these dumps for 113-DVST-113 , BR44464 and BR45149 :
I found all these "dirty" VGABIOS ROMs and successfully extracted them!
(their size is known, and beginning also - just look at "clean" ROMs header)

!!! IMPORTANT !!!

All the working ROMs which I have found - were at the very end of dumps,
in my case, 16GB of RAM installed : they were at 0x42D000000 - 0x42F000000

At the lower memory area, from 0x0 to 0x42D000000 I have found the "ghosts"
of integrated HD 8650G graphics ROM but they are broken! How to determine
if a ROM is broken: 1) it has way too many zeros 2) bad output of AtomDis

=== ROM locations examples for 0x0 - 0x42F000000 dump made while 16GB RAM:

0x000512000 - broken integrated graphics ROM, first "ghost"
0x3250D9020 - broken integrated graphics ROM, second "ghost"
0x3578FB000 - broken integrated graphics ROM, third "ghost"
0x36B22A01C - broken integrated graphics ROM, fourth "ghost"
0x4122BD000 - broken integrated graphics ROM, fifth "ghost"

0x42D3B3000 - working integrated graphics ROM !!!

0x42D305020 - working discrete graphics ROM (first working copy, the same)
0x42E40DCD0 - working discrete graphics ROM (second working copy, the same)

A bit later I will share all my "dirty" properly-initialized ROMs.
Of course now you know how you could obtain them by yourself, but it
is very time consuming to dump and search through >17 GB of memory

Happy hacking!
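
The dump search described in the post, as an added example that is not part of the original message and is not the author's tooling. It looks for the part-number markers quoted above, walks back to the nearest 55 AA option-ROM signature whose length byte (512-byte units, the PCI option ROM convention) matches the ROM size given in the post, and reports the zero fraction and a SHA-256 so "ghost" copies and identical copies can be told apart. MAX_BACK, ZERO_LIMIT and the function names are assumptions, as is the expectation that the in-memory copy keeps the clean ROM's header.

```python
import hashlib
import mmap
import sys

# Part-number markers and ROM sizes quoted in the post.
ROMS = {
    b"113-DVST-113": 0xF200,  # integrated HD 8650G
    b"BR44464": 0x8400,       # discrete HD 8570M
    b"BR45149": 0x8000,       # discrete R5 M230
}
MAX_BACK = 0x400   # assumption: marker lies within 1 KiB after the ROM start
ZERO_LIMIT = 0.5   # assumption: cut-off for "way too many zeros"

def rom_start(buf, pos, size):
    """Nearest 55 AA before pos whose length byte (512-byte units) equals size."""
    lo = max(0, pos - MAX_BACK)
    sig = buf.rfind(b"\x55\xaa", lo, pos)
    while sig != -1:
        if buf[sig + 2] * 512 == size:
            return sig
        sig = buf.rfind(b"\x55\xaa", lo, sig)
    return -1

def find_roms(buf, roms=ROMS):
    """Scan a bytes-like dump; return one dict per candidate ROM image."""
    found = []
    for marker, size in roms.items():
        pos = buf.find(marker)
        while pos != -1:
            start = rom_start(buf, pos, size)
            if start != -1 and start + size <= len(buf):
                image = bytes(buf[start:start + size])
                zeros = image.count(0) / size
                found.append({"marker": marker.decode(), "offset": start,
                              "zero_fraction": zeros, "suspect": zeros > ZERO_LIMIT,
                              "sha256": hashlib.sha256(image).hexdigest(),
                              "image": image})
            pos = buf.find(marker, pos + 1)
    return found

def scan_file(path):
    """Memory-map a large dump so it is never loaded into RAM whole."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        return find_roms(m)

if __name__ == "__main__" and len(sys.argv) > 1:
    for r in scan_file(sys.argv[1]):
        print(f"{r['offset']:#011x} {r['marker']:<13} zeros={r['zero_fraction']:.2f} "
              f"{'BROKEN?' if r['suspect'] else 'ok'} {r['sha256'][:16]}")
```

Candidates not flagged as suspect still need the second check from the post, a sane AtomDis output, before being built into a coreboot image.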


