Gluggakista S�n OEM Ver�laun BIOS Unga f�lki� A�fer� vi� F�kniefnasj�klingur SNEI� Bor� me� Dynamic Minni Heimilisfang

Gluggakista S�n OEM �rvun sprunga a�fer� �urfa a SLP 2.0 ( kerfi Hirsla Preinstallation 2.0) eftirl�tur BIOS motherboard. N�r v�rumerki OEM t�lva koma me� einn, e�a tilbo� ekki- svo- gamall motherboard a BIOS frj�ls uppf�rsla til the einn �essi sty�ja SLP 2.0 me� SNEI� bor� og innsigli Gluggakista Marka�ur (OEM PERS�NUSKILR�KI og Bor� Pers�nuskilr�ki). Ef �� ert using gamall t�lva e�a DIY motherboard, �inn’ ekki �t af heppni ��. K�nverji t�lvusn�pur hafa stj�rna til unga f�lki� the BIOS tilskipta um e�ab�ta vi� � the Snei� (hugb�na�ur Leyfisveitandi Innri Merkjam�l) bor� inn � the ACPI bor�. Hvernig sem, the skipti af �a� sem til er ACPI bor� mega ors�k tap af viss l�gun, � me�an samlagning af SNEI� bor� mega�s�ttanlegur � t�lva me� �l�kur st�r� af minni, eins og BIOS erhar�ur pjatla me� the SLIC’s bor� l�kamlegur minni heimilisfang hver takmarka the unga f�lki� BIOS til the v�l �ess’ been �kv��isor� eini.

Svo, the a�fer� til unga f�lki� BIOS fyrirGluggakista S�n OEM sty�ja me� fyrr nota�ur truflanir SNEI� minni heimilisfang er vafasamur eins og the minni heimilisfang vilja vera breyting hven�r the minni st�r� breyting, og notandi ��rf til breyta the SNEI� heimilisfang �ACPITBL.BIN e�a annars �eir vani’ vera f�r til st�gv�l inn � the kerfi, synja massi hringr�s af the unga f�lki� OEM BIOS. Svona the K�nverji t�lvusn�pur hreinsa the t�kni til leyfa dynamic l�kamlegur minni heimilisfang �thlutun af SNEI� bor� er been nota�ur. Me� dynamic minni �thlutun, l�kamlegur minni st�r� geta vera breyting �n allir sam�ykki af BIOS non- eftirl�tur. Vi� hli�ina �, fyrri a�fer� af f�kniefnasj�klingur SNEI� bor� mega �urfa notandi til glampi BIOS inn � LESMINNI 2 sinnum, fyrstur me� the unga f�lki� BIOS og seinna me� the frumeintak BIOS, � me�an the BIOS me� this hreinsa�ur a�fer� me� dynamic minni heimilisfang skr� �urfa eini einn glampi � .

Verkf�rask�r og utilities �urfa:

MODBIN6
CBROM219
WinHEX
Hiew 7.4 (Hiew32) (eini fyrir Ver�laun BIOS, ef �� hafa Hiew32 �� neitun langl�fi �urfa IDA 5.0)
IDA 5.0
UltraEdit

The kennsla til skapa a unga f�lki� S�n OEM BIOS me� dynamic minni heimilisfang �thlutun h�fileiki er fl�kinn, og m�la me� fyrir s�rfr��ingur eini. Vi� hli�ina �, this hlutur er ��a fr� skjal � K�nverji, svo the n�kv�mni af the ��ing er ekki �byrg�. Ef �� raunverulega vilja til gera �inn BIOS til vera f�r til virkja OEM �tg�fa af Gluggakista S�n, reyna the tilb�inn- unga f�lki� BIOS ( me� truflanir heimilisfang), hugb�na�ur undirsta�a S�n Vistunarforrit OEM BIOS keppinautur, e�a hugb�na�ur undirsta�a OEM BIOS Kappgirni T�l. Annar vins�ll S�n sprunga fela � s�rTimerLock hver � sj�lfvirkan h�tt s�kja umTimerStop b�lstj�ri This einkat�mi er s�nnun af hugtak eini, eins og hvor BIOS er �l�kur, og �ess vegna the gildi e�a st�ga e�a hlutur �kv��isor� mega vera �l�kur.

vi�v�run: Breyting til BIOS mega �gilda �byrg�, ors�k t�lva til �f�r til st�gv�l upp e�a annar �afturkallanlegur �hrif. Hafa samfarir � �inn eiga h�tta �.

Ef �� rf hj�lpa � unga f�lki� BIOS fyrir S�n �rvun, skr� sig �tthis �r��ur.

Skapa a t�mabundinn mappa ( s�n e�a BIOS er �� eins og) � r�t skr� (C:\).
S�kja skr� af fjarl�gri t�lvu CBROM 2.19 ( r��ast af � hvar �� s�kja skr� af fjarl�gri t�lvu, �a� mega ��rf til gefa n�tt nafn the executable til cbrom.exe eins og myndskreyttur � this hlutur), MODBIN6 2.01.01, SLIC.BIN ( nafndagur acpislic.bin hver geta vera margv�slegur, hver er the SNEI� bor� hluti af BIOS) fr� s�kja skr� af fjarl�gri t�lvu hlekkur yfir, og sta�ur �� the t�mabundinn mappa.
�ykkni, �tflutningur e�a spara the XXXXXXXX.BIN ( nafn geta vera breyting, hver er the motherboard BIOS �essi �� vilja til rei�hestur fyrir Gluggakista S�n OEM �rvun). Au�veldlega vegur er til einfaldlega s�kja skr� af fjarl�gri t�lvu the BIOS fastb�na�ur fr� the t�lva e�a motherboards’ framlei�andi svo sem eins og ASUS, G�gab�ti, MSI, Beiskur, HP, Dalverpi, Lenovo og etc.
�kve�a hver BIOS hluti af skr� er the akur af RSDT…FACS sta�greina:
1. �upph�kka�ur stj�rn hvetja (e�agera �vinnuf�ran UAC), tegund the h�pur stu�ningsmanna stj�rn:
  CBROM.EXE XXXXXX.BIN d
  
  �� vilja sj� eitthva� eins og ni�ri skj�r:
  
  CBROM V2.19 (CAward) Hugb�na�ur 2001 Allur R�ttindi Hl�dr�gur.
  
  ******** XXXXXXXX.BIN BIOS hluti********
  
  neitun Atri�i- Nafn Frumeintak- St�r� Sam�jappa�ur- St�r� Frumeintak- Skr�- Nafn
  =====================================================
  0. Kerfi BIOS 20000h128.00K() 13B3Eh78.81K() 83IID318.BIN
  1. XGROUP MERKJAM�L 0DFF0h55.98K() 0993Ch38.31K() awardext.rom
  2. ACPI bor� 043E5h16.97K() 01A46h6.57K() ACPITBL.BIN
  3. EPA NAFNPLATA 0168Ch5.64K() 002AAh0.67K() AwardBmp.bmp
  4. YGROUP LESMINNI 0F570h61.36K() 0482Dh18.04K() awardeyt.rom
  5. H�PUR Lesminni[ 0] 04CD0h19.20K() 02261h8.59K() _EN_CODE.BIN
  6. Other404E0000(:) 03476h13.12K() 00EB4h3.68K() 64N8IIP.BMP
  7. Other404F0000(:) 0345Dh13.09K() 008B9h2.18K() 64N8P4P.BMP
  8. Other40500000(:) 0345Dh13.09K() 008CCh2.20K() 64N8P4HT.BMP
  9. Other40510000(:) 04286h16.63K() 00A7Eh2.62K() 64N8P4E.BMP
  10. Other40520000(:) 04286h16.63K() 00B58h2.84K() 64N8P4HE.BMP
  11. Other40530000(:) 0345Dh13.09K007D9h1.96K()() 64N8ICPD.BMP
  12. PCI Gr�skt n�t�matalm�l[] 0D000h52.00K07DA8h31.41K()() RTM8100.LOM
  
  Alger grisju��fi merkjam�l r�m = 4B000h300.00K()
  Alger sam�jappa�ur merkjam�l st�r� = 31788h197.88K()
  Vera enn grisju��fi merkjam�l r�m = 19878h102.12K()
  
  ** �r- Merkjam�l Uppl�singar**
  Endurn�ja PERS�NUSKILR�KI CPUID | Endurn�ja PERS�NUSKILR�KI CPUID | Endurn�ja PERS�NUSKILR�KI CPUID | Endurn�ja PERS�NUSKILR�KI CPUID
  ——————+——————–+——————–+——————
  PGA478 2E 0F29|
2. � yfir tilfelli, inni XXXXXXX.BIN, there er neitun ggroup.bin ( hvar “RSDTFACPDSDTAPICHPETMCFGFACS” e�a l�kur ACPI matskei� akur er sta�greina), svo RSDT…FACS akur er sta�greina inni the kerfi BIOS b�ti merkjam�l, og til breyta this ��rf til nota MODBIN6. Ef �inn BIOS innihalda ggroup.bin, �� geta nota CBROM til �ykkni og seperate ggroup.bin BIOS hluti eins og skr�.
  Ni�ri er the s�nishorn CBROM framlei�sla af “CBROM.EXE XXXXXX.BIN d” stj�rn fyrir BIOS me� ggruoup.bin ( g�gab�ti GA-G1975X BIOS eins og ford�mi):
  
  neitun Atri�i- Nafn Frumeintak- St�r� Sam�jappa�ur- St�r� Frumeintak-Fi
  ================================================
  0. Kerfi BIOS 20000h128.00K1492Ah82.29KG1975X.BIN()()
  1. XGROUP MERKJAM�L 0F7B0h61.92K0A8E6h42.22Kawardext.rom()()
  2. EPA NAFNPLATA 0168Ch5.64K0030Dh0.76KAwardBmp.bmp()()
  3. H�PUR ROM18[] 00EF0h3.73K00B77h2.87Kggroup.bin()()
  4. YGROUP LESMINNI 07140h28.31K04D7Ch19.37Kawardeyt.rom()()
  5. FNT1 LESMINNI 02D28h11.29K02038h8.05Kfont1.awd()()
  6. FNT2 LESMINNI 03278h12.62K01F18h7.77Kfont2.awd()()
  7. FNT3 LESMINNI 025FCh9.50K017FBh6.00Kfont3.awd()()
  8. H�PUR Lesminni[ 0] 06010h24.02K02787h9.88K_EN_CODE.BIN()()
  9. H�PUR Lesminni[ 1] 06510h25.27K02A1Fh10.53K_FR_CODE.BIN()()
  10. H�PUR Lesminni[ 3] 06420h25.03K02A75h10.61K_GR_CODE.BIN()()
  11. H�PUR Lesminni[ 4] 068D0h26.20K02A74h10.61K_SP_CODE.BIN()()
  12. H�PUR Lesminni[ 8] 04EF0h19.73K02575h9.36K_B5_CODE.BIN()()
  13. H�PUR ROM10[] 04F60h19.84K025E9h9.48K_GB_CODE.BIN()()
  14. H�PUR ROM11[] 05E50h23.58K02A85h10.63K_JP_CODE.BIN()()
  15. PCI Gr�skt n�t�matalm�l[] 0F200h60.50K09594h37.39KICH7RAID.BIN()()
  16. PCI ROMB[] 10000h64.00K09A15h38.52Kb169d.pxe()()
  17. Nafnplata LESMINNI 00B64h2.85K00520h1.28Kdbios.bmp()()
  18. PCI ROMC[] 04000h16.00K02287h8.63KITE8212.ROM()()
  19. Other40670000(:) 01AADh6.67K00B75h2.86KPPMINIT.ROM()()
  20. OEM0 MERKJAM�L 025B3h9.42K01B37h6.80Kdbf.bin()()
  21. H�PUR ROM24[] 00132h0.30K0011Eh0.28KSPECIAL.FNT()()
  22. ACPI bor� 09640h37.56K0352Ch13.29KASUSACPI.BIN()()
  
  Alger grisju��fi merkjam�l r�m = 67000h412.00K()
  Alger sam�jappa�ur merkjam�l st�r� = 57613h349.52K()
  Vera enn grisju��fi merkjam�l r�m = 0F9EDh62.48K()
  
  ** �r- Merkjam�l Uppl�singar**
  Endurn�ja PERS�NUSKILR�KI CPUID | Endurn�ja PERS�NUSKILR�KI CPUID | Endurn�ja PERS�NUSKILR�KI CPUID | Upd
  ——————+——————–+——————–+—–
  Rifa 0A 0F32| PGA423 2C 0F25| 00000000 00000000 0000
  00000000 00000000 0000 0000| 00000000 00000000 0000
  00000000 00000000 0000 0000| 00000000 00000000 0000
  00000000 00000000 0000 0000| 00000000 00000000 0000
  00000000 00000000 0000 0000| 00000000 00000000 0000
  00000000 00000000 0000 0000|

Fylgja the ni�ri kennsla til breyta ACPITBL.BIN:

Hlaupa UltraEdit og opinn ACPITBL.BIN BIOS �mynd skr�.
Leita texti fyrir RSDT.
� bak vi� RSDT er the b�ti �essi benda � the lengd af RSDT bor�. B�ta vi� 4 til this tala � �L�G sni�. Fyrir ford�mi, ef the gildi benda � er 002C, breyta og ritst�ra the gildi til ver�a 0030. Minnispunktur �essi the andst��a r�� af par hven�r keying � UltraEdit �l�g ritstj�ri (i.e. koma inn � eins og 30 00 � sta�inn af 00 30).
B�ta inn � ( ekki skipta um) vi�b�tar- 4 b�ti af 00 gildi eftir � the frumeintak lengd (002C) af RSDT bor� ( venjulega � andlit af FACPt, e�a FXCPt fyrir viss G�gab�ti mobo). �� geta eftirl�king og kl�stur the 4 b�ti af 00 fr� annar sta�setning til this sta�setning. This sm�breyting og breyting er til afla r�m til birg�ir the SNEI� bor� � framt�� st�ga, svo muna this heimilisfang ( fyrir this fylgja, assume this sta�setning er SLICaddress). � this ford�mi, SLICaddress gildi er 002C.

��ur sm�breyting af ACPITBL.BIN � UltraEdit

Eftir � sm�breyting af ACPITBL.BIN � UltraEdit til �thluta r�m fyrir SNEI� bor�.
St��va the alger lengd af ACPITBL.BIN ef the lengd geta vera a�greindur � fullur vi� 4. Ef ekki, b�ta vi� 1 til 3 b�ti af 00 � the endir af the BIOS �mynd skr� svo �essi the lengd geta vera a�greindur vi� 4 �n allir afgangur. This er til tryggja �essi eftir � merging me� SLIC.BIN �mynd skr�, the s��uhaus heimilisfang af SNEI� bor� geta vera a�greindur vi� 4 �n afgangur of.

St��va ef the lengd af ACPITBL.BIN (the s��astur heimilisfang af the skr� + 1) geta vera a�greindur vi� 4 �n afgangur. � this ford�mi, ��ur this st�ga sm�breyting, the s��astur b�ti hefur �L�G heimilisfang af 43E8, svo the lengd af the skr� er 43E9, geta ekki vera a�greindur vi� 4 � full without remainder.

After 4 division check modification, added 3 00 value bytes.
Modify OEM_ID and OEM_Table_ID according to your requirements (normally _ASUS_ and Notebook). Refer to improved add SLIC table instruction at step 8 of part 2 for more information.
Save the file.
Execute the following command to merge and patch the SLIC table content with the modified ACPITBL.BIN to get the final working copy of ACPITBL.BIN:
COPY ACPITBL.BIN B + SLIC.BIN B ACPI.BIN B

Note: According to your requirement, use the correct ACPI.BIN, i.e. ASUS for ASUS OEM ID, Lenovo for Lenovo OEM ID and etc.

Follow the below steps to find the position of the space that temporarily store the value of the address of headers of every tables in the code of ORIGINAL.BIN or ggroup.bin. This address will be assumed as TempBuffer_Address:

Run Ultract to open ORIGINAL.BIN or ggroup.bin.
Execute IDA.
Click on Go to enter IDA. Then select and open ORIGINAL.BIN file.
In the “Load a new file” dialog box, under the section of “Processor type”, pull down the menu and select “Intel 80×86 processors:80686p”.
After selected, hit the “Set” button to the right.
Click on “OK” button, and then hit on “Yes” button when asked to confirm “Do you want to change the processor type to 80686p?”
In dialog box asked to confirm “Do you want to disassemble it as a 32-bit code?”, press on “No” button as manipulation will be done in 16-bit mode.
In the Strings Window to the right, find and locate the RSDT…FACS character string sequence, and double click on it.
Position the cursor at the location of the R character. Then press “A” key, and then RSDT…FACS character string will be displayed. This text sequence of RSDT…FACS will be called ACPItables.

Positioning cursor at the line of R.

After pressing A key.
Position the cursor after the RSDT…FACS string ACPItables (db 1EH).

Press the “C” key. A block of Assembly code will be displayed.
But there is remaining code that hasn’t been disassembled into Assembly code. So position the cursor at the first remained assembled code. In this case, it’s line of unk_CC49 after the RSDT…FACS string ACPItables provided by db 1Eh. Then press the “C” key to convert and disassemble the remaining BIOS byte code.
Move the cursor across the lines of the following “CALL” block.
Watch out for the “CALL” line that can pop up code like below:
push eax
push cx
push ebp
xor ebp, ebp
mov cx, TABLE_Numbers (temporarily use TABLE _Numbers to represent a value)
mov edi, eax

In this example, it’s the line of “call sub_CCD4″.
Double click on sub_CCD4 to go to the code section of sub_CCD4. If the current display mode is in graphic, right click and select “TEXT View” on the context menu to switch to text mode.
Inside this block of code, retrieve the 3 important variables TABLE_Numbers，ACPItables_adress，TempBuffer_Adress，and record their value. In this example, the value of the variables are 4， CC20， 89C4 respectively, where addresses are approximately located at CCDC，CCE2， CD12 respectively.
Use the value of TempBuffer_Adress (89C4 from step above) to match with each table in RSDT…FACS text string, with increment of 4 after each table (matching table). For example:
89C4 RSDT
89C8 FACP
89CC DSDT
89D0 APIC
89D4 FACS
89D8
89DC

The previous block of code duplicates the required tables in ACPITBL BIOS image according to RSDT…FACS string into a free memory address, and store these value of addresses in space specified by TempBuffer_Address, and then eventually fill these addresses into some specific tables. So during this process, the storing address value of TempBuffer_Address has to be ensure that cannot and is not changing, or else mod BIOS will fail.
Switch to UltraEdit, and press Ctrl-F keyboard shortcut to search for D889 (i.e 89D8 value, the value of the memory space location after FACS, where it’s a reverse with low byte in front and high byte behind). Pay attention to a few location (82D4, CC91) that lower than FFFF. Most likely you will find it at a few location. If you cannot find any D889 (stored value of 89D8), then you can use directly the address (89D8) located behind the address used to store FACS (89D4). Which mean SLIC table will be appended immediately behind FACS, with string become something like RSDT…FACSSLIC, and can do so by find a location to put this string (move forward 4 bytes or use new location).
However, if you located code like the following near the location of CC91 in IDA, which mean the section of code is used right after “call sub_CCD4″, and use up the memory address of 89D8.

seg000:CC80 sub_CC80 proc near ; CODE XREF: seg000:CC52p
seg000:CC80 push ds
seg000:CC81 mov ax, 0F000h
seg000:CC84 mov ds, ax
seg000:CC86 assume ds:nothing
seg000:CC86 add edi, 10h
seg000:CC8A and di, 0FFF0h
seg000:CC8D mov large ds:89D8h, edi
seg000:CC95 pop ds
seg000:CC96 assume ds:nothing
seg000:CC96 retn
seg000:CC96 sub_CC80 endp

In this case, use UltraEdit to search for next available address from step above (DC89 for 89DC). If nothing is found, this memory address location can be used to put SLIC table. The problem with this memory address allocation is that there is a skip address or space (89D8) between FACS and SLIC tables. To fix this issue, add the text string of FACSSLIC instead of just SLIC, as FACS table is small and won’t use too much memory.
After modification, you will have the ACPI table index string as either RSDT…FACSSLIC or RSDT…FACSFACSSLIC. To accomodate the first instance of string, the whole string can be move forward (to the front) by 4 bytes as mentioned above. Otherwise, a new location has to be identified to store the new text string. But in the later case where 8 bytes have been added, so we need to find a new location for this longer string. In this example BIOS, there is 11 empty bytes (00) in front of the ACPItables_address (located at CC20). This empty bytes should be unused, beside, in UltraEdit, there is no code that uses the CC18 or CC1C two address locations. So, the new string can be put forward to location with starting address as CC18.

Moving RSDT string forward 8 bytes to accommodate new 8 bytes SLIC table.
Now the anchor address of the RSDT…SLIC string has been moved, and the initial bit address of the string has to be made known to the system. Search in UltraEdit for “20CC” (the original address), you will find it at CCE2 address as found out from step above. Change the 20 to 18 to make it “18CC” (address always reverse when indicate) to indicate the new starting address.

After changing 20 to 18 to indicate new location address.
Since the RSDT string has been moved, the location of FACS table has also moved too (refer to figures above). The original address of FACS table is CC30 while new address is CC28 or CC2C. And, in the rest of the code, the address is been used. So the address of FACS has to be modified too.

The value for the original address is address of ACPItables_address (CC20) + 10 which equals to CC30. In UltraEdit, search for 30CC, which should be found at around reference location of CD35. Change the 30CC to 28CC (for CC28) or 2CCC (for CC2C).
Next, SLIC table has to be added to the address that is been reserved for it in RSDT tables string in ACPI.BIN.

seg000:CD74
seg000:CD74 sub_CD74 proc near ; CODE XREF: seg000:CC5Bp
seg000:CD74 push edi
seg000:CD76 push esi
seg000:CD78 mov esi, 0F0000h
seg000:CD7E mov eax, [esi+89C4h]; Fill RSDT address to RSDT Ptr
seg000:CD86 or eax, eax
seg000:CD89 jz loc_CE32
seg000:CD8D mov [esi+89C0h], eax ; RSDT Ptr
seg000:CD95 mov eax, [esi+89CCh]; Fill DSDT address to FACP
seg000:CD9D or eax, eax
seg000:CDA0 jz loc_CE32
seg000:CDA4 mov edi, [esi+89C8h]; FACP
seg000:CDAC mov es:[edi+28h], eax
seg000:CDB2 mov eax, [esi+89D4h]; Fill FACS address to FACP
seg000:CDBA or eax, eax
seg000:CDBD jz loc_CE32
seg000:CDC1 mov edi, [esi+89C8h] ; FACP
seg000:CDC9 mov es:[edi+24h], eax
seg000:CDCF mov eax, [esi+89C8h]; Fill FACP address to RSDT+24
seg000:CDD7 or eax, eax
seg000:CDDA jz loc_CE32
seg000:CDDE mov edi, [esi+89C4h] ; RSDT
seg000:CDE6 mov es:[edi+24h], eax
seg000:CDEC cmp byte ptr [bp+1BFh], 7
seg000:CDF1 jnz short loc_CDFE
seg000:CDF3 test dword ptr [bp+1C6h], 200h
seg000:CDFC jz short loc_CE2F
seg000:CDFE
seg000:CDFE loc_CDFE: ; CODE XREF: sub_CD74+7Dj
seg000:CDFE test byte ptr [bp+2EBh], 4
seg000:CE03 jz loc_CE2F
seg000:CE07 mov eax, [esi+89D0h] ; Fill ACPI address to RSDT+28
seg000:CE0F or eax, eax
seg000:CE12 jz short loc_CE2F
seg000:CE14 mov edi, [esi+89C4h]
seg000:CE1C mov es:[edi+28h], eax
seg000:CE22 mov edi, eax
seg000:CE25 push es
seg000:CE26 call sub_B4BB
seg000:CE29 pop es
seg000:CE2A jb short loc_CE2F
seg000:CE2C call sub_5077

From the matching table that matches the ACPI tables to respective memory address made in step above, use it to match against the code above. Here, none of the code representing process to fill the data value of 89DC address to RSDT table, so the following code needs to be added:

mov eax, [esi+89DCh] ； 8 bytes
mov edi, [esi+89C4h] ；8 bytes
mov es:[edi+2Ch], eax; 6 bytes, the value of the length of the ACPI tables (SLICaddress which is 2C).

Addition of these code cannot affect the the rest of the functions’ address, so a few not critical code has to be deleted to free up some space.

In the above code, after every mov eax, [esi+？？？？h], it’s followed by the block of code as below:

or eax, eax ； 3 bytes
jz short loc_CE2F ；2 bytes

These are verification bits which is precaution method to prevent collapse or fault of system. However, after analysis, there is pair of verification bits that can be removed after reorganization of RSDT table. Thus, remove the data verification parts of RSDT table which is located as below:

seg000:CDD7 or eax, eax ； 3 bytes
seg000:CDDA jz loc_CE32 ；2 bytes

and

seg000:CE0F or eax, eax ； 3 bytes
seg000:CE12 jz short loc_CE2F ；2 bytes

After doing this, only 10 bytes of space is freed up, but the mod requires 22 bytes. In the code above, whenever it fills up the code for RSDT table, it will execute this command:

mov edi, [esi+89C4h] ； 8 bytes

But, it does not alter the value of the register or variable when twice it executes the process to fill in the RSDT table. So this command can be executed only once. In fact, if the new code is placed here, this command for the new code can be skipped too. With this adjustment, there will be enough blank space been emptied. Extra space can then be filled up with blank command (90 and nop). The final code will look like this:

seg000:CDCF
mov eax, [esi+89C8h]; fill up FACP address to RSDT+24
mov edi, [esi+89C4h] ; RSDT
mov es:[edi+24h], eax
mov eax, [esi+89DCh]
mov es:[edi+2Ch], eax
nop
nop
nop
nop
cmp byte ptr [bp+1BFh], 7
jnz short loc_CDFE
test dword ptr [bp+1C6h], 200h
jz short loc_CE2F
test byte ptr [bp+2EBh], 4
jz loc_CE2F
mov eax, [esi+89D0h] ; fill up ACPI address to RSDT+28
seg000:CE22 mov es:[edi+28h], eax the address for this command cannot be changed.

The address location of the code that will be deleted and inserted has to be remembered:

seg000:CDD7 or eax, eax ； 3 bytes
seg000:CDDA jz loc_CE32 ；2 bytes
5 bytes starting from CDD7

seg000:CE0F or eax, eax ； 3 bytes
seg000:CE12 jz short loc_CE2F ；2 bytes
seg000:CE14 mov edi, [esi+89C4h]
5+8 bytes staring from CE0F

seg000:CDEC cmp byte ptr [bp+1BFh], 7
Original location of CDEC to insert all needed code here
The mod process is done, now go back to UltraEdit for last step address modification. This step is best done from bottom up to prevent the code below been jumbled when replacing the front part.

Firstly, remove 13 bytes starting from CE0F.

Then insert any 4 bytes of random data at the CDEC, then change the value to 4 90 (90h=nop).

Copy the code at CDE6 to CDEB, and paste it to address starting from CDEC to reflect the command used: mov es:[edi+2Ch], eax

Copy the code at CDCF to CDD6, and paste it to address starting from CDEC to reflect the command used: mov eax, [esi+89DCh]

Lastly, remove 5 bytes starting from CDD7.
Save the code.
Verify that the modification of code is correct by using IDA to check if the modified code is correct. If yes, repack the code into the BIOS file.

Disclaimer: This article is for informational and educational purpose only.

IMPORTANT: This is a machine translated page which is provided "as is" without warranty. Machine translation may be difficult to understand. Please refer to original English article whenever possible.

Share and contribute or get technical support and help at My Digital Life Forums.

This entry was posted on Monday, March 12th, 2007 at 12:44 pm and is filed under Windows Vista. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

37 Responses to “Windows Vista OEM Award BIOS Mod Method by Adding SLIC Table with Dynamic Memory Address”

Pages: [2] 1 » Show All

Móci
December 30th, 2007 04:08
37

Yo!
Anyone can mod the Asus 1011_013 beta K8N4-E Deluxe bios?
I have a Turion ML-42 cpu, but i don’t manage the voltage control in my current bios. I can down the voltage, but up is not working…

Thank you for your time!
Johan
April 17th, 2007 01:30
36

Step 16. Excuse me? what does that text even say? I have read it many times now, and I am no closer to understand what you should achieve at that step. It probably is the most dubious piece of english text I have ever read

Should I duplicate the strings at the address gained from Tempbuffer_address, counting +4 each step?
sixcentgeorge_fr
April 10th, 2007 19:41
35

Got it : step 22 ;]
ida is to be used with original.bin , ida serves to find the code in the file . when done you have to read the address locations : ce0f , cdd7 ….
with ultraedit you go to ce0f , cdd7 …to apply the changes , the 2 locations i talk about are used to remove code or eax,eax….

nearly done 8]
sixcentgeorge_fr
April 10th, 2007 09:29
34

step 15
first variable : 4 does not it need to be increased by 1 to 5 ?
and so it is to be used in step 16 if value is 5 in bios : 89dc

step 17
file to open in UltraEdit is original.bin [or acpitbl.bin] ? that could be said instead of “shooow sweeeet” keyboard shortcut 8-P

step22
what to do the file acpitbl.bin with ida to write code a this place here i am out of knowing what to do ;[

vista is far to be free for me 8]
obi2001
April 9th, 2007 21:31
33

hello
Can anyone mod an Asus k8ne deluxe bios 1011 ?
sixcentgeorge_fr
April 9th, 2007 18:46
32

i “made it” for asus k8n4-e deluxe , i have not tested yet , i submit the bios in here .
i made the archive with original bios and moded one .
the original is updated with latest pci_bios roms for nvraid nvpxe and sata_raid sil_3114 .
http:/rapidshare.com/files/25065364/k8n4ed_slic.zip.html/

tell me if i did it well
sixcentgeorge_fr
April 9th, 2007 09:29
31

the step 10 is not so clean :
10 Position the cursor after the RSDT…FACS string ACPItables (db 1EH).
here is CC20 so no calc [step 15 ] ?

89D8 : if the address is not a “problem” to what step jump ?

ps : is there a topic like this for installing vista on a fat32 , i know it can be be done after install on ntfs to format fat32 and copy the backup .
nice “chinese” work ;]
Ryan
March 23rd, 2007 05:56
30

can someone please post a step-by-step (of this document at step 22)
fbifido
March 22nd, 2007 11:38
29

Hi,

I am stuck at step 22 & 23.

is step 22 for information, or is there a way to remove seg000:CDD7,CDDA,CE0F & CE12 in IDA?

how do i type in the assemble code script at seg000:CDCF

Or do we delete the codes and type new one using winhex or ultraedit.

I use winhex for all my editing.
viama
March 21st, 2007 18:19
28

Modded BIOS for MSI K8N SLI-F anyone?
Agnoia
March 16th, 2007 03:48
27

Tools to open:
Award: modbin
AMI: mmtool, amimmwin
Phoenix: Phoenix Bios editor
smile
March 16th, 2007 01:59
26

I ask again, how to work with AMI or phoenix BIOS?

What tools to use modbin6 does not work even if I rename files to *.bin

Pages: [2] 1 » Show All

Search

Custom Search

New Articles

Incoming Search Terms for the Article

vista bios - slic (v2) - slic v2 - vista oem - SLIC - vista bios mod - slic bios - BIOS supports slic (v2) - Bios SLIC - SLIC bios mod - bios vista - Vista SLIC - bios mod - vista oem bios - oem bios - mod bios - oem bios mod - modded bios - adding slic table to bios - SLIC modded bios - editing BIOS ACPI_SLIC info - award slic - add slic to bios - bios mod vista - modify bios slic - award bios slic - vista slic bios - award bios editor - all - Bios slic v2 - add SLIC - bios oem - award bios mod - award bios vista - pc BIOS supports slic (v2) - vista - BIOS Supports slic - vista oem bios mod - slic v2 bios - not compressed award binary code - modify bios vista - CBROM 2.19 - bios - oem bios mods - oem vista - slic table - award bios - modify bios - slic bios mods - bios slic (v2) - award bios SLIC - award bios vista mod - phoenix bios modding - Bios Modding vista - ggroup.bin - windows vista oem bios - slic vista - add slic award bios - P31 SLIC Modded BIOS - AMI BIOS - "Oem bios mod" - adding slic table - oem - slic mod - bios mod slic - adding slic to bios - modded bios vista - cbrom slic - PC BIOS Supports slic - phoenix bios slic - Award Bios slp downloads - vista modded bios - bios slic table - MSI K8N oem vista activation mod - windows vista oem -

Minn Stafr�nn L�f

Gluggakista S�n OEM Ver�laun BIOS Unga f�lki� A�fer� vi� F�kniefnasj�klingur SNEI� Bor� me� Dynamic Minni Heimilisfang

Related Articles

37 Responses to “Windows Vista OEM Award BIOS Mod Method by Adding SLIC Table with Dynamic Memory Address”

Leave a Reply

Search

New Articles

Incoming Search Terms for the Article

Home

Subscriptions

Machine Translation

Categories

Recent Comments:

Meta