[REQUEST] HP Insyde Bios EM64T

Nope, I got nothing yet.

Hi,
Recently I examined an old SNB laptop with a Phoenix Tiano Secure Core BIOS and noticed it has more setup files for IFR to work with. So if I were you, I would try searching more with UEFITool for more setup outputs and try IFR on them.
In case you don’t find the right variable for the 64 setting, IDA is a good tool for searching for MSR entries.
Further, you should probably search the Intel developer manual volume 4 for any kind of 64-bit appearances, in order to find the right MSR. (I didn’t search for 0x122 yet.)
As far as EFER is concerned, I wouldn’t touch it; it has something to do with long and real mode transitions.
Do you use RWEverything? I can only recommend it to you.
I find your topic interesting, so I’ll take your BIOS dump into IDA and read about 0x122, which is a good start I think.
GitHub is a good site for searching code; here is the link for searching (you will probably have to register there):
https://github.com/search?q=Patch+0xCE+MSR&type=Code
Edit: I looked it up in IDA, and those two modules are probably the only ones related to 0x122.
I am kind of confused: I searched for mov ecx (B9) or push (68), but your BIOS handles it differently, with esi (BE).
From your last link, the guy is saying you need the patch module ucode update from Asus, which could mean you need to cross-flash the Asus module to your HP, or maybe extract the old Asus ucode, patch it and then flash.

Sorry for my bad English
Dan

@DaCou I use Cutter, made from radare2. Its advanced analysis mode (aaa) with all options enabled got me up to this. You could try it for this BIOS. Now as for your suggestions, I tried with the Setup Utility IFR from the beginning of my digging into this firmware and found very unique things like VT-x and stuff like that, but nothing like EM64T or Long Mode or etc. I researched a couple of BIOS binaries with 32-bit lockdowns and see that all the 32-bit locked ones have this 0x122. The ones with 64 bit don’t have this part, like the BIOS of the ASUS 1225C. I could find the entries that locked 32 bit on an AOPEN DE3100 in the bios mods forum. It also pushed 0x122 with mov edi, 0x122. But the values pushed on the stack were clearly defined (3). In my BIOS, it is first 2 instead of 3 and then 1 instead of 3. Here is the Insyde nutshell for the 0x122 part (AOPEN DE3100) (this is not from my BIOS. I just found this in my research on 32-bit locked and 64-bit unlocked BIOSes):
0x001be69b and esi, 0xfffffff0 ; 4294967280
0x001be69e cmp esi, 0x30660
0x001be6a4 jne 0x1be6c6
0x001be6a6 cmp byte [var_1h], bl
0x001be6a9 je 0x1be6df
0x001be6ab mov esi, 0x122
0x001be6b0 push esi
0x001be6b1 call fcn.001c0821
0x001be6b6 or edx, ebx
0x001be6b8 push edx
0x001be6b9 or eax, 3 ; <- see this?
0x001be6bc push eax
0x001be6bd push esi
0x001be6be call fcn.001c0828
0x001be6c3 add esp, 0x10

And this:-
0x001bf2ef and eax, 0xfffffff0 ; 4294967280
0x001bf2f2 cmp eax, 0x30660
0x001bf2f7 jne 0x1bf314
0x001bf2f9 mov edi, 0x122
0x001bf2fe push edi
0x001bf2ff call fcn.001c0821
0x001bf304 or edx, esi
0x001bf306 push edx
0x001bf307 or eax, 3 ; <- see this?
0x001bf30a push eax
0x001bf30b push edi
0x001bf30c call fcn.001c0828
0x001bf311 add esp, 0x10

Basically it writes 3 to edi, or just the msr 0x122…

I checked fcn.001c0828 and saw it is actually wrmsr (with some fixations), so I think this is the place. But in my own case the values are different. In the first part, 2 is written, and then it is 1. But in Linux, rdmsr 0x122 gives 3 for 32-bit locked netbooks. It’s just like I can’t help myself.

Hi,
If they unlocked 64 bit with the 0x122 patching procedure, then this is only an issue of code reading and patching.
I noticed x86 assembly uses at least four ways of setting bits.
(I am a noob)
In your case it’s most probably not setting the whole value of the MSR (3) but just the value of one bit in the register, at least from my understanding.
It is only a matter of studying which bit(s) of 0x122 need to be set or unset for the x64 unlock, and then trying to understand the BIOS logic around it.
I have to go to sleep, it is deep night here (EU). I’ll look at this code more closely tomorrow; also I don’t have a clue what EM64T is yet…
I looked at your setup module; there are some ACPI settings, maybe you should try the ACPI 3 variable setting in grub, just to be sure.
P.S. I also found the wrmsr entry in your two modules, so if patching bits won’t work, you can always try patching 0x0F 0x30 (wrmsr) to 0x90 0x90 (nop).
Fortunately those modules are probably setting just 0x122, so there is no consequence for the other MSRs.
I can’t open a few of your links, or they are empty, so I can’t see the other methods…
Dan
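
The byte search discussed in the posts above (loads of 0x122 via B9, BE or 68, and the 0F 30 wrmsr opcode inside the called helper), as an added example that is not part of the original thread. It extends the search to all eight mov r32, imm32 opcodes; the sample bytes and both helper functions are constructed for illustration and are not taken from any BIOS module.

```python
import struct

IMM = struct.pack("<I", 0x122)  # imm32 operand bytes: 22 01 00 00
# Opcodes that carry a 32-bit immediate: mov r32, imm32 (B8..BF) and push imm32 (68)
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
LOADS = {0xB8 + i: "mov " + r for i, r in enumerate(REGS)}
LOADS[0x68] = "push"
MSR_OPS = {b"\x0f\x30": "wrmsr", b"\x0f\x32": "rdmsr"}

def call_targets(blob, start, window):
    """Yield (call_offset, target) for E8 rel32 bytes in the window.
    Byte scan, not a disassembler: a stray E8 inside an operand can match."""
    for off in range(start, min(start + window, len(blob) - 4)):
        if blob[off] == 0xE8:
            target = off + 5 + struct.unpack_from("<i", blob, off + 1)[0]
            if 0 <= target < len(blob):
                yield off, target

def msr_op_at(blob, target, depth=24):
    """Name the first rdmsr/wrmsr opcode within `depth` bytes of a call target."""
    body = blob[target:target + depth]
    hits = [(body.find(op), name) for op, name in MSR_OPS.items() if op in body]
    return min(hits)[1] if hits else None

def find_msr_sites(blob, window=32):
    """List each load of 0x122 and the nearby calls that reach rdmsr/wrmsr."""
    sites, pos = [], blob.find(IMM)
    while pos != -1:
        if pos > 0 and blob[pos - 1] in LOADS:
            calls = [(c, msr_op_at(blob, t)) for c, t in call_targets(blob, pos + 4, window)]
            sites.append({"offset": pos - 1, "load": LOADS[blob[pos - 1]],
                          "calls": [(c, op) for c, op in calls if op]})
        pos = blob.find(IMM, pos + 1)
    return sites

# Constructed sample (not bytes from any real BIOS) laid out like the second
# listing in the thread, followed by two hypothetical MSR helper functions.
SAMPLE = bytes.fromhex(
    "83e0f0" "3d60060300" "751b"      # and eax,-16 / cmp eax,0x30660 / jne
    "bf22010000" "57" "e811000000"    # mov edi,0x122 / push edi / call rd helper
    "0bd6" "52" "83c803" "50" "57"    # or edx,esi / push edx / or eax,3 / push eax / push edi
    "e80b000000" "83c410" "c3"        # call wr helper / add esp,0x10 / ret
    "8b4c2404" "0f32" "c3"            # rd helper: mov ecx,[esp+4] / rdmsr / ret
    "8b4c2404" "8b442408" "8b54240c" "0f30" "c3")  # wr helper ends in wrmsr / ret

if __name__ == "__main__":
    for site in find_msr_sites(SAMPLE):
        print(hex(site["offset"]), site["load"], site["calls"])
```

On an extracted module body, read the file into `bytes` and pass it to `find_msr_sites`; the reported offsets are file offsets, not the addresses radare2 or IDA show after rebasing.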

@DaCou No, I could find only one BIOS with the 0x122 unlock method; all the other requests like this, e.g. for the HP Mini 210, or Toshiba etc., on the internet are ignored. And the piece of code I shared was also found by me in another BIOS binary with the same sufferings (that person was ignored too). Everybody seems to ignore this type of request in the forums… The thing is, I took every 32-bit locked BIOS and looked into it in radare2 (I did the same in IDA Pro). All the 32-bit locked BIOSes had the 0x122 setup. But I also tried with some unlocked 64-bit BIOSes for the same CPU, like the ASUS 1225C or a Jetway NF9D, and they didn’t have this whole 0x122 part in the BIOS. (By researching, I actually meant I looked into them in radare2… my IDA free trial is over and radare2 is just as good.)

Okay, so please let me know how this one lucky case went, or give me the link…
I need to know if the number 3 is actually a good or bad value.
From looking at Intel manual 4, at first look it wasn’t very clear to me what this 122 is actually doing, so I have to look on Git for this piece of code.
BTW this guy Walmare shared some GUI which your BIOS includes with some kind of checksum or what. I mean he cross-flashed the Asus module to your HP.

@DaCou Nope. My BIOS is unmodified. That guy Walmare was talking about some other HP Mini (210), and of course not mine. He was talking about the microcode module update or something… from ASUS, but the ASUS 1225C has the same microcode as my older version of the BIOS (F.02) has. And still it doesn’t work. And which link did you ask for, or the lucky case? The MSR 0x122? That link is already posted on page 1, I think. I think I didn’t quite understand what you meant, sorry. I also don’t understand how this 0x122 is related to the 64-bit lock. Though there is some info about it in the Intel manual volume 3b (or c?), which has RTM (what?), HLE (Hardware lock elision, but what does it do actually?) and a reserved bit 63:2.


But, comparing locked and unlocked BIOS binaries, the only difference I could find is the application of 0x122 in the locked ones. So what xenon did on the ASUS 1025C (the only unlocked BIOS with code) by nopping out the 0x122 part kinda makes sense, but how?

Hi,
Yes, I meant and asked exactly for the 122 unlock (lucky case), so I’ll have to look closer at what xenon has done. I can’t open the link, if I remember.
The NOPing procedure is quite simple: you navigate in IDA or radare to the part of the code you want to NOP, then click on its hex result to identify the part you want to NOP in hex, modify it to NOPs (for example 0x90 0x90) separately in a hex editor, and save the modified module.
In UEFITool navigate to replace body as is, so replacing the old module with the modified module, save the modified BIOS image, and then flash and cross your fingers.
Did you find the BIOS chip on the board in case something goes wrong?
You should learn Flashrom quickly, as you are a Linux user.
I will think and read about it in the evening, and
I hope I can give you some hints.
BTW what happens if you try to write some value to 122, is it read-only?
D.

@DaCou Here’s the link, he explained with code what to do, but not what the MSR does.

If you can’t see the page I’ll download the page and send it to you here.
https://www.bios-mods.com/forum/Thread-R…pc-1025C?page=2
Here are the BIOS files for more digging.
https://drive.google.com/file/d/1DBplefg…iew?usp=sharing (Original ASUS BIOS)
https://drive.google.com/file/d/1Wdl756A…iew?usp=sharing (modified by Xenon)
This is my firmware dump, you should start looking from here (forget about the previous files).
https://drive.google.com/file/d/1HQcWmhH…iew?usp=sharing (HP F.08)

As you asked before, EM64T=Intel Extended Memory 64 Technology.
And I never tried writing to MSRs, because I have no idea what value is to be pushed (spare with me for this, I know nothing about Intel’s bit-banging on MSRs).

@Alif
The value of 3 means bit [0] and bit [1] are set (a different MSR is in the picture, but it doesn’t matter, the principle is the same):

https://m.imgur.com/a/rn1hGG4

Bit [0] meaning: RTM_DISABLE: When set to 1, XBEGIN will always abort with EAX code 0.
Bit [1] meaning: TSX_CPUID_CLEAR: When set to 1, CPUID.07H.EBX.RTM [bit 11] and CPUID.07H.EBX.HLE [bit 4] report 0. When set to 0 and the SKU supports TSX, these bits will return 1.
Well, it doesn’t tell me much, so for a start, let’s try testing the values one by one by writing:
wrmsr 0x122 0x0
wrmsr 0x122 0x1
wrmsr 0x122 0x2
and confirm it back with rdmsr. If in any case the value is changed, let’s try to confirm on Linux whether 64 bit is working (I suppose you know how).
If it doesn’t work and rdmsr returns the same 0x3 value, it means the register is read-only from the software side.
You need not be afraid of wrmsr; if something goes wrong, the value will be reset after a reboot or a return from S3 sleep.
Excuse my bad English

@DaCou I tried and I’m pretty sure it is not software-changeable. When I issue the commands:
# wrmsr 0x122 0x0
wrmsr: CPU 0 cannot set MSR 0x00000122 to 0x0000000000000000
# wrmsr 0x122 0x1
wrmsr: CPU 0 cannot set MSR 0x00000122 to 0x0000000000000001
# wrmsr 0x122 0x2
wrmsr: CPU 0 cannot set MSR 0x00000122 to 0x0000000000000002


Anyway, I think you should see something; I’m attaching two screenshots. Please have a look at these two carefully. There is also add esp, 0x14… just like the ASUS mod BIOS, but packed very differently. I think this is trickier than it looks. There, add esp, 0x14 was right after the function, but here something else happens after it (though there is add esp, 0x14). Or is it something I shouldn’t be caring about?

Screenshot_20210123_104611.png

Screenshot_20210123_104624.png



Old thread but anyway… the CPU in that laptop is an Intel N2600 - it supports 2GB of RAM max. No BIOS mod can change that.

The processor cannot run 64 bit apps or a 64bit OS.

Others have modded the BIOS and unlocked 64 bit. They also have used 4GB ram. Look from here, https://www.bios-mods.com/forum/Thread-R…pc-1025C?page=2



The thread ended but did you find a solution to run 64 bit? I have the same model. With 2GB, was thinking to turn it into a Chromebook, but 32 bit support has been dropped long ago.

You could try like here. Someone suggested me this [Request] EMT64 Support for D2550 (2)

I have the same problem, searching for decision.

Locked EM64T on HP Mini 110-4100?

@Danny19098 @Sweet_Kitten could you try like this and inform if it works or not?
[Request] EMT64 Support for D2550 (2)

@Alif
Why don’t you try?

@Sweet_Kitten I would if I had the device.