MediaSmartServer.net
http://www.mediasmartserver.net/forums/

EX485 hacked BIOS
http://www.mediasmartserver.net/forums/viewtopic.php?f=17&t=10342
Page 1 of 3

Author:  adaptation [ Sun Feb 27, 2011 1:02 pm ]
Post subject:  EX485 hacked BIOS

Here's a link to an EX485 BIOS rom image which I just finished hacking up. It's basically the EX495 BIOS rom patched to fix the 100% on chassis fan problem. Which means I now have an EX485 server with a celeron E3400 CPU that shuts down properly, and with chassis fans that aren't at full speed. I think the virtualization extensions may even work (CPU-Z says they are supported, I just haven't tried it).

This ROM of course is completely unsupported, and basically use at your own risk. Resoldering and reprogramming the flash memory chip is not as much fun as you may think.

EX48X_2011_02_20.zip

SHA(EX48X_2011_02_20.zip)= 4bbec4238f75b7fd53e012bd54b21d10d4e6e859

You will additionally need a copy of afuwin/afudos for the actual flashing of this image.

More instructions, changes, and other comments in the included readme.txt.

Author:  ymboc [ Sun Feb 27, 2011 6:54 pm ]
Post subject:  Re: EX485 hacked BIOS

I'm curious.

Some of the 20 questions I'd like to ask:
What did you have to do to prepare this bios? What patching was required? What software did you use to do the patching? etc etc etc..

Cheers

Author:  neuroman [ Mon Feb 28, 2011 1:43 pm ]
Post subject:  Re: EX485 hacked BIOS

Here's the information on the readme.txt.
It sure sound tempting to flash the bios but the problem is the potential consequences.

Changes
-------

This BIOS _IS_ the EX495 BIOS with very minor changes:

* Decreases the hardware monitor register init count from 0x14 to 0x0D
Additional registers were being initialized for the EX495 which uses a
newer SCH5147 chipset, and was causing the full fan problem
Specifically bit one of mysterious register 0x7D sets 100% PWM

BIOS module 0x1B
0x1B810: B9 14 -> B9 09 or MOV CX, 14h -> MOV CX, 0Dh

* Bypassing the CPUID specific hardware monitoring register initialization
Where the test actually looks flawed, and the EX485 doesn't do it anyway

BIOS module 0x1B
0x1B83D: 0F 84 8A 00 -> E9 10 01 00 or JZ _4000:B4DA -> JMP _4000:B55F

* Removal of the "EVALUATION COPY, NOT FOR SALE" message

BIOS module 0x1B
0xFA73: 80 -> 00

* Changed the ROMID to match the EX485's
Making it clear that this BIOS is EX485/7 specific, and to keep afuwin happy




Background
----------

I recently replaced the CPU in my EX485 server with a Celeron E3400.

This CPU was detected as a dual core correctly, but had trouble POSTing until
PECI was enabled, and somehow stopped the server from completely powering
down on shutdown.

So while looking for a solution I discovered a posting by taohat
http://www.mediasmarthome.com/forum/thr ... l/?page=24

who had temporarily reflashed with an EX495 BIOS. Resulting in fixing all of
the known issues, and introduced a new one where the chassis fans ran at full
speed.

Which sounded promising... perhaps I can compare the EX495 BIOS with my EX485
BIOS, and work out where the problem is. They have very similar hardware, how
hard can it be?

How hard INDEED.

Queue montage:
* reading of Pinczakko's Guide to AMI BIOS Reverse Engineering
* x86 assembly instructions flying up the screen in IDA disassembler
* re-soldering the cmos serial flash chip
* more x86 assembly instructions flying up the screen

Problem turned out to be with the SCH5127 hardware monitoring registers. Where
bit one of register 0x7D was being set. I have no idea what that register is
for, but the EX485 BIOS doesn't touch it, and now neither does this BIOS ;-)


Has anyone tried this?

Author:  adaptation [ Mon Feb 28, 2011 11:23 pm ]
Post subject:  Re: EX485 hacked BIOS

Thanks nueroman for posting my readme

ymboc wrote:
What did you have to do to prepare this bios?

There were two choices:
1. Modify the EX485 BIOS to support newer CPU's, along with VT-x, and fix the power off problem
2. Modify the EX495 BIOS to fix the chassis fan

Going with option one and just adding the appropriate CPU microcode to the EX485 image; caused the BIOS to hang during POST. Fortunately swapping back in the Celeron CPU fixed that, but it did show that option one was going to have multiple problems. Which made option two seem a much easier solution.

So going with option two; the next step was to confirm taohat's findings that everything worked with the EX495 image except for the 100% on chassis fan. Results of that showed that a 100% on chassis fan was kind of loud.

Having a look through the monster thread over on mediasmarthome.com, I went and tried to narrow down the BIOS module that was responsible. Swapping in different ACPI modules etc.

It was around this time I bricked my server ](*,)

Poking around on the motherboard I discover the MX25L4005A; an eight pin four mega-bit cmos serial flash chip. Which I figure almost certainly contains the BIOS as the ROM image is 512k (4mbit). Also spent some time looking at CN14 which seems to expose the IHR9's LPC/Firmware Hub Signals (LAD[3:0]/FWH[3:0]) and the PCI clock. But couldn't work out what to do with that, given the tools I have.

End result was having to desolder the serial flash chip, and reprogram it via an Arduino board, with some custom software, using a jury rigged 5V to 3V3 converter circuit. Then left the flash part desoldered, and thanks to many dangling wires could swap between my Arduino and the server motherboard. Allowing for several more recoveries. Eventually I soldered an eight pin ZIF socket that arrived from Grains BIOS repair.

ymboc wrote:
What patching was required?


By this stage I was pretty much convinced that the cause of the chassis fan was in the actual BIOS image (Single Link Arch BIOS). Which meant that it wasn't going to be as easy as just swapping in an old BIOS module.

Fortunately there's a good (but extremely brief) guide to reverse engineering the AMI BIOS:
http://sites.google.com/site/pinczakko/ ... ngineering

In conjunction with a leaked AMI program called MMTOOL I extracted module type 1B (Single Link Arch BIOS). Then wrote another small program to extract the components from that BIOS module. Making it much easier to individually offset them in the IDA Disassembler.

From there I used the IDA disassembler to search for known numerics. Specifically the SCH5127's hardware monitor I/O ports 0xA70, 0xA71. Which put me in the right ballpark.

Did the same thing for the EX485 1B image, and then compared the relevant sections.

There are several hardware registers that the EX495 image touches, that the EX485 image doesn't. Checking these registers live with the Read & Write everything utility I discover that a bit in register 0x7D is the actual problem. When set the fans run at full speed, and clearing it to zero has them return to normal operation. It must be some sort of test mode, but I don't have the datasheet for the SCH5127 or the SCH5147 (EX495's chip).

Patching the BIOS to fix this turned out to be pretty easy. There's a list of hardware registers to initialize and their corresponding values (actually and/or masks). Where the EX495 has 0x14 entries, and the EX485 has 0x0D. Fortunately the EX495's first 0x0D entries are identical to the EX485's. Meaning that removing the extraneous register entries was a matter of reducing the list length.

Code:
POST_CSEG is at offset 0x103F1 in BIOS module 0x1B
 0x103F1 + 0xB41F = 0x1B810 (gets us to the MOV instruction)

0x1B810: B9 14 -> B9 09   or   MOV CX, 14h -> MOV CX, 0Dh


Later on in that routine there's additional code to test what cpu is installed, and set more registers accordingly. EX485 does not do this, and some of the register writes I'm unsure of. So I ended up patching that section as well, bypassing it altogether:

Code:
POST_CSEG is at offset 0x103F1 in BIOS module 0x1B
 0x103F1 + 0xB44C = 0x1B83D (gets us to the JZ instruction)

0x1B83D: 0F 84 8A 00 -> E9 10 01 00  or  JZ _4000:B4DA -> JMP _4000:B55F


As an added bonus I removed the evaluation message that the EX495 BIOS has. I figured I've sunk so much time into this now, what's a little more to see if I can get rid of that message.

Doing a search for "EVALUATION" doesn't turn up anything (you didn't think this was going to be easy?). But doing a search for "Bearlake" (part of the BIOS identifier) turned up an interesting looking routine. Which ends up being responsible for deobfuscating and displaying the evaluation message. It also includes a test, that will only show the message if an MSB is set.

Code:
RUN_CSEG is at offset 0x3F1 in BIOS module 0x1B:
 0x3F1 + 0xF682 = 0xFa73

clear the MSB bit at 0xFA73; setting the byte to 0x00 (was 0x80)
 
0xFA71: 3F 80 80 1F -> 3F 80 00 1F


No more evaluation message :)

I also modified the BIOS romid's to match the EX485's to remove the Afuwin warning, and hopefully make it slightly less confusing. Which was mostly find/replacing.

ymboc wrote:
What software did you use to do the patching?

  • Hex-rays awesome IDA disassembler was used for scouring the mess that is BIOS code, and helping determine the bytes to change/patch
  • Frhed (free hex editor) was used for the actual byte changing
  • MMTool was used for extracting and re-inserting BIOS modules
  • afuwin for all the flashing
  • Visual Studio 2010 for custom utilities
  • Arduino for the first time and was the easiest micro development I've ever done

Phew! Apologies for the long post

Author:  ymboc [ Tue Mar 01, 2011 5:59 am ]
Post subject:  Re: EX485 hacked BIOS

adaptation wrote:
Phew! Apologies for the long post
No Apology needed. Thanks for the effort & write up! I enjoyed reading it!

Author:  neuroman [ Tue Mar 01, 2011 6:04 pm ]
Post subject:  Re: EX485 hacked BIOS

Well, I am waiting for my EX485 to arrive to retire my EX4785 and flash this bios. I really glad you the the virtualization support since it can now run Server 2008 R2 very well. The only thing that is missing is the LEDs.

Thanks.

Author:  erail [ Fri Mar 04, 2011 10:53 am ]
Post subject:  Re: EX485 hacked BIOS

OK, bit the bullet and flashed your EX495 hacked bios on to my EX485 and it works fine. Allows shut down and the fans work correctly. Did a Prime95 run and the fans gradually increase in speed to match the heat generated and go back to around 1000 rpm when run was stopped. Very good operation and it appears to be much snappier with the new bios and I don't think it's in my head. I did have to go in to the bios and re-enable intel speed step and it works very well. The esata works as advertised - one drive. I am running WHS 2011 with an E5400 2.7 ghz dual core and 4 gig of memory. I noticed the smibios is diabled which I don't need anyway but may be a problem for those running WHS V1 and need to reset. All in all, a great way to upgrade to test WHS 2011.

Author:  neuroman [ Fri Mar 04, 2011 2:59 pm ]
Post subject:  Re: EX485 hacked BIOS

I also flashed the bios and the server is working without problems. I have not installed a new CPU so I cannot confirm the part about sleep/shut down. Will install a E7300 this afternoon.
By the way - Is hardware virtualization enabled in this bios?

Author:  erail [ Fri Mar 04, 2011 3:34 pm ]
Post subject:  Re: EX485 hacked BIOS

Hardware virtualization is enabled but speedstep is not. I think speedstep is important for these SFF units

Author:  neuroman [ Tue Mar 08, 2011 2:19 pm ]
Post subject:  Re: EX485 hacked BIOS

BTW. The fan control on th e new bios is different. Right now my fans are running at around 900 rpm. I got a message saying on of them was out of specs. My idle CPU temps went up a little bit from around 48-50 to around 55-60. Is there a way to change the fan speed sin the bios since MSS fan control will not work with these machines?

Author:  RemoteDoc [ Mon Mar 14, 2011 12:19 am ]
Post subject:  Re: EX485 hacked BIOS

I also flashed my bios without any problems. Thanks for the help! It is definitely nice to shut this badboy down without getting out of my seat to press the power button on the back...however, I might have shut it down a total of 2 times last year, so I don't know if I'll get any more use out of it. On a side note, when I flashed my system, I didn't think it worked at first, because it didn't shut down...I force shut it down. When I booted it back up, it fortunately booted up fine, but as I tried the shutdown again I noticed it said "Log off, Install updates, and shutdown" on the drop-down box... :) Thanks again.

Author:  RemoteDoc [ Mon Mar 14, 2011 11:41 pm ]
Post subject:  Re: EX485 hacked BIOS

Alright, maybe a small issue, but it's confounded by the fact that I did a bunch of blind adjustments to try to get Domain Controller running on my EX487. Basically, after flashing my bios with this ex490 [modded for ex485] bios, everything worked fine, including shut down. However, after messing with with DCPROMO and then unregistered the domain, I tried to use my WHS Console over RDC. It wouldn't run. It was a temporary test machine, so I decided to factory reset the entire machine. Unfortunately, when I tried this, it wouldn't go into factory reset like the original ex485 bios did. Is this because the EX490 users have to recover over a network? Additionally, would we have to use Diehard's recovery method for the ex490 to get it reset?

Ultimately, I just flashed back to my original EX485 bios. I don't really mine the inability to shutdown by software button...my server stays on 24/7.

Author:  DaveBey [ Fri Apr 08, 2011 10:23 pm ]
Post subject:  Re: EX485 hacked BIOS

I applied the modified EX495 BIOS to my EX485 and the flash went smoothly. I do, however, receive the 'fan out of specification' warning. Does someone have a copy of the AMIBCP utility they could send me? I'd like to modify the BIOS to enable SpeedStep and maybe increase the fan RPM.

Cheers from Claremore, OK! :)
Dave

Author:  msawyer91 [ Thu Sep 08, 2011 11:22 am ]
Post subject:  Re: EX485 hacked BIOS

I don't have the KVM cable. I see the readme.txt step 1 of the instructions calls for the KVM cable.

Is this mandatory? Will the "default" settings be fine, or will I need to get into the BIOS UI and make changes? If that's the case, I guess I'm going to need to order the cable. Since the BIOS flashing program allows me to update the CMOS with either the "current optimal" or "load optimal from ROM image," it would seem I could just have it apply the defaults and call it a day. Unless going the failsafe route is the way to go.

Also, your readme file is very emphatic about flashing ALL blocks. Specifically, you say to flash ALL blocks including the BOOT block. AFUWIN gives me 5 "Block Options": Program All Blocks, Main BIOS Image, Boot Block, NVRAM and EC Block.

So, do I pick just "Program All Blocks" and "Boot Block?" Or do I pick all five, as this would get "all" of the block options... I imagine picking the wrong ones would lead to an epic fail.

Author:  msawyer91 [ Thu Sep 08, 2011 12:54 pm ]
Post subject:  Re: EX485 hacked BIOS

OK you can ignore my question about programming "all" blocks -- I remoted into my EX490 from work, pulled up the flash utility and by picking "program all blocks" it picks everything automatically. So really all that remains is just the question about the cable...mandatory or optional?

Page 1 of 3 All times are UTC - 7 hours [ DST ]
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/