 Post subject: EX485 hacked BIOS
PostPosted: Sun Feb 27, 2011 1:02 pm 
.5TB storage

Joined: Fri Nov 27, 2009 7:33 pm
Posts: 14
Thanks: 3
Thanked: 13 times in 7 posts
Here's a link to an EX485 BIOS rom image which I just finished hacking up. It's basically the EX495 BIOS rom patched to fix the 100% on chassis fan problem. Which means I now have an EX485 server with a celeron E3400 CPU that shuts down properly, and with chassis fans that aren't at full speed. I think the virtualization extensions may even work (CPU-Z says they are supported, I just haven't tried it).

This ROM of course is completely unsupported, and basically use at your own risk. Resoldering and reprogramming the flash memory chip is not as much fun as you may think.

EX48X_2011_02_20.zip

SHA(EX48X_2011_02_20.zip)= 4bbec4238f75b7fd53e012bd54b21d10d4e6e859

You will additionally need a copy of afuwin/afudos for the actual flashing of this image.

More instructions, changes, and other comments in the included readme.txt.


The following user would like to thank adaptation for this post
ArmyPilot, DaveBey, erail

 Post subject: Re: EX485 hacked BIOS
PostPosted: Sun Feb 27, 2011 6:54 pm 
Top Contributor

Joined: Sat Feb 09, 2008 7:50 pm
Posts: 765
Thanks: 18
Thanked: 119 times in 44 posts
I'm curious.

Some of the 20 questions I'd like to ask:
What did you have to do to prepare this bios? What patching was required? What software did you use to do the patching? etc etc etc..

Cheers


 Post subject: Re: EX485 hacked BIOS
PostPosted: Mon Feb 28, 2011 1:43 pm 
Newbie

Joined: Mon Feb 28, 2011 1:40 pm
Posts: 4
Thanks: 2
Thanked: 0 time in 0 post
Here's the information on the readme.txt.
It sure sounds tempting to flash the bios but the problem is the potential consequences.

Changes
-------

This BIOS _IS_ the EX495 BIOS with very minor changes:

* Decreases the hardware monitor register init count from 0x14 to 0x0D
Additional registers were being initialized for the EX495 which uses a
newer SCH5147 chipset, and was causing the full fan problem
Specifically bit one of mysterious register 0x7D sets 100% PWM

BIOS module 0x1B
0x1B810: B9 14 -> B9 09 or MOV CX, 14h -> MOV CX, 0Dh

* Bypassing the CPUID specific hardware monitoring register initialization
Where the test actually looks flawed, and the EX485 doesn't do it anyway

BIOS module 0x1B
0x1B83D: 0F 84 8A 00 -> E9 10 01 00 or JZ _4000:B4DA -> JMP _4000:B55F

* Removal of the "EVALUATION COPY, NOT FOR SALE" message

BIOS module 0x1B
0xFA73: 80 -> 00

* Changed the ROMID to match the EX485's
Making it clear that this BIOS is EX485/7 specific, and to keep afuwin happy




Background
----------

I recently replaced the CPU in my EX485 server with a Celeron E3400.

This CPU was detected as a dual core correctly, but had trouble POSTing until
PECI was enabled, and somehow stopped the server from completely powering
down on shutdown.

So while looking for a solution I discovered a posting by taohat
http://www.mediasmarthome.com/forum/thr ... l/?page=24

who had temporarily reflashed with an EX495 BIOS. Resulting in fixing all of
the known issues, and introduced a new one where the chassis fans ran at full
speed.

Which sounded promising... perhaps I can compare the EX495 BIOS with my EX485
BIOS, and work out where the problem is. They have very similar hardware, how
hard can it be?

How hard INDEED.

Cue montage:
* reading of Pinczakko's Guide to AMI BIOS Reverse Engineering
* x86 assembly instructions flying up the screen in IDA disassembler
* re-soldering the cmos serial flash chip
* more x86 assembly instructions flying up the screen

Problem turned out to be with the SCH5127 hardware monitoring registers. Where
bit one of register 0x7D was being set. I have no idea what that register is
for, but the EX485 BIOS doesn't touch it, and now neither does this BIOS ;-)


Has anyone tried this?

_________________
EX475 with BE-2300 and 2GB RAM. Will be put on sale very soon.
EX485 flashed with adaptations hacked bios, soon to get an E7300 and 4GB memory upgrade.


 Post subject: Re: EX485 hacked BIOS
PostPosted: Mon Feb 28, 2011 11:23 pm 
.5TB storage

Joined: Fri Nov 27, 2009 7:33 pm
Posts: 14
Thanks: 3
Thanked: 13 times in 7 posts
Thanks neuroman for posting my readme

ymboc wrote:
What did you have to do to prepare this bios?

There were two choices:
1. Modify the EX485 BIOS to support newer CPUs, along with VT-x, and fix the power off problem
2. Modify the EX495 BIOS to fix the chassis fan

Going with option one and just adding the appropriate CPU microcode to the EX485 image caused the BIOS to hang during POST. Fortunately swapping back in the Celeron CPU fixed that, but it did show that option one was going to have multiple problems. Which made option two seem a much easier solution.

So going with option two, the next step was to confirm taohat's findings that everything worked with the EX495 image except for the 100% on chassis fan. Results of that showed that a 100% on chassis fan was kind of loud.

Having a look through the monster thread over on mediasmarthome.com, I went and tried to narrow down the BIOS module that was responsible. Swapping in different ACPI modules etc.

It was around this time I bricked my server ](*,)

Poking around on the motherboard I discover the MX25L4005A; an eight pin four mega-bit cmos serial flash chip. Which I figure almost certainly contains the BIOS as the ROM image is 512k (4mbit). Also spent some time looking at CN14 which seems to expose the IHR9's LPC/Firmware Hub Signals (LAD[3:0]/FWH[3:0]) and the PCI clock. But couldn't work out what to do with that, given the tools I have.

End result was having to desolder the serial flash chip, and reprogram it via an Arduino board, with some custom software, using a jury rigged 5V to 3V3 converter circuit. Then left the flash part desoldered, and thanks to many dangling wires could swap between my Arduino and the server motherboard. Allowing for several more recoveries. Eventually I soldered an eight pin ZIF socket that arrived from Grains BIOS repair.

ymboc wrote:
What patching was required?


By this stage I was pretty much convinced that the cause of the chassis fan was in the actual BIOS image (Single Link Arch BIOS). Which meant that it wasn't going to be as easy as just swapping in an old BIOS module.

Fortunately there's a good (but extremely brief) guide to reverse engineering the AMI BIOS:
http://sites.google.com/site/pinczakko/ ... ngineering

In conjunction with a leaked AMI program called MMTOOL I extracted module type 1B (Single Link Arch BIOS). Then wrote another small program to extract the components from that BIOS module. Making it much easier to individually offset them in the IDA Disassembler.

From there I used the IDA disassembler to search for known numerics. Specifically the SCH5127's hardware monitor I/O ports 0xA70, 0xA71. Which put me in the right ballpark.

Did the same thing for the EX485 1B image, and then compared the relevant sections.

There are several hardware registers that the EX495 image touches, that the EX485 image doesn't. Checking these registers live with the Read & Write everything utility I discover that a bit in register 0x7D is the actual problem. When set the fans run at full speed, and clearing it to zero has them return to normal operation. It must be some sort of test mode, but I don't have the datasheet for the SCH5127 or the SCH5147 (EX495's chip).

Patching the BIOS to fix this turned out to be pretty easy. There's a list of hardware registers to initialize and their corresponding values (actually and/or masks). Where the EX495 has 0x14 entries, and the EX485 has 0x0D. Fortunately the EX495's first 0x0D entries are identical to the EX485's. Meaning that removing the extraneous register entries was a matter of reducing the list length.

Code:
POST_CSEG is at offset 0x103F1 in BIOS module 0x1B
 0x103F1 + 0xB41F = 0x1B810 (gets us to the MOV instruction)

0x1B810: B9 14 -> B9 09   or   MOV CX, 14h -> MOV CX, 0Dh


Later on in that routine there's additional code to test what cpu is installed, and set more registers accordingly. EX485 does not do this, and some of the register writes I'm unsure of. So I ended up patching that section as well, bypassing it altogether:

Code:
POST_CSEG is at offset 0x103F1 in BIOS module 0x1B
 0x103F1 + 0xB44C = 0x1B83D (gets us to the JZ instruction)

0x1B83D: 0F 84 8A 00 -> E9 10 01 00  or  JZ _4000:B4DA -> JMP _4000:B55F


As an added bonus I removed the evaluation message that the EX495 BIOS has. I figured I've sunk so much time into this now, what's a little more to see if I can get rid of that message.

Doing a search for "EVALUATION" doesn't turn up anything (you didn't think this was going to be easy?). But doing a search for "Bearlake" (part of the BIOS identifier) turned up an interesting looking routine. Which ends up being responsible for deobfuscating and displaying the evaluation message. It also includes a test, that will only show the message if an MSB is set.

Code:
RUN_CSEG is at offset 0x3F1 in BIOS module 0x1B:
 0x3F1 + 0xF682 = 0xFA73

clear the MSB bit at 0xFA73; setting the byte to 0x00 (was 0x80)
 
0xFA71: 3F 80 80 1F -> 3F 80 00 1F


No more evaluation message :)

I also modified the BIOS romid's to match the EX485's to remove the Afuwin warning, and hopefully make it slightly less confusing. Which was mostly find/replacing.

ymboc wrote:
What software did you use to do the patching?

  • Hex-rays awesome IDA disassembler was used for scouring the mess that is BIOS code, and helping determine the bytes to change/patch
  • Frhed (free hex editor) was used for the actual byte changing
  • MMTool was used for extracting and re-inserting BIOS modules
  • afuwin for all the flashing
  • Visual Studio 2010 for custom utilities
  • Arduino, for the first time, and it was the easiest micro development I've ever done

Phew! Apologies for the long post


The following user would like to thank adaptation for this post
neuroman, ymboc
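
An added example, not part of adaptation's post or readme: before flashing a third-party image, the byte changes listed above can be checked against the image itself. The sketch recomputes the two branch targets from the listed bytes and classifies every differing byte between two module 0x1B images as documented or not; the function names and the sample buffers are constructed for illustration.

```python
import struct

POST_CSEG = 0x103F1  # file offset of POST_CSEG inside module 0x1B (from the post)
# (file offset, old bytes, new bytes), copied from the post as written. The post's
# mnemonic for the first entry reads "MOV CX, 0Dh" while the byte listed is 09;
# audit() reports which value a given image really holds.
DOCUMENTED = [
    (0x1B810, bytes.fromhex("B914"), bytes.fromhex("B909")),
    (0x1B83D, bytes.fromhex("0F848A00"), bytes.fromhex("E9100100")),
    (0x0FA73, bytes.fromhex("80"), bytes.fromhex("00")),
]

def branch_target(file_off, code, seg_base=POST_CSEG):
    """Target (segment offset) of a 16-bit near JZ (0F 84 rel16) or JMP (E9 rel16)."""
    if code[:2] == b"\x0f\x84":
        length = 4
    elif code[:1] == b"\xe9":
        length = 3
    else:
        raise ValueError("not a near JZ/JMP")
    rel = struct.unpack_from("<h", code, length - 2)[0]
    return (file_off - seg_base + length + rel) & 0xFFFF

def audit(original, modified, documented=DOCUMENTED):
    """Classify every differing byte as documented or not.
    Returns (explained, unexplained, missing) lists of file offsets."""
    if len(original) != len(modified):
        raise ValueError("images differ in size")
    expected = {}
    for off, old, new in documented:
        for k, (o, n) in enumerate(zip(old, new)):
            if o != n:
                expected[off + k] = (o, n)
    explained, unexplained = [], []
    for pos, (o, n) in enumerate(zip(original, modified)):
        if o != n:
            (explained if expected.get(pos) == (o, n) else unexplained).append(pos)
    missing = sorted(set(expected) - set(explained))
    return explained, unexplained, missing

def build_sample():
    """Constructed stand-in for the two module images (not real BIOS data)."""
    original = bytearray(0x1C000)
    for off, old, _ in DOCUMENTED:
        original[off:off + len(old)] = old
    modified = bytearray(original)
    for off, _, new in DOCUMENTED:
        modified[off:off + len(new)] = new
    modified[0x100] = 0x41  # constructed extra edit, e.g. an unlisted ROMID byte
    return bytes(original), bytes(modified)

if __name__ == "__main__":
    print(hex(branch_target(0x1B83D, DOCUMENTED[1][1])))  # JZ target
    print(hex(branch_target(0x1B83D, DOCUMENTED[1][2])))  # JMP target
    exp, unexp, miss = audit(*build_sample())
    print([hex(p) for p in exp], [hex(p) for p in unexp], miss)
```

On real images, the ROMID edits would show up in the unexplained list because the post gives no offsets for them; anything else there deserves a look before the image goes near afuwin.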
 Post subject: Re: EX485 hacked BIOS
PostPosted: Tue Mar 01, 2011 5:59 am 
Top Contributor

Joined: Sat Feb 09, 2008 7:50 pm
Posts: 765
Thanks: 18
Thanked: 119 times in 44 posts
adaptation wrote:
Phew! Apologies for the long post
No Apology needed. Thanks for the effort & write up! I enjoyed reading it!


 Post subject: Re: EX485 hacked BIOS
PostPosted: Tue Mar 01, 2011 6:04 pm 
Newbie

Joined: Mon Feb 28, 2011 1:40 pm
Posts: 4
Thanks: 2
Thanked: 0 time in 0 post
Well, I am waiting for my EX485 to arrive to retire my EX4785 and flash this bios. I'm really glad you got the virtualization support since it can now run Server 2008 R2 very well. The only thing that is missing is the LEDs.

Thanks.

 Post subject: Re: EX485 hacked BIOS
PostPosted: Fri Mar 04, 2011 10:53 am 
Max Contributor

Joined: Fri Jan 18, 2008 11:32 am
Posts: 1027
Thanks: 2
Thanked: 84 times in 76 posts
OK, bit the bullet and flashed your EX495 hacked bios on to my EX485 and it works fine. Allows shut down and the fans work correctly. Did a Prime95 run and the fans gradually increase in speed to match the heat generated and go back to around 1000 rpm when run was stopped. Very good operation and it appears to be much snappier with the new bios and I don't think it's in my head. I did have to go in to the bios and re-enable intel speed step and it works very well. The esata works as advertised - one drive. I am running WHS 2011 with an E5400 2.7 ghz dual core and 4 gig of memory. I noticed the smibios is disabled which I don't need anyway but may be a problem for those running WHS V1 and need to reset. All in all, a great way to upgrade to test WHS 2011.

_________________
HP EX470, 4 GIG, 4200+ EE SFF, WHS V1, Production
HP EX485, 4 GIG, E5800, WHS 2011, Stablebit Drive Pool, Transfer Server, Backup Server
HP EX490, 4 GIG, Q9400S, WHS 2011, Stablebit Drive Pool, Mediaserver
HP EX485, 4 GIG, Q8200S, WHS 2011, ITUNES Server


The following user would like to thank erail for this post
neuroman, yakuza
 Post subject: Re: EX485 hacked BIOS
PostPosted: Fri Mar 04, 2011 2:59 pm 
Newbie

Joined: Mon Feb 28, 2011 1:40 pm
Posts: 4
Thanks: 2
Thanked: 0 time in 0 post
I also flashed the bios and the server is working without problems. I have not installed a new CPU so I cannot confirm the part about sleep/shut down. Will install a E7300 this afternoon.
By the way - Is hardware virtualization enabled in this bios?

 Post subject: Re: EX485 hacked BIOS
PostPosted: Fri Mar 04, 2011 3:34 pm 
Max Contributor

Joined: Fri Jan 18, 2008 11:32 am
Posts: 1027
Thanks: 2
Thanked: 84 times in 76 posts
Hardware virtualization is enabled but speedstep is not. I think speedstep is important for these SFF units

 Post subject: Re: EX485 hacked BIOS
PostPosted: Tue Mar 08, 2011 2:19 pm 
Newbie

Joined: Mon Feb 28, 2011 1:40 pm
Posts: 4
Thanks: 2
Thanked: 0 time in 0 post
BTW. The fan control on the new bios is different. Right now my fans are running at around 900 rpm. I got a message saying one of them was out of specs. My idle CPU temps went up a little bit from around 48-50 to around 55-60. Is there a way to change the fan speeds in the bios since MSS fan control will not work with these machines?

 Post subject: Re: EX485 hacked BIOS
PostPosted: Mon Mar 14, 2011 12:19 am 
Newbie

Joined: Sat Dec 12, 2009 10:25 pm
Posts: 6
Thanks: 0
Thanked: 0 time in 0 post
I also flashed my bios without any problems. Thanks for the help! It is definitely nice to shut this badboy down without getting out of my seat to press the power button on the back...however, I might have shut it down a total of 2 times last year, so I don't know if I'll get any more use out of it. On a side note, when I flashed my system, I didn't think it worked at first, because it didn't shut down...I force shut it down. When I booted it back up, it fortunately booted up fine, but as I tried the shutdown again I noticed it said "Log off, Install updates, and shutdown" on the drop-down box... :) Thanks again.


 Post subject: Re: EX485 hacked BIOS
PostPosted: Mon Mar 14, 2011 11:41 pm 
Newbie

Joined: Sat Dec 12, 2009 10:25 pm
Posts: 6
Thanks: 0
Thanked: 0 time in 0 post
Alright, maybe a small issue, but it's confounded by the fact that I did a bunch of blind adjustments to try to get Domain Controller running on my EX487. Basically, after flashing my bios with this ex490 [modded for ex485] bios, everything worked fine, including shut down. However, after messing with DCPROMO and then unregistered the domain, I tried to use my WHS Console over RDC. It wouldn't run. It was a temporary test machine, so I decided to factory reset the entire machine. Unfortunately, when I tried this, it wouldn't go into factory reset like the original ex485 bios did. Is this because the EX490 users have to recover over a network? Additionally, would we have to use Diehard's recovery method for the ex490 to get it reset?

Ultimately, I just flashed back to my original EX485 bios. I don't really mind the inability to shutdown by software button...my server stays on 24/7.


 Post subject: Re: EX485 hacked BIOS
PostPosted: Fri Apr 08, 2011 10:23 pm 
1TB storage

Joined: Mon Mar 29, 2010 11:39 am
Posts: 37
Location: Claremore, Oklahoma
Thanks: 2
Thanked: 2 times in 2 posts
I applied the modified EX495 BIOS to my EX485 and the flash went smoothly. I do, however, receive the 'fan out of specification' warning. Does someone have a copy of the AMIBCP utility they could send me? I'd like to modify the BIOS to enable SpeedStep and maybe increase the fan RPM.

Cheers from Claremore, OK! :)
Dave

_________________
HP MediaSmart EX485: 4x Western Digital WD20EURS 2.0TB


 Post subject: Re: EX485 hacked BIOS
PostPosted: Thu Sep 08, 2011 11:22 am 
Top Contributor

Joined: Sun Jan 10, 2010 9:25 pm
Posts: 634
Location: Shelby Township, MI
Thanks: 78
Thanked: 152 times in 110 posts
I don't have the KVM cable. I see the readme.txt step 1 of the instructions calls for the KVM cable.

Is this mandatory? Will the "default" settings be fine, or will I need to get into the BIOS UI and make changes? If that's the case, I guess I'm going to need to order the cable. Since the BIOS flashing program allows me to update the CMOS with either the "current optimal" or "load optimal from ROM image," it would seem I could just have it apply the defaults and call it a day. Unless going the failsafe route is the way to go.

Also, your readme file is very emphatic about flashing ALL blocks. Specifically, you say to flash ALL blocks including the BOOT block. AFUWIN gives me 5 "Block Options": Program All Blocks, Main BIOS Image, Boot Block, NVRAM and EC Block.

So, do I pick just "Program All Blocks" and "Boot Block?" Or do I pick all five, as this would get "all" of the block options... I imagine picking the wrong ones would lead to an epic fail.

_________________
Matt Sawyer
Owner, Dojo North Software, LLC

HP EX490, 4GB, E5300, 15TB - Server 2012 - Sharing and Streaming
HP EX487, 4GB, E5300, 13TB - Server 2012 Essentials - Backups


 Post subject: Re: EX485 hacked BIOS
PostPosted: Thu Sep 08, 2011 12:54 pm 
Top Contributor

Joined: Sun Jan 10, 2010 9:25 pm
Posts: 634
Location: Shelby Township, MI
Thanks: 78
Thanked: 152 times in 110 posts
OK you can ignore my question about programming "all" blocks -- I remoted into my EX490 from work, pulled up the flash utility and by picking "program all blocks" it picks everything automatically. So really all that remains is just the question about the cable...mandatory or optional?
