How to Enable Intel Dynamic Acceleration (IDA) on Both Cores of a Core 2 Duo

Discussion in 'Windows OS and Software' started by unclewebb, Apr 21, 2010.

  1. User Retired 2

    User Retired 2 Notebook Nobel Laureate NBR Reviewer

  2. middleton

    middleton Notebook Consultant

    Hi kizwan.

    I have some comments on your "EIST Unlocked Example" guide.


    1) First of all: you make a fundamental error by providing code like this in the guide:

    Code:
    0000XXXX B9A0010000	mov ecx, 0x1a0
    0000XXXX 48		dec eax
    0000XXXX 0FBAE814	bts eax, 0x14
    0000XXXX 48		dec eax
    Actually it's 64-bit code, and therefore it must be disassembled as follows:

    Code:
    0000XXXX B9A0010000	mov ecx, 0x1a0
    0000XXXX 480FBAE814	bts rax, 0x14
    0000XXXX 488BD0		mov rdx, rax
    You are a very lucky man, because patching a BIOS according to wrongly disassembled code is a very dangerous procedure.


    2) I can't understand why you recommend patching code like this:

    Code:
    00003CCF B9A0010000	mov ecx, 0x1a0
    00003CD4 48		dec eax
    00003CD5 0FBAE814	bts eax, 0x14
    00003CD9 48		dec eax
    in this manner:

    Code:
    00003CCF B9A0010000	mov ecx, 0x1a0
    00003CD4 90		nop
    00003CD5 90		nop
    00003CD6 90		nop
    00003CD7 90		nop
    00003CD8 90		nop
    00003CD9 48		dec eax
    Can't you patch just one byte instead of five? For example:

    Code:
    0000XXXX B9A0010000	mov ecx, 0x1a0
    0000XXXX 480FBAF014	btr rax, 0x14
    0000XXXX 488BD0		mov rdx, rax

    3) Recently I made dual-IDA patches for nine Lenovo ThinkPads (see here for the model numbers). We need to modify BIOSCOD5.ROM. Here is the code:

    Code:
    seg000:4264 0F A8                                   push    gs
    seg000:4266 66 50                                   push    eax
    seg000:4268 66 53                                   push    ebx
    seg000:426A 66 51                                   push    ecx
    seg000:426C 66 52                                   push    edx
    seg000:426E 68 00 F0                                push    0F000h
    seg000:4271 0F A9                                   pop     gs
    seg000:4273 66 B9 17 00 00 00                       mov     ecx, 17h
    seg000:4279 0F 32                                   rdmsr
    seg000:427B 66 F7 C2 00 00 04 00                    test    edx, 40000h
    seg000:4282 74 6D                                   jz      short loc_42F1
    seg000:4284 66 B8 01 00 00 00                       mov     eax, 1
    seg000:428A 0F A2                                   cpuid
    seg000:428C 66 F7 C1 80 00 00 00                    test    ecx, 80h
    seg000:4293 75 23                                   jnz     short loc_42B8
    seg000:4295 66 B9 A0 01 00 00                       mov     ecx, 1A0h
    seg000:429B 0F 32                                   rdmsr
    seg000:429D 66 25 FF 7F FE FF                       and     eax, 0FFFE7FFFh
    seg000:42A3 66 0D 00 00 10 00                       or      eax, 100000h
    seg000:42A9 0F 30                                   wrmsr
    seg000:42AB 65 83 0E 2F 33 04                       or      word ptr gs:332Fh, 4
    seg000:42B1 9A B1 27 00 F0                          call    far ptr 0F000h:27B1h
    seg000:42B6 EB 39                                   jmp     short loc_42F1
    seg000:42B8 66 B9 94 01 00 00                       mov     ecx, 194h
    seg000:42BE 0F 32                                   rdmsr
    seg000:42C0 66 A9 00 00 02 00                       test    eax, 20000h
    seg000:42C6 75 29                                   jnz     short loc_42F1
    seg000:42C8 9A B1 27 00 F0                          call    far ptr 0F000h:27B1h
    seg000:42CD 66 BB 00 04 10 00                       mov     ebx, 100400h
    seg000:42D3 B8 0F 03                                mov     ax, 30Fh
    seg000:42D6 9A 37 3C 00 F0                          call    far ptr 0F000h:3C37h
    seg000:42DB 74 07                                   jz      short loc_42E4
    seg000:42DD 66 81 CB 00 00 01 00                    or      ebx, 10000h
    seg000:42E4 66 B9 A0 01 00 00                       mov     ecx, 1A0h
    seg000:42EA 0F 32                                   rdmsr
    seg000:42EC 66 0B C3                                or      eax, ebx
    seg000:42EF 0F 30                                   wrmsr
    seg000:42F1 66 5A                                   pop     edx
    seg000:42F3 66 59                                   pop     ecx
    seg000:42F5 66 5B                                   pop     ebx
    seg000:42F7 66 58                                   pop     eax
    seg000:42F9 0F A9                                   pop     gs
    seg000:42FB CB                                      retf
    Pay attention to address 42A3. You can see the well-known OR instruction (or eax, 100000h). But if you patch it, it will give you nothing, because this code is executed only if the CPU doesn't support EIST.
    To stop the EIST lock bit from being set, we need to modify this mov instruction:

    Code:
    seg000:42CD 66 BB 00 04 10 00                       mov     ebx, 100400h
    in the following manner:

    Code:
    seg000:42CD 66 BB 00 04 00 00                       mov     ebx, 400h
    
    I don't know how you can describe this situation in the guide. The number 100400h may vary between different BIOSes. Moreover, there can be other ways to set the EIST lock bit. In such cases only analysis of the code can help to determine the correct place for the patch.


    4) You wrote that you had problems patching the Lenovo IdeaPad Y450 BIOS. To avoid the "Module is too big" error you need some skill in optimizing x86 assembler code. Don't hope this is a rare case and only the IdeaPad Y450 BIOS is affected. I have faced this error many times, and it has never been a reason not to make a patch. For example, I met the "Module is too big" message when working on the nine ThinkPad dual-IDA patches.

    I don't know what to advise you; there's no universal recipe. For example, the Y450 patch looks like this:

    Source:

    Code:
    seg000:000000000000168F B9 A0 01 00 00                          mov     ecx, 1A0h
    seg000:0000000000001694 48 0F BA E8 14                          bts     rax, 14h
    seg000:0000000000001699 48 8B D0                                mov     rdx, rax
    seg000:000000000000169C E8 A7 6D 00 00                          call    near ptr 8448h
    
    seg000:0000000000002697 B9 A0 01 00 00                          mov     ecx, 1A0h
    seg000:000000000000269C 48 0F BA E8 14                          bts     rax, 14h
    seg000:00000000000026A1 48 8B D0                                mov     rdx, rax
    seg000:00000000000026A4 E8 9F 5D 00 00                          call    near ptr 8448h
    Modified:

    Code:
    seg000:000000000000168F B9 A0 01 00 00                          mov     ecx, 1A0h
    seg000:0000000000001694 48 0F BA E8 14                          bts     rax, 14h
    seg000:0000000000001699 48 8B D0                                mov     rdx, rax
    seg000:000000000000169C 90                                      nop
    seg000:000000000000169D 90                                      nop
    seg000:000000000000169E 90                                      nop
    seg000:000000000000169F 90                                      nop
    seg000:00000000000016A0 90                                      nop
    
    seg000:0000000000002697 B9 A0 01 00 00                          mov     ecx, 1A0h
    seg000:000000000000269C 48 0F BA E8 14                          bts     rax, 14h
    seg000:00000000000026A1 48 8B D0                                mov     rdx, rax
    seg000:00000000000026A4 90                                      nop
    seg000:00000000000026A5 90                                      nop
    seg000:00000000000026A6 90                                      nop
    seg000:00000000000026A7 90                                      nop
    seg000:00000000000026A8 90                                      nop
    
    There was no "Module is too big" message when rebuilding the Y450 BIOS.
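    The four points above all come down to how a few x86 instructions are encoded. The following is an added example, not code from the thread or from either poster: a tiny decoder for just the instruction forms that appear in the listings, used to show why the same bytes read differently in 32-bit and 64-bit mode (point 1), why bts to btr is a one-byte ModRM change (point 2), which MSR 1A0h bits `mov ebx, 100400h` carries (point 3), and that a nop fill leaves the module size unchanged (point 4). The byte strings are constructed from the listings in the post; bit numbers 16 and 20 of IA32_MISC_ENABLE are taken from Intel's MSR documentation, and the helper names are this example's own.

```python
"""Added example (not the thread's code): decode and re-encode the EIST-lock
patch patterns from the listings.  Inputs are constructed from the post."""
import struct

EIST_ENABLE_BIT = 16   # IA32_MISC_ENABLE[16]: EIST enable (Intel MSR documentation)
EIST_LOCK_BIT = 20     # IA32_MISC_ENABLE[20]: EIST select lock, the bit the patches avoid setting

BT_GROUP = {4: "bt", 5: "bts", 6: "btr", 7: "btc"}      # ModRM.reg of "0F BA /r ib"
REGS = {32: ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"],
        64: ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]}


def _modrm(b):
    """Split a ModRM byte; only the register form (mod == 11) is handled here."""
    if b >> 6 != 3:
        raise ValueError("memory operand forms are not handled")
    return (b >> 3) & 7, b & 7


def decode(code, mode):
    """Decode one instruction at code[0] in 32- or 64-bit mode -> (text, length)."""
    i, width = 0, 32
    if mode == 64 and 0x40 <= code[0] <= 0x4F:       # REX prefix exists only in 64-bit mode
        width = 64 if code[0] & 0x08 else 32          # REX.W selects 64-bit operands
        i = 1
    regs, op = REGS[width], code[i]
    if op == 0x90:
        return "nop", i + 1
    if 0x48 <= op <= 0x4F and mode == 32:             # 48+r: dec r32 (a 32-bit view of REX.W)
        return f"dec {regs[op - 0x48]}", i + 1
    if 0xB8 <= op <= 0xBF and width == 32:            # B8+r imm32: mov r32, imm32
        imm = struct.unpack_from("<I", code, i + 1)[0]
        return f"mov {regs[op - 0xB8]}, 0x{imm:x}", i + 5
    if op == 0xE8:                                    # E8 rel32: call near
        rel = struct.unpack_from("<i", code, i + 1)[0]
        return f"call {'+' if rel >= 0 else '-'}0x{abs(rel):x}", i + 5
    if op == 0x8B:                                    # 8B /r: mov r, r/m
        reg, rm = _modrm(code[i + 1])
        return f"mov {regs[reg]}, {regs[rm]}", i + 2
    if op == 0x0F and code[i + 1] == 0xBA:            # 0F BA /r ib: bt/bts/btr/btc r, imm8
        reg, rm = _modrm(code[i + 2])
        return f"{BT_GROUP[reg]} {regs[rm]}, 0x{code[i + 3]:x}", i + 4
    raise ValueError(f"unhandled opcode {op:#x}")


def disassemble(code, mode):
    """Decode a whole byte string into a list of instruction texts."""
    out, i = [], 0
    while i < len(code):
        text, n = decode(code[i:], mode)
        out.append(text)
        i += n
    return out


def bts_to_btr(code):
    """Turn `[REX] 0F BA /5 ib` (bts) into `/6` (btr) by rewriting ModRM.reg only."""
    i = 1 if 0x40 <= code[0] <= 0x4F else 0
    if code[i:i + 2] != b"\x0f\xba" or (code[i + 2] >> 3) & 7 != 5:
        raise ValueError("not a bts reg, imm8 instruction")
    patched = bytearray(code)
    patched[i + 2] = (code[i + 2] & 0xC7) | (6 << 3)   # keep mod and rm, replace reg
    return bytes(patched)


def clear_imm32_bit(code, bit):
    """For `66 BB imm32` (mov ebx, imm32 in a 16-bit code segment) clear one immediate bit."""
    if code[:2] != b"\x66\xbb":
        raise ValueError("expected mov ebx, imm32 with operand-size prefix")
    imm = struct.unpack_from("<I", code, 2)[0] & ~(1 << bit)
    return code[:2] + struct.pack("<I", imm)


def nop_out(code, start, end):
    """Replace code[start:end] with NOPs; the length, and so the module size, is unchanged."""
    return code[:start] + b"\x90" * (end - start) + code[end:]


def changed_offsets(a, b):
    """Offsets where two same-length byte strings differ (the patch footprint)."""
    if len(a) != len(b):
        raise ValueError("a patch must keep the code length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def set_bits(value):
    """Bit positions set in an MSR value."""
    return [b for b in range(64) if value >> b & 1]


# Constructed from the listings: the 64-bit lock sequence with its call, and the ThinkPad mov.
LOCK_SEQ = bytes.fromhex("B9A0010000" "480FBAE814" "488BD0" "E8A76D0000")
MOV_EBX = bytes.fromhex("66BB00041000")   # mov ebx, 100400h

if __name__ == "__main__":
    print("32-bit view:", disassemble(LOCK_SEQ, 32))
    print("64-bit view:", disassemble(LOCK_SEQ, 64))
    one_byte = LOCK_SEQ[:5] + bts_to_btr(LOCK_SEQ[5:10]) + LOCK_SEQ[10:]
    print("bts->btr touches offsets", changed_offsets(LOCK_SEQ, one_byte), disassemble(one_byte, 64))
    print("call nopped (Y450 variant):", disassemble(nop_out(LOCK_SEQ, 13, 18), 64))
    fixed = clear_imm32_bit(MOV_EBX, EIST_LOCK_BIT)
    print("mov ebx bits before/after:", set_bits(0x100400), set_bits(struct.unpack_from("<I", fixed, 2)[0]))
```

    Running it prints the two views of the same bytes (five instructions in 32-bit mode versus three plus the call in 64-bit mode), confirms that the bts to btr rewrite differs from the original at exactly one offset, and shows that 100400h sets bits 10 and 20 while the corrected 400h keeps only bit 10. The decoder rejects memory-operand and other forms it does not know, so it is only meant for checking these patch sites, not as a general disassembler.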
     
  3. kizwan

    kizwan Lord Pringles

    First of all, I'm not an assembly language guru, & what I wrote in the guide is based on my testing & experiments on my own notebook, later expanded to other notebooks (nando4 volunteered to test it). Since I can recover my notebook, I can do countless tests on it. It's also based on the solution I found at that time.
    Based on the information I gathered at that time, I needed to find the ecx & eax registers. That's why I disassembled it in 32-bit mode. And I did test this myself, & it worked.
    My learning pace is a bit slow. The first method is based on the existing solution at that time, & I tested it myself to prove it does work. Later, I used the second method, which changes the "bts" instruction to "btr". Yeah, I forgot to update the document.
    I mostly mod Acer & Sony BIOSes. I have only modded one Toshiba BIOS (Qosmio X300). All of 'em work. I know different manufacturers use different methods to set the EIST Lock bit. So far Acer, Sony, Clevo, Packard Bell, HP, one Toshiba Qosmio X300 & some Chinese-brand notebooks use the standard method to set the EIST Lock bit. At least that's what I have found so far, & I say "standard" because all of 'em use the same "pattern" to set the EIST Lock bit. Usually I find the EIST lock bit in these modules:
    • MOD_5100.ROM (Phoenix)
    • F7731B4C-58A2-4DF4-8980-5645D39ECE58.ff (Phoenix)
    • F7731B4C-58A2-4DF4-8980-5645D39ECE58_X_XXX.ROM (Insyde)
    Except the Acer Aspire 5920G, which has the EIST Lock bit set in the BIOSCOD03.ROM module in addition to the MOD_5100.ROM module.

    The guide is based on the results I got during my experiments. It's not something I guessed & just wrote about. I know the methods I use are not a one-for-all solution. I always thought (hoped) it was common sense to everyone that anything related to the BIOS is dangerous (BIOS flashing & BIOS mods). That's why whenever a person asks me to mod their BIOS, I always remind them about the risk & only continue if they know how to recover from a bad BIOS. It has been a long time since somebody tried my modded BIOS & bricked their computer. The success is not based on luck, no sir, it is based on my effort to experiment on it myself first before making the solution available to the public. I bricked my notebook countless times in the process. I know many people can do this, but not many are willing to write one simple document (step-by-step guide) & share it.

    I do appreciate your comments & inputs, except the "lucky" part (I am a normal person who has feelings & I'm not afraid to say it out loud. ;)) Since you have a better grasp of assembly language, I welcome you to perfect/correct the guide.

    Thank you,
    kizwan
     
  4. middleton

    middleton Notebook Consultant

    kizwan, I didn't mean to offend you in any way. I wrote the previous post just to help you make the guide better.

    And what about the "Module is too big" error? I would recommend mentioning the following in the guide: if the "Module is too big" error message is displayed after changing bts to btr, then we can modify the code like so:

    Code:
    seg000:000000000000168F B9 A0 01 00 00                          mov     ecx, 1A0h
    seg000:0000000000001694 48 0F BA E8 14                          bts     rax, 14h
    seg000:0000000000001699 48 8B D0                                mov     rdx, rax
    seg000:000000000000169C 90                                      nop
    seg000:000000000000169D 90                                      nop
    seg000:000000000000169E 90                                      nop
    seg000:000000000000169F 90                                      nop
    seg000:00000000000016A0 90                                      nop
    
    seg000:0000000000002697 B9 A0 01 00 00                          mov     ecx, 1A0h
    seg000:000000000000269C 48 0F BA E8 14                          bts     rax, 14h
    seg000:00000000000026A1 48 8B D0                                mov     rdx, rax
    seg000:00000000000026A4 90                                      nop
    seg000:00000000000026A5 90                                      nop
    seg000:00000000000026A6 90                                      nop
    seg000:00000000000026A7 90                                      nop
    seg000:00000000000026A8 90                                      nop
    or even like this:

    Code:
    seg000:000000000000168F B9 A0 01 00 00                          mov     ecx, 1A0h
    seg000:0000000000001694 48 0F BA E8 14                          bts     rax, 14h
    seg000:0000000000001699 90                                      nop
    seg000:000000000000169A 90                                      nop
    seg000:000000000000169B 90                                      nop
    seg000:000000000000169C 90                                      nop
    seg000:000000000000169D 90                                      nop
    seg000:000000000000169E 90                                      nop
    seg000:000000000000169F 90                                      nop
    seg000:00000000000016A0 90                                      nop
    
    seg000:0000000000002697 B9 A0 01 00 00                          mov     ecx, 1A0h
    seg000:000000000000269C 48 0F BA E8 14                          bts     rax, 14h
    seg000:00000000000026A1 90                                      nop
    seg000:00000000000026A2 90                                      nop
    seg000:00000000000026A3 90                                      nop
    seg000:00000000000026A4 90                                      nop
    seg000:00000000000026A5 90                                      nop
    seg000:00000000000026A6 90                                      nop
    seg000:00000000000026A7 90                                      nop
    seg000:00000000000026A8 90                                      nop
    We can even change these instructions to nop:

    Code:
    seg000:000000000000168F B9 A0 01 00 00                          mov     ecx, 1A0h
    seg000:0000000000001694 48 0F BA E8 14                          bts     rax, 14h
    
    seg000:0000000000002697 B9 A0 01 00 00                          mov     ecx, 1A0h
    seg000:000000000000269C 48 0F BA E8 14                          bts     rax, 14h
    
    if the previous changes are not enough.
     
  5. kizwan

    kizwan Lord Pringles

    That is a good idea. (I didn't comment about it in my previous post, did I? :p ) We can just nop the "call near ptr 8448h" because it is no longer needed.
    I agree, we can just nop the "mov" & "bts" instructions too if the module is still too big to reintegrate.

    I'll update the guide as soon as possible. Thank you.
     
  6. kizwan

    kizwan Lord Pringles

    I have updated the "EIST Unlocked Example" guide per middleton's suggestion. The new revision can be found in the same place, which is post #256.

    :)
     
  7. Khenglish

    Khenglish Notebook Evangelist

    I'm having problems with the Cygwin side of this procedure. I got past the phantom carriage return (hidden '\r') issue I spent 2 hours on, but now my Cygwin won't recognize the ndisasm command. Is there some package that I need to install for Cygwin to know what this command is?

    Or someone could just mod my BIOS for me! :)
    http://ftp.compal.com/asp/driver_dnd/index.htm
    (mine is the JHL90)

    My laptop does have a BIOS recovery mode, btw, so bricking it should be impossible.
     
  8. Khenglish

    Khenglish Notebook Evangelist

    I found the package, btw. It's called NASM (network assembler).

    I also found the EIST disable code segments. The corresponding BIOS file is a .ff, not a .ROM. What program should I use to edit the file?

    EDIT2:
    Figured it all out, I think. Time to flash and hope I don't have to make a recovery flash drive on another PC.

    EDIT3:
    VICTORY! Finally I can do 3 GHz+ fully stable; RAM was holding me back before. You can now add the Sager NP2096 / Compal JHL90 to the list of moddable BIOSes. I did not have to use the crisis recovery, btw.

    I picked up this thing's top-end CPU off of eBay for under 150 including shipping (yay for having an outdated PC so I can get low prices!). Playing around with that should be interesting.

    Things to note:
    This system ended up using a WPH file, not a .bin or .ROM, for its BIOS image. Also, I had to modify a .ff file, not a .ROM. There were 2 EIST disable entries. The .ff file I changed actually followed your Compaq 2530P example completely (same exact DASM and offsets). I also didn't have to change anything to "nop". Final note: god, this was an involved process.
     
  9. klk999

    klk999 Newbie

    Thank you first for your excellent work. I'm an HP (Compaq) notebook user; the type is CQ45-203TX. The current BIOS I'm using came from ftp://ftp://ftp.hp.com/pub/softpaq/sp46501-47000/sp46656.exe; this BIOS is Insyde and already officially updated to SLIC 2.1. Could you help to remove the EIST lock in such a way that I could use dual-IDA overclocking with ThrottleStop? Thank you in advance.
     
  10. User Retired 2

    User Retired 2 Notebook Nobel Laureate NBR Reviewer

    Good work. Can you post the modded dual-IDA NP2096/JHL90 BIOS somewhere? Then I can add it to the dual-IDA C2D BIOS list.
     