| NEWS | HISTORY | DOWNLOAD | TIPS&TRICKS |
Publication 1.0 / March 14, 2016 Introduction The method we are going to describe is fully working for Intel 8, 9 and 100 Series Chipset Family PCH. For this technical article we used BIOS update v1.2 for MSI Z170A GAMING PRO motherboard with disabled SPD programming capability. Theory To access any device configuration registers flat memory-mapped address space is used by BIOS/UEFI. This mechanism lets to access both PCI configuration space (registers 0 to FFh) and Extended configuration space (registers 100h to FFFh) of PCI Express devices. PCIEXBAR is the base address for the configuration space associated with all devices and functions that are potentially a part of the PCI Express root complex hierarchy. Typically PCIEXBAR is set to E0000000h. Also it may be set to a different address, for example, F8000000h. To check the current setting of PCIEXBAR you have to examine register 60h of the Host Bridge / DRAM Controller which resides on PCI Bus 0 (Device 0, Function 0). To dump the first 255 registers of the device to a file select the Need assistance? command under the Help main menu of Thaiphoon Burner. North Bridge - B:00h D:00h F:00h As you can see, PCIEXBAR is set to E0000000h. Bit 0 is set to 1 what means PCIEXBAR is enabled. After releasing 8 Series Chipset Family PCH, Intel enabled previously reserved bit 4 (SPD Write Disable bit) of register 40h of the SMBus Controller for the purpose of not allowing users to reprogram SPD EEPROM. This bit is also enabled for Intel 100 Series Chipset Family PCH. To check whether this bit is set refer to the register dump file of Thaiphoon Burner again. SMBus Controller - B:00h D:1Fh F:04h Here we have the SPD Write Disable bit enabled, bit 4 of register 40h is set to 1. Everything we need to allow SPD programming on the motherboard is to set bit 4 to 0. But, unfortunately, this cannot be done under Windows environment due to access policy. So, how can we access register 40h of the SMBus Controller by using the flat memory-mapped mechanism? As we know, the SMBus controller resides on PCI Bus 0 (Device 1Fh, Function 4), lets encode its PCI location and pass it into the PCIEXBAR register in accordance with the following translation: E0000000h + (Bus0 shl 20 and FFh) + (Device1F shl 15 and 1Fh) + (Function4 shl 12 and 07h) + (Register40 and FFFh). The resulting memory-mapped address is E00FC040h. We should use this address to search for all the references to it within BIOS update file. The keyword for address E00FC040 is 40C00FE0. In fact we are looking for a code that on assembler language would look like below. mov ecx, E00FC040 ;putting memory-mapped address E00FC040h to EAX Practice Let's patch the initial BIOS update file v1.2 of the MSI Z170A GAMING PRO motherboard which comes with enabled SPD Write Disable bit. Our further investigations confirmed that the latest BIOS v1.8 Update does not set the bit, allowing the user to reprogram SPD EEPROM. So, if your motherboard has not yet been updated with the latest BIOS, it is recommended to do it right now. Open the BIOS update file v1.2 with UEFITool 0.20.4 software. Call the Search dialog box and type 40C00FE0 for keyword in the HEX pattern field. 
Click OK. The program will list all the references to register 40h of the SMBus Controller within the opened BIOS file. According to UEFITool, PE32 (and TE) images of PchSmbusDxe, PchSmbusSmm, MsiOcSmbus objects need to be disassembled. Keep in mind that BIOS update files for your motherboard may contain more specific objects with this keyword and you should examine them all. Extract PE32/TE images of these three objects. 
After disassembling each PE32/TE image with QView 2.90 utility we found out that the only MsiOcSmbus object must be patched. If your motherboard was not manufactured by MSI, it is highly recommended to examine SiInitPreMem object first. 
To disable setting bit 4 move to offset 18Ch and change 0C10 to 0C00. 
Also, if you don't like QView you can patch the byte on this offset with any HEX editor, e.g. HxD 1.7.7.9. Once the PE32/TE image has been patched, overwrite the original image within the BIOS file with the patched one by selecting Replace as is… from UEFITool. |
|
|||||||||||||||||
|
||||||||||||||||||
Project by Vitaliy Jungle |
Company Location |