Original code from 2007
1 Call trace for reading the Phoenix BIOS VMX configuration setting from CMOS NVRAM.
2
3 BIOSCOD6.rom
4
5 0000A855  0FA2              cpuid
6 0000A857  25FF0F            and ax,0xfff
7 0000A85A  3DE106            cmp ax,0x6e1
8 0000A85D  722E              jc 0xa88d
9 0000A85F  660FBAE105        bt ecx,0x5 ; CPUID.1:ECX bit 5 = VMX supported
10 0000A864  7327              jnc 0xa88d
11 0000A866  66B93A000000      mov ecx,0x3a ; IA32_FEATURE_CONTROL MSR (VMX enable + lock bits)
12 0000A86C  0F32              rdmsr
13 0000A86E  660FBAE000        bt eax,0x0
14 0000A873  7218              jc 0xa88d ; lock bit already set -> skip everything up to and including wrmsr (0xa88d is the byte after it)
15 0000A875  50                push ax
16 0000A876  B89501            mov ax,0x0195
17 0000A879  9A204100F0        call 0xf000:0x4120
18
19 ROMEXEC0.rom
20
21         00004120  E80100            call 0x4124     ; ROMEXEC0:00003D80
22         00004123  CB                retf
23
24         00004124  6653              push ebx
25         00004126  52                push dx
26         00004127  662E8B1EEF3F      mov ebx,[cs:0x3fef] ; 0x00000000
27
28                 ; 00003FEF  00 00 00 00
29
30         0000412D  6685DB            test ebx,ebx
31         00004130  750C              jnz 0x413e
32         00004132  8BD8              mov bx,ax               ; 0x0195
33         00004134  E88EFF            call 0x40c5
34
35                 000040C5  2E8B97C47D        mov dx,[cs:bx+0x7dc4]   ; [0x0195+0x7DC4] 0x7F59 = 0x008E
36
37                         ; 00007F58  50 8E 00
38
39                 000040CA  2E8A9FC37D        mov bl,[cs:bx+0x7dc3]   ; [0x0195+0x7DC3] 0x7F58 = 0x50
40                 000040CF  83E307            and bx,byte +0x7        ; (0x0150) & 0x0007 (sign-extended) = 0x0000
41                 000040D2  D1E3              shl bx,1                ; 0x0000 << 1 = 0x0000
42                 000040D4  C3                ret
43
44         00004137  2EFF972340        call near [cs:bx+0x4023]  ; [0x0000+0x4023] 0x4023 = 0x43E1
45
46                 ; 00004023  E1 43
47
48                 000043E1  6653              push ebx            ; 0x00000000
49                 000043E3  51                push cx                 ; 0x003A
50                 000043E4  6652              push edx
51                 000043E6  E8F0FC            call 0x40d9
52
53                         000040D9  8ACE              mov cl,dh                       ; 0x00
54                         000040DB  C0E904            shr cl,0x4                      ; 0x00 >> 0x04 = 0x00
55                         000040DE  80E60F            and dh,0xf                      ; 0x00
56                         000040E1  2E0397F33F        add dx,[cs:bx+0x3ff3]       ; 0x008E + [0x0000+0x3FF3] = 0x008E
57                                 ; 00003FF3  0000
58  
59                         000040E6  66BB02000000      mov ebx,0x2                 ; 0x00000002
60                         000040EC  66D3E3            shl ebx,cl                  ; 0x00000002 << 0x00 = 0x00000002
61                         000040EF  664B              dec ebx                         ; 0x00000001
62                         000040F1  8ACA              mov cl,dl                   ; 0x8E
63                         000040F3  80E107            and cl,0x7                  ; 0x06
64                         000040F6  66D3E3            shl ebx,cl                  ; 0x00000001 << 0x06 = 0x00000040
65                         000040F9  C1EA03            shr dx,0x3                  ; 0x008E >> 0x03 = 0x0011
66                         000040FC  C3                ret
67
68                 000043E9  8AE2              mov ah,dl           ; 0x11
69                 000043EB  6633D2            xor edx,edx         ; 0x00000000
70                 000043EE  8AE9              mov ch,cl           ; 0x06
71                 000043F0  32C9              xor cl,cl           ; 0x00
72
73                 000043F2  E83DFA            call 0x3e32
74
75                         00003E32  F9                stc
76                         00003E33  C3                ret
77
78                 000043F5  7303              jnc 0x43fa
79                 000043F7  E8FBEF            call 0x33f5
80
81                         000033F5  9C                pushf
82                         000033F6  FA                cli                 ; disable interrupts
83                         000033F7  E82F00            call 0x3429
84
85                                 00003429  50                push ax                 ; 0x1195
86                                 0000342A  51                push cx                 ; 0x0600
87                                 0000342B  80FC0A            cmp ah,0xa          ; 0x11-0x0A
88                                 0000342E  7313              jnc 0x3443
89
90                                 00003430  B9B80B            mov cx,0xbb8        ; 0x0BB8 (3000)
91
92                                 00003433  B00A              mov al,0xa          ; 0x0A
93                                 00003435  E670              out 0x70,al         ; select CMOS Status Register A (0x0A)
94                                 00003437  E6ED              out 0xed,al         ; Phoenix delay tactic
95                                 00003439  E6ED              out 0xed,al         ; waiting for value to 
96                                 0000343B  E6ED              out 0xed,al         ; appear on read port
97                                 0000343D  E471              in al,0x71          ; read value
98                                 0000343F  A880              test al,0x80        ; (bit-7) update in progress?
99                                 00003441  E0F0              loopne 0x3433       ; yes (ZF=0): retry while UIP is set, give up after CX (3000) tries
100
101                                 00003443  59                pop cx                  ; 0x0600
102                                 00003444  58                pop ax                  ; 0x1195
103                                 00003445  C3                ret
104
105                         000033FA  86C4              xchg al,ah            ; 0x9511
106                         000033FC  2E0A06D844        or al,[cs:0x44d8] ; 0x11 | 0x00 = 0x11
107                                 ; 000044D8  00
108                         00003401  E670              out 0x70,al         ; select CMOS register 0x11 (System Configuration Settings)
109                         00003403  E6ED              out 0xed,al         ; Phoenix delay tactic
110                         00003405  247F              and al,0x7f         ; 0x11 & 0x7F = 0x11
111                         00003407  86C4              xchg al,ah          ; 0x1195
112                         00003409  E471              in al,0x71          ; read byte = 0x87
113                         0000340B  E6ED              out 0xed,al         ; delay
114                         0000340D  9D                popf                    ; restore flags saved by pushf (re-enables interrupts if they were on)
115                         0000340E  C3                ret
116
117                 000043FA  22C3              and al,bl           ; 0x87 & 0x40 (Bit 6 = Memory test above 1MB disable/enable)
118                 000043FC  8AD0              mov dl,al           ; 0x00
119                 000043FE  FEC4              inc ah                  ; 0x12
120                 00004400  80C108            add cl,0x8          ; 0x00+0x08 = 0x08
121                 00004403  66C1CA08          ror edx,0x8         ; 0x00000000 >>> 0x08 = 0x00000000
122                 00004407  66C1EB08          shr ebx,0x8     ; 0x00000040 >> 0x08 = 0x00000000
123                 0000440B  75E5              jnz 0x43f2
124
125                 0000440D  66D3C2            rol edx,cl          ; 0x00000000 <<< 0x08 = 0x00000000
126                 00004410  8ACD              mov cl,ch           ; 0x06
127                 00004412  66D3EA            shr edx,cl          ; 0x00000000 >> 0x06 = 0x00000000
128                 00004415  8BC2              mov ax,dx           ; 0x0000
129                 00004417  85C0              test ax,ax          ; set flags (ZF == 1 is VMX-disabled)
130                 00004419  665A              pop edx
131                 0000441B  59                pop cx
132                 0000441C  665B              pop ebx
133                 0000441E  C3                ret
134
135         0000413C  EB0C              jmp short 0x414a
136
137         0000413E  56                push si
138         0000413F  1E                push ds
139         00004140  2EC536EF3F        lds si,[cs:0x3fef]
140         00004145  E80A00            call 0x4152
141         00004148  1F                pop ds
142         00004149  5E                pop si
143
144         0000414A  5A                pop dx
145         0000414B  665B              pop ebx
146         0000414D  C3                ret
147
148 0000A87E  58                pop ax
149 0000A87F  7405              jz 0xa886 ; taken: ZF set == VMX disabled, skip the enable bit and only lock
150 0000A881  660FBAE802        bts eax,0x2 ; Enable VMX
151 0000A886  660FBAE800        bts eax,0x0 ; Lock MSR until power cycle (reached on both paths, so later software cannot change the VMX enable bit)
152 0000A88B  0F30              wrmsr
153
154
155 ; alternative path when the VMX bit (bit 6 of CMOS register 0x11) is set in NVRAM
156
157                 000043FA  22C3              and al,bl           ; 0xC7 & 0x40 (Bit 6 = Memory test above 1MB disable/enable)
158                 000043FC  8AD0              mov dl,al           ; 0x40
159                 000043FE  FEC4              inc ah                  ; 0x12
160                 00004400  80C108            add cl,0x8          ; 0x00+0x08 = 0x08
161                 00004403  66C1CA08          ror edx,0x8         ; 0x00000040 >>> 0x08 = 0x40000000
162                 00004407  66C1EB08          shr ebx,0x8     ; 0x00000040 >> 0x08 = 0x00000000
163                 0000440B  75E5              jnz 0x43f2
164
165                 0000440D  66D3C2            rol edx,cl          ; 0x40000000 <<< 0x08 = 0x00000040
166                 00004410  8ACD              mov cl,ch           ; 0x06
167                 00004412  66D3EA            shr edx,cl          ; 0x00000040 >> 0x06 = 0x00000001
168                 00004415  8BC2              mov ax,dx           ; 0x0001
169                 00004417  85C0              test ax,ax          ; set flags (ZF == 0 is VMX-enabled)
170                 00004419  665A              pop edx
171                 0000441B  59                pop cx
172                 0000441C  665B              pop ebx
173                 0000441E  C3                ret
174
175         0000413C  EB0C              jmp short 0x414a
176
177         0000413E  56                push si
178         0000413F  1E                push ds
179         00004140  2EC536EF3F        lds si,[cs:0x3fef]
180         00004145  E80A00            call 0x4152
181         00004148  1F                pop ds
182         00004149  5E                pop si
183
184         0000414A  5A                pop dx
185         0000414B  665B              pop ebx
186         0000414D  C3                ret
187
188 0000A87E  58                pop ax
189 0000A87F  7405              jz 0xa886   ; not taken: ZF clear == VMX enabled, fall through and set the enable bit
190 0000A881  660FBAE802        bts eax,0x2 ; Enable VMX
191 0000A886  660FBAE800        bts eax,0x0 ; Lock MSR until power cycle (reached on both paths, so later software cannot change the VMX enable bit)
192 0000A88B  0F30              wrmsr
193