Call-trace for reading Phoenix VMX configuration from NVRAM.
;
; Listing format: ndisasm-style Intel syntax — address, opcode bytes, instruction,
; then the annotator's observed register/memory values after ';'.
;
; What the trace shows (every value below is taken from the annotations):
;   1. BIOSCOD6 @A855: CPUID signature and VMX feature checks, then rdmsr 0x3A
;      (IA32_FEATURE_CONTROL per the Intel SDM). If bit 0 (lock) is already set
;      the whole update is skipped, so the wrmsr @A88B never targets a locked MSR.
;   2. ROMEXEC0 @4120: setup token 0x0195 is resolved through the table at
;      cs:0x7DC3 into CMOS register 0x11, bit 6 (mask 0x40); that bit is read
;      through ports 0x70/0x71 with interrupts disabled.
;   3. Back in BIOSCOD6: bit 6 clear -> only the lock bit is set; bit 6 set ->
;      bit 2 (VMX enable) and the lock bit are set. wrmsr executes on both paths.
;
; Security notes for reviewers:
;   - The VMX policy comes from an NVRAM/CMOS byte. No CMOS checksum verification
;     appears anywhere on this path; whether one ran earlier in POST is not
;     visible here.
;   - The lock bit is written unconditionally, so the OS cannot change the
;     setting until the next power cycle. Rewriting the CMOS byte (writable from
;     ring 0 on PC-compatible hardware; not shown in this listing) only takes
;     effect at the next boot.
;   - Flags discipline: the ZF produced by `test ax,ax` @4417 survives the
;     pop/ret/retf/jmp chain back to `jz` @A87F — none of those touch EFLAGS.
;   - Register discipline: only AX is saved around the far call (@A875/@A87E).
;     EAX[31:16] and EDX (the rdmsr high dword) survive only because every write
;     on the callee path in this listing is 8/16-bit or bracketed by push/pop.
;     Nothing enforces that; a change in the callee could silently corrupt the
;     value written back by wrmsr.
;
BIOSCOD6.rom
0000A855 0FA2 cpuid ; leaf not visible in this excerpt; the ECX[5] / EAX[11:0] checks below match leaf 1
0000A857 25FF0F and ax,0xfff ; keep the low 12 signature bits (stepping/model/family)
0000A85A 3DE106 cmp ax,0x6e1
0000A85D 722E jc 0xa88d ; signature below 0x6E1 -> skip the whole MSR update
0000A85F 660FBAE105 bt ecx,0x5 ; CPUID.1:ECX[5] = VMX feature flag (Intel SDM)
0000A864 7327 jnc 0xa88d ; no VMX support -> skip
0000A866 66B93A000000 mov ecx,0x3a ; MSR 0x3A = IA32_FEATURE_CONTROL (annotated "MSR VMX control")
0000A86C 0F32 rdmsr ; edx:eax = current MSR value
0000A86E 660FBAE000 bt eax,0x0 ; bit 0 = lock
0000A873 7218 jc 0xa88d ; already locked -> skip (per Intel SDM a wrmsr to a locked IA32_FEATURE_CONTROL raises #GP)
0000A875 50 push ax ; saves only the low word of the MSR; see register note above
0000A876 B89501 mov ax,0x0195 ; setup token 0x0195 -> resolved to a CMOS bit field below
0000A879 9A204100F0 call 0xf000:0x4120 ; far call into ROMEXEC0
ROMEXEC0.rom
00004120 E80100 call 0x4124 ; near thunk so a far call can reach 4124 (original annotation: ROMEXEC0:00003D80)
00004123 CB retf ; returns to BIOSCOD6 @A87E
00004124 6653 push ebx
00004126 52 push dx ; 16-bit save only; EDX[31:16] is never written on this path
00004127 662E8B1EEF3F mov ebx,[cs:0x3fef] ; hook far pointer = 0x00000000 ; 00003FEF 00 00 00 00
0000412D 6685DB test ebx,ebx
00004130 750C jnz 0x413e ; non-zero hook -> alternate path @413E (not taken in this trace)
00004132 8BD8 mov bx,ax ; bx = token 0x0195
00004134 E88EFF call 0x40c5 ; token -> dx = field descriptor, bx = handler index
000040C5 2E8B97C47D mov dx,[cs:bx+0x7dc4] ; descriptor word: [0x0195+0x7DC4] 0x7F59 = 0x008E ; 00007F58 50 8E 00
000040CA 2E8A9FC37D mov bl,[cs:bx+0x7dc3] ; flags byte: [0x0195+0x7DC3] 0x7F58 = 0x50
000040CF 83E307 and bx,byte +0x7 ; (0x0150) & 0x0007 (sign-extended) = 0x0000 -> low 3 flag bits select the handler
000040D2 D1E3 shl bx,1 ; 0x0000 << 1 = 0x0000 -> word index into the table @4023
000040D4 C3 ret
00004137 2EFF972340 call near [cs:bx+0x4023] ; handler 0: [0x0000+0x4023] 0x4023 = 0x43E1 ; 00004023 E1 43
000043E1 6653 push ebx ; 0x00000000
000043E3 51 push cx ; 0x003A (low word of the MSR index; restored before return)
000043E4 6652 push edx ; full EDX saved — this is what keeps the rdmsr high dword intact
000043E6 E8F0FC call 0x40d9 ; decode descriptor 0x008E
000040D9 8ACE mov cl,dh ; 0x00 — high nibble of DH = field width (extra bits)
000040DB C0E904 shr cl,0x4 ; 0x00 >> 0x04 = 0x00
000040DE 80E60F and dh,0xf ; 0x00 — drop the width nibble from the descriptor
000040E1 2E0397F33F add dx,[cs:bx+0x3ff3] ; per-handler base, zero here: 0x008E + [0x0000+0x3FF3] = 0x008E ; 00003FF3 0000
000040E6 66BB02000000 mov ebx,0x2 ; 0x00000002
000040EC 66D3E3 shl ebx,cl ; 0x00000002 << 0x00 = 0x00000002
000040EF 664B dec ebx ; 0x00000001 — mask of (width+1) bits
000040F1 8ACA mov cl,dl ; 0x8E
000040F3 80E107 and cl,0x7 ; 0x06 — descriptor[2:0] = starting bit
000040F6 66D3E3 shl ebx,cl ; 0x00000001 << 0x06 = 0x00000040 — mask positioned at bit 6
000040F9 C1EA03 shr dx,0x3 ; 0x008E >> 0x03 = 0x0011 — descriptor[15:3] = CMOS register 0x11
000040FC C3 ret ; out: ebx = mask, dx = register, cl = bit offset
000043E9 8AE2 mov ah,dl ; 0x11 — AH = CMOS register to read
000043EB 6633D2 xor edx,edx ; 0x00000000 — accumulator for the bytes read
000043EE 8AE9 mov ch,cl ; 0x06 — final right shift (bit offset)
000043F0 32C9 xor cl,cl ; 0x00 — running shift count
000043F2 E83DFA call 0x3e32 ; loop head: one iteration per mask byte
00003E32 F9 stc ; stub: always returns CF=1 (looks like a hook point; only this implementation is visible)
00003E33 C3 ret
000043F5 7303 jnc 0x43fa ; CF clear would skip the read and mask AL as-is — never taken with the stub above
000043F7 E8FBEF call 0x33f5 ; read CMOS register AH -> AL
000033F5 9C pushf
000033F6 FA cli ; the 0x70 index / 0x71 data pair must not be interleaved by an ISR
000033F7 E82F00 call 0x3429 ; RTC update-in-progress wait (only for registers < 0x0A)
00003429 50 push ax ; 0x1195
0000342A 51 push cx ; 0x0600
0000342B 80FC0A cmp ah,0xa ; 0x11-0x0A
0000342E 7313 jnc 0x3443 ; index >= 0x0A is not an RTC register -> no wait needed
00003430 B9B80B mov cx,0xbb8 ; 0x0BB8 (3000) — bounded poll, not an infinite wait
00003433 B00A mov al,0xa ; 0x0A = RTC status register A
00003435 E670 out 0x70,al ; select status register A
00003437 E6ED out 0xed,al ; Phoenix delay tactic
00003439 E6ED out 0xed,al ; waiting for value to
0000343B E6ED out 0xed,al ; appear on read port
0000343D E471 in al,0x71 ; read value
0000343F A880 test al,0x80 ; bit 7 = update in progress (UIP)
00003441 E0F0 loopne 0x3433 ; repeat while UIP set and CX != 0 (gives up silently after 3000 polls)
00003443 59 pop cx ; 0x0600
00003444 58 pop ax ; 0x1195
00003445 C3 ret
000033FA 86C4 xchg al,ah ; 0x9511 — AL = register index
000033FC 2E0A06D844 or al,[cs:0x44d8] ; 0x11 | 0x00 = 0x11 ; 000044D8 00 — presumably the saved NMI-mask bit (port 0x70 bit 7); confirm
00003401 E670 out 0x70,al ; select CMOS register 0x11 (annotated "System Configuration Settings")
00003403 E6ED out 0xed,al ; Phoenix delay tactic
00003405 247F and al,0x7f ; 0x11 & 0x7F = 0x11 — strip bit 7 so AH gets the plain index back
00003407 86C4 xchg al,ah ; 0x1195
00003409 E471 in al,0x71 ; read byte = 0x87
0000340B E6ED out 0xed,al ; delay
0000340D 9D popf ; restore interrupts
0000340E C3 ret
000043FA 22C3 and al,bl ; 0x87 & 0x40 = 0x00 — isolate bit 6 (original annotation: "Memory test above 1MB disable/enable"; token 0x0195 consumes it as the VMX setting)
000043FC 8AD0 mov dl,al ; 0x00
000043FE FEC4 inc ah ; 0x12 — next register, in case the mask spans bytes
00004400 80C108 add cl,0x8 ; 0x00+0x08 = 0x08
00004403 66C1CA08 ror edx,0x8 ; 0x00000000 >>> 0x08 = 0x00000000 — make room for the next byte
00004407 66C1EB08 shr ebx,0x8 ; 0x00000040 >> 0x08 = 0x00000000 — consume one mask byte
0000440B 75E5 jnz 0x43f2 ; more mask bytes -> loop (single byte here, so falls through)
0000440D 66D3C2 rol edx,cl ; 0x00000000 <<< 0x08 = 0x00000000 — undo the rotates
00004410 8ACD mov cl,ch ; 0x06
00004412 66D3EA shr edx,cl ; 0x00000000 >> 0x06 = 0x00000000 — field value right-aligned
00004415 8BC2 mov ax,dx ; 0x00000000
00004417 85C0 test ax,ax ; ZF=1 here: VMX disabled in NVRAM
00004419 665A pop edx
0000441B 59 pop cx
0000441C 665B pop ebx
0000441E C3 ret ; EFLAGS untouched from here back to A87F
0000413C EB0C jmp short 0x414a
0000413E 56 push si ; --- 413E..4149: hook path, only when [cs:0x3fef] != 0; not executed in this trace
0000413F 1E push ds
00004140 2EC536EF3F lds si,[cs:0x3fef]
00004145 E80A00 call 0x4152
00004148 1F pop ds
00004149 5E pop si
0000414A 5A pop dx
0000414B 665B pop ebx
0000414D C3 ret ; -> 4123 retf
0000A87E 58 pop ax ; restore MSR low word (pop does not affect flags)
0000A87F 7405 jz 0xa886 ; ZF set == VMX disabled -> lock only
0000A881 660FBAE802 bts eax,0x2 ; bit 2: enable VMX outside SMX
0000A886 660FBAE800 bts eax,0x0 ; bit 0: lock IA32_FEATURE_CONTROL until power cycle
0000A88B 0F30 wrmsr ; edx:eax written back; locking is unconditional on both paths
;
; --- Alternative trace: same code path when CMOS 0x11 reads 0xC7 (bit 6 set) ---
000043FA 22C3 and al,bl ; 0xC7 & 0x40 = 0x40 — bit 6 set (original annotation: "Memory test above 1MB disable/enable")
000043FC 8AD0 mov dl,al ; 0x40
000043FE FEC4 inc ah ; 0x12
00004400 80C108 add cl,0x8 ; 0x00+0x08 = 0x08
00004403 66C1CA08 ror edx,0x8 ; 0x00000040 >>> 0x08 = 0x40000000
00004407 66C1EB08 shr ebx,0x8 ; 0x00000040 >> 0x08 = 0x00000000 — mask exhausted
0000440B 75E5 jnz 0x43f2 ; not taken
0000440D 66D3C2 rol edx,cl ; 0x40000000 <<< 0x08 = 0x00000040
00004410 8ACD mov cl,ch ; 0x06
00004412 66D3EA shr edx,cl ; 0x00000040 >> 0x06 = 0x00000001
00004415 8BC2 mov ax,dx ; 0x00000001
00004417 85C0 test ax,ax ; ZF=0 here: VMX enabled in NVRAM
00004419 665A pop edx
0000441B 59 pop cx
0000441C 665B pop ebx
0000441E C3 ret
0000413C EB0C jmp short 0x414a
0000413E 56 push si ; --- 413E..4149 again the untaken hook path
0000413F 1E push ds
00004140 2EC536EF3F lds si,[cs:0x3fef]
00004145 E80A00 call 0x4152
00004148 1F pop ds
00004149 5E pop si
0000414A 5A pop dx
0000414B 665B pop ebx
0000414D C3 ret
0000A87E 58 pop ax ; restore MSR low word
0000A87F 7405 jz 0xa886 ; ZF clear == VMX enabled -> fall through and set bit 2
0000A881 660FBAE802 bts eax,0x2 ; bit 2: enable VMX outside SMX
0000A886 660FBAE800 bts eax,0x0 ; bit 0: lock IA32_FEATURE_CONTROL until power cycle
0000A88B 0F30 wrmsr ; both enable and lock bits written together