i found a way to write to VMware's BiOS memory area 0xF000 ~ 0xFFFF (0xF0000xFFFFF)

ccya
Posts: 5
Joined: Sun Feb 12, 2023 3:56 pm
Libera.chat IRC: ssensei

i found a way to write to VMware's BiOS memory area 0xF000 ~ 0xFFFF (0xF0000xFFFFF)

Post by ccya »

Use the following code to operate the Programmable Attribute Map (PAM) register to unlock the memory in this area


EB3CB:
mov ch,30h        ; new attribute bits for the field (or 11h or 10h)
mov al,59h        ; this is the PAM register number (config-space offset)
call readpci      ; returns the current PAM byte in ah
mov cl,30h        ; mask of the field to replace (or 33h)
not cl
and ah,cl         ; clear the field
or ah,ch          ; set the new attribute
call writepci     ; write the modified byte back (label below is writepci)
mov bx,0f000h
mov es,bx
mov es:[0],bx     ; test write to F000:0000, which was read-only before
jmp $



readpci:                                 ; in: al = config offset (bus 0, device 0, function 0); out: ah = byte read
mov     edi, eax
movzx   eax, al
bts     eax, 1Fh
and     al, 0FCh
mov     dx, 0CF8h
out     dx, eax                          ; PCI Configuration Space Address Register
                                         ; bits   7..0: configuration space offset
                                         ; bits  10..8: function number
                                         ; bits 15..11: device number
                                         ; bits 23..16: bus number
mov     eax, edi
mov     dl, al
or      dl, 0FCh
xchg    al, ah
in      al, dx
xchg    al, ah
ret


writepci:                                ; in: al = config offset, ah = byte to write (bus 0, device 0, function 0)
mov     edi, eax
movzx   eax, al
bts     eax, 1Fh
and     al, 0FCh
mov     dx, 0CF8h
out     dx, eax                          ; PCI Configuration Space Address Register
                                         ; bits   7..0: configuration space offset
                                         ; bits  10..8: function number
                                         ; bits 15..11: device number
                                         ; bits 23..16: bus number
mov     eax, edi
mov     dl, al
or      dl, 0FCh
xchg    al, ah
out     dx, al
xchg    al, ah
ret
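The register arithmetic the post's routines perform, as an added C example (not the poster's code): it builds the 0xCF8 address dword and the 0xCFC byte-lane port the way readpci/writepci do, applies the same mask-and-set update to the PAM byte, and adds a check a defender would run to see whether the F0000-FFFFF shadow is write-enabled. The bit meaning in that check (bit 4 = read enable, bit 5 = write enable in the 5:4 field of PAM0 at offset 0x59, 440BX-style host bridge) is an assumption; the offset and the 0x30 mask come from the post.

```c
#include <stdint.h>
#include <stdbool.h>

#define PCI_CONFIG_ADDR 0x0CF8
#define PCI_CONFIG_DATA 0x0CFC
#define PAM0_OFFSET     0x59   /* PAM register number used in the post */
#define PAM0_F_MASK     0x30   /* field the post clears and sets (cl = ch = 30h) */

/* Address dword written to 0xCF8: enable bit, bus/device/function, dword-aligned
   offset. The post zero-extends al, so bus/dev/fn are all 0 (the host bridge). */
uint32_t pci_cf8_address(uint8_t bus, uint8_t dev, uint8_t fn, uint8_t offset)
{
    return 0x80000000u
         | ((uint32_t)bus << 16)
         | ((uint32_t)(dev & 0x1F) << 11)
         | ((uint32_t)(fn & 0x07) << 8)
         | (uint32_t)(offset & 0xFC);
}

/* Byte-wide data port: 0xCFC plus the byte lane, which is what `or dl, 0FCh`
   computes for an offset whose top bits are already 0xC. */
uint16_t pci_cfc_data_port(uint8_t offset)
{
    return (uint16_t)(PCI_CONFIG_DATA | (offset & 0x03));
}

/* The read-modify-write the post does on the PAM byte:
   `and ah, ~cl` clears the field, `or ah, ch` sets the new attribute. */
uint8_t pam_update(uint8_t old, uint8_t field_mask, uint8_t new_bits)
{
    return (uint8_t)((old & (uint8_t)~field_mask) | (new_bits & field_mask));
}

/* Defender-side check (assumed 440BX PAM0 layout: bit 5 = write enable for
   0F0000-0FFFFF). Firmware normally leaves this clear after shadowing itself;
   a set bit means the BIOS area is writable and its integrity cannot be trusted. */
bool f_segment_write_enabled(uint8_t pam0)
{
    return (pam0 & 0x20) != 0;
}
```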
Octocontrabass
Member
Posts: 5754
Joined: Mon Mar 25, 2013 7:01 pm

Re: i found a way to write to VMware's BiOS memory area 0xF000 ~ 0xFFFF (0xF0000xFFFFF)

Post by Octocontrabass »

There are ways to do this on many PCs, both real and virtual. However, it's chipset-specific, and the firmware doesn't expect you to remove its write-protection, so I don't think this will be very useful for most OS developers.
ccya
Posts: 5
Joined: Sun Feb 12, 2023 3:56 pm
Libera.chat IRC: ssensei

Re: i found a way to write to VMware's BiOS memory area 0xF000 ~ 0xFFFF (0xF0000xFFFFF)

Post by ccya »

Octocontrabass wrote: Mon Apr 07, 2025 9:55 pm
There are ways to do this on many PCs, both real and virtual. However, it's chipset-specific, and the firmware doesn't expect you to remove its write-protection, so I don't think this will be very useful for most OS developers.

Yes, all BIOSes will lock this area, but unlock code is not common, so I think it is still of reference value.