

DISCUSSION AT http://forum.notebookreview.com/showthread.php?t=460583. SEE THE THROTTLING PAGE ABOUT THROTTLING.


after running prime95 benchmarks with ACPI disabled, the throttling still occurs. 0x199 reports the requested is still 13, and clock modulation is disabled. this would rule out Intel's PowerManagement and ACPI as suspects. not sure where to go from here. ~thalanix 04:54, March 1, 2010 (UTC)


Bi-Directional PROCHOT can be used by the hardware to switch the CPU to the lowest multiplier. For instance, should the VRM or other connected hardware become too hot or under excessive load, it may be possible for it to pull the PROCHOT signal down and throttle the CPU to the lowest multiplier. To see if this is the case, it might be possible to run Prochot.exe during a time the CPU is being throttled and see if the multiplier returns to a higher state for the 5 seconds PROCHOT is disabled. Since PROCHOT control appears undocumented, this may or may not work with the CPU in the G51J or even cause the system to crash. Use at your own risk. Also be aware that if the system is indeed being throttled by PROCHOT, disabling it may result in hardware failure.

^you are our hero. <3 ~thalanix 17:57, March 1, 2010 (UTC).

Decompression

The BIOS is AMI Aptio UEFI and can be decompressed with the following technique.

1. Create a new folder. Put the BIOS .ROM image in it.

2. Download and put in the same new folder: fvdump.py, fsdump.py and UEFI_decompressor.exe (you will need to block your HTTP referrer with RefControl or similar to get the decompressor.)

3. Create a new batch file (decomp.bat) in the same folder:

ECHO ON
REM decompress every extracted *.compression section into <name>.unpacked
FOR %%i IN (*.compression) DO UEFI_decompressor %%i %%i.unpacked

4. Extract firmware volumes from .ROM:

fvdump.py BIOS.ROM

5. For each firmware volume:

fsdump.py firmware_volume_name

6. Decompress everything:

decomp.bat

decompressed BIOS: http://www.zshare.net/download/72844662c4392a02/, password is xa.

There is also a tool to show a tree layout of the ROM: http://bios.rom.by/ROMutils/ROMpatcher/ROMpatcher44.zip

Disassembly

most PE executables in there are x64. open them in IDA (64bit) as a generic binary and disassemble in 64bit mode. data blocks are mostly at the end, if there are any at all, so everything up to the EFI warnings or chunks that don't look like code can safely be force-converted to code (press c).
disassembled ACPI(P)/PM: http://forum.notebookreview.com/attachment.php?attachmentid=46071&d=1267390891
DSDT: http://forum.notebookreview.com/attachment.php?attachmentid=45686&d=1266953862

Notes

to-do list:

11d8ac35-fb8a-44d1-098d-0b5606d321b9.sec0.compression.unpacked -> DSDT (Not PE, not AML, not Tiano)
1314216c-cb8d-421c-54b8-06231386e642.sec1.compression.unpacked -> Platform Info DXE
161be597-e9c5-49db-50ae-c462ab54eeda.sec0.compression.unpacked -> SSDT (Not PE, not AML, not Tiano)
16d0a23e-c09c-407d-4aa1-ad058fdd0ca1.sec1.compression.unpacked -> ACPI
2374eddf-f203-4fc0-0ea2-61bad73089d6.sec1.compression.unpacked -> IOTrap
38871bf0-c64a-4896-e4b8-62d4850c7e68.sec1.compression.unpacked -> OEM SX SMM
441d8a48-a3e0-42af-bd89-842cf0487afa.sec1.compression.unpacked -> PPM Policy
899407d7-99fe-43d8-219a-79ec328cac21.sec1.compression.unpacked -> PEGA Setup
8b5fbabd-f51f-4942-16bf-16aaa38ae52b.sec1.compression.unpacked -> ACPI Platform
90cb75db-71fc-489d-cfaa-943477ec7212.sec1.compression.unpacked -> Smart Timer
a2de77bb-797d-4bb5-c480-19aeb8b5cd29.sec1.compression.unpacked -> PEGA SMI
a3eaab3c-ba3a-4524-c79d-7e339996f496.sec1.compression.unpacked -> PEGA RT
a7c619ff-9a64-4a89-7b94-e7953e2427cb.sec1.compression.unpacked -> PEGA BS
bfd59d42-fe0f-4251-72b7-4b098a1aec85.sec1.compression.unpacked -> ActiveBios
cbc59c4a-383a-41eb-eea8-4498aea567e4.sec1.compression.unpacked -> Runtime
d16fb508-be35-437f-ca9c-2ea65f13d08d.sec1.compression.unpacked -> Intelligent Power Sharing
e03abadf-e536-4e88-a0b3-b77f78eb34fe.sec1.compression.unpacked -> CPU DXE

VBIOS overclock mod

GTX260M VBIOS: 0x2849B to 0x357DF
GTX260M clock addresses (no nibitor support here): 0x34C1D (core), 0x34C1F (shaders), and 0x34C21 (mem)
GTX260M voltage table header: 4B 49 20 06 02 04 at 0x34D9D, only 2 entries of .95 and .90v
clock mod to 550/1375/950: http://forum.notebookreview.com/attachment.php?attachmentid=45896&d=1267227000

GTS360M VBIOS: 0x10686 to 0x25E8E
idk why the 360m VBIOS is in here...

PowerManagement Analysis (old)

here is the first form of throttling we can investigate: CPU register reads/writes. my hunch was wrong, the 0x199 and 0x19A MSRs don't change during throttling. ~thalanix 19:42, February 26, 2010 (UTC)

good call on the 64bit. it clears up the xrefs, but after some playing around with reading MSR's it's not what we're looking for. ~thalanix 21:25, February 28, 2010 (UTC)

3B2C: MSR read function

seg000:0000000000003B2C sub_3B2C        proc near               ; CODE XREF: sub_1488+E↑p
seg000:0000000000003B2C                                         ; sub_1918+9↑p ...
seg000:0000000000003B2C                 rdmsr
seg000:0000000000003B2E                 shl     rdx, 20h
seg000:0000000000003B32                 or      rax, rdx
seg000:0000000000003B35                 retn
seg000:0000000000003B35 sub_3B2C        endp

3B36: MSR write function

seg000:0000000000003B36 sub_3B36        proc near               ; CODE XREF: sub_1488+24↑p
seg000:0000000000003B36                                         ; sub_1918+26↑j ...
seg000:0000000000003B36                 mov     rax, rdx
seg000:0000000000003B39                 sar     rdx, 20h
seg000:0000000000003B3D                 wrmsr
seg000:0000000000003B3F                 retn
seg000:0000000000003B3F sub_3B36        endp

3B0C: CPU identification function

seg000:0000000000003B0C sub_3B0C        proc near               ; CODE XREF: sub_1574+40↑p
seg000:0000000000003B0C                                         ; sub_1F74+15↑p ...
seg000:0000000000003B0C                 push    rbx
seg000:0000000000003B0D                 mov     r8, rdx
seg000:0000000000003B10                 mov     rax, rcx
seg000:0000000000003B13                 cpuid
seg000:0000000000003B15                 cmp     r8, 0
seg000:0000000000003B19                 jz      short loc_3B2A
seg000:0000000000003B1B                 mov     [r8], eax
seg000:0000000000003B1E                 mov     [r8+4], ebx
seg000:0000000000003B22                 mov     [r8+8], ecx
seg000:0000000000003B26                 mov     [r8+0Ch], edx
seg000:0000000000003B2A
seg000:0000000000003B2A loc_3B2A:                               ; CODE XREF: sub_3B0C+D↑j
seg000:0000000000003B2A                 pop     rbx
seg000:0000000000003B2B                 retn
seg000:0000000000003B2B sub_3B0C        endp

193E: 0x19A

0x19A is the clock modulation register. it could be the next step of throttling. it's isolated from the 1AA/1A0/1FC writes, but close to the 0x199 write. logically, if the 199 write can be (or is) used for throttling, then so can this. that also means if the 199 is _not_ for throttling, then this isn't either. we would probably be disabling TurboBoost or SpeedStep, but iirc those have their own control registers, and are managed at a lower level.

note that the two routines below work on the fifth (enable) bit, mask 10h: sub_1918 sets it and sub_1944 clears it, which is why the register is written twice.

seg000:0000000000001918 sub_1918        proc near               ; CODE XREF: sub_19F8+81↓p
seg000:0000000000001918
seg000:0000000000001918 arg_0           = qword ptr  8
seg000:0000000000001918
seg000:0000000000001918                 sub     rsp, 28h
seg000:000000000000191C                 mov     ecx, 19Ah
seg000:0000000000001921                 call    sub_3B2C
seg000:0000000000001926                 mov     ecx, 19Ah
seg000:000000000000192B                 mov     [rsp+28h+arg_0], rax
seg000:0000000000001930                 or      dword ptr [rsp+28h+arg_0], 10h
seg000:0000000000001935                 mov     rdx, [rsp+28h+arg_0]
seg000:000000000000193A                 add     rsp, 28h
seg000:000000000000193E                 jmp     sub_3B36
seg000:000000000000193E sub_1918        endp


seg000:0000000000001944
seg000:0000000000001944 sub_1944        proc near               ; CODE XREF: sub_19F8:loc_1A1C↓p
seg000:0000000000001944
seg000:0000000000001944 arg_0           = qword ptr  8
seg000:0000000000001944
seg000:0000000000001944                 sub     rsp, 28h
seg000:0000000000001948                 mov     ecx, 19Ah
seg000:000000000000194D                 call    sub_3B2C
seg000:0000000000001952                 mov     ecx, 19Ah
seg000:0000000000001957                 mov     [rsp+28h+arg_0], rax
seg000:000000000000195C                 and     dword ptr [rsp+28h+arg_0], 0FFFFFFEFh
seg000:0000000000001961                 mov     rdx, [rsp+28h+arg_0]
seg000:0000000000001966                 add     rsp, 28h
seg000:000000000000196A                 jmp     sub_3B36
seg000:000000000000196A sub_1944        endp

14AC: 0x199

something to note about this: 0x199 is the multiplier register, and this is the only place in all the files (assuming they were disassembled correctly) where a write to this register occurs.

seg000:0000000000001488 sub_1488        proc near               ; CODE XREF: sub_14BC+39↓p
seg000:0000000000001488                                         ; DATA XREF: sub_14BC+4C↓o
seg000:0000000000001488                 push    rbx
seg000:000000000000148A                 sub     rsp, 20h
seg000:000000000000148E                 mov     rbx, rcx
seg000:0000000000001491                 mov     ecx, 199h
seg000:0000000000001496                 call    sub_3B2C
seg000:000000000000149B                 movzx   edx, word ptr [rbx]
seg000:000000000000149E                 mov     ecx, 199h
seg000:00000000000014A3                 and     rax, 0FFFFFFFFFFFF0000h
seg000:00000000000014A9                 or      rdx, rax
seg000:00000000000014AC                 call    sub_3B36
seg000:00000000000014B1                 xor     eax, eax
seg000:00000000000014B3                 add     rsp, 20h
seg000:00000000000014B7                 pop     rbx
seg000:00000000000014B8                 retn
seg000:00000000000014B8 sub_1488        endp
seg000:00000000000014B8
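
The bit operations in the 0x19A and 0x199 routines above, modelled as plain C so that values sampled from the two registers can be interpreted. This is an added example, not code from the BIOS or from the original page: the function names are hypothetical, the default inputs are constructed, and the duty-cycle decoding (bits 3:1, 12.5% steps) follows Intel's documented layout of the clock modulation register rather than anything in the listings.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define CLOCK_MOD_EN 0x10ull   /* bit 4: the 10h / 0FFFFFFEFh masks in the listings */

/* sub_3B2C: rdmsr returns EDX:EAX; the routine packs them into one 64-bit value. */
uint64_t msr_pack(uint32_t eax, uint32_t edx) { return ((uint64_t)edx << 32) | eax; }

/* sub_1488: keep bits 63:16 of 0x199, replace bits 15:0 with the caller's word. */
uint64_t perf_ctl_merge(uint64_t old, uint16_t req) {
    return (old & 0xFFFFFFFFFFFF0000ull) | req;
}

/* sub_1918 sets the enable bit of 0x19A, sub_1944 clears it; other bits are kept. */
uint64_t clock_mod_enable(uint64_t v)  { return v | CLOCK_MOD_EN; }
uint64_t clock_mod_disable(uint64_t v) { return v & ~CLOCK_MOD_EN; }

/* Effective duty cycle in tenths of a percent: 1000 when modulation is off,
 * field * 125 (12.5% steps, bits 3:1) when on, -1 for the reserved field 0. */
int clock_mod_duty_x10(uint64_t v) {
    unsigned field = (unsigned)(v >> 1) & 7u;
    if (!(v & CLOCK_MOD_EN)) return 1000;
    return field ? (int)field * 125 : -1;
}

int main(int argc, char **argv) {
    /* Constructed defaults; pass two hex values sampled from 0x199 and 0x19A. */
    uint64_t perf = argc > 1 ? strtoull(argv[1], NULL, 16) : 0x0Dull;
    uint64_t cmod = argc > 2 ? strtoull(argv[2], NULL, 16) : 0x00ull;
    printf("0x199 request field (bits 15:0): 0x%04X\n", (unsigned)(perf & 0xFFFF));
    int d = clock_mod_duty_x10(cmod);
    if (d < 0) puts("0x19A: enabled with reserved duty field");
    else printf("0x19A: modulation %s, duty %d.%d%%\n",
                (cmod & CLOCK_MOD_EN) ? "on" : "off", d / 10, d % 10);
    return 0;
}
```
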

2252: [unknown]

seg000:0000000000002238 sub_2238        proc near               ; DATA XREF: seg000:00000000000029A3↓o
seg000:0000000000002238                 push    rbx
seg000:000000000000223A                 push    rdi
seg000:000000000000223B                 sub     rsp, 28h
seg000:000000000000223F                 lea     rbx, off_3374
seg000:0000000000002246                 mov     edi, 7
seg000:000000000000224B
seg000:000000000000224B loc_224B:                               ; CODE XREF: sub_2238+26↓j
seg000:000000000000224B                 movzx   ecx, word ptr [rbx]
seg000:000000000000224E                 mov     rdx, [rbx+8]
seg000:0000000000002252                 call    sub_3B36
seg000:0000000000002257                 add     rbx, 10h
seg000:000000000000225B                 dec     rdi
seg000:000000000000225E                 jnz     short loc_224B
seg000:0000000000002260                 xor     eax, eax
seg000:0000000000002262                 add     rsp, 28h
seg000:0000000000002266                 pop     rdi
seg000:0000000000002267                 pop     rbx
seg000:0000000000002268                 retn
seg000:0000000000002268 sub_2238        endp
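
The loop in sub_2238 walks a table of 7 entries, 10h bytes apart, passing the word at +0 and the qword at +8 of each entry to the MSR write function. The sketch below dumps that table from the unpacked module so the registers it writes can be identified. It is an added example, not part of the original page: the names are hypothetical, and it assumes the listing addresses equal file offsets because the module was loaded as a generic binary at base 0.

```c
#include <stdint.h>
#include <stdio.h>

#define TABLE_OFF   0x3374u  /* off_3374 in the listing */
#define TABLE_COUNT 7        /* mov edi, 7 */
#define ENTRY_SIZE  0x10u    /* add rbx, 10h */

struct msr_init { uint16_t index; uint64_t value; };

/* Little-endian load of n bytes, independent of host byte order. */
static uint64_t load_le(const uint8_t *p, int n) {
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Decode `count` entries at `off`; returns count, or -1 if they do not fit. */
int walk_msr_table(const uint8_t *img, size_t len, size_t off,
                   int count, struct msr_init *out) {
    if (count < 0 || off > len || (len - off) / ENTRY_SIZE < (size_t)count)
        return -1;
    for (int i = 0; i < count; i++) {
        const uint8_t *e = img + off + (size_t)i * ENTRY_SIZE;
        out[i].index = (uint16_t)load_le(e, 2);  /* movzx ecx, word ptr [rbx] */
        out[i].value = load_le(e + 8, 8);        /* mov rdx, [rbx+8] */
    }
    return count;
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s module.unpacked\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    static uint8_t img[1 << 20];
    size_t len = fread(img, 1, sizeof img, f);
    fclose(f);
    struct msr_init t[TABLE_COUNT];
    if (walk_msr_table(img, len, TABLE_OFF, TABLE_COUNT, t) < 0) {
        fprintf(stderr, "table does not fit in file\n");
        return 1;
    }
    for (int i = 0; i < TABLE_COUNT; i++)
        printf("wrmsr 0x%X <- 0x%016llX\n",
               (unsigned)t[i].index, (unsigned long long)t[i].value);
    return 0;
}
```
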