Adding XTIDE Bios to Olivetti Echos 44 Laptop \ VOGONS

Adding XTIDE Bios to Olivetti Echos 44 Laptop

Topic actions

Post a reply

First post, by Ketturi

Posted on 2023-06-06, 22:31

Ketturi Offline

Rank Newbie

Rank: Newbie
Posts: 5
Joined: 2023-06-05, 06:32
Location: Finland

Lets plunge directly into the deep end with my first forum post here.
Recently, I managed to get my hands on the vintage Olivetti Echos 44 laptop from 1994. This little gem is equipped with a 486 CPU, 12MB of RAM, a 350MB hard drive, a floppy drive, and PCMCIA expansion slots. However, luck wasn't on my side as the hard drive had seen better days. It caused all sorts of issues - reporting itself as a 1TB drive meant for modern computers, constant lock-ups, and overall unhappiness.

The previous owner had installed Windows 95, but luckily, most of the old system files were intact and I was able to extract them, fortunately, because I couldn't find these files anywhere on the internet. So, I took the normal route and replaced the hard drive with a CF card IDE adapter. However, there were additional challenges. The BIOS had a 504MB hard limit, and Olivetti used the hard drive for a hidden recovery partition containing minimal DOS boot files and a file for hibernating the system when APM is enabled. This made it difficult to use OnTrack or Ez-Drive managers, as they interfered with the hidden partition and hibernation region.

That's when I had the idea to try XTIDE Universal BIOS, hoping it would provide support for larger drives and modern CF cards. So, I started researching how to add it to the system.

Echos 44 has 28F020 flash rom for the video bios, extended bios that contains PhoenixMISER, and system bios. Not all parts of the flash rom are used, as it starts from the C000h segment with video bios, and continues
to the end of the address space. Chipset on board handles the address decoding for the flash rom, and has registers to enable or disable parts of the flash rom decoding. It also handles shadow ram and caching functionality.

Chipset in question is OPTi 82C463 single chip notebook IC. Databook for this can be found from the internet, and I have copy of it here https://ketturi.kapsi.fi/Echos44/82C463.pdf
I unsoldered the SMD bios chip, and replaced it with socket on the CPU card, and dumped bios for disassembly. I attached the dump here, and it can also be found from the https://ketturi.kapsi.fi/Echos44/ folder.
Now with the bios dump, I could load it in the IDA Freeware, and start disassemble and explore the bios. Quite early I found part that loads the chipset registers from the table in the bios rom.

chipset%20register%20loading.PNG
https://ketturi.kapsi.fi/Echos44/config_chipset.asm
And it loads this table to the chipset registers:

1db 30h          ; DATA XREF: BOOT-D0↑o
2; Control Register 1
3db 00101010b    ; 0 Revision
4				; 0 Revision
5				; 1 RIing in enanbled
6				; 0 Turbo VGA disabled
7				; 1 Global Reloc/Trans enabled for SMI addresses
8				; 0 no extra AT wait state
9				; 1 Fast Reset control does not require Halt
10				; 0 Always write 0!
11db 31h                  
12; Control Register 2
13db 01101111b    ; 0 Master byte swap disable
14				; 1 Reserved
15				; 1 Parity check Disable
16				; 0 Dynamic SMI relocation disabled
17				; 1 EC000h Control ROMCS
18				; 1 E8000h Control ROMCS
19				; 1 E4000h Control ROMCS
20				; 1 E0000h Control ROMCS
21db 32h                  
22; Shadow RAM Control Register 1
23db 11100101b    ; 1 F0000h control, ROMCS
24				; 1 Reserved Awlays 1
25				; 1 Reserved Always 1
26				; 0 D0000h block shadow write, writable
27				; 0 E0000h block shadow write, writable
28				; 1 Reserved
29				; 0 Reserved (awlays write 0)
30				; 1 Single ALE druing bus conversion
31db 33h                  
32; Shadow RAM Control Register 2
33db 00000000b    ; Disable E0000 and D0000 shadow ram
34db 34h                  
35; DRAM Control Register 1
36db 10001101b    ; Bank 0 1M
37				; Bank 1 x
38				; Bank 2 x
39				; Bank 3 x
40db 35h                  
41; DRAM Control Register 2
42db 10010111b    ; 10 DRAM R wait states: 1, 3-2-2-2
43				; 01 DRAM W wait states: 1
44				; 0 MP2/STRAP2: 2x Clock (read only)
45				; 1 F0000h non-cacheable
46				; 1 All DRAM is not cacheable
47				; 1 C0000h non-cacheable
48db 36h                  
49; Shadow RAM Control Register 3
50db 10010000b    ; 1 F0000 block wrote to ROMCS#
51				; 0 C0000-EFFFF R/W From AT bus or ROMCS
52				; 0 C0000 block shadow writable
53				; 1 Reserved, Alaways write 1
54				; 0 Shadow CC000 disable
55				; 0 Shadow C8000 disable
56				; 0 Shadow C4000 disable
57				; 0 Shadow C0000 disable
58db 37h                  
59; E0000h Block Cache Enable Bits Register
60db 11111111b    ; DC000 ROMCS

…Show last 29 lines

61				; D8000 ROMCS
62				; D4000 ROMCS
63				; D0000 ROMCS
64				; EC000 non-cacheable
65				; E8000 non-cacheable
66				; E4000 non-cacheable
67				; E0000 non-cacheable
68db 38h                  
69; Non-cacheable Block 1 Register
70db 10000110b    ; 1 Size of non-cacbeable memory block:
71				; 0 100=Disabled
72				; 0
73				; 0 CC000-CFFFF AT-BUS
74				; 0 C8000-CBFFF AT-BUS (Change these to enable C800 romcs)
75				; 1 C4000-C7FFF ROMCS#
76				; 1 C0000-C3FFF ROMCS#
77				; 0 Address bit A24 of non-cacheable memory block1
78db 39h                  
79; Non-Cacheable Block 1 Register 2
80db 00000000b    ; Default
81db 3Ah                  
82; Non-Cacheable Block 2 Register 1
83db 00000000b    ; Default
84db 84h                  
85; What is this!!!
86db 00000000b    ; Default
87db 3Bh                  
88; Non-Cacheable Block 2 Register 2
89db 00000000b    ; Default

At first glance, this seemed too easy to be true, and as expected, it wasn't that simple. This is not the only part where the registers handling the ROM decoding are modified. Due to the shadow RAM and caching, there is another function that sets the register values and copies the content of the ROM to the shadow RAM. Otherwise, I could have simply flashed the XTIDE to either the C800h or D000h region, changed those segments from AT-BUS to ROMCS# decoding, and been done with it.

Here is the tricky part I have been struggling with, and I would appreciate some help. I identified the subfunction that handles the shadow RAM operations for the option ROMs:
https://ketturi.kapsi.fi/Echos44/shadowram.asm
In the beginning of the function, the chipset registers are set for copying the option ROM data to the DRAM:

Then the sub function does some moving data around in a convoluted loops, that I have not bother to decipher further:

After that is complete, we get back to setting some registers:

This time, it seems to be for the E000h segment, which contains the power management BIOS and possibly the BIOS setup (which, by the way, can be accessed anytime with the FN+F4 key, even on DOS).

Next, the function performs copying and checksumming:

Finally, we reach the end of the function:

At the end, the shadow RAM segments are either enabled or disabled depending on whether they are used for ROM data, and they are also set to write-protected.

I have looked over the shadow ram function over and over, and with datasheet for the 82C463, deduced what register values possibly need to be changed to enable either the C800h or D000h segment decoding and shadowing.
C800h segment would be problematic for the XTIDE Universal BIOS, because the C800h-CFFFh area is used also for the PCMCIA, and I do want to use ATA card, that at least by default maps to C800h and C900h. Maybe that can be changed
just by giving the PCMCIA card services software different addresses in the config.sys and also excluding that from emm386, but D000h would be better for the XTIDE bios.

I have ended up testing couple different configurations:
For D000h: XTIDE Bios to 10000h in the dump file
38717: B7 0F -> 0E Set "32h Shadow D0000-D3FFF" Disabled (at the beginning of the shadowram.asm)
38754: C3 00 -> 10 Set "37h D0000 ROMCS#"
38972: B3 F0 -> F1 Set "32h Shadow D0000-D3FFF" Enabled(at the end of the shadowram.asm)

For C800: Place XTIDE Bios to 8000h in the dump file
3EBB0: 86 -> 9E Enable C800,CC00 ROMCS# (In the initial chipset register table)
3873A : B7 4C -> B7 40 C800,CC00 Shadow disable (at the beginning of the shadowram.asm)
3875A : B3 E7 -> B3 FF C800,CC00 to ROMCS#
38981: B3 B3 -> B3 BF Shadow C800,CC00 Enable (at the end of the shadowram.asm)

I have configured the XTIDE ide_386l.bin with the XTIDECFG.COM run on the Echos 44, and it correctly found 1 16-bit ata controller. I assume, Olivetti used the standard I/O ports for the controller, at least that is what the config utility set those.
Then I inserted the XTIDE bios to the dump, either in the C800h segment or in the D000h segment,
and patched the system bios to use above register values to (maybe) enable the rom decoding and shadow ram.
Then I just flashed the eeprom back to the chip, and tested it on the Echos 44.

So far, the results have been mixed. In both configurations, I need to press Ctrl+Alt+Del after the Fixed Disk and Floppy Drives post-test, or else the system hangs at that point.
After the soft reboot, I get message: "Option ROM at C800:000 Pass" or "Option ROM at D000:000 Pass" depending which patch I flashed to the bios.

But, but...
If the CF card is in the system, it just hangs after the Option ROM message. But if I remove the CF card, then start system, soft reboot it,
XTIDE bios starts and shows the menu screen. I then can boot from the floppy drive in the XTIDE menu, and OS loads just fine.
Also, I can't enter into the system bios setup menu, when the option rom is enabled.

It seems that there might still be something wrong with the chipset register configuration and possibly with the XTIDE configuration as well. At this point, I'm a bit stuck and have decided to make this post public, in the hopes that someone else may have some insight or experience in enabling Option ROM regions in an embedded BIOS ROM.

Attachments

Filename

shadow hex.PNG

File size

20.34 KiB

Views

366 views

File license

CC-BY-4.0
Filename

chipset register loading.PNG

File size

33.58 KiB

Views

366 views

File license

CC-BY-4.0
Filename

Chipset register load hex.PNG

File size

14.25 KiB

Views

366 views

File license

CC-BY-4.0
Filename

bios.zip

File size

214.47 KiB

Downloads

22 downloads

File license

Fair use/fair dealing exception

Reply 1 of 4, by jakethompson1

Posted on 2023-06-07, 03:04

jakethompson1 Offline

Rank Oldbie

Rank: Oldbie
Posts: 1331
Joined: 2015-11-17, 04:16

Dump the XT-IDE ROM from D000: after you've booted into DOS, and make sure it's an exact match with your ide_386l.bin?
also: there's a utility out there, I can't remember its name, to make a boot disk that loads an option ROM like XT-IDE into RAM and boots it, so that you can test and make sure it isn't an XT-IDE problem.

Reply 2 of 4, by Ketturi

Posted on 2023-06-07, 07:21

Ketturi Offline

Rank Newbie

Rank: Newbie
Posts: 5
Joined: 2023-06-05, 06:32
Location: Finland

I managed to get the XTIDE bios to boot and find the hard drive. It seems like problem is in the chipset registers and shadow ram configuration. Possibly because at that point system bios is trying to call the setup menu from the E800:0 and if that fails system just hangs.

Reply 3 of 4, by Ketturi

Posted on 2023-06-12, 06:21

Ketturi Offline

Rank Newbie

Rank: Newbie
Posts: 5
Joined: 2023-06-05, 06:32
Location: Finland

After looking deeper into the disassembled bios, it seems that the subfunction on the first post does not do general shadow copy. It is just for the setup menu, that resides in the "hidden" memory, and is probably executed through a protected mode paging. I found parts that do the actual shadow copy and register settings for the video bios, extended bios and system bios.

This is function for the video bios:

1vbiosshadow     proc near               ; CODE XREF: runvbiosshadow+D↑p
2                pushf                   ; Push Flags Register onto the Stack
3                cli                     ; Clear Interrupt Flag
4                mov     bl, 11111001b
5                mov     ah, i38h_NCB1
6                call    read_chipset_register ; 38h Non-Cacheable Block 1 Register
7
8                and     al, bl          ; C4000h R/W from AT-Bus
9                                        ; C0000h R/W from AT-Bus
10                or      al, 00000000b   ; Logical Inclusive OR
11                mov     ah, i38h_NCB1
12                call    write_chipset_register ; 38h Non-Cacheable Block 1 Register
13
14                mov     bl, 11011111b
15                mov     ah, i36h_ShadowRAM_3
16                call    read_chipset_register ; 36h Shadow RAM Control Register III
17
18                and     al, bl          ; C0000h-EFFFFh R/W from AT-Bus or ROMCS#
19                or      al, 00000000b   ; Logical Inclusive OR
20                mov     ah, i36h_ShadowRAM_3
21                call    write_chipset_register ; 36h Shadow RAM Control Register III
22
23                mov     bl, 00000011b
24                mov     ah, i36h_ShadowRAM_3
25                call    read_chipset_register ; 36h Shadow RAM Control Register III
26
27                and     al, 11111111b   ; Logical AND
28                or      al, bl          ; Shadow C0000-C3FFFh enable
29                                        ; Shadow C4000-C7FFFh enable
30                mov     ah, i36h_ShadowRAM_3
31                call    write_chipset_register ; 36h Shadow RAM Control Register III
32
33                mov     cx, 4000h
34                mov     ax, 0C000h
35                mov     es, ax
36                assume es:nothing
37                call    fill_AA55       ; Fills segment starting from ES, CX bytes long, with AA55 id
38
39                mov     cx, 4000h
40                call    test_AA55       ; Checks area starting from ES, CX long, if it is full of AA55 id
41
42                jnb     short doshadowC ; Jump if Not Below (CF=0)
43
44                mov     bl, 00000110b
45                mov     ah, i38h_NCB1
46                call    read_chipset_register ; 38h Non-Cacheable Block 1 Register
47
48                and     al, 11111111b   ; Logical AND
49                or      al, bl          ; C4000h-C7FFFh R/W from ROMCS#
50                                        ; C0000h-C3FFFh R/W from ROMCS#
51                mov     ah, i38h_NCB1
52                call    write_chipset_register ; 38h Non-Cacheable Block 1 Register
53
54                mov     bl, 10111111b
55                mov     ah, i36h_ShadowRAM_3
56                call    read_chipset_register ; 36h Shadow RAM Control Register III
57
58                and     al, bl          ; C0000h-EFFFFh R/W from AT-Bus/ROMCS#
59                or      al, 00000000b   ; Logical Inclusive OR
60                mov     ah, i36h_ShadowRAM_3

…Show last 118 lines

61                call    write_chipset_register ; 36h Shadow RAM Control Register III
62
63                mov     bl, 11111100b
64                mov     ah, i36h_ShadowRAM_3
65                call    read_chipset_register ; 36h Shadow RAM Control Register III
66
67                and     al, bl          ; Shadow C4000h-C7FFFh disable
68                                        ; Shadow C0000h-C3FFFh disable
69                or      al, 00000000b   ; Logical Inclusive OR
70                mov     ah, i36h_ShadowRAM_3
71                call    write_chipset_register ; 36h Shadow RAM Control Register III
72
73                jmp     shadowcopyfailed ; Jump
74
75; ---------------------------------------------------------------------------
76
77doshadowC:                              ; CODE XREF: vbiosshadow+43↑j
78                mov     bl, 11111100b
79                mov     ah, i36h_ShadowRAM_3
80                call    read_chipset_register ; 36h Shadow RAM Control Register III
81
82                and     al, bl          ; Shadow C4000h-C7FFFh disable
83                                        ; Shadow C0000h-C3FFFh disable
84                or      al, 00000000b   ; Logical Inclusive OR
85                mov     ah, i36h_ShadowRAM_3
86                call    write_chipset_register ; 36h Shadow RAM Control Register III
87
88                mov     bl, 00000110b
89                mov     ah, i38h_NCB1
90                call    read_chipset_register ; 38h Non-Cacheable Block 1 Register
91
92                and     al, 11111111b   ; Logical AND
93                or      al, bl          ; C4000h-C7FFFh R/W from ROMCS#
94                                        ; C0000h-C3FFFh R/W from ROMCS#
95                mov     ah, i38h_NCB1
96                call    write_chipset_register ; 38h Non-Cacheable Block 1 Register
97
98                mov     bl, 01000000b
99                mov     ah, i36h_ShadowRAM_3
100                call    read_chipset_register ; 36h Shadow RAM Control Register III
101
102                and     al, 11111111b   ; Logical AND
103                or      al, bl          ; C0000h-EFFFFh Read from AT/ROMCS, write to DRAM
104                mov     ah, i36h_ShadowRAM_3
105                call    write_chipset_register ; 36h Shadow RAM Control Register III
106
107                mov     ax, 0C000h      ; Start from C000
108                mov     ds, ax
109                assume ds:nothing
110                mov     es, ax
111                xor     si, si          ; Logical Exclusive OR
112                xor     di, di          ; Logical Exclusive OR
113                mov     cx, 4000h       ; Copy 16k
114                cld                     ; Clear Direction Flag
115                rep movsw               ; Move Byte(s) from String to String
116                mov     bl, 00100000b
117                mov     ah, i36h_ShadowRAM_3
118                call    read_chipset_register ; 36h Shadow RAM Control Register III
119
120                and     al, 11111111b   ; Logical AND
121                or      al, bl          ; C0000h block write protect
122                mov     ah, i36h_ShadowRAM_3
123                call    write_chipset_register ; 36h Shadow RAM Control Register III
124
125                mov     bl, 00000011b
126                mov     ah, i36h_ShadowRAM_3
127                call    read_chipset_register ; 36h Shadow RAM Control Register III
128
129                and     al, 11111111b   ; Logical AND
130                or      al, bl          ; Shadow C4000h-C7FFFh enable
131                                        ; Shadow C0000h-C3FFFh enable
132                mov     ah, i36h_ShadowRAM_3
133                call    write_chipset_register ; 36h Shadow RAM Control Register III
134
135                mov     bl, 11111001b
136                mov     ah, i38h_NCB1
137                call    read_chipset_register ; 38h Non-Cacheable Block 1 Register
138
139                and     al, bl          ; C4000h-C7FFFh R/W from AT-Bus
140                                        ; C0000h-C3FFFh R/W from AT-Bus
141                or      al, 00000000b   ; Logical Inclusive OR
142                mov     ah, i38h_NCB1
143                call    write_chipset_register ; 38h Non-Cacheable Block 1 Register
144
145                mov     bl, 00011000b
146                mov     ah, i38h_NCB1
147                call    read_chipset_register ; 38h Non-Cacheable Block 1 Register
148
149                and     al, 11111111b   ; Logical AND
150                or      al, bl          ; CC000h-CFFFFh R/W from ROMCS#
151                                        ; C8000h-CBFFFh R/W from ROMCS#
152                mov     ah, i38h_NCB1
153                call    write_chipset_register ; 38h Non-Cacheable Block 1 Register
154
155                mov     al, 0E4h
156                call    readcmosreg     ; AL: Index of CMOS Register
157                                        ; Returns data from CMOS in AH
158
159                or      ah, 2           ; Logical Inclusive OR
160                dec     al              ; Decrement by 1
161                call    writecmosreg    ; AL: Index of CMOS
162                                        ; AH: Data to be writen into CMOS register
163
164                popf                    ; Pop Stack into Flags Register
165                clc                     ; Clear Carry Flag
166                jmp     short return    ; Jump
167
168; ---------------------------------------------------------------------------
169
170shadowcopyfailed:                       ; CODE XREF: vbiosshadow+75↑j
171                popf                    ; Pop Stack into Flags Register
172                stc                     ; Set Carry Flag
173
174
175return:                                 ; CODE XREF: vbiosshadow+108↑j
176                retn                    ; Return Near from Procedure
177
178vbiosshadow     endp

And this is function for the system bios:

1f000shadow      proc near               ; DATA XREF: copyf000shadow+D↑o
2                mov     bl, 10000000b
3                mov     ah, i32h_ShadowRAM_1
4                call    read_chipset_register ; Call Procedure
5
6                and     al, 11111111b   ; Logical AND
7                or      al, bl          ; F000-FFFF Read from ROMCS#
8                mov     ah, i32h_ShadowRAM_1
9                call    write_chipset_register ; Call Procedure
10
11                mov     bl, 01111111b
12                mov     ah, i36h_ShadowRAM_3
13                call    read_chipset_register ; Call Procedure
14
15                and     al, bl          ; F000 block write to DRAM
16                or      al, 00000000b   ; Logical Inclusive OR
17                mov     ah, i36h_ShadowRAM_3
18                call    write_chipset_register ; Call Procedure
19
20                mov     cx, 8000h       ; Fill 32k
21                mov     ax, 0F000h      ; Start from F000
22                mov     es, ax
23                assume es:seg005
24                call    fill_AA55       ; Fills segment starting from ES, CX bytes long, with AA55 id
25
26                mov     bl, 01111111b
27                mov     ah, i32h_ShadowRAM_1
28                call    read_chipset_register ; Call Procedure
29
30                and     al, bl          ; F000-FFFF Read rom DRAM
31                or      al, 0           ; Logical Inclusive OR
32                mov     ah, i32h_ShadowRAM_1
33                call    write_chipset_register ; Call Procedure
34
35                mov     cx, 8000h
36                call    test_AA55       ; Checks area starting from ES, CX long, if it is full of AA55 id
37
38                jnb     short doshadowF ; Jump if Not Below (CF=0)
39
40                mov     bl, 10000000b
41                mov     ah, i32h_ShadowRAM_1
42                call    read_chipset_register ; Call Procedure
43
44                and     al, 11111111b   ; Logical AND
45                or      al, bl          ; F000-FFFF Read from ROMCS#
46                mov     ah, i32h_ShadowRAM_1
47                call    write_chipset_register ; Call Procedure
48
49                mov     bl, 10000000b
50                mov     ah, i36h_ShadowRAM_3
51                call    read_chipset_register ; Call Procedure
52
53                and     al, 11111111b   ; Logical AND
54                or      al, bl          ; F000-FFFF write to ROMCS#
55                mov     ah, i36h_ShadowRAM_3
56                call    write_chipset_register ; Call Procedure
57
58                jmp     shadowcopyfailed ; Jump
59
60; ---------------------------------------------------------------------------

…Show last 263 lines

61
62doshadowF:                              ; CODE XREF: f000shadow+41↑j
63                mov     bl, 10000000b
64                mov     ah, i32h_ShadowRAM_1
65                call    read_chipset_register ; Call Procedure
66
67                and     al, 11111111b   ; Logical AND
68                or      al, bl          ; F000-FFFF Read from ROMCS#
69                mov     ah, i32h_ShadowRAM_1
70                call    write_chipset_register ; Call Procedure
71
72                mov     ax, 0F000h      ; Start copy from F000
73                mov     ds, ax
74                mov     es, ax
75                xor     si, si          ; Logical Exclusive OR
76                xor     di, di          ; Logical Exclusive OR
77                mov     cx, 8000h       ; Copy 32k
78                cld                     ; Clear Direction Flag
79                rep movsw               ; Move Byte(s) from String to String
80                mov     bl, 01111111b
81                mov     ah, i32h_ShadowRAM_1
82                call    read_chipset_register ; Call Procedure
83
84                and     al, bl          ; F000-FFFF Read from DRAM
85                or      al, 00000000b   ; Logical Inclusive OR
86                mov     ah, i32h_ShadowRAM_1
87                call    write_chipset_register ; Call Procedure
88
89                jmp     short testE000  ; Jump
90
91; ---------------------------------------------------------------------------
92
93testentry:
94                test    bh, 2           ; Logical Compare
95                jnz     short testE000  ; Jump if Not Zero (ZF=0)
96
97                mov     bl, 00001111b
98                mov     ah, i31h_Control_2
99                call    read_chipset_register ; Call Procedure
100
101                and     al, 11111111b   ; Logical AND
102                or      al, bl          ; E000-EFFF R/W from ROMCS#
103                mov     ah, i31h_Control_2
104                call    write_chipset_register ; Call Procedure
105
106                mov     bl, 10111111b
107                mov     ah, i36h_ShadowRAM_3
108                call    read_chipset_register ; Call Procedure
109
110                and     al, bl          ; C000-EFFF R/W from AT-Bus/ROMCS#
111                or      al, 00000000b   ; Logical Inclusive OR
112                mov     ah, i36h_ShadowRAM_3
113                call    write_chipset_register ; Call Procedure
114
115                mov     bl, 00001111b
116                mov     ah, i33h_ShadowRAM_2
117                call    read_chipset_register ; Call Procedure
118
119                and     al, bl          ; Logical AND
120                or      al, 00000000b   ; Logical Inclusive OR
121                mov     ah, i33h_ShadowRAM_2
122                call    write_chipset_register ; Call Procedure
123
124                jmp     shadowok        ; Jump
125
126; ---------------------------------------------------------------------------
127
128testE000:                               ; CODE XREF: f000shadow+97↑j
129                                        ; f000shadow+9C↑j
130                mov     bl, 11110000b
131                mov     ah, i31h_Control_2
132                call    read_chipset_register ; Call Procedure
133
134                and     al, bl          ; E000-EFFF R/W from AT-Bus
135                or      al, 00000000b   ; Logical Inclusive OR
136                mov     ah, i31h_Control_2
137                call    write_chipset_register ; Call Procedure
138
139                mov     bl, 11110000b
140                mov     ah, i33h_ShadowRAM_2
141                call    read_chipset_register ; Call Procedure
142
143                and     al, 11111111b   ; Logical AND
144                or      al, bl          ; Shadow E000-EFFF enable
145                mov     ah, i33h_ShadowRAM_2
146                call    write_chipset_register ; Call Procedure
147
148                mov     bl, 00000010b
149                mov     ah, i35h_DRAM_2
150                call    read_chipset_register ; Call Procedure
151
152                and     al, 11111111b   ; Logical AND
153                or      al, bl          ; Set all DRAM not cacheable
154                mov     ah, i35h_DRAM_2
155                call    write_chipset_register ; Call Procedure
156
157                mov     bl, 00001111b
158                mov     ah, i37h_E000h_cache
159                call    read_chipset_register ; Call Procedure
160
161                and     al, 11111111b   ; Logical AND
162                or      al, bl          ; Set E000-EFFF cacheable
163                mov     ah, i37h_E000h_cache
164                call    write_chipset_register ; Call Procedure
165
166                mov     bl, 11110111b
167                mov     ah, i32h_ShadowRAM_1
168                call    read_chipset_register ; Call Procedure
169
170                and     al, bl          ; Set E000 block shadow writeable
171                or      al, 00000000b   ; Logical Inclusive OR
172                mov     ah, i32h_ShadowRAM_1
173                call    write_chipset_register ; Call Procedure
174
175                mov     cx, 8000h       ; Fill 32k
176                mov     ax, 0E000h      ; Start from E000h
177                mov     es, ax
178                assume es:nothing
179                call    fill_AA55       ; Fills segment starting from ES, CX bytes long, with AA55 id
180
181                mov     cx, 8000h
182                call    test_AA55       ; Checks area starting from ES, CX long, if it is full of AA55 id
183
184                jnb     short doshadowE ; Jump if Not Below (CF=0)
185
186                mov     bl, 00001111b
187                mov     ah, i31h_Control_2
188                call    read_chipset_register ; Call Procedure
189
190                and     al, 11111111b   ; Logical AND
191                or      al, bl          ; E000-EFFF R/W from ROMCS#
192                mov     ah, i31h_Control_2
193                call    write_chipset_register ; Call Procedure
194
195                mov     bl, 10111111b
196                mov     ah, i36h_ShadowRAM_3
197                call    read_chipset_register ; Call Procedure
198
199                and     al, bl          ; C000-EFFFh R/W from AT-Bus/ROMCS#
200                or      al, 00000000b   ; Logical Inclusive OR
201                mov     ah, i36h_ShadowRAM_3
202                call    write_chipset_register ; Call Procedure
203
204                mov     bl, 00001111b
205                mov     ah, i33h_ShadowRAM_2
206                call    read_chipset_register ; Call Procedure
207
208                and     al, bl          ; Shadow E000-EFFF disable
209                or      al, 00000000b   ; Logical Inclusive OR
210                mov     ah, i33h_ShadowRAM_2
211                call    write_chipset_register ; Call Procedure
212
213                jmp     shadowcopyfailed ; Jump
214
215; ---------------------------------------------------------------------------
216
217doshadowE:                              ; CODE XREF: f000shadow+132↑j
218                mov     bl, 00001111b
219                mov     ah, i33h_ShadowRAM_2
220                call    read_chipset_register ; Call Procedure
221
222                and     al, bl          ; Shadow E000-EFFF disable
223                or      al, 00000000b   ; Logical Inclusive OR
224                mov     ah, i33h_ShadowRAM_2
225                call    write_chipset_register ; Call Procedure
226
227                mov     bl, 00001111b
228                mov     ah, i31h_Control_2
229                call    read_chipset_register ; Call Procedure
230
231                and     al, 11111111b   ; Logical AND
232                or      al, bl          ; E000-EFFF Read from ROMCS#
233                mov     ah, i31h_Control_2
234                call    write_chipset_register ; Call Procedure
235
236                mov     bl, 01000000b
237                mov     ah, i36h_ShadowRAM_3
238                call    read_chipset_register ; Call Procedure
239
240                and     al, 11111111b   ; Logical AND
241                or      al, bl          ; C000-EFFF Read from AT-Bus/ROMCS#, write to DRAM
242                mov     ah, i36h_ShadowRAM_3
243                call    write_chipset_register ; Call Procedure
244
245                mov     ax, 0E000h      ; Start from E000
246                mov     ds, ax
247                assume ds:nothing
248                mov     es, ax
249                xor     si, si          ; Logical Exclusive OR
250                xor     di, di          ; Logical Exclusive OR
251                mov     cx, 8000h       ; Copy 32k
252                cld                     ; Clear Direction Flag
253                rep movsw               ; Move Byte(s) from String to String
254                mov     bl, 00001000b
255                mov     ah, i32h_ShadowRAM_1
256                call    read_chipset_register ; Call Procedure
257
258                and     al, 11111111b   ; Logical AND
259                or      al, bl          ; Set E000 block shadow write protected
260                mov     ah, i32h_ShadowRAM_1
261                call    write_chipset_register ; Call Procedure
262
263                mov     bl, 11110000b
264                mov     ah, i33h_ShadowRAM_2
265                call    read_chipset_register ; Call Procedure
266
267                and     al, 11111111b   ; Logical AND
268                or      al, bl          ; Shadow E000-EFFF enable
269                mov     ah, i33h_ShadowRAM_2
270                call    write_chipset_register ; Call Procedure
271
272                mov     bl, 11110000b
273                mov     ah, i31h_Control_2
274                call    read_chipset_register ; Call Procedure
275
276                and     al, bl          ; E000-EFFF R/W from AT-Bus
277                or      al, 00000000b   ; Logical Inclusive OR
278                mov     ah, i31h_Control_2
279                call    write_chipset_register ; Call Procedure
280
281
282shadowok:                               ; CODE XREF: f000shadow+CE↑j
283                jmp     short $+2       ; Jump
284
285; ---------------------------------------------------------------------------
286
287invalidatecache:                        ; CODE XREF: f000shadow:shadowok↑j
288                invd                    ; Invalidate Data Cache
289                jmp     far ptr shadowenabled ; Jump
290
291; ---------------------------------------------------------------------------
292
293shadowenabled:                          ; CODE XREF: f000shadow+1DC↑J
294                mov     al, 0E4h
295                mov     ah, 1
296                call    writecmosreg    ; AL: Index of CMOS
297                                        ; AH: Data to be writen into CMOS register
298
299                popf                    ; Pop Stack into Flags Register
300                clc                     ; Clear Carry Flag
301                jmp     short return    ; Jump
302
303; ---------------------------------------------------------------------------
304                db 90h
305; ---------------------------------------------------------------------------
306
307shadowcopyfailed:                       ; CODE XREF: f000shadow+63↑j
308                                        ; f000shadow+164↑j
309                jmp     far ptr noshadow ; Jump
310
311; ---------------------------------------------------------------------------
312
313noshadow:                               ; CODE XREF: f000shadow:shadowcopyfailed↑J
314                popf                    ; Pop Stack into Flags Register
315                stc                     ; Set Carry Flag
316
317
318return:                                 ; CODE XREF: f000shadow+1EA↑j
319                retn                    ; Return Near from Procedure
320
321f000shadow      endp
322

I could not find watertight entry points for these functions, but at least for the system bios shadow procedure, the function is first copied into the ram, and then executed there not to interfere with the process.

From these functions I deduced these register values for the chipset to enable the option rom areas:

To shadow D000:

133h:0 0 D000 Shadow disable
237h:4 1  D000 Read from ROMCS# (31h for E000)
336h:6 1  C000-EFFF Read from AT-Bus/ROMCS#, write to DRAM
4Do a copy to D000
532h:4 1	 D000 block write protected
633h:0 1	 D000 Shadow enabled
737h:4 0 D000 R/W from AT-Bus (31h for E000)

To not shadow D000:

137h:4 1	 D000 R/W from ROMCS#
236h:6 0 C000-EFFF R/W from AT-Bus/ROMCS#
333h:0 0 D000  Shadow disable

To shadow C800:

136h:2-3	0  C800-CFFF Shadow disable
238h:3-4 1  C800-CFFF R/W from ROMCS#
336h:6   1  C000-EFFF Read from AT-Bus/ROMCS#, write to DRAM
4Do a copy to C800
536h:5	1  C000 block write protect
636h:2-3	1  C800-CFFF shadow enabled
738h:3-4 0  C800-CFFF R/W from AT-Bus

To not shadow C800:

138h:3-4	1 C800-CFFF R/W from ROMCS#
236h:6 0	0 C000-EFFF R/W From AT-BUS/ROMCS#
336h:2-3	0 C800-CFFF Shadow disable

I just need to find place to set these registers and do the copy. It could be possible to use the system bios shadow copy procedure, and just give it last segment of the D000 block, and increase the CX register value where the copy is done.

The Olivetti BIOS is very convoluted, and IDA does not follow it properly, so it has been bit difficult to do the reverse-engineering. At the begining when the ram is not yet initialized, there is no call instruction available, and instead SP and return is used to do the jumps. This confuses heck out of the IDA. Also parts of the code is then copied to the ram, and executed there. I also found 3 different places, where the different chipset register table is loaded into the chipset. At least two of them touch the register I am interested in. The resume and standby functionality does not help either, as these are handled differently by the BIOS boot process, and part of the normal POST is skipped.

Reply 4 of 4, by Ketturi

Posted on 2023-06-21, 06:52

Ketturi Offline

Rank Newbie

Rank: Newbie
Posts: 5
Joined: 2023-06-05, 06:32
Location: Finland

It seems like I finally got the XTIDE Bios to work properly. I had to place the XTIDE bios to the CC00 segment, because for the life I could not get the D000-DFFF segments to show up as a rom, even though all registers were properly configured. I think there is some protected mode and memory paging magic going round. CC00 segment should be ok in theory, as the PCMCIA controller can be configured to map the memory windows to different segments. The system bios by default sets the memory windows of PCMCIA to C800-CA00 when the PCMCIA boot option is set enabled (It allows to boot from Linear SRAM/Flash cards as a floppy).

Here are the modifications I had to do to the bios:

1Enable XTIDE universal bios in CC00-CFFF 16k ROM block:
2
3VideoShadow at A4AD:
4RAM test: (Actually, do not modify, C800 could cause overwrite on pcmcia?
5	FA4AF: B3 F9 -> ;38h CC00h R/W from AT-Bus
6	FA4CF: B3 03 -> ;36h CC00h shadow enable
7	FA4DF: B9 00 40 -> B9 00 80 ;Fill 64k block instead of 32k.
8	FA4EA: B9 00 40 -> B9 00 80 ;Test 64k block instead of 32k
9
10Disable shadow:
11	FA4F2: B3 06 -> B3 16 ;38h CC00h R/W from ROMCS#
12	FA512: B3 FC -> B3 F4 ;36h CC00h Shadow disable
13
14Copy and enable shadow
15	FA525: B3 FC ->B3 F4 ;36h CC00h Shadow disable
16	FA535: B3 06 ->B3 16 ;38h CC00h R/W from ROMCS#
17	FA560: B9 00 40 -> B9 00 80 ;Copy 64k instead of 32k
18	FA576: B3 03 ->B3 0B ;36h CC00h Shadow enable
19	FA586: B3 F9 ->B3 E9 ;38h CC00h R/W from AT-Bus
20	FA596: B3 18 ->B3 08 ;38h CC00h R/W from ROMCS# mask out
21
22C000Shadow at 3748:
23F3748: B6 06 -> B6 16 ;38h CC00h R/W from ROMCS#
24F3783: B9 00 40 -> B9 00 80, mov cx, 8000h ;Increase copy couunt from 32k to 64k block (C000-C7FF to C000-CFFF)
25F3798: B3 03 -> B3 0B ;36h CC00h Shadow enable
26F37A8: B3 F9 -> B3 E9 ;38h CC00h R/W from AT-Bus
27
28E800Shadow at 8706:
29F873A: B7 4C -> B7 44 ;36h CC00h Shadow mask out
30F875A: B3 E7 -> B3 F7 ;38h CC00h R/W AT-Bus mask out
31F8981: B3 B3 -> B3 BB ;38h CC00h Shadow mask out
32
33ChipsetInit:
34FEBB0: 86 -> 96
35F8349: 86 -> 96
36
37Checksum:
38FFFFF: 32 -> 92

I included the patched bios as attachment. With these mods, XTIDE loads up properly, and is working shadow and cache memory enabled or disabled from the bios setup. Also the bios setup seems to work. I have not tested the suspend functionality yet, but at least warm boot with reduced post tests seem to work. Only issue remaining is that when the bios setup triggers reboot after changing values I need to do hard reset.

Attachments

Filename

Echos44-bios+xtidepatch.zip

File size

116.02 KiB

Downloads

27 downloads

File license

Fair use/fair dealing exception

Go to top of page Go to top of page

Back to General Old Hardware

Main menu

Common searches