@LSS10999 (updated TEST0.ZIP)

Good work. Is the unlock key different for every GPU type (e.g. 960, 970) of wider family (all 9xx)? But it seems it shouldn't be hard to find it in disassembly according to your code pattern...
BTW If I remember well, the resident part of video BIOS doesn't fuly ocupy the whole segment C000-CFFF but the rom is smaller so there would be enough space to place the code (don't understand why they removed it when not 100% full). But I think this VGAs has some obstruction against vBIOS modding like some signing so not that easly like it was before (eg. on GF7xxxGT)....

just for completess pixel shift test works on my EVGA GTX 970 (GM204 rev. A1), BIOS 84.04.84.00.70, PCI ID 10DE:13C2

Marco Pistella wrote on 2026-05-04, 18:00:

@LSS10999 (updated TEST0.ZIP)

The attachment test0.zip is no longer available

With this version, on my RTX A4000 system it fails with message "Fail 4F06h".
So it failed on Step 2).

LSS10999 wrote on 2026-05-05, 03:52:

With this version, on my RTX A4000 ...[CUT]

Thank you for the report.

This confirms that on RTX-generation cards the situation
is worse than on Kepler/Maxwell: not only 4F07h but also
4F06h has been removed. Both functions return 014Fh
immediately without doing anything.

This means that for Ampere and newer, a complete
reimplementation of both 4F06h and 4F07h would be
required in the TSR — a significantly more complex
undertaking than what is needed for Kepler/Maxwell where
4F06h still works correctly.

For now the TSR project is focused on Kepler/Maxwell/Pascal
where 4F06h is functional and only 4F07h needs to be
reimplemented. RTX support would require a separate
effort at a later stage.

RayeR wrote on 2026-05-04, 18:58:

Good work. Is the unloc ... [CUT]

Good observations, thank you.

Regarding the unlock key: I do not yet know whether
2469FDB9h is family-wide or card-specific. The GT210
is a very different architecture from Kepler/Maxwell,
so the key may well differ. Tracing the BIOS on a
GTX 960 or GTX 970 using the same pattern would answer
this quickly.

On finding the key in disassembly: in principle the
pattern is recognizable, but tracing code inside a
ROM is not straightforward — you cannot simply set
a breakpoint in read-only memory. The approach I used
was a modified version of FASTBIOS.SYS, originally
developed by Tseng Labs in 1992, which copies the ROM
into RAM — at that point standard breakpoints become
possible. Not exactly a trivial setup.

On the ROM space: you are correct that the resident
BIOS does not fill the entire C000-CFFFh segment on
these cards. Why the function was removed rather than
simply left in place is unclear — deliberate policy
rather than space constraints seems the most likely
explanation.

On vBIOS signing: yes, direct ROM patching is not a
viable path on these cards. The TSR approach intercepts
INT 10h in RAM and does not touch the ROM, which avoids
the signing issue entirely.

SCANKEY — Nvidia firmware unlock key detection

While tracing the GT210 BIOS I found an unlock key
(2469FDB9h) used in the 4F07h implementation. I have
tested it on three cards:

- GT210: key found, 4F07h fully implemented
- GT550Ti: key found, 4F07h fully implemented
- GT740 (Kepler): key found, but 4F07h deliberately
removed (two instructions: mov ax,014Fh / ret)

The key being present on the GT740 despite the function
being removed suggests it may be a family-wide constant
rather than a card-specific value. To confirm this I
need results from as many Nvidia cards as possible —
particularly Kepler, Maxwell and Pascal generations.

I have written a small utility (SCANKEY.COM, source
included) that scans the video BIOS ROM at C000h for
the key and reports whether it is found or not. It is
read-only and does not modify anything.

How it works:
1) Verifies the BIOS signature (AA55h) at C000h
2) Determines the ROM size from the header
3) Scans the entire ROM for the 32-bit value 2469FDB9h
4) Reports "Key found" or "Key not found"

Please report:
- Card model and generation
- BIOS ROM version if available
- Result (Key found / Key not found)

1	.386
2	CODE SEGMENT PARA PUBLIC USE16 'CODE'
3	ASSUME	CS:CODE,DS:CODE,ES:CODE,SS:CODE
4	ORG 	100h
5
6start_code:
7	mov	ds: word ptr [msg_pointer],OFFSET dos_message_01
8	push	0C000h
9	pop	es
10	xor	si,si
11	cmp	es: word ptr [si],0AA55h
12	jne	exit_scankey
13	add	si,2h
14	movzx	ax,es: byte ptr [si]
15	cmp	al,80h
16	ja	exit_scankey
17	mov	ds: word ptr [msg_pointer],OFFSET dos_message_02
18	shl	ax,9h
19	sub	ax,7h
20loop_bios_scankey:
21	inc	si
22	cmp	es: dword ptr [si],2469FDB9h
23	je	exit_scankey
24	dec	ax
25	jne	loop_bios_scankey
26	mov	ds: word ptr [msg_pointer],OFFSET dos_message_03
27exit_scankey:
28	mov	ah,9h
29	mov	dx,ds: word ptr [msg_pointer]
30	int	21h
31	mov	ax,4C00h
32	int	21h
33
34msg_pointer:
35	DW	?
36dos_message_01:
37	DB	'Invalid VGA BIOS',0Dh,0Ah,'$'
38dos_message_02:
39	DB	'Key found',0Dh,0Ah,'$'
40dos_message_03:
41	DB	'Key not found',0Dh,0Ah,'$'
42
43	CODE ENDS
44	END	start_code
45

Marco Pistella wrote on 2026-05-05, 05:30:

SCANKEY — Nvidia firmware unlock key detection […]
Show full quote

SCANKEY — Nvidia firmware unlock key detection

While tracing the GT210 BIOS I found an unlock key
(2469FDB9h) used in the 4F07h implementation. I have
tested it on three cards:

- GT210: key found, 4F07h fully implemented
- GT550Ti: key found, 4F07h fully implemented
- GT740 (Kepler): key found, but 4F07h deliberately
removed (two instructions: mov ax,014Fh / ret)

The key being present on the GT740 despite the function
being removed suggests it may be a family-wide constant
rather than a card-specific value. To confirm this I
need results from as many Nvidia cards as possible —
particularly Kepler, Maxwell and Pascal generations.

I have written a small utility (SCANKEY.COM, source
included) that scans the video BIOS ROM at C000h for
the key and reports whether it is found or not. It is
read-only and does not modify anything.

How it works:
1) Verifies the BIOS signature (AA55h) at C000h
2) Determines the ROM size from the header
3) Scans the entire ROM for the 32-bit value 2469FDB9h
4) Reports "Key found" or "Key not found"

Please report:
- Card model and generation
- BIOS ROM version if available
- Result (Key found / Key not found)

Geforce GTX 960 - BIOS version: 84.06.0D.00.6E
PCI\VEN_10DE&DEV_1401&SUBSYS_36901458&REV_A1
Key found.

Falcosoft wrote on 2026-05-05, 05:51:

Geforce GTX 960 - BIOS version: 84. ...[CUT]

Thank you — GTX 960 (Maxwell) confirmed: key present.

Three cards tested so far across three different
generations:

- GT210 (Tesla): key found, 4F07h implemented
- GT550Ti (Fermi): key found, 4F07h implemented
- GT740 (Kepler): key found, 4F07h removed
- GTX 960 (Maxwell): key found, 4F07h removed

The key being present on all four cards despite the
function being removed on Kepler and Maxwell strongly
suggests it is a family-wide firmware constant rather
than a card-specific value. Combined with the CRTC
indices 3Fh and 80h setup sequence, this gives a
consistent picture across generations.

More results from Pascal and later generations would
be welcome to complete the picture.

---

A clarification on how the key was found: I did not
take it from any documentation, reserved or otherwise,
nor from any existing source. I found it by tracing
the GT210 BIOS for the first time, following the
execution of the 4F07h routine instruction by
instruction until the unlock sequence appeared in
the code stream.

The first trace was the hard part — no shortcuts,
no prior knowledge of where to look. Once the key
and the surrounding code pattern were identified,
subsequent traces on other cards became straightforward:
FASTBIOS.SYS copies the ROM to RAM, a breakpoint at
the right location, and the sequence is immediately
visible.

The SCANKEY utility automates the search for anyone
who wants to verify without going through the full
tracing process.

Hi,
Geforce GTX 650 - BIOS version: 80.07.35.00.60
NVIDIA Corporation GK107 [GeForce GTX 650] [10de:0fc6] (rev a1)
I got KEY FOUND.

NEWAX 0.1 alpha — 4F07h TSR for Nvidia Kepler/Maxwell/Pascal
(VGA mode)

While the reverse engineering of the extended Nvidia CRTC
registers continues, I am releasing the first working version
of NEWAX — a TSR that implements the missing 4F07h function
on Kepler/Maxwell/Pascal cards using standard VGA registers.

What it does:

NEWAX intercepts INT 10h and provides a functional 4F07h
implementation (BL=00h set, BL=01h get, BL=80h set with
vertical retrace synchronization via 3DAh) using standard
VGA CRTC registers 0Ch/0Dh. It also disables 4F0Ah to
force any software using PM/32 to fall back to 4F07h.

Current limitations:

The VGA CRTC registers are 16-bit and dword-aligned, which
limits the addressable framebuffer to approximately 262 KB.
In practice this means the function works correctly up to
640×400 pixels at 8bpp. At higher resolutions or color
depths the TSR returns 014Fh (supported but failed) — the
correct behavior per VBE specification when the address
exceeds the available range.

Double buffering and virtual scrolling work correctly within
these limits for packed pixel and direct color modes at
8/16/32 bpp.

Usage:

1NEWAX.COM        — install TSR
2NEWAX.COM /U     — uninstall from memory

What comes next:

The full VESA implementation requires mapping the extended
Nvidia CRTC registers (indices 3Fh and 80h) and the unlock
sequence. This reverse engineering work is ongoing and is
proving complex — there are many interconnected registers
with different states. I am not making promises on timing,
but progress is being made.

Source code is included as always.

Please report:
- Card model and BIOS version
- Whether double buffering works at 640×400
- Any crashes or unexpected behavior

1	.386
2	CODE SEGMENT PARA PUBLIC USE16 'CODE'
3	ASSUME	CS:CODE,DS:CODE,ES:CODE,SS:CODE
4	ORG 	100h
5
6start_code:
7	jmp	install
8new_int_10:
9	or	ah,ah
10	jne	continue_int_10_0
11	and	cs: byte ptr [status_flag_0],0FEh
12	jmp	go_int_10
13continue_int_10_0:
14	cmp	ax,4F17h
15	jne	continue_int_10_1
16	cmp	bx,'MP'
17	jne	continue_int_10_1
18	push	cs
19	pop	es
20	mov	ax,4Fh
21	iret
22continue_int_10_1:
23	cmp	ax,4F0Ah
24	jne	continue_int_10_2
25	mov	ax,14Fh
26	iret	
27continue_int_10_2:
28	cmp	ax,4F02h
29	jne	continue_int_10_3
30	mov	cs: word ptr [vesa_mode],bx
31	pushf
32	call 	cs: dword ptr [old_int_10_off]
33	cmp	ax,4Fh
34	jne	fail_open_vesa_mode
35	pushad
36	push	ds
37	push	es
38	push	cs
39	pop	ds
40	push	cs
41	pop	es
42	mov	ax,4F01h
43	mov	cx,ds: word ptr [vesa_mode]
44	and	cx,1FFh
45	mov	di,OFFSET vesa_buffer_func_1
46	int	10h
47	cmp	ax,4Fh
48	jne	fail_vesa_info
49	mov	ax,ds: word ptr [di + 10h]
50	mov	ds: word ptr [byte_per_scanline],ax
51	cmp	ds: byte ptr [di + 1Bh],4h
52	je	ok_vesa_mode
53	cmp	ds: byte ptr [di + 1Bh],6h
54	jne	fail_vesa_info
55ok_vesa_mode:
56	mov	al,ds: byte ptr [di + 19h]
57	shr	al,3h
58	mov	ds: byte ptr [byte_per_pixel],al
59	or	ds: byte ptr [status_flag_0],1h
60	mov	ds: word ptr [start_x],0h

61	mov	ds: word ptr [start_y],0h
62	pop	es
63	pop	ds
64	popad
65	iret
66fail_vesa_info:
67	pop	es
68	pop	ds
69	popad
70fail_open_vesa_mode:
71	and	cs: byte ptr [status_flag_0],0FEh
72	iret
73continue_int_10_3:
74	cmp	ax,4F06h
75	jne	continue_int_10_4
76	test	cs: byte ptr [status_flag_0],1h
77	je	continue_int_10_4
78	pushf
79	call 	cs: dword ptr [old_int_10_off]
80	cmp	ax,4Fh
81	jne	no_set_scanline
82	mov	cs: word ptr [byte_per_scanline],bx
83no_set_scanline:
84	iret
85continue_int_10_4:
86	cmp	ax,4F07h
87	jne	go_int_10
88	test	cs: byte ptr [status_flag_0],1h
89	je	no_start_routine
90	or	bh,bh
91	jne	no_start_routine
92	cmp	bl,1h
93	jne	test_set_address
94	mov	cx,cs: word ptr [start_x]
95	mov	dx,cs: word ptr [start_y]
96	mov	ax,4Fh
97	iret
98test_set_address:
99	or	bl,bl
100	je	set_start_address
101	cmp	bl,80h
102	jne	no_start_routine
103	push	dx
104	mov	dx,3DAh
105vretrace_off:
106	in	al,dx
107	test	al,8h
108	jne	vretrace_off
109vretrace_on:
110	in	al,dx
111	test	al,8h
112	je	vretrace_on
113	pop	dx
114set_start_address:
115	pusha
116	mov	ax,cs: word ptr [byte_per_scanline]
117	shr	ax,2h
118	mul	dx
119	mov	bx,cx
120	and	bl,7h
121	shr	cx,2h
122	add	ax,cx
123	adc	dx,0h
124	or	dx,dx
125	jne	extra_vga_address
126	xchg	ax,cx
127	mov	dx,3D4h
128	mov	al,0Dh
129	out	dx,al
130	inc	dx
131	mov	al,cl
132	out	dx,al
133	dec	dx
134	mov	al,0Ch
135	out	dx,al
136	inc	dx
137	mov	al,ch
138	out	dx,al
139	popa
140	mov	cs: word ptr [start_x],cx
141	mov	cs: word ptr [start_y],dx
142	mov	ax,4Fh
143	iret
144extra_vga_address:
145	popa
146no_start_routine:
147	mov	ax,14Fh
148	iret
149go_int_10:
150	jmp 	cs: dword ptr [old_int_10_off]
151old_int_10_off:
152	DW	?
153old_int_10_seg:
154	DW	?
155new_int_10_off:
156	DW	?
157new_int_10_seg:
158	DW	?
159status_flag_0:
160	DB	0h
161start_x:
162	DW	?
163start_y:
164	DW	?
165vesa_mode:
166	DW	?
167byte_per_scanline:
168	DW	?
169byte_per_pixel:
170	DB	?
171vesa_buffer_func_1:
172	DB	100h DUP (?)
173install:
174	mov	dx,OFFSET dos_message_1
175	mov	ah,9h
176	int	21h
177	mov	si,OFFSET void_buffer
178	call	Get_Args
179	lodsb
180	mov	ds: word ptr [dos_message],OFFSET dos_message_3
181	or	al,al
182	je	go_install
183	cmp	al,1h
184	jne	exit_to_dos
185	mov	si,ds: word ptr [si]
186	lodsw
187	cmp	ds: byte ptr [si],0h
188	jne	exit_to_dos
189	and	ah,0DFh
190	cmp	ax,'U/'
191	jne	exit_to_dos
192	mov	ds: word ptr [dos_message],OFFSET dos_message_4
193	mov	ax,4F17h
194	mov	bx,'MP'
195	int	10h
196	cmp	ax,4Fh
197	jne	exit_to_dos
198	mov	ds: word ptr [dos_message],OFFSET dos_message_5
199	push	0h
200	pop	fs
201	mov	eax,fs: dword ptr [10h * 4h]
202	cmp	eax,es: dword ptr [new_int_10_off]
203	jne	exit_to_dos
204	mov	ah,49h
205	int	21h
206	jc	exit_to_dos
207	lds	dx,es: dword ptr [old_int_10_off]
208	mov	ax,2510h
209	int	21h
210	push	cs
211	pop	ds
212	mov	ds: word ptr [dos_message],OFFSET dos_message_6
213exit_to_dos:
214	mov	dx,ds: word ptr [dos_message]
215	mov	ah,9h
216	int	21h
217	mov	ax,4C00h
218	int	21h
219go_install:
220	mov	ds: word ptr [dos_message],OFFSET dos_message_7
221	mov	ax,4F17h
222	mov	bx,'MP'
223	int	10h
224	cmp	ax,4Fh
225	je	exit_to_dos
226	push	0h
227	pop	fs
228	push	fs: dword ptr [10h * 4h]
229	pop	ds: dword ptr [old_int_10_off]
230	mov	dx,OFFSET new_int_10
231	mov	ds: word ptr [new_int_10_off],dx
232	mov	ds: word ptr [new_int_10_seg],ds
233	mov	ax,2510h
234	int	21h
235	mov	ah,9h
236	mov	dx,OFFSET dos_message_8
237	int	21h
238	mov 	dx,OFFSET install + 0Fh
239	int	27h
240
241;#############################################################################
242
243;	DS:SI = Pointer to the memory area for storing pointers to
244;                command-line arguments (where the first byte represents
245;                the argument count)
246
247	Get_Args:
248
249;#############################################################################
250
251	pusha
252	xor	bx,bx
253	push	si
254	inc	si
255	mov	di,81h
256	movzx	cx,ds: byte ptr [di-1h]
257	or	cl,cl
258	je	exit_get_args
259	mov	al,' '
260another_arg:
261	rep	scasb
262	je	exit_get_args
263	inc	bx
264	mov	ds: word ptr [si],di
265	dec	ds: word ptr [si]
266	inc	si
267	inc	si
268	repne	scasb
269	jne	set_final_string
270	mov	ds: byte ptr [di-1h],ch
271	jmp	another_arg
272set_final_string:
273	mov	ds: byte ptr [di],ch
274exit_get_args:
275	pop	si
276	mov	ds: byte ptr [si],bl
277	popa
278	ret
279
280dos_message_1:
281	DB	'Nvidia kEpler/maxWell/pAscal fiX - NEWAX 0.1(alpha) - VGA mode',0Dh,0Ah,'$'
282dos_message_2:
283	DB	'NEWAX uninstalled from memory',0Dh,0Ah,'$'
284dos_message_3:
285	DB	'Use: NEWAX.COM (install TSR)',0Dh,0Ah,'     NEWAX.COM /U (Uninstall from memory',0Dh,0Ah,'$'
286dos_message_4:
287	DB	'NEWAX not installed',0Dh,0Ah,'$'
288dos_message_5:
289	DB	'Can''t uninstall NEWAX',0Dh,0Ah,'$'
290dos_message_6:
291	DB	'NEWAX uninstalled',0Dh,0Ah,'$'
292dos_message_7:
293	DB	'NEWAX already installed',0Dh,0Ah,'$'
294dos_message_8:
295	DB	'NEWAX installed',0Dh,0Ah,'$'
296dos_message:
297	DW	?
298void_buffer:
299
300	CODE ENDS
301	END	start_code

Marco Pistella wrote on 2026-05-05, 12:28:

NEWAX 0.1 alpha — 4F07h TSR for Nvidia Kepler/Maxwell/Pascal (VGA mode) […]
Show full quote

NEWAX 0.1 alpha — 4F07h TSR for Nvidia Kepler/Maxwell/Pascal
(VGA mode)

While the reverse engineering of the extended Nvidia CRTC
registers continues, I am releasing the first working version
of NEWAX — a TSR that implements the missing 4F07h function
on Kepler/Maxwell/Pascal cards using standard VGA registers.

What it does:

NEWAX intercepts INT 10h and provides a functional 4F07h
implementation (BL=00h set, BL=01h get, BL=80h set with
vertical retrace synchronization via 3DAh) using standard
VGA CRTC registers 0Ch/0Dh. It also disables 4F0Ah to
force any software using PM/32 to fall back to 4F07h.

Hi,
Dual page/double buffering works in 640x400x8-bit mode with my GTX 960 and GTX 970. Vertical retrace is also perfect. Virtual resolutions also work to the memory limit.

@Edit:
While the test was successful in X-VESA the same cannot be said about games unfortunately. E.g. Duke Nukem 3D produces very low frame rates and jerky movements when NEWAX is loaded.
Quake 1 is somewhat better but you have to disable vsync with 'VID_WAIT 0' to get playable frame rates in 640x400 when NEWAX is loaded.

Tested on my GTX650 Bios version 80.07.35.00.60
Double buffering worked at 640x400.
No crashes. (I only tested with X-Vesa)

Updated NEWAX 0.2

Update: NEWAX 0.2 fixes the game compatibility issue.

After debugging Duke Nukem 3D I found the root cause: these games read the NumberOfImagePages field from the VBE ModeInfoBlock to determine how many video pages are available, and optimize their rendering accordingly. On cards without 4F07h support this field typically reports 9 to 15 pages. NEWAX 0.1 left this field untouched — so when a game tried to flip to pages beyond the VGA address range, those pages were displayed incorrectly since 4F07h could not reach them.

NEWAX 0.2 intercepts 4F01h and sets NumberOfImagePages to 1, correctly reflecting what is actually reachable at 640×400. This fixes Duke Nukem 3D and Quake on GT740 and GT1030 — both tested ersonally.

Quake maintains acceptable performance with 2 pages. Duke Nukem 3D shows a performance drop compared to a card with full 4F07h support — expected, since it is optimized for more pages. This may improve with the extended register implementation in a future version of NEWAX, where the full VESA address range would be available — if the reverse engineering of the Nvidia unlock and lock sequences proves feasible. The work is ongoing but complex, and I make no promises on the outcome.

This fix was inspired by Falcosoft's mskvbef7.

UNER v0.1 alpha — Unlock Nvidia Extended Registers — Call for beta testers

Background

While developing NEWAX, a TSR designed to fix several VBE 2.0 implementation issues on Nvidia hardware, specifically the broken 4F07h , it became necessary to understand how the Nvidia VBIOS protects its extended register set and how it unlocks them before executing functions like 4F06h and 4F07h internally.

The investigation started with SCANKEY.COM, a small tool that scans the VGA BIOS ROM for a known 32-bit signature. The signature 2469FDB9h was found in the VBIOS of every Nvidia card tested, from he GeForce GT210 to the GT1050Ti. This constant is written to a card-specific I/O port as the first step of the unlock sequence.

What was found

The VBIOS contains an internal unlock routine whose entry point varies between cards — both in content and in location within the C000h segment. What is consistent across all tested hardware is a 19-byte locator signature immediately preceding it, and the structure of the CALL instruction at the end of that signature from which UNER computes the actual entry point at runtime.

Similarly, the I/O port address for the BAR extended registers is not fixed: it has been found at C000:0120h on some cards and at C000:0129h on others. UNER resolves both addresses dynamically by reading them directly from the VBIOS image, so no hardcoded offsets are involved.

The same 32-bit key constant and the same locator signature have been found across three GPU generations, suggesting Nvidia has maintained this interface unchanged for a considerable time.

How UNER works

UNER operates entirely in real mode and performs the following steps.

It validates the VGA BIOS at C000:0000 by checking the AA55h signature and reads the declared BIOS size.

It then scans the BIOS image for three items in sequence:

- The 32-bit key constant 2469FDB9h (stored as B9 FD 69 24), whose location in the ROM also encodes the address of the I/O port to write it to.

- A single IRET instruction (CFh) anywhere in the C000h segment, used as a trampoline target.

- The 19-byte locator signature; the routine entry point is computed from the relative displacement of the CALL instruction at the end of the signature.

After locating all three, UNER executes the standard unlock prologue: saves the current state of the Sequencer Address register (3C4h), the Graphics Controller Address register (3CEh), and CRTC index 3Fh (3D4h/3D5h); writes 57h to CRTC index 3Fh; then sends 2469FDB9h followed by 00000001h to the card-specific port and port+4.

Control is then transferred to the VBIOS unlock routine using a stack-based IRET trampoline. The stack is constructed so that the routine's own RETN jumps to the IRET found earlier in C000h, and that IRET returns cleanly to UNER with full control of FLAGS. The technique works precisely because UNER does not replicate the routine: it calls each card's own VBIOS routine directly, letting the BIOS handle its own hardware-specific register programming without interference.

On return, the extended registers are accessible for read/write.

Hardware tested

The full sequence — signature scan, trampoline, unlock — has been verified without issues on:

Nvidia GeForce GT210
Nvidia GeForce GT550Ti
Nvidia GeForce GT740
Nvidia GeForce GT1030
Nvidia GeForce GT1050Ti

No card-specific special cases were required. Cards where the signature or the trampoline mechanism behaves differently are exactly what this beta phase is meant to uncover.

Call for beta testers

UNER v0.1 alpha is a standalone DOS COM file. It does not write anything permanently and does not modify the VBIOS. It reports what it finds at each step and indicates whether the unlock sequence ompleted or failed.

If you have Nvidia hardware not in the list above — particularly older cards (pre-7600GT), Quadro or professional series, mobile GPUs, or cards with modified or third-party VBIOS — your test results would be genuinely useful. Cards where UNER reports failure are equally valuable: a failure with a specific error message is useful data.

What to report: card model, BIOS version if known, which step succeeded or failed, and any unexpected behavior. Running under plain DOS or a minimal DOS boot is recommended; behavior under mulators or hypervisors is not meaningful for this purpose.

1	.386
2	CODE SEGMENT PARA PUBLIC USE16 'CODE'
3	ASSUME	CS:CODE,DS:CODE,ES:CODE,SS:CODE
4	ORG 	100h
5
6start_code:
7	mov	ah,9h
8	mov	dx,OFFSET dos_message_00
9	int	21h
10	mov	ds: word ptr [msg_pointer],OFFSET dos_message_01
11	push	0C000h
12	pop	es
13	xor	si,si
14	cmp	es: word ptr [si],0AA55h
15	jne	exit_unl
16	add	si,2h
17	movzx	dx,es: byte ptr [si]
18	cmp	dl,80h
19	ja	exit_unl
20	shl	dx,9h
21	mov	ds: word ptr [bios_size],dx
22	mov	si,OFFSET mem_data_1
23	mov	ds: word ptr [msg_pointer],OFFSET dos_message_02
24	call	Get_Mem_Pointer
25	jc	exit_unl
26	mov	dx,OFFSET dos_message_03
27	mov	ah,9h
28	int	21h
29	mov	ax,di
30	call	Write_Address
31
32	mov	dx,OFFSET dos_message_08
33	mov	ah,9h
34	int	21h
35
36	mov	di,es: word ptr [di - 4h]
37	mov	ax,di
38	mov	ds: word ptr [offset_bar_reg],ax
39	call	Write_Address
40
41	mov	dx,OFFSET dos_message_09
42	mov	ah,9h
43	int	21h
44
45	mov	ax,es: word ptr [di]
46	call	Write_Address
47
48	mov	dx,ds: word ptr [bios_size]
49	mov	si,OFFSET mem_data_2
50	mov	ds: word ptr [msg_pointer],OFFSET dos_message_04
51	call	Get_Mem_Pointer
52	jc	exit_unl
53	mov	dx,OFFSET dos_message_05
54	mov	ah,9h
55	int	21h
56	xchg	ax,di
57	mov	ds: word ptr [iret_address],ax
58	call	Write_Address
59	mov	dx,ds: word ptr [bios_size]
60	mov	si,OFFSET mem_data_3

61	mov	ds: word ptr [msg_pointer],OFFSET dos_message_06
62	call	Get_Mem_Pointer
63	jc	exit_unl
64	mov	dx,OFFSET dos_message_07
65	mov	ah,9h
66	int	21h
67	mov	bx,es: word ptr [di + 13h]
68	lea	ax,ds: word ptr [bx + di + 15h]
69	mov	ds: word ptr [unlock_address],ax
70	call	Write_Address
71
72	mov	ah,9h
73	mov	dx,OFFSET dos_message_10
74	int	21h
75
76;	Start Nvidia Unlock
77
78	mov	dx,3C4h
79	in	al,dx
80	mov	ah,al
81	mov	dl,0CEh
82	in	al,dx
83	mov	ds: word ptr [nvidia_save_1],ax
84
85	mov	dx,3D4h
86	in	al,dx
87	mov	ah,al
88	mov	al,3Fh
89	inc	dx
90	in	al,dx
91	xchg	al,ah
92	mov	ds: word ptr [nvidia_save_2],ax
93	mov	al,57h
94	out	dx,al
95	dec	dx
96
97	mov	di,ds: word ptr [offset_bar_reg]
98	mov	dx,es: word ptr [di]
99	mov	eax,2469FDB9h
100	out	dx,eax
101	add	dx,4h
102	mov	eax,1h
103	out	dx,eax
104
105	pushf
106	push	cs
107	push	OFFSET entry_point
108	push	ds: word ptr [iret_address]
109	push	es
110	push	ds: word ptr [unlock_address]
111	retf
112entry_point:
113
114	mov	ah,9h
115	mov	dx,OFFSET dos_message_11
116	int	21h
117
118	mov	ax,4C00h
119	int	21h
120exit_unl:
121	mov	ah,9h
122	mov	dx,ds: word ptr [msg_pointer]
123	int	21h
124	mov	ax,4C00h
125	int	21h
126
127;#############################################################################
128
129;	AX = Address to write
130
131	Write_Address:
132
133;#############################################################################
134
135	pusha
136	mov	bx,ax
137	mov	dx,OFFSET address_data
138	mov	di,dx
139	add	di,3h
140loop_address_data:
141	and	al,0Fh
142	add	al,'0'
143	cmp	al,'9'
144	jbe	ok_char_address
145	add	al,'A' - '9' - 1h
146ok_char_address:
147	mov	ds: byte ptr [di],al
148	shr	bx,4h
149	mov	ax,bx
150	dec	di
151	cmp	di,dx
152	jae	loop_address_data
153	mov	ah,9h
154	int	21h
155	popa
156	ret
157
158;#############################################################################
159
160;	ES = Segment to search
161;	DX = Search range in bytes (starting from 0h)
162;	DS:SI = Pointer to the search byte sequence (where the first byte is the length)
163
164	Get_Mem_Pointer:
165
166;	CARRY = 0 -> ES:DI = Pointer to search sequence
167;	CARRY = 1 -> Not found
168
169;#############################################################################
170
171	pusha
172	movzx	cx,ds: byte ptr [si]
173	sub	dx,cx
174	lea	bp,ds: word ptr [si + 1h]
175	xor	bx,bx
176next_byte_search:
177	mov	si,bp
178	mov	di,bx
179	movzx	cx,ds: byte ptr [si - 1h]
180	repe	cmpsb
181	je	found_mem
182	inc	bx
183	cmp	bx,dx
184	jbe	next_byte_search
185	popa
186	stc
187	ret
188found_mem:
189	mov	bp,sp
190	mov	ss: word ptr [bp],bx
191	popa
192	clc
193	ret
194
195dos_message_00:
196	DB	'UNER - Unlock Nvidia Extended Regs - V0.1 (alpha)',0Dh,0Ah,'$'
197dos_message_01:
198	DB	'Invalid VGA BIOS',0Dh,0Ah,'$'
199dos_message_02:
200	DB	'Nvidia Key not found',0Dh,0Ah,'$'
201dos_message_03:
202	DB	'Nvidia Key found at: C000:$'
203dos_message_04:
204	DB	'IRET not found',0Dh,0Ah,'$'
205dos_message_05:
206	DB	'IRET found at: C000:$'
207dos_message_06:
208	DB	'Nvidia unlock routine not found',0Dh,0Ah,'$'
209dos_message_07:
210	DB	'Nvidia unlock routine found at: C000:$'
211dos_message_08:
212	DB	'Nvidia offset bar regs at: C000:$'
213dos_message_09:
214	DB	'Nvidia Bar regs at: $'
215dos_message_10:
216	DB	'Start Nvidia unlock ...$'
217dos_message_11:
218	DB	' complete',0Dh,0Ah,'$'
219mem_data_1:
220	DB	4h,0B9h,0FDh,69h,24h
221mem_data_2:
222	DB	1h,0CFh
223mem_data_3:
224	DB	13h,75h,10h,81h,0FBh,8Fh,4h,74h,0Dh,80h,0FBh,95h,75h,5h,80h,0FFh,2h,7Ch,3h,0E8h
225address_data:
226	DB	'    ',0Dh,0Ah,'$'
227msg_pointer:
228	DW	?
229bios_size:
230	DW	?
231iret_address:
232	DW	?
233unlock_address:
234	DW	?
235offset_bar_reg:
236	DW	?
237nvidia_save_1:
238	DW	?
239nvidia_save_2:
240	DW	?
241
242	CODE ENDS
243	END	start_code

Marco Pistella wrote on 2026-05-07, 13:03:

UNER v0.1 alpha — Unlock Nvidia Extended Registers — Call for beta testers
...

Geforce GTX 970 - BIOS version: 84.04.84.00.29
PCI\VEN_10DE&DEV_13C2&SUBSYS_31611462&REV_A1

result of 'uner.com >> uner.txt':

UNER - Unlock Nvidia Extended Regs - V0.1 (alpha)
Nvidia Key found at: C000:4016
Nvidia offset bar regs at: C000:0129
Nvidia Bar regs at: E000
IRET found at: C000:054D
Nvidia unlock routine found at: C000:43E2
Start Nvidia unlock ... complete

@Edit:
Geforce 6600 AGP - BIOS version: 05.43.02.75.00
result of 'uner.com >> uner.txt':

UNER - Unlock Nvidia Extended Regs - V0.1 (alpha)
Nvidia Key not found

Falcosoft wrote on 2026-05-07, 13:14:

Geforce GTX 970 - BIOS version: 8 ... [CUT]

Thanks, that's a clean result and a useful data point.

GTX 970 (GM204) extends confirmed compatibility to high-end Maxwell — previously tested Maxwell was only GT740 (GM107). The BAR at 0129h and port E000h are noted; both fall within the known variant range.

If you have time, any card outside the Maxwell/Kepler/Fermi range would be the next interesting test — particularly anything Turing or newer, or anything pre-Fermi (Tesla-era). Failures are equally welcome.

Marco Pistella wrote on 2026-05-07, 13:24:

Thanks, that's a clean result and a useful data point. […]
Show full quote

Falcosoft wrote on 2026-05-07, 13:14:

Geforce GTX 970 - BIOS version: 8 ... [CUT]

Thanks, that's a clean result and a useful data point.

GTX 970 (GM204) extends confirmed compatibility to high-end Maxwell — previously tested Maxwell was only GT740 (GM107). The BAR at 0129h and port E000h are noted; both fall within the known variant range.

If you have time, any card outside the Maxwell/Kepler/Fermi range would be the next interesting test — particularly anything Turing or newer, or anything pre-Fermi (Tesla-era). Failures are equally welcome.

Geforce 6600 AGP - BIOS version: 05.43.02.75.00
result of 'uner.com >> uner.txt':

UNER - Unlock Nvidia Extended Regs - V0.1 (alpha)
Nvidia Key not found

Looks like the unlock key has not changed with Ampere.
Tested UNER with my RTX A4000 and it worked.

RTX A4000 (GA104-A1)
10DE:24B0 - 103C:14AD
BIOS: 94.04.57.00.0B

UNER - Unlock Nvidia Extended Regs - V0.1 (alpha)
Nvidia Key found at: C000:384E
Nvidia offset bar regs at: C000:0102
Nvidia Bar regs at: E000
IRET found at: C000:046B
Nvidia unlock routine found at: C000:3DA2
Start Nvidia unlock ... complete

LSS10999 wrote on 2026-05-07, 13:58:

Looks like the unlock key has not ...[CUT]

Thanks — Ampere (GA104) is a significant addition to the confirmed list.

Third BAR variant noted: C000:0102h, alongside the previously known 0120h and 0129h. All three are resolved dynamically so no code changes needed.

The RTX A4000 is particularly relevant for NEWAX since both 4F07h and 4F06h are absent on that card — having a working unlock on Ampere opens the possibility of implementing those functions from cratch rather than just correcting broken ones.

Port E000h matches the GTX 970 result — interesting to see if that holds across the Pascal/Turing/Ampere range consistently.