VOGONS


First post, by riplin

User metadata
Rank Newbie
Rank
Newbie

Code here: https://github.com/riplin/hag/blob/main/resea … ios/86c764x.asm
Building with MASM will produce a 100% perfect duplicate of the original BIOS file. Original came from here: http://chukaev.ru54.com/video_en.htm - 86c764x1.zip

Hi folks,

So I disassembled the BIOS of an S3 Trio64. I wanted to see how the mode switch code worked and thought that disassembling and annotating the BIOS would be a nice way to figure this out (the programming manuals all glaze over this subject).

Some interesting things I found:

- The BIOS supports the Trio32 (86c732), Trio64 (86c764) and Trio64 (86c764x). That last one is a different stepping, but they apparently found it necessary to augment the chip's name.
- The BIOS supports both VLB and PCI.
- A lot of the code is just dealing with verifying and maintaining the BIOS Data Area.

It also has a built in beep function, so could be that sometimes the beeps you hear are from the video BIOS and not the system BIOS. Speaking of the system BIOS, it apparently also has a stock int 10h handler. One of the first things this bootstrap code does is call into that handler. Later on it sets up an int 42h handler that points in to the system BIOS as well and regularly calls in to that. I suspect that it's calling back in to the System int 10h handler to keep it in sync with itself? Not sure about this one yet.

Perhaps when this BIOS is fully annotated, it may be possible to patch it to fix the slowdown bug and maybe even add the missing VBE modes.

I'm still grinding through it, and I've probably made mistakes, if you spot any, please let me know! I already know that the draw rect and the image stuff isn't really that, it's the character set code and it's patching an character set. But when I was parsing through the data, it kind of looked like an image (this was before I had found the character sets right next to it).

Anyway, let me know what you think and if you want to help me out, please do! 😀

Reply 1 of 7, by analog_programmer

User metadata
Rank Oldbie
Rank
Oldbie

Hi, riplin. Good job!

Sorry that I can not help you with anything - I don't have S3 Trio cards, but I want to ask you something: Please, could you share, what tools and how you used them to obtain the assembly code out of S3 Trio's BIOS? I want to dig up deeper into buggy S3 ViRGE/DX/GX BIOS for so called "bright bug".

from СМ630 to Ryzen gen. 3
engineer's five pennies: this world goes south since everything's run by financiers and economists
this isn't voice chat, yet some people, overusing online communications, "talk" and "hear voices"

Reply 2 of 7, by pan069

User metadata
Rank Oldbie
Rank
Oldbie
analog_programmer wrote on 2023-10-06, 07:38:

Hi, riplin. Good job!

Sorry that I can not help you with anything - I don't have S3 Trio cards, but I want to ask you something: Please, could you share, what tools and how you used them to obtain the assembly code out of S3 Trio's BIOS? I want to dig up deeper into buggy S3 ViRGE/DX/GX BIOS for so called "bright bug".

https://github.com/riplin/hag/blob/main/resea … 86c764x.asm#L18

Reply 3 of 7, by analog_programmer

User metadata
Rank Oldbie
Rank
Oldbie
pan069 wrote on 2023-10-06, 08:22:

Thanks, I didn't read this. So, I think any (online) x86 disassembler will do the job.

from СМ630 to Ryzen gen. 3
engineer's five pennies: this world goes south since everything's run by financiers and economists
this isn't voice chat, yet some people, overusing online communications, "talk" and "hear voices"

Reply 4 of 7, by mkarcher

User metadata
Rank l33t
Rank
l33t
riplin wrote on 2023-10-06, 07:01:

It also has a built in beep function, so could be that sometimes the beeps you hear are from the video BIOS and not the system BIOS. Speaking of the system BIOS, it apparently also has a stock int 10h handler. One of the first things this bootstrap code does is call into that handler. Later on it sets up an int 42h handler that points in to the system BIOS as well and regularly calls in to that. I suspect that it's calling back in to the System int 10h handler to keep it in sync with itself? Not sure about this one yet.

The system BIOS contains a video BIOS for MDA and CGA cards. This has been this way since the original IBM 5150 (the first "IBM PC"). These Trio cards are similar to most VGA cards in that they allow a dual-card setup. To make this dual-card setup work, the mainboard BIOS INT 10 must be called in case the MDA or CGA is the active card, and the Trio BIOS must be called when the S3 card is the active card. The Mainboard BIOS is already kind-of prepared for a dual-card setup: If the equipment byte at 40:10 indicated the "MDA" as active graphics card, it only supports mode 7 and initializes the MDA card (in fact, it sets mode 7 no matter what the application requests...), and if the equipment byte at 40:10 indicates any other kind of video solution, it supports modes 0-6 and initializes the CGA card. Once a mode is set, the equipment byte is no longer relevant and the card that has been initialized with the last mode set command is used until the next mode set command.

The EGA/VGA card has a control bit in the BIOS data area that tells the BIOS whether the EGA/VGA card should "hijack" the CGA functionality, and allow a concurrent MDA card, or whether it should "hijack" the MDA functionality and and allow a concurrent CGA card. This bit is 40:87, bit 1.

  • If this bit is set, MDA functionality is hijacked. That means as long as the equipment byte at 40:10 does not indicate "MDA", it passes all mode set commands to the mainboard BIOS to have it program the CGA card, and many EGA/VGA BIOSes also pass other BIOS requests to the mainboard BIOS after they had the BIOS initialize the legacy card. The EGA/VGA BIOS takes back control if a mode set is issued with the equipment byte set to MDA (bits 4 and 5 are both set).
  • If this bit is clear, CGA functionality is hijacked. This means that the mode setting function calls into the mainboard BIOS only if 40:10 indicates MDA, and the mainboard BIOS is active after MDA has been initialized. It takes back control if another mode set is issued while the equipment byte indicates anything but MDA.

On the EGA card, this configuration bit was tied to the DIP switch settings, and it runs in MDA replacement mode, if an 18kHz monochrome monitor is configured, while it runs in CGA replacement mode if an 15.7kHz CGA monitor or a dual-frequency EGA monitor is configured. Most VGA cards probe for concurrent MDA/CGA cards during the POST and auto-configure themselves to run in "CGA replacement mode" unless a CGA card is found. If no concurrent card is found, a VGA card (but not an EGA card) works both as MDA replacement and as CGA replacement, and is able to seamlessly switch personality when configuring mode 7 or mode 0Fh (going into "MDA replacement mode"), and switch back into CGA replacement mode when configuring any other mode. At least one VGA BIOS I looked at uses 40:89, bit 0 as flag to enable the dynamic personality switch.

Reply 5 of 7, by jmarsh

User metadata
Rank Oldbie
Rank
Oldbie

Would the beep function be for when the bios is told to print a bell character (ascii code 7) ?

Reply 6 of 7, by mkarcher

User metadata
Rank l33t
Rank
l33t
jmarsh wrote on 2023-10-06, 21:06:

Would the beep function be for when the bios is told to print a bell character (ascii code 7) ?

The function to output the bell character is Func0x2xe0. Beeps are also emitted during the POST, usually if the video memory test fails or no monitor is detected. You have PlayBeepPattern for that. You got a call to that function at line 2093 for the case of a failed monitor detection and 2140 for video memory failure. Func0x12dc is the video memory size detection code.

Reply 7 of 7, by riplin

User metadata
Rank Newbie
Rank
Newbie
mkarcher wrote on 2023-10-06, 21:53:
jmarsh wrote on 2023-10-06, 21:06:

Would the beep function be for when the bios is told to print a bell character (ascii code 7) ?

The function to output the bell character is Func0x2xe0. Beeps are also emitted during the POST, usually if the video memory test fails or no monitor is detected. You have PlayBeepPattern for that. You got a call to that function at line 2093 for the case of a failed monitor detection and 2140 for video memory failure. Func0x12dc is the video memory size detection code.

Hey, thanks for the info in your two posts! I’ll make sure to update those unnamed functions with that info.