
@segfault-bilibili
Created December 8, 2024 04:03
ASRock X79 Extreme9 MRC serial debug output enable
; NASM syntax, 32-bit code. The listing declares no section or origin; it assembles to a flat blob.
[BITS 32]
; I/O base of the debug UART: programmed into the Super I/O logical device and stored into the
; console-port fields of the structure addressed through esi. The UART register writes under
; setup_uart use the literal 0x3F8 instead, so changing PORT alone does not retarget them.
PORT equ 0x3F8
; Super I/O configuration register indexes used by the code below.
PNP_IDX_EN equ 0x30 ; written with 0 to disable and 1 to enable the selected logical device
PNP_IDX_IO0 equ 0x60 ; I/O base, high byte; PNP_IDX_IO0+1 takes the low byte
; Key bytes written to the configuration port: the entry key is written twice, the exit key once.
NUVOTON_ENTRY_KEY equ 0x87
NUVOTON_EXIT_KEY equ 0xAA
PNP_DEV_PORT equ 0x2E ; configuration index port; PNP_DEV_PORT+1 is the data port
PNP_DEV_FUNC equ 0x02 ; logical device number written to index 0x07 (presumably the first UART; confirm for this Super I/O)
PNP_DEVFN equ PNP_DEV_PORT<<8|PNP_DEV_FUNC ; not referenced by the code in this listing
; PCI configuration access through ports 0xCF8 (address) and 0xCFC (data).
CONFIG_DATA_ENABLE equ 1<<31 ; enable bit of the dword written to 0xCF8
; Target device: bus 0, device 0x1F, function 0 (the PCH LPC bridge, going by the constant names).
SEGBUS equ 0
DEV equ 0x1F
FN equ 0
; bus<<20 | device<<15 | function<<12; shifted right by 4 below to get the 0xCF8 layout
; (bus<<16 | device<<11 | function<<8).
PCH_LPC_DEV equ ((((SEGBUS)&0xFFF)<<20)|(((DEV)&0x1F)<<15)|(((FN)&0x07)<<12))
; LPC I/O decode ranges register, config offset 0x80.
LPC_IO_DEC equ 0x80
ADDR_LPC_IO_DEC equ (CONFIG_DATA_ENABLE)|(PCH_LPC_DEV>>4)|(LPC_IO_DEC&0xFC) ; offset rounded down to its dword
IOPORT_LPC_IO_DEC equ 0xCFC+(LPC_IO_DEC&2) ; offset bit 1 selects the 16-bit half of the data window
; NOTE(review): 0x0010 presumably selects 3F8h for COMA (bits 2:0 = 0) and 2F8h for COMB
; (bits 6:4 = 1); confirm against the PCH datasheet.
VALUE_LPC_IO_DEC equ 0x0010
; Bit masks for the LPC decode-enable register. Names follow the register's bit names; by name,
; CNF1/CNF2 are the Super I/O config ranges (2Eh/2Fh and 4Eh/4Fh), MC and KBC the microcontroller
; and keyboard-controller ports, COMA/COMB the two serial ranges. Confirm against the datasheet.
CNF2_LPC_EN equ (1<<13)
CNF1_LPC_EN equ (1<<12)
MC_LPC_EN equ (1<<11)
KBC_LPC_EN equ (1<<10)
COMB_LPC_EN equ (1<<1)
COMA_LPC_EN equ (1<<0)
; LPC decode-enable register, config offset 0x82: same dword as 0x80, upper 16-bit half (port 0xCFE).
LPC_EN equ 0x82
ADDR_LPC_EN equ (CONFIG_DATA_ENABLE)|(PCH_LPC_DEV>>4)|(LPC_EN&0xFC)
IOPORT_LPC_EN equ 0xCFC+(LPC_EN&2)
; Complete 16-bit value written to the register; every bit not listed here is written as 0.
VALUE_LPC_EN equ (CNF2_LPC_EN|CNF1_LPC_EN|MC_LPC_EN|KBC_LPC_EN|COMB_LPC_EN|COMA_LPC_EN)
; Hook entry point. It is reached by a call that replaces two firmware instructions (reproduced at
; handle_overwritten_code), so on entry [esp] holds the return address into the patched code.
code_entry:
; patch code at FFF49FFB with a call instruction
; (installation step; the patch itself is not part of this listing)
pushad ; save the eight general-purpose registers (32 bytes). EFLAGS is not saved.
; 32 bytes of pushad + 4-byte return address + 4: the second dword on the hooked code's stack.
; Presumably a pointer to the firmware's MRC setup structure, since the stores under
; set_serialDebugMsgLvl go through it. TODO confirm against the hooked function.
mov esi, [esp+32+4+4]
; Run-once guard. The immediate of this mov is rewritten to 0x01 by the store at the end of this
; block, so every later entry takes the je and skips the hardware setup.
mov al, 0x00
; NOTE(review): cmp changes EFLAGS and nothing restores them, whereas the two displaced
; instructions (lea, push) leave flags untouched. Confirm the code after the patch site does not
; depend on flags set before it.
cmp al, 0x01
je already_setup
; call/pop pair: the call pushes the address of mark_setup_done, which pop then loads into eax.
call mark_setup_done
mark_setup_done:
pop eax
; 0xE = 5 (call rel32) + 6 (je in near form) + 2 (cmp al, imm8) + 1, i.e. the imm8 byte of
; "mov al, 0x00" above. Assumes je assembles to its 6-byte near form; inserting, removing or
; re-encoding any instruction between that mov and mark_setup_done invalidates the offset.
; NOTE(review): self-modifying store. It takes effect only if the bytes of this code are writable
; where it runs; otherwise the guard never trips and the setup repeats on every call. Confirm for
; the location the blob is injected at.
mov byte [eax-0xE], 0x01
; Program the Super I/O (Nuvoton, going by the label and key names) so that logical device
; PNP_DEV_FUNC responds at I/O base PORT. Every access writes an index to PNP_DEV_PORT and then a
; value to PNP_DEV_PORT+1. Clobbers al and dx.
; NOTE(review): these accesses to 0x2E/0x2F are issued before setup_pch_enable_lpc_decode
; programs the PCH decode enables, so they rely on that range already reaching the Super I/O.
; Confirm for the point at which the hook runs.
nuvoton_enable_serial:
nuvoton_pnp_enter_conf_state:
; Enter configuration mode: the entry key is written twice to the index port.
mov dx, PNP_DEV_PORT
mov al, NUVOTON_ENTRY_KEY
out dx, al
out dx, al
pnp_set_logical_device:
; Index 0x07 selects which logical device the following register accesses address.
mov dx, PNP_DEV_PORT
mov al, 0x07
out dx, al
mov dx, PNP_DEV_PORT+1
mov al, PNP_DEV_FUNC
out dx, al
pnp_set_disable:
; Disable the device while its I/O base is changed.
mov dx, PNP_DEV_PORT
mov al, PNP_IDX_EN
out dx, al
mov dx, PNP_DEV_PORT+1
mov al, 0
out dx, al
pnp_set_iobase:
; I/O base, high byte first (index PNP_IDX_IO0), then low byte (index PNP_IDX_IO0+1).
mov dx, PNP_DEV_PORT
mov al, PNP_IDX_IO0+0
out dx, al
mov dx, PNP_DEV_PORT+1
mov al, PORT>>8
out dx, al
mov dx, PNP_DEV_PORT
mov al, PNP_IDX_IO0+1
out dx, al
mov dx, PNP_DEV_PORT+1
mov al, PORT&0xFF
out dx, al
pnp_set_enable:
; Re-enable the device at its new base.
mov dx, PNP_DEV_PORT
mov al, PNP_IDX_EN
out dx, al
mov dx, PNP_DEV_PORT+1
mov al, 1
out dx, al
nuvoton_pnp_exit_conf_state:
; Leave configuration mode: the exit key is written once.
mov dx, PNP_DEV_PORT
mov al, NUVOTON_EXIT_KEY
out dx, al
; Program two 16-bit PCI configuration registers of the device encoded in PCH_LPC_DEV.
; Each access writes the dword address to 0xCF8, then the 16-bit value to the matching half of
; the 0xCFC data window. Clobbers eax and dx.
setup_pch_enable_lpc_decode:
; Config offset 0x80: I/O decode ranges.
mov dx, 0xCF8
mov eax, ADDR_LPC_IO_DEC
out dx, eax
mov dx, IOPORT_LPC_IO_DEC
mov ax, VALUE_LPC_IO_DEC
out dx, ax
; Config offset 0x82: decode enables.
; NOTE(review): both registers are overwritten with fixed values, not read, modified and written
; back. Any decode enable the firmware set earlier that is missing from VALUE_LPC_EN is cleared
; here. Confirm nothing else must stay decoded at this stage.
mov dx, 0xCF8
mov eax, ADDR_LPC_EN
out dx, eax
mov dx, IOPORT_LPC_EN
mov ax, VALUE_LPC_EN
out dx, ax
; Initialise the UART at I/O base 0x3F8. The register offsets (+0..+4) and values follow the usual
; 16550 layout; that the device behind PORT is 16550-compatible is assumed, not shown here.
; Clobbers al and dx.
; NOTE(review): the base is the literal 0x3F8, not PORT. The two are equal in this listing, but a
; change to PORT alone would leave these writes on the old address.
setup_uart:
set_lcr:
; +3 line control: 0x03 = 8 data bits, no parity, 1 stop bit. The next write replaces this value.
mov al, 0x03
mov dx, 0x3F8+3
out dx, al
enable_dlab:
; Same framing with bit 7 (DLAB) set, so +0/+1 address the baud-rate divisor latch.
mov al, 0x83
mov dx, 0x3F8+3
out dx, al
set_divisor_lo:
; Divisor = 0x0001 (115200 baud if the UART clock is the standard 1.8432 MHz; confirm).
mov al, 0x01
mov dx, 0x3F8+0
out dx, al
set_divisor_hi:
mov al, 0x00
mov dx, 0x3F8+1
out dx, al
disable_dlab:
; Clear DLAB so +0/+1 address the data and interrupt-enable registers again.
mov al, 0x03
mov dx, 0x3F8+3
out dx, al
set_mcr:
; +4 modem control: all outputs cleared.
mov al, 0x00
mov dx, 0x3F8+4
out dx, al
disable_all_interrupts:
; +1 interrupt enable: nothing enabled.
mov al, 0x00
mov dx, 0x3F8+1
out dx, al
enable_and_reset_fifo_trigger_level_14_bytes:
; +2 FIFO control: 0xC7 = enable FIFOs, clear both FIFOs, 14-byte receive trigger level.
mov al, 0xC7
mov dx, 0x3F8+2
out dx, al
; Overwrite fields of the structure addressed by esi (loaded at code_entry from the hooked code's
; stack). The field names come from the labels; the offsets are fixed numbers with no symbolic
; definition in this listing.
; NOTE(review): the offsets are presumably valid only for the firmware build they were taken from.
; On any other build these stores land on unrelated fields. Verify each offset against the target
; image before use.
set_serialDebugMsgLvl:
mov byte [esi+743], 0xA ; debug message level (meaning of the value 0xA not shown here)
set_consoleComPort:
; The same port value is stored into two 16-bit fields.
mov ax, PORT
mov word [esi+785], ax
mov word [esi+47377], ax
;set_unknown_condition:
;FFF4A122
;mov word [esi+47357], 0
set_legacy_serial_debug:
mov byte [esi+0xB629], 0
set_MULTI_THREAD_MRC_EN_off:
; Read-modify-write: clear bit 7 of the byte at esi+7 and keep the other seven bits.
mov al, byte [esi+7]
and al, 0x7F
mov byte [esi+7], al
; Common exit: restore the registers, reproduce the effect of the two instructions that the call
; patch displaced, and return into the patched code.
already_setup:
popad ; restore the registers saved by pushad; esp points at the return address again
handle_overwritten_code:
; copy return address
pop eax ; eax = return address; esp = orig_esp, the stack pointer the hooked code had
push eax ; [orig_esp-4] = return address
push eax ; [orig_esp-8] = return address
; esp is now orig_esp-8 (the return address was pushed twice; two dwords lower esp by 8)
%define orig_esp (esp+8)
; original overwritten code:
; lea eax, [esp+0Ch]
; push eax
adapted_overwritten_code:
lea eax, [orig_esp+0x0C] ; same address the original lea produced from the unhooked esp
; Emulate "push eax": the slot at orig_esp-4 is where the original push would have stored eax.
; It currently holds the upper copy of the return address, which is no longer needed.
mov [orig_esp-4], eax
ret ; pops the remaining copy at [orig_esp-8]; esp ends at orig_esp-4, as after the original push