I think these Evox M8 BIOS BFM patches were written by rmenhal for use in PBL Metoo. Since this code is now hard to come by, here are the code snippets.
m8_bfm_2bl_patch.asm
;;;
;;; Compile this with NASM.
;;;
;;; BFM patch for EvoX M8 bios 2bl. Compile and paste this at offset 0x1cc
;;; into the 2bl (or 0x3d1cc into the 256k bios image).
;;;
;;; Syntax: NASM (Intel operand order), 32-bit flat binary.
;;; Purpose: build a page directory and one page table, load CR3 and the
;;; GDT, reload the segment registers, set up a stack, then call
;;; unpackandrun.
;;; In:  ECX = a base address supplied by whoever jumps here. It is used as
;;;      the physical base of the 1 MiB window mapped below, so it is
;;;      presumably page-aligned -- confirm against the loader.
;;; The code writes the page directory through 0x8000f000 and later loads
;;; CR3 with 0xf000, so it assumes 0x80000000+x already reaches physical x
;;; when it starts -- TODO confirm.
BITS 32
ORG 0x4001cc
cli                             ; interrupts stay off for the whole setup
cld                             ; stosd below must count upwards
mov edx,ecx                     ; keep the entry value; ECX is needed as loop counter
mov edi,0x8000f000              ; EDI = page directory being built
mov ecx,0x40                    ; 0x40 directory entries...
mov eax,0xe3                    ; ...starting at physical 0, low bits 0xe3 (P|RW|A|D|PS on x86;
                                ; PS needs CR4.PSE, which this code does not set -- assumed on)
pmempagesl:
mov [edi+0x800],eax             ; entry 0x200+i: same frame at 0x80000000 + i*4 MiB
stosd                           ; entry i: identity mapping; EDI += 4
add eax,0x400000                ; next 4 MiB frame
loop pmempagesl
mov ecx,0x1c0                   ; remaining 0x1c0 entries of each half...
xor eax,eax                     ; ...are written as 0 (not present)
nmpagesl:
mov [edi+0x800],eax
stosd
loop nmpagesl
mov edi,0x8000f000              ; back to the start of the directory
mov eax,0xf063                  ; physical 0xf000 + flags 0x63 (P|RW|A|D)
mov [edi+0xc00],eax             ; entry 0x300 points at the directory itself
sub eax,0x1000                  ; 0xe063: the page table one page below the directory
mov [edi+0xff0],eax             ; the last four directory entries (top 16 MiB of
mov [edi+0xff4],eax             ; the address space) all share that one page table
mov [edi+0xff8],eax
mov [edi+0xffc],eax
sub edi,0x1000                  ; EDI = 0x8000e000, the page table itself
mov ebp,4                       ; fill it with four identical runs
maprommirl:
lea eax,[edx+0x63]              ; first entry of a run: saved entry value + flags 0x63
mov ecx,0x100                   ; 0x100 entries = 1 MiB per run
maproml:stosd
add eax,0x1000                  ; next 4 KiB frame
loop maproml
dec ebp
jnz maprommirl                  ; 4 runs * 0x100 entries fill the whole table
mov eax,0xf000
mov cr3,eax                     ; switch to the directory just built
lgdt [0x4001c0]                 ; GDT descriptor sits 12 bytes before this patch's ORG
jmp 0x8:dtcj                    ; far jump reloads CS with selector 0x8
dtcj:
mov eax,0x10
mov ds,ax                       ; data/stack segments use selector 0x10
mov es,ax
mov ss,ax
mov esp,0x80400000              ; new stack top
xor eax,eax
mov fs,ax                       ; FS and GS get the null selector
mov gs,ax
add edx,0x80100000              ; saved entry value + 0x80100000...
mov [shadowromtop],edx          ; ...kept for unpackandrun
mov eax,unpackandrun
call eax                        ; call through a register: absolute, ORG-based target
.inf: jmp short .inf            ; spin forever if the call ever returns
align 4
shadowromtop dd 0               ; written above, read in unpackandrun
;;; unpackandrun: clear one dword, call a routine of the surrounding 2bl,
;;; adjust a field at 0x80010030 by shadowromtop, then continue in the 2bl.
;;; The two absolute targets (0x40071f, 0x4005c1) lie outside this patch;
;;; what they do is not visible here.
unpackandrun:
and dword [0x80402e51],byte 0   ; zero the dword at 0x80402e51 (unaligned address; purpose not shown here)
call 0x40071f                   ; routine in the unpatched 2bl -- presumably the unpack step, going by the label name
mov eax,[shadowromtop]
add [0x80010030],eax            ; offset the dword at 0x80010030 by shadowromtop
                                ; (the kernel patch reads 0x80010000+30h as a source address)
jmp 0x4005c1                    ; resume in the unpatched 2bl; the return address pushed by `call eax` is never used
m8_bfm_kernel_patch.asm
;;;
;;; Compile this with NASM.
;;;
;;; Allocate contiguous memory for the initialized data segment and
;;; video encoder data segment. Then allocate the corresponding section of
;;; the flash rom to make the pages present and copy the data. Then free
;;; the temporary flash rom allocation. The flash rom is no longer needed.
;;;
;;; Intended to be patched into M8 at 0x80054922 (jmp). This patch can be
;;; placed anywhere, including INIT section. I put it at offset 0x8002f0de.
;;;
;;; To make a working BFM kernel, you'll also need to replace the byte 0xc1
;;; at offset 0x8001e7b7 with byte 0x00. Additionally you need to set the
;;; flags at 0x8003c138 from byte 0x00 to byte 0x03.
;;;
;;; Syntax: NASM (Intel operand order), 32-bit flat binary.
;;; Register roles: ESI = 0x80010000 (header base) until it is reloaded with
;;; the old source address; EBX = byte count; EDI = destination buffer.
;;; All general registers are saved by pushad/popad.
;;; Kernel routines are called at fixed addresses with their arguments
;;; pushed last-to-first; the names are the ones given by the author.
;;; NOTE(review): neither allocation result is checked before it is used.
BITS 32
ORG 8002F0DEh
pushad
mov esi,80010000h               ; ESI = base of the header whose fields are read below
push esi
call 8001DDD4h; MmGetPhysicalAddress
dec eax                         ; highest acceptable address = physical(base) - 1
mov ebx,[esi+2Ch]
add ebx,[esi+38h]               ; EBX = sum of the two size fields = bytes to allocate and copy
push byte 4                     ; arguments for the call, pushed last-to-first:
push byte 0                     ;   EBX, 0, EAX, 0, 4
push eax
push byte 0
push ebx
call 8001DE22h; MmAllocateContiguousMemoryEx
mov edi,eax                     ; EDI = destination buffer (result is not checked)
push byte 1
push ebx
push edi
call 8001E021h; MmPersistContiguousMemory
mov edx,[esi+30h]               ; EDX = current source address of the data
push edi                        ; keep the unmasked destination for later
lea ecx,[ebx+0FFFh]             ; size + 0xFFF, so the masks below round the end up
mov ebp,07FFFF000h              ; mask: page-align and drop the top address bit
lea eax,[edx+ecx]
add ecx,edi
and edx,ebp
and edi,ebp
and eax,ebp
and ecx,ebp
;; EDX = src start
;; EAX = src end
;; EDI = dest start
;; ECX = dest end
;; The compares clip the source range so that it does not overlap the
;; destination range that was just allocated.
cmp edx,edi
jae highsrc                     ; source starts at or above the destination start
cmp eax,edi
jbe srcalloc                    ; source ends before the destination: nothing to clip
mov eax,edi                     ; clip the source end to the destination start
jmp short srcalloc
highsrc:cmp edx,ecx
jae srcalloc                    ; source starts after the destination: nothing to clip
mov edx,ecx                     ; clip the source start to the destination end
srcalloc:
pop edi                         ; EDI = unmasked destination again
cmp eax,edx
je skipsa                       ; empty source range: skip the allocation and the copy
push byte 4                     ; arguments, last-to-first: size, EDX (lowest),
push byte 0                     ;   EAX-1 (highest), 0, 4
dec eax
push eax
push edx
sub eax,edx
inc eax                         ; size = (end - 1) - start + 1
push eax
call 8001DE22h; MmAllocateContiguousMemoryEx
push eax; push argument for MmFreeContiguousMemory
pushf                           ; saves IF and DF; restored by popf below
push dword [esi+30h]            ; old source address, popped into ESI below
cli
mov eax,0C0200040h              ; presumably the page-table entry covering 0x80010000,
                                ; given a page-table self-map at 0xC0000000 -- confirm
push dword [eax]                ; save the entry
or dword [eax],byte 03h         ; set its two low bits (present + writable in an x86 PTE)
mov ecx,cr3
mov cr3,ecx                     ; reloading CR3 flushes the TLB so the change takes effect
mov [esi+30h],edi               ; point the header field at the new buffer
wbinvd
pop dword [eax]                 ; restore the original entry...
mov cr3,ecx                     ; ...and flush again
pop esi                         ; ESI = old source address
cmp esi,edi
ja copy                         ; source above destination: forward copy is safe
je nocopy                       ; same address: nothing to do
lea ecx,[esi+ebx]
cmp ecx,edi
jbe copy                        ; source ends at or before the destination: forward copy
lea esi,[ecx-1]                 ; overlapping with source below destination:
lea edi,[edi+ebx-1]             ; start at the last byte of each range...
std                             ; ...and copy downwards
copy: mov ecx,ebx
rep movsb
nocopy:
popf                            ; restores the direction flag changed by std, and IF
call 8001E4E7h; MmFreeContiguousMemory
skipsa:
popad
jmp 800B145Ah                   ; continue in the unpatched kernel
m8_eject_trick_patch.asm
;;;
;;; Compile with NASM.
;;;
;;; Eject trick patch for Evox M8. Better than the original.
;;; Compile and paste this at kernel offset 0x8002f5c8.
;;;
;;; Set the dword at offset 0x8002f687 to:
;;; ff ff ff 00 for eject trick
;;; ff ff ff 80 for eject fix (never reset on eject).
;;;
;;; Additionally:
;;; for eject trick, set the byte at 0x8001501b to 0xc3.
;;; for eject fix, set the byte at 0x8001500b to 0xc3.
;;;
;;; Syntax: NASM (Intel operand order), 32-bit flat binary.
;;; This fragment replaces code inside an existing kernel function: EBP and
;;; ECX are used as the surrounding function left them, and control leaves
;;; through an absolute jmp, not ret. Their meaning is not visible here.
;;; Clobbers EAX, EDX, EDI and flags; ECX is preserved across the call.
BITS 32
snorg equ 0x8002f5c8
ORG 0x8002f5c8
lf5c8: mov eax,[0x8003c138]     ; EAX = flags dword (same address as the "flags" byte in the BFM kernel notes)
xor edi,edi                     ; EDI = 0, pushed as an argument below
cmp byte [0x8003b87c],0x0
jne decideroe                   ; byte non-zero: skip the call
test al,0x8
jne skroedsbl                   ; bit 3 already set: skip the call
push eax                        ; EAX and ECX must survive the call
push ecx
retry: push byte 1              ; four stacked values, last-to-first: 0x20, 0x19, 0, 1
push edi
push byte 0x19
push byte 0x20
call 0x80014743                 ; kernel routine, not identified on this page
test eax,eax
jl retry                        ; NOTE(review): retries on any negative result with no limit,
                                ; so a persistent failure spins here forever
pop ecx
pop eax
skroedsbl:
decideroe:
and eax,byte -0x9               ; clear bit 3; it is set again at roeoff when needed
cmp byte [ebp+0xc],0x0          ; byte in the enclosing function's frame
jnz roeoff
mov edx,[ebp-0x14]
test [edx+0x9c],ecx             ; ECX is a mask supplied by the enclosing function
jnz roeoff
test al,0x4                     ; bit 2 of the flags dword
jnz roeoff
test [0x8003c158],ecx
jz setflags
roeoff: or eax,byte +0x8        ; set bit 3
setflags:
mov [0x8003c138],eax            ; store the updated flags
jmp 0x8002f63f                  ; continue in the unpatched kernel
;; Build-time guard: the patch has to fit into the bytes between snorg and
;; 0x8002f629. The remainder is filled with 0xcc (int3), so stray execution
;; into the padding traps instead of running leftover bytes.
%if ($-lf5c8) > (0x8002f629-snorg)
%error patch too big!
%endif
times ((0x8002f629-snorg)-($-lf5c8)) db 0xcc
m8_xbl_block_patch1.asm and m8_xbl_block_patch2.asm
;;; Syntax: NASM (Intel operand order), 32-bit flat binary.
;;; In:  EBX = pointer to a record; [EBX+14h] is read as a pointer to a name
;;;      string (looks like a section header of the image being loaded --
;;;      confirm against the patched kernel function).
;;; If the name equals 'XONLINE' (terminating NUL included), the routine at
;;; 8002F68Bh is called. Clobbers ESI, EDI, ECX and flags.
;;; Assumes the direction flag is clear on entry -- TODO confirm.
BITS 32
ORG 8002EF52h
SNORG equ 8002EF52h
xblpatch1:
mov esi,[ebx+14h]               ; ESI = name pointer taken from the record
test esi,esi
jz .skip                        ; no name: nothing to compare
mov edi,xblsecstr
push byte XBLSECSTRLEN          ; push/pop loads the 8-byte length into ECX
pop ecx
rep cmpsb                       ; compares while bytes are equal; ZF = 1 only on a full match
jne .skip
call 8002F68Bh                  ; second patch, assembled separately at that address
.skip: pop edi                  ; presumably re-creates an instruction this patch overwrote -- confirm
;; Hand-encoded `jmp short 8002EF97h`: opcode 0EBh plus an 8-bit displacement
;; measured from the end of this two-byte instruction.
db 0EBh, 8002EF97h-(SNORG+2+$-$$)
xblsecstr db 'XONLINE',0
XBLSECSTRLEN equ $-xblsecstr
;; Build-time guard: the patch has to fit below 8002EF76h; the remainder is
;; filled with 0xcc (int3).
%if ($-xblpatch1) > (8002EF76h-SNORG)
%error patch too big!
%endif
times ((8002EF76h-SNORG)-($-xblpatch1)) db 0xcc
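;;;---------------------------------------------------------------------
;;; xblpatch2 -- NASM (Intel operand order), 32-bit flat binary, assembled
;;; for address 8002F68Bh (the target of `call 8002F68Bh` in patch 1).
;;;
;;; Scans a memory region for the 6-byte sequence in codestr. Where the
;;; sequence is followed, at offset +7, by the dword 80151000h, the two
;;; bytes at offset +2 (75h 0Ch, a short conditional jump) are overwritten
;;; with 90h 90h (two NOPs). Scanning stops at the first such hit or when
;;; the region is exhausted.
;;;
;;; In:    EBX = pointer to a record; [EBX+4] = region start address,
;;;        [EBX+10h] = region length in bytes (looks like a section
;;;        header of the loaded image -- confirm against the caller)
;;; Out:   nothing
;;; Clobb: EAX, ECX, ESI, EDI, flags; uses 4 bytes of stack
;;; Assumes the direction flag is clear on entry -- TODO confirm.
;;;
;;; Fix over the original listing: `rep cmpsb` consumes ECX, which is also
;;; the outer "bytes left" counter. The counter was overwritten on every
;;; probe, so the length bound was never enforced and the scan could run
;;; past the end of the region. The counter is now kept on the stack for
;;; the duration of the compare.
;;;---------------------------------------------------------------------
        BITS 32
        ORG 8002F68Bh
SNORG   equ 8002F68Bh

xblpatch2:
        mov     eax,[ebx+4]             ; EAX = scan cursor, starts at the region base
        mov     ecx,[ebx+10h]           ; ECX = region length
        cmp     ecx,byte 12
        jb      .skip                   ; too short for one probe (reads reach cursor+10)
        sub     ecx,byte 10             ; ECX = number of cursor steps + 1
.searchl:
        inc     eax                     ; next candidate (offset 0 is never probed)
        dec     ecx
        jz      .skip                   ; region exhausted without a hit
        mov     esi,eax
        mov     edi,codestr
        push    ecx                     ; park the outer counter: rep cmpsb uses ECX
        push    byte CODESTRLEN
        pop     ecx
        rep cmpsb                       ; ZF = 1 only if all CODESTRLEN bytes match
        pop     ecx                     ; restore the counter; pop leaves ZF untouched
        jne     .searchl
        cmp     dword [eax+7],80151000h ; the hit must carry this immediate at +7
        jne     .searchl
        mov     word [eax+2],9090h      ; replace the 75h 0Ch jump with two NOPs
.skip:
        ret

;; A8 01 / 75 0C / C7 45: test al,1 ; jnz short +0Ch ; first two bytes of
;; mov dword [ebp+disp8],imm32
codestr db 0A8h, 01h, 75h, 0Ch, 0C7h, 45h
CODESTRLEN equ $-codestr

;; Build-time guard: the patch has to fit below 8002F6F8h; the remainder is
;; filled with 0xcc (int3).
%if ($-xblpatch2) > (8002F6F8h-SNORG)
%error patch too big!
%endif
        times ((8002F6F8h-SNORG)-($-xblpatch2)) db 0xcc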