655 replies to this topic

[bcc9]

bcc9, if you otool -arch i386 -vt ATIFramebuffer I can see the addl for each framebuffer, and find the address as you say.

However, otool -arch x86_64 -vt ATIFramebuffer does not show an addl in the CreateInfo section

I normally only boot my hackintosh systems in 32 bit mode as that is how genuine macs run under 10.6. (If Apple is treating 64 bit mode as bleeding edge, why venture into the uncharted territory with no noticible performance difference?)

Anyways, yes, for examining&patching the 64-bit code, the instructions are necessarily a bit different, as the addressing modes are different.

For the 64-bit address of the ConnetorInfo table, look at the last leaq instruction. Compute the effective address by adding the operand's constant to the address of the next instruction. So in the Uakari case:

000000000000db7e	leaq	0x00004cbb(%rip),%rdi
  000000000000db85	movslq	%ecx,%rax

The effective address for the lea instruction is 0x4cbb+0xdb85=0x12840
And for routines whose table has only one connector, look for the leaq instruction that immediately proceeds the movq with 0x10(%rsi) as the second operand. Compute the effective address as above.

Once you have this effective address, you should be able to convert from virtual address to disk offset as described in post #1.

Are you booting -arch i386 after this mod? Or does making the 1 change in the table still work for you booting into the normal 64 bit mode?

I don't think it's even possible to share data between architectures in a fat binary (unless it's done thru a file). So yes, there are duplicate copies of all the ConnectorInfo tables for both architectures.

I am not sure you are correct about the LVDS Connector type.
Wormy looks to me like its 1st port is 0x8000

Huh? Where do you get that from? For wormy:

dd if=ATIFramebuffer of=/tmp/wormy bs=1 skip=221720 count=32
od -Ax -tx1 /tmp/wormy
000000 02 00 00 00 40 00 00 00 29 00 00 00 00 01 01 03
000010 04 00 00 00 16 00 00 00 00 00 00 00 00 10 02 01

So
port-number 0, connector-type 0x00000002 = LVDS
port-number 1, connector-type 0x00000004 = DVI

In my #defines, the integers are in native/host byte order (little endian).

[wmarsh]

Huh? Where do you get that from? For wormy:

dd if=ATIFramebuffer of=/tmp/wormy bs=1 skip=221720 count=32
od -Ax -tx1 /tmp/wormy
000000 02 00 00 00 40 00 00 00 29 00 00 00 00 01 01 03
000010 04 00 00 00 16 00 00 00 00 00 00 00 00 10 02 01

So
port-number 0, connector-type 0x00000002 = LVDS
port-number 1, connector-type 0x00000004 = DVI

In my #defines, the integers are in native/host byte order (little endian).

I'll recheck my math; I got skip 221144 (hex 35fd8) for Wormy. Wondered why it looked so weird.

[EDIT]
Found the problem. Wormy has 3 addl
for wormy, 32 bit
start for arch + offset + virtual add - start for seg
155648 + 61624 + fee0 - ed80 = 221720

You are correct, but I learn by example

[bcc9]

Found the problem. Wormy has 3 addl

Yes, and the instructions for 32-bit were to look at the last addl of the routine, which does direct you to the right one in this case (and the other cases from what I can see).

I did also provide an example, with the math, in post #1.

Seems like a perl script may be in order here...

[wmarsh]

Yes, and the instructions for 32-bit were to look at the last addl of the routine, which does direct you to the right one in this case (and the other cases from what I can see).

I did also provide an example, with the math, in post #1.

Seems like a perl script may be in order here...

No your instructions were good, I just was working too fast.
And the last time I read decompiled binaries I was using a Z-80 cpu, so I am out of practice.

The first test for LVDS did not work. I tried MotMot and GraphicsEnabler=y, but I think Graphics Enabler injects at the right place for desktop cards, and my study of my DSDT (esp considering Nvidia laptops vs desktop hacks) suggests this is not correct for mobility cards. So I am going to try again with DSDT hack instead.

[bcc9]

So in post #1 I recommended that you could find some other personalities where those ports do work to "discover" the working value for the senseid. Another choice would be to guess what that value should be. Or help figure out how to determine the value automatically from the atom bios or directly from the card

Ok, I believe I've mapped the senseid field to the atom bios!
i2cid = (senseid & 0xf-1)+0x90;
or the inverse:
senseid = (i2cid & 0xf) +1;
Now here's a version of my radeondump that will print the i2cids for the connectors.
Edit: See radeon_bios_decode in post #1 for newer version that computes the senseid value for you, and also prints encoder information.

For example, for my sapphire card:

./radeondump < rom
	  ATOM BIOS Rom: 
			  SubsystemVendorID: 0x174b SubsystemID: 0xe151
			  IOBaseAddress: 0x0000
			  Filename: 3E151DAF.HY1
			  BIOS Bootup Message: 
	  REDWOOD XT C02002 GDDR5 64Mx16 1G UCODEv:126							   
	  
	  Connector at index 0 type: DisplayPort (10)
	  Connector's i2cid: 91
	  Connector at index 1 type: HDMI-A (11)
	  Connector's i2cid: 94
	  Connector at index 2 type: DVI-I (2)
	  Connector's i2cid: 92
	  Connector at index 3 type: DVI-I (2)
	  Connector's i2cid: 92

(In the above the i2cid is printed base 16).

So the senseid values are:
DP: (91&0xf)+1 = 2
HDMI: (94&0xf)+1=5
DVI: (92&0xf)+1=3

These exactly match the senseid that I found in post #1 by experimentation.

[wmarsh]

Extremely helpful.

For most mobility cards, you can't dump video bios to file with gpu-z. But dong's old tool (also named radeondump) posted in the X Labs thread ATIFramebuffer will dump it to file.

This explains 1 reason why prior attempts at LVDS failed. LVDS is on port 1!
All the native FB with LVDS have LVDS on port 0

bash-3.2# ./radeondump < ./VBIOS/9552.0301.00E0.vga.rom 
ATOM BIOS Rom: 
	SubsystemVendorID: 0x1028 SubsystemID: 0x02aa
	IOBaseAddress: 0xde00
	Filename: BR31245C.001
	BIOS Bootup Message: 
Dell_Roberts_M92S_GDDR3 M92 GDDR3 64bit 450e/600m						   

Connector at index 0 type: VGA (1)
Connector's i2cid: 91
Connector at index 1 type: LVDS (7)
Connector's i2cid: 90

So the senseid values are:
VGA: (91&0xf)+1 = 2
LVDS: (90&0xf)+1=1

[Chenda]

I been trying for figure this stuff out for a majority of last night, but was unsuccessful to find my senseID values. I was not able to calculate them properly or doing it wrong somewhere. I must have been adding the wrong values.

After the radeondump v0.02 tool was posted, I was able to get this.

./radeondump < 1002_9460.rom
   ATOM BIOS Rom: 
	   SubsystemVendorID: 0x174b SubsystemID: 0xe115
	   IOBaseAddress: 0x0000
	   Filename: E115QA1G.S02
	   BIOS Bootup Message: 
   WEKIVA RV790 B790 BOARD 850E/975M										 
	 
   Connector at index 0 type: DVI-I (2)
   Connector's i2cid: 93
   Connector at index 1 type: DVI-I (2)
   Connector's i2cid: 93
   Connector at index 2 type: VGA (1)
   Connector's i2cid: 90
   Connector at index 3 type: HDMI-A (11)
   Connector's i2cid: 91
   Connector at index 4 type: DisplayPort (10)
   Connector's i2cid: 92

Also, here is my Motmot ConnectorInfo table.

__ZN10MotMotInfo10createInfoEhR18PlatformParameters:
 0000b838	pushl	%ebp
 0000b839	movl	%esp,%ebp
 0000b83b	movl	0x0c(%ebp),%ecx
 0000b83e	movl	$0x0000e180,0x08(%ecx)
 0000b845	movb	$0x02,0x04(%ecx)
 0000b849	xorl	%edx,%edx
 0000b84b	leal	(%edx,%edx,4),%eax
 0000b84e	leal	0x000102e0(,%eax,4),%eax
 0000b855	movl	%eax,0x0c(%ecx,%edx,4)
 0000b859	incl	%edx
 0000b85a	movzbl	0x04(%ecx),%eax
 0000b85e	cmpl	%edx,%eax
 0000b860	jg	0x0000b84b
 0000b862	xorl	%eax,%eax
 0000b864	leave
 0000b865	ret

Can you elaborate a bit more on how to calculate the senseID value? And once I get this value, where do I insert the C-Code on post#1? DSDT? Thanks in advance. I would really like to get dual monitor working on my 4890. Thank you in advance.

Other numbers that might be usefull.
My i1386 arch offset is 151552
102e0+b855= 1BB35 = 113461 dec value

[bcc9]

Extremely helpful.

For most mobility cards, you can't dump video bios to file with gpu-z. But dong's old tool (also named radeondump) posted in the X Labs thread ATIFramebuffer will dump it to file.

For dumping ATI video bios, there is atiflash.exe
You can write this dos executable to a freedos formatted usb thumbdrive and dump the full video bios that way.

More simply, if you can at least boot into osx with your card, you can look at the ioregistry, and most of the video bios is present under the ATY,bin_image key.
Covert from hex to binary with xxd, and you're done. Luckily radeondump only needs something less than the first 64K of the bios to read the atom bios information.
Being able to regenerate the bios from just an ioregistry dump is pretty convenient - I was able to do this from an apple store system.

Oh, didn't realize there was a namespace collision. radeon_bios_decode maybe?

Can you elaborate a bit more on how to calculate the senseID value?

Since I claimed:
senseid = (i2cid & 0xf) +1;

from your dump it can be seen that your card has 4 connectors:
dual-link DVI, senseid: 4
VGA, senseid: 1
HDMI: senseid: 2
DP: senseid: 3

And once I get this value, where do I insert the C-Code on post#1? DSDT? Thanks in advance. I would really like to get dual monitor working on my 4890. Thank you in advance.

Then you proceed with the rest of post #1 where you dump out the best matching personality table(s) and build a new one that exactly matches the 4 connectors you have. Then binary patch ATIFramebuffer with the result. Since motmot is what chameleon thinks you card should have, I'd start there, but it's obviously not going to be a complete table since it only includes 2 connectors.

[wmarsh]

For dumping ATI video bios, there is atiflash.exe
You can write this dos executable to a freedos formatted usb thumbdrive and dump the full video bios that way.

Doesn't work, tried it months ago. Like many laptops the video bios is locked so it cannot be flashed or read.

More simply, if you can at least boot into osx with your card, you can look at the ioregistry, and most of the video bios is present under the ATY,bin_image key.
Covert from hex to binary with xxd, and you're done. Luckily radeondump only needs something less than the first 64K of the bios to read the atom bios information.
Being able to regenerate the bios from just an ioregistry dump is pretty convenient - I was able to do this from an apple store system.

Nice trick. I wanted to compare the ports with my daughters MBP, but dongs tool doesn't work on it

[EDIT -- most curious -- in my system -- currently using dong's FB until/unless we get Mobility Radeon working -- there is no ATY,bin_image key

Now I have read the 5xxx cards need to load the video bios with Chameleon and the VideoROM key in com.apple.boot.plist.

Could be Mobility cards with locked VBIOS have same issue & so am going to try loading my VBIOS in the same way, then retry the modified FB.]

Oh, didn't realize there was a namespace collision. radeon_bios_decode maybe?

Good choice

[jsl]

Viola, all 3 ports are now working with my card...

Hope this helps others with non-working ports or with HDMI audio problems.
Questions/comments?

bcc9,
Thanks for such an excellent guide for us.
According to your theory and successful experience is it essential to use the connector-type 0x800 for HDMI audio ?
Because my MSI Hawk 5770 need a DP->HDMI convertor to get HDMI audio working by Eulemur FB which actually use the connector-type 0x800.
Is it possible to download your modified ATIFrameBuffer for us to test or verify whether it can be working for other ATI HD 5xxx cards by Uakari FB ?

[hjs89]

Acer Aspire 5738ZG ATI Radeon Mobility HD 4570

$ ./radeondump < 9553.0301.00E0.vga.rom 

ATOM BIOS Rom: 
	SubsystemVendorID: 0x1025 SubsystemID: 0x0205
	IOBaseAddress: 0x2000
	Filename: BR33359D.bin
	BIOS Bootup Message: 
Acer_JV50_MV_M92M2_XT_DDR3 M92 DDR3 64bit 680e/800m						 

Connector at index 0 type: LVDS (7)
Connector's i2cid: 96
Connector at index 1 type: VGA (1)
Connector's i2cid: 90
Connector at index 2 type: HDMI-A (11)
Connector's i2cid: 91

So...

LVDS (96&0xf) = 7
VGA (90&0xf) = 1
HDMI (91&0xf) = 2

[Boombeng]

That would depend upon the capabilities of your video card. Your card's DVI ports may carry HDMI audio (but probably not). To know for sure, check your lspci output.
Borrowing from Kabyl's post:

lspci -nnvd 0x1002: | grep -B2 Subsystem

Would show you two PCI devices if your video card supports audio. The second PCI device with audio class (0403) would be the audio device. Example:

lspci -nnvd 0x1002: | grep -B2 Subsystem
	   01:00.0 VGA compatible controller [0300]: ATI Technologies Inc Redwood [Radeon HD 5670] [1002:68d8] (prog-if 00 [VGA controller])
			   Subsystem: PC Partner Limited Device [174b:e151]
	   --
	   
	   01:00.1 Audio device [0403]: ATI Technologies Inc Redwood HDMI Audio [Radeon HD 5600 Series] [1002:aa60]
			   Subsystem: PC Partner Limited Device [174b:aa60]

Yep, the dvi carry audio since it works under windows using a dvi>hdmi adapter, and here is the
lspci -nnvd 0x1002: | grep -B2 Subsystem (Radeon HD 4850 Gainward GoldenSample) :

01:00.0 VGA compatible controller [0300]: ATI Technologies Inc RV770 [Radeon HD 4850] [1002:9442] (prog-if 00 [VGA controller])
		Subsystem: CardExpert Technology Unknown device [10b0:0801]
	--
	01:00.1 Audio device [0403]: ATI Technologies Inc HD48x0 audio [1002:aa30]
		Subsystem: CardExpert Technology Unknown device [10b0:aa30]

The card has 3 ports :
dual-link DVI, senseid: 3
9 pin DIN (s-video), senseid: ?
dual-link DVI, senseid: 4

So, according to your finds i have to overwrite bytes on a personality with 3 ports : dvi at port 0 with senseid=3, s-video at port 1 with unknown senseid and dvi at port 0 with senseid=4 but it seems the second port (s-video) doesn't have I2CID:

ATOM BIOS Rom: 
	  SubsystemVendorID: 0x10b0 SubsystemID: 0x0801
	  IOBaseAddress: 0x0000
	  Filename: 48501170.234
	  BIOS Bootup Message: 
  ATI RADEON HD4800 SERIES												 
  
  Connector at index 0 type: DVI-I (2)
  Connector's i2cid: 92
  Connector at index 1 type: DVI-I (2)
  Connector's i2cid: 92
  Connector at index 2 type: 9 pin DIN (9)
  Connector at index 4 type: DVI-I (2)
  Connector's i2cid: 93
  Connector at index 5 type: DVI-I (2)
  Connector's i2cid: 93

I remember the s-video, vga and dvi ports used to work on my old HD3850 under 10.5.8 using Megalodon Framebuffer
so i had a look to Megalodon :

It uses 3 different connectors on 3 ports :
movb $0x03
addl $0x00010cc0 (60800)

offset_for_segment = 61624
start_address_for_segment = 60800
155648+61624+68800-60800 = 225272

0000000 00 02 00 00 14 00 00 00 00 00 00 00 00 01 01 11 > What type of connector ? LVDS (?)
0000010 04 00 00 00 16 00 00 00 00 00 00 00 00 10 02 12 > DVi
0000020 80 00 00 00 02 00 00 00 04 00 00 00 00 10 00 00 > What type of connector ?

We can see the dvi connector at port 1 but what are port 0 and port 2 connectors ? S-video and vga ?

Thx again for this great work bcc9

[hjs89]

Acer Aspire 5738ZG ATI Radeon Mobility HD 4570

$ ./radeondump < 9553.0301.00E0.vga.rom 

ATOM BIOS Rom: 
	SubsystemVendorID: 0x1025 SubsystemID: 0x0205
	IOBaseAddress: 0x2000
	Filename: BR33359D.bin
	BIOS Bootup Message: 
Acer_JV50_MV_M92M2_XT_DDR3 M92 DDR3 64bit 680e/800m						 

Connector at index 0 type: LVDS (7)
Connector's i2cid: 96
Connector at index 1 type: VGA (1)
Connector's i2cid: 90
Connector at index 2 type: HDMI-A (11)
Connector's i2cid: 91

So...

LVDS (96&0xf) = 7
VGA (90&0xf) = 1
HDMI (91&0xf) = 2

After this I've tried to mod Vervet personality

000000 00 02 00 00 14 00 00 00 00 01 00 00 00 00 06 07 LDVS port*
	000010 00 04 00 00 00 04 00 00 00 01 00 00 12 04 04 01 VGA port**
	000020 00 08 00 00 00 02 00 00 00 01 00 00 22 05 05 02 HDMI port
	000030 00 08 00 00 00 02 00 00 00 01 00 00 22 05 05 05

*Suposed to be LDVS code.
**I think that is DVI code, but there isn't any VGA example.

The result of this:

- Laptop's screen: I've got a black screen but it seems to be detected with correct resolution 1366x768.
- VGA's screen: It doesn't work. I don't know if something happens like laptop's screen.
- HDMI's screen: For first time works! It's detected with correct resolution 1440x900.

And happens a strange thing. The screens are switched. In Preference Panel if I change the resolution of HDMI monitor changes in the Laptop and when I change the resolution of Laptop's screen changes in HDMI.

In Ioregistryexplorer I can see only 2 "Frambuffer" loaded. The both are Vervet and 0 seems to have Laptop's screen information and 1 of HDMI.

I want try other framebuffers supposedly to be more friendly to 4000 series like Peregrine, Motmot, Flicker, etc

[bcc9]

Yep, the dvi carry audio since it works under windows using a dvi>hdmi adapter, and here is the
lspci -nnvd 0x1002: | grep -B2 Subsystem (Radeon HD 4850 Gainward GoldenSample) :

Great, then you should be able to get it to work. You may have to change the connector-type from DVI to HDMI for the port you have the adapter on before it'd pass audio. Remember also to inject the requisite hda-gfx strings to turn on the HDMI audio support.

So, according to your finds i have to overwrite bytes on a personality with 3 ports : dvi at port 0 with senseid=3, s-video at port 1 with unknown senseid and dvi at port 0 with senseid=4 but it seems the second port (s-video) doesn't have I2CID:

The port order in the ConnectorInfo table doesn't have to match the port order in your atom bios. Mine did not at least. However the senseid has to match up.

Now in your HD3850 example, you could figure out exactly which table entries are being used by which connector by dumping the ioregistry repeatedly with different connectors plugged in.

0000000 00 02 00 00 14 00 00 00 00 00 00 00 00 01 01 11 > What type of connector ? LVDS (?)

This one is not LVDS because the connector type ix 0x00000200 not 0x00000002=LVDS

0000020 80 00 00 00 02 00 00 00 04 00 00 00 00 10 00 00 > What type of connector ?

This one is probably s-video, notice that the senseid byte is 0.

Thx again for this great work bcc9 smile.gif

Thanks, I'm still waiting for the success stories

[Boombeng]

It's still not working but I managed to get rid of the sound assertion :

Sound assertion "0 == hdaGfxCandidate" failed in "/SourceCache/AppleHDA/AppleHDA-184.4.3/AppleHDAController/AppleHDAController.cpp" at line 980 goto Exit

But now i have this error in log when i plug the hdmi display :

kernel	EDID CEA Extension Detailed Timing Descriptor Count & Attributes not valid for audio: 0xFFFFFFB1 (bit 6 is false)

 HDMI_0x800.jpg   42.16KB   119 downloads


continuing tests...

[bcc9]

It's still not working but I managed to get rid of the sound assertion :

Sound assertion "0 == hdaGfxCandidate" failed in "/SourceCache/AppleHDA/AppleHDA-184.4.3/AppleHDAController/AppleHDAController.cpp" at line 980 goto Exit

You get that when you don't have both hda-gfx strings inserted correctly. You need one for the device at PCI slotfunction 0 (GFX0) and one at PCI slotfunction 1 (HDAU).

[Boombeng]

Ok, i thought it was good but my dsdt edit must crap, here it is :

Device (P0P2)
			{
				Name (_ADR, 0x00010000)
				Device (GFX0)
				{
					Name (_ADR, Zero)
					Method (_DSM, 4, NotSerialized)
					{
						Store (Package (0x02)
							{
								"hda-gfx", 
								Buffer (0x0A)
								{
									"onboard-1"
								}
							}, Local0)
						DTGP (Arg0, Arg1, Arg2, Arg3, RefOf (Local0))
						Return (Local0)
					}
				}

				Device (HDAU)
				{
					Name (_ADR, One)
					OperationRegion (HDAH, PCI_Config, Zero, 0x40)
					Field (HDAH, ByteAcc, NoLock, Preserve)
					{
						VID0,   16, 
						DID0,   16
					}

					Method (_DSM, 4, NotSerialized)
					{
						If (LEqual (Arg0, Buffer (0x10)
								{
									/* 0000 */	0xC6, 0xB7, 0xB5, 0xA0, 0x18, 0x13, 0x1C, 0x44, 
									/* 0008 */	0xB0, 0xC9, 0xFE, 0x69, 0x5E, 0xAF, 0x94, 0x9B
								}))
						{
							If (LNotEqual (And (VID0, 0xFFFF), 0xFFFF))
							{
								Store (Package (0x02)
									{
										"hda-gfx", 
										Buffer (0x0A)
										{
											"onboard-1"
										}
									}, Local0)
								DTGP (Arg0, Arg1, Arg2, Arg3, RefOf (Local0))
								Return (Local0)
							}
						}

						Return (0x80000002)
					}
				}
			}

 dsdt_HDAU.jpg   212.64KB   173 downloads

[hjs89]

Now lets take a specific example, the Uakari personality. In UakariInfo::createInfo we see 1 addl instruction, it reads (I'm looking using 10.6.6 driver code as an example from here on):
0000d472 addl $0x000111c0,%eax
and for the number of connectors,
0000d467 movb $0x04,0x03(%ecx)

I lost here. When I did $ otool -arch i386 -vt ATIFramebuffer | c++filt | grep createInfo I only could see UakariInfo::createInfo(unsigned char, PlatformParameters&):. Where did you find the addl?

[Chenda]

I lost here. When I did $ otool -arch i386 -vt ATIFramebuffer | c++filt | grep createInfo I only could see UakariInfo::createInfo(unsigned char, PlatformParameters&):. Where did you find the addl?

i got the same thing.. Until i typed in the following command. make sure your using the appropriate arch. i1386 is 32bits. x84_64 is 64bit

otool -arch x86_64 -vt ATIFramebuffer | tee filename.txt

this allows the results to be written to a text file. The txt file will be in the same location as your ATIFramebuffer file. Once you get your file, you can open it with any text editor and search for Uakari. Find your profile underneath.

Hope this helps.

[kizwan]

Hi bcc9,

Thank you for the brilliant guide. I tried on my notebook (Dell Studio 1557 with HD4570). I was able to get the external monitor which is connected to HDMI port detected but for some reason there is no output. The monitor act like there is no signal to it. In System Profiler & IORegistryExplorer, I can see the monitor is properly detected at @0. I'm using peregrine personality. The monitor is full HD LCD. Do you have any idea why there is no output?


EDIT: Sorry. I forgot to post relevant information. I'm going to post it in a couple of minutes.

EDIT 2: Looks like I got QE/CI on the external monitor. I can see the water effect with Dashboard. Unfortunately no output on the external monitor, only can see it via VNC.