(UNDER CONSTRUCTION) by Vikram Ambrose -- Vambrose 01:44, 22 February 2010 (UTC)

This is a short guide demonstrating how I used the PCI Passthrough framework in KVM to reverse engineer atiflash.exe – a video BIOS flashing tool for DOS.

atiflash.exe is a real dos application that flashes the video BIOS on ATi graphics cards. There are numerous ATi video BIOS flashing tools for Windows, but none for Linux as the code for doing this has not been made publicly available by AMD.

This technique allowed me to trace all PCI configuration space and memory mapped i/o (mmio) accesses to the PCI-E device from the closed source flashing tool.

Tools needed:

• CPU with virtualisation support (eg, AMD-V, Intel VT-x, an IOMMU is not necessary)
• Newer-the-better Linux kernel with KVM support
• Special KVM branch of QEMU (git://git.kernel.org/pub/scm/virt/kvm/qemu-kvm.git)
• Guest operating system (I used FreeDOS from UBCD - http://www.ultimatebootcd.com/)
• Secondary video card to boot Linux with while the Radeon is used in the virtual machine

First the radeon and drm kernel modules had to be blacklisted to prevent the host from using the hardware that would be passed to the virtual machine. Use lspci to get the location of the PCI device:

 * 02:00.0 VGA compatible controller: ATI Technologies Inc RV770 [Radeon HD 4870]
 * 02:00.1 Audio device: ATI Technologies Inc HD48x0 audio

Special thanks go out to Carl-Daniel Hailfinger, Twice#11 and the entire KVM and QEMU team for making this possible.