(Για μετάφραση στα Ελληνικά, δείτε εδώ)
update 20093012: Sony has finally decided to enable VT for their new models. They also provide an updated BIOS for some older models. If your laptop model is one of those, then you should update your BIOS and skip the rest of the guide.
This is a short guide on how to unlock the Virtualization Technology (VT) support in your processor, from your BIOS, in case the manufacturer of your computer has delivered it to you with this mechanism disabled.
The following text describes how to achieve this on a Sony VAIO with an Intel Core 2 Duo CPU and a legacy BIOS system initialization system from Phoenix. This choice is due to the fact that, first, it is the laptop with which I encountered this problem, and second, all Sony VAIO laptops, with few exceptions, are shipped from the factory with VT disabled:
Modern laptops by Sony use, instead of a BIOS, a new approach called EFI. As expected, Sony has made sure that VT is disabled in these models as well. This How-To does not cover those laptops. If you are the owner of one of those laptops, you can start by looking at this article:
My solution is mainly based on the following sources/discussions:
IMPORTANT In the above links, some people suggest a "trial n' error" method, where you mess up with your BIOS and flip random bits, until you find the one bit that enables VT. These things are very dangerous and can render your precious computer useless in just a few seconds.
The method I'm about to describe strives to eliminate any and all uncertainty from the task. Nevertheless, I will not be held responsible for anything that happens to your computer as a result of you following this guide. Before you continue, you have to understand that:
- Even if this method is secure, it involves flashing your BIOS[*]. In other words, you will write data on a chip located on your computer's motherboard, and this chip is not supposed to be written very often. If for any reason the process is interrupted, eg. power failure, you can kiss goodbye your computer.
- All my attempts were done using a Sony VAIO VGN-TZ31XN, equipped with a Phoenix BIOS. Your setup will be perhaps (a lot) different, and the process may fail. In any case, if you end up with a broken BIOS, you can kiss goodbye your computer.
- Even without hardware accelerated VT, you can still run virtual machines with your computer. There are even some people who doubt the benefits of using hardware accelerated VT.
- Performing such an operation on your computer could allow the manufacturer to revoke his warranty.
If you still want to try, and you end up with a computer that does not start (at all, only a blank screen, no blinking lights, no sign of life), you are left with two choices. One is to send it back to Sony (substitute here your manufacturer), and they will probably tell you that they have to replace the whole motherboard. The other option is to (physically) open your laptop, locate the backup battery of the BIOS, and disconnect it, in order to restore factory defaults. If you are lucky, this battery will be under the memory expansion slots, which are usually accessible from the back of the laptop. If you are unlucky, you will have to really take the whole laptop apart.
[*]:Actually, BIOS flashing is not exactly the thing. The BIOS chip holds the BIOS program, while the CMOS memory chip holds the BIOS settings (and it is the one backed up by the little battery on your motherboard). In this article, we read the BIOS code itself, as well as the CMOS-stored settings, but we only modify the settings. Therefore, as explained above, it is possible in case of a problem, to revert to the default settings, if you can disconnect the backup battery. Still, the CMOS memory chip is not a "playground" and you should think twice before doing this, and always proceed with caution!
II. THE PROPOSED METHOD
The method that we are going to use is based on a tool that is available by Phoenix, called "symcmos". This program reads all the BIOS settings (a.k.a. "tokens") and stores them in a text file, using the following syntax:
( SYMBOLIC CMOS EDITOR - Version 643710-032 ) CRC = 250F (0000)  (0003)  (0006)  (0009)  (000C)  (000F)  (0018)  (001B)  (001E)  ...
The first column is the token index, and the second column is the token value. Both columns use hexadecimal numeric representation. Thus, you can alter the token values in this file and then use symcmos again to update your BIOS with the new settings.
One of these tokens is the VT lock for your processor. The only problem is that we do not know the relation between token indexes and BIOS settings, so we do not know which token to modify. To solve this problem, we will make a backup of our current BIOS, and then we will disassemble it, while looking inside the code for the VT token index. As soon as we get a grip of this index, we will modify the right line in the text file, and we will use symcmos to update the BIOS. If all goes well, after that you will have hardware accelerated VT.
The BIOS code is a rather big program, and in assembly code form it spans several tens of thousands of lines of code. This prohibits us from blindly searching inside the code. Instead, we must know what we are looking for. This kind of information we can get from the manufacturer of our processor. In the case of Intel, we need the specifications of the IA-32/intel64 architecture, which includes all modern 32 and 64 bit Intel processors, excluding the Itanium. Luckily for us, Intel has made these documents available for free on the internet:
The first thing that we can learn from these documents is that the VT settings for our processor are accessible via a Model Specific Register (MSR), in particular MSR 3A (hexadecimal). The next clue is that there exist special assembly instructions for reading and writing MSR, the rdmsr and wrmsr instructions. Finally, from the description of these instructions, we learn that we can choose which MSR to read with rdmsr, by first loading the MSR number in the processor register called ECX.
In other words, in order to find the part of the BIOS code that reads the status of VT in our Intel processor, we will search inside the code for two lines like the following:
mov ecx, 0x3a rdmsr
Now we know that the code between these two lines and the next call to wrmsr deals with locking/unlocking of VT. The involved code is between 10 and 20 lines of assembly code (a huge improvement compared to the initial 100000 lines). The only thing that is left to do is to study this code and extract the BIOS token index for VT.
... wicked, huh?
III. THE TOOLS
We'll start with symcmos, which is available for free on the internet. You can download it from:
Unfortunately this is a DOS program, so you will have to put it into some sort of bootable cd, usb stick, floppy etc. If you do not have such a thing at hand, and you do not know how to prepare one, you can follow these instructions:
The above link uses FreeDOS, an alternative open-source implementation, compatible with DOS. (tip: I followed the first method, the one with makebootfat. In Debian there is a ready-made package for makebootfat, therefore you don't need to download and compile its source code).
We will also download a minimal bootable cd image from VMWare. We will burn this into a CD and we will use it to verify that we have succeeded in enabling VT:
Then, we will need a program to read the BIOS code itself (symcmos can read/write just the settings). There is always the option to download one of the official tools from Phoenix, DOS-based of course:
As an alternative, I used the open source tool called flashrom, which is a community-driven attempt to create a universal open-source BIOS read/write tool. I was lucky and I could read my BIOS (even though my BIOS chip was reported as unsupported). You might have an unsupported chip. If this is the case, you will have to use the tool from the BIOS manufacturer. You can put this utility together with symcmos on the same bootable DOS medium.
You will also need a program to decompress the BIOS, once you've read it with flashrom. Sadly it is true, all modern BIOS programs are too complex to fit on a small chip without compression. Therefore, before attempting to disassemble the BIOS, we will have to decompress the retrieved BIOS image. Again, Phoenix has the tool for the job, this time for Windowz (and harder to find):
(note: In the above link, you will download the file BiosEdit2100.zip, after accepting the license from Intel. Intel calls this tool "BIOS Logo Change Utility", but it is so much more than that! Inside the downloaded file, you will find the program BiosEdit2100.exe, which you should install and use.)
Under Linux, there are programs like phnxdeco, amideco and awardeco for the exact same job, for BIOS made by Phoenix, AMI, and Award respectively. I could not get phnxdeco to work, so I was forced to use the tool by Phoenix. It did run flawlessly under Wine, after a couple of tweaks (more on this topic later). Alternatively, if you have a computer with Windowz available, you could install this program there, since you do not need to execute it on the computer that you are trying to unlock VT.
Finally, you will need a disassembler to go through the BIOS code. This example uses nasm, a program available in practically all modern Linux distributions.
IV. ENABLE VT (at last)
Step 1. Download and prepare all the required tools (see also Section III):
- Download vt.iso from VMWare and burn a CD with it. Restart your computer and boot from this CD, to make sure that VT is indeed locked on your processor (otherwise there's no point in following this guide!).
- Restart again, boot into Linux and download symcmos.
- Prepare a bootable medium with FreeDOS and copy symcmos over to the bootable medium.
- Install the flashrom program using the tools of your Linux distribution.
- Install Wine using the tools of your Linux distribution.
- Download the winetricks tool. This will help us add Virtual Basic support to Wine (needed to run the BIOS decompress tool from Phoenix).
- Run winetricks and select to install vb6run.
- Install the BIOS decompression tool under Wine.
- Install NASM using the tools of your Linux distribution.
Step 2. Read back BIOS settings with symcmos:
- Restart your computer and boot from the bootable DOS medium that you've prepared.
- At the FreeDOS command line prompt, enter:
- This command will read the BIOS settings and store them inside the folder where we executed the command, inside a file with the name literal.txt.
- Reboot and return to Linux.
Step 3. Read the BIOS itself and decompress it:
- Execute flashrom as root:
flashrom -r compressed_bios.rom
- If the program works as expected, it will take some time to read the BIOS (less than a minute) and it will end up showing the message "Reading flash... done". Your BIOS will be stored inside the file compressed_bios.rom, under the folder where you executed the flashrom command.
- Run the BIOS decompression tool under Wine.
- Load the compressed_bios.rom file.
- If all goes well (even if you get some warning/error messages), then you will see a series of windows with the contents and settings of your BIOS.
- Since we are looking for the decompressed files themselves, we will ignore all these windows.
- The decompression tool keeps all decompressed files inside a temporary folder.
- In my system, I found them inside the folder:
~/.wine/drive_c/Program Files/Phoenix Technologies Ltd/BIOS Editor/TEMP
- In my system, I found them inside the folder:
- Without closing the decompression tool, we copy all the files from the above folder into another folder of our choice.
- Quit the Phoenix decompression tool, its job is done.
Step 4. Disassemble the BIOS and locate the part of the code that deals with VT:
- Among the files that we copied in the previous step, the BIOS code that we are interested in, is in the files with .ROM suffix. In one of these files we will find the VT lock/unlock code. To make our lives easier, I wrote the following Makefile:
%.asm:%.ROM ndisasm $< > $@ roms = $(wildcard *.ROM) all: all-asm all-asm: $(patsubst %.ROM,%.asm,$(roms)) find-msr: grep -n -B1 "rdmsr" *.asm | grep --color -A1 "0x3a" clean: rm *.asm
- Copy this Makefile and save it in together with the copied .ROM files, in the same folder. Navigate to this folder and simply type:
- The Makefile will process all .ROM files, one at a time, disassemble them with ndisasm (which is part of nasm), and write a .asm file with the disassembled code.
- The Makefile can do more for you: it can search inside the .asm files for the pattern that we are looking for. To do this, after executing "make", type (always in the same folder as the Makefile and the .ROM files):
- In my case, the above command returns:
BIOSCOD6.asm-18542-0000CB57 66B93A000000 mov ecx,0x3a BIOSCOD6.asm:18543:0000CB5D 0F32 rdmsr
- Therefore, in my case, the part of the BIOS code that is of interest is in file BIOSCOD6.asm, starting at line 18542.
- Open this file with an editor and go directly to the reported line.
- We then look for the first occurrence of a call word instruction, after the rdmsr. Eg.:
call word 0xf000:0x48db
- these numbers will probably be different on your system.
- EXACTLY one line above that, you should be able to see another instruction that loads a value to the AX register:
mov ax, 0x363 call word 0xf000:0x48db
- again, the 363 example will probably be different on your system
- This is the token index we've been looking for!
Step 5. Update BIOS settings
- Open the bootable medium that contains FreeDOS and the symcmos tool.
- Locate and open file literal.txt, the one made by symcmos when we executed it in step 2.
- Jump to the line that starts with the token index that we just discovered (0363 in my case).
- VERY IMPORTANT: If the value that corresponds to this index is anything but , there has been a mistake. DO NOT proceed further!
- Modify the value of the given line,from  to  and save the modified text file.
- Restart the computer and boot from the bootable FreeDOS medium.
- Make absolutely sure that your computer will keep on working properly for the next minute or so (check battery, power supply, remove any glasses filled with liquids from the area, remove cats, dogs and babies from the room, and -if you are religious- say a quick prayer, you know the drill ... ;))
- At the FreeDOS command line prompt, type:
symcmos.exe -v2 -uLITERAL.TXT
- When the process is complete (it is very fast), shutdown the computer from its main switch (no soft-reset).
Step 6. Verify that VT is now unlocked
- Turn on the computer and boot from the bootable CD of VMWare from step 1.
- If all goes well, the VMWare tool will inform you that you are now the happy owner of a Sony VAIO with full hardware accelerated VT.
- On my system, the last step produces (I have a dual core processor):
Reporting VT capability for 2 logical CPUs... CPU 0: VT is enabled on this core. CPU 1: VT is enabled on this core.
If you encounter problems, have questions/remarks/suggestions, feel free to contact me here.
Good luck! 8)