December 14, 2021

@Mov AX, 0xDEAD I found the place in the Win8.0 usbxhci.sys where the controller is started. There's a 100ms wait in there that I can increase to 127ms, but there's no room for anything larger than that, and it might not achieve anything. I don't see a wait interval on the reset function though. I'm not certain I can inject new code without breaking the driver. The Win10 driver code is similar but makes use of ExTimer functions:

//
// Controller failed to clear halt in the first 5 ms of aggressive polling by the driver.
// Implement a secondary wait period with less frequent polling using high resolution
// timers and relinquish the CPU while waiting for the timer event.
//
timer = ExAllocateTimer(Controller_HighResTimerCompletion, &event, EX_TIMER_HIGH_RESOLUTION);
December 14, 2021

@Dietmar have you had any luck booting with my winlogon.exe? Also, can you get a Gigabyte B450M DS3H board to test with the 149C controller?
December 16, 2021 (Author)

@infuscomus Do you remember how I can bypass BSOD 0xDEADBEEF in the extender? This happens for me when I compiled it as an XP target and am using it under 2003. What line should I comment out to bypass it, please?
December 16, 2021

@George King It's in wrk2003.c near the bottom of the file. Comment out or delete lines 1722 to 1956; those are the hex pattern checks that cause the BSODs.

@Mov AX, 0xDEAD what are you using this hex pattern check for?
December 16, 2021

@infuscomus Do the following to test the Win8 XHCI drivers on Win8.1:
- Create a bootable Win8.1 x86 USB flash drive using Rufus.
- Open boot.wim in 7-Zip.
- Replace the following files in folders \1\Windows\System32\Drivers and \2\Windows\System32\Drivers: ucx01000.sys, usbd.sys, usbhub3.sys and usbxhci.sys -> original, untouched from Win8.0!!! Ported drivers will crash.
- Restart and boot from it.

Worked just fine here. If USB devices work, your issue is related to the ACPI driver.
December 16, 2021

5 hours ago, infuscomus said:
> @Mov AX, 0xDEAD what are you using this hex pattern check for?

For export/use of already existing funcs in the kernel. Not the best solution, but it works on standard MS kernels. Modders, just comment out all KeBugCheckEx(0xDEADBEEFL, 5, 0, 0, XX) lines.
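A worked illustration of the hex-pattern idea discussed in the two posts above, added here as an example; it is not the extender's code. It shows a mask-based scanner that locates a function by its byte sequence and refuses to return a hit when the pattern is absent or matches more than once. The sample image bytes, the patterns and the demo function names are constructed for the demo; the extender's real patterns and the kernel functions it resolves are not on the page. Where the extender answers a miss with KeBugCheckEx(0xDEADBEEF, 5, 0, 0, XX), this version returns -1 so a caller could disable the dependent feature instead of bugchecking.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A byte pattern with a per-byte mask: mask 0xFF = byte must match,
 * mask 0x00 = wildcard (used for immediates/addresses that change
 * between kernel builds or hotfixes). */
typedef struct {
    const uint8_t *bytes;
    const uint8_t *mask;
    size_t len;
} code_pattern_t;

/* Scan image[0..image_len) for the pattern. Returns the offset of the only
 * match, or -1 when there is no match OR more than one match. Refusing an
 * ambiguous hit matters: patching the wrong function that happens to share
 * the same prologue is worse than failing cleanly. */
long find_unique_pattern(const uint8_t *image, size_t image_len,
                         const code_pattern_t *p)
{
    long found = -1;
    if (p == NULL || p->len == 0 || image_len < p->len)
        return -1;
    for (size_t off = 0; off + p->len <= image_len; off++) {
        size_t i;
        for (i = 0; i < p->len; i++) {
            if (p->mask[i] != 0 && image[off + i] != p->bytes[i])
                break;
        }
        if (i == p->len) {
            if (found != -1)
                return -1;          /* second hit: pattern is not unique */
            found = (long)off;
        }
    }
    return found;
}

/* Constructed stand-in for a kernel .text region: two small functions that
 * share the usual x86 "mov edi,edi; push ebp; mov ebp,esp" prologue. */
static const uint8_t sample_image[] = {
    0x90, 0x90,
    0x8b, 0xff, 0x55, 0x8b, 0xec,              /* func A: hotpatch prologue     */
    0xa1, 0x78, 0x56, 0x34, 0x12,              /*         mov eax,[12345678h]   */
    0x5d, 0xc3,                                /*         pop ebp; ret          */
    0x90, 0x90,
    0x8b, 0xff, 0x55, 0x8b, 0xec,              /* func B: same prologue         */
    0x33, 0xc0, 0x5d, 0xc3,                    /*         xor eax,eax; pop; ret */
};

/* Prologue plus "mov eax,[imm32]" with the address wildcarded: unique hit. */
long demo_unique(void)
{
    static const uint8_t b[] = { 0x8b,0xff,0x55,0x8b,0xec,0xa1,0,0,0,0 };
    static const uint8_t m[] = { 0xff,0xff,0xff,0xff,0xff,0xff,0,0,0,0 };
    code_pattern_t p = { b, m, sizeof b };
    return find_unique_pattern(sample_image, sizeof sample_image, &p);
}

/* Prologue only: matches both functions, so the scanner refuses. */
long demo_ambiguous(void)
{
    static const uint8_t b[] = { 0x8b,0xff,0x55,0x8b,0xec };
    static const uint8_t m[] = { 0xff,0xff,0xff,0xff,0xff };
    code_pattern_t p = { b, m, sizeof b };
    return find_unique_pattern(sample_image, sizeof sample_image, &p);
}

/* A sequence that is not present at all, e.g. after a kernel hotfix changed it. */
long demo_missing(void)
{
    static const uint8_t b[] = { 0xcc,0xcc,0xcc };
    static const uint8_t m[] = { 0xff,0xff,0xff };
    code_pattern_t p = { b, m, sizeof b };
    return find_unique_pattern(sample_image, sizeof sample_image, &p);
}

int main(void)
{
    printf("unique    -> %ld (expect 2)\n", demo_unique());
    printf("ambiguous -> %ld (expect -1)\n", demo_ambiguous());
    printf("missing   -> %ld (expect -1)\n", demo_missing());
    return 0;
}
```

The wildcard bytes are what keep a pattern stable across kernel builds; the uniqueness test is what keeps it safe, since a too-short pattern silently resolves to the first function with a common prologue.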
December 16, 2021

9 hours ago, daniel_k said:
> @infuscomus Do the following to test the Win8 XHCI drivers on Win8.1:
> - Create a bootable Win8.1 x86 USB flash drive using Rufus.
> - Open boot.wim in 7-Zip.
> - Replace the following files in folders \1\Windows\System32\Drivers and \2\Windows\System32\Drivers: ucx01000.sys, usbd.sys, usbhub3.sys and usbxhci.sys -> original, untouched from Win8.0!!! Ported drivers will crash.
> - Restart and boot from it.
> Worked just fine here. If USB devices work, your issue is related to the ACPI driver.

@daniel_k Yes, the Win8.0 USB3 driver works on 8.1. It also works on 8.0 after swapping in @Dietmar's patched Win8.0 acpi.sys.

The ACPI driver issue is unlikely to ever be fixed for XP though.
December 17, 2021

@Dietmar I'm making another attempt at getting the Vista acpi.sys to work on XP, please debug this when you have time.

edit: is the point of failure still in ACPIFindLoadRSDT() at _PmHalDispatchTable?

Edited December 17, 2021 by infuscomus
December 17, 2021

7 hours ago, infuscomus said:
> @Dietmar I'm making another attempt at getting the Vista acpi.sys to work on XP, please debug this when you have time.
> edit: is the point of failure still in ACPIFindLoadRSDT() at _PmHalDispatchTable?

149C works on Vista
December 17, 2021

So _PmHalDispatchTable is part of struct _PM_DISPATCH_TABLE:

typedef struct _PM_DISPATCH_TABLE {
    ULONG Signature;
    ULONG Version;
    PVOID Function[1];
} PM_DISPATCH_TABLE, *PPM_DISPATCH_TABLE;

It's initialized as null:

PPM_DISPATCH_TABLE PmAcpiDispatchTable = NULL;

called and loaded by HaliInitPowerManagement:

NTSTATUS
HaliInitPowerManagement(
    IN PPM_DISPATCH_TABLE PmDriverDispatchTable,
    IN OUT PPM_DISPATCH_TABLE *PmHalDispatchTable
);

*PmHalDispatchTable = (PPM_DISPATCH_TABLE)&HalAcpiDispatchTable;

I've discovered that XP only fills the table up to HaliIsVectorValid, whereas Vista has some additional functions XP does not have:

HalAcpiGetTableDispatch
HalAcpiGetRsdpDispatch
HalAcpiGetFacsMappingDispatch
HalAcpiGetAllTablesDispatch

I think these functions being absent from XP's PM_DISPATCH_TABLE is why the Vista acpi.sys fails, since it seems to depend on these to find ACPI tables. @Mov AX, 0xDEAD what do you think?
December 17, 2021

@infuscomus I ran a WinDbg session with your new acpi.sys from Vista. It hangs in a loop via nt!KiIdleLoop and then crashes with 0x7E (write in wrong memory).

Dietmar

Break instruction exception - code 80000003 (first chance)
nt!KiIdleLoop+0x10:
804dcbef f390 pause
4: kd> g
*** Fatal System Error: 0x0000007e (0xC0000005,0x00000000,0xF789E168,0xF789DE64)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows XP 2600 x86 compatible target at (Fri Dec 17 19:50:01.687 2021 (UTC + 1:00)), ptr64 FALSE
Loading Kernel Symbols
.......................
Loading User Symbols
*******************************************************************************
*                        Bugcheck Analysis                                    *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 7E, {c0000005, 0, f789e168, f789de64}
*** ERROR: Symbol file could not be found. Defaulted to export symbols for HAL3.DLL -
Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )
Followup: MachineOwner
---------
nt!RtlpBreakWithStatusInstruction:
804e29c2 cc int 3
11: kd> !analyze -v
*******************************************************************************
*                        Bugcheck Analysis                                    *
*******************************************************************************
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 00000000, The address that the exception occurred at
Arg3: f789e168, Exception Record Address
Arg4: f789de64, Context Record Address
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The data could not be transferred into memory because of an I/O error at "0x%081x".
FAULTING_IP:
+471
00000000 ?? ???
EXCEPTION_RECORD: f789e168 -- (.exr 0xfffffffff789e168)
ExceptionAddress: 00000000
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000000
Attempt to read from address 00000000
CONTEXT: f789de64 -- (.cxr 0xfffffffff789de64)
eax=00000000 ebx=80702e40 ecx=54445358 edx=00000001 esi=f75bbb20 edi=80702d70
eip=00000000 esp=f789e230 ebp=f789e250 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
00000000 ?? ???
Resetting default scope
DEFAULT_BUCKET_ID: DRIVER_FAULT
PROCESS_NAME: System
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The data could not be transferred into memory because of an I/O error at "0x%081x".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 00000000
READ_ADDRESS: 00000000
FOLLOWUP_IP:
+471
00000000 ?? ???
FAILED_INSTRUCTION_ADDRESS:
+471
00000000 ?? ???
BUGCHECK_STR: 0x7E
LAST_CONTROL_TRANSFER: from 00000000 to 00000000
STACK_TEXT:
f789e22c 00000000 00000000 00000000 f75c04fc 0x0
STACK_COMMAND: kb
SYMBOL_NAME: ANALYSIS_INCONCLUSIVE
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: Unknown_Module
IMAGE_NAME: Unknown_Image
DEBUG_FLR_IMAGE_TIMESTAMP: 0
FAILURE_BUCKET_ID: 0x7E_NULL_IP_ANALYSIS_INCONCLUSIVE
BUCKET_ID: 0x7E_NULL_IP_ANALYSIS_INCONCLUSIVE
Followup: MachineOwner
---------
11: kd> lm
start    end      module name
804d7000 80700000 nt (pdb symbols) c:\symbols\ntkrnlmp.pdb\2070D15C611B40BDA93F5F7F12CAC76C2\ntkrnlmp.pdb
80700000 80724f80 HAL3 (export symbols) HAL3.DLL
bac2e000 bac47b80 Mup (deferred)
bac48000 bac74980 NDIS (deferred)
bac75000 bad01600 Ntfs (deferred)
bad02000 bad18880 KSecDD (deferred)
bad19000 bad2af00 sr (deferred)
bad2b000 bad4ab00 fltMgr (deferred)
bad4b000 bb000000 iaStor (deferred)
f747a000 f749fa00 dmio (deferred)
f74a0000 f74bed80 ftdisk (deferred)
f755f000 f756fa80 pci (deferred)
f7570000 f7592f00 ntoskrn8 (deferred)
f7593000 f75d6000 ACPI (deferred)
f75f7000 f7600300 isapnp (deferred)
f7607000 f7611580 MountMgr (deferred)
f7617000 f7624200 VolSnap (deferred)
f7627000 f762fe00 disk (deferred)
f7637000 f7643180 CLASSPNP (deferred)
f7707000 f770bd00 PartMgr (deferred)
f7897000 f789a000 BOOTVID (deferred)
f7987000 f7988b80 kdcom (deferred)
f7989000 f798a100 WMILIB (deferred)
f798b000 f798c700 dmload (deferred)

Edited December 17, 2021 by Dietmar
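An added illustration of the dispatch-table mismatch proposed two posts up; it is example code, not code from the thread or from either Windows version. The table header is the one posted there; the slot order, version numbers and signature value are assumptions (the thread names the four Vista-only functions but not their indices), and the "HAL" tables are constructed in memory. The point is the guard: a consumer built against a longer table must check the table version before indexing, because an XP-sized table has no slot for HalAcpiGetRsdpDispatch and an unchecked call goes through whatever lies past the end, typically zero. That is at least consistent with the crash context in the post above, where eip=00000000, esi=f75bbb20 sits inside the ACPI range f7593000-f75d6000 shown by lm, and ecx=54445358 is the little-endian bytes "XSDT", an ACPI table signature.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef unsigned long ULONG;
typedef long (*PM_FN)(void);   /* assumed uniform signature; the real entries differ */

/* Header layout as posted in the thread. The posted declaration ends in
 * PVOID Function[1]; a typed flexible array member is used here so that
 * indexing past slot 0 is well-defined C rather than an implicit overrun. */
typedef struct _PM_DISPATCH_TABLE {
    ULONG Signature;
    ULONG Version;
    PM_FN Function[];
} PM_DISPATCH_TABLE, *PPM_DISPATCH_TABLE;

/* Hypothetical slot numbers. Only "XP stops at HaliIsVectorValid, Vista adds
 * four more" is taken from the thread; the actual indices are not on the page. */
enum {
    SLOT_IS_VECTOR_VALID = 0,
    SLOT_GET_TABLE,
    SLOT_GET_RSDP,
    SLOT_GET_FACS_MAPPING,
    SLOT_GET_ALL_TABLES,
    SLOT_COUNT
};

#define PM_SIG           0x41435041UL  /* assumed stand-in for the real signature */
#define PM_VERSION_XP    1UL           /* assumed: HAL fills slot 0 only          */
#define PM_VERSION_VISTA 2UL           /* assumed: HAL fills slots 0..4           */

static size_t slots_for_version(ULONG version)
{
    switch (version) {
    case PM_VERSION_XP:    return SLOT_IS_VECTOR_VALID + 1;
    case PM_VERSION_VISTA: return SLOT_COUNT;
    default:               return 0;   /* unknown layout: trust no slot */
    }
}

/* Checked call through the table: 0 and *out on success, -1 if the table is
 * foreign, the slot is beyond what this HAL version advertises, or the slot
 * is empty. Dropping these checks and calling t->Function[slot]() against an
 * XP-sized table is what a jump to eip=00000000 looks like in WinDbg. */
int pm_dispatch(const PM_DISPATCH_TABLE *t, size_t slot, long *out)
{
    if (t == NULL || t->Signature != PM_SIG)       return -1;
    if (slot >= slots_for_version(t->Version))     return -1;
    if (t->Function[slot] == NULL)                 return -1;
    *out = t->Function[slot]();
    return 0;
}

/* --- constructed stand-ins for what HaliInitPowerManagement hands back --- */
static long fake_is_vector_valid(void) { return 1; }
static long fake_get_rsdp(void)        { return 0x1234; }  /* pretend RSDP address */

static PM_DISPATCH_TABLE *make_table(ULONG version, const PM_FN *fns, size_t n)
{
    PM_DISPATCH_TABLE *t = calloc(1, sizeof *t + n * sizeof(PM_FN));
    if (t == NULL) return NULL;
    t->Signature = PM_SIG;
    t->Version   = version;
    memcpy(t->Function, fns, n * sizeof(PM_FN));
    return t;
}

/* Build a table, call one slot, free it; returns the value or -1 on refusal. */
static long try_slot(ULONG version, const PM_FN *fns, size_t n, size_t slot)
{
    PM_DISPATCH_TABLE *t = make_table(version, fns, n);
    long v = -1;
    if (pm_dispatch(t, slot, &v) != 0) v = -1;
    free(t);
    return v;
}

static const PM_FN xp_fns[]    = { fake_is_vector_valid };
static const PM_FN vista_fns[] = { fake_is_vector_valid, fake_get_rsdp, fake_get_rsdp,
                                   fake_get_rsdp, fake_get_rsdp };

/* XP HAL, a slot XP does provide: works. */
long demo_xp_is_vector_valid(void) { return try_slot(PM_VERSION_XP, xp_fns, 1, SLOT_IS_VECTOR_VALID); }
/* XP HAL, a Vista-only slot: refused instead of calling through garbage. */
long demo_xp_get_rsdp(void)        { return try_slot(PM_VERSION_XP, xp_fns, 1, SLOT_GET_RSDP); }
/* Vista HAL, the same slot: works. */
long demo_vista_get_rsdp(void)     { return try_slot(PM_VERSION_VISTA, vista_fns, SLOT_COUNT, SLOT_GET_RSDP); }

int main(void)
{
    printf("XP    IsVectorValid -> %ld (expect 1)\n", demo_xp_is_vector_valid());
    printf("XP    GetRsdp       -> %ld (expect -1)\n", demo_xp_get_rsdp());
    printf("Vista GetRsdp       -> %ld (expect 4660, i.e. 0x1234)\n", demo_vista_get_rsdp());
    return 0;
}
```

The version-to-slot-count mapping is the part that would have to come from the real HAL headers; with it in place, a port of the Vista acpi.sys on an XP HAL would fail a call with a status instead of faulting at address zero.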
December 17, 2021

804dcbd3 42              inc edx
804dcbd4 306689          xor byte ptr [esi-77h],ah
804dcbd7 41              inc ecx
804dcbd8 66c20800        ret 8
804dcbdc 8d4900          lea ecx,[ecx]
nt!KiIdleLoop:
804dcbdf 8dab80090000    lea ebp,[ebx+980h]
804dcbe5 eb08            jmp nt!KiIdleLoop+0x10 (804dcbef)
804dcbe7 8d8b500c0000    lea ecx,[ebx+0C50h]
804dcbed ff11            call dword ptr [ecx]
804dcbef f390            pause
804dcbf1 fb              sti
804dcbf2 90              nop
804dcbf3 90              nop
804dcbf4 fa              cli
804dcbf5 3b6d00          cmp ebp,dword ptr [ebp]
804dcbf8 740d            je nt!KiIdleLoop+0x28 (804dcc07)
804dcbfa b102            mov cl,2
804dcbfc ff15b4804d80    call dword ptr [nt!_imp_HalClearSoftwareInterrupt (804d80b4)]
804dcc02 e8ba000000      call nt!KiRetireDpcList (804dccc1)
804dcc07 83bb2801000000  cmp dword ptr [ebx+128h],0 ds:0023:f7747128=00000000
804dcc0e 74d7            je nt!KiIdleLoop+0x8 (804dcbe7)
804dcc10 b91c000000      mov ecx,1Ch
804dcc15 ff152c804d80    call dword ptr [nt!_imp_KfRaiseIrql (804d802c)]
804dcc1b fb              sti
804dcc1c 8d8b40050000    lea ecx,[ebx+540h]
804dcc22 e851580000      call nt!KeAcquireQueuedSpinLockAtDpcLevel (804e2478)
804dcc27 8bb328010000    mov esi,dword ptr [ebx+128h]
804dcc2d 8bbb24010000    mov edi,dword ptr [ebx+124h]
804dcc33 807e5000        cmp byte ptr [esi+50h],0
804dcc37 753d            jne nt!KiIdleLoop+0x97 (804dcc76)
804dcc39 3bf7            cmp esi,edi
804dcc3b 745a            je nt!KiIdleLoop+0xb8 (804dcc97)
804dcc3d 83c901          or ecx,1
804dcc40 89b324010000    mov dword ptr [ebx+124h],esi
804dcc46 26c6462d02      mov byte ptr es:[esi+2Dh],2
804dcc4b c7832801000000000000 mov dword ptr [ebx+128h],0
804dcc55 6860cc4d80      push offset nt!KiIdleLoop+0x81 (804dcc60)
804dcc5a 9c              pushfd
804dcc5b e900fdffff      jmp nt!SwapContext+0x1e (804dc960)
804dcc60 b902000000      mov ecx,2
December 17, 2021

6 hours ago, infuscomus said:
> @ExtremeGrief lucky you! So you don't get an A5 BSOD or anything on vista?

Nope. It boots just fine with integrated USB 3.x drivers.
December 18, 2021

@ExtremeGrief Lucky! My TRX40 Designare gives an A5 BSOD on anything older than Windows 8.1. Windows 8.0 and USB 3.0 work after the patched acpi.sys from Dietmar.

@Dietmar does the KiIdleLoop infinite loop occur before acpi.sys is loaded?
December 18, 2021

@Dietmar I see PDB symbols are not loaded for my source HAL or the Vista acpi.sys. Try loading the PDB symbols for my source-built HAL and the Vista acpi.sys, and see if loading the symbols gives more info.
December 18, 2021

@infuscomus This with PDB happens because I renamed the hal and ntoskrnl for debugging. I get no more information, the same as above. It seems that it is not a problem of acpi.sys, because I do not see any output for acpi.sys in WinDbg. I notice that the ntoskrnl you sent to me is ntkrnlmp.exe and not ntkrpamp.exe.

Dietmar
December 18, 2021

@Dietmar could the failure be caused by my HAL? This HAL I built from source, with exports added for the Vista acpi.sys, so use the symbols I sent you for debugging. Does it matter whether ntkrnlmp or ntkrpamp is used? The kernel I sent has not been modified; it is the standard SP3 kernel.
December 18, 2021

@infuscomus With ntkrpamp the BSOD happens VERY early and can't be caught by normal WinDbg.

Dietmar

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Opened \\.\com1
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target at (Sat Dec 18 15:10:41.875 2021 (UTC + 1:00)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: C:\symbols;C:\symbolss
Executable search path is: C:\Symbols
Windows XP Kernel Version 2600 MP (1 procs) Free x86 compatible
Built by: 2600.xpsp_sp3_qfe.180912-0606
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
* You are seeing this message because you pressed either                      *
* CTRL+C (if you run kd.exe) or,                                              *
* CTRL+BREAK (if you run WinDBG),                                             *
* on your debugger machine's keyboard.                                        *
*                                                                             *
* THIS IS NOT A BUG OR A SYSTEM CRASH                                         *
*                                                                             *
* If you did not intend to break into the debugger, press the "g" key, then   *
* press the "Enter" key now. This message might immediately reappear. If it   *
* does, press "g" and "Enter" again.                                          *
*******************************************************************************
nt!RtlpBreakWithStatusInstruction:
8052b724 cc int 3
kd> lm
start    end      module name
804d7000 806e5000 nt (pdb symbols) c:\symbols\ntkrpamp.pdb\270E083F57714738A1895FE542CFB8DE1\ntkrpamp.pdb
806e5000 80709f80 HAL3 (deferred)
ba319000 ba332b80 Mup (deferred)
ba333000 ba35f980 NDIS (deferred)
ba360000 ba3ec600 Ntfs (deferred)
ba3ed000 ba403880 KSecDD (deferred)
ba404000 ba415f00 sr (deferred)
ba416000 ba435b00 fltMgr (deferred)
ba436000 ba6eb000 iaStor (deferred)
ba6eb000 ba710a00 dmio (deferred)
ba711000 ba72fd80 ftdisk (deferred)
ba730000 ba740a80 pci (deferred)
ba741000 ba763f00 ntoskrn8 (deferred)
ba764000 ba7a7000 ACPI (deferred)
ba8a8000 ba8b1300 isapnp (deferred)
ba8b8000 ba8c2580 MountMgr (deferred)
ba8c8000 ba8d5200 VolSnap (deferred)
ba8d8000 ba8e0e00 disk (deferred)
ba8e8000 ba8f4180 CLASSPNP (deferred)
bab28000 bab2cd00 PartMgr (deferred)
bacb8000 bacbb000 BOOTVID (deferred)
bada8000 bada9b80 kdcom (deferred)
badaa000 badab100 WMILIB (deferred)
badac000 badad700 dmload (deferred)
kd> t  nt!RtlpBreakWithStatusInstruction+0x1: 8052b725 c20400 ret 4
kd> t  nt!KeUpdateSystemTime+0x175: 80545275 ebb3 jmp nt!KeUpdateSystemTime+0x12a (8054522a)
kd> t  nt!KeUpdateSystemTime+0x12a: 8054522a 833d1440558000 cmp dword ptr [nt!KiTickOffset (80554014)],0
kd> t  nt!KeUpdateSystemTime+0x131: 80545231 7f1f jg nt!KeUpdateSystemTime+0x152 (80545252)
kd> t  nt!KeUpdateSystemTime+0x133: 80545233 a10c405580 mov eax,dword ptr [nt!KeMaximumIncrement (8055400c)]
kd> t  nt!KeUpdateSystemTime+0x138: 80545238 010514405580 add dword ptr [nt!KiTickOffset (80554014)],eax
kd> t  nt!KeUpdateSystemTime+0x13e: 8054523e ff3424 push dword ptr [esp]
kd> t  nt!KeUpdateSystemTime+0x141: 80545241 e846000000 call nt!KeUpdateRunTime (8054528c)
kd> t  nt!KeUpdateRunTime: 8054528c 64a11c000000 mov eax,dword ptr fs:[0000001Ch]
kd> t  nt!KeUpdateRunTime+0x6: 80545292 53 push ebx
kd> t  nt!KeUpdateRunTime+0x7: 80545293 ff80c4050000 inc dword ptr [eax+5C4h]
kd> t  nt!KeUpdateRunTime+0xd: 80545299 8b9824010000 mov ebx,dword ptr [eax+124h]
kd> t  nt!KeUpdateRunTime+0x13: 8054529f 8b4b44 mov ecx,dword ptr [ebx+44h]
kd> t  nt!KeUpdateRunTime+0x16: 805452a2 f7457000000200 test dword ptr [ebp+70h],20000h
kd> t  nt!KeUpdateRunTime+0x1d: 805452a9 7541 jne nt!KeUpdateRunTime+0x60 (805452ec)
kd> t  nt!KeUpdateRunTime+0x1f: 805452ab f6456c01 test byte ptr [ebp+6Ch],1
kd> t  nt!KeUpdateRunTime+0x23: 805452af 753b jne nt!KeUpdateRunTime+0x60 (805452ec)
kd> t  nt!KeUpdateRunTime+0x25: 805452b1 ba00000000 mov edx,0
kd> t  nt!KeUpdateRunTime+0x2a: 805452b6 ff80c8050000 inc dword ptr [eax+5C8h]
kd> t  nt!KeUpdateRunTime+0x30: 805452bc 807c240802 cmp byte ptr [esp+8],2
kd> t  nt!KeUpdateRunTime+0x35: 805452c1 721d jb nt!KeUpdateRunTime+0x54 (805452e0)
kd> t  nt!KeUpdateRunTime+0x54: 805452e0 ff8344010000 inc dword ptr [ebx+144h]
kd> t  nt!KeUpdateRunTime+0x5a: 805452e6 f0ff4138 lock inc dword ptr [ecx+38h]
kd> t  nt!KeUpdateRunTime+0x5e: 805452ea eb18 jmp nt!KeUpdateRunTime+0x78 (80545304)
kd> t  nt!KeUpdateRunTime+0x78: 80545304 833d78c7558000 cmp dword ptr [nt!KiTimeUpdateNotifyRoutine (8055c778)],0
kd> t  nt!KeUpdateRunTime+0x7f: 8054530b 7413 je nt!KeUpdateRunTime+0x94 (80545320)
kd> t  nt!KeUpdateRunTime+0x94: 80545320 8b888c090000 mov ecx,dword ptr [eax+98Ch]
kd> t  nt!KeUpdateRunTime+0x9a: 80545326 8b909c090000 mov edx,dword ptr [eax+99Ch]
kd> t  nt!KeUpdateRunTime+0xa0: 8054532c 89889c090000 mov dword ptr [eax+99Ch],ecx
kd> t  nt!KeUpdateRunTime+0xa6: 80545332 2bca sub ecx,edx
kd> t  nt!KeUpdateRunTime+0xa8: 80545334 0388a0090000 add ecx,dword ptr [eax+9A0h]
kd> t  nt!KeUpdateRunTime+0xae: 8054533a d1e9 shr ecx,1
kd> t  nt!KeUpdateRunTime+0xb0: 8054533c 8988a0090000 mov dword ptr [eax+9A0h],ecx
kd> t  nt!KeUpdateRunTime+0xb6: 80545342 83b89009000000 cmp dword ptr [eax+990h],0
kd> t  nt!KeUpdateRunTime+0xbd: 80545349 744e je nt!KeUpdateRunTime+0x10d (80545399)
kd> t  nt!KeUpdateRunTime+0x10d: 80545399 ff88dc050000 dec dword ptr [eax+5DCh]
kd> t  nt!KeUpdateRunTime+0x113: 8054539f 7523 jne nt!KeUpdateRunTime+0x138 (805453c4)
kd> t  nt!KeUpdateRunTime+0x138: 805453c4 806b6f03 sub byte ptr [ebx+6Fh],3
kd> t  nt!KeUpdateRunTime+0x13c: 805453c8 7f19 jg nt!KeUpdateRunTime+0x157 (805453e3)
kd> t  nt!KeUpdateRunTime+0x157: 805453e3 5b pop ebx
kd> t  nt!KeUpdateRunTime+0x158: 805453e4 c20400 ret 4
kd> t  nt!KeUpdateSystemTime+0x146: 80545246 fa cli
kd> t  nt!KeUpdateSystemTime+0x147: 80545247 ff1594804d80 call dword ptr [nt!_imp__HalEndSystemInterrupt (804d8094)]
kd> t
*** ERROR: Symbol file could not be found. Defaulted to export symbols for HAL3.DLL -
HAL3!HalEndSystemInterrupt: 806e8414 33c9 xor ecx,ecx
kd> t  HAL3!HalEndSystemInterrupt+0x2: 806e8416 8a4c2404 mov cl,byte ptr [esp+4]
kd> t  HAL3!HalEndSystemInterrupt+0x6: 806e841a 8a8914796e80 mov cl,byte ptr HAL3!HalRequestIpi+0x4c0 (806e7914)[ecx]
kd> t  HAL3!HalEndSystemInterrupt+0xc: 806e8420 c705b000feff00000000 mov dword ptr ds:[0FFFE00B0h],0
kd> t  HAL3!HalEndSystemInterrupt+0x16: 806e842a 80f941 cmp cl,41h
kd> t  HAL3!HalEndSystemInterrupt+0x19: 806e842d 720f jb HAL3!HalEndSystemInterrupt+0x2a (806e843e)
kd> t  HAL3!HalEndSystemInterrupt+0x2a: 806e843e 64803d9600000000 cmp byte ptr fs:[96h],0
kd> t  HAL3!HalEndSystemInterrupt+0x32: 806e8446 64c6059500000000 mov byte ptr fs:[95h],0
kd> t  HAL3!HalEndSystemInterrupt+0x3a: 806e844e 74df je HAL3!HalEndSystemInterrupt+0x1b (806e842f)
kd> t  HAL3!HalEndSystemInterrupt+0x1b: 806e842f 890d8000feff mov dword ptr ds:[0FFFE0080h],ecx
kd> t  HAL3!HalEndSystemInterrupt+0x21: 806e8435 8b158000feff mov edx,dword ptr ds:[0FFFE0080h]
kd> t  HAL3!HalEndSystemInterrupt+0x27: 806e843b c20800 ret 8
kd> t  nt!KeUpdateSystemTime+0x14d: 8054524d e94aceffff jmp nt!KiExceptionExit (8054209c)
kd> t  nt!KiExceptionExit: 8054209c fa cli
kd> t  nt!Kei386EoiHelper+0x1: 8054209d f7457000000200 test dword ptr [ebp+70h],20000h
kd> t  nt!Kei386EoiHelper+0x8: 805420a4 7506 jne nt!Kei386EoiHelper+0x10 (805420ac)
kd> t  nt!Kei386EoiHelper+0xa: 805420a6 f6456c01 test byte ptr [ebp+6Ch],1
kd> t  nt!Kei386EoiHelper+0xe: 805420aa 7434 je nt!Kei386EoiHelper+0x44 (805420e0)
kd> t  nt!Kei386EoiHelper+0x44: 805420e0 8b54244c mov edx,dword ptr [esp+4Ch]
kd> t  nt!Kei386EoiHelper+0x48: 805420e4 648b1d50000000 mov ebx,dword ptr fs:[50h]
kd> t  nt!Kei386EoiHelper+0x4f: 805420eb 64891500000000 mov dword ptr fs:[0],edx
kd> t  nt!Kei386EoiHelper+0x56: 805420f2 f7c3ff000000 test ebx,0FFh
kd> t  nt!Kei386EoiHelper+0x5c: 805420f8 754e jne nt!Kei386EoiHelper+0xac (80542148)
kd> t  nt!Kei386EoiHelper+0x5e: 805420fa f744247000000200 test dword ptr [esp+70h],20000h
kd> t  nt!Kei386EoiHelper+0x66: 80542102 0f85c0000000 jne nt!Kei386EoiHelper+0x12c (805421c8)
kd> t  nt!Kei386EoiHelper+0x6c: 80542108 66f744246cf9ff test word ptr [esp+6Ch],0FFF9h
kd> t  nt!Kei386EoiHelper+0x73: 8054210f 7477 je nt!Kei386EoiHelper+0xec (80542188)
kd> t  nt!Kei386EoiHelper+0x75: 80542111 8b54243c mov edx,dword ptr [esp+3Ch]
kd> t  nt!Kei386EoiHelper+0x79: 80542115 8b4c2440 mov ecx,dword ptr [esp+40h]
kd> t  nt!Kei386EoiHelper+0x7d: 80542119 8b442444 mov eax,dword ptr [esp+44h]
kd> t  nt!Kei386EoiHelper+0x81: 8054211d 66837d6c08 cmp word ptr [ebp+6Ch],8
kd> t  nt!Kei386EoiHelper+0x86: 80542122 740c je nt!Kei386EoiHelper+0x94 (80542130)
kd> t  nt!Kei386EoiHelper+0x94: 80542130 8d6554 lea esp,[ebp+54h]
kd> t  nt!Kei386EoiHelper+0x97: 80542133 5f pop edi
kd> t  nt!Kei386EoiHelper+0x98: 80542134 5e pop esi
kd> t  nt!Kei386EoiHelper+0x99: 80542135 5b pop ebx
kd> t  nt!Kei386EoiHelper+0x9a: 80542136 5d pop ebp
kd> t  nt!Kei386EoiHelper+0x9b: 80542137 66817c24088000 cmp word ptr [esp+8],80h
kd> t  nt!Kei386EoiHelper+0xa2: 8054213e 0f87a0000000 ja nt!Kei386EoiHelper+0x148 (805421e4)
kd> t  nt!Kei386EoiHelper+0xa8: 80542144 83c404 add esp,4
kd> t  nt!Kei386EoiHelper+0xab: 80542147 cf iretd
kd> t
Illegal instruction - code c000001d (!!! second chance !!!)
nt!KeUpdateRunTime+0x59: 805452e5 ff ???
kd> t

Edited December 18, 2021 by Dietmar
December 18, 2021

@infuscomus With bootvid.dll from XP SP3 and XP SP1, same BSOD.

Dietmar

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
Opened \\.\com1
Waiting to reconnect...
Connected to Windows XP 2600 x86 compatible target at (Sat Dec 18 15:28:32.140 2021 (UTC + 1:00)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: C:\symbols;C:\symbolss
Executable search path is: C:\Symbols
Windows XP Kernel Version 2600 MP (1 procs) Free x86 compatible
Built by: 2600.xpsp_sp3_qfe.180912-0606
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x8055d720
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
* You are seeing this message because you pressed either                      *
* CTRL+C (if you run kd.exe) or,                                              *
* CTRL+BREAK (if you run WinDBG),                                             *
* on your debugger machine's keyboard.                                        *
*                                                                             *
* THIS IS NOT A BUG OR A SYSTEM CRASH                                         *
*                                                                             *
* If you did not intend to break into the debugger, press the "g" key, then   *
* press the "Enter" key now. This message might immediately reappear. If it   *
* does, press "g" and "Enter" again.                                          *
*******************************************************************************
nt!RtlpBreakWithStatusInstruction:
8052b724 cc int 3
kd> bp 805452e5
kd> g
*** Fatal System Error: 0x0000000a (0x55FAF8EC,0x0000001C,0x00000001,0x805452E0)
Break instruction exception - code 80000003 (first chance)
A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.
A fatal system error has occurred.
Connected to Windows XP 2600 x86 compatible target at (Sat Dec 18 15:28:46.968 2021 (UTC + 1:00)), ptr64 FALSE
Loading Kernel Symbols
.......................
Loading User Symbols
*******************************************************************************
*                        Bugcheck Analysis                                    *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck A, {55faf8ec, 1c, 1, 805452e0}
*** ERROR: Symbol file could not be found. Defaulted to export symbols for halmacpi.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for BOOTVID.dll -
Probably caused by : BOOTVID.dll ( BOOTVID!VidInitialize+106 )
Followup: MachineOwner
---------
nt!RtlpBreakWithStatusInstruction:
8052b724 cc int 3
kd> !analyze -v
*******************************************************************************
*                        Bugcheck Analysis                                    *
*******************************************************************************
IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses. If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 55faf8ec, memory referenced
Arg2: 0000001c, IRQL
Arg3: 00000001, bitfield :
    bit 0 : value 0 = read operation, 1 = write operation
    bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 805452e0, address which referenced memory
Debugging Details:
------------------
WRITE_ADDRESS: 55faf8ec
CURRENT_IRQL: 1c
FAULTING_IP:
nt!KeUpdateRunTime+54
805452e0 ff8344010000 inc dword ptr [ebx+144h]
DEFAULT_BUCKET_ID: DRIVER_FAULT
BUGCHECK_STR: 0xA
PROCESS_NAME: System
TRAP_FRAME: bacc369c -- (.trap 0xffffffffbacc369c)
ErrCode = 00000002
eax=ffdff000 ebx=89faf7a8 ecx=89fafb98 edx=00000000 esi=00000000 edi=0002625a
eip=805452e0 esp=bacc3710 ebp=bacc3724 iopl=0 nv up ei ng nz ac po cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010293
nt!KeUpdateRunTime+0x54:
805452e0 ff8344010000 inc dword ptr [ebx+144h] ds:0023:89faf8ec=00000000
Resetting default scope
LAST_CONTROL_TRANSFER: from 804f8e95 to 8052b724
STACK_TEXT:
bacc3250 804f8e95 00000003 bacc35ac 00000000 nt!RtlpBreakWithStatusInstruction
bacc329c 804f9a80 00000003 55faf8ec 805452e0 nt!KiBugCheckDebugBreak+0x19
bacc367c 8054483c 0000000a 55faf8ec 0000001c nt!KeBugCheck2+0x574
bacc367c 805452e0 0000000a 55faf8ec 0000001c nt!KiTrap0E+0x180
bacc3710 80545246 ba2fd000 ba2fd000 000000d1 nt!KeUpdateRunTime+0x54
bacc3710 806e79a3 ba2fd000 ba2fd000 000000d1 nt!KeUpdateSystemTime+0x146
WARNING: Stack unwind information not available. Following frames may be wrong.
bacc37fc bacb893a 800860b8 00000001 80084000 hal!KfLowerIrql+0x17
bacc3820 80697a7a 80698701 00000000 80698701 BOOTVID!VidInitialize+0x106
bacc3834 806989d7 80084000 00000013 00000000 nt!InbvDriverInitialize+0x6c
bacc3dac 805cffee 80084000 00000000 00000000 nt!Phase1Initialization+0xcb
bacc3ddc 8054623e 8069890c 80084000 00000000 nt!PspSystemThreadStartup+0x34
00000000 00000000 00000000 00000000 00000000 nt!KiThreadStartup+0x16
STACK_COMMAND: kb
FOLLOWUP_IP:
BOOTVID!VidInitialize+106
bacb893a 680099cbba push offset BOOTVID!VidBitBlt+0x12a (bacb9900)
SYMBOL_STACK_INDEX: 7
SYMBOL_NAME: BOOTVID!VidInitialize+106
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: BOOTVID
IMAGE_NAME: BOOTVID.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 3b7d8345
FAILURE_BUCKET_ID: 0xA_BOOTVID!VidInitialize+106
BUCKET_ID: 0xA_BOOTVID!VidInitialize+106
Followup: MachineOwner
---------
kd> lm
start    end      module name
804d7000 806e5000 nt (pdb symbols) c:\symbols\ntkrpamp.pdb\270E083F57714738A1895FE542CFB8DE1\ntkrpamp.pdb
806e5000 80709f80 hal (export symbols) halmacpi.dll
ba319000 ba332b80 Mup (deferred)
ba333000 ba35f980 NDIS (deferred)
ba360000 ba3ec600 Ntfs (deferred)
ba3ed000 ba403880 KSecDD (deferred)
ba404000 ba415f00 sr (deferred)
ba416000 ba435b00 fltMgr (deferred)
ba436000 ba6eb000 iaStor (deferred)
ba6eb000 ba710a00 dmio (deferred)
ba711000 ba72fd80 ftdisk (deferred)
ba730000 ba740a80 pci (deferred)
ba741000 ba763f00 ntoskrn8 (deferred)
ba764000 ba7a7000 ACPI (deferred)
ba8a8000 ba8b1300 isapnp (deferred)
ba8b8000 ba8c2580 MountMgr (deferred)
ba8c8000 ba8d5200 VolSnap (deferred)
ba8d8000 ba8e0e00 disk (deferred)
ba8e8000 ba8f4180 CLASSPNP (deferred)
bab28000 bab2cd00 PartMgr (deferred)
bacb8000 bacbb000 BOOTVID (export symbols) BOOTVID.dll
bada8000 bada9b80 kdcom (deferred)
badaa000 badab100 WMILIB (deferred)
badac000 badad700 dmload (deferred)

Edited December 18, 2021 by Dietmar
December 19, 2021

@Mov AX, 0xDEAD Can you take a look at these functions in the Vista HAL to see if there is equivalent XP HAL code we can use to do the same thing?

HalAcpiGetTableDispatch
HalAcpiGetRsdpDispatch
HalAcpiGetFacsMappingDispatch
HalAcpiGetAllTablesDispatch
December 19, 2021

10 hours ago, infuscomus said:
> @Mov AX, 0xDEAD Can you take a look at these functions in the Vista HAL to see if there is equivalent XP HAL code we can use to do the same thing?

No, I can't. It's your idea and only you must handle it.
December 20, 2021

@Mov AX, 0xDEAD I'll try making a new HAL extender. I want to replace the internal function HaliInitPowerManagement with a new version in my extender; what's the best way to do that?
December 20, 2021 (Author)

@infuscomus What about changing Major/Minor SubSystemVersion to 5.1? Have you tried it to see if it affects something in your USB controller?