1 of 20

UEFI

The Surface RT UEFI consists multi phases. Some issues are outlined below.

TrustZone and SEC phase

The CPU gets out of reset in Secure Mode. SEC phase kicks in, does fundamental setup and enter TrustZone. TrustZone memory occupies the lower memory (32MB).

In stock firmware, TZ MVBAR address is 0x811f8000 on RT for primary core (Boot Processor.)

For secondary CPUs, the MVBAR is：

Core 1 MVBAR 0x82002860
Core 2 MVBAR 0x82003860
Core 3 MVBAR 0x82004860

MVBAR only has valid SMC instruction entry, other exception entries are unused.

Exploit

There's an issue in TZ's UEFI variable handling. A working exploit can be found at https://github.com/NekomimiRouter/yahallo.

ACPI Tables

Surface RT ACPI Tables.

ACPI Tables

APIC - Advanced Programmable Interrupt Controller
BGRT - Boot Graphics Resource Table
DBG2 - Debug Port Table 2
CSRT - Core System Resource Table
DSDT - Differentiated System Description Table
FACP - Fixed ACPI Description Table
FPDT - Firmware Performance Data Table
MSDM - Microsoft Data Management table
RSDP - Root System Description Pointer
SSDT - Secondary System Description Table
TPM2 - Trusted Platform Module 2.0
WDSA - Windows Specific Table. Contains tCover information
XSDT - Extended System Description Table Fields

17KB

ACPI-Tables-SurfaceRT.zip

Get ACPI-Tables from Surface RT

You need to be able to run unsigned EFI apps. get ShellBinPkg.zip from https://github.com/tianocore/edk2/releases/tag/edk2-stable201911 And use the startup script below. Dumped tables should be in the dump folder

564B

startup.nsh

Decompile ACPI-Tables

To decompile ACPI on Linux you would normally use IASL. But all Tables are compiled with the Microsoft ASL compiler. Since MS_ASL isn't as strict as IASL, IASL detects some errors and won't decompile all tables.

IASL

Decompile with IASL

iasl -da APIC0000.bin BGRT0000.bin CSRT0000.bin  DBG20000.bin  FACP0000.bin  FPDT0000.bin  MSDM0000.bin TPM20000.bin XSDT0000.bin

MS ASL

https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/microsoft-asl-compiler

155KB

microsoft_asl.exe

Decompile with MS_ASL

wine microsoft_asl.exe /u /e DSDT0000.bin
wine microsoft_asl.exe /u /e SSDT0000.bin 
wine microsoft_asl.exe /u /e SSDT0001.bin
wine microsoft_asl.exe /u /e WDSA0000.bin

You can't decompile RSDP0000.bin but it only contains 2 Pointers

DSDT

DSDT (Differentiated System Description Table) is a part of the ACPI specification. It supplies information about supported power events in a given system.

Ours are compiled with the Microsoft compiler. RT location: Address : 0xFD8E0000 Length : 9361 (NCIDIA AP30EDK2)

You can compare an DSDT table to a dtsi devicetree file.

SSDT

Extends DSDT.

Surface RT has 2 SSDT tables.

SSDT0000.bin contains the hardware description (very interesting) SSDT0001.bin contains only TPM stuff. (uninteresting at the moment)

Decompile SSDT0000.bin

Most of the ACPI tables can be decompiled by iASL (Intel ASL compiler). But SSDT0000.bin can not be decompiled by iASL. We have to use MS-ASL compiler. (MS ASL is not as strict as iASL which leads to issues with Linux) use asl.exe /u /e /ResDecode SSDT0000.bin Decompiled output below:

Compile SSDT0000.ASL

There is a way to compile the SSDT0000.ASL with iasl, without getting a lot of errors about external symbols. Just put the file next to the other acpi tables (don't decompile them), and it shouldn't give errors about missing external symbols. There are 4 syntax errors, currently there are no fixes available.

What SSDT0000.ASL can tell you

WorkInProgress

I2C Devices

Search for I2CSerialBus should reveal all i2c devices.

I2C1 (HID Stuff)

I2C1 0x00 - tCover
I2C1 0x28 - SEN1 / SNMU
I2C1 0x50 - GFXC??

I2C2 - Daughterboard

I2C2 0x0C - SARA
I2C2 0x2D - TEV2 - cypress
I2C2 0x39 - TIC2
I2C2 0x5B - TOUA -atmel

I2C3

I2C3 0x10 - GFXC
I2C3 0x72 - GFXC

I2C4 - HDMI

I2C4 0x30 - GFXC - EDID
I2C4 0x3A - GFXC - EDID
I2C4 0x3B - GFXC - EDID
I2C4 0x50 - GFXC - EDID

I2C5 -Mainboard

I2C5 0x0A - TRO1 - battery?
I2C5 0x0C - SARA / TIC1
I2C5 0x1A - AUDI - wolfson
I2C5 0x2D - Power resource / PMUD / TR3_(RTC) - PMIC
I2C5 0x4C - THEM / TI2C
I2C5 0x60 - PMUD - PMIC2

GPIOs

Interrupts

Power Resources

PRS1
- PD7 - ESD1
- PRCN - PMIC(I2C5)
  - LDO5 - SD Regulator 1V8-3V3
PRMU
- PD7 - ESD1
PRTU
- PD1- ESD1
- PD2 - ESD2
PRI5
PRTC

GFXC: PR6 LDO1 PR7 LDO2 PBB4 E1V8

WDSA

Contains information about tCover and gets loaded when the tCover detect Interrupt triggers. Tables gets unloaded if tCover gets disconnected

MADT / APIC

The Multiple APIC (Advanced Programmable Interrupt Controller) Description Table

Usage

This table is used for the ACPI Parking Protocol. It is a protocol that allows parked CPU cores to be unparked. The parked state doesn't allow the CPU cores to execute any code, they are "disabled".

The document that describes the ACPI Parking Protocol is here: Multi-processor Startup for ARM Platforms

The grate-driver/linux GitHub repository contains a working arm32 version of the ACPI Parking Protocol (Link points to the source file). It allows the usage of SMP on the Surface RT and on other arm32 Windows RT devices. (When you boot Linux from UEFI; not used in APX mode).

Table contents

Processor Cores

The following table describes the MADT entries of the 4 CPU cores. The ACPI Parking Protocol only requires to unpark CPU1-3, as CPU0 is already in use.

CPU0

CPU1

CPU2

CPU3

Subtable Type

(0B = Generic Interrupt Controller)

0x0B

Subtable Length

0x28

Reserved

0x0

CPU Interface Number

0x0

0x1

0x2

0x3

Processor UID

0x0

0x1

0x2

0x3

Processor Enabled

True (1)

Performance Interrupt Trigger Mode

False (0)

Virtual GIC Interrupt Trigger Mode

False (0)

Parking Protocol Version

1.0

Performance Interrupt

Parked Address

0x82001000

0x82002000

0x82003000

0x82004000

Base Address

0x0

Generic Interrupt Distributor

The MADT table has an entry about the Generic Interrupt Distributor. Here are the contents:

Generic Interrupt Distributor

Subtable Type

(0C = Generic Interrupt Distributor)

0x0C

Length

0x18

Reserved

0x0

Local GIC Hardware ID

0x0

Base Address

0x50041000

Interrupt Base

0x0

Version

0.0

Reserved (x2)

0x0

Not interesting (yet)

These tables aren't needed yet since we deal with basic hardware stuff at the moment

BGRT

CSRT

DBG2

FACP

FPDT

MSDM

RSDP

TMP2

XSDT

Memory Mapping

lsefimmap on SurfaceRT

Good reading - https://people.kernel.org/linusw/how-the-arm32-kernel-starts

Surface RT UEFI Memory Map

Type       Start            End              # Pages          Attributes
RT_Code    0000000080000000-0000000082000FFF 0000000000002001 800000000000000F
Reserved   0000000082001000-0000000082005FFF 0000000000000005 000000000000000F
BS_Data    0000000082006000-0000000082006FFF 0000000000000001 000000000000000F
LoaderData 0000000082007000-0000000082009FFF 0000000000000003 000000000000000F
Available  000000008200A000-000000008200BFFF 0000000000000002 000000000000000F
LoaderData 000000008200C000-000000008200FFFF 0000000000000004 000000000000000F
BS_Data    0000000082010000-000000008218BFFF 000000000000017C 000000000000000F
LoaderData 000000008218C000-0000000082231FFF 00000000000000A6 000000000000000F
Available  0000000082232000-0000000082233FFF 0000000000000002 000000000000000F
LoaderData 0000000082234000-0000000082257FFF 0000000000000024 000000000000000F
Available  0000000082258000-000000008228BFFF 0000000000000034 000000000000000F
LoaderData 000000008228C000-000000008238BFFF 0000000000000100 000000000000000F
Available  000000008238C000-000000008240BFFF 0000000000000080 000000000000000F
LoaderData 000000008240C000-000000008240CFFF 0000000000000001 000000000000000F
Available  000000008240D000-0000000082414FFF 0000000000000008 000000000000000F
LoaderData 0000000082415000-0000000082420FFF 000000000000000C 000000000000000F
Available  0000000082421000-0000000082430FFF 0000000000000010 000000000000000F
LoaderData 0000000082431000-000000008243CFFF 000000000000000C 000000000000000F
Available  000000008243D000-00000000FB499FFF 000000000007905D 000000000000000F
LoaderData 00000000FB49A000-00000000FB61EFFF 0000000000000185 000000000000000F
LoaderCode 00000000FB61F000-00000000FB710FFF 00000000000000F2 000000000000000F
Available  00000000FB711000-00000000FB744FFF 0000000000000034 000000000000000F
BS_Data    00000000FB745000-00000000FB75BFFF 0000000000000017 000000000000000F
Available  00000000FB75C000-00000000FB764FFF 0000000000000009 000000000000000F
BS_Data    00000000FB765000-00000000FB765FFF 0000000000000001 000000000000000F
Available  00000000FB766000-00000000FB767FFF 0000000000000002 000000000000000F
BS_Data    00000000FB768000-00000000FC3D7FFF 0000000000000C70 000000000000000F
Reserved   00000000FC3D8000-00000000FC3D9FFF 0000000000000002 000000000000000F
BS_Data    00000000FC3DA000-00000000FC3E3FFF 000000000000000A 000000000000000F
ACPI_Recl  00000000FC3E4000-00000000FC3E4FFF 0000000000000001 000000000000000F
BS_Data    00000000FC3E5000-00000000FC3FFFFF 000000000000001B 000000000000000F
Unusable   00000000FC400000-00000000FD3FFFFF 0000000000001000 000000000000000F
BS_Code    00000000FD400000-00000000FD528FFF 0000000000000129 000000000000000F
BS_Data    00000000FD529000-00000000FD5B0FFF 0000000000000088 000000000000000F
ACPI_Recl  00000000FD5B1000-00000000FD5B1FFF 0000000000000001 000000000000000F
BS_Data    00000000FD5B2000-00000000FD5B7FFF 0000000000000006 000000000000000F
LoaderData 00000000FD5B8000-00000000FD5BBFFF 0000000000000004 000000000000000F
BS_Data    00000000FD5BC000-00000000FD5C2FFF 0000000000000007 000000000000000F
ACPI_Recl  00000000FD5C3000-00000000FD5C5FFF 0000000000000003 000000000000000F
BS_Data    00000000FD5C6000-00000000FD5C9FFF 0000000000000004 000000000000000F
BS_Code    00000000FD5CA000-00000000FD60EFFF 0000000000000045 000000000000000F
BS_Data    00000000FD60F000-00000000FD610FFF 0000000000000002 000000000000000F
BS_Code    00000000FD611000-00000000FD611FFF 0000000000000001 000000000000000F
BS_Data    00000000FD612000-00000000FD612FFF 0000000000000001 000000000000000F
BS_Code    00000000FD613000-00000000FD633FFF 0000000000000021 000000000000000F
BS_Data    00000000FD634000-00000000FD637FFF 0000000000000004 000000000000000F
BS_Code    00000000FD638000-00000000FD644FFF 000000000000000D 000000000000000F
BS_Data    00000000FD645000-00000000FD646FFF 0000000000000002 000000000000000F
BS_Code    00000000FD647000-00000000FD647FFF 0000000000000001 000000000000000F
BS_Data    00000000FD648000-00000000FD66EFFF 0000000000000027 000000000000000F
BS_Code    00000000FD66F000-00000000FD676FFF 0000000000000008 000000000000000F
BS_Data    00000000FD677000-00000000FD677FFF 0000000000000001 000000000000000F
RT_Code    00000000FD678000-00000000FD686FFF 000000000000000F 800000000000000F
BS_Data    00000000FD687000-00000000FD687FFF 0000000000000001 000000000000000F
BS_Code    00000000FD688000-00000000FD688FFF 0000000000000001 000000000000000F
BS_Data    00000000FD689000-00000000FD68AFFF 0000000000000002 000000000000000F
BS_Code    00000000FD68B000-00000000FD730FFF 00000000000000A6 000000000000000F
RT_Data    00000000FD731000-00000000FD7B0FFF 0000000000000080 800000000000000F
BS_Code    00000000FD7B1000-00000000FD7CCFFF 000000000000001C 000000000000000F
BS_Data    00000000FD7CD000-00000000FD7CEFFF 0000000000000002 000000000000000F
BS_Code    00000000FD7CF000-00000000FD7D4FFF 0000000000000006 000000000000000F
BS_Data    00000000FD7D5000-00000000FD8DFFFF 000000000000010B 000000000000000F
ACPI_Recl  00000000FD8E0000-00000000FD8EBFFF 000000000000000C 000000000000000F
BS_Data    00000000FD8EC000-00000000FD906FFF 000000000000001B 000000000000000F
ACPI_Recl  00000000FD907000-00000000FD907FFF 0000000000000001 000000000000000F
Reserved   00000000FD908000-00000000FD908FFF 0000000000000001 000000000000000F
BS_Data    00000000FD909000-00000000FD909FFF 0000000000000001 000000000000000F
ACPI_Recl  00000000FD90A000-00000000FD90BFFF 0000000000000002 000000000000000F
ACPI_NVS   00000000FD90C000-00000000FD90CFFF 0000000000000001 000000000000000F
ACPI_Recl  00000000FD90D000-00000000FD90DFFF 0000000000000001 000000000000000F
BS_Data    00000000FD90E000-00000000FD90EFFF 0000000000000001 000000000000000F
ACPI_Recl  00000000FD90F000-00000000FD90FFFF 0000000000000001 000000000000000F
BS_Data    00000000FD910000-00000000FE2EBFFF 00000000000009DC 000000000000000F
ACPI_Recl  00000000FE2EC000-00000000FE2ECFFF 0000000000000001 000000000000000F
BS_Data    00000000FE2ED000-00000000FE312FFF 0000000000000026 000000000000000F
Available  00000000FE313000-00000000FE31CFFF 000000000000000A 000000000000000F
BS_Data    00000000FE31D000-00000000FEED4FFF 0000000000000BB8 000000000000000F
BS_Code    00000000FEED5000-00000000FF064FFF 0000000000000190 000000000000000F
RT_Code    00000000FF065000-00000000FF08CFFF 0000000000000028 800000000000000F
RT_Data    00000000FF08D000-00000000FF0DCFFF 0000000000000050 800000000000000F
BS_Data    00000000FF0DD000-00000000FF0DDFFF 0000000000000001 000000000000000F
BS_Code    00000000FF0DE000-00000000FF0F4FFF 0000000000000017 000000000000000F
BS_Data    00000000FF0F5000-00000000FF7DAFFF 00000000000006E6 000000000000000F
Available  00000000FF7DB000-00000000FFED2FFF 00000000000006F8 000000000000000F
Reserved   00000000FFED3000-00000000FFED7FFF 0000000000000005 000000000000000F
BS_Data    00000000FFED8000-00000000FFEDBFFF 0000000000000004 000000000000000F
Available  00000000FFEDC000-00000000FFEDFFFF 0000000000000004 000000000000000F
BS_Data    00000000FFEE0000-00000000FFEFFFFF 0000000000000020 000000000000000F
MMIO       0000000040000000-000000004003FFFF 0000000000000040 8000000000000001
MMIO       0000000060005000-0000000060007FFF 0000000000000003 8000000000000001
MMIO       000000006000D000-000000006000DFFF 0000000000000001 8000000000000001
MMIO       0000000070003000-0000000070003FFF 0000000000000001 8000000000000001
MMIO       000000007000D000-000000007000EFFF 0000000000000002 8000000000000001
MMIO       0000000078000000-0000000078000FFF 0000000000000001 8000000000000001
 
  Reserved  :             13 Pages (53,248 Bytes)
  LoaderCode:            242 Pages (991,232 Bytes)
  LoaderData:            883 Pages (3,616,768 Bytes)
  BS_Code   :          1,046 Pages (4,284,416 Bytes)
  BS_Data   :         11,494 Pages (47,079,424 Bytes)
  RT_Code   :          8,248 Pages (33,783,808 Bytes)
  RT_Data   :            208 Pages (851,968 Bytes)
  ACPI_Recl :             23 Pages (94,208 Bytes)
  ACPI_NVS  :              1 Pages (4,096 Bytes)
  MMIO      :             72 Pages (294,912 Bytes)
  MMIO_Port :              0 Pages (0 Bytes)
  PalCode   :              0 Pages (0 Bytes)
  Available :        497,778 Pages (2,038,898,688 Bytes)
  Persistent:              0 Pages (0 Bytes)
              -------------- 
Total Memory:          2,030 MB (2,129,604,608 Bytes)

16KB

memmap.txt

Device Tables

Extraction

The extraction of these tables was done with UEFI shell. Because there is no display output on the sRT unless you patch the GOP we used a startup script. You can download these files in zip below.

You can get information about the commands used here: https://www.uefi.org/sites/default/files/resources/UEFI_Shell_2_2.pdf (Chapter 5)

276KB

device-table-extraction.zip

Output

PinMux

Pinmux dump taken from UEFI boot

10KB

pinmuxUEFIShell.txt

Compiling GRUB2

We have a working uBoot, and Kernel, work on UEFI GRUB booting is deprecated for the moment

We will use a pre-patched GRUB from https://github.com/coherixmatts/grub-2.04 as this will work out of the box on both the SurfaceRT and SurfaceRT2

You will need to have installed the compiler tools and libraries noted in Cross Compiling We recommend using a small Debian or Ubuntu machine or similar for development. A Raspberry PI4 is quite a good option.

git clone https://github.com/coherixmatts/grub-2.04 cd grub-2.04 ./bootstrap ./configure --with-platform=efi --target=arm-linux-gnueabihf --enable-mm-debug --enable-boot-time

Grub should compile successfully and you should see something similar to the results below: ******************************************************* GRUB2 will be compiled with following components: Platform: arm-efi With devmapper support: Yes With memory debugging: Yes With disk cache statistics: No With boot time statistics: Yes efiemu runtime: No (not available on efi) grub-mkfont: Yes grub-mount: Yes starfield theme: Yes With DejaVuSans font from /usr/share/fonts/truetype/ttf-dejavu/DejaVuSans.ttf With libzfs support: No (need zfs library) Build-time grub-mkfont: Yes With unifont from /usr/share/fonts/X11/misc/unifont.pcf.gz With liblzma from -llzma (support for XZ-compressed mips images) *******************************************************

We now need to compile grub as below:

make cd grub-core ../grub-mkimage -O arm-efi -d . -o grub.efi -p / part_gpt part_msdos ntfs ntfscomp hfsplus fat ext2 normal chain boot configfile linux gfxterm videoinfo efi_gop all_video video video_fb loadenv help reboot raid6rec raid5rec mdraid1x mdraid09 lvm diskfilter zfsinfo zfscrypt gcry_rijndael gcry_sha1 zfs true test sleep search search_fs_uuid search_fs_file search_label png password_pbkdf2 gcry_sha512 pbkdf2 part_apple minicmd memdisk lsacpi lssal lsefisystab lsefimmap lsefi disk keystatus jpeg iso9660 halt gfxterm_background gfxmenu trig bitmap_scale video_colors bitmap font fshelp efifwsetup echo terminal gettext efinet net priority_queue datetime bufio cat btrfs gzio lzopio crypto acpi extcmd mmap

The compiled grub.efi should now be in the current directory. Rename that file to boot.efi and copy to the root of a prepared USB for testing. A pre-compiled GRUB2 that will work on SurfaceRT and SurfaceRT2 is below:

732KB

boot.efi

MADT / APIC

The Multiple APIC (Advanced Programmable Interrupt Controller) Description Table

Usage

This table is used for the ACPI Parking Protocol. It is a protocol that allows parked CPU cores to be unparked. The parked state doesn't allow the CPU cores to execute any code, they are "disabled".

The document that describes the ACPI Parking Protocol is here: Multi-processor Startup for ARM Platforms

Table contents

Processor Cores

The following table describes the MADT entries of the 4 CPU cores. The ACPI Parking Protocol only requires to unpark CPU1-3, as CPU0 is already in use.

CPU0

CPU1

CPU2

CPU3

Subtable Type

(0B = Generic Interrupt Controller)

0x0B

Subtable Length

0x28

Reserved

0x0

CPU Interface Number

0x0

0x1

0x2

0x3

Processor UID

0x0

0x1

0x2

0x3

Processor Enabled

True (1)

Performance Interrupt Trigger Mode

False (0)

Virtual GIC Interrupt Trigger Mode

False (0)

Parking Protocol Version

1.0

Performance Interrupt

Parked Address

0x82001000

0x82002000

0x82003000

0x82004000

Base Address

0x0

Generic Interrupt Distributor

The MADT table has an entry about the Generic Interrupt Distributor. Here are the contents:

Generic Interrupt Distributor

Subtable Type

(0C = Generic Interrupt Distributor)

0x0C

Length

0x18

Reserved

0x0

Local GIC Hardware ID

0x0

Base Address

0x50041000

Interrupt Base

0x0

Version

0.0

Reserved (x2)

0x0

Memory Mapping

lsefimmap on SurfaceRT

Good reading - https://people.kernel.org/linusw/how-the-arm32-kernel-starts

Surface RT UEFI Memory Map

Type       Start            End              # Pages          Attributes
RT_Code    0000000080000000-0000000082000FFF 0000000000002001 800000000000000F
Reserved   0000000082001000-0000000082005FFF 0000000000000005 000000000000000F
BS_Data    0000000082006000-0000000082006FFF 0000000000000001 000000000000000F
LoaderData 0000000082007000-0000000082009FFF 0000000000000003 000000000000000F
Available  000000008200A000-000000008200BFFF 0000000000000002 000000000000000F
LoaderData 000000008200C000-000000008200FFFF 0000000000000004 000000000000000F
BS_Data    0000000082010000-000000008218BFFF 000000000000017C 000000000000000F
LoaderData 000000008218C000-0000000082231FFF 00000000000000A6 000000000000000F
Available  0000000082232000-0000000082233FFF 0000000000000002 000000000000000F
LoaderData 0000000082234000-0000000082257FFF 0000000000000024 000000000000000F
Available  0000000082258000-000000008228BFFF 0000000000000034 000000000000000F
LoaderData 000000008228C000-000000008238BFFF 0000000000000100 000000000000000F
Available  000000008238C000-000000008240BFFF 0000000000000080 000000000000000F
LoaderData 000000008240C000-000000008240CFFF 0000000000000001 000000000000000F
Available  000000008240D000-0000000082414FFF 0000000000000008 000000000000000F
LoaderData 0000000082415000-0000000082420FFF 000000000000000C 000000000000000F
Available  0000000082421000-0000000082430FFF 0000000000000010 000000000000000F
LoaderData 0000000082431000-000000008243CFFF 000000000000000C 000000000000000F
Available  000000008243D000-00000000FB499FFF 000000000007905D 000000000000000F
LoaderData 00000000FB49A000-00000000FB61EFFF 0000000000000185 000000000000000F
LoaderCode 00000000FB61F000-00000000FB710FFF 00000000000000F2 000000000000000F
Available  00000000FB711000-00000000FB744FFF 0000000000000034 000000000000000F
BS_Data    00000000FB745000-00000000FB75BFFF 0000000000000017 000000000000000F
Available  00000000FB75C000-00000000FB764FFF 0000000000000009 000000000000000F
BS_Data    00000000FB765000-00000000FB765FFF 0000000000000001 000000000000000F
Available  00000000FB766000-00000000FB767FFF 0000000000000002 000000000000000F
BS_Data    00000000FB768000-00000000FC3D7FFF 0000000000000C70 000000000000000F
Reserved   00000000FC3D8000-00000000FC3D9FFF 0000000000000002 000000000000000F
BS_Data    00000000FC3DA000-00000000FC3E3FFF 000000000000000A 000000000000000F
ACPI_Recl  00000000FC3E4000-00000000FC3E4FFF 0000000000000001 000000000000000F
BS_Data    00000000FC3E5000-00000000FC3FFFFF 000000000000001B 000000000000000F
Unusable   00000000FC400000-00000000FD3FFFFF 0000000000001000 000000000000000F
BS_Code    00000000FD400000-00000000FD528FFF 0000000000000129 000000000000000F
BS_Data    00000000FD529000-00000000FD5B0FFF 0000000000000088 000000000000000F
ACPI_Recl  00000000FD5B1000-00000000FD5B1FFF 0000000000000001 000000000000000F
BS_Data    00000000FD5B2000-00000000FD5B7FFF 0000000000000006 000000000000000F
LoaderData 00000000FD5B8000-00000000FD5BBFFF 0000000000000004 000000000000000F
BS_Data    00000000FD5BC000-00000000FD5C2FFF 0000000000000007 000000000000000F
ACPI_Recl  00000000FD5C3000-00000000FD5C5FFF 0000000000000003 000000000000000F
BS_Data    00000000FD5C6000-00000000FD5C9FFF 0000000000000004 000000000000000F
BS_Code    00000000FD5CA000-00000000FD60EFFF 0000000000000045 000000000000000F
BS_Data    00000000FD60F000-00000000FD610FFF 0000000000000002 000000000000000F
BS_Code    00000000FD611000-00000000FD611FFF 0000000000000001 000000000000000F
BS_Data    00000000FD612000-00000000FD612FFF 0000000000000001 000000000000000F
BS_Code    00000000FD613000-00000000FD633FFF 0000000000000021 000000000000000F
BS_Data    00000000FD634000-00000000FD637FFF 0000000000000004 000000000000000F
BS_Code    00000000FD638000-00000000FD644FFF 000000000000000D 000000000000000F
BS_Data    00000000FD645000-00000000FD646FFF 0000000000000002 000000000000000F
BS_Code    00000000FD647000-00000000FD647FFF 0000000000000001 000000000000000F
BS_Data    00000000FD648000-00000000FD66EFFF 0000000000000027 000000000000000F
BS_Code    00000000FD66F000-00000000FD676FFF 0000000000000008 000000000000000F
BS_Data    00000000FD677000-00000000FD677FFF 0000000000000001 000000000000000F
RT_Code    00000000FD678000-00000000FD686FFF 000000000000000F 800000000000000F
BS_Data    00000000FD687000-00000000FD687FFF 0000000000000001 000000000000000F
BS_Code    00000000FD688000-00000000FD688FFF 0000000000000001 000000000000000F
BS_Data    00000000FD689000-00000000FD68AFFF 0000000000000002 000000000000000F
BS_Code    00000000FD68B000-00000000FD730FFF 00000000000000A6 000000000000000F
RT_Data    00000000FD731000-00000000FD7B0FFF 0000000000000080 800000000000000F
BS_Code    00000000FD7B1000-00000000FD7CCFFF 000000000000001C 000000000000000F
BS_Data    00000000FD7CD000-00000000FD7CEFFF 0000000000000002 000000000000000F
BS_Code    00000000FD7CF000-00000000FD7D4FFF 0000000000000006 000000000000000F
BS_Data    00000000FD7D5000-00000000FD8DFFFF 000000000000010B 000000000000000F
ACPI_Recl  00000000FD8E0000-00000000FD8EBFFF 000000000000000C 000000000000000F
BS_Data    00000000FD8EC000-00000000FD906FFF 000000000000001B 000000000000000F
ACPI_Recl  00000000FD907000-00000000FD907FFF 0000000000000001 000000000000000F
Reserved   00000000FD908000-00000000FD908FFF 0000000000000001 000000000000000F
BS_Data    00000000FD909000-00000000FD909FFF 0000000000000001 000000000000000F
ACPI_Recl  00000000FD90A000-00000000FD90BFFF 0000000000000002 000000000000000F
ACPI_NVS   00000000FD90C000-00000000FD90CFFF 0000000000000001 000000000000000F
ACPI_Recl  00000000FD90D000-00000000FD90DFFF 0000000000000001 000000000000000F
BS_Data    00000000FD90E000-00000000FD90EFFF 0000000000000001 000000000000000F
ACPI_Recl  00000000FD90F000-00000000FD90FFFF 0000000000000001 000000000000000F
BS_Data    00000000FD910000-00000000FE2EBFFF 00000000000009DC 000000000000000F
ACPI_Recl  00000000FE2EC000-00000000FE2ECFFF 0000000000000001 000000000000000F
BS_Data    00000000FE2ED000-00000000FE312FFF 0000000000000026 000000000000000F
Available  00000000FE313000-00000000FE31CFFF 000000000000000A 000000000000000F
BS_Data    00000000FE31D000-00000000FEED4FFF 0000000000000BB8 000000000000000F
BS_Code    00000000FEED5000-00000000FF064FFF 0000000000000190 000000000000000F
RT_Code    00000000FF065000-00000000FF08CFFF 0000000000000028 800000000000000F
RT_Data    00000000FF08D000-00000000FF0DCFFF 0000000000000050 800000000000000F
BS_Data    00000000FF0DD000-00000000FF0DDFFF 0000000000000001 000000000000000F
BS_Code    00000000FF0DE000-00000000FF0F4FFF 0000000000000017 000000000000000F
BS_Data    00000000FF0F5000-00000000FF7DAFFF 00000000000006E6 000000000000000F
Available  00000000FF7DB000-00000000FFED2FFF 00000000000006F8 000000000000000F
Reserved   00000000FFED3000-00000000FFED7FFF 0000000000000005 000000000000000F
BS_Data    00000000FFED8000-00000000FFEDBFFF 0000000000000004 000000000000000F
Available  00000000FFEDC000-00000000FFEDFFFF 0000000000000004 000000000000000F
BS_Data    00000000FFEE0000-00000000FFEFFFFF 0000000000000020 000000000000000F
MMIO       0000000040000000-000000004003FFFF 0000000000000040 8000000000000001
MMIO       0000000060005000-0000000060007FFF 0000000000000003 8000000000000001
MMIO       000000006000D000-000000006000DFFF 0000000000000001 8000000000000001
MMIO       0000000070003000-0000000070003FFF 0000000000000001 8000000000000001
MMIO       000000007000D000-000000007000EFFF 0000000000000002 8000000000000001
MMIO       0000000078000000-0000000078000FFF 0000000000000001 8000000000000001
 
  Reserved  :             13 Pages (53,248 Bytes)
  LoaderCode:            242 Pages (991,232 Bytes)
  LoaderData:            883 Pages (3,616,768 Bytes)
  BS_Code   :          1,046 Pages (4,284,416 Bytes)
  BS_Data   :         11,494 Pages (47,079,424 Bytes)
  RT_Code   :          8,248 Pages (33,783,808 Bytes)
  RT_Data   :            208 Pages (851,968 Bytes)
  ACPI_Recl :             23 Pages (94,208 Bytes)
  ACPI_NVS  :              1 Pages (4,096 Bytes)
  MMIO      :             72 Pages (294,912 Bytes)
  MMIO_Port :              0 Pages (0 Bytes)
  PalCode   :              0 Pages (0 Bytes)
  Available :        497,778 Pages (2,038,898,688 Bytes)
  Persistent:              0 Pages (0 Bytes)
              -------------- 
Total Memory:          2,030 MB (2,129,604,608 Bytes)

16KB

memmap.txt