Award BIOS Reverse Engineering Contents
Contents
1. Expand_Bios checksum loop, continued from the segment 8000h/1000h checksum above:
F000:E53C  add ah, al                 ; calc 8-bit chksum, cont'd from chksum above
F000:E53E  loop next_seg1000h_byte    ; loop while CX != 0
F000:E540  cmp bh, 20h                ; is 64KB seg_F000 reached?
           jnb _1000h_chksum_done
F000:E545  add bh, 10h                ; no, calc'ing in next segment
F000:E548  mov ds, bx
Copyright 2004 and published by the CodeBreakers Journal. Single print or electronic copies for personal use only are permitted. Reproduction and distribution without permission is prohibited. The CodeBreakers Journal, Vol. 1, No. 2, 2004.
F000:E54A  assume ds:nothing
F000:E54A  mov cx, 7FFEh              ; calc seg_F000 chksum only until 7FFEh
F000:E54D  jmp short next_seg1000h_byte
F000:E54F  _1000h_chksum_done:        ; CODE XREF: Expand_Bios+31
F000:E54F  cmp ah, [si]               ; cmp calc'd chksum and chksum pointed to by si at F000:7FFEh,
                                      ; i.e. the chksum for the bios binary from 00000h to 37FFDh (C000:0h - F000:7FFDh)
           jnz BIOS_cksm_error        ; Jump if Not Zero (ZF=0)
The following are the key parts of the decompression routine:
Address    Assembly Code
F000:E512  Expand_Bios proc near
F000:E555  mov bx, 0                  ; mov bx, Temp_VGA_Seg
F000:E558  mov es, bx                 ; es = 0000h
F000:E55A  assume es:nothing
F000:E55A  mov word ptr es:[7004h], 0FFFFh   ; mov word ptr es:[Temp_VGA_Off+4], 0FFFFh
F000:E561  xor al, al                 ; clr expand flag
F000:E563  mov bx, 1000h
2. POST_decompress (original.tmp), continued:
E000:6E74  pop ax                     ; ax = di
E000:6E75  mov ebx, es:[di+6000h]     ; mov ebx, es:[di+Temp_EXP_Off]
                                      ; ebx = 0008xxxxh = compressed offset of nnoprom.bin
E000:6E7B  or ebx, ebx                ; Logical Inclusive OR
E000:6E7E  jz Decomp_Data_Empty       ; Jump if Zero (ZF=1)
E000:6E82  cmp bx, 0FFFFh             ; Compare Two Operands
E000:6E85  jz Decomp_Data_Empty       ; Jump if Zero (ZF=1)
E000:6E89  test ah, 40h               ; 1st pass: ah = 00h (ax = A0h)
E000:6E8C  jz Go_on                   ; 1st pass: this jump is taken
E000:6E8E  clc                        ; Clear Carry Flag
E000:6E8E  jmp POST_decomp_Ret
E000:6E92  Go_on:                     ; CODE XREF: POST_decompress+43
E000:6E92  mov di, es:[di+6000h]      ; di = offset_Expand (decompression engine offset addr saved by bootblock)
E000:6E97  mov esi, ds:[160000h]      ; mov esi, awardext.rom 4-byte hdr
E000:6E9F  not esi                    ; One's Complement Negation
E000:6EA2  mov ds:[80000h], esi
E000:6EAA  cmp ebx, 100000h           ; ExpSeg:CompOffset, ebx = 8xxxxh
E000:6EB1  jb Is_New_Decomp_Method    ; 1st pass: this jmp IS taken
E000:6EB3  push di                    ; save offset_Expand to stack
E000:6EB4  mov esi, 90000h            ; ds:esi = 90000h, last 64KB of Ext_BIOS
E000:6EBA  mov edi, 140000h           ; es:edi = 140000h
E000:6EC0  mov ecx, 4000h             ; copy last 64 KB of Ext_BIOS to 140000h-14FFFFh
E000:6EC6  cld                        ; Clear Direction Flag
E000:6EC7  rep movs dword ptr es:[edi], dword ptr [esi]   ; Move Byte(s) from String to String
E000:6ECB  mov esi, 160000h           ; ds:esi = ...
3. EPA_Procedure (original.tmp):             ; CODE XREF: +43, +5E
E000:6E49  EPA_Procedure proc near
E000:6E49  push ds
E000:6E4A  push es
E000:6E4B  push bp
E000:6E4C  push di                    ; store DI
E000:6E4D  push si                    ; store SI
E000:6E4E  and di, 3FFFh              ; mask DI bit 14 and 15; 1st pass di = A0h
E000:6E52  cli                        ; Clear Interrupt Flag
E000:6E53  mov al, 0FFh               ; mov al, TRUE
E000:6E55  call F000_Cpu_Cache        ; enable caching
E000:6E58  push 0E000h
E000:6E5B  push 6E69h
E000:6E5E  push 0EC31h
E000:6E61  push 0E3D4h                ; A20_On
E000:6E64  jmp far ptr F000_call      ; turn on gate A20
E000:6E69  call E000_enter_FlatPMode  ; Call Procedure
E000:6E6C  mov ax, ds
E000:6E6E  mov es, ax                 ; es = ds = flat 4GB addr space, base_addr 0000 0000h
E000:6E70  assume es:nothing
E000:6E70  call E000_Back_to_RealMode ; restore ss
E000:6E73  pop dx                     ; dx = si
4. Tail of Expand_Bios (CODE XREF: +89, +90) and the start of BootBlock_Expand. The comment column of this part survives only in fragments: "decompress awardext.rom", "ExpSegment processed", "jz rom not found", "mov ax, 5000h on success", "clc", "retn", "this input likely isn't a LZH", "expand lower 128KB, this routine only", "es = 2000h = seg_F000h", "chksum byte size", "Extern_execute2", "BIOS_cksm_error".
F000:E5AD  ...                        ; decompress awardext.rom (Expand_else_Over)
F000:E5B8  Expand_Bios endp
Address    Assembly Code
F000:E5B9  BootBlock_Expand proc near
F000:E5B9  cmp dword ptr es:[bx+0Fh], 40000000h   ; 1st: addr contains 5000 0000h (decomp_Seg:Offset);
                                      ; 4000 0000h is an extension component
F000:E5C2  jnz not_40000000h          ; this jump is taken
F000:E5EA  not_40000000h:             ; CODE XREF: BootBlock_Expand+9
F000:E5EA  mov dx, 3000h              ; decomp scratch pad; mov dx, Exp_Data_Seg
F000:E5ED  push ax
F000:E5EE  push es
F000:E5EF  call Search_BBSS_label     ; on return si = 7D06h (cs:di = 2000:7D06h, bios in ram)
F000:E5F2  pop es
F000:E5F3  assume es:nothing
F000:E5F3  push es
F000:E5F4  mov ax, es
5. Expand (the LZH decompression engine), end of routine:
F000:78E1  Not_Store:                 ; CODE XREF: Expand+127
F000:78E1  push word ptr ds:[104h]    ; push word ptr TgtSegment
F000:78E5  push word ptr ds:[106h]    ; push word ptr TgtOffset
F000:78E9  push large dword ptr ds:[314h]   ; push dword ptr origsize
F000:78EE                             ; extract content from compressed file
F000:78EE  call Extract               ; call LZH decompression routine
F000:78F1  pop dword ptr ds:[314h]    ; pop dword ptr origsize
F000:78F6  pop word ptr ds:[106h]     ; pop word ptr TgtOffset
F000:78FA  pop word ptr ds:[104h]     ; pop word ptr TgtSegment
F000:78FE  Expand_Over:               ; CODE XREF: Expand+156
F000:78FE  call ZeroFill_32K_mem      ; zero fill 32K in segment pointed by ds, i.e. clean up scratch pad RAM
F000:7901  pop ecx                    ; ecx = total compressed size; restore CX
F000:7903  pop edx
F000:7905  clc                        ; decompression success
F000:7906  exit_proc:
F000:7906  pop es
F000:7907  pop bx
F000:7908  pop eax
F000:790A  retn                       ; Return Near from Procedure
F000:790A  Expand endp
The lines marked in blue color are the lines which are executed when this decompression engine is invoked from within original.tmp, as in this nnoprom.bin decompression process. The lines marked with red color i
6. POST_decompress, continued (addr of last Ext_BIOS 128KB):
E000:6ED1  mov edi, 80000h            ; es:edi = target addr
E000:6ED7  mov ecx, 8000h             ; copy 128KB from 160000h-17FFFFh to 80000h-9FFFFh
E000:6EDD  cld                        ; Clear Direction Flag
E000:6EDE  rep movs dword ptr es:[edi], dword ptr [esi]   ; Move Byte(s) from String to String
E000:6EE2  pop di                     ; di = offset_Expand
E000:6EE3  ror ebx, 10h               ; Rotate Right
E000:6EE7  mov es, bx                 ; es = ExpSegment of the compressed component
E000:6EE9  assume es:nothing
E000:6EE9  ror ebx, 10h               ; restore ebx
E000:6EED  mov cx, es:[bx+11h]        ; store decompress_segment for checksum recalculation
E000:6EF1  push cx                    ; store it to stack
E000:6EF2  push word ptr es:[bx]      ; store original checksum value
E000:6EF5  test ah, 80h               ; test: is SI available?
E000:6EF8  jz decompress              ; 1st pass: this jmp is taken
E000:6EFA  mov es:[bx+11h], dx        ; reset decompress segment
E000:6EFE  add cl, ch                 ; original segment of checksum
E000:6F00  add dl, dh                 ; new segment of checksum
E000:6F02  sub cl, dh                 ; difference segment of checksum
E000:6F04  sub es:[bx+1], cl          ; recalculate checksum
E000:6F08  jmp short decompress       ; no, skip: process SI
7. Expand_Bios, first and second decompression pass:
F000:E566  mov es, bx                 ; es = 1000h = SrcSegment, i.e. seg_E000h
F000:E568  assume es:nothing
F000:E568  xor bx, bx                 ; bx = 0000h = SrcOffset
F000:E56A  call BootBlock_Expand      ; read compressed original.tmp header and extract original.tmp to segment 5000h;
                                      ; TgtSegment is read from its LZH header;
                                      ; on return ecx = total_component_cmprssd_size
F000:E56D  jb decompression_error     ; Jump if Below (CF=1)
F000:E56F  test ecx, 0FFFF0000h       ; ecx & FFFF 0000h: check against wrong compressed original.tmp size, i.e. < 64 KB
F000:E576  jz decompression_error     ; Jump if Zero (ZF=1)
F000:E578  mov bx, 2000h
F000:E57B  mov es, bx                 ; es = 2000h = SrcSegment, i.e. seg_F000h
F000:E57D  assume es:nothing
F000:E57D  mov bx, 1
F000:E580  jmp short Expand_else
F000:E59D  Expand_else:               ; CODE XREF: Expand_Bios+6E, Expand_Bios+99
F000:E59D  add bx, cx                 ; offset after original.tmp (in RAM) chksum;
                                      ; returns CF=1 since ... compressed component
F000:E59F  call BootBlock_Expand
F000:E5A2  jb Expand_else_Over
F000:E5A4  test ecx, 0FFFF0000h
F000:E5AB  jz Expand_else
F000:E5AD  Expand_else_Over:
8. BootBlock_Expand, complete:
F000:E5B9  BootBlock_Expand proc near
F000:E5B9  cmp dword ptr es:[bx+0Fh], 40000000h   ; 1st: addr contains 5000 0000h (decomp_Seg:Offset);
                                      ; 4000 0000h is an extension component
F000:E5C2  jnz not_40000000h          ; this jump is taken
F000:E5EA  not_40000000h:             ; CODE XREF: BootBlock_Expand+9
F000:E5EA  mov dx, 3000h              ; decomp scratch pad; mov dx, Exp_Data_Seg
F000:E5ED  push ax
F000:E5EE  push es
F000:E5EF  call Search_BBSS_label     ; on return si = 7D06h (cs:di = 2000:7D06h, bios in ram)
F000:E5F2  pop es
F000:E5F3  assume es:nothing
F000:E5F3  push es
F000:E5F4  mov ax, es                 ; ax = 1000h 1st pass, 8000h 2nd pass
F000:E5F6  shr ax, 0Ch                ; ax = 1h 1st pass, 8h 2nd pass
F000:E5F9  mov es, ax                 ; es = 1h 1st pass, 8h 2nd pass
F000:E5FB  assume es:nothing
F000:E5FB  mov ax, es:[si+0Eh]        ; decompression code: ax = 7789h, addr of Expand
F000:E5FF  call ax                    ; decompression engine (call 7789h, i.e. Expand)
F000:E601  pop es                     ; es = 1000h 1st pass, 8000h 2nd pass
F000:E602  assume es:nothing
F000:E602  pop ax
F000:E603  retn                       ; Return Near from Procedure
F000:E603  BootBlock_Expand endp
3. Next, the POST routine POST_8S, a.k.a. Init_Interrupt_Vector in original.tmp, responsible for preparing the decompression, as you can see below:
E000:17B8  init_ivect proc near       ; needed signature for the run-time decompress code
E000:1834  mov bx, 2000h
E000:1837  mov
9. End of BootBlock_Expand and the start of the Expand procedure:
F000:E5F4  mov ax, es                 ; ax = 1000h 1st pass
F000:E5F6  shr ax, 0Ch
F000:E5F9  mov es, ax
F000:E5FB  assume es:nothing
F000:E5FB  mov ax, es:[si+0Eh]        ; decompression code
F000:E5FF  call ax                    ; decompression engine
F000:E601  pop es
F000:E602  assume es:nothing
F000:E602  pop ax
F000:E603  retn                       ; Return Near from Procedure
F000:E603  BootBlock_Expand endp
F000:7789  ; the procedure called at F000:E5FF
F000:7789  Expand proc near
F000:780E  add bx, 12h
F000:7811  call Get_Exp_Src_Byte      ; AL = ExpSegment hi byte
F000:7814  sub bx, 12h                ; first pass: 0000h
F000:7817  cmp al, 40h                ; al == 40h for the original.tmp and awardext.rom components
                                      ; (caveat is here, d00d)
F000:7819  jnz Not_POST_USE           ; original.tmp and awardext.rom; otherwise no
F000:781B  add bx, 11h                ; ExpSegment_lo_byte index
F000:781E  call Get_Exp_Src_Byte      ; ExpSegment_lo_byte
F000:7821  sub bx, 11h
F000:7824  or al, al
F000:7826  jnz Record_to_buffer       ; component jump here
F000:7830  Record_to_buffer:
F000:7830  movzx dx, al               ; ExpSegment_lo_byte
F000:7833  inc bx                     ; header_chksum_index
10. Segment 6000h trampoline (continued) and the third jump variant:
6000:000A  8B 46 04  mov ax, [bp+4]   ; look at 1st inst above
6000:000D  87 46 06  xchg ax, [bp+6]  ; xchg ax, word_pushed_by_org_tmp
6000:0010  89 46 04  mov [bp+4], ax   ; [sp+4] = word_pushed_by_org_tmp
6000:0013  87 EC     xchg bp, sp      ; modify sp
6000:0015  9D        popf             ; Pop Stack into Flags Register
6000:0016  58        pop ax
6000:0017  EB E7     jmp short locret_6000_0   ; jump into word_pushed_by_original.tmp
6000:1829  FA        cli              ; Clear Interrupt Flag
6000:18B3  C3        retn             ; Return Near from Procedure
Third variant: jump from segment 6000h to F000h
Address    Assembly Code
6000:4F60  reinit_chipset proc far
6000:4F60  push ds
6000:4F61  mov ax, 0F000h
6000:4F64  mov ds, ax                 ; ds = F000h
6000:4F66  assume ds:nothing
6000:4F66  mov bx, 0E38h              ; ptr to PCI reg vals, ds:bx = F000:0E38h
6000:4F69  next_PCI_reg:              ; CODE XREF: reinit_chipset+3D
6000:4F69  cmp bx, 0EF5h              ; are we finished?
6000:4F6D  jz exit_PCI_init           ; if yes then exit
6000:4F6F  mov cx, [bx+1]             ; cx = PCI addr to read
6000:4F72  call setup_read_write_PCI  ; on ret ax = F70Bh, di = F729h
6000:4F75  push cs
6000:4F76  push 4F7Fh
6000:4F79  push ax                    ; goto F000:F70B Read_PCI_Byte
6000:4F7A  jmp far ptr 0F000h:6188h   ; goto_seg_F000
6000:4F7F  mov dx, [bx+3]             ; reverse and mask
F000:6188  goto_F000_seg:             ; CODE XREF: HD_init_+3BD, HD_init_+578
F000:6188  68 31 EC  push 0EC31h
F000:618B  50        push ax
11. Check_F_Next (original.tmp) and the segment 6000h trampoline it jumps to:
Address    Assembly Code
           Check_F_Next proc near
           push cs                    ; ret addr below
           push 1743h
           push 1829h                 ; func addr in XGroup (Detect ... )
E000:173B  68 29 18        push 1829h
E000:173E  EA 02 00 00 60  jmp far ptr 6000h:0002h   ; jump to XGroup
E000:1743  F8              clc        ; Clear Carry Flag
E000:1744  C3              retn       ; Return Near from Procedure
           Check_F_Next endp
6000:0000  locret_6000_0:             ; CODE XREF: 6000:0017
6000:0000  C3        retn             ; jump to target procedure
6000:0001  CB        retf             ; back to caller
6000:0002  68 01 00  push 1           ; return addr for retn: addr of retf above
6000:0005  50        push ax
6000:0006  9C        pushf            ; Push Flags Register onto the Stack
6000:0007  FA        cli              ; Clear Interrupt Flag
6000:0008  87 EC     xchg bp, sp      ; Exchange Register/Memory with Register
12. The last thing to note is that what I explain about the bootblock here only covers the normal bootblock code execution path, which means I didn't explain the Bootblock POST that takes place in case original.tmp is corrupted. I'll try to cover it later when I have time to dissect it. This is all about the bootblock right now; from this point on we'll dissect the original.tmp.
6.2 System BIOS a.k.a. Original.tmp
We'll just proceed as in the bootblock above. I'll just highlight the places where the code execution path is obscure. So by now you're looking at the disassembly of the decompressed original.tmp of my BIOS. The entry point from the bootblock:
Address    Hex       Mnemonic
F000:F80D                             ; This code is jumped into by the bootblock code if everything went OK
F000:F80D  E9 02 F6  jmp sysbios_entry_point
This is where the bootblock jumps after relocating and write-protecting the system BIOS. The awardext.rom and extension BIOS components (lower 128KB BIOS code) relocation routine:
Address    Assembly Code
F000:EE12  sysbios_entry_point:       ; CODE XREF: F000:F80D
F000:EE12  mov ax, 0
F000:EE15  mov ss, ax                 ; ss = 0000h
F000:EE17  mov sp, 1000h              ; setup stack at 0:1000h
F000:EE1A  call setup_stack           ; Call Procedure
F000:EE1D
13. GDT descriptor summary (only the descriptor attributes survive from this part): 64KB data segment, R/W, accessed, 16-bit, granularity = 1, segment present, data, DPL = 0 (the same attributes are listed for descriptor 28h).
The memory map is changed once again. This is the relocated compressed BIOS extension (compressed, including the compressed awardext.rom), i.e. this is the copy of FFFC0000h-FFFDFFFFh in the BIOS ROM chip.
At the call to the POST routine, a.k.a. POST jump table execution (the jump-table dump itself did not survive extraction; its entries were at F000:626B-6274):
Address    Assembly Code
           sysbios_entry_point_contd:
           mov cx, 3
           mov di, 61C2h
           call RAM_POST_tests
           jmp short Halt_System
           mov cx, STD_POST_CODE
           mov di, offset STD_POST_TESTS   ; this won't return in normal conditions
           ...                        ; NORMAL_POST_TESTS (EISA/ISA) at ...E68h
The last of these POST routines starts the final section of POST, and thus this call should never return; if it does, we issue a POST code and halt the system.
14. Expand, computing the total compressed size of a component:
F000:788B  mov ecx, ds:[310h]         ; compressed size
F000:7890  xor eax, eax
F000:7893  mov al, ds:[571Ch]         ; compressed header size
F000:7896  add ecx, eax
F000:7899  add ecx, 3                 ; ecx += COMPRESSED_UNKNOWN_BYTE
F000:7899                             ; ecx = total compressed size
F000:789D  mov edx, ds:[3
The comment column of the surrounding listing survives only as fragments: al = header_chksum; restore bx; al = 00h; bx = ExpSegment_lo_byte; dx = ExpSegment_lo_byte; di = 6000h; dx = offset addr in compressed component; cx = ExpSegment; al = header_len; cx = header_len; bx points to compressed component; eax = compressed file size; restore gs; initialize CRC-16 lookup value; read scratchpad RAM; on error something is wrong (reserved); ax = ExpSegment = TgtSegment; ax = ExpOffset = TgtOffset; return when ecx = compsize = 0000 0000h; al = headersize.
15. goto_F000_seg, continued, and the F000 function vector:
F000:618C  9C              pushf      ; Push Flags Register onto the Stack
F000:618D  FA              cli        ; Clear Interrupt Flag
F000:618E  87 EC           xchg bp, sp   ; Exchange Register/Memory with Register
F000:6190  8B 46 04        mov ax, [bp+4]   ; mov ax, EC31h
F000:6193  87 46 06        xchg ax, [bp+6]  ; xchg ret addr and EC31h
F000:6196  89 46 04        mov [bp+4], ax   ; mov [sp+4], [sp+6]
F000:6199  87 EC           xchg bp, sp   ; Exchange Register/Memory with Register
F000:619B  9D              popf       ; Pop Stack into Flags Register
F000:619C  58              pop ax
F000:619D  EA 30 EC 00 F0  jmp far ptr F000_func_vector   ; Jump
F000:EC30  F000_func_vector:          ; CODE XREF: chk_cmos_circuit+3C
F000:EC30  C3              retn       ; jump to target function
F000:EC31  CB              retf       ; return to calling segment:offset 6000:4F7F
F000:F70B  read_PCI_byte proc near    ; CODE XREF: enable_ROM_write+4
F000:F724  retn                       ; Return Near to F000:EC31h
F000:F724  read_PCI_byte endp
• At the chksum_ROM procedure. This procedure is part of the E0_POST_TESTS, which is the POST routine invoked using the POST jump table. There's no immediate return from within this procedure, but a call into Check_F_Next will accomplish the near return needed to proceed into the next POST proc
16. ...Table (GDT) and Interrupt Descriptor Table (IDT), and also how the x86 control and segment registers work. BIOS, particularly Award BIOS, uses them to perform its magic, as later explained in this article.
• What x86 Unreal Mode is. Some people also call this mode of operation Voodoo mode or Flat real mode. It's an x86 state that's between real mode and protected mode. This is partially explained below.
• x86 direct hardware programming. You need to know how to program the hardware directly, especially the chips on your motherboard. You can practice this from within Windows by developing an application that directly accesses the hardware. This is not a must, but it's better if you master it first. You also have to know some x86 bus protocols such as PCI and ISA. I'll explain a bit about the bus protocols below.
• You have to be able to comprehend part, if not all, of the datasheets of your motherboard chips, such as those of the northbridge and southbridge control registers.
1.1 PCI BUS
We'll begin with the PCI bus. I've been working with this stuff for quite a while. The official standard for the PCI bus system is maintained by a board named PCI-SIG (PCI Special Interest Group). This board actually is some sort of cooperation between Intel and some other big corporations such as Microsoft. Anyway, in the near future the PCI bus will be fully replaced by much faster bus systems such as Arapahoe (PCI Express, a.k.a. PCI-e) and Hypertransport. But PCI will
17. Then comes the crucial part. As said above, PCI is a 32-bit bus system, hence we have to use 32-bit chunks of data to communicate with it. We do this by sending the PCI chip a 32-bit address through the eax register, using port CF8h as the port to send this data. Here's an example of the PCI register (sometimes called offset) address format. In the routine above you saw mov eax, 80000064h; the 80000064h is the address. The meaning of these bits is:
bit position   31 | 30-24 | 23-16 | 15-11 | 10-8 | 7-0
binary value    1 | 0000000 | 00000000 | 00000 | 000 | 01100100
The 31st bit is an enable bit. If this bit is set, it means that we are granted to do a write/read transaction through the PCI bus; otherwise we're prohibited to do so. That's why we need an 8 in the leftmost hex digit. Bits 30-24 are reserved bits. Bits 23-16 are the PCI bus number. Bits 15-11 are the PCI device number. Bits 10-8 are the PCI function number. Bits 7-0 are the offset address. Now we'll examine the previous value that was sent. If you're curious, you'll find out that 80000064h means we're communicating with the device in bus 0, device 0, function 0, at offset 64h. Actually this is the memory controller configuration register of my mainboard's northbridge. In most circumstances the PCI device that occupies bus 0, device 0, function 0 is the host b
18. At the call to the BIOS decompression routine and the jump into the decompressed system BIOS:
Address    Hex       Mnemonic
F000:E3DC  E8 33 01  call Expand_BIOS           ; decompress BIOS code
F000:E3DF  EB 03     jmp short BIOS_chksum_OK   ; if checksum is good
F000:E3E1  BIOS_chksum_err:           ; CODE XREF: F000:E350
F000:E3E1  B8 00 10  mov ax, 1000h
F000:E3E4  BIOS_chksum_OK:
F000:E3E4  8E D8     mov ds, ax       ; ax = 5000H: setup source segment if checksum ok, or shadowing ...
                                      ; The source data segment is 5000H if the contents in this area is
                                      ; decompressed by routine Expand_Bios (original BIOS image) if checksum
                                      ; from it is good; ... and boot is good
F000:E3E6  assume ds:nothing
F000:E3E6  B0 C5     mov al, 0C5h
F000:E3E8  E6 80     out 80h, al      ; manufacturer's diagnostic checkpoint
F000:E3EA  E8 87 EB  call ...         ; Call Procedure (cache ...)
F000:E3ED  B0 00     mov al, 0
F000:E3EF  E8 C7 10  call ...         ; Call Procedure
F000:E3F2                             ; address F80DH is shadowed by ...; and other ...; if checksum is
19. Entering 16-bit protected mode and relocating the compressed original.tmp (CS value is from the previous memory_check_routine):
Address    Hex                       Mnemonic
           assume ds:...
           lgdt qword ptr GDTR_F000_E4F6
           mov eax, cr0
           or al, 1                   ; activate PMode
           mov cr0, eax
           jmp short $+2              ; clear the prefetch queue
           mov ax, 8                  ; 1st entry in GDT, loaded above
F000:E2BC  8E D8                     mov ds, ax   ; 1st entry in GDT, loaded above
F000:E2BE  assume ds:nothing
F000:E2BE  8E C0                     mov es, ax   ; 1st entry in GDT, loaded above
F000:E2C0                            ; E0000H ROM space: chipsets can not access onboard ROM (the space
                                     ; on ISA bus); change address to 0FFFE0000H space
F000:E2C0  66 BE 00 00 0E 00         mov esi, 0E0000h   ; addr of compressed original.tmp
F000:E2C6  67 66 81 7E 02 2D 6C 68 2D cmp dword ptr [esi+2], '-lh-'   ; LHA signature
F000:E2CF  74 07                     jz loc_E2D8
F000:E2D1  66 81 CE 00 00 F0 FF      or esi, 0FFF00000h   ; one is 0E0000H, the other is in ROM space
F000:E2D8  loc_E2D8:                 ; E0000h-2FFFFh ... end bootblock
F000:E2DE  66 BF 00 00 01 00         mov edi, 10000h
F000:E2E4  67 F3 66 A5               rep movs dword ptr es:[edi], dword ptr [esi]   ; Move Bytes from String to String
20. Bootblock, after the BIOS checksum decision:
F000:E3F2  EA 0D F8 00 F0  jmp far ptr F000_segment   ; jump to the decompressed system BIOS
                                      ; If the BIOS checksum is bad, segment 1000H is used for shadowing;
                                      ; the BIOS will shadow the bootblock (call Shadow_BIOS_code),
                                      ; mov al, 0 (clear uP cache), call Enable_uP_cache, and BIOS decides
                                      ; where to go from here. If the BIOS checksum is good, this decompressed
                                      ; code is original.bin; otherwise BootBlock_POST will be executed.
During execution of the Expand_BIOS routine, the compressed BIOS code (original.tmp) at 1000:0000h-2000:FFFFh in RAM is decompressed into E000:0000h-F000:FFFFh, also in RAM. Note that the problems due to address aliasing and DRAM shadowing are handled during the decompression by setting the appropriate chipset registers. Below is the basic rundown of what this routine accomplishes:
2. Enable FFF80000h-FFFDFFFFh decoding. Accesses to these addresses will be forwarded into the BIOS ROM chip by the PCI-to-ISA bridge (the PCI-to-ISA bridge ROM decode control register is in charge here). This is needed since my BIOS is 256KB and only 128KB of it has been copied into RAM, i.e. the original.tmp and bootblock, which is at 1000:0000h-2000:FFFFh by now.
3. Copy the lower 128KB of BIOS code fro
21. ...be directly forwarded to the BIOS ROM chip without being altered by the southbridge. Of course this read operation first passes through the northbridge, which applies the address aliasing scheme.
2. Very close to the beginning of bootblock execution, the routine Ct_Very_Early_Init is executed. This routine reprograms the PCI-to-ISA bridge in the southbridge to enable decoding of addresses E0000h-EFFFFh to ROM, i.e. forwarding read operations in this address space into the BIOS ROM chip. The northbridge power-on default values disable DRAM shadowing for this address space. Thus reads/writes to this address space will not be forwarded to DRAM.
3. Then comes the routine displayed above, which copied the last 128KB of BIOS ROM chip content (addresses E0000h-FFFFFh) into DRAM at 1000:0000h-2000:FFFFh and continues execution from there. This can be accomplished since this address space is mapped only to DRAM by the chipset (no special address translation).
4. From this point on, bootblock code execution is within segment 2000h in RAM. This fact holds true for all bootblock routines explained below. Note that the segment address shown in the bootblock routines below uses segment F000h. It should be segment 2000h, but I hadn't changed it. Pay attention to this.
22. sysbios_entry_point, continued (relocation of the decompressed components):
F000:EE1D  call init_DRAM_shadowRW    ; Call Procedure
F000:EE20  mov si, 5000h              ; ds = 5000h, look at copy_mem_word
F000:EE23  mov di, 0E000h             ; es = E000h, look at copy_mem_word
F000:EE26  mov cx, 8000h              ; copy 64KByte
F000:EE29  call copy_mem_word         ; copy E000h segment routine, i.e. copy 64Kbyte from 5000:0h to E000:0h
F000:EE2C  call j_init_DRAM_shadowR   ; Call Procedure
F000:EE2F  mov si, 4100h              ; ds = XGroup segment (decompressed), i.e. at this point 4100h
F000:EE32  mov di, 6000h              ; es = new XGroup segment
F000:EE35  mov cx, 8000h              ; copy 64KByte
F000:EE38  call copy_mem_word         ; copy XGroup segment, i.e. 64Kbyte from 4100:0h to 6000:0h
F000:EE3B  call Enter_UnrealMode      ; jump below in UnrealMode
F000:EE3E  Begin_in_UnrealMode:
F000:EE3E  mov ax, ds
F000:EE40  mov es, ax                 ; es = ds = 3rd entry in GDT, base_addr 0000 0000h, limit 4GB
F000:EE42  assume es:nothing
F000:EE42  mov esi, 80000h            ; mov esi, POST_Cmprssed_Temp_Seg shl 4; relocate lower 128KB bios code
F000:EE48  mov edi, 160000h
F000:EE4E  mov ecx, 8
23. Expand_Bios, the 128KB + 64KB checksum that's explained above:
F000:E519  mov bx, 8000h
F000:E51C  mov ds, bx                 ; 8000h contains compressed lower 128KB bios components (awdext etc.)
F000:E51E  assume ds:nothing
F000:E51E  xor si, si                 ; si = 0
F000:E520  next_seg8000h_byte:        ; CODE XREF: Expand_Bios+11, Expand_Bios+1F
F000:E520  lodsb                      ; Load
F000:E521  add ah, al                 ; calc 8-bit chksum, result placed at ah
F000:E523  loop next_seg8000h_byte    ; loop while cx != 0, i.e. 64 KByte
F000:E525  mov bx, ds                 ; bx = ds
F000:E527  cmp bh, 90h                ; 64 KByte chksum'ed?
F000:E52A  jnb _8000h_chksum_done     ; yes
F000:E52C  add bh, 10h                ; no, continue calc'ing in next segment;
                                      ; we're calc'ing 128KByte code chksum
F000:E52F  mov ds, bx
F000:E531  assume ds:nothing
F000:E531  jmp short next_seg8000h_byte   ; Jump
F000:E533  _8000h_chksum_done:        ; CODE XREF: Expand_Bios+18
F000:E533  mov bx, 1000h              ; 1st 64KB BIOS img (E000h seg) of compressed original.tmp
F000:E536  mov ds, bx                 ; ds = 1000h
F000:E538  assume ds:nothing
F000:E538  xor si, si                 ; si = 0000h
F000:E53A  cld                        ; Clear Direction Flag
F000:E53B  next_seg1000h_byte:        ; CODE XREF: Expand_Bios+2C, Expand_Bios+3B
F000:E53B  lodsb                      ; Load
24. LZH header of a BIOS component, continued:
Offset in compressed file | Offset in Real Header | Content
15h | 13h | Component filename (name) length in bytes
16h | 14h | Component filename, ASCII string
16h+filename_len - 17h+filename_len | 14h+filename_len - 15h+filename_len | File (component) CRC-16, little-endian word value, i.e. MSB at HeaderSize-2h and so forth
18h+filename_len | 16h+filename_len | Operating System ID. In my BIOS it's always 20h (ASCII space character), which doesn't resemble any LZH OS ID known to me
19h+filename_len - 1Ah+filename_len | 17h+filename_len - 18h+filename_len | Next header size. In my BIOS it's always 0000h, which means no extension header
Note: the leftmost offset is calculated from the beginning of the compressed component, and the content description uses addressing with respect to the 1st byte of the component. The offset in the Real Header is used within the scratch pad RAM explained below. Each component is terminated with an EOF byte, i.e. a 00h byte. In my BIOS there is a ReadHeader procedure which contains the routine to read and verify the content of this header. One of the key procedure calls there is a call into FreadCRC, which reads the BIOS compon
25. Extern_execute2, scanning the compressed components:
                                      ; ecx = 0000 0000h
F000:C065  push cx                    ; assume no award external code
F000:C066  Expand_ROM_loop:           ; CODE XREF: Extern_execute2+30
F000:C066  add bx, cx                 ; bx = next compressed component
F000:C068  jb Next_segment            ; Jump if Below (CF=1)
F000:C06A  test ecx, 0FFFF0000h       ; Logical Compare
F000:C071  jz expand_awdext           ; Jump if Zero (ZF=1)
F000:C073  Next_segment:              ; CODE XREF: Extern_execute2+D
F000:C073  mov cx, es
F000:C075  add cx, 1000h              ; Add
F000:C079  mov es, cx                 ; es = es + 1000h, next segment
F000:C07B  assume es:nothing
F000:C07B  jmp short Expand_ROM_Next  ; Jump
F000:C07D  expand_awdext:             ; CODE XREF: Extern_execute2+16
F000:C07D  cmp byte ptr es:[bx+12h], 41h   ; Is it award external code?
F000:C082  jnz not_awdext_rom         ; No, skip
F000:C084  pop ax                     ; restore flag
F000:C085  or al, 1                   ; set found flag
F000:C087  push ax                    ; store it to stack
F000:C088  not_awdext_rom:            ; CODE XREF: Extern_execute2+27
F000:C088  call BootBlock_Expand      ; on retn cx = total_comprssd_cmpne
26. init_ivect, continued:
E000:1837  mov es, bx
E000:1839  assume es:nothing
E000:1839  mov byte ptr es:[0DFFFh], 0CBh
E000:183F  mov si, 0
E000:1842  mov ds, si                 ; ds = 0000h
E000:1844  assume ds:nothing
E000:1844  mov si, 7000h
E000:1847  mov ax, [si+4]             ; ax = FFFFh; 0000:7004h filled before by Expand_Bios routine in bootblock
E000:184A  mov di, 0                  ; es = 0000h
E000:184D  mov es, di
E000:184F  assume es:nothing
E000:184F  mov di, 6000h
E000:1852  mov es:[di+4], ax          ; 0000:6004 = FFFFh
E000:1856  cmp ax, 0FFFFh             ; Compare Two Operands
E000:1859  jz signature_ok            ; Jump if Zero (ZF=1)
E000:185B  mov ax, [si]
E000:185D  mov es:[di+4], ax
E000:1861  mov ax, [si+2]
E000:1864  shr ax, 0Ch                ; Shift Logical Right
E000:1867  mov es:[di+6], ax
E000:186B  signature_ok:              ; CODE XREF: init_ivect+A1
E000:186B  call sub_E000_8510         ; Call Procedure
E000:186E  clc                        ; Clear Carry Flag
E000:186F  retn                       ; Return Near from Procedure
E000:186F  init_ivect endp
4. Next, the init_NNOPROM_BIN routine (this is just an example; other components will differ slightly), decompressed by the following code:
E000:71C1  init_NNOPROM_BIN proc near
E000:71CF  mov di, 0A0h
27. shadowed here by the bootblock in BIOS ROM chip 2000 5532h 2000 5FFFh NA This area contains only padding bytes This area contains the bootblock code It's part of the copy of the last 128KB of the BIOS previously BIOS component at E000 0000h 2000 6000h Pure binary F000 FFFFh in the BIOS ROM chip This 2000 FFFFh executable code is shadowed here by the bootblock in BIOS ROM chip This is where our code is currently executing the copy of the bootblock in segment 2000h This area contains the decompressed 4100 0000h Decompressed awardext rom Note that the decompression 4100 57C0h process is accomplished by part of the bootblock in segment 2000h This area contains the decompressed 5000 0000h Decompressed original tmp Note that the decompression 6000 FFFFh process is accomplished by part of the bootblock in segment 2000h 8000 0000h Compressed 9000 FFFFh E000 0000h Decompressed F000 FFFFh This area contains the copy of the first lower 128KB of the BIOS previously BIOS component at FFFC0000h FFFD0000h in the BIOS chip This code is shadowed here by the bootblock in segment 2000h This area contains a copy of the decompressed original tmp which is shadowed here by the bootblock in segment
28. still remain a standard for some time. I think I've read some of the specification of the HyperTransport bus; it's backward compatible with PCI. This means that the addressing scheme will remain the same, or at least only needs a minor modification. This also holds true for the Arapahoe. One thing I hate about this PCI stuff is that the standard is not an open standard, thus you gotta pay a lot to get the datasheets and whitepapers. This became my main reason for providing you with this sort of tute. First, the PCI bus is a bus which is 32 bits wide. This implies that communicating using this bus should be done in 32-bit mode, pretty logical isn't it? So writing to or reading from this bus will require a 32-bit variable. Second, this bus system is defined in ports CF8h-CFBh, which act as the address port, and ports CFCh-CFFh, which act as the data port. The role of both ports will be clear soon. Third, this bus system forces us to communicate with it using the following algorithm: 1. Send the address of the part of the device you're willing to read/write at first. Only after that will your access to send/receive data through the data port to/from the device be granted. 2. Send/receive the data to be read/written
29. that it'll be automatically associated with WinZip. Recognizing where we should cut to get the new file is pretty easy: just look for the lh5 string. Two bytes preceding the lh5 string is the beginning of the file, and the end of the file is always 00h, right before the next compressed file with the lh5 marker at its beginning, right before the padding bytes, or right before some kind of checksum. I present two examples below; the highlighted bytes are the beginning or the end of the compressed file. Compressed CPUCODE BIN file in my BIOS: Address Hex ASCII 00003AA0 4E61 19E6 9775 2B46 BA55 85F0 0024 382D 00003AB0 6C68 352D DC5C 0000 00A0 0000 0000 0140 lh5 00003AC0 2001 0B43 5055 434F 4445 2E42 494E BCAA CPUCODE BIN 00003AD0 2000 0038 3894 9700 52C4 A2CF F040 0000 00003AE0 4000 0000 0000 0000 0000 0000 0000 0000 000097A0 0E3C 8FA7 FFF4 FFFE 9FFF D3FF FFFB FF00 000097B0 24D9 2D6C 6835 2DFA 0D00 00A6 2100 0000 lh5 Compressed ORIGINAL TMP file in my BIOS: Address Hex ASCII 0001FFF0 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFE 00020000 251A 2D6C 6835 2D09 5501 0000 0002 0000 lh5 00020010 0000 5020
30. the Carry Flag (CF=1) if they encounter something wrong during their execution. Upon return from the POST procedure the Carry Flag will be tested; if it's set then RAM_POST_TESTS will immediately return, which will halt the machine and output sound from the system speaker. At the segment vector routine. Below is only an example of its usage; there are a lot of places where it's implemented. There are a couple of variations of this segment vector: some will jump from segment E000h to F000h, some will jump from segment F000h to E000h, some jump from E000h to 6000h (relocated decompressed awardext rom) and some jump from F000h to 6000h (relocated decompressed awardext rom). First variant, jump from segment E000h to F000h: Address Assembly Code E000 1553 Restore_WarmBoot_Flag proc near CODE XREF Restore_Boot_Flag E000 155A call F000_read_cmos_byte Call Procedure E000 156E Restore_WarmBoot_Flag endp Address Machine Code Assembly Code E000 6CA2 F000_read_cmos_byte proc near E000 6CA2 CODE XREF Restore_WarmBoot_Flag 7 E000 6CA2 sub_E000_1745 2 E000 6CA2 68 00 E0 push 0E000h E000 6CA
31. this article. If you follow this article from beginning to end, you'll absolutely be able to understand the BIG picture of how the Award BIOS works. I think all of the issues dissected here are enough to do any type of modification you wish to do with an Award BIOS. If you find any mistake(s) within this article, please contact me. Good luck with your BIOS reverse engineering journey; I hope you enjoy it as much as I do.
32. through the data port. As a note, as far as I know, every bus communication protocol implemented in chip design uses this algorithm to communicate with other chips. With the above definition, now I'll provide you with an x86 assembly code snippet that shows how to use those ports. No Mnemonic (masm syntax) Comment: 1 pushad save all the contents of the General Purpose Registers; 2 mov eax (PCI config address) put the address of the PCI chip register to be accessed in eax (offset 64h, device 00 00 00, or hostbridge); 3 mov dx 0CF8h put the address port in dx, since this is PCI we use CF8h as the port to open an access to the device; 4 out dx eax send the PCI address to the address port in the I/O space of the processor; 5 mov dx 0CFCh put the data port in dx, since this is PCI we use CFCh as the data port to communicate with the device; in eax dx put the data read from the device in eax; modify the data (this is only an example, don't try this on your machine, it may hang or even destroy your machine); out dx eax send it back; popad pop all the saved registers; 11 ret return. I think the code above is clear enough. In line one the current data in the processor's general purpose registers are saved
33. to get the compressed BIOS components. Some BIOS modification tools, i.e. CBROM (I'm using versions 2.08, 2.07 and 1.24) and MODBIN. There are two types of modbin: modbin6 for Award BIOS ver. 6 and modbin 4.50.xx for Award BIOS ver. 4.5xPGNM. We need these tools to look at the BIOS components much more easily. You can download them at www.biosmods.com in the download section. Some chipset datasheets. This depends on the mainboard BIOS binary that you're gonna dissect. Some datasheets are available at www.rom.by. I'm dissecting a VIA693A/596B mainboard; I have the datasheets at hand except for the southbridge, i.e. VIA596B, which is substituted by the VIA586B and 686A datasheets since the complete VIA596B datasheet is not available. Intel Software Developer Manual Volume 1, 2 and 3. These are needed since the BIOS sometimes uses exotic instructions. Also there are some system data structures that are hard to remember and need to be looked up, such as the GDT and IDT. OK, now we're armed. What we need to do next is to understand the basic stuff by using the hex editor before proceeding to the disassembling session. 5 Award BIOS File Structure. An Award BIOS file consists of several components. So
34. 0 7290 mov es 10h eax E000 7295 mov esi 9FF80h E000 729B add esi 0 Add E000 72A2 mov al 36h 6 E000 72A4 push cs E000 72A5 push 72B0h E000 72A8 push 0E4FDh read CMOS byte E000 72AB jmp far ptr goto_F000_seg Jump E000 72B0 E000 72B0 mov bl al E000 72B2 mov ax 0 E000 72B5 call near ptr init_nnoprom Call Procedure E000 72B8 pushf Push Flags Register onto the Stack E000 72B9 popf Pop Stack into Flags Register E000 72BA jb exit_proc Jump if Below CF 1 E000 72BC mov ax 0 E000 72BF mov ds ax E000 72C1 assume ds nothing E000 72C1 or byte ptr ds 4B7h 3 Logical Inclusive OR E000 72C6 E000 72C6 exit_proc CODE XREF init_NNOPROM_BIN 14 j E000 72C6 init_NNOPROM_BIN 36 j E000 72C6 popad Pop all General Registers use32 E000 72C8 pop es E000 72C9 assume es nothing E000 72C9 pop ds E000 72CA assume ds nothing E000 72CA retn Return Near from Procedure E000 72CA init_NNOPROM_BIN endp sp 6 E000 6E49 POST_decompress proc far CODE XREF
35. 0 7834 call Get_Exp_Src_Byte F000 7837 sub al dl 7 ExpSegment_lo_byte F000 7839 call Set_Exp_Src_Byte F000 783C dec bx s F000 783D xor al al r r L T r 1h 1h ax es mov ax 7 7789h addr of call 7789h i e Expand es 1000h Return Near from Code below is called from Bootblock_Expand and should return there when bx 12h get es bx 12h to restore bx value is extension at 1st al equ 50h at 2nd al equ 41h at all other The decompression jmp if not for goto decompress bx al restore bx segment 4000h jmp if no all extension CODE XREF Expand 9D dx bx al header_chksum al header_chksum header_chksum al restore bx al 00h F000 783F add bx 11h bx ExpSegment_lo_byte F000 7842 call Set_Exp_Src_Byte ExpSegment_lo_byte 00h ExpSegment 4000h F000 7845 sub bx 11h restore bx F000 7848 inc ax dx ExpSegment_lo_byte 1 F000 7849 shl ax 2 dx 4 ExpSegment_lo_byte 1 E000 784C add di Q gt da O00 a ds look above F00
36. 0 784E mov gs di bx 0000 di CmprssedCompnnt_offset_addr F000 7851 mov cx es cx ExpSegment F000 7853 mov gs di 2 cx 0000 di 2 ExpSegment F000 7857 call Get_Exp_Src_Byte al header_len F000 785A movzx ecx al ecx header_len F000 785E add bx 7 bx point to compressed file size F000 7861 call Get_Exp_Src_Dword eax compressed file size F000 7864 sub bx 7 restore bx F000 7867 add ecx eax ecx header_len compressed_file_size F000 786A add ecx 3 ecx total_compressed_component_size F000 786E pop gs restore gs F000 7870 assume gs nothing F000 7870 jmp exit_proc Jump F000 7873 F000 7873 Not_POST_USE CODE XREF Expand 90 Expand A5 F000 7873 pop gs restore gs value F000 7875 call MakeCRCTable initialize CRC 16 lookup table used later F000 7878 call ReadHeader read compressed component header into F000 7878 scratchpad RAM on error CF 1 F000 7878 bx preserved F000 787B jb exit_proc error something wrong CF 1 F000 787F mov ax ds 108h mov ax ExpSegment F000 7882 mov ds 104h ax mov TgtSegment ax F000 7885 mov ax ds 10Ah mov ax ExpOffset F000 7888 mov ds 106h ax mov TgtOffset ax F000 788B calculate compressed total size and return when decompress complete F000 788B mov ecx ds 310h mov ecx compsize compressed size F000 7890 xor eax eax eax 0000 0000h F000 7893 mov al ds 571Ch mov al headersize compressed header size F00
37. 0 7896 add ecx eax Add F000 7899 add ecx 3 add ecx COMPRESSED_UNKNOWN_BYTE F000 7899 ecx total compressed size F000 789D mov edx ds 314h mov edx origsize F000 78A2 push edx F000 78A4 push ecx save ecx total compressed component size F000 78A6 push bx bx 0000h F000 78A7 add bx 5 offset 5 lh0 or lh5 F000 78AA call Get_Exp_Src_Byte get compress or store type value F000 78AD pop bx bx 0000h 1st pass F000 78AE cmp al '0' is it lh0 first pass is no F000 78B0 jnz Not_Store No Jump first pass jump taken F000 78E1 Not_Store CODE XREF Expand 127 F000 78E1 push word ptr ds 104h push word ptr TgtSegment F000 78E5 push word ptr ds 106h push word ptr TgtOffset F000 78E9 push large dword ptr ds 314h push dword ptr origsize F000 78EE extract content from compressed file F000 78EE call Extract call LZH decompression routine F000 78F1 pop dword ptr ds 314h pop dword ptr origsize F000 78F6 pop word ptr ds 106h pop word ptr TgtOffset F000 78FA pop word ptr ds 104h pop word ptr T
38. 00 61E6 dw 23A5h init PIC_1 programmable Interrupt Ctlr E000 61E8 dw 23B6h Same as above E000 61EA dw 23F9h dummy E000 61EC dw 23FBh init PIC_2 E000 61EE dw 2478h dummy E000 61F0 dw 247Ah dummy E000 61F2 dw 247Ah E000 61F4 dw 247Ah E000 61F6 dw 247Ah E000 61F8 dw 247Ch this will call RAM POST tests again E000 61F8 for values below a k a ISA POST E000 61FA dw 0 E000 61FA END E000 POST TESTS TABLE E000 247C last_E000_POST proc near E000 247C cli Clear Interrupt Flag E000 247D mov word ptr bp 156h 0 E000 2483 mov cx 30h 0 E000 2486 mov di 61FCh addr contains 0000h E000 2489 E000 2489 repeat_RAM_POST_tests CODE XREF last_E000_POST 10 E000 2489 call RAM_POST_tests this call immediately returns E000 2489 since cs di 0000h E000 248C jb repeat_RAM_POST_tests jmp if CF 1 not taken E000 248E mov cx 30h 10 E000 2491 mov di 61FEh di contains 249Ch E000 2494 E000 2494 repeat_RAM_POST_tests_2 CODE XREF last_E000_POST 1B E000 2494 call RAM_POST_tests this call should never return if E000 2494 everything is ok E000 2497 jb repeat_RAM_POST_tests_2 Jump if Below CF 1 E000 2499 jmp Halt_System E000 2499 last_E000_POST endp E000 61FC ISA_POST_TESTS E000 61FC dw 0 E000 61FE dw 249Ch E000 6200 dw 26AFh E000 6202 dw 29DAh E000 6204 dw 2A54h dummy E000 6206 dw 2A54h E000 6208 dw 2A54h
39. 00 6F0A E000 6F0A E000 6F0A Is_New_Decomp_Method CODE XREF POST_decompress 68 E000 6F0A add ebx 0E0000h ebx 80000h E0000h 160000h E000 6F11 mov cx es ebx 11h cx ExpSegment changed to 4000h by bootblock E000 6F16 push cx save ExpSegment E000 6F17 push word ptr es ebx save chksum and hdr_len E000 6F1B test ah 80h SI available 1st pass no i e 00h E000 6F1E jz decompress 1st pass this jmp is taken E000 6F20 mov es ebx 11h dx E000 6F25 add cl ch Add E000 6F27 add dl dh Add E000 6F29 sub cl dh Integer Subtraction E000 6F2B sub es ebx 1 cl Integer Subtraction E000 6F30 E000 6F30 decompress CODE XREF POST_decompress AF E000 6F30 POST_decompress BF E000 6F30 ror ebx 10h Rotate Right E000 6F34 mov es bx es SrcSegment 16h i e 160000h_linear_addr E000 6F36 ror ebx 10h restore bx ebx 16xxxxh E000 6F36 1st pass xxxx compressed nnoprom offset E000 6F3A push cs Save current code segment E000 6F3B push 6F49h ret addr below E000 6F3E push 0DFFFh E000 6F41 mov dx 3000h E000 6F44 push 2000h E000 6F47 push di E000 6F48 retf jmp 2000 addr_of_Expand E000 6F48 goto decompression engine at seg_2000h E000 6F49 E000 6F49 push 0E000h E000 6F4C push 6F5Ah E000 6F4F push 0EC31h E000 6F52 push 0E3D4h A20_On E000 6F55 jmp far ptr F000_call jmp F000_A20_On E000 6F5A E000 6F5A call E000_enter_FlatPMode Call
40. 000h F000 EE54 cld Clear Direction Flag F000 EE55 rep movs dword ptr es edi dword ptr esi move F000 EE55 128k data to 160000h phy addr F000 EE59 call Leave_UnrealMode Call Procedure F000 EE59 End_in_UnrealMode F000 EE5C mov byte ptr bp 214h 0 mov byte ptr F000 EE5C POST_SPEED bp Normal_Boot F000 EE61 mov si 626Bh offset 626Bh E000h POST tests F000 EE64 push 0E000h segment E000h F000 EE67 push si next instruction offset 626Bh F000 EE68 retf Jmp to E000 626Bh F000 7440 Enter_UnrealMode proc near CODE XREF F000 EE3B F000 7440 mov ax cs F000 7442 mov ds ax ds cs F000 7444 assume ds F000 F000 7444 lgdt qword ptr GDTR_F000_5504 Load Global Descriptor Table Register F000 7449 mov eax cr0 F000 744C or al 1 Logical Inclusive OR F000 744E mov cr0 eax F000 7451 mov ax 10h F000 7454 mov ds ax ds 10h 3rd entry in GDT F000 7456 assume ds nothing F000 7456 mov ss ax ss 10h 3rd entry in GDT F000 7458 assume ss nothing F000 7458 retn Return Near from Procedure F000 7458 Enter_UnrealMode endp F000 5504 GDTR_F000_5504 dw 30h DATA XREF Enter_PMode 4 F000 5504 GDT limit 6 valid desc F000 5506 dd 0F550Ah GDT phy addr below F000 550A dq 0 null desc F000 5512 dq 9F0F0000FFFFh code desc 08h F000 5512 base_addr F0000h seg_limit 64KB code execute ReadOnly F000 5512
41. 010C 6F72 6967 696E 616C 2E74 original t 00020020 6D70 0CD9 2000 002D 7888 F0FD D624 A5BA mp 00035510 019E 6E67 BF11 8582 88D9 4E7C BEC8 C34C 00035520 401D 189F BDD0 A176 17F0 4383 1D73 BF99 00035530 00C9 FFFF FFFF FFFF FFFF FFFF FFFF FFFE 00035540 FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFE The pure binary components: 0 36000h 36C4Ah Memory sizing routine; this routine also initializes the Host Bridge and the CPU/RAM clock in my BIOS. 1 37000h 37D1Ch The decompression block; this routine contains the LZH decompression engine which decompresses the compressed BIOS components above. 2 3C000h 3CFE4h This area contains various routines: the lower 128KB BIOS address decode enabler, the default VGA initialization executed if the system BIOS is erratic, the Hostbridge initialization routine, etc. 3 3E000h 3FFFFh This area contains the Boot Block code. Note: in between some of the components lie padding bytes; some are FFh bytes and some are 00h bytes. The memory map in the real system (mainboard). We have to note that the memory map above is described as we see the BIOS binary in a hex editor. In the mainboard BIOS chip it's a bit different and more complex. It's mapped in my mainboard as follows (it may be a bit different from yours; consult your chipset documentation): 0 0000h 3FFFFh in the BIOS binary as displayed in the hex editor is mappe
42. 14h mov edx origsize F000 78A2 push edx F000 78A4 push ecx save ecx total compressed component size F000 78A6 push bx bx 0000h F000 78A7 add bx 5 offset 5 lh0 or lh5 F000 78AA call Get_Exp_Src_Byte get compress or store type value F000 78AD pop bx bx 0000h 1st pass F000 78AE cmp al '0' is it lh0 first pass is no F000 78B0 jnz Not_Store No jump first pass jump taken F000 78B2 push ds F000 78B3 push si F000 78B4 push bx F000 78B5 mov di ds 10Ah mov di ExpOffset F000 78B9 movzx ax byte ptr ds 571Ch movzx ax byte ptr headersize F000 78BE add ax 2 ax hdrsize 2 F000 78C1 add bx ax bx hdrsize 2 assuming bx is 0000h F000 78C3 mov cx ds 310h mov cx word ptr compressed_size_lo_word F000 78C7 mov ax ds 108h mov ax ExpSegment F000 78CA mov es ax es ExpSegment F000 78CC add cx 3 cx ceiling compressed_size_lo_word F000 78CF shr cx 2 transfer to dword unit cmprssd_size 4 F000 78D2 F000 78D2 Get_Store_Data_Loop CODE XREF Expand 151 F000 78D2 call Get_Exp_Src_Dword read dword from compressed file in RAM F000 78D5 add bx 4 point to next dword F000 78D8 stosd store in es di ExpSegment ExpOffset F000 78DA loop Get_Store_Data_Loop Loop while CX 0 F000 78DC F000 78DC pop bx bx offset_after_cmprssed_filename F000 78DD pop si F000 78DE pop ds F000 78DF jmp short Expand_Over Jump F000 78E1
43. 208 mov di 0A4h a E000 720B call near ptr POST_decompress Call Procedure E000 720E jb exit_proc Jump if Below CF 1 E000 7212 push ds E000 7213 push es E000 7214 push fs E000 7216 push gs E000 7218 call Update_Descriptor_Cache Call Procedure E000 721D xor esi esi esi 0000 0000h E000 7220 mov ds si ds 0000h E000 7222 assume ds nothing E000 7222 mov es si es 0000h E000 7224 assume es nothing E000 7224 push 4000h E000 7227 pop si si 4000h E000 7228 shl esi 4 esi 40000h E000 722C mov edi 100000h E000 7232 mov ecx ebx E000 7235 shr ecx 2 Shift Logical Right E000 7239 cld Clear Direction Flag E000 723A db 26h E000 723A rep movs dword ptr edi dword ptr esi Move Byte s from String to String E000 723F pop gs E000 7241 pop fs E000 7243 pop es E000 7244 assume es nothing E000 7244 pop ds E000 7245 assume ds nothing E000 7245 push 9FF8h E000 7248 pop es E000 7249 assume es nothing E000 7249 mov dword ptr es 0 100000h E000 7253 mov dword ptr es 4 40000h E000 725D xor eax eax Logical Exclusive OR E000 7260 mov ax 0E000h E000 7263 shl eax 4 Shift Logical Left E000 7267 add eax 7156h Add E000 726D mov es 8 eax E000 7272 mov ax 7 E000 7275 mov es 0Ch ax E000 7279 mov ax 7000h E000 727C mov es 0Eh ax E000 7280 xor eax eax Logical Exclusive OR E000 7283 mov ax 0E000h E000 7286 shl eax 4 Shift Logical Left E000 728A add eax 71AAh Add E00
44. 5 68 B3 6C push 6CB3h E000 6CA8 68 31 EC push 0EC31h E000 6CAB 68 FD E4 push 0E4FDh Read_CMOS_byte E000 6CAE EA 30 EC 00 F0 jmp far ptr F000_func_vector Jump E000 6CB3 E000 6CB3 C3 retn Return Near from Procedure E000 6CB3 F000_read_cmos_byte endp sp 8 F000 EC30 F000_func_vector CODE XREF sub_E000_1745 3C F000 EC30 reinit_CPU 12 F000 EC30 C3 retn jump to target function F000 EC31 F000 EC31 CB retf E000h segment vector F000 E4FD read_CMOS_byte proc near CODE XREF sub_F000_3CEE 1A F000 E4FD sub_F000_3CEE 2A F000 E4FD 87 DB xchg bx bx Exchange Register Memory with Register F000 E4FF 90 nop F000 E500 E6 70 out 70h al F000 E500 real time clock F000 E502 E3 00 jcxz 2 F000 E504 E3 00 jcxz 2 F000 E506 87 DB xchg bx bx Exchange Register Memory with Register F000 E508 E4 71 in al 71h F000 E50A E3 00 jcxz 2 F000 E50C E3 00 jcxz 2 F000 E50E C3 retn Return Near from Procedure F000 E50E read_CMOS_byte endp Second variant jump from segment E000h to 6000h Address Machine Code E000 171F chksum_ROM 2D E000 1737 0F E000 1738 68 43 17 E000
45. 89h F000 7809 mov word ptr gs di offset Expand F000 780E add bx 12h bx 12h F000 7811 call Get_Exp_Src_Byte get es bx 12h to AL ExpSegment hi byte F000 7814 sub bx 12h restore bx value first pass 0000h F000 7817 cmp al 40h is extension component F000 7817 at 1st al equ 50h original tmp F000 7817 at 2nd al equ 41h awdext rom F000 7817 at all other components al equ 40h F000 7817 The decompression caveat is here d00d F000 7819 jnz Not_POST_USE jmp if no for original tmp and awdext rom F000 7819 goto decompress otherwise no F000 781B add bx 11h bx ExpSegment_lo_byte index F000 781E call Get_Exp_Src_Byte al ExpSegment_lo_byte F000 7821 sub bx 11h restore bx F000 7824 or al al segment 4000h F000 7824 this is always 00h when Expand F000 7824 called from within original tmp F000 7826 jnz Record_to_buffer jmp if no F000 7826 all extension components jump here F000 7828 cmp dword ptr gs di 4 0 cmp dword 0000 6004 0 F000 7828 1st pass from original tmp F000 7828 0000 6004 FFFFh programmed by F000 7828 Expand_BIOS before jmp to original tmp F000 782E jnz Not_POST_USE jmp always taken from within original tmp F000 7830 F000 7830 Record_to_buffer F000 7830 F000 7833 inc movzx dx bx al CODE XREF Expand 9D dx ExpSegment_lo_byte bx header_chksum_index
46. E2E8 0F 20 C0 E2EB 24 FE 66 B9 00 80 00 00 buffer original tmp 0F 22 C0 EB 00 back to RealMode EA F7 E2 00 20 RAM E2F7 E2F7 33 C0 E2F9 8E D0 E2FB BC 00 10 1000h E2FE There are two locations to access and another is 0FFF M E0000H Some space at 0E0000H if any device also solve this problem we need to read BIOS contents at 0E0000H assume es nothing mov esi 0E0000h starting cmp dword ptr esi 2 5hl jz LHA_sign_OK Jump if Zero or esi 0FFF00000h esi mov entire BIOS i e original tmp from ROM at E0000h FFFFFh to RAM at LHA_sign_OK CODE XREF mov edi 10000h buffer at mov ecx 8000h copy 128 bootblock rep movs dword ptr es edi dword mov eax cr0 and al 0FEh clear PMode mov cr0 eax jmp short 2 jmp far ptr 2000h 0E2F7h Jump Setup temporary stack at 0 1000H at BIOS code last 128 Kbyt
47. 0 POST TESTS TABLE E000 61C2 dw 154Eh Restore boot flag E000 61C4 dw 156Fh Chk_Mem_Refrsh_Toggle E000 61C6 dw 1571h keyboard and its controller POST E000 61C8 dw 16D2h chksum ROM check EEPROM E000 61C8 on error generate spkr tone E000 61CA dw 1745h Check CMOS circuitry E000 61CC dw 178Ah chipset defaults initialization E000 61CE dw 1798h init CPU cache both Cyrix and Intel E000 61D0 dw 17B8h init interrupt vector also initialize E000 61D0 signatures used for Ext_BIOS components E000 61D0 decompression E000 61D2 dw 194Bh Init_mainboard_equipment & CPU microcode E000 61D2 chk ISA CMOS chksum E000 61D4 dw 1ABCh Check checksum Initialize keyboard controller E000 61D4 and set up all of the 40 area data E000 61D6 dw 1B08h Relocate extended BIOS code E000 61D6 init CPU MTRR PCI REGs Video BIOS E000 61D8 dw 1DC8h Video_Init including EPA proc E000 61DA dw 2342h E000 61DC dw 234Eh E000 61DE dw 2353h dummy E000 61E0 dw 2355h dummy E000 61E2 dw 2357h dummy E000 61E4 dw 2359h init Programmable Timer PIT E0
48. Procedure E000 6F5D mov ax ds E000 6F5F mov es ax es BaseAddr 0000 0000h limit 4GB E000 6F61 assume es nothing E000 6F61 call E000_Back_to_RealMode Call Procedure E000 6F64 mov eax ds 80000h E000 6F6B cmp eax ds 160000h 1st pass ds 80000h equ Not dx 160000h E000 6F73 jnz Is_New_Decomp 1st pass this jmp is taken E000 6F75 ror ebx 10h Rotate Right E000 6F79 mov es bx E000 6F7B assume es nothing E000 6F7B ror ebx 10h Rotate Right E000 6F7F pop word ptr es bx E000 6F82 pop word ptr es bx 11h E000 6F86 mov ebx es bx 0Bh E000 6F8B jmp short disable_A20 Jump E000 6F8D E000 6F8D E000 6F8D Is_New_Decomp CODE XREF POST_decompress 12A E000 6F8D pop word ptr es ebx restore original checksum E000 6F91 pop word ptr es ebx 11h restore original segment E000 6F96 mov ebx es ebx 0Bh get decompressed data size E000 6F9C E000 6F9C disable_A20 CODE XREF POST_decompress 142 E000 6F9C push 0E000h E000 6F9F push 6FADh E000 6FA2 push 0EC31h E000 6FA5 push 0E424h turn gate A20 off E000 6FA8 jmp far
49. S code due to the execution of some of its parts in ROM. I'll present some of my findings below. The call instruction is not available during BIOS code execution from within the BIOS ROM chip. This is because the call instruction manipulates the stack, while we don't have a writeable area in the BIOS ROM chip to be used for the stack. What I mean by manipulating the stack here is the implicit push which is executed by the call instruction to write (save) the return address on the stack. As we clearly know, the address pointed to by ss:sp at this point is in ROM, meaning we can't write into it. If you think, why not use the RAM altogether: the DRAM chip is not even available at this point. It hasn't been tested by the BIOS code, thus we don't yet know if RAM even exists. The peculiarity of the retn instruction: there is a macro called ROM_CALL, as follows: ROM_CALL MACRO RTN_NAME LOCAL RTN_ADD mov sp offset DGROUP RTN_ADD jmp RTN_NAME RTN_ADD dw DGROUP 2 ENDM. An example of this macro in action is as follows: Address Hex Mnemonic F000 6000 F000_6000_read_pci_byte proc near F000 6000 66 B8 00 00 00 80 mov eax 80000000h F000 6006 8B C1 mov ax cx copy offset addr to ax F000 6008 24 FC and al 0FCh mask it F000 600A BA F8 0C mov dx 0CF8h F000 600D 66 EF out dx eax F000 600F B2 FC mov dl 0FCh F000 6011 0A D1 or dl cl get the byte addr F000 6013 EC in al dx read the byte F000 6014 C3 retn Re
50. The CodeBreakers Journal Vol 1 No 2 2004 http://www.CodeBreakers-Journal.com Award BIOS Reverse Engineering Author Darmawan Mappatutu Salihun Abstract The purpose of this article is to clean up the mess and to be positioned as a handy reference for myself and the reader as we are going through the BIOS disassembling session. I'm not held responsible for the correctness of any explanation in this article; you have to cross-check what I wrote here with what you have in your hand. Note that what I explain here is based on Award BIOS version 4.51PGNM, which have You can check it against Award BIOS version 6.0PG or 6.0 to see if it's still valid. I'll be working on that version when I have enough time. As an addition, I suggest you read this article thoroughly from beginning to end to get the most out of it. Contents: Award BIOS Reverse Engineering 1; Author Darmawan Mappatutu Salihun 1; Contents 1; 1 Foreword 2; Prerequisite 3; 1.1 PCI Bus 3; 1.2 ISA Bus 6; 2 Some Hardware Peculiarities 6; 3 Some Software Peculiarities
51. conforming accessed granularity 1Byte 16 bit segment F000 5512 segment present code DPL 0 F000 551A dq 8F93000000FFFFh data desc 10h F000 551A base_addr 0000 0000h seg_limit 4GB data R W accessed F000 551A granularity 4KB 16 bit segment segment present F000 551A data DPL 0 F000 5522 dq 0FF0093FF0000FFFFh data desc 18h F000 5522 base_addr FFFF0000h seg_limit 64KB data R W accessed F000 5522 16 bit segment granularity 1 byte F000 5522 segment present data DPL 0 F000 552A dq 0FF0093FF8000FFFFh data desc 20h F000 552A base_addr FFFF8000h seg_limit F000 5532 dq 930F0000FFFFh F000 5532 base_addr F0000h seg_limit 64KB data F000 5532 byte Note: after the execution of the code above, the memory map mentioned in the Bootblock explanation above is partially overwritten, but this time only for the compressed BIOS extension, i.e. the lower 128KB of BIOS code, and the decompressed awardext rom. New Address Range Decompression State in RAM 6000 0000h 6000 57C0h Decompressed This is the relocated awardext rom 160000h 17FFFFh
52. d data descriptor F000 61B0 8E D8 mov ds ax ds data descriptor GDT 3rd entry F000 61BC B9 6B 00 mov cx 6Bh DRAM arbitration control F000 61BF BC C5 61 mov sp 61C5h F000 61C2 E9 3B FE jmp F000_6000_read_pci_byte Jump F000 61C5 C7 61 dw 61C7h F000 61C7 F000 61C7 0C 02 or al 2 enable VC DRAM As you can see, you have to take into account that the retn instruction is affected by the current value of the ss:sp register pair, but the ss register is not even loaded with the correct 16-bit protected mode value prior to using it. How does this code even work? The answer is a bit complicated. Let's look at the last time the ss register value was manipulated before the code above executed: Address Hex Mnemonic F000 E060 8C C8 mov ax cs F000 E062 8E D0 mov ss ax ss cs ss F000h a k a F_segment F000 E064 assume ss F000 Note: this routine is executed in real mode. As you can see, the ss register is loaded with F000h, the current BIOS code 16-bit segment in real mode. This code implies that the hidden descriptor cache register that exists for every selector (segment register) is loaded with ss*16, or F0000h, as the physical address value. And this value is retained
53. d into FFFC 0000h - FFFF FFFFh in my system's memory space. Due to my system's northbridge (as per its datasheet), address FFFF 0000h - FFFF FFFFh is just an alias to F 0000h - F FFFFh or, speaking in real mode lingo, F000:0000h - F000:FFFFh. Note that this mapping only applies just after power-on, since it's the chipset's power-on default value. It's not guaranteed to be valid after the chipset is reprogrammed by the BIOS itself. There are some other kludges, though, and they are really system dependent. You have to consult the Intel Software Developer Manual Volume 3 (System Programming) and your chipset datasheet.
1. Due to the explanation in (1), the pure binary BIOS components are mapped as follows (note: just after power-on):
BootBlock                    F000:E000h - F000:FFFFh
Decompression Block          F000:7000h - F000:7D1Ch
Early Memory Initialization  F000:6000h - F000:6C4Ah
2. The compressed BIOS components are mapped into system memory space after they are decompressed, in a different manner. They rely on the decompression block routine, but there are a few mappings that seem to remain the same across different BIOS files. These mappings are as per my BIOS. Yours may differ, but the segment address very possibl
54. ddress
At the call to the memory detection routine:
Address     Hex             Mnemonic
F000:E1D6   2E 8B 07        mov ax, cs:[bx]            ; checksum is OK; ax = cs:[bx]
F000:E1D9   25 00 F0        and ax, 0F000h             ; ax = 6000h
F000:E1DC   8B F0           mov si, ax                 ; si = 6000h
F000:E1DE   81 C6 FC 0F     add si, 0FFCh              ; si = 6FFCh (MEMORY_PRESENCE_OFFSET)
F000:E1E2   2E 8B 34        mov si, cs:[si]            ; si = 60B4h, pointer to the memory detection routine (F000:60B4)
F000:E1E5   BC EC E1        mov sp, 0E1ECh             ; pointer to the return address below
F000:E1E8   FF E6           jmp si                     ; execute memory detection
...
_delay:                                                ; CODE XREF
            loop _delay                                ; Loop while CX != 0
            jmp di                                     ; jump back to execute memory detection
This code gets executed before the bootblock is copied to RAM. In case the RAM is faulty, the system will halt and output an error code from the system speaker.
After the bootblock gets copied to RAM and executed there:
Address     Hex               Mnemonic
F000:E2AA   0F 01 16 F6 E4    lgdt fword ptr [0E4F6h]  ; Load Global Descriptor Table Register
F000:E2AF   0F 20 C0          mov eax, cr0
F000:E2B2   0C 01             or al, 1                 ; set the PMode flag
F000:E2B4   0F 22 C0          mov cr0, eax             ; enter 16-bit PMode
F000:E2B7   EB 00             jmp short $+2            ; flush the prefetch queue; the hidden descriptor cache is unchanged, the session continues in the same 16-bit segment
F000:E2B9                                              ; 16-bit PMode from here on
55. dress port (a.k.a. index port) and port 296h as its data port. The CMOS chip defines port 70h as its address port and port 71h as its data port.
2. Some Hardware Peculiarities
Due to its history, the x86 platform contains lots of hacks, especially in its BIOS. This is due to the backward compatibility that has to be maintained by any x86 system. In this section I'll try to explain a couple of things that I found during my BIOS disassembly journey that reveal these peculiarities. The most important chips responsible for the BIOS code handling are the southbridge and the northbridge. In this respect, the northbridge is responsible for the BIOS shadowing (handling accesses to RAM and BIOS ROM), while the southbridge is responsible for enabling the ROM decode control, which will forward (or not) the memory addresses to be accessed to the BIOS ROM chip. The special addresses shown below can reside either in the system DRAM or in the BIOS ROM chip, depending on the southbridge and northbridge register settings at the time the BIOS code is executed.
Physical Address            Used by
000E 0000h - 000F FFFFh     1 Mbit, 2 Mbit and 4 Mbit BIOSes
000C 0000h - 000D FFFFh     2 Mbit and 4 Mbit BIOSes
0008 0000h - 000B FFFFh     4 Mbit BIOSes
The addresses shown above contain the BIOS code and are pretty much system specific, so you have to consult your datasheets to understand them. Below is an example of the VIA 693A chipset system memory map.
56. e is still [...] except the bootblock and BootBlock_in_RAM:
            xor ax, ax                 ; ax = 0000h
            mov ss, ax                 ; ss = 0000h
            assume ss:nothing
            mov sp, 1000h              ; ss:sp = 0000:1000h
The last 128KB of BIOS code (E000:0000h - F000:FFFFh) gets copied to RAM as follows:
1. The northbridge power-on default values alias the F0000h - FFFFFh address space with FFFF 0000h - FFFF FFFFh, where the BIOS ROM chip address space is mapped. That's why the following code is safely executed:
Address     Hex               Mnemonic
F000:FFF0   EA 5B E0 00 F0    jmp far ptr entry_point  ; The northbridge is responsible for decoding the target address of this jump (F000:E05B) into the BIOS chip through address aliasing. So even if this is a far jump (read the Intel Software Developer Guide Vol. 3 for info), we are still in the BIOS chip, d00d.
VIA 693A: FFFF 0000h - FFFF FFFFh is the 000Fxxxxh alias. Also, the northbridge power-on default values disable DRAM shadowing for this address space; thus reads and writes to this address space will not be forwarded to DRAM. At the same time, there's no control register in the southbridge that controls the mapping of this address space. Hence I suspect that read operations to this address space will
57. ear Direction Flag
E000:6FF0   rep stos dword ptr es:[edi]                    ; clear 80000h - 8FFFFh
E000:6FF4   mov esi, 140000h
E000:6FFA   mov edi, 90000h
E000:7000   mov ecx, 4000h
E000:7006   cld                                            ; Clear Direction Flag
E000:7007   rep movs dword ptr es:[edi], dword ptr [esi]   ; Move Byte(s) from String to String
E000:700B
E000:700B Not_Old_Decomp_Method:                           ; CODE XREF: POST_decompress+195
E000:700B   push 0E000h
E000:700E   push 701Ch
E000:7011   push 0EC31h
E000:7014   push 0E424h                                    ; turn gate A20 off
E000:7017   jmp far ptr F000_call                          ; F000_CALL(A20_Off)
E000:701C
E000:701C   pop ebx
E000:701E   mov al, 0                                      ; mov al, FALSE
E000:7020   call F000_Cpu_Cache                            ; disable CPU cache
E000:7023   popf                                           ; Pop Stack into Flags Register
E000:7024   pop bp
E000:7025   pop es
E000:7026   assume es:nothing
E000:7026   pop ds
E000:7027   retn                                           ; Return Near from Procedure
E000:7027 POST_decompress endp                             ; sp = -18h
What I've explained above only applies exactly to nnoprom.bin in my BIOS, but it's very possible that this mechanism is still in use in other versions of the Award BIOS. After all of the explanation above, we only need to follow the POST jump table execution to be able to know which execution path is taken by the BIOS in which circumstances. Having done this, we'll be able to do what we please to our to-be-hacked Award BIOS.
What I've explained above is possibly far too premature to be ended here, but consider this article finished here as the Beta2 version of
58. edure execution
E000:16D2 chksum_ROM proc near
...
E000:16FF   74 1E    jz Check_F_Next                ; yes. This jump will return this routine to where it's called from
...
E000:171D   EB E6    jmp short spkr_endless_loop    ; Jump
E000:171D chksum_ROM endp

E000:171F Check_F_Next proc near                    ; CODE XREF: chksum_ROM+2D
...
E000:1743   F8       clc                            ; signal successful execution
E000:1744   C3       retn                           ; proceed to the next POST proc
E000:1744 Check_F_Next endp                         ; sp = -6
The original.tmp decompression routine for the Extension_BIOS components is one of the most confusing things to comprehend at first. But by understanding it, we virtually have nothing more to worry about in the BIOS code execution path. I suspect that the same technique as the one I'm going to explain here is used across the majority of Award BIOSes. The basic rundown of this routine is explained below.
1. The Expand_Bios procedure, called from the main bootblock code execution path, saves the needed signature to the predefined area in RAM, as shown below:
F000:E512 Expand_Bios
F000:E555   mov bx, 0
F000:E558   mov es, bx
F000:E55A   assume es:nothing
F000:E55A   mov word ptr es:[7004
59. eems to be a custom logo display procedure   F63Ah    14380h
original.tmp (the system BIOS)                     15509h   20000h    5000:0000h    Decompressed to RAM beginning at the address in column one
9. Note: the decompression addresses marked with a green background are treated in a different fashion, as follows. It's not the real decompression area of the corresponding component, as you can see from the explanation above; it's only some sort of placeholder for the real decompression area that's later handled by original.tmp. The conclusion is that only original.tmp and awardext.rom get decompressed by the ExpandBios routine in the Bootblock. If you want to verify this, try summing up the decompressed code sizes: they won't fit.
All of these components' decompressed segment addresses are changed to 4000h by the Expand procedure, as you can see in the routine at F000:7842h above. The 40xxh shown in their Starting Address for decompression is actually an ID that works as follows: 40 (the high byte) is an ID that marks it as an Extension BIOS to be decompressed later during original.tmp execution; xx is an ID that will be used during original.tmp execution to refer to the component to be decompressed. This will be explai
60. ength of the component. It depends on the file (component) name.
Offset from 1st byte   Offset in real header   Description
00h                    N/A                     (continued above) The header length.
01h                    N/A                     The header 8-bit checksum, not including the first 2 bytes (header length and header checksum byte).
02h - 06h              00h - 04h               LZH method ID, an ASCII string signature. In my BIOS it's "-lh5-", which means 8k sliding dictionary (max 256 bytes), static Huffman, improved encoding of position and trees.
07h - 0Ah              05h - 08h               Compressed file (component) size as a little-endian dword value, i.e. MSB at 0Ah and so forth.
0Bh - 0Eh              09h - 0Ch               Uncompressed file (component) size as a little-endian dword value, i.e. MSB at 0Eh and so forth.
0Fh - 10h              0Dh - 0Eh               Decompression offset address as a little-endian word value, i.e. MSB at 10h and so forth. The component will be decompressed into this offset address (real mode addressing is in effect here).
11h - 12h              0Fh - 10h               Decompression segment address as a little-endian word value, i.e. MSB at 12h and so forth. The component will be decompressed into this segment address (real mode addressing is in effect here).
13h                    11h                     File attribute. My BIOS components contain 20h here, which is normally found in LZH level 1 compressed files.
14h                    12h                     Level. My BIOS components contain 01h here, which means it's a LZH level 1
61. ent header into a scratch pad RAM area beginning at 3000:0000h (ds:0000h). This scratch pad area is filled with the real LZH header value, which doesn't include the first 2 bytes (header size and header 8-bit checksum) but includes the 3rd byte (offset 02h) up to offset HeaderSize + 02h.
The locations of the various checksums which are checked prior to and during the decompression process:
Location                      Calculation Method
original.tmp 8-bit checksum   This value is calculated after it's copied to RAM at segments 1000h and 2000h. The code is as follows:
Address     Assembly Code
F000:E307   ; BIOS checksum verify
F000:E307   ; Now the 128KB BIOS (0E0000h - 0FFFFFh) is in 10000h - 2FFFFh
F000:E307   mov ax, 1000h              ; point to the BIOS segment
F000:E30A   mov ds, ax                 ; segment of the BIOS
            assume ds:nothing
            mov bx, ds:9               ; high word of the compressed size: bx = 0001h
            mov cx, ds:7               ; low word of the compressed size: cx = 5509h
F000:E314   add cl, ds:0               ; add the header size byte: 25h + 09h = 2Eh
            adc ch, 0                  ; cx = 552Eh
F000:E31E   add cx, 3                  ; cx = 5531h, the remainder of the compressed original.tmp in seg_F000h (operand inferred from the values in the comments; the mnemonic is garbled in the scan)
F000:E321   adc bx, 0                  ; Add with Carry
F000:E324   jz below_or_equ_64Kb       ; if the compressed size is less tha
62. er the majority of the pure binary part. In reality, lots of the pure binary code is never executed at all, since it's very seldom that your system BIOS gets corrupted and the Bootblock POST (Power On Self Test) routine takes place.
6.1 Bootblock
From this point we can disassemble the bootblock routines. Now I'll present some of the obscure areas of the BIOS code in the disassembled bootblock. This is with respect to my BIOS; yours may vary, but it will be very similar.
At the Virtual Shutdown routine:
Address     Hex          Mnemonic
F000:E07F   BC 0B F8     mov sp, 0F80Bh               ; [sp] contains E103h, the memory presence test code
F000:E082   E9 7B 15     jmp Ct_Very_Early_Init       ; the return from this jump is redirected to F000:E103h
At the Reset PCI Bus routine:
Address     Hex          Mnemonic
F000:E1A0   BF A6 E1     mov di, 0E1A6h               ; the return addr of the jump below
F000:E1A3                jmp Reset_PCI_Bus            ; Jumperless_in_Decompress_Area: program the CPU clock pin (host clock) for a jumperless platform
Copyright 2004 and published by the CodeBreakers Journal. Single print or electronic copies for personal use only are permitted. Reproduction and distribution without permission is prohibited. The CodeBreakers Journal, Vol. 1, No. 2, 2004.
F000:7CDD Reset_PCI_Bus:                              ; CODE XREF: F000:E1A3 (the routine ends with jmp di, back to F000:E1A6)
F000:7CDD   ...
At the call to the memory detection routine: A
63. even when the machine is switched into 16-bit Protected Mode above, since the ss register is not reloaded. A snippet from the Intel Software Developer Manual Vol. 3 (also see 8.1.4, First Instruction Executed):
"The first instruction that is fetched and executed following a hardware reset is located at physical address FFFFFFF0H. This address is 16 bytes below the processor's uppermost physical address. The EPROM containing the software initialization code must be located at this address. The address FFFFFFF0H is beyond the 1-MByte addressable range of the processor while in real-address mode. The processor is initialized to this starting address as follows. The CS register has two parts: the visible segment selector part and the hidden base address part. In real-address mode, the base address is normally formed by shifting the 16-bit segment selector value 4 bits to the left to produce a 20-bit base address. However, during a hardware reset, the segment selector in the CS register is loaded with F000H and the base address is loaded with FFFF0000H. The starting address is thus formed by adding the base address to the value in the EIP register (that is, FFFF0000 + FFF0H = FFFFFFF0H). The first time the CS register is loaded with a new value after a hardware reset, the processor will follow the normal rule for address translation in real-address mode (that is, CS base address = CS segment selector * 16). To insure that the base address
64. gtSegment
F000:78FE Expand_Over:                         ; CODE XREF: Expand+156
F000:78FE   call ZeroFill_32K_mem              ; zero fill 32K in the segment pointed to by ds, i.e. clean up the scratch pad RAM
F000:7901   pop ecx                            ; ecx = total compressed size (restore ecx)
F000:7903   pop edx
F000:7905   clc                                ; decompression success
F000:7906 exit_proc:                           ; CODE XREF: Expand+E7, Expand+F2
F000:7906   pop es
F000:7907   pop bx
F000:7908   pop eax
F000:790A   retn                               ; Return Near from Procedure
F000:790A Expand endp
8. After looking at this exhaustive list of hints, we managed to construct the mapping of the decompressed BIOS components as described below:
Component      Compressed Size   Decompressed Size   Starting address of decompressed component in RAM   Decompression state by Bootblock                            Description
awardext.rom   3A85h             57C0h               4100:0000h                                          Decompressed to RAM beginning at the address in column one   this is a helper module for original.tmp
cpucode.bin    5CDCh             A000h               ...                                                 ...                                                         this is the CPU microcode
acpitbl.bin    DFAh              21A6h               4002:0008h                                          ...                                                         this is the ACPI table
iwillbmp.bmp   ...               ...                 ...                                                 ...                                                         this is the EPA logo
nnoprom.bin    A38h              FECh                ...                                                 ...                                                         explanation N/A
antivir.bin    1493h             2280h               ...                                                 ...                                                         this is the BIOS antivirus code
ROSUPD.bin     s
65. h es:[Temp_VGA_Off+4], 0ffffh
F000:E512 Expand_Bios proc near                ; CODE XREF: F000:E3DC
F000:E555   mov bx, 0                          ; mov bx, Temp_VGA_Seg
F000:E558   mov es, bx                         ; es = 0000h
F000:E55A   assume es:nothing
F000:E55A   mov word ptr es:[7004h], 0FFFFh    ; mov word ptr es:[Temp_VGA_Off+4], 0ffffh; later used for the other component (Ext BIOS) decompression
F000:E561   xor al, al                         ; clear the expand flag
F000:E563   mov bx, 1000h
F000:E566   mov es, bx                         ; es = 1000h, seg_E000h, i.e. SrcSegment
F000:E568   assume es:nothing
F000:E568   xor bx, bx                         ; bx = 0000h, SrcOffset
F000:E56A   call BootBlock_Expand              ; read the compressed original.tmp header and extract original.tmp to segment 5000h; on return ecx = total_component_cmprssd_size
...
F000:E5B8 Expand_Bios endp
2. The Expand procedure, called from the Bootblock_Expand procedure during Bootblock execution, modifies the header as needed and saves the result in a predefined area in RAM. The code is as follows:
F000:7789 Expand proc near
...
F000:77FF   push gs                            ; save gs
F000:7801   mov di, 0                          ; mov di, Temp_EXP_Seg
F000:7804   mov gs, di                         ; gs = Temp_Exp_Seg = 0000h
F000:7806   assume gs:nothing
F000:7806   mov di, 6000h                      ; mov di, Temp_EXP_Off
F000:7809   mov word ptr gs:[di], 7789h        ; [0000:6000h] = 77
66. Table 4: System Memory Map
Space   Start      Size       Address Range           Comment
DOS     0          640K       00000000 - 0009FFFF     Cacheable
VGA     640K       128K       000A0000 - 000BFFFF     Used for SMM
BIOS    768K       16K        000C0000 - 000C3FFF     Shadow Ctrl 1
BIOS    784K       16K        000C4000 - 000C7FFF     Shadow Ctrl 1
BIOS    800K       16K        000C8000 - 000CBFFF     Shadow Ctrl 1
BIOS    816K       16K        000CC000 - 000CFFFF     Shadow Ctrl 1
BIOS    832K       16K        000D0000 - 000D3FFF     Shadow Ctrl 2
BIOS    848K       16K        000D4000 - 000D7FFF     Shadow Ctrl 2
BIOS    864K       16K        000D8000 - 000DBFFF     Shadow Ctrl 2
BIOS    880K       16K        000DC000 - 000DFFFF     Shadow Ctrl 2
BIOS    896K       64K        000E0000 - 000EFFFF     Shadow Ctrl 3
BIOS    960K       64K        000F0000 - 000FFFFF     Shadow Ctrl 3
Sys     1MB        DRAM Top   00100000 - DRAM Top     Can have hole
Bus     DRAM Top   ...        DRAM Top - FFFEFFFF
Init    4G-64K     64K        FFFF0000 - FFFFFFFF     000Fxxxx alias
The most important thing to take into account here is the address aliasing. As you can see, the FFFF0000h - FFFFFFFFh address range is an alias into 000Fxxxxh; this is where the BIOS ROM chip address is mapped, at least on my mainboard (cross-check with yours). But we also have to consider that this only applies at the very beginning of the boot stage, just after reset. After the chipset is reprogrammed by the BIOS, this address range will be mapped into the system DRAM chips. We can consider this the Power-O
67. in the CS register remains unchanged until the EPROM-based software initialization code is completed, the code must not contain a far jump or far call or allow an interrupt to occur (which would cause the CS selector value to be changed)."
A snippet from DDJ (Doctor Dobb's Journal):
"At power-up the descriptor cache registers are loaded with fixed default values, the CPU is in real mode, and all segments are marked as read/write data segments, including the code segment (CS). According to Intel, each time the CPU loads a segment register in real mode, the base address is 16 times the segment value, while the access rights and size limit attributes are given fixed, real-mode-compatible values. This is not true. In fact, only the CS descriptor cache access rights get loaded with fixed values each time the segment register is loaded, and even then only when a far jump is encountered. Loading any other segment register in real mode does not change the access rights or the segment size limit attributes stored in the descriptor cache registers. For these segments, the access rights and segment size limit attributes are honored from any previous sett
68. ing (see Figure 3). Thus it is possible to have a four-gigabyte, read-only data segment in real mode on the 80386, but Intel will not acknowledge or support this mode of operation."
If you want to know more about the descriptor cache and how it works, you can search the web for articles about the descriptor cache or x86 unreal mode; the most comprehensive guides can be found in one of the Doctor Dobb's Journal articles and in the Intel Software Developer Manual Vol. 3, chapter 3 (Protected Mode Memory Management), section 3.4.2 (Segment Registers).
Back to our ss register. Now you know that the actor here is the descriptor cache register, especially its base address part. The visible part of ss is only a placeholder; the register in charge of the real address calculation (translation) is the hidden descriptor cache. Whatever you do to this descriptor cache will be in effect whenever a code, stack or data address is translated (calculated). In our case we have to use a stack segment with its base address at F 0000h (physical address) in 16-bit protected mode. This is not a problem, since the base address part of the ss descriptor cache register was already filled with F0000h in one of the code snippets above. This explains why the code above can be executed flawlessly. Another example:
Address     Hex          Mnemonic
F000:61BF   BC C5 61     mov sp, 61C5h
F000:61C2   E9 3B FE     jmp F000_6000_read_pci_byte    ; Jump
F000:61C5   C7 61        dw 61C7h
In this code we have t
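The descriptor cache behaviour described above, together with the GDT entries quoted earlier (the dq values at F000:551A onward) and the power-on aliasing of FFFF0000h, can be checked with a small model rather than by staring at listings. The C below is an added example written for this article, not code from the original page or from the Award BIOS: it decodes the 8-byte GDT descriptors exactly as the CPU does, keeps a visible selector plus a hidden cache for each segment register, and applies the two loading rules (real mode rewrites only the base; protected mode refills the whole cache from the GDT). The code descriptor at selector 08h is not legible on the page, so it is left null and never loaded; the retn_pop_address() walk-through reproduces the bootblock sequence (ss loaded with F000h in real mode at F000:E060, CR0.PE set, ds reloaded from the GDT, ss never reloaded, mov sp, 61C5h) and returns the linear address the retn pops from, which lands on the dw 61C7h at F000:61C5.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* A decoded 8-byte GDT descriptor. */
typedef struct {
    uint32_t base;
    uint32_t limit;          /* byte granular, inclusive */
    uint8_t  access;         /* P, DPL, S, type: 93h = present, DPL 0, data R/W, accessed */
    bool     granularity_4k; /* G bit */
    bool     default_32;     /* D/B bit; clear = 16-bit segment */
} gdt_desc;

gdt_desc decode_descriptor(uint64_t d)
{
    gdt_desc r;
    uint32_t limit = (uint32_t)(d & 0xFFFF) | ((uint32_t)((d >> 48) & 0xF) << 16);
    r.base = (uint32_t)((d >> 16) & 0xFFFF)
           | ((uint32_t)((d >> 32) & 0xFF) << 16)
           | ((uint32_t)((d >> 56) & 0xFF) << 24);
    r.access         = (uint8_t)(d >> 40);
    r.default_32     = (d >> 54) & 1;
    r.granularity_4k = (d >> 55) & 1;
    r.limit = r.granularity_4k ? (limit << 12) | 0xFFF : limit;
    return r;
}

/* A segment register: the visible selector plus the hidden descriptor cache
 * (base, limit, access) that every address translation really uses. */
typedef struct { uint16_t selector; gdt_desc cache; } segreg;

/* Reset values per SDM "First Instruction Executed": CS selector F000h with
 * base FFFF0000h; other segments base 0. Limits FFFFh, rights data R/W. */
void reset_segment(segreg *s, bool is_cs)
{
    s->selector = is_cs ? 0xF000 : 0;
    s->cache.base = is_cs ? 0xFFFF0000u : 0;
    s->cache.limit = 0xFFFF;
    s->cache.access = 0x93;
    s->cache.granularity_4k = false;
    s->cache.default_32 = false;
}

/* Real-mode load: only the cached base is rewritten (selector * 16); limit and
 * access rights keep whatever the cache held. This is the unreal-mode kludge. */
void load_real(segreg *s, uint16_t sel)
{
    s->selector = sel;
    s->cache.base = (uint32_t)sel << 4;
}

/* Protected-mode load: the whole cache is refilled from the GDT entry. */
bool load_protected(segreg *s, const uint64_t *gdt, size_t entries, uint16_t sel)
{
    size_t idx = sel >> 3;
    if (idx >= entries) return false;
    s->selector = sel;
    s->cache = decode_descriptor(gdt[idx]);
    return true;
}

/* seg:off -> linear using the cache only; false on a limit violation. Which
 * mode the CPU is in does not enter into it. */
bool linear_address(const segreg *s, uint32_t off, uint32_t *lin)
{
    if (off > s->cache.limit) return false;
    *lin = s->cache.base + off;
    return true;
}

/* Power-on decode on the author's northbridge: FFFF0000h-FFFFFFFFh is an alias
 * of 000F0000h-000FFFFFh, so both ranges reach the BIOS ROM chip. */
uint32_t power_on_alias(uint32_t phys)
{
    return phys >= 0xFFFF0000u ? (phys & 0x000FFFFFu) : phys;
}

/* The bootblock GDT entries quoted above. Entry 08h (the code descriptor) is
 * not legible on the page, so it is left null and never loaded here. */
static const uint64_t bootblock_gdt[6] = {
    0,                       /* 00h: null */
    0,                       /* 08h: code descriptor (not reproduced) */
    0x008F93000000FFFFull,   /* 10h: data, base 0, limit 4GB */
    0xFF0093FF0000FFFFull,   /* 18h: data, base FFFF0000h, limit 64KB */
    0xFF0093FF8000FFFFull,   /* 20h: data, base FFFF8000h, limit 64KB */
    0x0000930F0000FFFFull,   /* 28h: data, base F0000h, limit 64KB */
};

/* Replays the listings: ss loaded with F000h in real mode (F000:E060), then
 * 16-bit protected mode entered and ds reloaded from the GDT, but ss never
 * reloaded. Returns where the retn pops from after mov sp, 61C5h: F61C5h,
 * the location of the dw 61C7h return address. */
uint32_t retn_pop_address(void)
{
    segreg cs, ss, ds;
    reset_segment(&cs, true);
    reset_segment(&ss, false);
    reset_segment(&ds, false);
    load_real(&cs, 0xF000);                        /* far jump from the reset vector */
    load_real(&ss, 0xF000);                        /* mov ax, cs / mov ss, ax */
    load_protected(&ds, bootblock_gdt, 6, 0x10);   /* mov ds, ax after setting CR0.PE */
    uint32_t lin = 0;
    linear_address(&ss, 0x61C5, &lin);             /* ss cache base is still F0000h */
    return lin;
}
```

The model deliberately has no "mode" flag in linear_address(): that is the point the DDJ snippet makes. Translation only ever sees the cache, so a segment register that was last loaded in real mode keeps translating with base = selector * 16 (and its old limit) after CR0.PE is set, until something reloads it.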
69. l Award BIOS. Also remember to disable segment naming, so that we can see its real mode address in the system during its execution.
6. Disassembling the BIOS
Due to the Intel System Programming Guide mentioned before, we'll begin the disassembly session at address F000:FFF0h (note: look at the memory mapping above and adjust IDA Pro to suit it). You may ask: how the hell is this even possible? The Intel Software Developer Manual Vol. 3, PROCESSOR MANAGEMENT AND INITIALIZATION, First Instruction Executed, says: "The first instruction that is fetched and executed following a hardware reset is located at physical address FFFFFFF0H." The answer is (I repeat) that my northbridge chipset aliases the address range FFFF 0000h - FFFF FFFFh to 000Fxxxxh. Also note that the southbridge has no means to alter the translation of this address range; it just passes the addresses directly to the BIOS ROM chip. Hence there's no difference between address FFFF FFF0h and F FFF0h (or F000:FFF0 in real mode lingo) just after power-on or reset. It's that simple, heh. This is the BootBlock area; it always contains a far jump into the bootblock routine, mostly to F000:E05Bh. From this point we can continue the disassembly to cov
70. m F seg 5531
F000:E347   jnz BIOS_cksm_error            ; Jump if Not Zero (ZF = 0)
This is the 8-bit checksum of the decompression engine, which starts at F000:7000h (2000:7000h after being copied to RAM) in my BIOS. The code is as follows:
Address     Assembly Code
F000:E35E   ; Verify checksum of the decompression engine
F000:E35E   mov ds, ax                     ; ds = 2700h, i.e. 2000:7000h, the F000h segment in RAM
F000:E360   assume ds:nothing
F000:E360   xor ah, ah                     ; ah = 0
F000:E362   xor si, si                     ; si = 0
F000:E364   mov cx, 0FFFh                  ; 4095 bytes; right after the decompression engine, at the 4096th byte (the 4KB boundary, F000:7FFFh in my BIOS), is the checksum
F000:E367 chksum_loop:                     ; CODE XREF: F000:E36A
F000:E367   lodsb                          ; Load byte
F000:E368   add ah, al                     ; calc the 8-bit chksum
F000:E36A   loop chksum_loop               ; Loop while CX != 0
F000:E36C   cmp ah, [si]                   ; decomp engine chksum OK?
F000:E36E   jnz BIOS_cksm_error            ; jump
This is the 8-bit checksum of all of the compressed BIOS plus the 8-bit checksum of the decompression engine (not including its previously calculated checksum above). The code:
Address     Assembly Code
F000:E512   call Extern_execute1           ; copy the lower 128 KByte of BIOS code from ROM at FFFC 0000h - FFFD FFFFh to RAM at 8000:0000h - 9000:FFFFh
F000:E515   xor ah, ah                     ; ah = 00h
F000:E517   xor cx, cx                     ; cx = 1 byte before the decompression engine
71. m FFFC 0000h - FFFD FFFFh in the ROM chip into 8000:0000h - 9000:FFFFh in DRAM.
4. Disable FFF8 0000h - FFFD FFFFh decoding. Accesses to this address range will not be forwarded into the BIOS ROM chip by the PCI-to-ISA bridge.
5. Verify the checksum of the whole compressed BIOS image, i.e. calculate the 8-bit checksum of the copied compressed BIOS image in RAM (8000:0000h - 9000:FFFFh and 1000:0000h - 2000:7FFDh) and compare the result against the value stored at 2000:7FFEh. If the 8-bit checksum doesn't match, go to BIOS_chksum_err; else continue to the decompression routine.
6. Look for the decompression engine by looking for the "BBSS" string in segment 2000h, then execute the decompression routine for all of the compressed BIOS components.
7. Decompress the compressed BIOS components. Note that at this stage only original.tmp and its extension (i.e. awardext.rom; probably also awardeyt.rom, I haven't verified it) get decompressed. The other components are treated in a different fashion: the BootBlock_expand routine only processes their decompressed expansion area information, then puts it somewhere in RAM. We need some preliminary info before delving into this step, as follows.
The format of the LZH level 1 compressed BIOS components. The address ranges where these BIOS components will be located after decompression are contained within this format. The format is as follows (it applies to all compressed components):
Offset from 1st byte   Offset in real header   Description
                                               The header l
72. me of the components are LZH level 1 compressed. We can recognize them by looking at the "-lh5-" signature at the beginning of that component using a hex editor. Here's an example:
Address    Hex                                       ASCII
00000000   25F2 2D6C 6835 2D85 3A00 00C0 5700 0000   %.-lh5-.:...W...
00000010   0000 4120 010C 6177 6172 6465 7874 2E72   ..A ..awardext.r
00000020   6F6D DB74 2000 002C F88E FBDF DD23 49DB   om.t ..,.....#I.
Beside the compressed components, there are also some pure 16-bit x86 binary components. Award BIOS execution begins at these pure binary (uncompressed) components. We have to know the entry point to start our disassembly of this BIOS binary. We know that the execution of an x86 processor begins in 16-bit real mode at address F000:FFF0 (physical address FFFF FFF0) following a restart or power-up, as per the Intel Software Developer Manual Vol. 3 (System Programming). Based on our intuition, this address must contain 16-bit real mode x86 executable code. That's true. Below is the memory map of the Award BIOS binary that I have. It's a 2 Mbit (256 KB) BIOS image for an Iwill VD133 mainboard.
The compressed components:
1. 0000h - 3AACh    XGROUP.ROM (awardext.rom): this is an Award extension ROM. It contains routines that are called from the system BIOS, i.e. original.tmp.
2. 3AADh - 97AFh    CPUCODE.BIN: this is the microcode for the BIOS.
3. 97B0h - A5CFh    ACPITBL.BIN: the ACPI table.
4. A5D0h - A952h    Iwill.bmp: the BMP logo.
5. A953h - B3B1h    nnoprom.bi
73. n: I haven't figured out yet what this component's role is.
6. B3B2h - C86Ch    Antivir.bin: the BIOS boot sector antivirus.
7. C86Dh - 1BEDCh   ROSUPD.BIN: this is a custom BIOS component in my BIOS. It's used to display a customized boot logo and indicator.
8. 20000h - 35531h  original.tmp: this is the system BIOS. This component is located at this address in most Award BIOSes, but sometimes it's also located at the very beginning of the BIOS binary, i.e. 0000h.
Note: between the compressed ROSUPD.BIN and original.tmp there are padding FFh bytes. These padding bytes are also found after the compressed original.tmp and the pure binary BIOS components that will be explained below. An example of these padding bytes:
Address    Hex                                       ASCII
00037D00   2A42 4253 532A 0060 0070 0060 0060 00AD   *BBSS*.`.p.`.`..
00037D10   3377 4670 8977 ACCF C4CF 0100 00FF FFFF   3wFp.w..........
00037D20   FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF   ................
00037D30   FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF   ................
The compressed components can be extracted easily by copying and pasting them into a new binary file in Hex Workshop. Then decompress this new file by using LHA 2.55 or WinZip. If we are into using WinZip, give the new file an .lzh extension so
74. n 64Kb
F000:E326   mov bx, cx                     ; remainder in the next 64KB (seg_F000h)
F000:E328   xor cx, cx                     ; to sum up the 1st 64KB; cx = 0000h means 64KB
F000:E32A below_or_equ_64Kb:               ; CODE XREF: F000:E324
F000:E32A   xor si, si
F000:E32C   xor ah, ah                     ; initial 8-bit chksum
F000:E32E add_next_byte:                   ; CODE XREF: F000:E331, F000:E343
F000:E32E   lodsb
F000:E32F   add ah, al                     ; chksum result in ah
F000:E331   loop add_next_byte             ; until cx = 0, i.e. < 64KB summed
F000:E333   or bx, bx                      ; compressed BIOS bigger than 64KB?
F000:E335   jz look_for_BBSS_sign          ; no, less than 64KB
F000:E337   mov cx, bx                     ; compressed code size in the next 64KB
F000:E339   mov bx, ds                     ; 64KB segment address; at first ds = 1000h
F000:E33B   add bx, 1000h                  ; next 64KB
F000:E33F   mov ds, bx                     ; ds = ds + 1000h = 2000h, i.e. seg_F000h
F000:E341   assume ds:nothing
F000:E341   xor bx, bx                     ; mark the next 64KB; bx = 0000h
F000:E343   jmp short add_next_byte        ; continue summing up the checksum
F000:E345 look_for_BBSS_sign:              ; CODE XREF: F000:E335
F000:E345   cmp ah, [si]                   ; compare the calculated chksum with the chksum in the image (tail of the original.tmp BIOS image, chksum at 35531h)
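The header format table, the awardext.rom hex dump and the two checksum schemes above (the LZH header checksum over bytes 02h onward, and the block checksums where the 8-bit sum of a region must match the byte that follows it) are easiest to pin down by writing the parser and running it on the bytes the article shows. The C below is an added example written for this article, not code from the page or from Award: parse_award_header() validates and decodes one component header, classify_dest() applies the 41xxh/40xxh destination-segment convention (the byte 12h == 41h test from Extern_execute2 and the 40xx ID note), region_checksum_ok() is the block checksum rule, and scan_components() walks an image of back-to-back components. The awardext_hdr bytes are copied from the hex dump; the second component in build_sample_image() (a "cpucode.bin" header with destination 4001:0000h and a 10h-byte body) is constructed for the test, since the compressed payloads themselves are not on the page. The assumption that each component ends with a one-byte LZH end-of-archive marker comes from the component offsets listed above (27h header + 3A85h data + 1 = 3AADh, where CPUCODE.BIN starts).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Award LZH level-1 component header, field offsets as in the header table
 * above. Offsets 0Fh-12h carry the real-mode destination offset:segment where
 * a stock LZH level-1 header would keep the file timestamp. */
typedef struct {
    uint8_t  header_size;       /* 00h: bytes covered by the checksum, counted from 02h */
    uint8_t  header_checksum;   /* 01h: 8-bit sum of bytes 02h .. 01h+header_size */
    char     method[6];         /* 02h: "-lh5-" */
    uint32_t compressed_size;   /* 07h: little-endian dword */
    uint32_t uncompressed_size; /* 0Bh: little-endian dword */
    uint16_t dest_offset;       /* 0Fh: little-endian word, real-mode offset */
    uint16_t dest_segment;      /* 11h: little-endian word, real-mode segment */
    uint8_t  attribute;         /* 13h: 20h in the author's BIOS */
    uint8_t  level;             /* 14h: 01h = LZH level 1 */
    char     name[64];          /* 16h..: component name, length byte at 15h */
} award_hdr;

static uint8_t sum8(const uint8_t *p, size_t n) { uint8_t s = 0; while (n--) s += *p++; return s; }
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Returns the header length (2 + header_size), or 0 if the buffer is too short,
 * the method signature is not "-lh5-" or the 8-bit header checksum fails. */
size_t parse_award_header(const uint8_t *buf, size_t len, award_hdr *h)
{
    if (len < 2) return 0;
    size_t total = 2u + buf[0];
    if (total < 0x18 || total > len) return 0;           /* fixed fields, name length, CRC16 */
    if (memcmp(buf + 2, "-lh5-", 5) != 0) return 0;
    if (sum8(buf + 2, buf[0]) != buf[1]) return 0;       /* checksum excludes bytes 00h-01h */
    uint8_t nlen = buf[0x15];
    if (nlen >= sizeof h->name || 0x16u + nlen + 2 > total) return 0;
    memset(h, 0, sizeof *h);
    h->header_size = buf[0];
    h->header_checksum = buf[1];
    memcpy(h->method, buf + 2, 5);
    h->compressed_size   = le32(buf + 0x07);
    h->uncompressed_size = le32(buf + 0x0B);
    h->dest_offset  = le16(buf + 0x0F);
    h->dest_segment = le16(buf + 0x11);
    h->attribute = buf[0x13];
    h->level     = buf[0x14];
    memcpy(h->name, buf + 0x16, nlen);
    return total;
}

/* Meaning of the destination segment to the bootblock: byte 12h == 41h is the
 * "award external code" test in Extern_execute2; 40xxh marks an Extension BIOS
 * that original.tmp decompresses later (xx = its ID); anything else is a real
 * segment the bootblock decompresses to directly. */
enum dest_kind { DEST_DIRECT, DEST_AWARD_EXT, DEST_EXT_BIOS };
enum dest_kind classify_dest(uint16_t seg, uint8_t *id)
{
    *id = (uint8_t)seg;
    if ((seg >> 8) == 0x41) return DEST_AWARD_EXT;
    if ((seg >> 8) == 0x40) return DEST_EXT_BIOS;
    return DEST_DIRECT;
}

/* Block checksum as used on the decompression engine and the compressed image:
 * the 8-bit sum of all bytes but the last must equal the last byte. */
int region_checksum_ok(const uint8_t *p, size_t n)
{
    return n >= 2 && sum8(p, n - 1) == p[n - 1];
}

/* Walk back-to-back components: header + compressed data + the one-byte LZH
 * end-of-archive marker (assumption from the offsets above); FFh padding may
 * separate them. Stops at the first byte run that is not a valid header. */
size_t scan_components(const uint8_t *img, size_t len, award_hdr *out, size_t max)
{
    size_t pos = 0, n = 0;
    while (n < max) {
        while (pos < len && img[pos] == 0xFF) pos++;
        if (pos >= len) break;
        size_t hl = parse_award_header(img + pos, len - pos, &out[n]);
        if (hl == 0) break;
        size_t body = (size_t)out[n].compressed_size + 1;
        if (body > len - pos - hl) break;                /* truncated component */
        pos += hl + body;
        n++;
    }
    return n;
}

/* The awardext.rom header exactly as in the hex dump above (39 bytes). */
const uint8_t awardext_hdr[0x27] = {
    0x25,0xF2,0x2D,0x6C,0x68,0x35,0x2D,0x85,0x3A,0x00,0x00,0xC0,0x57,0x00,0x00,0x00,
    0x00,0x00,0x41,0x20,0x01,0x0C,'a','w','a','r','d','e','x','t','.','r','o','m',
    0xDB,0x74,0x20,0x00,0x00 };

/* Constructed test image: the real awardext.rom header over a zero-filled body
 * of its stated compressed size, FFh padding, then a made-up second component
 * (cpucode.bin, 4001:0000h) whose checksum is computed here. */
#define SAMPLE_LEN (0x27 + 0x3A85 + 1 + 0x10 + 0x26 + 0x10 + 1)
size_t build_sample_image(uint8_t *img)              /* img must hold SAMPLE_LEN bytes */
{
    memset(img, 0, SAMPLE_LEN);
    memcpy(img, awardext_hdr, sizeof awardext_hdr);
    size_t p = 0x27 + 0x3A85 + 1;
    memset(img + p, 0xFF, 0x10);
    uint8_t *h = img + p + 0x10;
    h[0] = 0x24;                                      /* 19h fixed bytes + 11-char name */
    memcpy(h + 2, "-lh5-", 5);
    h[0x07] = 0x10;                                   /* compressed size 10h (filler) */
    h[0x0B] = 0x20;                                   /* uncompressed size 20h */
    h[0x11] = 0x01; h[0x12] = 0x40;                   /* segment 4001h, offset 0 */
    h[0x13] = 0x20; h[0x14] = 0x01; h[0x15] = 11;
    memcpy(h + 0x16, "cpucode.bin", 11);              /* CRC16 and OS id left zero */
    h[1] = sum8(h + 2, h[0]);                         /* the header checksum rule */
    return SAMPLE_LEN;
}
```

Running parse_award_header() over the dump gives header length 27h, compressed size 3A85h, uncompressed size 57C0h and destination 4100:0000h, matching the component table, and the checksum byte F2h is the sum of the 37 bytes from offset 02h. A single-bit change anywhere in those bytes makes the parser reject the header, which is the same property the bootblock relies on before it trusts the size fields.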
75. n default values.
Some obscure hardware ports which are sometimes not documented in the chipset datasheets. Note that this info was found in the Intel ICH5 and VIA 586B datasheets:
I/O Port address   Purpose
92h                Fast A20 and Init Register
4D0h               Master PIC Edge/Level Triggered (R/W)
4D1h               Slave PIC Edge/Level Triggered (R/W)
Table 146. RTC I/O Registers (LPC I/F, D31:F0)
I/O Port Locations   If U128E bit = 0               Function
70h and 74h          Also alias to 72h and 76h      Real Time Clock (Standard RAM) Index Register
71h and 75h          Also alias to 73h and 77h      Real Time Clock (Standard RAM) Target Register
72h and 76h                                         Extended RAM Index Register (if enabled)
73h and 77h                                         Extended RAM Target Register (if enabled)
NOTES:
1. I/O locations 70h and 71h are the standard ISA location for the real time clock. The map for this bank is shown in Table 147. Locations 72h and 73h are for accessing the extended RAM. The extended RAM bank is also accessed using an indexed scheme. I/O address 72h is used as the address pointer and I/O address 73h is used as the data register. Index addresses above 127h are not valid. If the extended RAM is not needed, it may be disabled.
2. Software must preserve the
76. ned more thoroughly in the original.tmp explanation later. All of these components are decompressed during original.tmp execution. The decompression result is placed starting at address 4000:0000h, but not all at the same time. Some of it (maybe all, I'm not sure yet) is also relocated from that address to retain its contents after another component is decompressed there. More explanation on this is available in the original.tmp section below.
10. Shadow the BIOS code. Assuming that the decompression routine completed successfully, the routine above then copies the decompressed system BIOS (original.tmp) from 5000:0000h - 6000:FFFFh in RAM to E0000h - FFFFFh, also in RAM. This is accomplished as follows:
1. Reprogram the northbridge shadow RAM control register to enable write only into E0000h - FFFFFh, i.e. forward write operations into this address range to DRAM, not to the BIOS ROM chip anymore.
2. Perform a string copy operation to copy the decompressed system BIOS (original.tmp) from 5000:0000h - 6000:FFFFh to E0000h - FFFFFh.
3. Reprogram the northbridge shadow RAM control register to enable read only into E0000h - FFFFFh, i.e. forward read operations into this address range to DRAM, not to the BIOS ROM chip anymore. This also write-protects the system BIOS code.
11. Enable the microprocessor cache, then jump into the decompressed system BIOS. This step is the last step in the normal Bootblock code execution path. After enabling the processo
77. nnoprom.bin -> 4027h
E000 71CE                                   ; di = offset_nnoprom.bin = 6000h + A0h, A0h = 4h * (27h + 1h)
E000 71CE                                   ; i.e. 4 * (ExpSegment_lo_byte + 1)
E000 71CF                                   ; look at Expand proc in bootblock for info
E000 71D2    call near ptr POST_decompress  ; Call Procedure (CODE XREF: POST_13S)
E000 71D5    jb exit_proc                   ; jmp if CF=1; 1st pass CF=0
E000 71D9    push 4000h
E000 71DC    pop ds                         ; ds = 4000h
E000 71DD    assume ds:nothing
E000 71DD    xor si, si                     ; si = 0000h
E000 71DF    push 7000h
E000 71E2    pop es                         ; es = 7000h
E000 71E3    assume es:nothing
E000 71E3    xor di, di                     ; di = 0000h
E000 71E5    mov cx, 4000h
E000 71E8    cld                            ; Clear Direction Flag
E000 71E9    rep movsd                      ; move 64KB from seg_4000h to seg_7000h,
E000 71E9                                   ; i.e. relocate decompressed code
E000 71EC    mov di, 3
E000 71EF    cmp dword ptr es:[di], ONNS    ; match nnoprom.bin signature?
E000 71F7    jnz exit_proc                  ; Jump if Not Zero (ZF=0)
E000 71FB    push 9FF8h
E000 71FE    pop es                         ; es = 9FF8h
E000 71FF    assume es:nothing
E000 71FF    xor di, di                     ; di = 0000h
E000 7201    mov cx, 68h
E000 7204    xor al, al                     ; al = 0000h
E000 7206    rep stosb                      ; Store String
E000 7
78. nt_size
F000 C08B    jnb Expand_ROM_loop            ; Jump if Not Below (CF=0)
F000 C08D
F000 C08D    ; decompress secondary extra BIOS area (0D000h)
F000 C08D    mov bx, es
F000 C08F    add bx, 1000h                  ; Add
F000 C093    mov es, bx
F000 C095    assume es:nothing
F000 C095    xor bx, bx                     ; Logical Exclusive OR
F000 C097
F000 C097 Expand_ROM_Next:                  ; CODE XREF: Extern_execute2+20
F000 C097    xor cx, cx                     ; cx = 0000h
F000 C099
F000 C099 Expand_ROM_loop1:                 ; CODE XREF: Extern_execute2+4E
F000 C099    add bx, cx                     ; bx = compressed_component_1st_byte
F000 C09B    cmp byte ptr es:[bx+12h], 41h  ; Is award external code?
F000 C0A0    jnz CERF                       ; No, skip
F000 C0A2    pop ax                         ; restore flag
F000 C0A3    or al, 1                       ; set found flag
F000 C0A5    push ax                        ; store it to stack
F000 C0A6
F000 C0A6 Q F:                              ; CODE XREF: Extern_execute2+45
F000 C0A6    call BootBlock_Expand          ; Call Procedure
F000 C0A9    jnb Expand_ROM_loop1           ; Jump if Not Below (CF=0)
F000 C0AB    pop ax
F000 C0AC    or al, al                      ; has found?
F000 C0AE    retn                           ; Return Near from Procedure
F000 C0AE Extern_execute2 endp              ; check award external code
F000 E5B9 BootBlock_Expand proc near        ; CODE XREF: Extern_execute2+2D
F000 E5B9                                   ; Extern_execute2+4B
F000 E5B9    cmp dword ptr es
79. o make ss:sp point to F61C5h for the retn instruction to work. Indeed, we've done it, since ss contains F0000h (its descriptor cache base address part) and, as you can see, sp contains 61C5h; the physical address pointed to by ss:sp is F0000h + 61C5h, which is the F61C5h physical address.

4. Our Tools of Trade

You are only as good as your tools. Yeah, this also holds true here. To begin the journey we'll need a couple of tools, as follows:
1. IDA Pro disassembler. I'm using IDA Pro version 4.50. You can use your favourite interactive disassembler; I found IDA Pro is the most suitable for me. We need an interactive disassembler since the BIOS binary that we're going to disassemble is not trivial code. At some points of its execution it resides in ROM, hence no stack is available. It uses some sort of stack trick to do procedure/routine calling.
2. A good hex editor. I'm using HexWorkshop ver 3.0b. The most beneficial feature of this hex editor is its capability to calculate checksums for the selected range of the file that we open inside it.
3. LHA 2.55. It's needed if you want to modify the bios binary. Or you can use winzip or another compression/decompression program that can handle LZH/LHA files if you only want
80. ptr F000_call:F000_CALL_A20_Off
E000 6FAD
E000 6FAD    clc                            ; Clear Carry Flag
E000 6FAE    jmp short POST_decomp_Ret      ; Jump
E000 6FB0
E000 6FB0
E000 6FB0 Decomp_Data_Empty:                ; CODE XREF: POST_decompress+35
E000 6FB0                                   ; POST_decompress+3C
E000 6FB0    stc                            ; Set Carry Flag
E000 6FB1
E000 6FB1 POST_decomp_Ret:                  ; CODE XREF: POST_decompress+46
E000 6FB1                                   ; POST_decompress+165
E000 6FB1    pushf                          ; Push Flags Register onto the Stack
E000 6FB2    push ebx
E000 6FB4    push 0E000h
E000 6FB7    push 6FC5h
E000 6FBA    push 0EC31h
E000 6FBD    push 0E3D4h                    ; turn on a20 gate
E000 6FC0    jmp far ptr F000_call:F000_call_A20_On
E000 6FC5
E000 6FC5    call E000_enter_FlatPMode      ; Call Procedure
E000 6FC8    mov ax, ds
E000 6FCA    mov es, ax                     ; es = 4GB segment, base_addr 0000 0000h
E000 6FCC    assume es:nothing
E000 6FCC    call E000_Back_to_RealMode     ; Call Procedure
E000 6FCF    mov eax, ds:80000h
E000 6FD6    cmp eax, ds:160000h            ; Compare Two Operands
E000 6FDE    jnz Not_Old_Decomp_Method      ; 1st pass this jmp is taken
E000 6FE0    mov edi, 80000h
E000 6FE6    mov ecx, 4000h
E000 6FEC    xor eax, eax                   ; Logical Exclusive OR
E000 6FEE    cld                            ; Cl
81. r cache the code, then jump into the write-protected system BIOS (original.tmp) at F000:F80Dh in RAM, as seen in the code above. This jump destination address seems to be the same across different Award BIOSes.
- Now I'll present the memory map of the compressed and decompressed BIOS components just before the jump into the decompressed original.tmp is made. This is important since it will ease us in dissecting the decompressed original.tmp later. We have to note that by now all code execution happens in RAM; there is no more code execution from within the BIOS ROM chip.

Columns: Address Range in RAM / Decompression State / See Bootblock code / Description

Address Range in RAM: 0000:6000h - 0000:6xxxh
Decompression State: N/A
Description: This area contains the header of the extension components (components other than original.tmp and awardext.rom), fetched from the compressed BIOS at 8000:0000h - 9000:FFFFh (previously the BIOS component at FFFC0000h - FFFDFFFFh in the BIOS chip). Note that this is fetched here by part of the bootblock in segment 2000h.

Address Range in RAM: 1000:0000h - 2000:5531h
Decompression State: Compressed
Description: This area contains the compressed original.tmp. It's part of the copy of the last 128KB of the BIOS (previously the BIOS component at E000:0000h - F000:FFFFh in the BIOS chip). This code is
82.
F000 7834    call Get_Exp_Src_Byte
F000 7837    sub al, dl                     ; ExpSegment_lo_byte
F000 7839    call Set_Exp_Src_Byte
F000 783C    dec bx
F000 783D    xor al, al
F000 783F    add bx, 11h
F000 7842    call Set_Exp_Src_Byte          ; ExpSegment = 4000h
F000 7845    sub bx, 11h
F000 7848    inc dx
F000 7849    shl dx, 2
F000 784C    add di, dx                     ; (see above)
F000 784E    mov ost lail BDX               ; CmprssedCompnnt_offset_addr
F000 784E                                   ; Ext_BIOS
F000 7851    mov cx, es
F000 7853    mov gss di 2 2x
F000 7857    call Get_Exp_Src_Byte
F000 785A    movzx ecx, al
F000 785E    add bx, 7                      ; file size
F000 7861    call Get_Exp_Src_Dword         ; size
F000 7864    sub bx, 7
F000 7867    add ecx, eax                   ; compressed_file_siz
F000 786A    add ecx, 3                     ; total_compressed_component_size
F000 786E    pop gs
F000 7870    assume gs:nothing
F000 7870    jmp exit_proc
F000 7873 Not_POST_USE:
F000 7873    pop gs
F000 7875    call MakeCRCTable              ; table used later
F000 7878    call ReadHeader                ; header into
F000 7878                                   ; CF=1
F000 7878
F000 787B    jb exit_proc                   ; CF=1
F000 787F    mov ax, ds:108h
F000 7882    mov ds:104h, ax
F000 7885    mov ax, ds:10Ah
F000 7888    mov ds:106h, ax
F000 788B    ; calculate compressed to decompress complete
F000
83.
E000 6276 ; SUBROUTINE
E000 6276
E000 6276 RAM_POST_tests proc near          ; CODE XREF: last_E000_POST+D
E000 6276                                   ; last_E000_POST+18
E000 6276    mov al, cl                     ; GLS 3
E000 6278    out 80h, al                    ; manufacturer's diagnostic checkpoint
E000 627A    push 0F000h
E000 627D    pop fs                         ; fs = F000h
E000 627F
E000 627F ; This is the beginning of the call into E000 segment
E000 627F ; POST function table
E000 627F    assume fs:F000
E000 627F    mov ax, fs:[di]                ; in the beginning:
E000 627F                                   ; di = 61C2h, ax = fs:[di] = 154Eh
E000 627F                                   ; called from E000:2489 with di = 61FCh (dummy)
E000 6282    inc di                         ; Increment by 1
E000 6283    inc di                         ; di = di + 2
E000 6284    or ax, ax                      ; Logical Inclusive OR
E000 6286    jz RAM_post_return             ; RAM Post Error
E000 6288    push di                        ; save di
E000 6289    push cx                        ; save cx
E000 628A    call ax                        ; call 154Eh (relative call addr)
E000 628A                                   ; one of these calls
E000 628A                                   ; won't return in normal condition
E000 628C    pop cx                         ; restore all
E000 628D    pop di
E000 628E    jb RAM_post_return             ; Jump if Below (CF=1)
E000 6290    inc cx                         ; Increment by 1
E000 6291    jmp short RAM_POST_tests       ; Jump
E000 6293
E000 6293
E000 6293 RAM_post_return:                  ; CODE XREF: RAM_POST_tests+10
E000 6293                                   ; RAM_POST_tests+18
E000 6293    retn                           ; Return Near from Procedure
E000 6293 RAM_POST_tests endp
E000 61C2 E
84. ridge, but you'll need to consult your chipset datasheet to verify this. This stuff is pretty easy to understand, isn't it? The next routines are pretty easy to understand. But if you still feel confused, you'd better learn assembly language a bit, since I'm not here to teach you assembly. But in general they do the following jobs: reading the offset data, then modifying it, then writing it back to the device (if it is not better to say "tweaking it").

1.2 ISA BUS

AFAIK, the ISA bus is not a well-standardized bus. Thus any ISA device can reside virtually almost anywhere in the system's 16-bit I/O address space. My experience with the ISA bus is very limited. I've only played with two chips this time around: the first is the CMOS chip and the second one is my mainboard's hardware monitoring chip, i.e. the Winbond W83781D. Both chips use the same general algorithm as mentioned above in the PCI BUS, i.e.:
1. Send the address of the part of the device you're willing to read/write at first. Only after that will your access to send/receive data through the data port to/from the device be granted.
2. Send/receive the data to be read/written through the data port.
My hardware monitoring chip defines port 295h as its ad
85. ......... 9
4. Our Tools of Trade ......... 13
5. Award BIOS File Structure ......... 14
6. Disassembling the BIOS ......... 18
   6.1 Bootblock ......... 18
   6.2 System BIOS a.k.a. original.tmp ......... 37

1. Foreword

I would like to welcome you to the dark side of a working example of spaghetti code: the Award BIOS. This article is not an official guide to Award BIOS reverse engineering, nor is it compiled by an Award Corp insider. I'm just an ordinary curious person, really attracted to knowing how my computer's BIOS works, who made this article available to the public to share my findings and to look for feedback from others, since I'm sure I've made some obscure mistakes that I didn't realize during my reverse engineering process. There are several possibilities that make you read this article now: perhaps you are an old-time BIOS hacker, perhaps you are the kind of person who really loves system programming like me, or yo
86. s where the signatures are written into memory. For example, the nnoprom.bin component is defined with ID 4027h. This component's handling will arrive at Record_to_buffer, where its ID is processed. In this routine its index will be saved. The index is calculated as follows (also look at the code above): index = 4 * (lo_byte(ID) + 1). This index is used to calculate the address at which to save the information; in nnoprom.bin's case it is A0h (from 4 * (27h + 1)), so the address at which the information is saved begins at 60A0h. As you can see above, the info first saved is the component's offset address within the compressed Extension_BIOS components (saved to address 60A0h), then the expansion/decompression segment address (saved to 60A2h). This expansion/decompression segment address is always 4000h for all extension BIOS components, as you can see in the code above. The same process is carried out for all other extension BIOS components. I also have to note here that the source segment used for extension BIOS component decompression is 8000h; this is due to the fact that Record_to_buffer in the Expand routine above is only executed when called from the Extern_execute2 routine, as follows:

F000 C05B Extern_execute2 proc near        ; CODE XREF: Expand_Bios+9B
F000 C05B    mov bx, 8000h                  ; mov bx, Temp_Extra_BIOS_Addres
F000 C05E    mov es, bx                     ; es = 8000h
F000 C060    assume es:nothing
F000 C060    xor bx, bx                     ; bx = 0000h
F000 C062    xor ecx
87. turn Near from Procedure
F000 6014 F000_6000_read_pci_byte endp
F000 6043 18 00                   GDTR_F000_6043 dw 18h         ; GDTR: 3 valid desc entries
F000 6045 49 60 0F 00                            dd 0F6049h    ; GDT physical addr (below)
F000 6049 00 00 00 00 00 00 00 00                dq 0          ; null descriptor
F000 6051 FF FF 00 00 0F 9F 00 00                dq 9F0F0000FFFFh ; code descriptor
F000 6051                                                      ; base addr F 0000h, limit FFFFh, DPL 0
F000 6051                                                      ; exec/ReadOnly, conforming, accessed
F000 6051                                                      ; granularity byte, Present, 16-bit segment
F000 6059 FF FF 00 00 00 93 8F 00                dq 8F93000000FFFFh ; data descriptor
F000 6059                                                      ; base addr 00h, seg_limit F FFFFh, DPL 0
F000 6059                                                      ; Present, read/write, accessed
F000 6059                                                      ; granularity 4 KByte, 16-bit segment
F000 619B 0F 01 16 43 60          lgdt qword ptr GDTR_F000_6043 ; Load Global Descriptor Table Register
F000 61A0 0F 20 C0                mov eax, cr0
F000 61A3 0C 01                   or al, 1                      ; set PMode flag
F000 61A5 0F 22 C0                mov cr0, eax
F000 61A8 EA AD 61 08 00          jmp far ptr 8:61ADh           ; jmp below in 16-bit PMode, abs addr F 61ADh
F000 61A8                                                      ; code segment with base addr F 0000h
F000 61AD
F000 61AD B8 10 00                mov ax, 10h                   ; load ds with vali
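As an added example (not part of the paper's listing), here is a small C decoder for legacy x86 segment descriptors, applied to a constructed copy of the two GDT entries above (9F0F0000FFFFh and 8F93000000FFFFh) and to the far jump 8:61ADh; it recovers the base, limit, granularity and type bits the listing's comments describe, and applies the limit check that makes the 16-bit code segment stop at F0000h + FFFFh while the 4 KByte-granular data segment covers the whole 4GB.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded view of one 8-byte legacy x86 segment descriptor. */
typedef struct {
    uint32_t base;          /* 32-bit linear base address */
    uint32_t raw_limit;     /* 20-bit limit field as stored */
    uint32_t byte_limit;    /* effective limit in bytes after G scaling */
    bool present;           /* P bit */
    uint8_t dpl;            /* descriptor privilege level */
    bool is_code;           /* type bit 3: code (1) or data (0) */
    bool conf_or_expdown;   /* type bit 2: conforming (code) / expand-down (data) */
    bool rw;                /* type bit 1: readable (code) / writable (data) */
    bool accessed;          /* type bit 0 */
    bool page_granular;     /* G bit: limit counted in 4 KiB units */
    bool default_32;        /* D/B bit: 0 = 16-bit segment */
} seg_desc_t;

/* Split the raw quadword exactly as the CPU does when a selector is loaded. */
seg_desc_t decode_descriptor(uint64_t d)
{
    seg_desc_t s;
    uint8_t access = (uint8_t)(d >> 40);            /* P, DPL, S, type */
    uint8_t flags  = (uint8_t)((d >> 52) & 0xF);    /* G, D/B, L, AVL */
    s.raw_limit = (uint32_t)(d & 0xFFFF) | (uint32_t)((d >> 48) & 0xF) << 16;
    s.base = (uint32_t)((d >> 16) & 0xFFFF)
           | (uint32_t)((d >> 32) & 0xFF) << 16
           | (uint32_t)((d >> 56) & 0xFF) << 24;
    s.accessed        = access & 0x01;
    s.rw              = (access >> 1) & 1;
    s.conf_or_expdown = (access >> 2) & 1;
    s.is_code         = (access >> 3) & 1;
    s.dpl             = (access >> 5) & 3;
    s.present         = (access >> 7) & 1;
    s.default_32      = (flags >> 2) & 1;
    s.page_granular   = (flags >> 3) & 1;
    /* With G=1 the low 12 bits of the byte limit are treated as all ones. */
    s.byte_limit = s.page_granular ? (s.raw_limit << 12) | 0xFFF : s.raw_limit;
    return s;
}

/* Constructed copy of the three-entry GDT at F000:6049 from the listing above. */
static const uint64_t award_gdt[3] = {
    0x0000000000000000ULL,  /* null descriptor */
    0x00009F0F0000FFFFULL,  /* selector 08h: 16-bit code, base F0000h, limit FFFFh */
    0x00008F93000000FFFFULL /* selector 10h: data, base 0, G=1 -> 4 GiB flat */
};

/* Resolve a selector; the null selector and out-of-table indices are rejected. */
bool lookup_selector(uint16_t sel, seg_desc_t *out)
{
    uint16_t idx = sel >> 3;
    if (idx == 0 || idx >= sizeof award_gdt / sizeof award_gdt[0]) return false;
    *out = decode_descriptor(award_gdt[idx]);
    return true;
}

/* seg:off -> linear address, applying the limit check a #GP would enforce. */
bool seg_linear(const seg_desc_t *s, uint32_t off, uint32_t *lin)
{
    if (!s->present || off > s->byte_limit) return false;
    *lin = s->base + off;
    return true;
}

int main(void)
{
    seg_desc_t code; uint32_t lin;
    /* jmp far ptr 8:61ADh from the listing: selector 08h, offset 61ADh */
    if (lookup_selector(0x08, &code) && seg_linear(&code, 0x61AD, &lin))
        printf("8:61ADh -> base %05Xh, limit %04Xh, linear %05Xh\n",
               (unsigned)code.base, (unsigned)code.byte_limit, (unsigned)lin);
    return 0;
}
```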
88. u are just a curious person who likes to tinker. One thing is for sure: you'll get the most out of this article if you've done some BIOS hacking before and are looking forward to improving your skill. However, I've made a prerequisite section below to ensure you've armed yourself with the knowledge needed to get the most out of this article. You may be asking why anyone would need this guide; indeed, you need this guide if you find yourself unable to figure out how Award BIOS code works. In my experience, unless you are disassembling a working BIOS binary, you won't be able to comprehend it. Also, you have to have the majority, if not all, of your mainboard chips' datasheets. The most important one is the chipset datasheet. The purpose of this article is to clean up the mess and be positioned as a handy reference for myself and the reader as we go through the BIOS disassembling session. I'm not held responsible for the correctness of any explanation in this article; you have to cross-check what I wrote here against what you have in your hands. Note that what I explain here is based on Award BIOS version 4.51PGNM, which I have. You can check it against Award BIOS version 6.0PG or 6.0 to see if it's still valid. I'll be working on that version when I have enough time. In addition, I suggest you read this article thoroughly from beginning to end to get the most out of it.
89.
E000 620A    dw 2A54h
E000 620C    dw 2A54h
E000 620E    dw 2A54h
E000 6210    dw 2A56h                       ; dummy
E000 6212    dw 2A56h
E000 6214    dw 2A56h
E000 6216    dw 2A58h
E000 6218    dw 2A64h
E000 621A    dw 2B38h
E000 621C    dw 2B5Eh                       ; dummy
E000 621E    dw 2B60h                       ; dummy
E000 6220    dw 2B62h
E000 6222    dw 2BC8h                       ; HD init
E000 6224    dw 2BF0h                       ; game io port init
E000 6226    dw 2BF5h                       ; dummy
E000 6228    dw 2BF7h                       ; FPU error interrupt related
E000 622A    dw 2C53h                       ; dummy
E000 622C    dw 2C55h
E000 622E    dw 2C61h                       ; dummy
E000 6230    dw 2C61h
E000 6232    dw 2C61h
E000 6234    dw 2C61h
E000 6236    dw 2C61h
E000 6238    dw 2C61h
E000 623A    dw 2CA6h
E000 623C    dw 6294h                       ; set cursor characteristic
E000 623E    dw 62EAh
E000 6240    dw 6329h
E000 6242    dw 6384h
E000 6244    dw 64D6h                       ; dummy
E000 6246    dw 64D6h
E000 6248    dw 64D6h
E000 624A    dw 64D6h
E000 624C    dw 64D6h
E000 624E    dw 64D6h
E000 6250    dw 64D6h
E000 6252    dw 64D6h
E000 6254    dw 64D6h
E000 6256    dw 64D6h
E000 6258    dw 64D6h
E000 625A    dw 64D6h
E000 625C    dw 64D6h
E000 625E    dw 64D8h                       ; bootstrap
E000 6260    dw 66A1h
E000 6262    dw 673Ch
E000 6264    dw 6841h
E000 6266    dw 0
E000 6266 END_ISA_POST_TESTS                ; issues int 19h (bootstrap)

- The POST jump table procedures will set
90.

1. Prerequisite

First, I would like to thank the readers of the earlier beta version of this article, from whom I concluded that this part of the article should be included. I have to admit that BIOS is somehow state-of-the-art code that requires lots of low-level x86 knowledge that only matters to such a small audience as operating system developers, BIOS developers, driver writers, and possibly exploit and virus writers (yes, exploit and virus writers, coz they are curious people). Due to this fact there are a couple of things that I won't explain here, and it's your homework that you should do to comprehend this guide. They are:
- The most important thing is you have to be able to program in and understand x86 assembly language. If you don't know it, then you'd better start learning it. I'm using masm syntax throughout this article.
- Protected mode programming. You have to learn how to switch the x86 machine from real mode to protected mode. This means you need to learn preliminary x86 protected mode OS development. I've done it in the past; that's why I know it pretty well. You can go to www.osdever.net and other x86 operating system developer sites to get some tutorials to make yourself comfortable. The most important thing to master is how the protected mode data structures work, I mean how the Global Descriptor
91. value of bit 7 at I/O address 70h. When writing to this address, software must first read the value and then write the same value for bit 7 during the sequential address write. Note that port 70h is not directly readable. The only way to read this register is through Alt Access mode. If the NMI enable is not changed during normal operation, software can alternatively read this bit once and then retain the value for all subsequent writes to port 70h. The RTC contains two sets of indexed registers that are accessed using the two separate Index and Target registers (70/71h or 72/73h), as shown in Table 147.

Table 147. RTC (Standard) RAM Bank (LPC I/F - D31:F0)
Index      Name
00h        Seconds
01h        Seconds Alarm
02h        Minutes
03h        Minutes Alarm
04h        Hours
05h        Hours Alarm
06h        Day of Week
07h        Day of Month
08h        Month
09h        Year
0Ah        Register A
0Bh        Register B
0Ch        Register C
0Dh        Register D
0Eh-7Fh    114 Bytes of User RAM

There are a couple more things to take into account, such as the Video BIOS and other expansion ROM handling. I'll try to cover this stuff next time, when I have finished dissecting the BIOS code that handles it.

3. Some Software Peculiarities

There are a couple of tricky areas in the BIO
92. y the same
original.tmp a.k.a. System BIOS: E000:0000h-F000:5531h
awardext.rom a.k.a. Award extension ROM: 4100:0000h-4100:xxxxh. Later relocated to 6000:0000h-6000:xxxxh by original.tmp before it's executed.

We have to be aware of this mapping during our journey. Note: it's very easy to get lost due to the sheer complexity of the BIOS binary's address mapping into the real system. But there are some guidelines that will ease our effort during our disassembly session using IDA Pro, as follows:
- Begin the disassembly session with the pure binary components. I just copy my BIOS file at 36000h-3FFFFh to get these components and paste it into a new binary file to be disassembled. We need these components to reside in one file since they are inter-related to each other. Then I disassemble this new file by setting its address mapping in IDA Pro to F000:6000h-F000:FFFFh and disabling segment naming, so that I can see its real mode address in the system during its execution.
- Decompress the system bios (original.tmp) somewhere; you'll find that its size is 128KB. Then disassemble it by setting its address mapping in IDA Pro to E000:0000h-F000:FFFFh. The address mapping should be like that since this compressed bios component is decompressed by the decompression block somewhere in memory and then relocated into this address range before it's jumped into by the bootblock code and gets executed. AFAIK this mapping applies to al