wParam wrote: I have a few ideas of what to look for based on the chipset datasheets, but I need to see the code the bios uses to do it, because I definitely do not want to go around asserting random GPIO wires on the south bridge or the i/o controller chip. Detailed hardware specs have proven all but impossible to find, and I really don't want to take this thing apart to try to follow the traces.
The problem is that I can't figure out how (if at all) to get useful disassembly. This is a phoenix bios, I downloaded the phoenix editor tool and extracted all of the little bits from it, but I can't get the disassembler to output anything useful. I'm trying IDA 4.1, freeware version, but it will only do a few lines at a time and then quit. (I don't know how to force it to keep going when it encounters bytes it can't understand.)
IDA Pro is a very capable disassembler; you have to get accustomed to it. Use IDA scripts for BIOS disassembly, since the BIOS is "self-modifying" code. It relocates and decompresses part of itself during execution. I recommend using IDA Pro 4.3 freeware edition. You can download it here.
Note that BIOS files with the *.rom extension are disassembled as z80 binaries by default by IDA Pro. But the freeware version doesn't come with this processor module, so you can't just click OK, since IDA Pro will quit. To circumvent this, one has to be able to select his own preferred processor module. To do so, open the ida.cfg file in the IDA Pro installation folder (after installing IDA Pro) with a text editor (Notepad is enough), then delete the default processor for *.rom files. The following lines are the result after such a change has been done in the ida.cfg file:
Code:
DEFAULT_PROCESSOR = {
/* Extension Processor */
"com" : "8086" // IDA will try the specified
"exe" : "" // extensions if no extension is
"dll" : "" // given.
"drv" : ""
"sys" : ""
"bin" : "" // Empty processor means the default processor
"ovl" : ""
"ovr" : ""
"ov?" : ""
"nlm" : ""
"lan" : ""
"dsk" : ""
"obj" : ""
"prc" : "68000" // PalmPilot programs
"axf" : "arm710a"
"h68" : "68000" // MC68000 for *.H68 files
"i51" : "8051" // i8051 for *.I51 files
"sav" : "pdp11" // PDP-11 for *.SAV files
"rom" : "" // default processor for *.ROM files <<=================== This is where the change is done
"cla*": "java"
"s19": "6811"
"o": ""
"*": "" // Default processor
}
Note that I have deleted the default processor for *.rom files. This way, you'll be able to choose the processor of interest when opening the file in IDA Pro. Of course we will choose an x86 variant.

My conclusions about IDA Pro are as follows:
1. It provides an "interface" to its internal functionality through its scripting facility, which is "exported" to the user through the idc.idc file.
2. Anything that can be done with its user interface can also be achieved by using IDC scripts.
Further IDA Pro resources are available at:
The IDA Palace

wParam wrote: Has anyone ever tried to disassemble the .ROM files that the phoenix bios editor spits out? Or, just in general disassemble a phoenix bios into x86 code? Can anyone recommend a disassembler (and maybe give some pointers on how to get useful output?) Any input would be much appreciated.
Many thanks,
-b
In many ways, Phoenix BIOS is very similar to Award BIOS. After both companies merged, they share the same code base.
As for a BIOS reverse engineering article, you can find the one that I wrote last year:
Pinczakko's Guide to Award BIOS Reverse Engineering
greetz,
a.k.a Pinczakko
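
Added example, not part of the original post and not IDA's own tooling: a small Python helper that makes the ida.cfg edit described above, emptying the processor for one extension inside the DEFAULT_PROCESSOR block only and keeping the trailing comment. The function name and the sample text (including its "z80" entry) are constructed for illustration.

```python
import re

# Constructed sample: a shortened DEFAULT_PROCESSOR block in the layout shown in the post.
SAMPLE_CFG = '''\
SOME_OPTION = YES
DEFAULT_PROCESSOR = {
/* Extension Processor */
  "com" : "8086"   // IDA will try the specified
  "bin" : ""       // Empty processor means the default processor
  "rom" : "z80"    // Z80 for *.ROM files
  "*"   : ""       // Default processor
}
"rom" : "z80"      // outside the block, must stay untouched
'''

# One entry line: "ext" : "processor" followed by an optional comment.
ENTRY = re.compile(r'^(\s*"(?P<ext>[^"]+)"\s*:\s*)"(?P<proc>[^"]*)"(?P<rest>.*)$')

def clear_default_processor(cfg_text, ext):
    """Return (new_text, old_processor) with the processor for `ext` emptied.

    Only lines inside the DEFAULT_PROCESSOR = { ... } block are considered.
    Raises KeyError if the block has no entry for `ext` (hypothetical helper).
    """
    out, in_block, old = [], False, None
    for line in cfg_text.splitlines(keepends=True):
        stripped = line.strip()
        if not in_block and re.match(r'DEFAULT_PROCESSOR\s*=\s*\{', stripped):
            in_block = True
        elif in_block and stripped.startswith('}'):
            in_block = False
        elif in_block:
            body = line.rstrip('\r\n')
            m = ENTRY.match(body)
            if m and old is None and m.group('ext').lower() == ext.lower():
                old = m.group('proc')
                # Keep the prefix, the comment and the original line ending.
                line = m.group(1) + '""' + m.group('rest') + line[len(body):]
        out.append(line)
    if old is None:
        raise KeyError(f'no DEFAULT_PROCESSOR entry for extension {ext!r}')
    return ''.join(out), old

if __name__ == '__main__':
    patched, previous = clear_default_processor(SAMPLE_CFG, 'rom')
    print(f'previous processor for *.rom: {previous!r}')
    print(patched)
```

Run it on a copy of ida.cfg and keep the original as a backup before writing the result back.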