Bios reverse engineering

Only for programmers and BIOS gurus with technical questions.
wParam
Posts: 1
Joined: Sun Jun 26, 2005 8:34 am

I recently bought a laptop (Clevo D900T) with a nifty display on the front. It's supposed to just be used for playing CDs while the computer is off, but the BIOS has a setting which will allow it to be used to display the current time. I want to be able to interface with and control this display.

Logically, if the BIOS can set the displayed time/turn the thing on at boot then there should be a way to do it while the system is up. I just need to figure out how to interface with it. To do this I want to disassemble the BIOS and read it to see what it's doing. I have a few ideas of what to look for based on the chipset datasheets, but I need to see the code the BIOS uses to do it, because I definitely do not want to go around asserting random GPIO wires on the south bridge or the I/O controller chip. Detailed hardware specs have proven all but impossible to find, and I really don't want to take this thing apart to try to follow the traces.

The problem is that I can't figure out how (if at all) to get useful disassembly. This is a Phoenix BIOS. I downloaded the Phoenix editor tool and extracted all of the little bits from it, but I can't get the disassembler to output anything useful. I'm trying IDA 4.1, freeware version, but it will only do a few lines at a time and then quit. (I don't know how to force it to keep going when it encounters bytes it can't understand.)

Has anyone ever tried to disassemble the .ROM files that the Phoenix BIOS editor spits out? Or, just in general, disassemble a Phoenix BIOS into x86 code? Can anyone recommend a disassembler (and maybe give some pointers on how to get useful output)? Any input would be much appreciated.

Many thanks,
-b
maman
Master Flasher
Posts: 173
Joined: Sun Mar 31, 2002 2:08 pm
Location: Taka Bonerate National Park, Indonesia

wParam wrote: I have a few ideas of what to look for based on the chipset datasheets, but I need to see the code the BIOS uses to do it, because I definitely do not want to go around asserting random GPIO wires on the south bridge or the I/O controller chip. Detailed hardware specs have proven all but impossible to find, and I really don't want to take this thing apart to try to follow the traces.

The problem is that I can't figure out how (if at all) to get useful disassembly. This is a Phoenix BIOS. I downloaded the Phoenix editor tool and extracted all of the little bits from it, but I can't get the disassembler to output anything useful. I'm trying IDA 4.1, freeware version, but it will only do a few lines at a time and then quit. (I don't know how to force it to keep going when it encounters bytes it can't understand.)

IDA Pro is a very capable disassembler; you have to get accustomed to it. Use IDA scripts for BIOS disassembly, since the BIOS is "self-modifying" code. It relocates and decompresses part of itself during execution. I recommend using the IDA Pro 4.3 freeware edition. You can download it here.

Note that BIOS files with a *.rom extension are disassembled as Z80 binaries by default by IDA Pro. But the freeware version doesn't come with this processor module, so you can't just click OK, since IDA Pro will quit. To circumvent this, one has to be able to select one's own preferred processor module. To do so, open the ida.cfg file in the IDA Pro installation folder (after installing IDA Pro) with a text editor (Notepad is enough), then delete the default processor for *.rom files. The following lines are the result after such a change has been made in the ida.cfg file:


DEFAULT_PROCESSOR = {
/* Extension    Processor */
  "com" :       "8086"                  // IDA will try the specified
  "exe" :       ""                      // extensions if no extension is
  "dll" :       ""                      // given.
  "drv" :       ""
  "sys" :       ""
  "bin" :       ""                      // Empty processor means the default processor
  "ovl" :       ""
  "ovr" :       ""
  "ov?" :       ""
  "nlm" :       ""
  "lan" :       ""
  "dsk" :       ""
  "obj" :       ""
  "prc" :       "68000"                 // PalmPilot programs
  "axf" :       "arm710a"
  "h68" :       "68000"                 // MC68000 for *.H68 files
  "i51" :       "8051"                  // i8051   for *.I51 files
  "sav" :       "pdp11"                 // PDP-11  for *.SAV files
  "rom" :       ""                      // default processor for *.ROM files <<=================== This is where the change is done
  "cla*":       "java"
  "s19":        "6811"
  "o":          ""
  "*":          ""                      // Default processor
}

Note that I have deleted the default processor for *.rom files. This way, you'll be able to choose the processor of interest when opening the file in IDA Pro. Of course we will choose an x86 variant :wink:

My conclusions about IDA Pro are as follows:
1. It provides an "interface" to its internal functionality through its scripting facility, which is "exported" to the user through the idc.idc file.
2. Anything that can be done with its user interface can also be achieved by using IDC scripts.

Further IDA Pro resources are available at: The IDA Palace

wParam wrote: Has anyone ever tried to disassemble the .ROM files that the Phoenix BIOS editor spits out? Or, just in general, disassemble a Phoenix BIOS into x86 code? Can anyone recommend a disassembler (and maybe give some pointers on how to get useful output)? Any input would be much appreciated.

Many thanks,
-b

In many ways, Phoenix BIOS is very similar to Award BIOS. After both companies merged, they share the same code base :wink:.

As for a BIOS reverse engineering article, you can find the one that I wrote last year: Pinczakko's Guide to Award BIOS Reverse Engineering

greetz,

a.k.a Pinczakko
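
The ida.cfg change described in the reply above, as an added example (not part of the original post and not IDA's own code): a Python helper that clears the default processor for one extension, touching only entries inside the DEFAULT_PROCESSOR table and keeping the trailing comments aligned. The function name, the sample table and its "z80" value for "rom" are constructed assumptions.

```python
import re

# Constructed, abbreviated excerpt in the layout of the ida.cfg table shown above.
SAMPLE_CFG = '''\
DEFAULT_PROCESSOR = {
/* Extension    Processor */
  "com" :       "8086"                  // IDA will try the specified
  "bin" :       ""                      // Empty processor means the default processor
  "rom" :       "z80"                   // constructed: default for *.ROM files
  "*":          ""                      // Default processor
}
OTHER_TABLE = {
  "rom" :       "z80"
}
'''

# One table entry: "ext" : "cpu" followed by an optional comment.
ENTRY = re.compile(r'^(\s*"(?P<ext>[^"]+)"\s*:\s*)"(?P<cpu>[^"]*)"(?P<rest>.*)$')
BLOCK_START = re.compile(r'\s*DEFAULT_PROCESSOR\s*=\s*\{')

def clear_default_processor(cfg_text, ext="rom"):
    """Return (new_text, old_cpu); old_cpu is None if ext is not in the table."""
    out, in_block, old_cpu = [], False, None
    for line in cfg_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]          # preserve CRLF or LF as found
        if not in_block:
            in_block = BLOCK_START.match(body) is not None
        elif body.strip().startswith("}"):
            in_block = False            # end of DEFAULT_PROCESSOR table
        else:
            m = ENTRY.match(body)
            if m and m.group("ext").lower() == ext.lower():
                old_cpu = m.group("cpu")
                # Pad with spaces so the trailing comment keeps its column.
                body = m.group(1) + '""' + " " * len(old_cpu) + m.group("rest")
        out.append(body + eol)
    return "".join(out), old_cpu

if __name__ == "__main__":
    patched, previous = clear_default_processor(SAMPLE_CFG)
    print("previous default for *.rom:", repr(previous))
    print(patched)
```

Back up ida.cfg before writing the patched text over it; with the entry empty, IDA asks for the processor when a *.rom file is opened, as the reply describes.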