etBIOS reverse engineering

Only for programmers and BIOS gurus with technical questions.
Borg Number One
Master Flasher
Posts: 169
Joined: Sun May 02, 2004 7:47 pm

Hello.

Recently, I found/saw a really impressive BIOS extension which is able to
+ play DVDs
+ offer browser capabilities

without booting an operating system from additional drive(s).


The name of the project is: "etBIOS"
http://www.elegent.com/etBIOS/index.htm

Here are some further interesting images:
http://images.google.de/images?hl=en&q=etbios


Well, I also tried to extract the etBIOS ([NoCompress ROM] 040603.DAT) from some Acorp BIOS download links.

http://www.acorp.com.tw/eng/download/do ... 6&lineid=1
http://www.acorp.com.tw/eng/driver/INTE ... GQET14.zip

With the help of CBROM extracting the etBIOS module was no problem.

But the etBIOS is toooo huge to add it to my Asus A7N8X Deluxe BIOS.
Even removing built-in AWDFLASH utility, fullscreen/EPA logo etc. did not help to get more free space in the A7N8X Deluxe BIOS for the etBIOS.

So, I am currently unable to try the etBIOS,
because I do not have a mainboard with soooo much additional free space (256KB) inside the BIOS file. :(


So there are some questions:

1.)
Does anyone have a mainboard with enough space inside the BIOS chip/file for adding etBIOS?

2.)
etBIOS seems to be compressed somehow.
Does anyone know how to get it uncompressed?
BIOS backup - Multi BIOS - prevent a BIOS update failure:
RD1 BIOS Savior

http://www.ioss.com.tw
sunbirds
BIOS Rookie
Posts: 56
Joined: Sun Feb 01, 2004 4:48 pm

This etBIOS module in the main BIOS only has the function of playing DVDs; maybe it can be called etDVD.

When you check 040603.DAT, you can find "egcs-1.1.2 release".
It may be modded with EGCS on Linux.

Furthermore, etBrowser will be found in some BIOSes.
Rainbow
The UniFlasher
Posts: 3122
Joined: Wed Mar 20, 2002 4:16 pm
Location: Slovakia

EGCS is a compiler; it's now obsolete.
http://en.wikipedia.org/wiki/EGCS
Patched and tested BIOSes are at http://wims.rainbow-software.org
UniFlash - Flash anything anywhere
Borg Number One
Master Flasher
Posts: 169
Joined: Sun May 02, 2004 7:47 pm

Hello.


1.)
Yes, it is true that EGCS is a compiler.
It seems that etBIOS / etDVD / etBrowser will generally be compiled with EGCS / GCC.


2.)
Acorp, Soyo and VIA seem to have a commercial partnership with elegent and use their etBIOS/etDVD.


Here is another BIOS file with etBIOS/etDVD module.
7KM400QP
http://www.acorp.com.tw/eng/download/do ... nclassid=2
-->
http://www.acorp.com.tw/eng/driver/VIA/ ... 0QPv17.zip
-->
unpack: Access+17.BIN
-->
extract: [NoCompress ROM] module.


Here are the BIOS logos of both mentioned mainboards:

7KM400QP

-->
The etBIOS has been started and uses the BIOS logo as background image



4865GQET


3.)

Does anybody know which kind of compression is used for etBIOS/etDVD?
Can someone unpack the etBIOS modules?


4.)
Referring to this:

http://www.extrememhz.com/syp4val-p4.shtml
-->


Can someone figure out how to "start/call" the etBIOS after inserting the etBIOS module into an Award/AMI/Phoenix...-BIOS?
BIOS backup - Multi BIOS - prevent a BIOS update failure:
RD1 BIOS Savior

http://www.ioss.com.tw
maman
Master Flasher
Posts: 173
Joined: Sun Mar 31, 2002 2:08 pm
Location: Taka Bonerate National Park, Indonesia

Borg Number One wrote: Hello.

1.)
Yes, it is true that EGCS is a compiler.
It seems that etBIOS / etDVD / etBrowser will generally be compiled with EGCS / GCC.

Yeah, I think so. Quite a lot of embedded appliances somehow make use of it.

Borg Number One wrote: 3.)
Does anybody know which kind of compression is used for etBIOS/etDVD?
Can someone unpack the etBIOS modules?

Referring to your previous statement that it can be opened by using CBROM, it is probably LZH. Or, if not, it will still be a variant of Lempel-Ziv.

Borg Number One wrote: Can someone figure out how to "start/call" the etBIOS after inserting the
etBIOS module into an Award/AMI/Phoenix...-BIOS?

I think the module "hooks" into interrupt 19h, the bootstrap interrupt. Anyway, a brute-force attack on this with Award BIOS would be to patch the "POST jump table". You can read the technique at Award BIOS "POST Jump Table" Hacking.
Borg Number One
Master Flasher
Posts: 169
Joined: Sun May 02, 2004 7:47 pm

Hi.

maman wrote: Referring to your previous statement that it can be opened by using CBROM, it is probably LZH. Or, if not, it will still be a variant of Lempel-Ziv.

I just wrote that the BIOS file can be opened with CBROM,
but I did not write that the etBIOS/etDVD module can be opened with CBROM.
The etBIOS/etDVD modules are compressed somehow, that is a fact.
But they do not have a further compression inside the Phoenix AwardBIOS file.

So, I would like to know which compression was used for the etBIOS / etDVD module itself.
BIOS backup - Multi BIOS - prevent a BIOS update failure:
RD1 BIOS Savior

http://www.ioss.com.tw
sunbirds
BIOS Rookie
Posts: 56
Joined: Sun Feb 01, 2004 4:48 pm

I find that in a normal 512K Award BIOS, the original module is located at 0x10000H or 0x20000H, so when we open it with CBROM, we lose 64K or 128K of space.
When I open GQET.BIN with CBROM, there is 468.00K of compress code space and the original module is located at 0x00000H. This is the question: we must mod the normal Award BIOS to get more compress code space.

1) This is the GQET.BIN BIOS compress code structure:


CBROM V2.19 (C)Award Software 2001 All Rights Reserved.

              ********     gqet.bin BIOS component ********

 No. Item-Name         Original-Size   Compressed-Size Original-File-Name 
================================================================================
  0. System BIOS       20000h(128.00K)13596h(77.40K)GQET.BIN
  1. XGROUP CODE       0ACB0h(43.17K)07560h(29.34K)awardext.rom
  2. CPU micro code    04000h(16.00K)03F9Fh(15.91K)CPUCODE.BIN
  3. ACPI table        03A34h(14.55K)0164Ah(5.57K)ACPITBL.BIN
  4. EPA LOGO          0168Ch(5.64K)002AAh(0.67K)AwardBmp.bmp
  5. YGROUP ROM        061E0h(24.47K)04127h(16.29K)awardeyt.rom
  6. GROUP ROM[ 0]     03F60h(15.84K)01DDDh(7.47K)_EN_CODE.BIN
  7. VGA ROM[1]        0C000h(48.00K)06C88h(27.13K)SDG_2919.DAT
  8. NoCompress ROM    40000h(256.00K)40032h(256.05K)040603.dat
  9. LOGO BitMap       4B30Ch(300.76K)02CC6h(11.19K)865.bmp

  Total compress code space  = 75000h(468.00K)
  Total compressed code size = 6FC0Dh(447.01K)
  Remain compress code space = 053F3h(20.99K)
The total compress code space of it is 468.00K.


2) This is a normal Award BIOS compress code structure:

CBROM V2.19 (C)Award Software 2001 All Rights Reserved.

              ********  s2epv13.bin BIOS component ********

 No. Item-Name         Original-Size   Compressed-Size Original-File-Name 
================================================================================
  0. System BIOS       20000h(128.00K)1492Dh(82.29K)S2EPV13B.BIN
  1. XGROUP CODE       0F650h(61.58K)08B20h(34.78K)awardext.rom
  2. CPU micro code    02800h(10.00K)01B9Ch(6.90K)CPUCODE.BIN
  3. ACPI table        03689h(13.63K)01544h(5.32K)ACPITBL.BIN
  4. EPA LOGO          0168Ch(5.64K)002AAh(0.67K)AwardBmp.bmp
  5. YGROUP ROM        04BF0h(18.98K)02D3Dh(11.31K)awardeyt.rom

  Total compress code space  = 4D000h(308.00K)
  Total compressed code size = 23514h(141.27K)
  Remain compress code space = 29AECh(166.73K)
The total compress code space of it is only 308K.
It also wastes 128K of space.
sunbirds
BIOS Rookie
Posts: 56
Joined: Sun Feb 01, 2004 4:48 pm

I did some tests with an AOpen 810mb MX3W.

When I insert the original.bin of the MX3W into the access+.bin, release some other modules, and rename the BIOS to mx.bin,
CBROM and MODBIN display mx.bin normally, but when I flash it to the chip and reboot, nothing is displayed.
Borg Number One
Master Flasher
Posts: 169
Joined: Sun May 02, 2004 7:47 pm

Hi.


It is necessary to figure out how the etBIOS module will be called/executed by the System BIOS.
BIOS backup - Multi BIOS - prevent a BIOS update failure:
RD1 BIOS Savior

http://www.ioss.com.tw
maman
Master Flasher
Posts: 173
Joined: Sun Mar 31, 2002 2:08 pm
Location: Taka Bonerate National Park, Indonesia

Borg Number One wrote: Hi.

It is necessary to figure out how the etBIOS module will be called/executed by the System BIOS.

he..he..he.. sorry that last time I didn't check the binary :? , just goofin' around with comments :lol:

The "compression" used by the etBIOS module is indeed LHA, but it's LHA level 0, meaning no compression at all (look at the -lh0- string at the beginning of the binary); one can extract it by using LHA to remove the headers and analyze it using a disassembler. Anyway, it's executed just like other extension modules in Award BIOS, minus the decompression process of course, which is replaced by a binary copy routine (present in the Award BIOS decompression routine too :wink: ).

have a nice day :wink:
Borg Number One
Master Flasher
Posts: 169
Joined: Sun May 02, 2004 7:47 pm

Hi.


I know that the etBIOS module is a "0/zero"-compressed LHA module, but a huge part of the etBIOS itself consists of compressed code.


BIOS file
  + ...
  + module (lh5)
  + second module (lh5)
  + another module (lh5)
  + etBIOS module (lh0)
  |
  +---+ binary code (unpacker?)
      + compressed code
  + next module (lh5)
...

I just would like to know which kind of executable compression/compressor was used inside the etBIOS.
BIOS backup - Multi BIOS - prevent a BIOS update failure:
RD1 BIOS Savior

http://www.ioss.com.tw
maman
Master Flasher
Posts: 173
Joined: Sun Mar 31, 2002 2:08 pm
Location: Taka Bonerate National Park, Indonesia

Hi Borg. Just got a little time this morning and I've got the entry point. Sorry, only a very raw disassembly, just in case you are really keen to know. I don't have much time to explain it.

Disassembly of ACORP 4865GQET with etBIOS (4865GQET14.BIN)


E_seg:9A3E   call  init_descriptor_cache
E_seg:9A41   call  search_ET_BIOS_sign_pos
E_seg:9A44   jb    sign_not_found
E_seg:9A48   call  relocate_ET_BIOS ; relocate ET_BIOS to right-above 1MB
E_seg:9A4B   mov   esi, 100000h    ; hmmm... 1MB area
E_seg:9A51   mov   eax, 54453EEBh  ; is ET_BIOS signature is ok?
E_seg:9A57   cmp   [esi], eax
E_seg:9A5B   jnz   sign_not_found
E_seg:9A5F   jmp   short ET_BIOS_sign_found
.................
E_seg:9A67 ET_BIOS_sign_found:     ; CODE XREF: init_ET_BIOS+60j
E_seg:9A67   test  byte ptr [esi+1Ch], 10h
E_seg:9A6C   jnz   short no_ctlr_reset
E_seg:9A6E   call  reset_IDE_n_FDD_ctlr
E_seg:9A71
E_seg:9A71 no_ctlr_reset:          ; CODE XREF: init_ET_BIOS+6Dj
E_seg:9A71   mov   edi, 100000h
E_seg:9A77   mov   dword ptr es:[edi+24h], 4000000h
E_seg:9A81   mov   bx, [esi+10h]
E_seg:9A85   cmp   bx, 0
E_seg:9A88   jz    short no_vesa_init
E_seg:9A8A   mov   ax, 4F02h
E_seg:9A8D   int   10h             ; - VIDEO - VESA SuperVGA BIOS -  SET SuperVGA VIDEO MODE
E_seg:9A8D                         ; BX = mode, bit 15 set means don't clear video memory
E_seg:9A8D                         ; BX = bit 15 set means don't clear video memory
E_seg:9A8D                         ; Return: AL = 4Fh function supported
E_seg:9A8D                         ; AH = 00h successful, 01h failed
E_seg:9A8F
E_seg:9A8F no_vesa_init:           ; CODE XREF: init_ET_BIOS+89j
E_seg:9A8F   jmp   short init__ET_BIOS_binary
................
E_seg:9A99 init__ET_BIOS_binary:   ; CODE XREF: init_ET_BIOS:no_vesa_initj
E_seg:9A99   mov   es:[edi+12h], al
E_seg:9A9E   mov   si, 19CEh
E_seg:9AA1   call  setup_menu?
E_seg:9AA4   mov   si, 99F7h
E_seg:9AA7   add   si, ax
E_seg:9AA9   mov   al, cs:[si]
E_seg:9AAC   mov   es:[edi+21h], al
E_seg:9AB1   call  init_GDT
E_seg:9AB4   xor   ebx, ebx
E_seg:9AB7   xor   ecx, ecx
E_seg:9ABA   mov   bx, 99F1h
E_seg:9ABD   mov   cx, cs
E_seg:9ABF   shl   ecx, 4
E_seg:9AC3   add   ecx, ebx
E_seg:9AC6   push  ecx
E_seg:9AC8   xor   eax, eax
E_seg:9ACB   mov   ax, 8
E_seg:9ACE   push  eax             ; push code selector number (32-bit P-Mode selector)
E_seg:9AD0   mov   ax, 9B1Bh       ; addr following after retf (below)
E_seg:9AD3   xor   ecx, ecx
E_seg:9AD6   mov   cx, cs
E_seg:9AD8   shl   ecx, 4          ; ecx = phy_addr(cs)
E_seg:9ADC   add   eax, ecx
E_seg:9ADF   push  eax
E_seg:9AE1   xor   eax, eax
E_seg:9AE4   xor   ecx, ecx
E_seg:9AE7   mov   cx, ss
E_seg:9AE9   shl   ecx, 4
E_seg:9AED   mov   ax, sp
E_seg:9AEF   add   ecx, eax
E_seg:9AF2   mov   edi, 100000h    ; edi = phy_addr_copy_of_et_BIOS
E_seg:9AF8   cli
E_seg:9AF9   lgdt  qword ptr cs:word_E000_99F1
E_seg:9AFF   mov   eax, cr0
E_seg:9B02   or    eax, 1          ; enter p-mode
E_seg:9B06   mov   cr0, eax
E_seg:9B09   mov   ax, 10h
E_seg:9B0C   mov   ds, ax
E_seg:9B0E   assume ds:nothing
E_seg:9B0E   mov   es, ax
E_seg:9B10   assume es:nothing
E_seg:9B10   mov   fs, ax
E_seg:9B12   assume fs:nothing
E_seg:9B12   mov   gs, ax
E_seg:9B14   assume gs:nothing
E_seg:9B14   mov   ss, ax
E_seg:9B16   assume ss:nothing
E_seg:9B16   mov   esp, ecx
E_seg:9B19   db      66h
E_seg:9B19   retf                  ; jump below in P-Mode
E_seg:9B19 init_ET_BIOS endp ; sp = -3Ch
E_seg:9B19
E_seg:9B19 E_seg ends
E_seg:9B19
_exec_et_bios:0000000B ; ---------------------------------------------------------------------------
_exec_et_bios:0000000B ; ===========================================================================
_exec_et_bios:0000000B
_exec_et_bios:0000000B ; Segment type: Regular
_exec_et_bios:0000000B _exec_et_bios segment byte public '' use32
_exec_et_bios:0000000B   assume cs:_exec_et_bios
_exec_et_bios:0000000B   ;org 0Bh
_exec_et_bios:0000000B   assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
_exec_et_bios:0000000B   call  edi             ; call 10000:0000h (ET_BIOS:00000000h)
_exec_et_bios:0000000D   pop   ebx
_exec_et_bios:0000000E
_exec_et_bios:0000000E loc_E9B1_E:
_exec_et_bios:0000000E   lgdt  qword ptr [ebx]
_exec_et_bios:00000011   db      67h
_exec_et_bios:00000011   jmp   small far ptr 20h:9B28h
....................................
E_seg:9C7A relocate_ET_BIOS proc near ; CODE XREF: init_ET_BIOS+49p
E_seg:9C7A   mov   edi, 100000h    ; edi = target_addr (1MB)
E_seg:9C80   mov   ecx, [esi+4]
E_seg:9C85   add   ecx, 3FFh
E_seg:9C8C   and   ecx, 0FFFFFC00h ; size mod 1KB
E_seg:9C93   shr   ecx, 2
E_seg:9C97   cld
E_seg:9C98   rep movs dword ptr es:[edi], dword ptr [esi]
E_seg:9C9C   clc
E_seg:9C9D   retn
E_seg:9C9D relocate_ET_BIOS endp

E_seg:9C9E search_ET_BIOS_sign_pos proc near ; CODE XREF: init_ET_BIOS+42p
E_seg:9C9E   mov   esi, 0FFF80000h
E_seg:9CA4   mov   eax, 54453EEBh  ; eax = et_bios first 4-bytes (including signature)
E_seg:9CAA
E_seg:9CAA next_16_bytes:          ; CODE XREF: search_ET_BIOS_sign_pos+1Dj
E_seg:9CAA   cmp   [esi], eax
E_seg:9CAE   jz    short exit
E_seg:9CB0   add   esi, 16
E_seg:9CB4   cmp   esi, 0FFFF0000h
E_seg:9CBB   jb    short next_16_bytes
E_seg:9CBD   stc
E_seg:9CBE   retn
E_seg:9CBF ; ---------------------------------------------------------------------------
E_seg:9CBF
E_seg:9CBF exit:                   ; CODE XREF: search_ET_BIOS_sign_pos+10j
E_seg:9CBF   clc
E_seg:9CC0   retn
E_seg:9CC0 search_ET_BIOS_sign_pos endp
..................

=====> here comes et_bios binary <============

ET_BIOS:00000000 loc_10000_0:
ET_BIOS:00000000   jmp   short et_bios_start
ET_BIOS:00000000 ; ---------------------------------------------------------------------------
ET_BIOS:00000002 aEt db 'ET'             ; ET BIOS signature
ET_BIOS:00000004   dw 0FC73h             ; encoded etBIOS size
...........................
ET_BIOS:00000040 et_bios_start:          ; CODE XREF: ET_BIOS:loc_10000_0j
ET_BIOS:00000040   cli
ET_BIOS:00000041   mov   ds:1F3BA0h, esp
ET_BIOS:00000047   mov   esp, 1F8000h
ET_BIOS:0000004C   cld
ET_BIOS:0000004D   lgdt  qword ptr ds:1000A8h
ET_BIOS:00000054   pushf
ET_BIOS:00000055   pop   eax
ET_BIOS:00000056   and   ah, 0BFh
ET_BIOS:00000059   push  eax
ET_BIOS:0000005A   popf
ET_BIOS:0000005B   call  sub_10000_10A8
ET_BIOS:00000060   sub   eax, eax
ET_BIOS:00000062   mov   edi, 1A8010h
ET_BIOS:00000067   mov   ecx, 1F3B94h
ET_BIOS:0000006C   sub   ecx, edi
ET_BIOS:0000006E   shr   ecx, 1
ET_BIOS:00000071   shr   ecx, 1
ET_BIOS:00000074   rep stosd
ET_BIOS:00000076   call  near ptr unk_10000_23D0 ; still need some research
ET_BIOS:0000007B   jmp   short return_to_system_bios
............................
ET_BIOS:00000081 return_to_system_bios:  ; CODE XREF: ET_BIOS:0000007Bj
ET_BIOS:00000081   cli
ET_BIOS:00000082   mov   ds:100033h, al
ET_BIOS:00000087   mov   esp, ds:1F3BA0h
ET_BIOS:0000008D   retn
Mind you that the et_bios binary is executed in 32-bit protected mode. I guess that is because the code is compiled with EGCS (which was only able to emit 32-bit plain binaries back then). Anyway, I haven't dug down deeper. But it seems that there is some kind of decompressor indeed.

Some hints:
--------------
E_seg --> lower 64KB of original.tmp. The routine above is called from one of the POST jump table entries (not directly; some calls exist in between).

Descriptor table that's used to switch to P-Mode prior to et_bios execution is initialized dynamically.

greetz,
a.k.a Pinczakko
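To make the search-and-relocate logic in the disassembly above concrete, here is an added Python model (not code from the thread or from the firmware) of search_ET_BIOS_sign_pos and relocate_ET_BIOS run over a constructed 512 KB image: the scan compares one dword at every 16-byte step from 0FFF80000h up to 0FFFF0000h, so a module that is not 16-byte aligned or that sits in the top 64 KB is never found, and the copy length is the dword at offset 4 rounded up to 1 KB. It assumes that dword is a plain byte count (the listing only calls it an "encoded" size) and that the flash part maps to the top of the 4 GB address space; the sample header is constructed, not taken from a real etBIOS.

```python
import struct

ROM_SIZE = 0x80000                    # 512 KB flash part, assumed mapped at the top of 4 GB
ROM_BASE = 0x1_0000_0000 - ROM_SIZE   # 0FFF80000h: where search_ET_BIOS_sign_pos starts
SCAN_END = 0xFFFF0000                 # scan stops below the upper 64 KB (system BIOS segment)
ET_SIG = 0x54453EEB                   # as a little-endian dword: EB 3E 'E' 'T'
                                      # = "jmp short +3Eh" (lands on et_bios_start at +40h), then "ET"
RELOC_TARGET = 0x100000               # 1 MB, where relocate_ET_BIOS copies the module

def search_et_bios_sign_pos(rom):
    """Model of search_ET_BIOS_sign_pos: one dword compare at every 16-byte step.
    Returns the physical address of the first hit, or None (the firmware sets CF)."""
    assert len(rom) == ROM_SIZE
    addr = ROM_BASE
    while addr < SCAN_END:
        off = addr - ROM_BASE
        if struct.unpack_from("<I", rom, off)[0] == ET_SIG:
            return addr
        addr += 16
    return None

def relocate_et_bios(rom, addr):
    """Model of relocate_ET_BIOS: length = dword at +4 rounded up to 1 KB,
    copied as dwords to 1 MB. Assumption: that dword is a plain byte count."""
    off = addr - ROM_BASE
    size = struct.unpack_from("<I", rom, off + 4)[0]
    rounded = (size + 0x3FF) & 0xFFFFFC00       # add ecx,3FFh / and ecx,0FFFFFC00h
    return RELOC_TARGET, bytes(rom[off:off + rounded])

def build_rom(module_off, body_size):
    """Constructed 512 KB image (all FFh) with a minimal etBIOS-style header at module_off."""
    rom = bytearray(b"\xff" * ROM_SIZE)
    header = struct.pack("<II", ET_SIG, body_size)  # jmp short / 'ET' / size dword
    rom[module_off:module_off + len(header)] = header
    return bytes(rom)

def locate_and_relocate(rom):
    """Run both steps as init_ET_BIOS does; None if the signature is not found."""
    addr = search_et_bios_sign_pos(rom)
    if addr is None:
        return None
    return (addr,) + relocate_et_bios(rom, addr)
```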
KenH
Chip off the ol' block
Posts: 110
Joined: Wed Mar 30, 2005 7:11 pm

I found an interesting page on BIOS reverse engineering HERE
in my quest to better understand its functions...
maman
Master Flasher
Posts: 173
Joined: Sun Mar 31, 2002 2:08 pm
Location: Taka Bonerate National Park, Indonesia

KenOath wrote: I found an interesting page on BIOS reverse engineering HERE
in my quest to better understand its functions...

It's my website :lol:. The "root" page is in my signature below :wink:
precisedix
New visitors - please read the rules.
Posts: 1
Joined: Mon Mar 23, 2009 1:00 pm

Found an interesting page on bios reverse engineering... it looks like a good resource man...