My guide to award BIOS reverse engineering

Only for programmers and BIOS gurus with technical questions.
maman
Master Flasher
Posts: 173
Joined: Sun Mar 31, 2002 2:08 pm
Location: Taka Bonerate National Park, Indonesia

franka2 wrote: what's needed now is info which 128KByte eprom fits into those cheapo rtl8139 NIC sockets subsequently to be copied into AMD64 address space as MENUET64 execute-from-store assembler operating system... :wink:

like this:
The 8139 is probably the most cloned NIC in the world.

The design of the ethernet controller chip accommodates ROMs up to 128kB which require a 32 pin socket. Some OEMs however use a 28 pin socket because that can hold a 27C512 which can hold up to 64kB of code, more than enough for most cases.

Also recent versions of the controller have the capability of programming EEPROMs in situ. EEPROMs also require a 32 pin socket. But this programming capability isn't always implemented by OEMs because it requires extra circuitry external to the controller and therefore extra cost (a significant fraction of the $5 price).

You have a 28 pin socket: therefore you need a 27C series EPROM. And an external EPROM programmer (200€). If you had a 32 pin socket, the 27C010 would also be feasible in addition to the 27C256 and 27C512. The 28 pin ROMs then sit in the socket with the bottom edge aligned (2 empty rows on top, the notch end).
he..he..he.. , have you read this Low cost embedded x86 teaching tool or perhaps you like a PDF version here.

Have a nice day :wink:
franka2
New visitors - please read the rules.
Posts: 13
Joined: Mon Dec 12, 2005 4:07 am

maman wrote:
franka2 wrote: or perhaps you like a PDF version here.
yo, I do like that PDF, it's better stuff than the stuff from my favourite PC mag (c't) :lol:

Longshine used to sell a LCS-8038TXR7 NIC with 32pin socket.
http://www.longshine.de/longshine/p_100 ... p?lang=ger
it sells around 4 EURO over here! but on some pictures they show a different layout with a shitty 28pin socket only (same model no.)!
then u need the soft to flash the EPROM (OTP EPROM only 1 euro!). seems no one came round to actually write it. programmer is around 200 euro.

DLINK has socketed NICs but only 28pin and no RTL8139 controller.

finding an eprom is pretty straightforward but apparently no slower than 120 ns is req'd.

one might start with getting the free PXE ROM image from realtek and start hacking it into sth. better ...

in the future maybe the mainboard makers throw in bigger flash roms and EFI extensible firmware, so people can throw in their own code.
seems like traditional BIOS makers haven't adapted yet and oppose it.
maman
Master Flasher
Posts: 173
Joined: Sun Mar 31, 2002 2:08 pm
Location: Taka Bonerate National Park, Indonesia

franka2 wrote: ... so people can throw in their own code.
seems like traditional BIOS makers haven't adapted yet and oppose it.
we can inject such a code indeed, even on current BIOS, but not too much, depending on the number of padding bytes that existed in the BIOS binary. Have you read Award BIOS Code Injection? It has PDF version in codebreakers-journal server here.
franka2
New visitors - please read the rules.
Posts: 13
Joined: Mon Dec 12, 2005 4:07 am

ya maman, I had seen that on that cool codebreaker page. excellent stuff. The issue of modifying BIOS seems well-documented by now and it's absolutely feasible to start publishing ready-made mods.

In EFI, real mode is abandoned and a clean 2nd generation "BIOS" API is introduced. Already a few KB should be free in most flash-roms on mobo.

Those 256KB BIN images seem to have many KB of padding space and lots of FF-blocks. I wonder whether they are 1:1 copies of ROM-content.

3COM NICs have flash on 'em, but no documented flash interface. i.e. there is a single .EXE with image-file linked in - not like with those mobo flash tools. You think it's poss to even use 256 KByte flash-ROMs on a NIC? that would be enough space to burn in MENUET64 assembler OS...
:wink:
maman
Master Flasher
Posts: 173
Joined: Sun Mar 31, 2002 2:08 pm
Location: Taka Bonerate National Park, Indonesia

franka2 wrote: You think it's poss to even use 256 KByte flash-ROMs on a NIC? that would be enough space to burn in MENUET64 assembler OS...
:wink:
depends on the XROMBAR (Expansion ROM Base Address Register) of the PCI chip that's used in the card. If it can decode space that much, then it would be possible. But if it isn't, we're physically out of luck, i.e. no software work-around can be done :(.

PS: read about XROMBAR in the PCI specification (version 2.1 and above).
Last edited by maman on Sat Dec 24, 2005 2:22 pm, edited 1 time in total.
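
An added example, not part of maman's post or any code from the thread: the XROMBAR limit described above can be checked with the standard BAR sizing probe (write all ones to the address bits at config offset 0x30, read back, and see which bits stuck). The readback values below are constructed for illustration, not measured from any card, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* PCI type-0 header: Expansion ROM Base Address Register (XROMBAR) lives at
 * config offset 0x30. Bit 0 = ROM decode enable, bits 10:1 reserved,
 * bits 31:11 = base address. Bits the chip does not implement read as 0. */
#define XROMBAR_ADDR_MASK 0xFFFFF800u

/* readback: value read from XROMBAR after writing all ones to the address
 * bits (the standard BAR sizing probe). Returns the decoded window size in
 * bytes, or 0 when the device implements no expansion ROM BAR. */
uint32_t xrombar_window_size(uint32_t readback)
{
    uint32_t addr_bits = readback & XROMBAR_ADDR_MASK;
    if (addr_bits == 0)
        return 0;
    /* The lowest address bit that stuck at 1 equals the window size. */
    return addr_bits & (~addr_bits + 1u);
}

/* 1 if a ROM of rom_bytes can be fully decoded, 0 otherwise. */
int rom_fits(uint32_t readback, uint32_t rom_bytes)
{
    uint32_t window = xrombar_window_size(readback);
    return window != 0 && rom_bytes <= window;
}

int main(void)
{
    /* Constructed readback values, not measured from any real card. */
    const uint32_t samples[] = { 0xFFFE0000u, 0xFFFF0001u, 0xFFFC0000u, 0u };
    const uint32_t rom = 256u * 1024u;   /* the 256 KByte flash asked about */

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t w = xrombar_window_size(samples[i]);
        printf("readback 0x%08X -> window %u KB, 256 KB ROM %s\n",
               (unsigned)samples[i], (unsigned)(w / 1024u),
               rom_fits(samples[i], rom) ? "fits" : "does not fit");
    }
    return 0;
}
```

A chip whose XROMBAR only implements address bits down to bit 17 decodes 128 KB at most, so a 256 KB part in the socket would have its upper half unreachable regardless of software.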
franka2
New visitors - please read the rules.
Posts: 13
Joined: Mon Dec 12, 2005 4:07 am

maman wrote: PS: read about XROMBAR in the PCI specification (version 2.1 and above).
OK I'll come round to do that OVR Xmas.

so far i am hardwarily set up: Longshine RTL8169 NIC , 32pin socket, AMD 5V-only 128 KB flash-rom and UNIFLASH.EXE.

too bad uniflash hangs so far - I'll try to figure that out.

total cost is 15 EURO , LCS8037 (kmshop.de) is 10 euro, AMD flash-rom is 5 euro
(type Am29F010 , 32pin DIL packg , 120ns write cycle available at Conrad.de off the shelf)

if in-situ flashing fails, I still have a FPGA kit by Altera and I'll set up a hardware solution ...
PS: folks don't even bother to ask local compy dealers 'bout BOOT ROM. they don't know Jack Sh - u gotta check out in cool forums like this...
franka2
New visitors - please read the rules.
Posts: 13
Joined: Mon Dec 12, 2005 4:07 am

seems like of those flashable NICs which are also cheap and available, only for abovementioned one there is tested flash software available (libflash in linux).

for the rest u need an eprom-burner (200 euro) or s.o. who owns one.
flash hardware (non-eprom, non-prom softwarily asf.) can be gotten at about 50 euro (c't flasher).

the freeware solution is UNIFLASH once it supports the hardware u are actually using. so far it focuses on flashing mainboard BIOS but we see upcoming support for PCI extension as well. (tho inoperable in my case as of now)
maman
Master Flasher
Posts: 173
Joined: Sun Mar 31, 2002 2:08 pm
Location: Taka Bonerate National Park, Indonesia

I've made quite a major update in some critical section of the article.

CHANGE LOG
------------------
1. Extension BIOS component decompression and execution routines 
corrected due to some minor misinterpretation in the previous versions of 
the article.

2. Added new section on microcode update routine

Awbios
New visitors - please read the rules.
Posts: 11
Joined: Mon Jan 20, 2014 6:26 pm

Borg Number One wrote:Hi maman.


1.)

In your Guide to Award BIOS reverse engineering, you mention that you are not really sure what the ROSUPD.bin module is:

"ROSUPD.bin, seems to be custom Logo display procedure"

Could it be that the module
+ is a "container file" (like an uncompressed zip/rar/... archive)?
+ contains code, fonts and graphics for the graphical award phoenixnet bios P.O.S.T.:



2.)
Can you check this thread, please?
http://www.wimsbios.com/phpBB2/viewtopic.php?t=7335
Hi, I know this is an old post but I have interesting things. ROSUPD.BIN is PhoenixNet. I found a working BIOS (Jetway Jmark) J-616AF A03 09/26/2K i815-ITE8712-6A69RJ19C on emulator Bochs 2.6.2:
admin
Site Admin
Posts: 760
Joined: Wed Mar 20, 2002 12:14 pm
Location: Belgium

thanks for the info.

Could you share how you used Bochs PC emulator to use a certain BIOS?

Thanks
Wim
Awbios
New visitors - please read the rules.
Posts: 11
Joined: Mon Jan 20, 2014 6:26 pm

To use an Award BIOS in the Bochs emulator, you simply need to change the default BIOS file in Memory settings or change the file name, e.g. 616AFA03.BIN to BIOS-bochs-latest.

P.S. I found other working bios'es Award. Some bioses simply not work, other boot only Award BootBlock. I start test some bioses from this: IWILL P55XB2. I have info that some bioses working also in QEMU or QEMU/KVM e.g. Image