LH5 / LZH modules in Asus - Award BIOS files

Only for programmers and BIOS gurus with technical questions.
Borg Number One
Master Flasher
Posts: 169
Joined: Sun May 02, 2004 7:47 pm

Hi.

Because there are still many Asus - Award BIOS files which cannot be opened with different CBROM versions and not with Asus CBROM (REV. 2.08 Build Date Jul 15 2002), I would like to modify Award BIOS files using a hex editor.

Well, it seems that the module ID of each Award BIOS module is stored in the -lh5- / -lh0- file.

However at the end of each -lh5- module there is a kind of checksum byte,
but I am not able to calculate or reproduce this kind of checksum byte.


Where can I get detailed information or file specifications about the compressed modules in Award BIOS files?
BIOS backup - Multi BIOS - prevent a BIOS update failure:
RD1 BIOS Savior

http://www.ioss.com.tw
Qortado
BIOS Newbie
Posts: 16
Joined: Fri Jul 01, 2005 6:41 am

You can easily extract ASUS' BIOS files modules with BIOS Information Tool (BIT) if that's what you want.
Borg Number One
Master Flasher
Posts: 169
Joined: Sun May 02, 2004 7:47 pm

Hi.


I already know the BIOS Information Tool (BIT) and I also know how to extract LZH / LHA compressed modules from a BIOS file with a hexeditor.

I just would like to know the file specifications of the lha/lzh modules which were/are produced with CBROM.


For example:

1.)
Create a file with file name: "x" (no extension) in the same directory where an Award BIOS file (for testing) and CBROM (2.07) are.
(For testing/for the experiments, you should really use just one letter for the file name.)

Open this file in a text or HEX editor, type in the letter: "a" and save the changes.

2.)
After this, remove the logo from the BIOS file
(e.g. cbrom207 biosfile.bin /logo release)
and
make a copy of the BIOS file, which now has no logo.
(e.g. biosfile2.bin)

Now, add the file "x" to the BIOS file as a logo module.
(cbrom207 biosfile.bin /logo x)

Then edit the file "x", replace the letter a with a b and save the changes.

After this, add the file "x" to the copy of the BIOS file as a logo module.
(cbrom207 biosfile2.bin /logo x)


Now, compare both files (in a Hex editor).


You will see that the differences are in the logo modules:

1A03 2D6C 6830 2D01 0000 0001 0000 0000 0000 4020 0101 78C1 E820 0000 6100 | ..-lh0-...........@ ..x.. ..a.

1AC4 2D6C 6830 2D01 0000 0001 0000 0000 0000 4020 0101 7881 E920 0000 6200 | ..-lh0-...........@ ..x.. ..b.



I could figure out that:
+ C1E8 (E8C1) is the CRC-16 checksum of the HEX Value 61 (ASCII: a) inside the file x
+ 81E9 (E981) is the CRC-16 checksum of the HEX Value 62 (ASCII: b) inside the file x
+ 00 40 (4000) is the module ID of an Award BIOS Logo module
+ 78 (ASCII: letter x) is the filename

Now, I would like to know what meaning the values 03 and C4 have.
Furthermore, what meaning does the first byte have?
maman
Master Flasher
Posts: 173
Joined: Sun Mar 31, 2002 2:08 pm
Location: Taka Bonerate National Park, Indonesia

The LZH header structure used in Award BIOS (and its variants) is explained here (scroll down a bit, and you'll see the explanation inside a table).

You can compare it with "standard" LZH level-1 header explained here.

In addition, in my previous reverse engineering of Award BIOS, I found that CBROM puts the decompression segment:offset address of the corresponding component in the modification time "section" of the "ordinary" LZH header if the component is part of the "core" components, such as original.tmp, awardext.rom or awardeyt.rom. As for the other "non-core" components, the dword is a kind of placeholder for later decompression by original.tmp when the bootblock has already jumped into it, I mean execution is already being carried out within original.tmp.
Borg Number One wrote: ...
Now, I would like to know what meaning the values 03 and C4 have.
Furthermore, what meaning does the first byte have?
The first byte is the header length.
The second byte (which you're asking for) is the 8-bit checksum byte for the header, some people call it the arithmetic checksum.


I guess that's enough to find out what you want Borg :wink:
Last edited by maman on Sun Jul 03, 2005 5:33 am, edited 1 time in total.
Borg Number One
Master Flasher
Posts: 169
Joined: Sun May 02, 2004 7:47 pm

Hi.


Thank you for this help.
It really works.

Referring to the HEX view of both modules:
1A03 2D6C 6830 2D01 0000 0001 0000 0000 0000 4020 0101 78C1 E820 0000 6100 | ..-lh0-...........@ ..x.. ..a.

1AC4 2D6C 6830 2D01 0000 0001 0000 0000 0000 4020 0101 7881 E920 0000 6200 | ..-lh0-...........@ ..x.. ..b.


1A[HEX]=26, and it describes that in both cases the header is 26 bytes long.

Furthermore 03 describes the 8bit-Checksum of:
2D6C 6830 2D01 0000 0001 0000 0000 0000 4020 0101 78C1 E820

and C4 describes the 8bit-Checksum of:
2D6C 6830 2D01 0000 0001 0000 0000 0000 4020 0101 7881 E920

Well, in many Asus Award BIOS files and besides the
+ BIOS module header checksum
+ (compressed) file data checksum
there seems to be a third kind of checksum at the end of a/each module.

Can you tell me more about this third kind of checksum?
maman
Master Flasher
Posts: 173
Joined: Sun Mar 31, 2002 2:08 pm
Location: Taka Bonerate National Park, Indonesia

Borg Number One wrote:Hi.
...
Well, in many Asus Award BIOS files and besides the
+ BIOS module header checksum
+ (compressed) file data checksum
there seems to be a third kind of checksum at the end of a/each module.

Can you tell me more about this third kind of checksum?
You're right about the existence of the third checksum. In Award version 4.51PGNM BIOS(es), the third checksum is:

8-bit checksum for the module. It's calculated from the beginning of the LZH header up to the last byte of the compressed module right before the checksum byte itself.

The following is part of the decompression routine that does the calculation for this checksum in one of the BIOSes that I dissected:

Code:

2000:E32E   assume ds:_1000
2000:E32E   mov   bx, cmprssd_size_hi_word ; bx = 1
2000:E332   mov   cx, cmprssd_size_lo_word ; cx = 355Fh
2000:E336   add   cl, hdr_len             ; hdr_len = 25h
2000:E33A   adc   ch, 0                   ; Add with Carry
2000:E33D   adc   bx, 0                   ; Add with Carry
2000:E340   add   cx, 3                   ; cx = 3587h
2000:E343   adc   bx, 0                   ; Add with Carry
2000:E346   jz    hi_word_zero            ; Jump if Zero (ZF=1)
2000:E348   mov   bx, cx
2000:E34A   xor   cx, cx                  ; Logical Exclusive OR
2000:E34C hi_word_zero:                   ; CODE XREF: 2000:E346j
2000:E34C   xor   si, si                  ; Logical Exclusive OR
2000:E34E   xor   ah, ah                  ; Logical Exclusive OR
2000:E350 _next_byte:                     ; CODE XREF: 2000:E353j 2000:E365j
2000:E350   lodsb                         ; Load String
2000:E351   add   ah, al                  ; Add
2000:E353   loop  _next_byte              ; Loop while CX != 0
2000:E355   or    bx, bx                  ; Logical Inclusive OR
2000:E357   jz    cmp_chk_sum             ; Jump if Zero (ZF=1)
2000:E359   mov   cx, bx
2000:E35B   mov   bx, ds
2000:E35D   add   bx, 1000h               ; Add
2000:E361   mov   ds, bx
2000:E363   assume ds:_2000
2000:E363   xor   bx, bx                  ; Logical Exclusive OR
2000:E365   jmp   short _next_byte        ; Jump
2000:E367 ; ---------------------------------------------------------------------------
2000:E367 cmp_chk_sum:                    ; CODE XREF: 2000:E357j
2000:E367   cmp   ah, [si]                ;<<---------------- compare "whole" module 8-bit checksum here <<-------------
2000:E369   jnz   chk_sum_error           ; Jump if Not Zero (ZF=0)
2000:E36D   call  find_BBSS               ; Call Procedure
2000:E370   or    si, si                  ; Logical Inclusive OR
2000:E372   jz    chk_sum_error           ; jmp if BBSS not found (i.e. si == 0)
2000:E376   mov   ax, cs:[si+2]           ; ax = "base addr for BBSS_engine"

Note that I haven't verified it for other versions of Award BIOS. I suggest you check it out :wink:. But I'm quite sure it works that way too.
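
An added example, not part of any post in this thread: a Python check of the three checksums worked out above (Borg's 8-bit header sum and CRC-16, and maman's 8-bit whole-module sum), run on Borg's "a" logo dump. The function names and the trailing checksum byte 0x81 are constructed for the example, and applying the posted routine's byte count (compressed size + hdr_len + 3) to this module is an assumption.

```python
import struct

def crc16_arc(data: bytes) -> int:
    """CRC-16/ARC (reflected polynomial 0xA001, init 0), as used by LHA."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def sum8(data: bytes) -> int:
    """8-bit arithmetic checksum: sum of the bytes modulo 256."""
    return sum(data) & 0xFF

def check_module(buf: bytes, off: int = 0) -> dict:
    """Parse the level-1 LZH header at `off` and test the three checksums."""
    if len(buf) < off + 2:
        raise ValueError("truncated module")
    hdr_len, hdr_sum = buf[off], buf[off + 1]
    hdr = buf[off + 2 : off + 2 + hdr_len]
    if len(hdr) != hdr_len or hdr_len < 25 or 25 + hdr[19] > hdr_len:
        raise ValueError("bad or truncated header")
    method = hdr[0:5].decode("ascii", "replace")
    comp_size, orig_size, time_lo, time_hi = struct.unpack_from("<IIHH", hdr, 5)
    name_len = hdr[19]
    name = hdr[20 : 20 + name_len].decode("ascii", "replace")
    (crc,) = struct.unpack_from("<H", hdr, 20 + name_len)
    data_off = off + 2 + hdr_len
    # Byte count summed by the posted routine: compressed size + hdr_len + 3
    end = off + hdr_len + comp_size + 3
    if len(buf) <= end:
        raise ValueError("module runs past end of buffer")
    return {
        "method": method, "name": name, "crc": crc,
        "time_hi": time_hi,  # 4000h in the logo sample
        "header_ok": sum8(hdr) == hdr_sum,
        # The CRC covers the uncompressed file, so without a decompressor
        # it can only be checked for stored (-lh0-) data.
        "crc_ok": crc16_arc(buf[data_off : data_off + comp_size]) == crc
                  if method == "-lh0-" else None,
        "module_ok": sum8(buf[off:end]) == buf[end],
    }

# Borg's 30-byte "a" logo dump from the thread. The trailing 0x81 is constructed
# for this example (8-bit sum of those 30 bytes); the post does not show it.
SAMPLE = bytes.fromhex(
    "1A03 2D6C 6830 2D01 0000 0001 0000 0000 0000 4020"
    "0101 78C1 E820 0000 6100 81")
```

Changing only the data byte from 61 to 62 leaves the header sum valid but breaks both the CRC-16 and the whole-module sum, which is why a hex-editor modification has to recompute all three values.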
Borg Number One
Master Flasher
Posts: 169
Joined: Sun May 02, 2004 7:47 pm

Hi, maman.

Thanks for the info.
beiyuly
New visitors - please read the rules.
Posts: 2
Joined: Mon Sep 25, 2006 8:45 am

Thanks very much for all of your message!
Ace
New visitors - please read the rules.
Posts: 2
Joined: Tue Mar 16, 2010 7:56 pm

Hi, sorry to be off topic but I registered here after reading this discussion and concluding you guys really know about BIOSes and wondered if you could help me with an issue on an Asus motherboard. See, I and a lot of others have M2N-Sli Deluxe motherboards. Now this was an AM2 board which has actually had AM2+ chip support added to it through BIOS updates. At the peak BIOS 1801 you can run AM3 CPUs in it but the multiplier gets jammed on x4 and you have to override with nvidia system tools in Windows. Also when you use programs like cpu-z or look in the BIOS it says AMD unknown processor. I had a look at some of the programs in Borg Number One's multi BIOS tools and found some information contained in the ROM dump but nothing that showed the text "AMD Unknown Processor" or indeed anything that would allow me to change the default multiplier, and a lot was really garbled and unreadable. See, if you set the BIOS multiplier at the right value it is reflected in the BIOS screen and it appears to work but in reality it's only running at 4x. Why does it default to 4x? I've disabled cool n quiet and C1E but it still needs to be forced in nvidia tools in Windows. Anyhoo, thanks for reading and look forward to hearing if you know any tricks. I'm not looking for a full re-write of the BIOS, I just want a few multiplier tweaks and cosmetic changes to the unknown processor text. Have a read of the forum of others dealing with the same mobo. http://corleone.guru3d.com/showthread.php?t=286970

thanks so much