Option ROM loaded but no boot device

BIOS update, EIDE card, or overlay software? (FAQ Hard disk recognition)
Post Reply
gabiz_ro
BIOS Newbie
Posts: 18
Joined: Thu Dec 04, 2008 3:28 pm

Fri Jul 30, 2010 2:28 am

As far as I read expresscard port is just one PCI express slot with removable capabilities.
So I take one 2x sata expresscard based on SIL3132, offcourse was just a simple card,just SIL3132 controller.
Search in my junkyard for a flash and found one of 256k solder it to PCB and program with SIL BIOS
Here I did a little mistake,SIL BIOS was 128K and my flash chip was 256K so that bios was not loaded by SIL3132 because signature at the end was not found.
After re-reading datasheet I see that and corrected.Now BIOS is loading that Option ROM but just ignore as boot device.

Option ROM is loaded by BIOS automatically,is loaded before trying to boot any devices and before entering main setup (in case I choose to enter setup).
I can enter into configuration menu of that option rom and configure drives etc.
But BIOS just does'nt enumerate this device as bootable.

Reading info from Pinczakko site and Plug and Play Bios specifications I'm asking if somehow I can do what BIOS is not doing right.

Code: Select all

Boot Connection Vector (Real/Protected mode) - This location contains an offset from the start of the option ROM header to a routine that will cause the Option ROM to hook one or more of the primary input, primary display, or Initial Program Load (IPL) device vectors (INT 9h, INT 10h, or INT 13h), depending upon the parameters passed during the call.
When the system BIOS has determined that the device controlled by this Option ROM will be one of the boot devices (the Primary Input, Primary Display, or IPL device), the System ROM will execute a FAR CALL to the location pointed to by the Boot Connection Vector.
This is Expansion Header for Plug and Play (but there are three)

Code: Select all

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   24 50 6E 50 01 02 00 00  00 7D 95 10 32 31 00 00   $PnP.....}•.21..
00000010   00 00 01 00 00 44 01 00  00 00 00 00 00 00 00 00   .....D..........
00000020   24 50 6E 50 01 02 00 00  00 7D 95 10 32 31 00 00   $PnP.....}•.21..
00000030   00 00 01 00 00 44 01 00  00 00 00 00 00 00 00 00   .....D..........
00000040   24 50 6E 50 01 02 00 00  00 7D 95 10 32 31 00 00   $PnP.....}•.21..
00000050   00 00 01 00 00 44 01 00  00 00 00 00 00 00 00 00   .....D..........
00000060   24 50 6E 50 01 02 00 00  00 7D 95 10 32 31 00 00   $PnP.....}•.21..
00000070   00 00 01 00 00 44 01 00  00 00 00 00 00 00 00 00   .....D..........
Device is a storage SCSI,is a IPL device and ROM can be shadowed in RAM,there is no Bootstrap Entry Vector (that's ok) there is Boot Connection Vector.

Is there any possibility to boot from that device?
Ideal will be to do this using another Option rom which will replace network PXE ROM so choosing network boot that will force loading boot from that card.

Can this be done?
What is need to pass boot sequence to that device and start booting?

Maybe Pinczakko if read this could give some advice.
P.S. I forgot to mention that BIOS in case is Phoenix but is Dell one ,it can be extracted and decompressed modules but is not like others standard Phoenix.
gabiz_ro
BIOS Newbie
Posts: 18
Joined: Thu Dec 04, 2008 3:28 pm

Fri Jul 30, 2010 11:05 am

I found this on lower RAM area in Option ROM shadowed in RAM

Code: Select all

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   24 50 6E 50 01 02 00 00  00 94 95 10 32 31 06 00   $PnP.....”•.21..
00000010   EA 15 01 01 80 E4 91 33  00 00 00 00 00 00 00 00   ê...€ä‘3........
00000020   24 50 6E 50 01 02 00 00  00 5C 95 10 32 31 00 00   $PnP.....\•.21..
00000030   00 00 01 01 80 E4 01 00  00 00 00 00 00 00 00 00   ....ۊ..........
00000040   24 50 6E 50 01 02 00 00  00 5C 95 10 32 31 00 00   $PnP.....\•.21..
00000050   00 00 01 01 80 E4 01 00  00 00 00 00 00 00 00 00   ....ۊ..........
00000060   24 50 6E 50 01 02 00 00  00 5C 95 10 32 31 00 00   $PnP.....\•.21..
00000070   00 00 01 01 80 E4 01 00  00 00 00 00 00 00 00 00   ....ۊ..........
First entry is different from initial one so I think that's the correct PnP header.

And this in F0000h-FFFFFh region

Code: Select all

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

000FE2D0   24 50 6E 50 10 21 01 00  BC B4 04 00 00 F1 E2 00   $PnP.!..¼´...ñâ.
000FE2E0   F0 F4 E2 00 00 0F 00 00  00 00 00 40 00 40 00 00   ðôâ........@.@..
000FE2F0   00 E9 EE D4 E9 F6 D4 FA  E4 64 A8 04 74 14 B0 8F   .éîÔéöÔúäd¨.t.°
000FE300   E8 B7 E2 3C 04 72 0B 3C  0B 74 07 3C 0C 77 03 E9   è·â<.r.<.t.<.w.é
000FE310   0E 83 BA 30 10 ED 83 E0  FE EF B0 02 E6 92 E6 84   .ƒº0.íƒàþï°.æ’æ„
000FE320   B0 03 E6 92 F4 EB                                  °.æ’ôë
Area FED20h-FED2F0h is PnP installation check ?

Making a FAR CALL to location pointed by BCV will initialize boot sequence?
Is not clear for me what I need to put in ES:DI
maman
Master Flasher
Posts: 173
Joined: Sun Mar 31, 2002 2:08 pm
Location: Taka Bonerate National Park, Indonesia
Contact:

Sun Aug 01, 2010 3:33 pm

Hello,

IIRC I've never tried the BCV solution for booting. Therefore, I don't know how exactly it should behave.

Anyway, have you read the PnP BIOS Boot Specification (search with Google, it should be available freely). I think the spec explains about the ES:DI parameters you're looking for right now. Maybe it's some sort of starting address in the expansion ROM area in RAM (C_0000h-D_0000h), perhaps an "offset" into C000h segment. I'm not sure, look at the PnP BIOS Boot spec.
Since you have found the BIOS section which loads the Option ROM (I assume you have disassembled it), you can patch it for your purposes if you like. Anyway, do you know exactly the address where the Expansion ROM chip of the Silicon Image mapped in the system address space? (It should be mapped via the XROMBAR).
gabiz_ro
BIOS Newbie
Posts: 18
Joined: Thu Dec 04, 2008 3:28 pm

Sun Aug 01, 2010 4:47 pm

Thanks for answering.

I don't disassembled it because is beyond my knowledge.
I have read PnP BIOS Boot Specifications but is not clear when Boot Connection Vector is used.Making a FAR CALL to addres pointed by BCV is done at Option ROM initialization or at moment when BIOS try to boot from device?

XROMBAR is Expansion ROM at ece00000 [disabled] at least this I get using lspci.

Code: Select all

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F


000CE000   55 AA 24 E9 42 7A 53 49  4C 49 43 4F 4E 20 49 4D   Uª$éBzSILICON IM
000CE010   41 47 45 00 00 00 1C 00  40 00 6C 12 53 49 4D 47   AGE.....@.l.SIMG

000CF260   00 00 00 00 00 00 00 00  00 00 00 00 24 50 6E 50   ............$PnP
000CF270   01 02 00 00 00 94 95 10  32 31 06 00 EA 15 01 01   .....”•.21..ê...
000CF280   80 E4 91 33 00 00 00 00  00 00 00 00 24 50 6E 50   €ä‘3........$PnP
000CF290   01 02 00 00 00 5C 95 10  32 31 00 00 00 00 01 01   .....\•.21......
000CF2A0   80 E4 01 00 00 00 00 00  00 00 00 00 24 50 6E 50   ۊ..........$PnP
000CF2B0   01 02 00 00 00 5C 95 10  32 31 00 00 00 00 01 01   .....\•.21......
000CF2C0   80 E4 01 00 00 00 00 00  00 00 00 00 24 50 6E 50   ۊ..........$PnP
000CF2D0   01 02 00 00 00 5C 95 10  32 31 00 00 00 00 01 01   .....\•.21......
000CF2E0   80 E4 01 00 00 00 00 00  00 00 00 00 1A 00 01 00   ۊ..............

000D1380   82 33 B8 03 00 EB 0D B8  02 00 EB 08 B8 01 00 EB   ‚3¸..ë.¸..ë.¸..ë
000D1390   03 B8 00 00 1E 9C 53 8B  D8 B8 00 00 8E D8 67 80   .¸...œS‹Ø¸..ŽØg€
000D13A0   3D 75 04 00 00 00 75 05  90 90 E8 AA F9 2E 80 3E   =u....u.èªù.€>

000FE2D0   24 50 6E 50 10 21 01 00  BC B4 04 00 00 F1 E2 00   $PnP.!..¼´...ñâ.
000FE2E0   F0 F4 E2 00 00 0F 00 00  00 00 00 40 00 40 00 00   ðôâ........@.@..
000FE2DO is System BIOS PnP Installation Check Structure
000CF282 is BCV
000D1390 is location pointed by BCV (or I wrong calc and is 000D1391?)

So I need to put
04 in AX
FFFF in BX
FFFF in DX
Now for ES:DI that is segment addressing as I read and is unknown for me
Could be like F000:E2D0?
Then make a FAR CALL to 000D1390

That in case calling BCV is for booting purpose and not for OROM initialization.
gabiz_ro
BIOS Newbie
Posts: 18
Joined: Thu Dec 04, 2008 3:28 pm

Sun Aug 15, 2010 11:21 pm

I have a similar card into one Intel D945GCL
On both card is in same PCIe port,under 8086:27D6
Comparing RAM dumps from both I see OROM is the same after loading (after initialization).


On both cases,Dell and Intel I have this (but in other range address on Intel 2ED0h-300Fh )
And using same HDD

This one is from Dell
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

00003AD0 5A 04 FF 3F 37 C8 10 00 00 00 00 00 3F 00 00 00 Z.ÿ?7È......?...
00003AE0 00 00 00 00 20 20 20 20 20 20 20 20 57 4E 38 30 .... WN80
00003AF0 36 54 32 31 45 35 53 45 03 00 00 40 00 00 32 2E 6T21E5SE...@..2.
00003B00 31 30 20 20 20 20 46 55 4A 49 54 53 55 20 4D 48 10 FUJITSU MH
00003B10 56 32 31 30 30 42 48 20 20 20 20 20 20 20 20 20 V2100BH
00003B20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 10 80 .€
00003B30 00 00 00 2F 00 40 00 02 00 02 07 00 30 1A A5 0B .../.@......0.¥.
00003B40 00 00 00 00 00 00 10 01 30 22 A5 0B 00 00 07 00 ........0"¥.....
00003B50 03 00 78 00 78 00 F0 00 78 00 00 00 00 00 00 00 ..x.x.ð.x.......
00003B60 00 00 00 00 00 00 1F 00 02 07 00 00 4C 00 40 00 ............L.@.
00003B70 F8 00 21 00 6B 34 09 7F 63 60 69 34 09 BE 63 60 ø.!.k4.c`i4.¾c`
00003B80 3F 20 32 00 00 00 80 40 FE FF 00 00 FE FE 00 00 ? 2...€@þÿ..þþ..
00003B90 00 00 00 00 00 00 00 00 30 22 A5 0B 00 00 00 00 ........0"¥.....
00003BA0 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 .....@..........
00003BB0 00 00 00 00 00 00 00 00 00 00 00 01 00 00 01 00 ................
00003BC0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00003BD0 01 00 00 00 24 31 95 10 05 00 02 00 14 11 12 12 ....$1•.........
00003BE0 08 10 00 00 0A 00 00 FF 01 00 FF FF 00 00 00 00 .......ÿ..ÿÿ....
00003BF0 00 00 00 00 07 00 00 00 01 02 00 00 00 00 53 69 ..............Si
00003C00 49 20 43 6F 6E 63 61 74 65 6E 61 74 69 6F 41 73 I ConcatenatioAs
with a little difference on byte 3BF4h and 3C0Eh

Now using one soft eddinfo.exe on Intel board I can dump EDD
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

00000000 1A 00 01 00 FF 3F 00 00 10 00 00 00 3F 00 00 00 ....ÿ?......?...
00000010 30 1A A5 0B 00 00 00 00 00 02 FF FF FF FF DD BE 0.¥.......ÿÿÿÿݾ
00000020 2C 00 00 00 50 43 49 20 52 41 49 44 20 20 20 20 ,...PCI RAID
00000030 00 00 00 FF 00 00 00 00 00 00 00 00 00 00 00 00 ...ÿ............
00000040 00 00 00 00 00 00 00 00 00 9E 30 22 A5 0B 00 00 .........ž0"¥...
00000050 00 00 A0 02 47 BD 10 FE 3F 3F 53 00 00 00 00 7F .. .G½.þ??S....
00000060 00 0A 10 05 04 97 08 00 00 11 AE 01 C1 00 10 01 .....—....®.Á...
00000070 04 45 01 01 81 00 00 00 00 00 00 20 00 55 AA 9F .E........ .UªŸ
This dump I can found it inside initialized option rom in both cases on Dell and on Intel and is identic.

At a first look all seems to be the same.
Same data (except two bytes) in first part and same resulted option rom but in Dell case number of detected disk in BDA (BIOS DATA AREA offset 0475h) is not increased.

Any help is welcome.
Thanks.
gabiz_ro
BIOS Newbie
Posts: 18
Joined: Thu Dec 04, 2008 3:28 pm

Sat Aug 21, 2010 4:11 am

After more testing and comparing between two cases on Intel and Dell I see some differences somewhere after PCI data structure into initialized option ROM
In Intel case

Code: Select all

Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

00000040 50 43 49 52 95 10 32 31 00 00 18 00 00 00 04 01 PCIR•.21........
00000050 6C 00 01 00 00 80 00 00 00 01 01 02 00 00 80 00 l....€........€.
And Dell case

Code: Select all

Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

00000040 50 43 49 52 95 10 32 31 00 00 18 00 00 00 04 01 PCIR•.21........
00000050 6C 00 01 00 00 80 00 00 00 00 01 02 00 00 00 00 l....€..........
at offset 5E is sure HDD number because on Intel case with just one HDD there is 80 and value increase to 81 82 if I add one or two HDD to onboard SATA.

For the moment can't figure what offset 59 means.

Now who decide what is drive number?
Option ROM see numbers of HDD and decide what drive is?
Or BIOS depending on chosen boot order tell to option ROM number of their HDD?

Maybe Dell BIOS load option ROM but doesn't pass required data so option ROM doesn't get a number for their drive and as result neither number of HDD in bios data area is not increased by option rom?

Is there any way to check if bios make a right initialization of Option ROM?
gabiz_ro
BIOS Newbie
Posts: 18
Joined: Thu Dec 04, 2008 3:28 pm

Sun Aug 22, 2010 6:37 pm

According to what I read in PnPBIOS datasheet BIOS must make a FAR CALL to a location pointed by PnP header.
BIOS will pass the following parameters when calling the Boot Connection Vector.
AX 04h (which vector to hook,in may case INT13)
ES:DI Pointer to System BIOS PnP Instalation check structure
BX FFFFh (CSN for card,If not ISA PnP device parameter will b FFFFh)
DX FFFFh (Read data port,If not ISA PnP device parameter will be FFFFh)

Since in my case disks number in BIOS DATA AREA is not increased by option ROM and in disassembly of BCV seems that be done that way I think BIOS is not doing his job corectly.

Let's say I build another option ROM and insert into BIOS and choose network as first boot device.Can this make what BIOS doesn't?
Is possible to work or such thing is impossible?

So can somebody help me with this?

Code: Select all

mov ax, 04h
mov bx, FFFFh
mov dx, FFFFh
ES:DI pointed to 000FE2D0h
CALL FAR 0D000h:1391h		;note this could be wrong due to wrong calc by me or wrong segment:offset
Here is some address suplementar info.

Code: Select all

Begining of ROM

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

000CE000   55 AA 24 E9 42 7A 53 49  4C 49 43 4F 4E 20 49 4D   Uª$éBzSILICON IM

PnP header

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

000CF260   00 00 00 00 00 00 00 00  00 00 00 00 24 50 6E 50   ............$PnP
000CF270   01 02 00 00 00 B5 95 10  32 31 06 00 EA 15 01 00   .....µ•.21..ê...
000CF280   00 44 91 33 00 00 00 00  00 00 00 00 24 50 6E 50   .D‘3........$PnP       ;000CF282 is BCV 3391h

PnP Installation check

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

000FE2D0   24 50 6E 50 10 21 01 00  BC B4 04 00 00 F1 E2 00   $PnP.!..¼´...ñâ.

Boot connection vector disassembly by IDA

seg000:D1391 ; ---------------------------------------------------------------
seg000:D1391                 mov     ax, 0
seg000:D1394                 push    ds
seg000:D1395                 pushf
seg000:D1396                 push    bx
seg000:D1397                 mov     bx, ax
seg000:D1399                 mov     ax, 0
seg000:D139C                 mov     ds, ax
seg000:D139E                 cmp     large ds:byte_475, 0
seg000:D13A6                 jnz     short near ptr unk_13AD
seg000:D13A8                 nop
seg000:D13A9                 nop
seg000:D13AA                 call    loc_D57
seg000:D13AD                 cmp     cs:byte_59, 0
seg000:D13B3                 jnz     short near ptr unk_13DB
seg000:D13B5                 nop
seg000:D13B6                 nop
seg000:D13B7                 shl     bl, 1
seg000:D13B9                 call    loc_1594
seg000:D13BC                 call    loc_1556
seg000:D13BF                 mov     al, 80h ; 'Ç'
seg000:D13C1                 add     al, large ds:byte_475
seg000:D13C8                 mov     cs:byte_5E, al
seg000:D13CC                 mov     di, cs:[bx+18Ch]
seg000:D13D1                 mov     cs:[di+74h], al
seg000:D13D5                 call    loc_D87
seg000:D13D8                 jmp     short loc_13F9
seg000:D13D8 ; ---------------------------------------------------------------
Maybe I do calc wrong?

Boot Connection Vector contain an offset from the start of the option ROM header to a routine that will hook INT13
but if need to be called with one parameter in AX why first instruction in is
mov ax, 0 ?
I read some about segment addressing but even if in theory I understand how is done but I can't put it in practice.And at ES:DI pointer to PnP instalation check I'm completly lost.
gabiz_ro
BIOS Newbie
Posts: 18
Joined: Thu Dec 04, 2008 3:28 pm

Wed Sep 15, 2010 12:06 am

Almost done.
Still BIOS can't boot native from disks.
Main problem was:
-BIOS doesn't make a call to BCV (after initialization OROM resize itself but also clear any configuration,that is make so when calling BCV, OROM get his disk BIOS assigned number.
-trying to make later a far call to this BCV shadow RAM area was RO so OROM can't configure well.

After writing few chipset registers of DRAM controller,first,to enabe RW on shadow RAM and then next making a call to BCV and booting from USB I can see and get access to HDD,now using GRUB to remap disks and then boot from one attached to sata card is working fine.
Post Reply