Hello.
Recently, I found/saw a really impressive BIOS extension which is able to
+ play DVDs
+ offer browser capabilities
without booting an operating system from additional drive(s).
The name of the project is: "etBIOS"
http://www.elegent.com/etBIOS/index.htm
Here are some further interesting images:
http://images.google.de/images?hl=en&q=etbios
Well, I also tried to extract the etBIOS ([NoCompress ROM] 040603.DAT) from some Acorp BIOS download links.
http://www.acorp.com.tw/eng/download/do ... 6&lineid=1
http://www.acorp.com.tw/eng/driver/INTE ... GQET14.zip
With the help of CBROM extracting the etBIOS module was no problem.
But the etBIOS is toooo huge to add it to my Asus A7N8X Deluxe BIOS.
Even removing built-in AWDFLASH utility, fullscreen/EPA logo etc. did not help to get more free space in the A7N8X Deluxe BIOS for the etBIOS.
So, I am currently unable to try the etBIOS,
because I do not have a mainboard with soooo much additional free space (256KB) inside the BIOS file.
So there are some questions:
1.)
Does anyone have a mainboard with enough space inside the BIOS chip/file for adding etBIOS?
2.)
etBIOS seems to be compressed anyhow.
Does anyone know, how to get it uncompressed?
etBIOS reverse engineering
-
- Master Flasher
- Posts: 169
- Joined: Sun May 02, 2004 7:47 pm
- Contact:
this etbios module in the main bios only has the function of playing dvd, maybe it can be called etdvd.
when you check 040603.DAT, you can find "egcs-1.1.2 release".
It may be modded by egcs linux.
furthermore etbrowser will be found in some bios.
EGCS is a compiler, it's now obsolete.
http://en.wikipedia.org/wiki/EGCS
Patched and tested BIOSes are at http://wims.rainbow-software.org
UniFlash - Flash anything anywhere
-
- Master Flasher
- Posts: 169
- Joined: Sun May 02, 2004 7:47 pm
- Contact:
Hello.
1.)
Yes, it is true that EGCS is a compiler.
It seems to be that etBIOS / etDVD / etBrowser will generally be compiled with EGCS / GCC.
2.)
Acorp, Soyo and VIA seem to have a commercial partnership with elegent and use their etBIOS/etDVD.
Here is another BIOS file with etBIOS/etDVD module.
7KM400QP
http://www.acorp.com.tw/eng/download/do ... nclassid=2
-->
http://www.acorp.com.tw/eng/driver/VIA/ ... 0QPv17.zip
-->
unpack: Access+17.BIN
-->
extract: [NoCompress ROM] module.
Here are the BIOS logos of both mentioned mainboards:
7KM400QP
-->
The etBIOS has been started and uses the BIOS logo as background image
4865GQET
3.)
Does anybody know, which kind of compression will be used for etBIOS/etDVD ?
Can someone unpack the etBIOS modules?
4.)
Referring to this:
http://www.extrememhz.com/syp4val-p4.shtml
-->
Can someone figure out, how to "start/call" the etBIOS, after inserting the etBIOS module to an Award/AMI/Phoenix...-BIOS?
-
- Master Flasher
- Posts: 173
- Joined: Sun Mar 31, 2002 2:08 pm
- Location: Taka Bonerate National Park, Indonesia
- Contact:
Borg Number One wrote:
Hello.
1.)
Yes, it is true that EGCS is a compiler.
It seems to be that etBIOS / etDVD / etBrowser will generally be compiled with EGCS / GCC.
yeah, I think so. Quite a lot of embedded appliances somehow make use of it.
Borg Number One wrote:
3.)
Does anybody know, which kind of compression will be used for etBIOS/etDVD ?
Can someone unpack the etBIOS modules?
referring to your previous statement that it can be opened by using CBROM, it is probably LZH. Or, if not, it will still be a variant of Lempel-Ziv.
Borg Number One wrote:
Can someone figure out, how to "start/call" the etBIOS, after inserting the etBIOS module to an Award/AMI/Phoenix...-BIOS?
I think the module "hooks" into interrupt 19h, the bootstrap interrupt. Anyway, a brute force attack to this with award bios will be to patch the "POST jump table". You can read the technique at Award Bios "POST Jump Table" Hacking
-
- Master Flasher
- Posts: 169
- Joined: Sun May 02, 2004 7:47 pm
- Contact:
Hi.
maman wrote:
referring to your previous statement that it can be opened by using CBROM, it is probably LZH. Or, if not, it will still be a variant of Lempel-Ziv.
I just wrote that the BIOS file can be opened with CBROM,
but I did not write that the etBIOS/etDVD module can be opened with CBROM.
The etBIOS/etDVD modules are compressed anyhow, that is a fact.
But they do not have a further compression inside the Phoenix AwardBIOS file.
So, I would like to know which compression was used for the etBIOS / etDVD module itself.
I find in a normal 512k award bios the original module is located at 0x10000H or 0x20000H, so when we use cbrom to open it, we lose 64k or 128k of space.
when I use cbrom to open the GQET.BIN, there is 468.00K of compress code space and the original module is located at 0x00000H. This is the question: we must mod the normal award bios to get more compress code space.
1) this is the GQET.BIN bios compress code structure:
Code:
CBROM V2.19 (C)Award Software 2001 All Rights Reserved.
******** gqet.bin BIOS component ********
No. Item-Name         Original-Size    Compressed-Size   Original-File-Name
================================================================================
  0. System BIOS      20000h(128.00K)  13596h(77.40K)    GQET.BIN
  1. XGROUP CODE      0ACB0h(43.17K)   07560h(29.34K)    awardext.rom
  2. CPU micro code   04000h(16.00K)   03F9Fh(15.91K)    CPUCODE.BIN
  3. ACPI table       03A34h(14.55K)   0164Ah(5.57K)     ACPITBL.BIN
  4. EPA LOGO         0168Ch(5.64K)    002AAh(0.67K)     AwardBmp.bmp
  5. YGROUP ROM       061E0h(24.47K)   04127h(16.29K)    awardeyt.rom
  6. GROUP ROM[ 0]    03F60h(15.84K)   01DDDh(7.47K)     _EN_CODE.BIN
  7. VGA ROM[1]       0C000h(48.00K)   06C88h(27.13K)    SDG_2919.DAT
  8. NoCompress ROM   40000h(256.00K)  40032h(256.05K)   040603.dat
  9. LOGO BitMap      4B30Ch(300.76K)  02CC6h(11.19K)    865.bmp
Total compress code space = 75000h(468.00K)
Total compressed code size = 6FC0Dh(447.01K)
Remain compress code space = 053F3h(20.99K)
2) this is a normal award bios compress code structure:
Code:
CBROM V2.19 (C)Award Software 2001 All Rights Reserved.
******** s2epv13.bin BIOS component ********
No. Item-Name         Original-Size    Compressed-Size   Original-File-Name
================================================================================
  0. System BIOS      20000h(128.00K)  1492Dh(82.29K)    S2EPV13B.BIN
  1. XGROUP CODE      0F650h(61.58K)   08B20h(34.78K)    awardext.rom
  2. CPU micro code   02800h(10.00K)   01B9Ch(6.90K)     CPUCODE.BIN
  3. ACPI table       03689h(13.63K)   01544h(5.32K)     ACPITBL.BIN
  4. EPA LOGO         0168Ch(5.64K)    002AAh(0.67K)     AwardBmp.bmp
  5. YGROUP ROM       04BF0h(18.98K)   02D3Dh(11.31K)    awardeyt.rom
Total compress code space = 4D000h(308.00K)
Total compressed code size = 23514h(141.27K)
Remain compress code space = 29AECh(166.73K)
it's also a waste of 128k of space.
I did some tests with an aopen 810mb mx3w.
When I insert the original.bin of mx3w into the access+.bin, release some other modules, and rename the bios mx.bin,
cbrom and modbin display mx.bin normally, but when I flash it to the chip and reboot, it displays nothing.
-
- Master Flasher
- Posts: 169
- Joined: Sun May 02, 2004 7:47 pm
- Contact:
Hi.
It is necessary to figure out, how the etBIOS module will be called/executed by the System BIOS.
-
- Master Flasher
- Posts: 173
- Joined: Sun Mar 31, 2002 2:08 pm
- Location: Taka Bonerate National Park, Indonesia
- Contact:
Borg Number One wrote:
Hi.
It is necessary to figure out, how the etBIOS module will be called/executed by the System BIOS.
he..he..he.. sorry that last time I didn't check the binary, just goofin' around with comments.
The "compression" used by the etBIOS module is indeed LHA, but it's LHA level 0, meaning no compression at all (look at the -lh0- string in the beginning of the binary); one can extract it by using LHA to remove the headers and analyze it using a disassembler. Anyway, it's executed just like other extension modules in Award BIOS, minus the decompression process of course, which is replaced by a binary copy routine (present in the Award BIOS decompression routine too).
have a nice day
-
- Master Flasher
- Posts: 169
- Joined: Sun May 02, 2004 7:47 pm
- Contact:
Hi.
I know, that the etBIOS module is a "0/zero"-compressed LHA module, but a huge part of the etBIOS itself consists of compressed code.
Code:
BIOS file
+ ...
+ module (lh5)
+ second module (lh5)
+ another module (lh5)
+ etBIOS module (lh0)
|
+---+ binary code (unpacker?)
+ compressed code
+ next module (lh5)
...
I just would like to know, which kind of (executable compression/compressor) was used inside the etBIOS.
-
- Master Flasher
- Posts: 173
- Joined: Sun Mar 31, 2002 2:08 pm
- Location: Taka Bonerate National Park, Indonesia
- Contact:
hi Borg. Just got a little time this morning and I've got the entry point. Sorry, only very raw disassemble. Just in case you really keen to know. I don't have much time explaining it.
mind you that the et_bios binary is executed in 32-bit protected mode. I guess it is because the code is compiled with EGCS (which was only able to emit 32-bit plain binary back then). Anyway, I haven't dug down deeper. But it seems that there is some kind of decompressor indeed.
Disassembly of ACORP 4865GQET with etBIOS (4865GQET14.BIN)
Code:
E_seg:9A3E call init_descriptor_cache
E_seg:9A41 call search_ET_BIOS_sign_pos
E_seg:9A44 jb sign_not_found
E_seg:9A48 call relocate_ET_BIOS ; relocate ET_BIOS to right-above 1MB
E_seg:9A4B mov esi, 100000h ; hmmm... 1MB area
E_seg:9A51 mov eax, 54453EEBh ; is ET_BIOS signature is ok?
E_seg:9A57 cmp [esi], eax
E_seg:9A5B jnz sign_not_found
E_seg:9A5F jmp short ET_BIOS_sign_found
.................
E_seg:9A67 ET_BIOS_sign_found: ; CODE XREF: init_ET_BIOS+60j
E_seg:9A67 test byte ptr [esi+1Ch], 10h
E_seg:9A6C jnz short no_ctlr_reset
E_seg:9A6E call reset_IDE_n_FDD_ctlr
E_seg:9A71
E_seg:9A71 no_ctlr_reset: ; CODE XREF: init_ET_BIOS+6Dj
E_seg:9A71 mov edi, 100000h
E_seg:9A77 mov dword ptr es:[edi+24h], 4000000h
E_seg:9A81 mov bx, [esi+10h]
E_seg:9A85 cmp bx, 0
E_seg:9A88 jz short no_vesa_init
E_seg:9A8A mov ax, 4F02h
E_seg:9A8D int 10h ; - VIDEO - VESA SuperVGA BIOS - SET SuperVGA VIDEO MODE
E_seg:9A8D ; BX = mode, bit 15 set means don't clear video memory
E_seg:9A8D ; BX = bit 15 set means don't clear video memory
E_seg:9A8D ; Return: AL = 4Fh function supported
E_seg:9A8D ; AH = 00h successful, 01h failed
E_seg:9A8F
E_seg:9A8F no_vesa_init: ; CODE XREF: init_ET_BIOS+89j
E_seg:9A8F jmp short init__ET_BIOS_binary
................
E_seg:9A99 init__ET_BIOS_binary: ; CODE XREF: init_ET_BIOS:no_vesa_initj
E_seg:9A99 mov es:[edi+12h], al
E_seg:9A9E mov si, 19CEh
E_seg:9AA1 call setup_menu?
E_seg:9AA4 mov si, 99F7h
E_seg:9AA7 add si, ax
E_seg:9AA9 mov al, cs:[si]
E_seg:9AAC mov es:[edi+21h], al
E_seg:9AB1 call init_GDT
E_seg:9AB4 xor ebx, ebx
E_seg:9AB7 xor ecx, ecx
E_seg:9ABA mov bx, 99F1h
E_seg:9ABD mov cx, cs
E_seg:9ABF shl ecx, 4
E_seg:9AC3 add ecx, ebx
E_seg:9AC6 push ecx
E_seg:9AC8 xor eax, eax
E_seg:9ACB mov ax, 8
E_seg:9ACE push eax ; push code selector number (32-bit P-Mode selector)
E_seg:9AD0 mov ax, 9B1Bh ; addr following after retf (below)
E_seg:9AD3 xor ecx, ecx
E_seg:9AD6 mov cx, cs
E_seg:9AD8 shl ecx, 4 ; ecx = phy_addr(cs)
E_seg:9ADC add eax, ecx
E_seg:9ADF push eax
E_seg:9AE1 xor eax, eax
E_seg:9AE4 xor ecx, ecx
E_seg:9AE7 mov cx, ss
E_seg:9AE9 shl ecx, 4
E_seg:9AED mov ax, sp
E_seg:9AEF add ecx, eax
E_seg:9AF2 mov edi, 100000h ; edi = phy_addr_copy_of_et_BIOS
E_seg:9AF8 cli
E_seg:9AF9 lgdt qword ptr cs:word_E000_99F1
E_seg:9AFF mov eax, cr0
E_seg:9B02 or eax, 1 ; enter p-mode
E_seg:9B06 mov cr0, eax
E_seg:9B09 mov ax, 10h
E_seg:9B0C mov ds, ax
E_seg:9B0E assume ds:nothing
E_seg:9B0E mov es, ax
E_seg:9B10 assume es:nothing
E_seg:9B10 mov fs, ax
E_seg:9B12 assume fs:nothing
E_seg:9B12 mov gs, ax
E_seg:9B14 assume gs:nothing
E_seg:9B14 mov ss, ax
E_seg:9B16 assume ss:nothing
E_seg:9B16 mov esp, ecx
E_seg:9B19 db 66h
E_seg:9B19 retf ; jump below in P-Mode
E_seg:9B19 init_ET_BIOS endp ; sp = -3Ch
E_seg:9B19
E_seg:9B19 E_seg ends
E_seg:9B19
_exec_et_bios:0000000B ; ---------------------------------------------------------------------------
_exec_et_bios:0000000B ; ===========================================================================
_exec_et_bios:0000000B
_exec_et_bios:0000000B ; Segment type: Regular
_exec_et_bios:0000000B _exec_et_bios segment byte public '' use32
_exec_et_bios:0000000B assume cs:_exec_et_bios
_exec_et_bios:0000000B ;org 0Bh
_exec_et_bios:0000000B assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
_exec_et_bios:0000000B call edi ; call 10000:0000h (ET_BIOS:00000000h)
_exec_et_bios:0000000D pop ebx
_exec_et_bios:0000000E
_exec_et_bios:0000000E loc_E9B1_E:
_exec_et_bios:0000000E lgdt qword ptr [ebx]
_exec_et_bios:00000011 db 67h
_exec_et_bios:00000011 jmp small far ptr 20h:9B28h
....................................
E_seg:9C7A relocate_ET_BIOS proc near ; CODE XREF: init_ET_BIOS+49p
E_seg:9C7A mov edi, 100000h ; edi = target_addr (1MB)
E_seg:9C80 mov ecx, [esi+4]
E_seg:9C85 add ecx, 3FFh
E_seg:9C8C and ecx, 0FFFFFC00h ; size mod 1KB
E_seg:9C93 shr ecx, 2
E_seg:9C97 cld
E_seg:9C98 rep movs dword ptr es:[edi], dword ptr [esi]
E_seg:9C9C clc
E_seg:9C9D retn
E_seg:9C9D relocate_ET_BIOS endp
E_seg:9C9E search_ET_BIOS_sign_pos proc near ; CODE XREF: init_ET_BIOS+42p
E_seg:9C9E mov esi, 0FFF80000h
E_seg:9CA4 mov eax, 54453EEBh ; eax = et_bios first 4-bytes (including signature)
E_seg:9CAA
E_seg:9CAA next_16_bytes: ; CODE XREF: search_ET_BIOS_sign_pos+1Dj
E_seg:9CAA cmp [esi], eax
E_seg:9CAE jz short exit
E_seg:9CB0 add esi, 16
E_seg:9CB4 cmp esi, 0FFFF0000h
E_seg:9CBB jb short next_16_bytes
E_seg:9CBD stc
E_seg:9CBE retn
E_seg:9CBF ; ---------------------------------------------------------------------------
E_seg:9CBF
E_seg:9CBF exit: ; CODE XREF: search_ET_BIOS_sign_pos+10j
E_seg:9CBF clc
E_seg:9CC0 retn
E_seg:9CC0 search_ET_BIOS_sign_pos endp
..................
=====> here comes et_bios binary <============
ET_BIOS:00000000 loc_10000_0:
ET_BIOS:00000000 jmp short et_bios_start
ET_BIOS:00000000 ; ---------------------------------------------------------------------------
ET_BIOS:00000002 aEt db 'ET' ; ET BIOS signature
ET_BIOS:00000004 dw 0FC73h ; encoded etBIOS size
...........................
ET_BIOS:00000040 et_bios_start: ; CODE XREF: ET_BIOS:loc_10000_0j
ET_BIOS:00000040 cli
ET_BIOS:00000041 mov ds:1F3BA0h, esp
ET_BIOS:00000047 mov esp, 1F8000h
ET_BIOS:0000004C cld
ET_BIOS:0000004D lgdt qword ptr ds:1000A8h
ET_BIOS:00000054 pushf
ET_BIOS:00000055 pop eax
ET_BIOS:00000056 and ah, 0BFh
ET_BIOS:00000059 push eax
ET_BIOS:0000005A popf
ET_BIOS:0000005B call sub_10000_10A8
ET_BIOS:00000060 sub eax, eax
ET_BIOS:00000062 mov edi, 1A8010h
ET_BIOS:00000067 mov ecx, 1F3B94h
ET_BIOS:0000006C sub ecx, edi
ET_BIOS:0000006E shr ecx, 1
ET_BIOS:00000071 shr ecx, 1
ET_BIOS:00000074 rep stosd
ET_BIOS:00000076 call near ptr unk_10000_23D0 ; still need some research
ET_BIOS:0000007B jmp short return_to_system_bios
............................
ET_BIOS:00000081 return_to_system_bios: ; CODE XREF: ET_BIOS:0000007Bj
ET_BIOS:00000081 cli
ET_BIOS:00000082 mov ds:100033h, al
ET_BIOS:00000087 mov esp, ds:1F3BA0h
ET_BIOS:0000008D retn
some hints:
--------------
E_seg --> lower 64KB of original.tmp. The routine above is called from one of the POST jump table entries (not directly, some calls exist in between).
Descriptor table that's used to switch to P-Mode prior to et_bios execution is initialized dynamically.
greetz,
a.k.a Pinczakko
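The -lh0- wrapping maman describes earlier and the signature search and relocation shown in the disassembly above, as an added Python example that is not part of the thread or of elegent's code: it strips a standard LHA level-0 header without decompressing, scans the stored payload 16 bytes at a time for the EB 3E 'E' 'T' header (54453EEBh little-endian) and applies the same 1KB rounding as relocate_ET_BIOS. The sample module is constructed, not a real 040603.DAT, and the header CRC16 is not verified.

```python
import struct

# etBIOS header bytes: 54453EEBh read little-endian = EB 3E ('jmp short +3Eh') then 'E','T'
ET_SIG = b"\xEB\x3E" + b"ET"


def parse_lh0_header(blob: bytes, off: int = 0):
    """Parse one LHA level-0 header at `off`; return (name, payload) for a stored
    (-lh0-) member.  Level-0 layout: size, checksum, '-lh0-', packed size, original
    size, timestamp, attribute, level, name length, name, CRC16 (CRC not checked)."""
    hsize = blob[off]                       # header bytes after the size/checksum pair
    if hsize == 0:
        raise ValueError("end-of-archive marker")
    hdr = blob[off + 2 : off + 2 + hsize]
    if len(hdr) != hsize or sum(hdr) & 0xFF != blob[off + 1]:
        raise ValueError("truncated header or bad checksum")
    if hdr[0:5] != b"-lh0-":
        raise ValueError("not a stored (-lh0-) member: %r" % hdr[0:5])
    packed, original = struct.unpack_from("<II", hdr, 5)
    if packed != original or hdr[18] != 0:
        raise ValueError("sizes differ or header level is not 0")
    name_len = hdr[19]
    name = hdr[20 : 20 + name_len].decode("ascii", "replace")
    data = off + 2 + hsize
    if data + packed > len(blob):
        raise ValueError("payload runs past end of module")
    return name, blob[data : data + packed]


def find_et_bios(payload: bytes):
    """Scan 16 bytes at a time, as search_ET_BIOS_sign_pos does, for the etBIOS
    signature; return (offset, encoded size, bytes relocate_ET_BIOS would copy)."""
    for pos in range(0, len(payload) - 8, 16):
        if payload[pos : pos + 4] == ET_SIG:
            size = struct.unpack_from("<I", payload, pos + 4)[0]
            copied = (size + 0x3FF) & 0xFFFFFC00   # add ecx,3FFh / and ecx,0FFFFFC00h
            return pos, size, copied
    return None


def build_sample() -> bytes:
    """Constructed test input (not a real 040603.DAT): an -lh0- member whose
    payload holds a fake etBIOS image at offset 32."""
    size = 0x1234
    body = b"\0" * 32 + ET_SIG + struct.pack("<I", size) + b"\x90" * (size - 8)
    name = b"040603.DAT"
    fields = (b"-lh0-" + struct.pack("<IIIBBB", len(body), len(body), 0, 0x20, 0, len(name))
              + name + b"\0\0")                   # trailing 2 bytes: CRC16 placeholder
    return bytes([len(fields), sum(fields) & 0xFF]) + fields + body


if __name__ == "__main__":
    name, payload = parse_lh0_header(build_sample())
    print(name, len(payload), find_et_bios(payload))
```

On a real module extracted with CBROM, pass the file contents to parse_lh0_header and feed the returned payload to find_et_bios; a None result means the image does not start with the header the loader expects.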
-
- Master Flasher
- Posts: 173
- Joined: Sun Mar 31, 2002 2:08 pm
- Location: Taka Bonerate National Park, Indonesia
- Contact:
KenOath wrote:
I found an interesting page on bios reverse engineering HERE
in my quest to better understand its functions...
it's my website. The "root" page is in my signature below.
-
- New visitors - please read the rules.
- Posts: 1
- Joined: Mon Mar 23, 2009 1:00 pm
Found an interesting page on bios reverse engineering... it looks like a good resource man...