BIOS disassembly

Only for programmers and BIOS gurus with technical questions.
xiaonian
Master Flasher
Posts: 167
Joined: Fri Apr 26, 2002 5:29 am
Location: HEZE P.R.China

As you say, "To bring in the correct speed grade, you'll have to alter it."
Please tell me how I can alter it.
Thanks!
KachiWachi
The New Guy
Posts: 1451
Joined: Fri Mar 29, 2002 10:32 pm
Location: Pennsylvania, USA

xiaonian -

If you want to do this yourself, you'll have to disassemble your BIOS, then, in Assembly Language, edit the file to suit your liking.

If you don't know Assembly, then you'll have to contact someone who does, and is willing to fix it for you...

Enough said...
xiaonian
Master Flasher
Posts: 167
Joined: Fri Apr 26, 2002 5:29 am
Location: HEZE P.R.China

KachiWachi,
Can you give me some advice about disassembling a BIOS file?
Such as a tool, or any other solution?
I do know a little Assembly Language.

Thanks!

xiaonian
KachiWachi
The New Guy
Posts: 1451
Joined: Fri Mar 29, 2002 10:32 pm
Location: Pennsylvania, USA

You can download freeware disassemblers from the internet, as well as the other utilities you will need. Search the forum for other posts that address how to do this (High-tech section).

As for assembly, you are on your own...don't know a thing about it. But from what I do know, you'll have to find the CPU tables and edit them to your liking.

Good Luck!!
xiaonian
Master Flasher
Posts: 167
Joined: Fri Apr 26, 2002 5:29 am
Location: HEZE P.R.China

Thanks!
About the CPU tables, can you give me any more advice?
Such as, how can I find them? How can I modify them?...
etc.
Thanks!
xiaonian
Master Flasher
Posts: 167
Joined: Fri Apr 26, 2002 5:29 am
Location: HEZE P.R.China

I found the way!
I have patched the BIOS of my M537 m/b.
With my patched BIOS, it can now display the correct speed of the K6-2/500!
ajzchips
El cheapo dude
Posts: 3048
Joined: Sat Mar 23, 2002 12:41 pm
Location: Madrid, Spain

Mind sharing the knowledge?
xiaonian
Master Flasher
Posts: 167
Joined: Fri Apr 26, 2002 5:29 am
Location: HEZE P.R.China

Not at all.
But it will take some time to finish this story.
Just wait.
BiosMan
The BIOS Patcher
Posts: 81
Joined: Mon May 20, 2002 9:20 pm
Location: The Netherlands

OK, I will start the story with the explanations I sent xiaonian by e-mail.
It addresses the speed indication limitation for non-Cyrix CPUs in Award BIOSes from around 1998.

Patching BIOSes is not difficult but can be very time consuming. There is no general recipe for this and you have to disassemble and analyze each BIOS carefully to see what needs to be changed.
Award and AMI have made so many code changes over time, that it is always a surprise what you will find. ;-)
I disassemble the BIOS with the help of the Sourcer disassembler from V Communications. This is the most time consuming part.
The actual patching is done with a hexeditor directly in machine language to avoid introducing errors due to relocated routines during re-assembly.

But before you can disassemble a BIOS, first you have to extract and decompress the required module(s) from the compressed BIOS "BIN" or "ROM" file.

Start by extracting the BIOS image from the compressed BIN file with Award's MODBIN tool.
If you load the BIN in MODBIN and then exit the program without making any changes, 2 new files are created. One of them, ORIGINAL.TMP, is the BIOS image file. (you probably know this already) ;-)
Rename original.tmp to something like newbios.img to have a working copy.
Then disassemble this BIOS with the help of a good disassembler, or search with a hexeditor for the bytes to change.

The Award BIOS works with tables to correct the raw measured CPU speed to a known number.
There are 2 tables, one for 250MHz and below, and the other for 266MHz or above. The tables are ended by a "null" (00h) byte.
The tables can be found by searching for the byte sequence:
81 BE CC 01 FF 00 76 03
These are the instructions:
cmp word ptr [BP+1CCh], 0FFh
jbe short loc_+3
The three bytes just before these instructions point to the 250- table, and
the three bytes just after these instructions point to the 266+ table
BE YY XX
mov SI, offset XXYY
where XXYY is the offset to the table.

The tables use 3 bytes for each entry. The BIOS holds the measured CPU speed in the 16-bit variable at [BP+1CCh] and checks the table from top to bottom to find a match. It does this by comparing the lower byte (8 bits) at [BP+1CCh] with the second byte of each entry in the table. When the lower byte at [BP+1CCh] is smaller than the second byte in the table entry, it takes the next entry. When it is equal or larger, it places the first byte of this table entry in the lower byte at [BP+1CCh], thereby correcting the measured CPU speed.
The third byte in each table entry is the FSB byte and is used to correctly program the memory and cache timing registers in the chipset for this FSB speed.

For a BIOS with support up to 400MHz, like the M537 BIOS, the 266+ table looks like this:
90 8E 80 ;400MHz, 398MHz, FSB 66 or higher
6E 6C 80 ;366MHz, 364MHz, FSB 66 or higher
4D 4B 80 ;333MHz, 331MHz, FSB 66 or higher
2C 2A 80 ;300MHz, 298MHz, FSB 66 or higher
0A 08 80 ;266MHz, 264MHz, FSB 66 or higher
00 ;End of table.
The FSB bytes used in this BIOS are:
80 ;66MHz or higher
70 ;60MHz
60 ;55MHz or lower

Note: Most newer Award BIOSes also use these FSB byte values:
B0 ;90MHz or higher
A0 ;83MHz
90 ;75MHz
You will have to check both tables to see which values are used.

Now for the patch, you will have to find an unused space to place the new 266+ table. This can be found near the end of the first 64KB part, where the "FF's" start. In the M537 BIOS this is at offset D820h. Here the new 266+ table can be entered:
F4 EF 80 ;500MHz (6x83)
C2 BE 80 ;450MHz (6x75)
9C 98 80 ;412MHz (5.5x75)
90 8D 80 ;400MHz (6x66)
77 74 80 ;375MHz (5x75)
6E 6B 80 ;366MHz (5.5x66)
68 65 70 ;360MHz (6x60)
4D 4B 80 ;333MHz (5x66)
2C 2A 80 ;300MHz (4.5x66 or 4x75)
0A 08 80 ;266MHz (4x66)
00 ;End of table.
Then the pointer to the 266+ table has to be changed. In the M537 BIOS this is at offset 43D1h. Change BE 4F 43 into BE 20 D8 (the low address byte has to come first).

Finally there is the trick of placing the patched BIOS back in compressed
form into the BIN file and getting the checksum bytes right.
This can be done via a special procedure under Windows, with the help of
MODBIN v4.50.77 or later. See below.

Here is some further Award BIOS info before I show you how to get the
patched BIOS back in the compressed BIN file.

Nowadays, on the Award BIOS, the 128KB BIOS image (ORIGINAL.TMP) can be seen as two separate 64KB parts.
The first part contains the POST routines and this is where the changes for additional CPU speed support have to be made.
During boot, this part is loaded into shadow RAM at address E000:0000 to E000:FFFF and is discarded at the end of the BIOS boot process.
The second part contains the Interrupt service routines and the CMOS Setup screens and routines. This is the part you can tweak using MODBIN. It is loaded into shadow RAM at address F000:0000 to F000:FFFF and is retained.
Also the Fixed Disk Parameter Tables of all 4 IDE devices are stored here.
Unlike the first part, this part is protected by 3 different checksum routines and it cannot be changed directly because MODBIN holds a work copy in memory, overwriting any changes when you update the file.
But if you make changes here via MODBIN's menus, the checksum bytes are automatically recalculated.

When changing a BIOS, you first make the required changes in the second part with MODBIN. Like changing the 'Revision' line. Then save the changes into the BIN file with the "Update file" selection in MODBIN.
Then start MODBIN again and load the just updated BIN to get the updated
ORIGINAL.TMP file. Exit MODBIN without making any changes.
Assume you rename ORIGINAL.TMP to NEWBIOS.IMG and now patch the first part of the BIOS with a hexeditor.

To get the patched BIOS image back in the compressed BIN file, you have to run MODBIN from the DOS-prompt within Windows.
Load the updated BIN again in MODBIN.
Now open a second DOS window and copy the patched BIOS into the Original.tmp file. Close the second window, go back to MODBIN and select "Update file" to compress and save the patched BIOS in the BIN file. MODBIN will automatically calculate the checksum over all the compressed BIOS components and correct the checksum bytes of the BIN.

Note that you have to use MODBIN v4.50.77 or later to get the correct checksum bytes!

As a final crosscheck I check both the original and the patched BIN file with Award's CBROM tool. With the /D switch you can view all BIOS components in the compressed BIN file. The patched BIN should contain the same components and should still have some compressed code space left.

That's all there is to it! ;-)
The Unofficial AMD K6-2+ / K6-III+ page
http://web.inter.nl.net/hcc/J.Steunebrink/k6plus.htm
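An added example, not part of BiosMan's post and not code from any of the tools he names: Python that finds the two table pointers by the byte signature, emulates the table lookup as the post describes it, and applies the M537 table patch to a constructed 64 KB image. Assumptions: the image and the 250- table at 4300h are constructed, the pointer value is taken to equal the file offset inside the first 64 KB part (as in the M537 numbers), the comparison is unsigned, and a value that matches no entry is left unchanged.

```python
import struct

SIG = bytes.fromhex("81BECC01FF007603")  # cmp word ptr [BP+1CCh],0FFh ; jbe short +3
OLD_266 = bytes.fromhex("908E80 6E6C80 4D4B80 2C2A80 0A0880 00")   # table from the post
NEW_266 = bytes.fromhex("F4EF80 C2BE80 9C9880 908D80 777480 6E6B80 "
                        "686570 4D4B80 2C2A80 0A0880 00")          # table from the post

def find_pointers(img):
    """Return (250- table offset, 266+ table offset, offset of the 266+ 'mov SI')."""
    at = img.find(SIG)
    hi = at + len(SIG)
    if at < 3 or hi + 3 > len(img) or img[at - 3] != 0xBE or img[hi] != 0xBE:
        raise ValueError("signature with 'mov SI' (BEh) on both sides not found")
    return (struct.unpack_from("<H", img, at - 2)[0],
            struct.unpack_from("<H", img, hi + 1)[0], hi)

def parse_table(img, off):
    """Read 3-byte entries (display, threshold, FSB) until the 00h terminator."""
    rows = []
    while img[off] != 0x00:
        rows.append(tuple(img[off:off + 3]))
        off += 3
    return rows

def corrected_speed(rows, measured):
    """Emulate the lookup: first entry whose threshold <= low byte of the speed wins."""
    low = measured & 0xFF
    for display, threshold, fsb in rows:
        if low >= threshold:
            return (measured & 0xFF00) | display, fsb
    return measured, None  # assumption: no match leaves the measured value as is

def patch(img, free_off, table):
    """Write `table` into erased (all FFh) space and repoint the 266+ 'mov SI'."""
    _, _, mov_at = find_pointers(img)
    if any(b != 0xFF for b in img[free_off:free_off + len(table)]):
        raise ValueError("target area is not free (not all FFh)")
    img[free_off:free_off + len(table)] = table
    struct.pack_into("<H", img, mov_at + 1, free_off)  # low address byte first

def constructed_image():
    """Constructed 64 KB stand-in for the first part of ORIGINAL.TMP (not a real BIOS)."""
    img = bytearray(b"\xFF" * 0x10000)
    img[0x4300:0x4304] = bytes.fromhex("FAF880 00")   # constructed 250- table
    img[0x434F:0x434F + len(OLD_266)] = OLD_266
    code = b"\xBE\x00\x43" + SIG + b"\xBE\x4F\x43"    # mov SI,4300h / cmp / jbe / mov SI,434Fh
    img[0x43C6:0x43C6 + len(code)] = code
    return img
```

With the old table a measured 496 MHz (01F0h) is corrected down to 400 MHz, which is the K6-2/500 symptom from the start of the thread; after `patch(img, 0xD820, NEW_266)` the same input resolves to 500 MHz. The script only edits the image, so getting it back into the BIN with correct checksums is still the MODBIN step.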
Rainbow
The UniFlasher
Posts: 3122
Joined: Wed Mar 20, 2002 4:16 pm
Location: Slovakia

That MODBIN trick in Windows does not work for me - if I remember correctly, it always saves the version it loaded. I have to use LHA to compress the file, insert manually in the BIOS and then run MODBIN to update the checksums.
Patched and tested BIOSes are at http://wims.rainbow-software.org
UniFlash - Flash anything anywhere
BiosMan
The BIOS Patcher
Posts: 81
Joined: Mon May 20, 2002 9:20 pm
Location: The Netherlands

Rainbow,

I have been using this MODBIN trick under Windows for several years now and it works every time, both with MODBIN 4.50.77 and 4.50.82a.
But it can only be used to make changes in the first 64KB part of ORIGINAL.TMP (E000:0000-FFFF). For changes in the high 64KB part (F000:0000-FFFF) the LHA method has to be used.

BiosMan.
Rainbow
The UniFlasher
Posts: 3122
Joined: Wed Mar 20, 2002 4:16 pm
Location: Slovakia

Oh yes, that might be the problem :wink:
xiaonian
Master Flasher
Posts: 167
Joined: Fri Apr 26, 2002 5:29 am
Location: HEZE P.R.China

AHHH, BIOSMAN IS Mr. Jan Steunebrink!
I have collected more than 1,000 BIOS files.
Lots of them have the K6-2/400 problem.
Now, with BiosMan's way, I have already fixed some BIOS files successfully.
But they still have a wrong speed problem with Cyrix CPUs;
when I use an M2/300 CPU at 66x3.5, it says it is a PR266.
BiosMan told me the reason is:
"For the Cyrix CPUs, the BIOS uses a different logic and separate tables,
because the measured CPU speed must be transferred to a higher PR display.
I will have to study how this works and how it can be changed."
Let's wait for BiosMan.
Conundrum
New visitors - please read the rules.
Posts: 4
Joined: Mon Aug 05, 2002 12:13 am

What program did you guys use to disassemble the BIOS?

thanks.
NickS
BIOS Bodhisattva
Posts: 3145
Joined: Fri May 03, 2002 10:34 am
Location: Thames Valley, UK

BiosMan wrote: I disassemble the BIOS with the help of the Sourcer disassembler from V Communications. This is the most time consuming part.
The actual patching is done with a hexeditor directly in machine language to avoid introducing errors due to relocated routines during re-assembly.
Tested patched BIOSes. Untested patched BIOSes.
Emails *will* be ignored unless the subject line starts "Wim's BIOS forum"