Finding Board Enable by Reverse Engineering
Revision as of 00:31, 20 December 2009
Finding the board enable code inside the flash ROM seems like looking for a needle in a haystack, but with the right search method it can be as easy as finding a magnetic needle with a strong magnet. This page explains approaches to locating the board enable code in BIOSes from different vendors.
For free/open source reverse engineering tools, take a look at biew, objdump and ndisasm.
For objdump, use
objdump -b binary -m i386 -M i8086,intel --disassemble-all datafile.bin
(leave off the "intel" option if you prefer AT&T assembler syntax). Since a raw dump has no load address, objdump prints offsets starting at 0; when datafile.bin is the 64KB F-segment, adding --adjust-vma=0xf0000 makes the printed addresses match the linear addresses the code runs at, which is handy when comparing against the segment offsets described below.
None of the free tools we know of match the commercial IDA Pro. Its free-as-in-beer version for non-commercial use, IDA 4.9 Freeware, has all the features needed for BIOS analysis, so it deserves a mention here too.
First, you need the runtime BIOS: the 128KB that is mapped at addresses E0000-FFFFF while the system is running. You can obtain it either by dumping it from a running system, or by running "lha x bios.bin" on the BIOS image as it gets written to the chip (the runtime part is stored as an LHA archive inside the image).
From the 128KB you only need the second half (the F-segment). In this segment, look for the text "AWDFLASH". This signature is followed by eleven 16-bit procedure offsets (all these procedures reside in segment F000, so a linear address is F0000 plus the offset). The second procedure offset points to the board/chipset enable function. The third procedure offset points to the board/chipset disable function.
- PCI register manipulation is common. If you find a procedure that outputs something to port CF8, it accesses PCI configuration space. If a second out instruction follows (to port CFC), it is a PCI config write; if an in instruction follows, it is a PCI config read. In Award BIOS code, the device/function ID is passed in CH as (device ID * 8 + function ID) and the config space address (register offset) in CL. The bus number (if used at all; check the procedure being called) is in BH or BL. Data is exchanged via AL/AX/EAX.
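The AWDFLASH table lookup and the CF8/CFC pattern described above, as an added example (this is not code from the wiki or from flashrom). It assumes a 64KB F-segment dump as input; the sample F-segment it builds is constructed for the example, with a fake table and a tiny enable stub, not taken from any real BIOS. The CF8/CFC detection is a byte-pattern heuristic (it only recognises the mov dx,imm16 encoding and can match immediates by accident), so treat its output as a hint to confirm in a disassembler; the helper names are the example's own.

```python
"""Locate the Award board-enable procedure via the AWDFLASH table and
classify PCI config accesses inside it (added example, not flashrom code)."""
import struct

SIGNATURE = b"AWDFLASH"
N_PROCS = 11                      # eleven 16-bit offsets follow the signature
ENABLE_IDX, DISABLE_IDX = 1, 2    # second and third entries of the table

# 16-bit x86 encodings of "mov dx, 0CF8h" / "mov dx, 0CFCh"
MOV_DX_CF8 = b"\xba\xf8\x0c"      # PCI CONFIG_ADDRESS
MOV_DX_CFC = b"\xba\xfc\x0c"      # PCI CONFIG_DATA
PORT_IN = {0xEC, 0xED}            # in al,dx / in (e)ax,dx
PORT_OUT = {0xEE, 0xEF}           # out dx,al / out dx,(e)ax


def awdflash_table(fseg):
    """Return the eleven F000-relative procedure offsets after 'AWDFLASH'."""
    pos = fseg.find(SIGNATURE)
    if pos < 0:
        raise ValueError("AWDFLASH signature not found in F-segment")
    return list(struct.unpack_from("<%dH" % N_PROCS, fseg, pos + len(SIGNATURE)))


def enable_disable(fseg):
    """(board enable offset, board disable offset), both relative to F000."""
    t = awdflash_table(fseg)
    return t[ENABLE_IDX], t[DISABLE_IDX]


def f000_to_file(seg_offset, dump_size):
    """Byte offset of F000:seg_offset inside a dump that ends at FFFFF
    (64KB F-segment dump or 128KB E0000-FFFFF dump)."""
    return dump_size - 0x10000 + seg_offset


def pci_accesses(code, start, max_len=256):
    """Heuristic: offsets of mov dx,0CF8h / mov dx,0CFCh in a window at start."""
    hits = []
    end = min(len(code), start + max_len)
    for i in range(start, end - 2):
        chunk = code[i:i + 3]
        if chunk == MOV_DX_CF8:
            hits.append((i, "CONFIG_ADDRESS"))
        elif chunk == MOV_DX_CFC:
            hits.append((i, "CONFIG_DATA"))
    return hits


def classify_pci_op(code, cf8_pos, window=16):
    """After mov dx,0CF8h the first port op writes CONFIG_ADDRESS; the next
    port op decides: out -> config write, in -> config read (heuristic)."""
    seen_addr_write = False
    for i in range(cf8_pos + 3, min(len(code), cf8_pos + 3 + window)):
        b = code[i]
        if b in PORT_OUT:
            if not seen_addr_write:
                seen_addr_write = True
                continue
            return "write"
        if b in PORT_IN and seen_addr_write:
            return "read"
    return "unknown"


def decode_devfn(ch):
    """Award passes device/function in CH as device*8 + function."""
    return ch >> 3, ch & 7


def build_sample_fseg():
    """Constructed 64KB F-segment (not a real BIOS): fake AWDFLASH table plus a
    stub enable procedure that reads one PCI config register."""
    seg = bytearray(b"\xff" * 0x10000)
    enable, disable = 0x2000, 0x2100
    stub = (b"\xb5\x38"           # mov ch, 38h   -> device 7, function 0
            b"\xb1\x48"           # mov cl, 48h   -> config register 0x48
            + MOV_DX_CF8          # mov dx, 0CF8h
            + b"\x66\xef"         # out dx, eax   (write CONFIG_ADDRESS)
            + MOV_DX_CFC          # mov dx, 0CFCh
            + b"\xec"             # in al, dx     -> PCI config read
            + b"\xc3")            # ret
    seg[enable:enable + len(stub)] = stub
    table = [0x1000, enable, disable] + [0x3000 + i * 0x10 for i in range(8)]
    blob = SIGNATURE + struct.pack("<%dH" % N_PROCS, *table)
    seg[0x0100:0x0100 + len(blob)] = blob
    return bytes(seg)


if __name__ == "__main__":
    seg = build_sample_fseg()
    en, dis = enable_disable(seg)
    print("enable F000:%04X  disable F000:%04X" % (en, dis))
    for off, kind in pci_accesses(seg, en):
        tag = classify_pci_op(seg, off) if kind == "CONFIG_ADDRESS" else ""
        print("  %04X %s %s" % (off, kind, tag))
```

To use it on a real dump, read the upper 64KB of the runtime BIOS into `fseg` and call `enable_disable`; `f000_to_file` then gives the byte offset to seek to in the file (or to pass as the start of a window in `pci_accesses`), and `decode_devfn` turns a `mov ch, imm8` you find there into the device and function being programmed.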