Finding Board Enable by Reverse Engineering

From flashrom
Revision as of 00:31, 20 December 2009 by MKarcher (talk | contribs) (Created page with 'Finding the board enable code inside the flash rom seems like looking for a needle in a haystack, but using the right search method might be as easy as finding a magnetic needle …')

Finding the board enable code inside the flash ROM seems like looking for a needle in a haystack, but with the right search method it can be as easy as finding a magnetic needle with a strong magnet. This page explains approaches for finding the board enable code in different vendor BIOSes.

Useful Tools

For free/open source reverse engineering tools, take a look at biew, objdump and ndisasm.

For objdump, use

objdump -b binary -m i386 -M i8086,intel --disassemble-all datafile.bin

(you might want to leave off the "intel" option if you prefer AT&T assembler syntax)

None of the free tools we know of are comparable to the commercial tool IDA Pro, so it should be mentioned here too: its free-as-in-beer version for non-commercial use, IDA 4.9 Freeware, has all the features needed for BIOS analysis.

Vendor-specific Hints

Award BIOS

First, you need the runtime BIOS, that is, the 128KB that is available at addresses E0000-FFFFF while the system is running. You can obtain it either by dumping it from a running system, or by running "lha x bios.bin" on a BIOS image as it gets written to the chip.

From the 128KB you only need the second half (the F segment). In this segment, look for the text "AWDFLASH". This signature is followed by eleven 16-bit procedure offsets (all these procedures reside in segment F000). The second procedure offset points to the board/chipset enable function; the third procedure offset points to the board/chipset disable function.

Useful hints:

  • PCI register manipulation is common. If you find a procedure that outputs something to port CF8, it accesses PCI configuration space. If a second out instruction follows, it is a PCI config write; if an in instruction follows, it is a PCI config read. In Award BIOS code, the device/function ID is passed in CH as (device ID * 8 + function ID) and the config space address in CL. The bus number (if used at all; check the procedure called) is in BH or BL. Data is exchanged via AL/AX/EAX.
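As an added worked example (not code from the original page or from flashrom), the Python below applies the AWDFLASH search described above to a constructed 128KB runtime dump and decodes the CH/CL register convention from the hint above into the dword a BIOS writes to port CF8. The sample image contents, the F000:2345 placement and the helper names are assumptions made for the example.

```python
import struct

AWDFLASH_SIG = b"AWDFLASH"
RUNTIME_SIZE = 0x20000        # 128 KiB runtime BIOS, mapped at E0000-FFFFF
F_SEG_OFFSET = 0x10000        # second half of the dump is segment F000
NUM_PROCS = 11                # eleven 16-bit procedure offsets follow the signature

def find_award_board_enable(runtime_bios: bytes) -> dict:
    """Locate the AWDFLASH table in the F segment and return the procedure
    offsets, with the second/third entries labelled enable/disable."""
    if len(runtime_bios) != RUNTIME_SIZE:
        raise ValueError("expected a 128 KiB runtime BIOS dump (E0000-FFFFF)")
    fseg = runtime_bios[F_SEG_OFFSET:]
    pos = fseg.find(AWDFLASH_SIG)
    if pos < 0:
        raise LookupError("AWDFLASH signature not found in the F segment")
    table = pos + len(AWDFLASH_SIG)
    if table + 2 * NUM_PROCS > len(fseg):
        raise ValueError("AWDFLASH table runs past the end of the F segment")
    procs = list(struct.unpack_from("<%dH" % NUM_PROCS, fseg, table))
    return {
        "signature_linear": 0xF0000 + pos,
        "proc_offsets": procs,
        "board_enable_linear": 0xF0000 + procs[1],    # second entry
        "board_disable_linear": 0xF0000 + procs[2],   # third entry
        "board_enable_file_offset": F_SEG_OFFSET + procs[1],
    }

def award_pci_config_address(ch: int, cl: int, bus: int = 0) -> dict:
    """Decode the Award calling convention (CH = device*8 + function,
    CL = register, bus in BH/BL) into the dword written to port CF8."""
    device, function = ch >> 3, ch & 7
    cf8 = 0x80000000 | (bus << 16) | (device << 11) | (function << 8) | (cl & 0xFC)
    return {"device": device, "function": function, "register": cl, "cf8": cf8}

def build_sample_dump() -> bytes:
    """Constructed 128 KiB image: all zeros except an AWDFLASH table placed
    at F000:2345 (sample data for this example, not a real BIOS)."""
    img = bytearray(RUNTIME_SIZE)
    sig_pos = 0x2345
    procs = [0x1000, 0x1234, 0x1300, 0x1400, 0x1500,
             0x1600, 0x1700, 0x1800, 0x1900, 0x1A00, 0x1B00]
    table = AWDFLASH_SIG + struct.pack("<11H", *procs)
    img[F_SEG_OFFSET + sig_pos:F_SEG_OFFSET + sig_pos + len(table)] = table
    return bytes(img)

if __name__ == "__main__":
    info = find_award_board_enable(build_sample_dump())
    print("board enable at F000:%04X" % (info["board_enable_linear"] - 0xF0000))
    print(award_pci_config_address(ch=0x3A, cl=0x40))
```

On a real dump, feed the 128KB file read in binary mode to find_award_board_enable and use board_enable_file_offset as the objdump --start-address for the enable procedure.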