Laptop enable: Difference between revisions

Revision as of 21:21, 22 October 2011

Intro

Most (all?) laptop designs use an EC (embedded controller) to control the backlight, watch the battery status, etcetera.

To access the flash chip, the EC needs to be suspended/stopped. The code to stop the EC typically is found at the end of a BIOS binary. This page is about that trailing part of a binary.

Using a laptop BIOS (Phoenix TrustedCore) file that is one megabyte large, the TRAILER starts at 0x100001 (1024^2 + 1).

Example of a disassembly

The disassembler that is used is IDAPro, the freeware version.

Example of how the disassembly of the trailer looks:

TRAILER:0010 09 00 00 00 00 00 00 00 00 00 00 43 6F 6D 70 61 ..........Compa TRAILER:0020 6C 20 57 69 6E 50 68 6C 61 73 68 20 2D 20 46 6C l WinPhlash - Fl TRAILER:0030 61 73 68 69 6E 74 2E 61 73 6D 20 76 30 2E 30 33 ashint.asm v0.03 TRAILER:0040 5A 46 4C 50 46 25 00 00 00 00 00 00 00 59 02 00 ZFLPF%

Hints, facts and calculations

Facts:

ZFLPF is found at 0x40
len(ZFLPH) = 5

The location of the entrypoint is stored at 0x51:

0x51 =

position of ZFLPF + len(ZFLPF) + (((position where the string "Compal" starts) >> 1) - 1) =

0x40 + 5 + ((0x1b >> 1) - 1) =

0x40 + 5 + 0xc

Note that the above two formulas can be wrong.

Let's take a look at position 0x51:

TRAILER:0051 DE 02 dw 2DEh

Fact:

0x2de + 0x1b = 0x2f9

Preview of the begin of the board specific code

TRAILER:02F9 ; --------------------------------------------------------------------------- TRAILER:02F9 9C pushf TRAILER:02FA 60 pusha TRAILER:02FB E8 C2 00 call determine_lpc_pci_id

@@ Line 1: / Line 1: @@
-Using a laptop BIOS file that is one megabyte large, the TRAILER starts at 0x100001 (1024^2 + 1).
+== Intro ==
+*http://flashrom.org/Board_Enable
+*http://flashrom.org/Laptops
+*http://www.coreboot.org/Embedded_controller
+*http://www.coreboot.org/Laptop#Embedded_controllers
+Most (all?) laptop designs use an EC (embedded controller) to control the backlight, watch the battery status, etcetera.
+To access the flash chip, the EC needs to be suspended/stopped. The code to stop the EC typically is found at the end of a BIOS binary. This page is about that trailing part of a binary.
+Using a laptop BIOS (Phoenix TrustedCore) file that is one megabyte large, the TRAILER starts at 0x100001 (1024^2 + 1).
+== Example of a disassembly ==
+The disassembler that is used is IDAPro, the freeware version.
-<br>
 Example of how the disassembly of the trailer looks:
@@ Line 8: / Line 20: @@
 TRAILER:0020  6C 20 57 69 6E 50 68 6C  61 73 68 20 2D 20 46 6C  l WinPhlash - Fl<br>
 TRAILER:0030  61 73 68 69 6E 74 2E 61  73 6D 20 76 30 2E 30 33  ashint.asm v0.03<br>
-TRAILER:0040  5A 46 4C 50 46 25 00 00  00 00 00 00 00 59 02 00  ZFLPF%
+TRAILER:0040  5A 46 4C 50 46 25 00 00  00 00 00 00 00 59 02 00  ZFLPF%<br>
 </code>
-<br>
+== Hints, facts and calculations ==
 Facts:
 * ZFLPF is found at 0x40
 * len(ZFLPH) = 5
-<br>
 The location of the entrypoint is stored at 0x51:
-x51 =<br>
+x51 =
-position of ZFLPF + len(ZFLPF) + (((position where the string "Compal" starts) >> 1) - 1) =<br>
-x40 + 5 + ((0x1b >> 1) - 1) =<br>
+position of ZFLPF + len(ZFLPF) + (((position where the string "Compal" starts) >> 1) - 1) =
+x40 + 5 + ((0x1b >> 1) - 1) =
 x40 + 5 + 0xc<br>
 Note that the above two formulas can be wrong.
-<br>
 Let's take a look at position 0x51:
-<br>
 <code>
 TRAILER:0051 DE 02                       dw 2DEh</code>
-<br>
 Fact:
 * 0x2de + 0x1b = 0x2f9
-<br>
+== Preview of the begin of the board specific code ==
 <code>
 TRAILER:02F9             ; ---------------------------------------------------------------------------<br>
 TRAILER:02F9 9C                          pushf<br>
 TRAILER:02FA 60                          pusha<br>
-TRAILER:02FB E8 C2 00                    call    determine_lpc_pci_id<br>
+TRAILER:02FB E8 C2 00                    call    determine_lpc_pci_id
 </code>