Borg Number One, Master Flasher
Joined: 02 May 2004 Posts: 169
Posted: Sat Dec 03, 2005 7:01 pm
Post subject: etBIOS reverse engineering
Hello.
Recently, I found/saw a really impressive BIOS extension which is able to
+ play DVDs
+ offer browser capabilities
without booting an operating system from additional drive(s).
The name of the project is: "etBIOS"
http://www.elegent.com/etBIOS/index.htm
Here are some further interesting images:
http://images.google.de/images?hl=en&q=etbios
Well, I also tried to extract the etBIOS ([NoCompress ROM] 040603.DAT) from some Acorp BIOS download links.
http://www.acorp.com.tw/eng/download/download02...=406&lineid=1
http://www.acorp.com.tw/eng/driver/INTEL/865/48...ET/4865GQET14.zip
With the help of CBROM, extracting the etBIOS module was no problem.
But the etBIOS is toooo huge to add it to my Asus A7N8X Deluxe BIOS.
Even removing the built-in AWDFLASH utility, fullscreen/EPA logo etc. did not help to get enough free space in the A7N8X Deluxe BIOS for the etBIOS.
So, I am currently unable to try the etBIOS,
because I do not have a mainboard with soooo much additional free space (256KB) inside the BIOS file.
So there are some questions:
1.)
Does anyone have a mainboard with enough space inside the BIOS chip/file for adding etBIOS?
2.)
etBIOS seems to be compressed somehow.
Does anyone know how to get it uncompressed?
_________________ BIOS backup - Multi BIOS - prevent a BIOS update failure:
RD1 BIOS Savior
http://www.ioss.com.tw

sunbirds, BIOS Rookie
Joined: 01 Feb 2004 Posts: 56
Posted: Sun Dec 04, 2005 4:02 am
This etBIOS module in the main BIOS only has the function of playing DVDs; maybe it can be called etDVD.
When you check 040603.DAT, you can find "egcs-1.1.2 release".
It may be modded by egcs Linux.
Furthermore, etBrowser will be found in some BIOSes.
_________________ www.biosdiy.net

Rainbow, The UniFlasher
Joined: 20 Mar 2002 Posts: 3122 Location: Slovakia

Borg Number One, Master Flasher
Joined: 02 May 2004 Posts: 169
Posted: Sun Dec 04, 2005 9:37 pm
Hello.
1.)
Yes, it is true that EGCS is a compiler.
It seems that etBIOS / etDVD / etBrowser are generally compiled with EGCS / GCC.
2.)
Acorp, Soyo and VIA seem to have a commercial partnership with elegent and use their etBIOS/etDVD.
Here is another BIOS file with an etBIOS/etDVD module.
7KM400QP
http://www.acorp.com.tw/eng/download/download_p...amp;downclassid=2
-->
http://www.acorp.com.tw/eng/driver/VIA/7KM400QP/7km400QPv17.zip
-->
unpack: Access+17.BIN
-->
extract: [NoCompress ROM] module.
Here are the BIOS logos of both mentioned mainboards:
7KM400QP
-->
The etBIOS has been started and uses the BIOS logo as background image
4865GQET
3.)
Does anybody know which kind of compression is used for etBIOS/etDVD?
Can someone unpack the etBIOS modules?
4.)
Referring to this:
http://www.extrememhz.com/syp4val-p4.shtml
-->
Can someone figure out how to "start/call" the etBIOS after inserting the etBIOS module into an Award/AMI/Phoenix...-BIOS?
_________________ BIOS backup - Multi BIOS - prevent a BIOS update failure:
RD1 BIOS Savior
http://www.ioss.com.tw

maman, Master Flasher
Joined: 31 Mar 2002 Posts: 161 Location: Taka Bonerate National Park, Indonesia
Posted: Mon Dec 05, 2005 10:36 am
Borg Number One wrote:
> Hello.
> 1.)
> Yes, it is true that EGCS is a compiler.
> It seems to be that etBIOS / etDVD / etBrowser will generally be compiled with EGCS / GCC.

yeah, I think so. Quite a lot of embedded appliances somehow make use of it.

Borg Number One wrote:
> 3.)
> Does anybody know, which kind of compression will be used for etBIOS/etDVD ?
> Can someone unpack the etBIOS modules?

referring to your previous statement that it can be opened by using CBROM, it is probably LZH. Or, if not, it will still be a variant of Lempel-Ziv.

Borg Number One wrote:
> Can someone figure out, how to "start/call" the etBIOS, after inserting the
> etBIOS module to an Award/AMI/Phoenix...-BIOS?

I think the module "hooks" into interrupt 19h, the bootstrap interrupt. Anyway, a brute force attack on this with Award BIOS would be to patch the "POST jump table". You can read the technique at Award Bios "POST Jump Table" Hacking
_________________ -- Human knowledge belongs to the world --

Borg Number One, Master Flasher
Joined: 02 May 2004 Posts: 169
Posted: Mon Dec 05, 2005 10:49 am
Hi.

maman wrote:
> referring to your previous statement that it can be opened by using CBROM, it probably LZH. Or, if not, it will still be a variant of Lempel-Ziv.

I just wrote that the BIOS file can be opened with CBROM,
but I did not write that the etBIOS/etDVD module can be opened with CBROM.
The etBIOS/etDVD modules are compressed somehow, that is a fact.
But they do not have a further compression inside the Phoenix AwardBIOS file.
So, I would like to know which compression was used for the etBIOS / etDVD module itself.
_________________ BIOS backup - Multi BIOS - prevent a BIOS update failure:
RD1 BIOS Savior
http://www.ioss.com.tw

sunbirds, BIOS Rookie
Joined: 01 Feb 2004 Posts: 56
Posted: Mon Dec 05, 2005 11:24 am
I find that in a normal 512K Award BIOS, the original module is located at 0x10000 or 0x20000, so when we use CBROM to open it, we lose 64K or 128K of space.
When I use CBROM to open GQET.BIN, there is 468.00K of compress code space; the original module is located at 0x00000. This is the question: we must mod the normal Award BIOS to get more compress code space.
1) This is the GQET.BIN BIOS compress code structure:
Code:
CBROM V2.19 (C)Award Software 2001 All Rights Reserved.
******** gqet.bin BIOS component ********
No. Item-Name        Original-Size    Compressed-Size   Original-File-Name
================================================================================
 0. System BIOS      20000h(128.00K)  13596h(77.40K)    GQET.BIN
 1. XGROUP CODE      0ACB0h(43.17K)   07560h(29.34K)    awardext.rom
 2. CPU micro code   04000h(16.00K)   03F9Fh(15.91K)    CPUCODE.BIN
 3. ACPI table       03A34h(14.55K)   0164Ah(5.57K)     ACPITBL.BIN
 4. EPA LOGO         0168Ch(5.64K)    002AAh(0.67K)     AwardBmp.bmp
 5. YGROUP ROM       061E0h(24.47K)   04127h(16.29K)    awardeyt.rom
 6. GROUP ROM[ 0]    03F60h(15.84K)   01DDDh(7.47K)     _EN_CODE.BIN
 7. VGA ROM[1]       0C000h(48.00K)   06C88h(27.13K)    SDG_2919.DAT
 8. NoCompress ROM   40000h(256.00K)  40032h(256.05K)   040603.dat
 9. LOGO BitMap      4B30Ch(300.76K)  02CC6h(11.19K)    865.bmp
Total compress code space = 75000h(468.00K)
Total compressed code size = 6FC0Dh(447.01K)
Remain compress code space = 053F3h(20.99K)

The total compress code space of it is 468.00K.
2) This is a normal Award BIOS compress code structure:
Code:
CBROM V2.19 (C)Award Software 2001 All Rights Reserved.
******** s2epv13.bin BIOS component ********
No. Item-Name        Original-Size    Compressed-Size   Original-File-Name
================================================================================
 0. System BIOS      20000h(128.00K)  1492Dh(82.29K)    S2EPV13B.BIN
 1. XGROUP CODE      0F650h(61.58K)   08B20h(34.78K)    awardext.rom
 2. CPU micro code   02800h(10.00K)   01B9Ch(6.90K)     CPUCODE.BIN
 3. ACPI table       03689h(13.63K)   01544h(5.32K)     ACPITBL.BIN
 4. EPA LOGO         0168Ch(5.64K)    002AAh(0.67K)     AwardBmp.bmp
 5. YGROUP ROM       04BF0h(18.98K)   02D3Dh(11.31K)    awardeyt.rom
Total compress code space = 4D000h(308.00K)
Total compressed code size = 23514h(141.27K)
Remain compress code space = 29AECh(166.73K)

The total compress code space of it is only 308K.
It also wastes 128K of space.
_________________ www.biosdiy.net

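The two CBROM listings above make the space argument of the thread concrete: the NoCompress ROM entry for 040603.dat occupies 40032h bytes, and the "normal" 308K image has only 29AECh bytes free. The following Python script is an added example (not from the forum, Acorp or Award) that parses such CBROM component listings, recomputes the totals CBROM prints, and answers the question the thread keeps circling: does a module of a given compressed size fit once chosen components are dropped? The two listings are embedded as constructed sample input copied from the post; the parsing regexes and the helper names are assumptions of this example, not CBROM features.

```python
import re

# Constructed sample input: the two CBROM listings quoted in the post above,
# reduced to the component rows and the "Total compress code space" line.
GQET_LISTING = """\
 0. System BIOS      20000h(128.00K)  13596h(77.40K)    GQET.BIN
 1. XGROUP CODE      0ACB0h(43.17K)   07560h(29.34K)    awardext.rom
 2. CPU micro code   04000h(16.00K)   03F9Fh(15.91K)    CPUCODE.BIN
 3. ACPI table       03A34h(14.55K)   0164Ah(5.57K)     ACPITBL.BIN
 4. EPA LOGO         0168Ch(5.64K)    002AAh(0.67K)     AwardBmp.bmp
 5. YGROUP ROM       061E0h(24.47K)   04127h(16.29K)    awardeyt.rom
 6. GROUP ROM[ 0]    03F60h(15.84K)   01DDDh(7.47K)     _EN_CODE.BIN
 7. VGA ROM[1]       0C000h(48.00K)   06C88h(27.13K)    SDG_2919.DAT
 8. NoCompress ROM   40000h(256.00K)  40032h(256.05K)   040603.dat
 9. LOGO BitMap      4B30Ch(300.76K)  02CC6h(11.19K)    865.bmp
Total compress code space = 75000h(468.00K)
"""

S2EPV13_LISTING = """\
 0. System BIOS      20000h(128.00K)  1492Dh(82.29K)    S2EPV13B.BIN
 1. XGROUP CODE      0F650h(61.58K)   08B20h(34.78K)    awardext.rom
 2. CPU micro code   02800h(10.00K)   01B9Ch(6.90K)     CPUCODE.BIN
 3. ACPI table       03689h(13.63K)   01544h(5.32K)     ACPITBL.BIN
 4. EPA LOGO         0168Ch(5.64K)    002AAh(0.67K)     AwardBmp.bmp
 5. YGROUP ROM       04BF0h(18.98K)   02D3Dh(11.31K)    awardeyt.rom
Total compress code space = 4D000h(308.00K)
"""

# One component row: index, name (may contain spaces and brackets), original
# and compressed sizes as "<hex>h(<dec>K)", then the file name.
ROW_RE = re.compile(
    r"^\s*(\d+)\.\s+(.+?)\s+([0-9A-Fa-f]+)h\([\d.]+K\)\s*"
    r"([0-9A-Fa-f]+)h\([\d.]+K\)\s*(\S+)\s*$")
SPACE_RE = re.compile(r"Total compress code space\s*=\s*([0-9A-Fa-f]+)h")


def parse_cbrom(text):
    """Return (modules, space): modules is a list of dicts with the component
    name, its original/compressed byte sizes and file name; space is the
    total compress code space in bytes (the hex value CBROM prints)."""
    modules, space = [], None
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row:
            modules.append({"name": row.group(2), "orig": int(row.group(3), 16),
                            "comp": int(row.group(4), 16), "file": row.group(5)})
            continue
        total = SPACE_RE.search(line)
        if total:
            space = int(total.group(1), 16)
    if space is None:
        raise ValueError("no 'Total compress code space' line found")
    return modules, space


def compressed_total(modules):
    """Sum of compressed sizes, i.e. CBROM's 'Total compressed code size'."""
    return sum(m["comp"] for m in modules)


def remaining(modules, space):
    """CBROM's 'Remain compress code space'."""
    return space - compressed_total(modules)


def fits_after_removing(text, needed, removable=()):
    """Would a module of `needed` compressed bytes fit once the named
    components are released from the image?"""
    modules, space = parse_cbrom(text)
    kept = [m for m in modules if m["name"] not in removable]
    return remaining(kept, space) >= needed


def max_free_space(text):
    """Upper bound on free space: everything except the System BIOS removed.
    If this is below the module size, no amount of stripping logos or
    utilities will make it fit, which is what the thread starter observed."""
    modules, space = parse_cbrom(text)
    system = [m for m in modules if m["name"] == "System BIOS"]
    return space - compressed_total(system)


if __name__ == "__main__":
    et_size = 0x40032  # compressed size of the NoCompress ROM entry in the GQET listing
    for label, listing in (("GQET.BIN", GQET_LISTING), ("s2epv13.bin", S2EPV13_LISTING)):
        mods, space = parse_cbrom(listing)
        print(label, "remain=%Xh" % remaining(mods, space),
              "max free=%Xh" % max_free_space(listing),
              "etBIOS fits even after stripping all but System BIOS:",
              max_free_space(listing) >= et_size)
```

The recomputed values reproduce CBROM's own lines (6FC0Dh / 053F3h and 23514h / 29AECh), which is a quick sanity check that the parser read the hex fields and not the rounded kilobyte figures.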
sunbirds, BIOS Rookie
Joined: 01 Feb 2004 Posts: 56
Posted: Wed Dec 21, 2005 2:05 am
I did some tests with an AOpen 810MB MX3W.
When I insert the original.bin of the MX3W into access+.bin, release some other modules, and rename the BIOS mx.bin,
CBROM and MODBIN display mx.bin normally, but when I flash it to the chip and reboot, it displays nothing.
_________________ www.biosdiy.net

Borg Number One, Master Flasher
Joined: 02 May 2004 Posts: 169
Posted: Wed Jan 11, 2006 12:18 pm
Hi.
It is necessary to figure out how the etBIOS module is called/executed by the System BIOS.
_________________ BIOS backup - Multi BIOS - prevent a BIOS update failure:
RD1 BIOS Savior
http://www.ioss.com.tw

maman, Master Flasher
Joined: 31 Mar 2002 Posts: 161 Location: Taka Bonerate National Park, Indonesia
Posted: Mon Mar 06, 2006 12:40 am
Borg Number One wrote:
> Hi.
> It is necessary to figure out, how the etBIOS module will be called/executed by the System BIOS.

he..he..he.. sorry that last time I didn't check the binary, just goofin' around with comments
The "compression" used by the etBIOS module is indeed LHA, but it's LHA level 0, meaning no compression at all (look at the -lh0- string in the beginning of the binary); one can extract it by using LHA to remove the headers and analyze it using a disassembler. Anyway, it's executed just like other extension modules in Award BIOS, minus the decompression process of course, which is replaced by a binary copy routine (present in the Award BIOS decompression routine too).
have a nice day
_________________ -- Human knowledge belongs to the world --

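The post above identifies the wrapper as an LHA header with method -lh0-, i.e. a stored (uncompressed) member whose payload can be lifted out by stripping the header. The script below is an added example, written for this page and not taken from the forum, LHA or elegent, that parses an LHA level-0 header, verifies its header checksum, method string and data CRC, and returns the stored payload. The sample archive is constructed inline by the example's own builder (the member name 040603.DAT and the first bytes of the payload are chosen to resemble the module discussed in the thread; the timestamp and attribute values are arbitrary). The header layout and the CRC-16/ARC used for the data CRC follow the published LHA level-0 format; the function names are this example's own.

```python
import struct


def crc16_arc(data: bytes) -> int:
    # CRC-16/ARC (reflected poly 0xA001, init 0, no final xor): the CRC that
    # LHA stores over the member data.
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_lh0(name: str, data: bytes) -> bytes:
    # Constructed sample builder: wrap `data` in an LHA level-0 header with
    # method -lh0- (stored, not compressed). Used only to make test input.
    name_b = name.encode("ascii")
    body = (b"-lh0-"
            + struct.pack("<II", len(data), len(data))  # packed size, original size (equal for -lh0-)
            + struct.pack("<HH", 0, 0)                  # MS-DOS time and date (zeroed here)
            + bytes([0x20, 0])                          # attribute (archive bit), header level 0
            + bytes([len(name_b)]) + name_b
            + struct.pack("<H", crc16_arc(data)))       # CRC-16 of the member data
    # Level 0: byte 0 = header size (bytes after the first two), byte 1 = sum of those bytes mod 256.
    return bytes([len(body), sum(body) & 0xFF]) + body + data


def parse_lha_level0(blob: bytes, offset: int = 0) -> dict:
    """Parse one LHA level-0 header at `offset`. Returns method, sizes, member
    name and the payload bytes. Raises ValueError on any inconsistency so a
    damaged or mislabelled module is rejected rather than misread."""
    if len(blob) < offset + 2:
        raise ValueError("truncated header")
    hsize, checksum = blob[offset], blob[offset + 1]
    hdr = blob[offset + 2: offset + 2 + hsize]
    if len(hdr) != hsize or hsize < 22:
        raise ValueError("truncated or too-short header")
    if sum(hdr) & 0xFF != checksum:
        raise ValueError("header checksum mismatch")
    method = hdr[0:5].decode("ascii", errors="replace")
    if not (method.startswith("-lh") and method.endswith("-")):
        raise ValueError("not an LHA method id: %r" % method)
    packed, original = struct.unpack_from("<II", hdr, 5)
    level = hdr[18]
    if level != 0:
        raise ValueError("only level-0 headers are handled here, got level %d" % level)
    name_len = hdr[19]
    if 20 + name_len + 2 > hsize:
        raise ValueError("name length exceeds header")
    name = hdr[20:20 + name_len].decode("ascii", errors="replace")
    data_crc = struct.unpack_from("<H", hdr, 20 + name_len)[0]
    data_start = offset + 2 + hsize
    payload = blob[data_start:data_start + packed]
    if len(payload) != packed:
        raise ValueError("truncated payload")
    if method == "-lh0-":
        # Stored member: sizes must agree and the data CRC must verify.
        if packed != original:
            raise ValueError("-lh0- member with packed != original size")
        if crc16_arc(payload) != data_crc:
            raise ValueError("data CRC mismatch")
    return {"method": method, "packed": packed, "original": original,
            "name": name, "payload": payload, "next": data_start + packed}


def is_stored_lha(blob: bytes) -> bool:
    """True if `blob` starts with a valid, stored (-lh0-) LHA level-0 member."""
    try:
        return parse_lha_level0(blob)["method"] == "-lh0-"
    except ValueError:
        return False


if __name__ == "__main__":
    sample = build_lh0("040603.DAT", b"\xEB\x3EET" + bytes(60))  # constructed sample member
    info = parse_lha_level0(sample)
    print(info["method"], info["name"], "payload bytes:", info["packed"])
```

The checksum and CRC checks are the part worth keeping: a module with the right -lh0- string but a damaged header or payload is exactly the kind of input that would otherwise be fed straight to a disassembler or a flash tool.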
Borg Number One, Master Flasher
Joined: 02 May 2004 Posts: 169
Posted: Mon Mar 06, 2006 12:51 am
Hi.
I know that the etBIOS module is a "0/zero"-compressed LHA module, but a huge part of the etBIOS itself consists of compressed code.
Code:
BIOS file
+ ...
+ module (lh5)
+ second module (lh5)
+ another module (lh5)
+ etBIOS module (lh0)
  |
  +---+ binary code (unpacker?)
      + compressed code
+ next module (lh5)
...

I just would like to know which kind of executable compression/compressor was used inside the etBIOS.
_________________ BIOS backup - Multi BIOS - prevent a BIOS update failure:
RD1 BIOS Savior
http://www.ioss.com.tw

maman, Master Flasher
Joined: 31 Mar 2002 Posts: 161 Location: Taka Bonerate National Park, Indonesia
Posted: Tue May 09, 2006 12:40 pm
hi Borg. Just got a little time this morning and I've got the entry point. Sorry, only a very raw disassembly. Just in case you are really keen to know. I don't have much time to explain it.
Disassembly of ACORP 4865GQET with etBIOS (4865GQET14.BIN)
Code:
E_seg:9A3E call init_descriptor_cache
E_seg:9A41 call search_ET_BIOS_sign_pos
E_seg:9A44 jb sign_not_found
E_seg:9A48 call relocate_ET_BIOS ; relocate ET_BIOS to right-above 1MB
E_seg:9A4B mov esi, 100000h ; hmmm... 1MB area
E_seg:9A51 mov eax, 54453EEBh ; is ET_BIOS signature is ok?
E_seg:9A57 cmp [esi], eax
E_seg:9A5B jnz sign_not_found
E_seg:9A5F jmp short ET_BIOS_sign_found
.................
E_seg:9A67 ET_BIOS_sign_found: ; CODE XREF: init_ET_BIOS+60j
E_seg:9A67 test byte ptr [esi+1Ch], 10h
E_seg:9A6C jnz short no_ctlr_reset
E_seg:9A6E call reset_IDE_n_FDD_ctlr
E_seg:9A71
E_seg:9A71 no_ctlr_reset: ; CODE XREF: init_ET_BIOS+6Dj
E_seg:9A71 mov edi, 100000h
E_seg:9A77 mov dword ptr es:[edi+24h], 4000000h
E_seg:9A81 mov bx, [esi+10h]
E_seg:9A85 cmp bx, 0
E_seg:9A88 jz short no_vesa_init
E_seg:9A8A mov ax, 4F02h
E_seg:9A8D int 10h ; - VIDEO - VESA SuperVGA BIOS - SET SuperVGA VIDEO MODE
E_seg:9A8D ; BX = mode, bit 15 set means don't clear video memory
E_seg:9A8D ; BX = bit 15 set means don't clear video memory
E_seg:9A8D ; Return: AL = 4Fh function supported
E_seg:9A8D ; AH = 00h successful, 01h failed
E_seg:9A8F
E_seg:9A8F no_vesa_init: ; CODE XREF: init_ET_BIOS+89j
E_seg:9A8F jmp short init__ET_BIOS_binary
................
E_seg:9A99 init__ET_BIOS_binary: ; CODE XREF: init_ET_BIOS:no_vesa_initj
E_seg:9A99 mov es:[edi+12h], al
E_seg:9A9E mov si, 19CEh
E_seg:9AA1 call setup_menu?
E_seg:9AA4 mov si, 99F7h
E_seg:9AA7 add si, ax
E_seg:9AA9 mov al, cs:[si]
E_seg:9AAC mov es:[edi+21h], al
E_seg:9AB1 call init_GDT
E_seg:9AB4 xor ebx, ebx
E_seg:9AB7 xor ecx, ecx
E_seg:9ABA mov bx, 99F1h
E_seg:9ABD mov cx, cs
E_seg:9ABF shl ecx, 4
E_seg:9AC3 add ecx, ebx
E_seg:9AC6 push ecx
E_seg:9AC8 xor eax, eax
E_seg:9ACB mov ax, 8
E_seg:9ACE push eax ; push code selector number (32-bit P-Mode selector)
E_seg:9AD0 mov ax, 9B1Bh ; addr following after retf (below)
E_seg:9AD3 xor ecx, ecx
E_seg:9AD6 mov cx, cs
E_seg:9AD8 shl ecx, 4 ; ecx = phy_addr(cs)
E_seg:9ADC add eax, ecx
E_seg:9ADF push eax
E_seg:9AE1 xor eax, eax
E_seg:9AE4 xor ecx, ecx
E_seg:9AE7 mov cx, ss
E_seg:9AE9 shl ecx, 4
E_seg:9AED mov ax, sp
E_seg:9AEF add ecx, eax
E_seg:9AF2 mov edi, 100000h ; edi = phy_addr_copy_of_et_BIOS
E_seg:9AF8 cli
E_seg:9AF9 lgdt qword ptr cs:word_E000_99F1
E_seg:9AFF mov eax, cr0
E_seg:9B02 or eax, 1 ; enter p-mode
E_seg:9B06 mov cr0, eax
E_seg:9B09 mov ax, 10h
E_seg:9B0C mov ds, ax
E_seg:9B0E assume ds:nothing
E_seg:9B0E mov es, ax
E_seg:9B10 assume es:nothing
E_seg:9B10 mov fs, ax
E_seg:9B12 assume fs:nothing
E_seg:9B12 mov gs, ax
E_seg:9B14 assume gs:nothing
E_seg:9B14 mov ss, ax
E_seg:9B16 assume ss:nothing
E_seg:9B16 mov esp, ecx
E_seg:9B19 db 66h
E_seg:9B19 retf ; jump below in P-Mode
E_seg:9B19 init_ET_BIOS endp ; sp = -3Ch
E_seg:9B19
E_seg:9B19 E_seg ends
E_seg:9B19
_exec_et_bios:0000000B ; ---------------------------------------------------------------------------
_exec_et_bios:0000000B ; ===========================================================================
_exec_et_bios:0000000B
_exec_et_bios:0000000B ; Segment type: Regular
_exec_et_bios:0000000B _exec_et_bios segment byte public '' use32
_exec_et_bios:0000000B assume cs:_exec_et_bios
_exec_et_bios:0000000B ;org 0Bh
_exec_et_bios:0000000B assume es:nothing, ss:nothing, ds:nothing, fs:nothing, gs:nothing
_exec_et_bios:0000000B call edi ; call 10000:0000h (ET_BIOS:00000000h)
_exec_et_bios:0000000D pop ebx
_exec_et_bios:0000000E
_exec_et_bios:0000000E loc_E9B1_E:
_exec_et_bios:0000000E lgdt qword ptr [ebx]
_exec_et_bios:00000011 db 67h
_exec_et_bios:00000011 jmp small far ptr 20h:9B28h
....................................
E_seg:9C7A relocate_ET_BIOS proc near ; CODE XREF: init_ET_BIOS+49p
E_seg:9C7A mov edi, 100000h ; edi = target_addr (1MB)
E_seg:9C80 mov ecx, [esi+4]
E_seg:9C85 add ecx, 3FFh
E_seg:9C8C and ecx, 0FFFFFC00h ; size mod 1KB
E_seg:9C93 shr ecx, 2
E_seg:9C97 cld
E_seg:9C98 rep movs dword ptr es:[edi], dword ptr [esi]
E_seg:9C9C clc
E_seg:9C9D retn
E_seg:9C9D relocate_ET_BIOS endp
E_seg:9C9E search_ET_BIOS_sign_pos proc near ; CODE XREF: init_ET_BIOS+42p
E_seg:9C9E mov esi, 0FFF80000h
E_seg:9CA4 mov eax, 54453EEBh ; eax = et_bios first 4-bytes (including signature)
E_seg:9CAA
E_seg:9CAA next_16_bytes: ; CODE XREF: search_ET_BIOS_sign_pos+1Dj
E_seg:9CAA cmp [esi], eax
E_seg:9CAE jz short exit
E_seg:9CB0 add esi, 16
E_seg:9CB4 cmp esi, 0FFFF0000h
E_seg:9CBB jb short next_16_bytes
E_seg:9CBD stc
E_seg:9CBE retn
E_seg:9CBF ; ---------------------------------------------------------------------------
E_seg:9CBF
E_seg:9CBF exit: ; CODE XREF: search_ET_BIOS_sign_pos+10j
E_seg:9CBF clc
E_seg:9CC0 retn
E_seg:9CC0 search_ET_BIOS_sign_pos endp
..................
=====> here comes et_bios binary <============
ET_BIOS:00000000 loc_10000_0:
ET_BIOS:00000000 jmp short et_bios_start
ET_BIOS:00000000 ; ---------------------------------------------------------------------------
ET_BIOS:00000002 aEt db 'ET' ; ET BIOS signature
ET_BIOS:00000004 dw 0FC73h ; encoded etBIOS size
...........................
ET_BIOS:00000040 et_bios_start: ; CODE XREF: ET_BIOS:loc_10000_0j
ET_BIOS:00000040 cli
ET_BIOS:00000041 mov ds:1F3BA0h, esp
ET_BIOS:00000047 mov esp, 1F8000h
ET_BIOS:0000004C cld
ET_BIOS:0000004D lgdt qword ptr ds:1000A8h
ET_BIOS:00000054 pushf
ET_BIOS:00000055 pop eax
ET_BIOS:00000056 and ah, 0BFh
ET_BIOS:00000059 push eax
ET_BIOS:0000005A popf
ET_BIOS:0000005B call sub_10000_10A8
ET_BIOS:00000060 sub eax, eax
ET_BIOS:00000062 mov edi, 1A8010h
ET_BIOS:00000067 mov ecx, 1F3B94h
ET_BIOS:0000006C sub ecx, edi
ET_BIOS:0000006E shr ecx, 1
ET_BIOS:00000071 shr ecx, 1
ET_BIOS:00000074 rep stosd
ET_BIOS:00000076 call near ptr unk_10000_23D0 ; still need some research
ET_BIOS:0000007B jmp short return_to_system_bios
............................
ET_BIOS:00000081 return_to_system_bios: ; CODE XREF: ET_BIOS:0000007Bj
ET_BIOS:00000081 cli
ET_BIOS:00000082 mov ds:100033h, al
ET_BIOS:00000087 mov esp, ds:1F3BA0h
ET_BIOS:0000008D retn

Mind you that the et_bios binary is executed in 32-bit protected mode. I guess because the code is compiled with EGCS (which was only able to emit 32-bit plain binaries back then). Anyway, I haven't dug down deeper. But it seems there is some kind of decompressor indeed.
Some hints:
--------------
E_seg --> lower 64KB of original.tmp. The routine above is called in one of the POST jump table entries (not directly, some calls exist in between).
The descriptor table that's used to switch to P-Mode prior to et_bios execution is initialized dynamically.
greetz,
a.k.a Pinczakko
_________________ -- Human knowledge belongs to the world --

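Two routines in the listing above are small enough to model exactly and worth modelling, because they answer the "how is it started" question: search_ET_BIOS_sign_pos walks the ROM window 0FFF80000h..0FFFF0000h in 16-byte steps comparing each dword with 54453EEBh, and relocate_ET_BIOS reads the size dword at +4, rounds it up to a 1 KB multiple (add 3FFh, mask with 0FFFFFC00h) and copies that many bytes to 100000h. The Python below is an added example written for this page, not code from the forum, Award or elegent; it reproduces those two routines over a constructed 512 KB ROM image so the boundary behaviour can be checked offline. Assumptions of this example: the ROM is 512 KB and mapped so that 0FFF80000h is its first byte (consistent with the scan start in the listing), the size field is taken as a plain dword the way relocate_ET_BIOS reads it (the listing calls the word "encoded" and that encoding is not interpreted here), and all function names are the example's own. The signature bytes EB 3E 45 54 decode as "jmp short +3Eh" followed by 'ET', which is why the listing's et_bios_start sits at offset 40h (2 + 3Eh).

```python
import struct

ROM_SIZE = 0x80000          # assumed 512 KB image
ROM_BASE = 0xFFF80000       # first physical address of the image; scan start in the listing
SCAN_END = 0xFFFF0000       # exclusive upper bound of the scan (the top 64 KB is never searched)
STEP = 16                   # the scan advances esi by 16 each iteration
ET_SIGNATURE = 0x54453EEB   # little-endian bytes EB 3E 45 54: 'jmp short +3Eh', 'E', 'T'
TARGET = 0x100000           # relocation target: right above 1 MB


def search_et_bios_sign_pos(rom: bytes):
    """Model of search_ET_BIOS_sign_pos: return the physical address of the
    first dword equal to the signature on a 16-byte stride, or None (the
    routine returns with CF set when the scan reaches SCAN_END)."""
    if len(rom) != ROM_SIZE:
        raise ValueError("this model expects a 512 KB image")
    addr = ROM_BASE
    while addr < SCAN_END:
        if struct.unpack_from("<I", rom, addr - ROM_BASE)[0] == ET_SIGNATURE:
            return addr
        addr += STEP
    return None


def relocation_length(rom: bytes, addr: int) -> int:
    """Model of the size arithmetic in relocate_ET_BIOS: dword at +4 rounded
    up to the next 1 KB multiple (add 3FFh, and with 0FFFFFC00h). rep movsd
    then copies exactly this many bytes (length / 4 dwords) to TARGET."""
    size = struct.unpack_from("<I", rom, addr - ROM_BASE + 4)[0]
    return (size + 0x3FF) & 0xFFFFFC00


def relocated_image(rom: bytes, addr: int) -> bytes:
    """The bytes that would sit at TARGET after relocate_ET_BIOS ran."""
    off = addr - ROM_BASE
    return rom[off: off + relocation_length(rom, addr)]


def et_entry_after_relocation(rom: bytes, addr: int) -> int:
    """Where execution lands: the first instruction of the module is 'jmp short'
    whose displacement is the signature's second byte, so the entry is
    TARGET + 2 + disp (100040h for the listing's EB 3E)."""
    disp = rom[addr - ROM_BASE + 1]
    return TARGET + 2 + disp


def make_rom(module_offset: int, module_size: int) -> bytes:
    """Constructed 512 KB image (all FFh) with a signature + size header placed
    at `module_offset`; used only as sample input for this example."""
    rom = bytearray(b"\xFF" * ROM_SIZE)
    struct.pack_into("<I", rom, module_offset, ET_SIGNATURE)
    struct.pack_into("<I", rom, module_offset + 4, module_size)
    return bytes(rom)


if __name__ == "__main__":
    rom = make_rom(0x10000, 0xFC73)  # size word taken from the listing's dw 0FC73h
    found = search_et_bios_sign_pos(rom)
    print("signature at %08X, copy %Xh bytes to %Xh, entry %Xh"
          % (found, relocation_length(rom, found), TARGET, et_entry_after_relocation(rom, found)))
```

Two consequences of the stride and the window fall out of the model: a module header that is not 16-byte aligned is never found, and nothing in the top 64 KB (the E_seg area itself) is searched, which is consistent with the module being a separate NoCompress ROM component rather than part of original.tmp.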
KenH, Chip off the ol' block
Joined: 30 Mar 2005 Posts: 104
Posted: Wed May 10, 2006 6:24 am
I found an interesting page on BIOS reverse engineering HERE
in my quest to better understand its functions...
maman, Master Flasher
Joined: 31 Mar 2002 Posts: 161 Location: Taka Bonerate National Park, Indonesia
Posted: Thu May 11, 2006 2:18 am
KenOath wrote:
> I found an interesting page on bios reverse engineering HERE
> in my quest to better understand its fuctions...

it's my website. The "root" page is in my signature below
_________________ -- Human knowledge belongs to the world --