flat assembler
Message board for the users of flat assembler.

AMI BIOS Reverse Engineering Article

Pinczakko



Joined: 02 May 2004
Posts: 34
Location: Takabonerate National Park, Indonesia
Haven't been here in a long time... I've got something for you guys.

My AMI BIOS Reverse Engineering article:
http://sites.google.com/site/pinczakko/pinczakko-s-guide-to-ami-bios-reverse-engineering-1

Hopefully, it's of some use or interest.

Ciao

_________________
Human knowledge belongs to the world
Post 06 Nov 2009, 16:58
Borsuc



Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
I think I have it converted to .chm somewhere, if it's still the older article. Good job, nice.
Post 06 Nov 2009, 19:13
Pinczakko



Joined: 02 May 2004
Posts: 34
Location: Takabonerate National Park, Indonesia
Well, no.

The old article was for Award BIOS reverse engineering. This is AMI BIOS reverse engineering.

Post 06 Nov 2009, 19:17
Borsuc



Joined: 29 Dec 2005
Posts: 2466
Location: Bucharest, Romania
Ah yes, sorry, I'm not very good at BIOSes myself.

EDIT: I have an AMI BIOS right now lol.
Post 06 Nov 2009, 19:26
Pinczakko



Joined: 02 May 2004
Posts: 34
Location: Takabonerate National Park, Indonesia
Anyway, some changes have happened since the article was written. Recent AMI BIOSes (since about 2007) use segment 4000h for the "POST entry point" instead of segment 2771h as explained in the article. I haven't taken that into account in the article because the BIOS I dissected dates back to 2005.

Post 06 Nov 2009, 19:35
Dex4u



Joined: 08 Feb 2005
Posts: 1601
Location: web
Great articles Pinczakko, a lot of useful stuff that I hope to try soon, thanks.
Post 06 Nov 2009, 23:33
vid


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
Hi Pinczakko, great to see you here!

I have some beginner questions:
1. How to reliably extract a BIOS image under Windows? Is it enough to just read the range at the top of physical memory (what range exactly?), or do you have to extract it from a BIOS update package somehow? Can you advise some tools that you use to extract the BIOS and to extract its packed modules?
2. How to find out what BIOS brand you have? AFAIK there are some brand strings, but distributors like to change them to their own name (at least I remember reading about such a case with Insyde BIOS).
Post 07 Nov 2009, 16:33
Pinczakko



Joined: 02 May 2004
Posts: 34
Location: Takabonerate National Park, Indonesia
1. Assuming that you know the exact motherboard you're using, you can download the BIOS image from the motherboard vendor website. Otherwise, you can use the BIOS vendor tools: if it's AMI BIOS, I think there is a utility called AFUWIN; in case it's Award-Phoenix, there is a utility called Phoenix Winflash. These utilities usually come with the motherboard installation CD or can be downloaded from the motherboard vendor website. To extract the packed modules, I made a decompressor plugin for IDA Pro, or you can also use the corresponding BIOS tools. For Award BIOS there's a tool called CBROM, while for AMIBIOS there is a tool called MMTOOL. Actually, I coded an application to write BIOS images directly to the flash ROM, but the chipsets supported by the utility are very limited; the source code is at: http://google-summer-of-code-2007-coresystems.googlecode.com/files/DarmawanMappatutu_Salihun.tar.gz

2. AMI BIOS has an "AMIBIOSC" string somewhere in the bootblock, while Award BIOS also has some sort of string identifier, i.e. "BBSS" in its bootblock. I forgot what BBSS stands for; it's something along the lines of "Boot Block XXX...".

Post 07 Nov 2009, 18:55
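Added example (not Pinczakko's code or part of the article): a small Python check that applies the bootblock strings he names, "AMIBIOSC" for AMI and "BBSS" for Award, to a ROM image, translates each hit to the physical address where the ROM sits below the 4 GiB boundary, and decodes the x86 reset vector in the last 16 bytes. The sample image, its string placement and its jump target are constructed for the demonstration.

```python
"""Identify a legacy BIOS vendor from a ROM image by the bootblock strings
named in the thread ("AMIBIOSC" -> AMI, "BBSS" -> Award) and decode the
x86 reset vector at the top of the image.  Sample data is constructed."""
import struct

SIGNATURES = {b"AMIBIOSC": "AMI", b"BBSS": "Award"}


def identify_vendor(image: bytes) -> list[tuple[str, int, int]]:
    """Return (vendor, file_offset, physical_address) for every signature hit.
    A legacy ROM is mapped flush against 4 GiB, so file offset `off` is at
    physical address 0x1_0000_0000 - len(image) + off."""
    base = 0x1_0000_0000 - len(image)
    hits = []
    for sig, vendor in SIGNATURES.items():
        off = image.find(sig)
        while off != -1:
            hits.append((vendor, off, base + off))
            off = image.find(sig, off + 1)
    return hits


def decode_reset_vector(image: bytes):
    """The CPU starts at F000:FFF0 (physical 0xFFFFFFF0), i.e. the last 16
    bytes of the image.  Legacy BIOSes place a far JMP (opcode EAh) there;
    return its (segment, offset) target, or None if no far jump is present."""
    rv = image[-16:]
    if len(rv) < 5 or rv[0] != 0xEA:
        return None
    offset, segment = struct.unpack_from("<HH", rv, 1)
    return segment, offset


def make_sample_image(size: int = 0x20000) -> bytes:
    """Constructed stand-in for a 128 KiB AMI image: 0xFF filler, the AMIBIOSC
    string 4 KiB below the top (inside the bootblock region) and a far jump to
    F000:E05B at the reset vector.  Values are illustrative, not from a real ROM."""
    img = bytearray(b"\xff" * size)
    img[size - 0x1000:size - 0x1000 + 8] = b"AMIBIOSC"
    img[size - 16:size - 11] = b"\xea" + struct.pack("<HH", 0xE05B, 0xF000)
    return bytes(img)


if __name__ == "__main__":
    sample = make_sample_image()
    for vendor, off, phys in identify_vendor(sample):
        print(f"{vendor}: file offset {off:#x}, physical {phys:#010x}")
    print("reset vector ->", decode_reset_vector(sample))
```

On a real dump, run the same two functions over the file read from disk; a bootblock hit near the top of the image, not just anywhere in it, is the stronger indicator.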
vid


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
Thanks a lot...

Another question: does the BIOS image contain SMM code? If yes, where do I find it (which module)?

edit: Never mind, I checked, and my BIOS of interest is a UEFI implementation by Intel (Tiano), very different. Almost fully 32/64-bit code, uses PE files for modules, etc...


Last edited by vid on 08 Nov 2009, 02:39; edited 1 time in total
Post 07 Nov 2009, 19:01
vid


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
Also, can you please post a link to your IDA decompressor plugin?
Post 07 Nov 2009, 19:23
Pinczakko



Joined: 02 May 2004
Posts: 34
Location: Takabonerate National Park, Indonesia
You can build the decompressor code using the LHA source code available on the web (just Google, you'd find one of them). Another route is to use MMTOOL to decompress the parts. MMTOOL is at http://www.rebelshavenforum.com/sis-bin/ultimatebb.cgi in the BIOS specific section. The plugin is not available on the web.

Post 24 Nov 2009, 14:48
f0dder



Joined: 19 Feb 2004
Posts: 3170
Location: Denmark
AFAIK the plugin SDK doesn't contain any watermarks, so even providing a binary should neither reveal your real name nor label you as a pirate if you're using one of the leaked versions.
Post 24 Nov 2009, 14:57
Pinczakko



Joined: 02 May 2004
Posts: 34
Location: Takabonerate National Park, Indonesia
Hello f0dder,

Actually the problem is that I couldn't locate it on my hard drive yet (again). I've just realized that I messed up my old files when I migrated to a new machine. Too bad I didn't use Subversion to centralize everything back then. I'll post the source code on Google Code when I get it.

Post 24 Nov 2009, 15:03
Alphonso



Joined: 16 Jan 2007
Posts: 294
vid wrote:
Thanks a lot...

Another question: does BIOS image contain SMM code? If yes, where to find it (which module)?

edit: Nevermind, I checked, and my BIOS of interest is UEFI implementation by Intel (Tiano), very different. Almost fully 32/64-bit code, uses PE files for modules, etc...
Well, if you're after SMM code then I guess EFI might be your friend. Having looked at an Acer 1MB EFI BIOS some time ago, there seemed to be more than 10% of the files that might pertain to SMM.

    Ich7MSmmDispatcher
    PeiSmmRelocate
    SmmAccess
    SmmBase
    SmmControl
    SmmCoreDispatcher
    SmmFwBlockService
    SmmOemServicesDriver
    SmmPlatform
    SmmPnp
    SmmRelocate
    SmmRuntime
    SmmThunk
    SmmUsbLegacy
    SmmVariable
Post 26 Nov 2009, 11:00
vid


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
Yeah, in the meantime I did some study and found out that SMM in EFI is implemented by a series of DXE drivers.
Post 26 Nov 2009, 13:49


Copyright © 1999-2020, Tomasz Grysztar.