phpdevpad 14 Jan 2013, 13:32
I'm looking for code for an option rom that can load another option rom and start it. Is this possible? I have read about flashnetboot. Is this what I need?
Thanks for your help!

Update: Here is my code, how do I start the option rom? I included the binary with file function and then I jump to main function but what next? How can I start the binary? Can I call it with raid rom?
;---------------------------PCI ROM Header----------------------------------------

        ROM_SIZE_IN_BLOCK = 1           ; 1 means ROM size is 1 block (512 bytes)
        ROM_SIZE_IN_BYTE = ROM_SIZE_IN_BLOCK*512 ; byte size used by the padding near the end

        VENDOR_ID       equ 1002h       ; PCI Vendor ID (must match your ethernet vendor id)
                                        ; exp: 10DE = nVidia
        DEVICE_ID       equ 4392h       ; PCI Device ID (must match your ethernet device id)
                                        ; exp: 0057h = nforce4 CK804 NIC

ROMStart:
        db 0x055, 0x0AA                 ; ROM Header 55,AA -> Bootable rom
        db (ROMEnd - ROMStart)/512      ; ROM Size in 512byte
        jmp MAIN

        db      0                       ; checksum, to be filled in later
        TIMES   18h-($-$$) DB 0         ; padding zeros to offset 18h
        DW      PCIHDR                  ; pointer to PCI Header
        DW      PNPHDR                  ; pointer to PnP Expansion Header

PCIHDR: DB      'PCIR'                  ; PCI data structure signature
        DW      VENDOR_ID               ; vendor ID                     (must match real PCI device)
        DW      DEVICE_ID               ; device ID                     (must match real PCI device)
        DW      0                       ; pointer to vital product data (0=none)
        DW      24                      ; PCI data structure length     [B]
        DB      0                       ; PCI data structure revision   (0=PCI 2.1)
        DB      2,0,0                   ; PCI device class code         (2=network ctrlr,0=eth.)
        DW      ROM_SIZE_IN_BLOCK       ; ROM size in 512B blocks
        DW      0                       ; revision level of code
        DB      0                       ; code type                     (0=x86 compatible)
        DB      80h                     ; last image indicator
        DW      0                       ; reserved

PNPHDR: DB      '$PnP'                  ; PnP data structure signature
        DB      1                       ; PnP structure revision
        DB      2                       ; PnP structure length          (in 16B blocks)
        DW      0                       ; offset to next header         (0-none)
        DB      0                       ; reserved
        DB      33h                     ; PnP structure checksum
        DD      0                       ; device identifier
        DW      0                       ; pointer to manufacturer string
        DW      0                       ; pointer to productname string
        DB      2,0,0                   ; device class code    (2=network ctrlr,0=eth.)
        DB      64h                     ; device indicators (64h - shadowable,cacheable,not 
                                        ; only for boot,IPL device)
        DW      0                       ; boot connection vector        (0-none)
        DW      0                       ; disconnect vector             (0-none)
        DW      0                       ; bootstrap entry vector        (0-none)
        DW      0                       ; reserved
        DW      0                       ; static resource info vector   (0-none)

MAIN:
        push    eax
        push    ebx
        push    bx
        push    dx
        push    si
        push    ds
        push    bp

        pop bp
        pop ds
        pop si
        pop dx
        pop bx
        pop ebx
        pop eax
        retf                            ; return far to system bios routine

raidrom:      file "raid.bin"

        times (ROM_SIZE_IN_BYTE-$) db 0 ; use 00h as the padding bytes until we reach the ROM size
ROMEnd:

        ; The last byte (512th) will be the patch_byte for the checksum
        ; patch_byte is calculated and automagically inserted below
        PREV_CHKSUM = 0
        repeat $
        load CHKSUM byte from %-1
        CHKSUM = (PREV_CHKSUM + CHKSUM) mod 0x100
        PREV_CHKSUM = CHKSUM            ; carry the running sum into the next iteration
        end repeat
        store byte ((0x100 - CHKSUM) mod 0x100) at ($-1)  ; store the patch_byte
Post 14 Jan 2013, 13:32
phpdevpad 19 Jan 2013, 16:04
When I jump into the option rom with call raidrom it gives me operating system not found.
Post 19 Jan 2013, 16:04
baldr 19 Jan 2013, 20:30

It can be caused by many circumstances, especially when the ROM image you're trying to start (loaded with file) assumes that it's placed at offset 0 in the segment. You have to move it to a proper place beforehand.

Are you trying to load part of foreign BIOS as option ROM?
Post 19 Jan 2013, 20:30
phpdevpad 19 Jan 2013, 22:51
@baldr: I'm trying to find a way to call an option rom. When I integrate the newest option rom I always get operating system not found. When I integrate an older option rom the bios doesn't boot unless I press the esc-key (http://board.flatassembler.net/topic.php?t=14965).

Now I'm trying the same ^^ and make a far call to bcv in the option rom but the bios doesn't see and start the option rom???

;---------------------------PCI ROM Header----------------------------------------

        BOOT   equ 18h
        OLDBOOT equ 86h

        ROM_SIZE_IN_BLOCK = 125         ; 1 means ROM size is 1 block (512 bytes)
        ROM_SIZE_IN_BYTE = ROM_SIZE_IN_BLOCK*512 ; byte size used by the padding near the end

        VENDOR_ID       equ 1002h       ; PCI Vendor ID (must match your ethernet vendor id)
                                        ; exp: 10DE = nVidia
        DEVICE_ID       equ 4392h       ; PCI Device ID (must match your ethernet device id)
                                        ; exp: 0057h = nforce4 CK804 NIC

ROMStart:
        db 0x055, 0x0AA                 ; ROM Header 55,AA -> Bootable rom
        db (ROMEnd - ROMStart)/512      ; ROM Size in 512byte
        jmp MAIN

        db      0                       ; checksum, to be filled in later
        TIMES   18h-($-$$) DB 0         ; padding zeros to offset 18h
        DW      PCIHDR                  ; pointer to PCI Header
        DW      PNPHDR                  ; pointer to PnP Expansion Header

PCIHDR: DB      'PCIR'                  ; PCI data structure signature
        DW      VENDOR_ID               ; vendor ID                     (must match real PCI device)
        DW      DEVICE_ID               ; device ID                     (must match real PCI device)
        DW      0                       ; pointer to vital product data (0=none)
        DW      24                      ; PCI data structure length     [B]
        DB      0                       ; PCI data structure revision   (0=PCI 2.1)
        DB      8Fh,04,01               ; PCI device class code         (01=mass storage,04=RAID; low byte first)
        DW      ROM_SIZE_IN_BLOCK       ; ROM size in 512B blocks
        DW      0                       ; revision level of code
        DB      0                       ; code type                     (0=x86 compatible)
        DB      80h                     ; last image indicator
        DW      0                       ; reserved

PNPHDR: DB      '$PnP'                  ; PnP data structure signature
        DB      1                       ; PnP structure revision
        DB      2                       ; PnP structure length          (in 16B blocks)
        DW      0                       ; offset to next header         (0-none)
        DB      0                       ; reserved
        DB      8Bh                     ; PnP structure checksum
        DD      0                       ; device identifier
        DW      0                       ; pointer to manufacturer string
        DW      0                       ; pointer to productname string
        DB      8Fh,04,01               ; device class code    (same bytes as in PCIR above)
        DB      64h                     ; device indicators (64h - shadowable,cacheable,not 
                                        ; only for boot,IPL device)
        DW      0                       ; boot connection vector        (0-none)
        DW      0                       ; disconnect vector             (0-none)
        DW      0                       ; bootstrap entry vector        (0-none)
        DW      0                       ; reserved
        DW      0                       ; static resource info vector   (0-none)

MAIN:
        push ds

debug_step1:                            ;print int13 vector 
        mov ebx,00000000h 
        mov eax, [fs:ebx+4ch] 
        mov ecx, eax 
        mov dx, 25/2 
        mov ax, 80/2 - 8/2 
        call print_hex

        mov ah, 00h                      
        int 16h                         ; key press wait
        cmp al, 0dh                     ; Enter key 
        je debug_step2                  ; Handle  
        jne debug_step1 

debug_step2:                            ;print disk number BDA 
        mov ebx,00000000h 
        mov eax, [fs:ebx+474h] 
        mov ecx, eax 
        mov dx, 25/2 
        mov ax, 80/2 - 8/2 
        call print_hex 

        mov ah, 00h
        int 16h                         ; key press wait
        cmp al, 0dh                     ; Enter key 
        je ccc                          ; Handle  
        jne debug_step2 

ccc:                                    ;set ES:DI to PnP install check 
        mov ax,0f000h 
        mov es,ax 
        mov di,0e2d0h 
        mov bx,-1 
        mov dx,-1 
        mov ax,4 
        ;call far 0D000h:1391h
        call raidrom+0x02d7

debug_step3:                            ;print int13 vector 
        mov ebx,00000000h 
        mov eax, [fs:ebx+4ch] 
        mov ecx, eax 
        mov dx, 25/2 
        mov ax, 80/2 - 8/2 
        call print_hex

        mov ah, 00h                      
        int 16h                         ; key press wait
        cmp al, 0dh                     ; Enter key 
        je debug_step4                  ; Handle  
        jne debug_step3 

debug_step4:                            ;print disk number BDA 
        mov ebx,00000000h 
        mov eax, [fs:ebx+474h] 
        mov ecx, eax 
        mov dx, 25/2 
        mov ax, 80/2 - 8/2 
        call print_hex

        mov ah, 00h                      
        int 16h                         ; key press wait
        cmp al, 0dh                     ; Enter key 
        je zzz                          ; Handle  
        jne debug_step4 

zzz:                                    ;choose exit type retf or int18 
        mov ah, 00h 
        int 16h                         ; key press wait
        cmp al, 0dh                     ; Enter key 
        je ggg                          ; Handle 
        jne ddd 
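ggg:                                    ; Enter pressed: far return to the system BIOS
        pop ds
        retf

ddd:                                    ; any other key: exit through int 18h
        pop ds

        int 0x18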

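print_hex: ; DX = Row ; AX = Col ; ECX = NUMBER (Assuming 80x25 mode)
        push    es

        push    $B800
        pop     es                      ; ES = text-mode video memory

        imul    di, dx, 80
        add     di, ax
        shl     di, 1                   ; DI = (row*80 + col) * 2 bytes per cell

        mov     edx, ecx
        mov     ecx, 8                  ; 8 hex digits in a dword
        mov     ah, 7 ; GRAY FONT; BLACK BACKGROUND

.writeNibble:
        rol     edx, 4                  ; bring the next most significant nibble down
        mov     si, dx
        and     si, $F
        mov     al, [cs:.lut+si]
        stosw                           ; write character + attribute to ES:DI
        loop    .writeNibble

        pop     es
        ret
.lut db '0123456789ABCDEF'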


raidrom:      file "raid700.rom"

        times (ROM_SIZE_IN_BYTE-$) db 0 ; use 00h as the padding bytes until we
                                        ;reach the ROM size
ROMEnd:

        ; The last byte (512th) will be the patch_byte for the checksum
        ; patch_byte is calculated and automagically inserted below
        PREV_CHKSUM = 0
        repeat $
        load CHKSUM byte from %-1
        CHKSUM = (PREV_CHKSUM + CHKSUM) mod 0x100
        PREV_CHKSUM = CHKSUM            ; carry the running sum into the next iteration
        end repeat
        store byte ((0x100 - CHKSUM) mod 0x100) at ($-1)  ; store the patch_byte

Post 19 Jan 2013, 22:51
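
The header fields and the two checksums used in the listings above can be checked offline before an image is flashed. The following Python sketch is an added example, not code from any poster in this thread; `check_option_rom` and `build_sample` are hypothetical names, and the sample image is constructed from the second listing's header values with a 1-block size instead of 125.

```python
import struct

def sum8(data):
    """8-bit additive checksum; a correctly patched region sums to 0."""
    return sum(data) & 0xFF

def check_option_rom(image):
    """Check the header fields and checksums of a legacy PCI option ROM image."""
    r = {"signature_ok": image[:2] == b"\x55\xAA"}
    if not r["signature_ok"] or len(image) < 0x1C:
        return r
    size = image[2] * 512                        # size byte counts 512-byte blocks
    r["size_ok"] = 0 < size <= len(image)
    r["image_checksum_ok"] = r["size_ok"] and sum8(image[:size]) == 0
    pcir, pnp = struct.unpack_from("<HH", image, 0x18)   # pointers at offset 18h
    r["pcir_ok"] = image[pcir:pcir + 4] == b"PCIR" and len(image) >= pcir + 24
    if r["pcir_ok"]:
        r["vendor_id"], r["device_id"] = struct.unpack_from("<HH", image, pcir + 4)
        # class code is stored low byte first: prog-if, subclass, base class
        r["class_code"] = tuple(image[pcir + 0x0D:pcir + 0x10][::-1])
        r["sizes_agree"] = struct.unpack_from("<H", image, pcir + 0x10)[0] == image[2]
        r["last_image"] = bool(image[pcir + 0x15] & 0x80)
    r["pnp_ok"] = image[pnp:pnp + 4] == b"$PnP" and len(image) >= pnp + 6
    if r["pnp_ok"]:
        pnp_len = image[pnp + 5] * 16            # length field counts 16-byte blocks
        r["pnp_checksum_ok"] = pnp_len > 0 and sum8(image[pnp:pnp + pnp_len]) == 0
    return r

def build_sample(pnp_checksum):
    """Constructed 1-block image carrying the second listing's header values."""
    img = bytearray(512)
    img[0:3] = b"\x55\xAA\x01"
    struct.pack_into("<HH", img, 0x18, 0x1C, 0x34)       # PCIR at 1Ch, $PnP at 34h
    img[0x1C:0x34] = (b"PCIR" + struct.pack("<HHHHB", 0x1002, 0x4392, 0, 24, 0)
                      + bytes([0x8F, 0x04, 0x01])
                      + struct.pack("<HHBBH", 1, 0, 0, 0x80, 0))
    img[0x34:0x3A] = b"$PnP\x01\x02"
    img[0x3D] = pnp_checksum                             # checksum byte at +9
    img[0x46:0x4A] = bytes([0x8F, 0x04, 0x01, 0x64])     # class code, indicators
    img[-1] = -sum(img[:-1]) & 0xFF                      # patch byte: image sums to 0
    return bytes(img)

if __name__ == "__main__":
    for value in (0x8B, 0xD3):
        print(hex(value), check_option_rom(build_sample(value)))
```

With these header bytes the 32-byte PnP structure sums to zero only when its checksum byte is D3h; with the 8Bh value from the listing the PnP check fails while the whole-image checksum still passes.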
baldr 23 Jan 2013, 10:54

You may try to put file "raid700.rom" at the very beginning (thus ensuring it starts at offset 0), append your code after it, then patch the result using load/store (to redirect execution forth and back, like in an infected executable).

Your method has a good chance to fail unless the ROM is written as position-independent (and it's rarely so).
Post 23 Jan 2013, 10:54
phpdevpad 24 Jan 2013, 13:50
@baldr: Thank you but I didn't understand. However I had an idea and it's almost working. I have disassembled the misc.bin and permanently activated the esc-key sequence. This seems to work and the bios boots and it shows the splash and then the post screen. Now I want to try to activate the ctrl-f key to open the raid menu because my patch seems to delete the raid menu, too?! Maybe you can help? Currently I'm reading this: http://ebook.pldworld.com/_eBook/dosref33/.

Success!! Now, I'm wondering if I can update to latest option rom?? With latest option rom I get Load to misc.bin error and bios freezes?

Last edited by phpdevpad on 29 Jan 2013, 12:54; edited 1 time in total
Post 24 Jan 2013, 13:50
Flat12 25 Jan 2013, 21:16
Try cutting the code, the first 512 bytes (EA 05 00 .... 55 AA), from the gPXE 1.0.1 floppy image. This is a boot-sector loader for another ROM image:
Loading ROM image...    



Post 25 Jan 2013, 21:16
phpdevpad 28 Jan 2013, 00:08
Thank you for your help but my option rom works.
Post 28 Jan 2013, 00:08
