flat assembler
Message board for the users of flat assembler.

Index > OS Construction > Bios doesn't load my option rom?

Goto page 1, 2  Next
Author
Thread Post new topic Reply to topic
phpdevpad



Joined: 12 Jan 2013
Posts: 37
phpdevpad 20 Jan 2013, 11:55
I have compiled an option rom but my bios doesn't seem to see it neither to load or something. My option rom starts with $55, $aa and checksum is 0. I also have a device id, vendor id, a pcir structure and pnp structure. In my option rom I want to print some information from the bios to the screen. I don't know much asm just a copy and past work.
Thank you for your help! My bios is a phoenix bios and I want to update my amd raid driver but bios is nasty to me!

Code:
;---------------------------------------------------------------------------------
;---------------------------PCI ROM Header----------------------------------------
;---------------------------------------------------------------------------------

        VENDOR_ID       equ 10ECh       ; PCI Vendor ID (must match your ethernet vendor id)
                                        ; exp: 10DE = nVidia
        DEVICE_ID       equ 8168h       ; PCI Device ID (must match your ethernet devicie id)
                                        ; exp: 0057h = nforce4 CK804 NIC
ROMStart:
        db 0x055, 0x0AA                 ; ROM Header 55,AA -> Bootable rom
        db (ROMEnd - ROMStart)/512      ; ROM Size in 512byte
        jmp MAIN

        db      0                       ; checksum, to be filled in later
        TIMES   18h-($-$$) DB 0         ; padding zeros to offset 18h
        DW      PCIHDR                  ; pointer to PCI Header
        DW      PNPHDR                  ; pointer to PnP Expansion Header

PCIHDR: DB      'PCIR'                  ; PCI data structure signature
        DW      VENDOR_ID               ; vendor ID                     (must match real PCI device)
        DW      DEVICE_ID               ; device ID                     (must match real PCI device)
        DW      0                       ; pointer to vital product data (0=none)
        DW      18                      ; PCI data structure length     [B]
        DB      0                       ; PCI data structure revision   (0=PCI 2.1)
        DB      2,0,0                   ; PCI device class code         (2=network ctrlr,0=eth.)
        DW      (ROMEnd - ROMStart)/512       ; ROM size in 512B blocks
        DW      0                       ; revision level of code
        DB      0                       ; code type                     (0=x86 compitable)
        DB      80h                     ; last image indicator
        DW      0                       ; reserved

PNPHDR: DB      '$PnP'                  ; PnP data structure signature
        DB      1                       ; PnP structure revision
        DB      2                       ; PnP structure length          (in 16B blocks)
        DW      0                       ; offset to next header         (0-none)
        DB      0                       ; reserved
        DB      0x4b                     ; PnP structure checksum
        DD      0                       ; device identifier
        DW      0                       ; pointer to manufacturer string
        DW      0                       ; pointer to productname string
        DB      2,0,0                   ; device class code    (2=network ctrlr,0=eth.)
        DB      0xe4                     ; device indicators (64h - shadowable,cacheable,not
                                        ; only for boot,IPL device)
        DW      0                       ; boot connection vector        (0-none)
        DW      0                       ; disconnect vector             (0-none)
        DW      0                       ; bootstrap entry vector        (0-none)
        DW      0                       ; reserved
        DW      0                       ; static resource info vector   (0-none)

MAIN:
        pushfd
        pushad 
        push ds 

debug_step1:                            ;print int13 vector 
        mov ebx,00000000h 
        mov eax, [fs:ebx+4ch] 
        mov ecx, eax 
        mov dx, 25/2 
        mov ax, 80/2 - 8/2 
        call print_hex

        mov ah, 00h                      
        int 16h                         ; key press wait
        cmp al, 0dh                     ; Enter key 
        je debug_step2                  ; Handle  
        jne debug_step1 

debug_step2:                            ;print disk number BDA 
        mov ebx,00000000h 
        mov eax, [fs:ebx+474h] 
        mov ecx, eax 
        mov dx, 25/2 
        mov ax, 80/2 - 8/2 
        call print_hex 

        mov ah, 00h
        int 16h                         ; key press wait
        cmp al, 0dh                     ; Enter key 
        je ccc                          ; Handle  
        jne debug_step2 

ccc:                                    ;set ES:DI to PnP install check 
        mov ax,0f000h
        mov es,ax
        mov di,0e2d0h
        mov bx,-1
        mov dx,-1
        mov ax,4
        ; call far 0D000h:1391h
        call far 0cf00h:02d1h

debug_step3:                            ;print int13 vector 
        mov ebx,00000000h 
        mov eax, [fs:ebx+4ch] 
        mov ecx, eax 
        mov dx, 25/2 
        mov ax, 80/2 - 8/2 
        call print_hex

        mov ah, 00h                      
        int 16h                         ; key press wait
        cmp al, 0dh                     ; Enter key 
        je debug_step4                  ; Handle  
        jne debug_step3 

debug_step4:                            ;print disk number BDA 
        mov ebx,00000000h 
        mov eax, [fs:ebx+474h] 
        mov ecx, eax 
        mov dx, 25/2 
        mov ax, 80/2 - 8/2 
        call print_hex

        mov ah, 00h                      
        int 16h                         ; key press wait
        cmp al, 0dh                     ; Enter key 
        je zzz                          ; Handle  
        jne debug_step4 

zzz:                                    ;choose exit type retf or int18 
        mov ah, 00h 
        int 16h                         ; key press wait
        cmp al, 0dh                     ; Enter key 
        je ggg                          ; Handle 
        jne ddd 
ggg: 
        pop ds 
        popad 
        popfd
        ret 

ddd: 
        pop ds 
        popad 
        popfd 

        int 0x18 

print_hex: ; DX = Row ; AX = Col ; ECX = NUMBER (Assuming 80x25 mode) 
        pushad 
        push    es 

        push    $B800 
        pop     es 

        imul    di, dx, 80 
        add     di, ax 
        shl     di, 1 

        mov     edx, ecx 
        mov     ecx, 8 
        mov     ah, 7 ; GRAY FONT; BLACK BACKGROUND 

.writeNibble: 
        rol     edx, 4 
        mov     si, dx 
        and     si, $F 
        mov     al, [cs:.lut+si] 
        stosw 
        loop    .writeNibble 

        pop     es 
        popad 
        ret 
.lut db '0123456789ABCDEF' 
      TIMES   100 DB 0         ; padding zeros to offset 18h
;__________________________________________________________________________________________________________________

;raidrom:      file "raid700.rom"



        times ((ROMEnd - ROMStart)-$) db 0 ; use 00h as the padding bytes until we
                                        ;reach the ROM size 

        ; The last byte (512th) will be the patch_byte for the checksum 
        ; patch_byte is calculated and automagically inserted below 
        PREV_CHKSUM = 0 
        repeat $ 
        load CHKSUM byte from %-1 
        CHKSUM = (PREV_CHKSUM + CHKSUM) mod 0x100 
        PREV_CHKSUM = CHKSUM 
        end repeat 
        store byte (0x100 - CHKSUM) at ($-1)  ; store the patch_byte 
ROMEnd:
    
Post 20 Jan 2013, 11:55
View user's profile Send private message Visit poster's website Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 20 Jan 2013, 17:01
Sorry if you said this already but couldn't find it in your other posts: Where are you placing this binary so the BIOS can find it?

I think you mentioned this is a laptop, so I'm wondering where is this laptop letting you inject a ROM.
Post 20 Jan 2013, 17:01
View user's profile Send private message Reply with quote
phpdevpad



Joined: 12 Jan 2013
Posts: 37
phpdevpad 20 Jan 2013, 17:21
LocoDelAssembly wrote:
Sorry if you said this already but couldn't find it in your other posts: Where are you placing this binary so the BIOS can find it?

I think you mentioned this is a laptop, so I'm wondering where is this laptop letting you inject a ROM.


I have the Phoenix Bios Editor and the binary is exactly at the same place like the original oprom. When I start R&W with original oprom it says option rom is loaded at 0xcf000. Does it answer your question? I don't know much about bios and asm. However I have some experience with Motorola 68000 and Atari TOS. I noticed also that the oprom I want to replace is an amd raid rom and it needs also a misc.bin. Funny thing is misc.bin must be named user01.rom in phoenix bios editor otherwise bios doesn't boot but phoenix bios uses 0 for counting, too and there is no way to edit the name of the rom. I ended up installing 2 misc.bins. So I thing the bios is loading the oproms starting from c0000 into the ram. The first oprom end at cf000. The second is cf000 and ends at De000. Hence I have plenty space left?
Post 20 Jan 2013, 17:21
View user's profile Send private message Visit poster's website Reply with quote
ACP



Joined: 23 Sep 2006
Posts: 204
ACP 23 Jan 2013, 07:42
Here is a book you might find very useful - there is a whole chapter on writing own ROMs: http://bioshacking.blogspot.com/2012/02/bios-disassembly-ninjutsu-uncovered-1st.html

Take a look if you haven't done it yet.
Post 23 Jan 2013, 07:42
View user's profile Send private message Reply with quote
phpdevpad



Joined: 12 Jan 2013
Posts: 37
phpdevpad 24 Jan 2013, 13:51
@acp: Thank you but I didn't understand. However I had an idea and it's almost working. I have disassambled the misc.bin and permanently activated the esc-key sequence. This seems to work and bios boot and it's shows the splash and then the post screen. Now I want to try to activate the ctrl-f key to open the raid menu because my patch seems to delete the raid menu, too!? Maybe you can help? http://ebook.pldworld.com/_eBook/dosref33/
Post 24 Jan 2013, 13:51
View user's profile Send private message Visit poster's website Reply with quote
phpdevpad



Joined: 12 Jan 2013
Posts: 37
phpdevpad 24 Jan 2013, 17:38
phpdevpad wrote:
@acp: Thank you but I didn't understand. However I had an idea and it's almost working. I have disassambled the misc.bin and permanently activated the esc-key sequence. This seems to work and bios boot and it's shows the splash and then the post screen. Now I want to try to activate the ctrl-f key to open the raid menu because my patch seems to delete the raid menu, too!? Maybe you can help? http://ebook.pldworld.com/_eBook/dosref33/


Success!! Now, I'm wondering if I can update to latest option rom?? With latest option rom I get Load to misc.bin error and bios freezes?


Last edited by phpdevpad on 29 Jan 2013, 12:52; edited 1 time in total
Post 24 Jan 2013, 17:38
View user's profile Send private message Visit poster's website Reply with quote
ACP



Joined: 23 Sep 2006
Posts: 204
ACP 25 Jan 2013, 00:09
Since you are using IDA you might find this tutorial useful: https://www.hex-rays.com/products/ida/support/tutorials/debugging_gdb_qemu.pdf

It may help you debug why your bios hangs and track down what wrong you are doing.
Post 25 Jan 2013, 00:09
View user's profile Send private message Reply with quote
phpdevpad



Joined: 12 Jan 2013
Posts: 37
phpdevpad 25 Jan 2013, 05:34
ACP wrote:
Since you are using IDA you might find this tutorial useful: https://www.hex-rays.com/products/ida/support/tutorials/debugging_gdb_qemu.pdf

It may help you debug why your bios hangs and track down what wrong you are doing.


Great news! Thank you very much. Do you know how I can debug my bios with qemu? I have read the pdf but it doesn't show how to debug a bios?

Here is a benchmark with my new option rom:[/img]


Description:
Filesize: 14.46 KB
Viewed: 13471 Time(s)

Unbenannt.png


Post 25 Jan 2013, 05:34
View user's profile Send private message Visit poster's website Reply with quote
ACP



Joined: 23 Sep 2006
Posts: 204
ACP 25 Jan 2013, 10:53
phpdevpad wrote:
Do you know how I can debug my bios with qemu? I have read the pdf but it doesn't show how to debug a bios?


It is quite simple assuming you had installed qemu and IDA connected to it successfully. You have to edit segments in IDA just as it is described in mentioned document. Then you can covert data to code using "C" key and single step though BIOS code using all debugger features like Step Into (F7) or Step Over commands and setup breakpoints. For example you can setup a breakpoints in your code or in code which should be calling your code etc. You can also enable "Instruction tracing" (assuming you have IDA 6.x version) and run the BIOS code (just ensure your tracing buffer is big enough) and wait till it crash or returns error so you can trace back the execution flow.

Edit by revolution: Fixed quote markup
Post 25 Jan 2013, 10:53
View user's profile Send private message Reply with quote
phpdevpad



Joined: 12 Jan 2013
Posts: 37
phpdevpad 25 Jan 2013, 10:57
ACP wrote:
phpdevpad wrote:
Do you know how I can debug my bios with qemu? I have read the pdf but it doesn't show how to debug a bios?


It is quite simple assuming you had installed qemu and IDA connected to it successfully. You have to edit segments in IDA just as it is described in mentioned document. Then you can covert data to code using "C" key and single step though BIOS code using all debugger features like Step Into (F7) or Step Over commands and setup breakpoints. For example you can setup a breakpoints in your code or in code which should be calling your code etc. You can also enable "Instruction tracing" (assuming you have IDA 6.x version) and run the BIOS code (just ensure your tracing buffer is big enough) and wait till it crash or returns error so you can trace back the execution flow.


I didn't read about how to debug my updated bios? I want to use qemu with my bios image. Is this explained somewhere? Thank you!

Update: I have installed qemu but I'm a bit lost. Where can I put my option rom?

Edit by revolution: Fixed quote markup
Post 25 Jan 2013, 10:57
View user's profile Send private message Visit poster's website Reply with quote
ACP



Joined: 23 Sep 2006
Posts: 204
ACP 25 Jan 2013, 22:41
phpdevpad wrote:

I didn't read about how to debug my updated bios? I want to use qemu with my bios image. Is this explained somewhere? Thank you!

Update: I have installed qemu but I'm a bit lost. Where can I put my option rom?



You just pass it as parameter to qemu. Here is another tutorial link with all the details - please note that it is based on coreboot but just use your bios images instead: http://bioshacking.blogspot.com/2011_10_01_archive.html You can skip coreboot compiling part unless you want to test your option rom using it.
Post 25 Jan 2013, 22:41
View user's profile Send private message Reply with quote
phpdevpad



Joined: 12 Jan 2013
Posts: 37
phpdevpad 28 Jan 2013, 00:05
ACP wrote:
phpdevpad wrote:

I didn't read about how to debug my updated bios? I want to use qemu with my bios image. Is this explained somewhere? Thank you!

Update: I have installed qemu but I'm a bit lost. Where can I put my option rom?



You just pass it as parameter to qemu. Here is another tutorial link with all the details - please note that it is based on coreboot but just use your bios images instead: http://bioshacking.blogspot.com/2011_10_01_archive.html You can skip coreboot compiling part unless you want to test your option rom using it.


Yes, thank you for your help. I got my option rom working. Last time when I checked ida and qemu debugging didn't work. I have downloaded the binary from your link and followed the instructions but I use Windows 8 64-bit? Can this be a problem?
Post 28 Jan 2013, 00:05
View user's profile Send private message Visit poster's website Reply with quote
ACP



Joined: 23 Sep 2006
Posts: 204
ACP 28 Jan 2013, 11:27
phpdevpad wrote:

Yes, thank you for your help. I got my option rom working. Last time when I checked ida and qemu debugging didn't work. I have downloaded the binary from your link and followed the instructions but I use Windows 8 64-bit? Can this be a problem?


While I haven't used IDA on W8 x64 yet I am using IDA on W7 x64 without any problems however currently I have bochs and qemu setup running on i386 Linux but you should be fine with Windows to host all of those apps. If not just use VMWare Player and setup any Linux you like which provides qemu in form of binary packages. If you haven't compiled qemu from source never before it could be tricky for the first time.

I would advice to use IDA Pro 32bit since (at least 6.3 - I did not switch to 6.4 yet) 64 version has problem with displaying bios entry point correctly. One more tip: do not setup segments manually before breaking at entry point because IDA will loose those settings. Instead wait for debugger to display initial disassembly and define 16bit segment then. The pdf is quite old so if you are using IDA 6.x use have to define segment from Debugger->Debugger options->Set specific options->Memory map->Ins key to add segment.
Post 28 Jan 2013, 11:27
View user's profile Send private message Reply with quote
ACP



Joined: 23 Sep 2006
Posts: 204
ACP 29 Jan 2013, 09:22
phpdevpad wrote:

Okay, thank you. I'm not so fast and still learning. Why do I need to map the memory anyway? Is this because of this Extended Memory and A20 Gate thing? I have read about it here http://ebook.pldworld.com/_eBook/dosref33/. Looks totally fishy to me.


You're welcome Smile

No, the memory map option in IDA is not in any way related to how A20 gate or Extended Memory works. The only relations is memory segmentation in real mode and its memory addressing limits from 8086 times (which in turn was a reason for providing A20 gate - BTW how many other systems used keyboard controller line to enable memory access?). Anyway back to the topic: you need to define segments (in IDA terms) in memory for IDA, so the disassembler and debugger provides you with correct information. One aspect of segments definition in IDA is bitness of the segment (16/32) which is crucial for proper disassembly and automatic code analysis. Secondly you will not be able to follow JuMPs larger than short (+/-128 bytes) and usually BIOS entry point at FFFF:FFF0 starts with JMP FAR. Secondly segments allows you to define which memory areas should be injected back to disassembler and saved as part of your IDA database. You obviously don't want 4gb address space dump Wink

To recap: do not mix up IDA segments with real/unreal/protected mode segments of x86. While those can be connected they are completely different entities.
Post 29 Jan 2013, 09:22
View user's profile Send private message Reply with quote
phpdevpad



Joined: 12 Jan 2013
Posts: 37
phpdevpad 29 Jan 2013, 20:05
ACP wrote:
phpdevpad wrote:

Okay, thank you. I'm not so fast and still learning. Why do I need to map the memory anyway? Is this because of this Extended Memory and A20 Gate thing? I have read about it here http://ebook.pldworld.com/_eBook/dosref33/. Looks totally fishy to me.


You're welcome Smile

No, the memory map option in IDA is not in any way related to how A20 gate or Extended Memory works. The only relations is memory segmentation in real mode and its memory addressing limits from 8086 times (which in turn was a reason for providing A20 gate - BTW how many other systems used keyboard controller line to enable memory access?). Anyway back to the topic: you need to define segments (in IDA terms) in memory for IDA, so the disassembler and debugger provides you with correct information. One aspect of segments definition in IDA is bitness of the segment (16/32) which is crucial for proper disassembly and automatic code analysis. Secondly you will not be able to follow JuMPs larger than short (+/-128 bytes) and usually BIOS entry point at FFFF:FFF0 starts with JMP FAR. Secondly segments allows you to define which memory areas should be injected back to disassembler and saved as part of your IDA database. You obviously don't want 4gb address space dump Wink

To recap: do not mix up IDA segments with real/unreal/protected mode segments of x86. While those can be connected they are completely different entities.


I see, I know about russian computer using ternary numbers and also flash memory with ternary numbers. Is this ternary numbers is used in NAND flash memory today? I have tried the ida and qemu thing again and also ida with administrative rights but it always give me the same error insufficient rights? I'm lost. I'm using IDA 6.1 64-bit.


Description:
Filesize: 15.98 KB
Viewed: 13399 Time(s)

ida11.png




Last edited by phpdevpad on 29 Jan 2013, 21:05; edited 1 time in total
Post 29 Jan 2013, 20:05
View user's profile Send private message Visit poster's website Reply with quote
ACP



Joined: 23 Sep 2006
Posts: 204
ACP 29 Jan 2013, 20:59
Make sure your qemu is the same bitness as IDA. Weird things can happen when you try 32bit apps with 64bit apps in this settings. I would assume your qemu is compiled as 32bit app.
Post 29 Jan 2013, 20:59
View user's profile Send private message Reply with quote
phpdevpad



Joined: 12 Jan 2013
Posts: 37
phpdevpad 29 Jan 2013, 21:36
ACP wrote:
Make sure your qemu is the same bitness as IDA. Weird things can happen when you try 32bit apps with 64bit apps in this settings. I would assume your qemu is compiled as 32bit app.


I have, this is my qemu-64 bit.bat. Does processmon can help?

Code:
REM Start qemu on windows.
@ECHO OFF

REM SDL_VIDEODRIVER=directx is faster than windib. But keyboard cannot work well.
SET SDL_VIDEODRIVER=windib

REM SDL_AUDIODRIVER=waveout or dsound can be used. Only if QEMU_AUDIO_DRV=sdl.
SET SDL_AUDIODRIVER=dsound

REM QEMU_AUDIO_DRV=dsound or fmod or sdl or none can be used. See qemu -audio-help.
SET QEMU_AUDIO_DRV=dsound

REM QEMU_AUDIO_LOG_TO_MONITOR=1 displays log messages in QEMU monitor.
SET QEMU_AUDIO_LOG_TO_MONITOR=0

REM PCI-based PC(default): -M pc 
REM ISA-based PC         : -M isapc
REM -M isapc is added for NE2000 ISA card.

qemu-system-x86_64.exe -L . -m 128 -hda linux.img -soundhw sb16,es1370 -localtime -M pc -s -S
    


Update: I have also tried 32-bit only.

Code:
  bytes   pages size description
--------- ----- ---- --------------------------------------------
   262144    32 8192 allocating memory for b-tree...
    65536     8 8192 allocating memory for virtual array...
   262144    32 8192 allocating memory for name pointers...
-----------------------------------------------------------------
   589824            total memory allocated

Loading processor module C:\Program Files (x86)\IDA Pro Advanced Edition v6.1\procs\pc.w32 for metapc...OK
Autoanalysis subsystem has been initialized.
Can not set debug privilege: Dem Aufrufer wurden nicht alle angegebenen Berechtigungen und Gruppen zugewiesen.
Flushing buffers, please wait...ok
Unloading IDP module C:\Program Files (x86)\IDA Pro Advanced Edition v6.1\procs\pc.w32...
Can not reset debug privilege: Dem Aufrufer wurden nicht alle angegebenen Berechtigungen und Gruppen zugewiesen.
Can not set debug privilege: Dem Aufrufer wurden nicht alle angegebenen Berechtigungen und Gruppen zugewiesen.
    
Post 29 Jan 2013, 21:36
View user's profile Send private message Visit poster's website Reply with quote
ACP



Joined: 23 Sep 2006
Posts: 204
ACP 30 Jan 2013, 12:47
Since I don't have any machine with Windows 8 installed I can't replicate your problem. Assuming you are using administrative privileges and looking into error messages I would guess there is a problem with Windows Debug Privileges so my suggestion is to contact HexRays and let them know about the problem. They reply pretty quickly.
Post 30 Jan 2013, 12:47
View user's profile Send private message Reply with quote
phpdevpad



Joined: 12 Jan 2013
Posts: 37
phpdevpad 30 Jan 2013, 15:16
ACP wrote:
Since I don't have any machine with Windows 8 installed I can't replicate your problem. Assuming you are using administrative privileges and looking into error messages I would guess there is a problem with Windows Debug Privileges so my suggestion is to contact HexRays and let them know about the problem. They reply pretty quickly.


hi, thank you for the fast response, of course I have asked them before I post here, they told me to reinstall ida and windows and also to format sector 0 and also hidden system partition with dd. Isn't there another way how can I solve my problem?
Post 30 Jan 2013, 15:16
View user's profile Send private message Visit poster's website Reply with quote
ACP



Joined: 23 Sep 2006
Posts: 204
ACP 30 Jan 2013, 20:17
phpdevpad wrote:


hi, thank you for the fast response, of course I have asked them before I post here, they told me to reinstall ida and windows and also to format sector 0 and also hidden system partition with dd. Isn't there another way how can I solve my problem?


Could you post their recommendations? In mean time you can setup qemu remotely on different machine or locally under VMWare for example. I'm using IDA on Windows and qemu on Linux. This should fix the problem with privileges assuming this is the cause of your problems.
Post 30 Jan 2013, 20:17
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.