start
====== Differences ====== This shows you the differences between two versions of the page.
|
start [2013/05/21 20:11] xvilka [Phoenix] |
start [2014/01/09 13:47] (current) xvilka |
||
|---|---|---|---|
| Line 2: | Line 2: | ||
| See [[ida_pro_tracing]] and [[radare2_tracing]] | See [[ida_pro_tracing]] and [[radare2_tracing]] | ||
| + | |||
| + | ==== Other firmares ==== | ||
| + | |||
| + | * [[embedded_controller]] | ||
| + | * [[intel_amt]] | ||
| + | * [[video_bios]] | ||
| ==== Prerequisites ==== | ==== Prerequisites ==== | ||
| Line 12: | Line 18: | ||
| You should disable color output for that: | You should disable color output for that: | ||
| e scr.color=false | e scr.color=false | ||
| + | | ||
| - | ==== AMIBIOS ==== | + | ==== All kind of BIOSes ==== |
| - | See example here http://xvilka.me/ami_bios.bin | + | Open bios image just typing |
| + | |||
| + | r2 bios_image.bin | ||
| + | |||
| + | It should be opened automatically, created segment relocation and jumped directly on entry point: | ||
| + | |||
| + | [f000:fff0]> | ||
| + | |||
| + | But, if it not yet recognized automatically, you can do this by your hands: | ||
| 1. Open bios file with radare2 using this command: | 1. Open bios file with radare2 using this command: | ||
| - | r2 -e asm.bits=16 -e io.va=true ami_bios.bin | + | r2 -e asm.bits=16 -e io.va=true bios_image.bin |
| 2. Do bootblock segment relocation: | 2. Do bootblock segment relocation: | ||
| Line 40: | Line 55: | ||
| [0000:0000]> fb section.bootblk | [0000:0000]> fb section.bootblk | ||
| + | |||
| + | ==== AMIBIOS ==== | ||
| + | |||
| + | See example here http://xvilka.me/ami_bios.bin | ||
| + | |||
| + | Download example from http://xvilka.me/asrock_p4i65g.bin and open it as usual. | ||
| + | Also you can download r2 database file with all mentioned stuff (and more) from http://xvilka.me/asrock_p4i65g.r2 (Just load ut after loading *.bin file using '.' command). | ||
| + | It is based on ICH5 southbridge, download datasheet here http://www.intel.com/content/dam/doc/datasheet/82801eb-82801er-io-controller-hub-datasheet.pdf | ||
| 4. Disassembly, set flag to this as bios_entry | 4. Disassembly, set flag to this as bios_entry | ||
| Line 125: | Line 148: | ||
| line **f000:011e out 0x80, al** - POST code, with 0xD0 value in this case | line **f000:011e out 0x80, al** - POST code, with 0xD0 value in this case | ||
| add comment for that: | add comment for that: | ||
| - | [f000:0110]> s 0xf000:0x11c; CC 2 "D0 POST CODE" | + | [f000:0110]> CCa f000:011e D0 POST CODE |
| See also line **f000:0120 mov di, 0x126**, where 0x126 is offset to next+1 instuction | See also line **f000:0120 mov di, 0x126**, where 0x126 is offset to next+1 instuction | ||
| Line 294: | Line 317: | ||
| [f000:0b3c]> Cd 2 @ f000:0b46 | [f000:0b3c]> Cd 2 @ f000:0b46 | ||
| - | ==== Award ==== | + | ... [some reversing process]... |
| - | ==== Phoenix ==== | + | === SMBus === |
| - | Download example from http://xvilka.me/asrock_p4i65g.bin and open it as usual. | + | First, find SMB_BASE addr (see 14.1.8 from ICH5 pdf), it is 0x400 for our mainboard. Then find SMBus registers themselves: |
| - | ... [some reversing process]... | + | SMB_BASE + 0x1 - HST_STS (Host Status) |
| + | SMB_BASE + 0x2 - HST_CNT (Host Control) | ||
| + | SMB_BASE + 0x3 - HST_CMD (Host Command) | ||
| + | SMB_BASE + 0x4 - XMIT_SLVA (Transmit Slave Address) | ||
| + | SMB_BASE + 0x5 - HST_D0 (Host Data 0) | ||
| + | SMB_BASE + 0x6 - HST_D1 (Host Data 1) | ||
| + | SMB_BASE + 0x7 - HOST_BLOCK_DB (Host Block Data Byte) | ||
| + | ... | ||
| - | SMBus reading/writing. So, we've found some SMBus function, and we know, that 0x5786 - offset of **SMBus_IO_Write_SL** function, and 0x578e - offset of **SMBus_IO_Read_SL** function. | + | SMBus reading/writing. So, we've found some SMBus function, and we know, that 0x5786 - offset of **SMBus_ICH5_Reg_Write_Byte_SL** function, and 0x578e - offset of **SMBus_ICH5_Reg_Read_Byte_SL** function. |
| [f000:574d]> pd 24 | [f000:574d]> pd 24 | ||
| Line 328: | Line 358: | ||
| |||| f000:5783 f8 clc | |||| f000:5783 f8 clc | ||
| |||| f000:5784 ffe7 jmp di | |||| f000:5784 ffe7 jmp di | ||
| - | |||| ; -------- SMBus_IO_Write_SL: | + | |||| ; -------- SMBus_ICH5_Reg_Write_Byte_SL: |
| ````-> f000:5786 ba0004 mov dx, 0x400 | ````-> f000:5786 ba0004 mov dx, 0x400 | ||
| Add these functions: | Add these functions: | ||
| - | [f000:574d]> af+ f000:5786 8 SMBus_IO_Write_SL | + | [f000:574d]> af+ f000:5786 8 SMBus_ICH5_Reg_Write_Byte_SL |
| - | [f000:574d]> af+ f000:578e 8 SMBus_IO_Read_SL | + | [f000:574d]> af+ f000:578e 8 SMBus_ICH5_Reg_Read_Byte_SL |
| where 8 - size of both functions in bytes. "_SL" prefix means "stackless" (just my internal notation). | where 8 - size of both functions in bytes. "_SL" prefix means "stackless" (just my internal notation). | ||
| Lets add more metainfo, comments and so on: | Lets add more metainfo, comments and so on: | ||
| - | [f000:574d]> "CCa f000:5786 void SMBus_IO_Write_SL(uint8_t reg<ah>, uint8_t value<al>);" | + | [f000:574d]> "CCa f000:5786 void SMBus_ICH5_Reg_Write_Byte_SL(uint8_t reg<ah>, uint8_t value<al>);" |
| - | [f000:574d]> "CCa f000:578e uint8_t SMBus_IO_Read_SL<al>(uint8_t reg<ah>);" | + | [f000:574d]> "CCa f000:578e uint8_t SMBus_ICH5_Reg_Read_Byte_SL<al>(uint8_t reg<ah>);" |
| Note, that you should quote **whole** r2 command to mask special symbols **';'**, **'>'** and **'<'**. | Note, that you should quote **whole** r2 command to mask special symbols **';'**, **'>'** and **'<'**. | ||
| Line 348: | Line 378: | ||
| | | ||
| Also add these local labels: | Also add these local labels: | ||
| - | [f000:574d]> f SMB_Send_CMD 1 0xf000:0x5755 | + | [f000:574d]> f .SMB_Send_CMD @ 0xf000:0x5755 |
| - | [f000:574d]> f SMB_Prepare_Controller 1 0xf000:0x5762 | + | [f000:574d]> f .SMB_Prepare_Controller @ 0xf000:0x5762 |
| - | [f000:574d]> f SMB_Read_Data 1 0xf000:0x5779 | + | [f000:574d]> f .SMB_Read_Data @ 0xf000:0x5779 |
| - | [f000:574d]> f SMB_delay_loop 1 0xf000:0x576d | + | [f000:574d]> f .SMB_delay_loop @ 0xf000:0x576d |
| | | ||
| And here is what we have got (in VISUAL mode - **Vp** command to enter): | And here is what we have got (in VISUAL mode - **Vp** command to enter): | ||
| Line 386: | Line 416: | ||
| ||||| f000:5783 f8 clc | ||||| f000:5783 f8 clc | ||
| ||||| f000:5784 ffe7 jmp di | ||||| f000:5784 ffe7 jmp di | ||
| - | ; ; void SMBus_IO_Write_SL(uint8_t reg<ah>, uint8_t value<al>); | + | ; ; void SMBus_ICH5_Reg_Write_Byte_SL(uint8_t reg<ah>, uint8_t value<al>); |
| - | / function: SMBus_IO_Write_SL (8) | + | / function: SMBus_ICH5_Reg_Write_Byte_SL (8) |
| | |````-> f000:5786 ba0004 mov dx, 0x400 | | |````-> f000:5786 ba0004 mov dx, 0x400 | ||
| | | f000:5789 8ad4 mov dl, ah | | | f000:5789 8ad4 mov dl, ah | ||
| | | f000:578b ee out dx, al | | | f000:578b ee out dx, al | ||
| \ | f000:578c ffe7 jmp di | \ | f000:578c ffe7 jmp di | ||
| - | ; ; uint8_t SMBus_IO_Read_SL<al>(uint8_t reg<ah>); | + | ; ; uint8_t SMBus_ICH5_Reg_Read_Byte_SL<al>(uint8_t reg<ah>); |
| - | / function: SMBus_IO_Read_SL (8) | + | / function: SMBus_ICH5_Reg_Read_Byte_SL (8) |
| | `-----> f000:578e ba0004 mov dx, 0x400 | | `-----> f000:578e ba0004 mov dx, 0x400 | ||
| | f000:5791 8ad4 mov dl, ah | | f000:5791 8ad4 mov dl, ah | ||
| Line 405: | Line 435: | ||
| | f000:57a2 a4 movsb | | f000:57a2 a4 movsb | ||
| | f000:57a3 57 push di | | f000:57a3 57 push di | ||
| - | | f000:57a4 b87200 mov ax, 0x72 | + | | f000:57a4 b87200 mov ax, 0x72 |
| - | ==== HP BIOS ==== | + | ==== Award ==== |
| - | See example here http://xvilka.me/hp_bios.bin | + | ==== Phoenix ==== |
| - | 1. Open bios file with radare2 using this command: | + | |
| - | r2 -e asm.bits=16 -e io.va=true hp_bios.bin | + | ==== HP BIOS ==== |
| - | 2. Do bootblock segment relocation: | + | See example here http://xvilka.me/hp_bios.bin |
| - | [0x00000000]> S $s-0x10000 0xf000:0x0000 0x10000 0x10000 bootblk rwx | + | 1. Disassembly, set flag to this as bios_entry |
| - | + | ||
| - | where '$s' - variable, file size (see output of '???' command) | + | |
| - | + | ||
| - | You can also set DOS-like addressing notation: | + | |
| - | + | ||
| - | [0x00000000]> e asm.segoff=true | + | |
| - | [0000:0000]> | + | |
| - | + | ||
| - | 3. go to 0xf000:0xfff0, where BIOS starts | + | |
| - | + | ||
| - | [0000:0000]> s 0xf000:0xfff0 | + | |
| - | + | ||
| - | You can seek also by **s section.bootblk+0xfff0** | + | |
| - | Also you can add flags base too: | + | |
| - | + | ||
| - | [0000:0000]> fb section.bootblk | + | |
| - | + | ||
| - | 4. Disassembly, set flag to this as bios_entry | + | |
| Note, that instead of long jump HP bioses widely using short jumps, so you should add **0xf000:** prefix in these jumps. | Note, that instead of long jump HP bioses widely using short jumps, so you should add **0xf000:** prefix in these jumps. | ||
start.1369167074.txt.gz · Last modified: 2013/05/21 20:11 by xvilka
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: Public Domain
