====== Differences ======
This shows you the differences between two versions of the page.
start [2013/05/21 21:24] xvilka
start [2014/01/09 13:47] (current) xvilka
Line 5: | Line 5: | ||
==== Other firmares ==== | ==== Other firmares ==== | ||
- | [[embedded_controller]] | + | * [[embedded_controller]] |
- | [[intel_amt]] | + | * [[intel_amt]] |
- | [[video_bios]] | + | * [[video_bios]] |
==== Prerequisites ==== | ==== Prerequisites ==== | ||
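Review bot: the heading "Other firmares" in the unchanged context above the new bullets is misspelled; "Other firmwares" (or "Other firmware") would match the three new list items `[[embedded_controller]]`, `[[intel_amt]]` and `[[video_bios]]` it introduces.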
Line 18: | Line 18: | ||
You should disable color output for that: | You should disable color output for that: | ||
e scr.color=false | e scr.color=false | ||
+ | | ||
- | ==== AMIBIOS ==== | + | ==== All kind of BIOSes ==== |
- | See example here http://xvilka.me/ami_bios.bin | + | Open bios image just typing |
+ | |||
+ | r2 bios_image.bin | ||
+ | |||
+ | It should be opened automatically, created segment relocation and jumped directly on entry point: | ||
+ | |||
+ | [f000:fff0]> | ||
+ | |||
+ | But, if it not yet recognized automatically, you can do this by your hands: | ||
1. Open bios file with radare2 using this command: | 1. Open bios file with radare2 using this command: | ||
- | r2 -e asm.bits=16 -e io.va=true ami_bios.bin | + | r2 -e asm.bits=16 -e io.va=true bios_image.bin |
2. Do bootblock segment relocation: | 2. Do bootblock segment relocation: | ||
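Review bot: the two new explanatory sentences under "All kind of BIOSes" need rewording before they are clear to a reader following along: "It should be opened automatically, created segment relocation and jumped directly on entry point" would read better as "It should be recognized automatically, the bootblock segment relocation created and the seek moved to the entry point:", and "But, if it not yet recognized automatically, you can do this by your hands" as "If it is not recognized automatically, you can do this by hand". The heading itself should be "All kinds of BIOSes". It would also help to say what the `[f000:fff0]>` prompt means (that `asm.segoff` is already on and the seek is at the reset vector), since the manual steps that follow have to set `asm.bits=16` and `io.va=true` explicitly.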
Line 46: | Line 55: | ||
[0000:0000]> fb section.bootblk | [0000:0000]> fb section.bootblk | ||
+ | |||
+ | ==== AMIBIOS ==== | ||
+ | |||
+ | See example here http://xvilka.me/ami_bios.bin | ||
+ | |||
+ | Download example from http://xvilka.me/asrock_p4i65g.bin and open it as usual. | ||
+ | Also you can download r2 database file with all mentioned stuff (and more) from http://xvilka.me/asrock_p4i65g.r2 (Just load ut after loading *.bin file using '.' command). | ||
+ | It is based on ICH5 southbridge, download datasheet here http://www.intel.com/content/dam/doc/datasheet/82801eb-82801er-io-controller-hub-datasheet.pdf | ||
4. Disassembly, set flag to this as bios_entry | 4. Disassembly, set flag to this as bios_entry | ||
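Review bot: the new "AMIBIOS" heading and its download links are inserted between step 3 (`fb section.bootblk`) and step 4 ("4. Disassembly, set flag to this as bios_entry") of the generic procedure, so step 4 now reads as the first step of the AMIBIOS section; either move the heading below step 4 or move step 4 up under "All kind of BIOSes". Two different example images are also listed (ami_bios.bin and asrock_p4i65g.bin) without saying which one the walkthrough below uses; the later text refers to "our mainboard" with an ICH5 southbridge, which points at the ASRock image, so say so here. Typo: "Just load ut after loading" should be "Just load it after loading".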
Line 300: | Line 317: | ||
[f000:0b3c]> Cd 2 @ f000:0b46 | [f000:0b3c]> Cd 2 @ f000:0b46 | ||
- | ==== Award ==== | + | ... [some reversing process]... |
- | ==== Phoenix ==== | + | === SMBus === |
- | Download example from http://xvilka.me/asrock_p4i65g.bin and open it as usual. | + | First, find SMB_BASE addr (see 14.1.8 from ICH5 pdf), it is 0x400 for our mainboard. Then find SMBus registers themselves: |
- | ... [some reversing process]... | + | SMB_BASE + 0x1 - HST_STS (Host Status) |
+ | SMB_BASE + 0x2 - HST_CNT (Host Control) | ||
+ | SMB_BASE + 0x3 - HST_CMD (Host Command) | ||
+ | SMB_BASE + 0x4 - XMIT_SLVA (Transmit Slave Address) | ||
+ | SMB_BASE + 0x5 - HST_D0 (Host Data 0) | ||
+ | SMB_BASE + 0x6 - HST_D1 (Host Data 1) | ||
+ | SMB_BASE + 0x7 - HOST_BLOCK_DB (Host Block Data Byte) | ||
+ | ... | ||
- | SMBus reading/writing. So, we've found some SMBus function, and we know, that 0x5786 - offset of **SMBus_IO_Write_SL** function, and 0x578e - offset of **SMBus_IO_Read_SL** function. | + | SMBus reading/writing. So, we've found some SMBus function, and we know, that 0x5786 - offset of **SMBus_ICH5_Reg_Write_Byte_SL** function, and 0x578e - offset of **SMBus_ICH5_Reg_Read_Byte_SL** function. |
[f000:574d]> pd 24 | [f000:574d]> pd 24 | ||
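Review bot: the SMBus register list starts at `SMB_BASE + 0x1 - HST_STS` and has no entry for offset 0x0; please check the starting offset against the cited ICH5 section 14.1.8, because these offsets are exactly the `reg<ah>` values that `SMBus_ICH5_Reg_Write_Byte_SL` and `SMBus_ICH5_Reg_Read_Byte_SL` load into `dl` (`mov dl, ah` in the disassembly below), so an off-by-one here mislabels every register access in the rest of the analysis. The sentence "So, we've found some SMBus function, and we know, that 0x5786 - offset of ..." would also read better as "So we have found the SMBus functions: 0x5786 is the offset of **SMBus_ICH5_Reg_Write_Byte_SL** and 0x578e the offset of **SMBus_ICH5_Reg_Read_Byte_SL**".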
Line 334: | Line 358: | ||
|||| f000:5783 f8 clc | |||| f000:5783 f8 clc | ||
|||| f000:5784 ffe7 jmp di | |||| f000:5784 ffe7 jmp di | ||
- | |||| ; -------- SMBus_IO_Write_SL: | + | |||| ; -------- SMBus_ICH5_Reg_Write_Byte_SL: |
````-> f000:5786 ba0004 mov dx, 0x400 | ````-> f000:5786 ba0004 mov dx, 0x400 | ||
Add these functions: | Add these functions: | ||
- | [f000:574d]> af+ f000:5786 8 SMBus_IO_Write_SL | + | [f000:574d]> af+ f000:5786 8 SMBus_ICH5_Reg_Write_Byte_SL |
- | [f000:574d]> af+ f000:578e 8 SMBus_IO_Read_SL | + | [f000:574d]> af+ f000:578e 8 SMBus_ICH5_Reg_Read_Byte_SL |
where 8 - size of both functions in bytes. "_SL" prefix means "stackless" (just my internal notation). | where 8 - size of both functions in bytes. "_SL" prefix means "stackless" (just my internal notation). | ||
Lets add more metainfo, comments and so on: | Lets add more metainfo, comments and so on: | ||
- | [f000:574d]> "CCa f000:5786 void SMBus_IO_Write_SL(uint8_t reg<ah>, uint8_t value<al>);" | + | [f000:574d]> "CCa f000:5786 void SMBus_ICH5_Reg_Write_Byte_SL(uint8_t reg<ah>, uint8_t value<al>);" |
- | [f000:574d]> "CCa f000:578e uint8_t SMBus_IO_Read_SL<al>(uint8_t reg<ah>);" | + | [f000:574d]> "CCa f000:578e uint8_t SMBus_ICH5_Reg_Read_Byte_SL<al>(uint8_t reg<ah>);" |
Note, that you should quote **whole** r2 command to mask special symbols **';'**, **'>'** and **'<'**. | Note, that you should quote **whole** r2 command to mask special symbols **';'**, **'>'** and **'<'**. | ||
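Review bot: in the unchanged line "where 8 - size of both functions in bytes. "_SL" prefix means "stackless"", `_SL` is a suffix, not a prefix, in both renamed functions (`SMBus_ICH5_Reg_Write_Byte_SL`, `SMBus_ICH5_Reg_Read_Byte_SL`); suggest "the "_SL" suffix means "stackless"". The size 8 is consistent with the addresses (0x5786 to 0x578e), but it is worth saying that this is why `af+` rather than `af` is used here: the functions end in `jmp di`, not `ret`, so automatic function analysis would not find their end on its own.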
Line 354: | Line 378: | ||
| | ||
Also add these local labels: | Also add these local labels: | ||
- | [f000:574d]> f SMB_Send_CMD 1 0xf000:0x5755 | + | [f000:574d]> f .SMB_Send_CMD @ 0xf000:0x5755 |
- | [f000:574d]> f SMB_Prepare_Controller 1 0xf000:0x5762 | + | [f000:574d]> f .SMB_Prepare_Controller @ 0xf000:0x5762 |
- | [f000:574d]> f SMB_Read_Data 1 0xf000:0x5779 | + | [f000:574d]> f .SMB_Read_Data @ 0xf000:0x5779 |
- | [f000:574d]> f SMB_delay_loop 1 0xf000:0x576d | + | [f000:574d]> f .SMB_delay_loop @ 0xf000:0x576d |
| | ||
And here is what we have got (in VISUAL mode - **Vp** command to enter): | And here is what we have got (in VISUAL mode - **Vp** command to enter): | ||
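Review bot: the flag commands changed from `f SMB_Send_CMD 1 0xf000:0x5755` to `f .SMB_Send_CMD @ 0xf000:0x5755`, but the prose still only says "Also add these local labels" without explaining the new leading dot; add one sentence noting that the `.` prefix is what makes the flag local to the enclosing function, and that `@` now supplies the address in place of the old positional size/address form, so readers copying the old syntax know why it differs.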
Line 392: | Line 416: | ||
||||| f000:5783 f8 clc | ||||| f000:5783 f8 clc | ||
||||| f000:5784 ffe7 jmp di | ||||| f000:5784 ffe7 jmp di | ||
- | ; ; void SMBus_IO_Write_SL(uint8_t reg<ah>, uint8_t value<al>); | + | ; ; void SMBus_ICH5_Reg_Write_Byte_SL(uint8_t reg<ah>, uint8_t value<al>); |
- | / function: SMBus_IO_Write_SL (8) | + | / function: SMBus_ICH5_Reg_Write_Byte_SL (8) |
| |````-> f000:5786 ba0004 mov dx, 0x400 | | |````-> f000:5786 ba0004 mov dx, 0x400 | ||
| | f000:5789 8ad4 mov dl, ah | | | f000:5789 8ad4 mov dl, ah | ||
| | f000:578b ee out dx, al | | | f000:578b ee out dx, al | ||
\ | f000:578c ffe7 jmp di | \ | f000:578c ffe7 jmp di | ||
- | ; ; uint8_t SMBus_IO_Read_SL<al>(uint8_t reg<ah>); | + | ; ; uint8_t SMBus_ICH5_Reg_Read_Byte_SL<al>(uint8_t reg<ah>); |
- | / function: SMBus_IO_Read_SL (8) | + | / function: SMBus_ICH5_Reg_Read_Byte_SL (8) |
| `-----> f000:578e ba0004 mov dx, 0x400 | | `-----> f000:578e ba0004 mov dx, 0x400 | ||
| f000:5791 8ad4 mov dl, ah | | f000:5791 8ad4 mov dl, ah | ||
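Review bot: the `CCa` signatures `void SMBus_ICH5_Reg_Write_Byte_SL(uint8_t reg<ah>, uint8_t value<al>)` and `uint8_t SMBus_ICH5_Reg_Read_Byte_SL<al>(uint8_t reg<ah>)` are consistent with the listing (`mov dx, 0x400` then `mov dl, ah`, then `out dx, al` or the read), but the comment should also record the implicit assumption this shows: only `dl` is overwritten, so the I/O port is `0x400 | reg`, which is correct only because SMB_BASE is 256-byte aligned on this board and `reg` stays below 0x100. A board with a different SMB_BASE would need these helpers patched, which matters if the database file is reused elsewhere.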
Line 411: | Line 435: | ||
| f000:57a2 a4 movsb | | f000:57a2 a4 movsb | ||
| f000:57a3 57 push di | | f000:57a3 57 push di | ||
- | | f000:57a4 b87200 mov ax, 0x72 | + | | f000:57a4 b87200 mov ax, 0x72 |
- | ==== HP BIOS ==== | + | ==== Award ==== |
- | See example here http://xvilka.me/hp_bios.bin | + | ==== Phoenix ==== |
- | 1. Open bios file with radare2 using this command: | + | |
- | r2 -e asm.bits=16 -e io.va=true hp_bios.bin | + | ==== HP BIOS ==== |
- | 2. Do bootblock segment relocation: | + | See example here http://xvilka.me/hp_bios.bin |
- | [0x00000000]> S $s-0x10000 0xf000:0x0000 0x10000 0x10000 bootblk rwx | + | 1. Disassembly, set flag to this as bios_entry |
- | + | ||
- | where '$s' - variable, file size (see output of '???' command) | + | |
- | + | ||
- | You can also set DOS-like addressing notation: | + | |
- | + | ||
- | [0x00000000]> e asm.segoff=true | + | |
- | [0000:0000]> | + | |
- | + | ||
- | 3. go to 0xf000:0xfff0, where BIOS starts | + | |
- | + | ||
- | [0000:0000]> s 0xf000:0xfff0 | + | |
- | + | ||
- | You can seek also by **s section.bootblk+0xfff0** | + | |
- | Also you can add flags base too: | + | |
- | + | ||
- | [0000:0000]> fb section.bootblk | + | |
- | + | ||
- | 4. Disassembly, set flag to this as bios_entry | + | |
Note, that instead of long jump HP bioses widely using short jumps, so you should add **0xf000:** prefix in these jumps. | Note, that instead of long jump HP bioses widely using short jumps, so you should add **0xf000:** prefix in these jumps. |
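Review bot: the HP BIOS section now starts at "1. Disassembly, set flag to this as bios_entry" after its open/relocate/seek steps were removed, so the numbering restarts at 1 for what was step 4; either refer the reader back to the steps under "All kind of BIOSes" before this item or drop the number. The new "Award" and "Phoenix" headings are left with no content under them; if they are placeholders, a one-line "TODO" under each would make that explicit. In the unchanged closing line, "HP bioses widely using short jumps, so you should add **0xf000:** prefix in these jumps" would read better as "HP BIOSes widely use short jumps, so you should add the **0xf000:** prefix to these jumps".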