Preliminary Bios Modification Guide
Table of Contents
Bios Chip Hacking Trick. This part discusses how to do a hot-swapping procedure to back up your current BIOS.
Preliminary Award Bios Modification Guide. This part discusses how to modify/hack your BIOS to patch certain things.
Bios Chip Hacking trick
Finally I found the trick to hack my BIOS safely without using the so-called Bios Savior. The trick is as follows:
Use a BIOS chip (flash ROM) of the same type as the one in your current mobo as a backup in case something goes wrong. To do so, remove any sticker or protector that stops you from seeing the type of your mobo's BIOS chip (usually one with an Award or AMI logo); this will void your warranty, so proceed at your own risk. Then identify it; in my case it's written as follows (on the top of the chip):
Winbond W29C020C-90B
xxxxxxxxxxx
where the W prefix means built by Winbond and the xxxxxxxxxxx is perhaps the batch number. The BIOS chip type is 29C020; in my experience the C after W29C020 doesn't really matter, but the 90 postfix needs attention: it means 90 ns access time. The chip I use as a backup chip is:
Atmel AT29C020
xxxxx 90
where the AT prefix means made by Atmel, 29C020 is the chip type, and 90 means 90 ns access time.
!!! CAUTION !!!
do these first:
Find the datasheet of the bios chip of your current motherboard.
Find the datasheet of the bios chip you're gonna use as a backup.
Make sure both chips are compatible with each other in terms of voltage level (in my case 5 volts only), capacity (in my case 256KB) and access time.
ALWAYS double check the chip position every time you're going to insert the BIOS chip into your mainboard, because if it's wrong there's a big chance you're destroying the chip.
Do a hot flash (hot swapping), and flash the BIOS binary file to the backup chip (in my case the Atmel one). Remember the caution above!
Double check the chip position every time you're going to insert the BIOS chip into your mainboard. If it's wrong there's a big chance you're destroying the chip.
Alert !!!
In this step a BUG sometimes occurs. In my case, at first I used UNIFLASH ver 1.25 (since the readme file mentions that the AT29C020 has already been verified with the flasher). But a BUG OCCURRED: the flasher didn't recognize the Atmel chip. I'm aware that the flasher has some problem with my northbridge, the VIA 693A a.k.a. VIA Apollo Pro 133, and that could be the cause of this BUG.
Legacy solution :
Then I decided to use awardflash version 7.31, the one that comes with the mobo bin file, and it works :).
Update: This is not a problem anymore; it has been fixed in later versions of uniflash. The version I'm using now is uniflash 1.34 and it works without any problem at all.
Now you have a brand new backup BIOS without using Bios Savior. Cool, isn't it ... :)
Note: my system is as follows: Anyway, remember that when flashing the BIOS I remove the sound card and disconnect all IDE (ATAPI) connectors from the mobo to prevent any error that may damage the system. Then I boot safely from the floppy disk (sometimes from CDROM too).
April 17th 2002 : Bug Found
I tried to flash a beta BIOS to this chip this morning (April 17th 2002) and it always failed to write at some sectors, so sometimes I have to do it a couple of times to get it flashed entirely without a damaged (unwritten) segment. I'll try uniflash anyway, using the -force option to force the flashing procedure, and let's see which flasher is the better one.
June 18th 2002 : Partial solution to the bug :)
Today the same bug occurred again, but in a rather different form. At first I flashed the chip with a modded BIOS, and it got flashed (using awdflash 7.31); unfortunately the BIOS couldn't POST, so I did a hot flash with my real BIOS chip, the one that came with the mobo. Unfortunately I never managed to finish the flashing process in the normal way, and the chip got a wrong binary written into it. Then I tried to use the same flasher (awdflash 7.31) and also tried Uniflash to fix the content of the chip, but after many tries they just couldn't even do the flashing process. Finally I decided to try another awdflash version, and I got awdflash 7.76b, which comes with the Iwill BD100Plus mobo; it's also an Award 4.51PGNM version, so it's safe to use. Then I did a hot flash, and the flashing process ran smoothly, i.e. it worked well :).
Update:
This is not a problem anymore; it has been fixed in later versions of uniflash. The version I'm using now is uniflash 1.34 and it works without any problem at all.
Preliminary Award Bios Modification Guide
Before proceeding to the tutorial, I assume that you already know the basic structure of an x86 mainboard BIOS file, i.e. what original.tmp is and what an option/expansion ROM is. If you don't, then look for some info on the web. I'll provide this info on this website when I have enough time to type it down :).
Here's another important thing to note: ISA option ROM vs PCI option ROM. I've tried to add exactly the same option ROM using the /PCI and the /ISA option in CBROM ver 2.07, but it behaves really differently. As a note, I built the option ROM from a plain *.com file using masm with ml version 6.14 (from the masm32 distribution) and link.exe version 5.31 from the masm611 distribution. The description is as follows:
The /ISA version behaves as expected.
The /PCI version didn't even execute, but I added neither the PCI header to the binary nor the other IDs such as the PCI ID; perhaps this is the cause, but I believe the BIOS code itself may search for a valid device for every single PCI option ROM added to the BIOS.
So, we'll stick to the proven solution, i.e. the ISA option ROM. You are free to test the PCI option ROM, and if you succeed in implementing it, please inform me.
-- BEGIN UPDATE --
Finally I know the reason why the PCI expansion ROM version is not executed. To be able to successfully execute a PCI expansion ROM there are 2 things that have to be accomplished:
The XROMBAR (Expansion ROM Base Address) register in the PCI chip itself has to be enabled, so that it is possible to map the expansion ROM BIOS chip in real mode into the processor address space.
The PCI chip ID and the PCI vendor ID in the ROM code have to match the PCI chip ID and PCI vendor ID of the real PCI chip (they're hardwired in the chip).
-- END UPDATE --
The purpose of this mod is to patch certain chipset registers in the host bridge (contained in the northbridge chipset of my mobo). There are two ways to accomplish the task:
By modding the chipset register default values in original.tmp (the main BIOS file extracted from a BIOS file).
By adding a new ISA expansion/option ROM file to the original mainboard BIOS file (target BIOS) by means of CBROM.
Detailed description:
To mod original.tmp, first extract original.tmp from the original BIOS file using awardmod, modbin or other tools. In this case I use awardmod. Then edit the chipset register default value by searching for the following bytes:
02 70 00
the value means:
02 -- some kind of separator between register values
70 -- register number 70
00 -- device number 0 function 0, i.e. the host bridge main function device. The complete byte values depend on your BIOS, but most likely you'll find these bytes only once in original.tmp. The address where you'll find these bytes may vary, but in my case it's around 10e30, or segment 2 address 0e30. The above value has the format:
02 70 00 xx xx yy yy
where :
02 -- some kind of register separator
70 -- register number 70
00 -- dev 0 function 0
xx xx -- mask of the register's default value
yy yy -- Default value of the reg (offset)
The mask bits are ANDed with the default value to obtain the desired chipset register default value. Most of the time I modded both the mask bits and the default value to get the desired tweaked value.
Note:
Before you use the modded BIOS (of course after packing original.tmp and the other components back, using awardmod in my case), check whether it is GOOD or BAD by using modbin and cbrom. To do so, just open it and see if it doesn't look odd. I use HEXWORKSHOP and Hiew.exe to edit original.tmp.
This method has only been tested on Award BIOS version 4.5x PGNM; it hasn't been tested on other Award BIOS versions. Some of my friends confirm that this is not working, i.e. it's different in Award BIOS version 6.0 PGNM, but I haven't had the time to do a crosscheck.
To mod in the second way, make an ISA option/expansion ROM. Building a *.rom, i.e. an expansion ROM, from the plain binary file (*.com) you've created is pretty easy. But before proceeding further, let me tell you what a *.rom file really is. Based on my recent "research", a *.rom file is actually a binary file that conforms to the following conditions:
It's a plain binary file.
Its size is a multiple of 512 bytes.
Its header has the following format:
1. 55AAh ;these are the 1st and the 2nd byte, a bootable-code signature. It's actually AA55h, but Intel uses little endian, that's why it's reversed.
2. xxh ;this is the 3rd byte, where xx is the hex number that indicates the size of the ROM in multiples of 512 bytes, e.g. for a 512-byte ROM it will be 01h.
3. jmp ;commonly this is the 4th through 6th byte, usually a near jump instruction that invokes the real initialization code of the ROM.
4. ret (far) ;the last byte in the header. It invokes a far return to pass program execution back to the main BIOS (original.tmp). You can invoke it in the initialization part as well, so this is not a must-have. See the example code for more info.
Its byte checksum is exactly zero, i.e. after all of its bytes are summed and taken modulo 100h, the result is zero. In practice this should be pretty easy. For example, if you use Hexworkshop version 3.0, from the Tools menu choose Generate Checksum and choose the byte (8-bit) checksum to see the checksum of your file; for a valid ROM it should be equal to zero. This can be very handy if you want to turn your plain binary file into a valid ROM: just open the file using Hexworkshop or a similar hex editor and generate the checksum of your *.com file. If it's not zero, then subtract the remainder of your current checksum from 100h; this is the byte you need to insert into your plain binary file. For example, if the remainder shown in Hexworkshop is 0x2C then you will need to add D4 (4D will also work) to your file. I usually add this byte at the end of the program, after the return instruction, to compensate for the checksum needed, so that it won't interfere with your main code.
O.K., after knowing the exact format of a ROM file, we only need to concern ourselves with how to implement it.
First, the header format should be easy to handle in assembly (masm syntax); we only need to generate a plain binary file, i.e. build a *.com file if we're using masm.
Second, to get the real *.rom file we need a hex editor, i.e. Hexworkshop, and compensate for the size and checksum so that the expansion ROM won't be rejected by cbrom. To compensate for the size, just insert as many 00h bytes as needed until its size is a multiple of 512 bytes, from the Edit|Insert menu in Hexworkshop, then proceed to compensate for the checksum as explained above and voila'... you're done :)
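The size and checksum fix-up described above, done in code instead of by hand in Hexworkshop. This is an added example, not part of the original guide: it pads a flat .COM image, sets the length byte, computes the compensation byte, checks the result the way CBROM would, and decodes the near call at offset 3 to find the entry point. The constructed input is the TEST.COM image from the hex dump further down this page, as it comes out of the assembler.

```python
ROM_SIGNATURE = b"\x55\xAA"   # 55h AAh at offset 0 (AA55h stored little-endian)
BLOCK = 512                   # a ROM image must be a multiple of 512 bytes


def byte_checksum(data: bytes) -> int:
    """8-bit checksum: sum of all bytes modulo 100h (what Hexworkshop shows)."""
    return sum(data) & 0xFF


def entry_point(rom: bytes) -> int:
    """Decode the near call/jmp at offset 3 and return the offset it lands on."""
    if rom[3] not in (0xE8, 0xE9):          # E8 = near call, E9 = near jmp
        raise ValueError("offset 3 is not a near call/jmp")
    disp = int.from_bytes(rom[4:6], "little", signed=True)
    return 6 + disp                         # displacement is relative to the next instruction


def com_to_rom(com: bytes) -> bytes:
    """Pad a flat .COM image to a 512-byte multiple, set the length byte, fix the checksum."""
    if com[:2] != ROM_SIGNATURE:
        raise ValueError("image does not start with 55h AAh")
    rom = bytearray(com)
    rom += b"\x00" * (-len(rom) % BLOCK)    # insert 00h up to the next 512-byte boundary
    if rom[-1] != 0:                        # last byte is code: add a block for the fix-up byte
        rom += b"\x00" * BLOCK
    rom[2] = len(rom) // BLOCK              # length byte, e.g. 01h for a 512-byte ROM
    rom[-1] = (-byte_checksum(rom[:-1])) & 0xFF   # 100h minus the remainder
    return bytes(rom)


def check_rom(rom: bytes) -> list:
    """Return the problems CBROM or the BIOS would trip over; an empty list means valid."""
    problems = []
    if rom[:2] != ROM_SIGNATURE:
        problems.append("bad signature")
    if len(rom) % BLOCK:
        problems.append("size is not a multiple of 512 bytes")
    elif rom[2] != len(rom) // BLOCK:
        problems.append("length byte %02Xh does not match a %d-byte image" % (rom[2], len(rom)))
    if byte_checksum(rom):
        problems.append("byte checksum is %02Xh, expected 00h" % byte_checksum(rom))
    return problems


# Constructed input: the 512-byte TEST.COM image from the hex dump on this page, as it
# comes out of the assembler, i.e. before the compensation byte at offset 1FFh is set.
HEADER = bytes.fromhex("55AA01E8FA00CB")                  # 55AA, length, call INIT, retf
CODE = bytes.fromhex(
    "6660"                                                # pushad
    "66B850000080BAF80C66EFBAFC0C66ED660D8000000066EF"    # PATCH_PCI ioq_reg, ioq_mask
    "66B864000080BAF80C66EFBAFC0C66ED660D0202020066EF"    # PATCH_PCI dram_reg, dram_mask
    "66B868000080BAF80C66EFBAFC0C66ED660D4008002066EF"    # PATCH_PCI bank_reg, bank_mask
    "66B86C000080BAF80C66EFBAFC0C66ED660D0800000066EF"    # PATCH_PCI tlb_reg, tlb_mask
    "6661C3")                                             # popad, retn
TEST_COM = HEADER + b"\x00" * (0x100 - len(HEADER)) + CODE  # INIT sits at ORG 100h
TEST_COM += b"\x00" * (0x200 - len(TEST_COM))               # ORG 200h zero fill
```

Running com_to_rom(TEST_COM) reproduces the 4D compensation byte the guide adds by hand at offset 1FFh.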
Here's an example of working source code for the plain binary (it uses masm, so just build an ordinary *.com file and then adjust the checksum using a hex editor such as Hexworkshop 3.0).
;;------------------- TEST.ASM ---------------------------------------------------
.386
;;-------------------------------------------------------
;;Macro definition
;;-------------------------------------------------------
PATCH_PCI macro reg_addr,mask
mov eax,reg_addr ;fetch addr of the regs to be patched
mov dx,in_port ;fetch input port addr of PCI cfg space
out dx,eax
mov dx,out_port
in eax,dx
or eax,mask ;mask the regs value (activate
;certain bits)
out dx,eax
endm
CSEG SEGMENT PARA PUBLIC USE16 'CODE'
ASSUME CS:CSEG
ORG 0
;;Expansion rom header
DB 55h ;;Rom signature byte 1
DB 0AAh ;;Rom signature byte 2
DB 01h ;;512 bytes
call INIT ;;jump to initialization
retf ;;return far to main bios routine (original.tmp)
;;equates, have been tested d00d & works fine
in_port equ 0cf8h
out_port equ 0cfch
ioq_mask equ 00000080h
ioq_reg equ 80000050h
bank_mask equ 20000844h
bank_reg equ 80000068h
tlb_mask equ 00000008h
tlb_reg equ 8000006ch
dram_mask equ 00020202h
dram_reg equ 80000064h
ORG 100h
INIT PROC NEAR
pushad
PATCH_PCI ioq_reg, ioq_mask ;patch the ioq reg
PATCH_PCI dram_reg, dram_mask ;patch the DRAM
;controller i.e. the
;interleaving part
PATCH_PCI bank_reg, bank_mask ;patch bank active
;page ctl reg
PATCH_PCI tlb_reg, tlb_mask ;Activate Fast TLB
;lookup
popad
retn ;return to this rom's header
INIT ENDP
ORG 200h ;extend the file into 512 bytes
CSEG ENDS
END
;;-------------------------- END OF TEST.ASM ------------------------------------
Here's the resulting hex file:
Address Hexadecimal contents ASCII
00000000 55AA 01E8 FA00 CB00 0000 0000 0000 0000 U...............
00000010 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000070 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000080 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000090 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000A0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000B0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000C0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000D0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000E0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000000F0 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000100 6660 66B8 5000 0080 BAF8 0C66 EFBA FC0C f`f.P......f....
00000110 66ED 660D 8000 0000 66EF 66B8 6400 0080 f.f.....f.f.d...
00000120 BAF8 0C66 EFBA FC0C 66ED 660D 0202 0200 ...f....f.f.....
00000130 66EF 66B8 6800 0080 BAF8 0C66 EFBA FC0C f.f.h......f....
00000140 66ED 660D 4008 0020 66EF 66B8 6C00 0080 f.f.@.. f.f.l...
00000150 BAF8 0C66 EFBA FC0C 66ED 660D 0800 0000 ...f....f.f.....
00000160 66EF 6661 C300 0000 0000 0000 0000 0000 f.fa............
00000170 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000180 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000190 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001A0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001B0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001C0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001D0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001E0 0000 0000 0000 0000 0000 0000 0000 0000 ................
000001F0 0000 0000 0000 0000 0000 0000 0000 004D ...............M
Explanation:
Take a look at the header: you get the magic number 55AAh, then 01, the length byte that indicates a 512-byte option ROM file, then E8 FA 00, which is a near call instruction with a relative displacement of FAh to the main procedure located at address 100h. Then follows CB, which decodes to a far return to the calling procedure, in this case the main BIOS (original.tmp).
Now the main procedure. If we decode the instructions, we find this code:
pushad ;32-bit pushad (that's why it uses the 66h prefix) to save all regs
mov eax,80000064h ;enable PCI configuration access mechanism 1 for offset 64h
mov dx,0cf8h ;of device 00:00:00
out dx,eax
mov dx,0cfch ;get the data of offsets 64h,65h,66h
in eax,dx
or eax,00020202h ;turn on bit 1 of offsets 64h,65h,66h
out dx,eax
... ;these instructions repeat the code above to set different
... ;offsets
popad ;32-bit popad (that's why it uses the 66h prefix) to restore all regs
retn ;near return to the header, just past E8 FA 00
Note:
The 4D in the last byte of the option ROM was added by me (it was 00h after assembling) to make the file's 8-bit checksum equal to 00h, i.e. the sum of all the bytes mod 100h is 00h.
This method works great for me; I'd like to know if it's not working in certain circumstances.
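What the decoded sequence above does to the host bridge, replayed in a small model of PCI configuration mechanism 1 (ports CF8h/CFCh). This is an added example, not part of the original guide: the four (reg_addr, mask) pairs are the ones TEST.ASM passes to PATCH_PCI, while the register contents in ConfigSpace are constructed, since real values depend on the chipset.

```python
CONFIG_ADDRESS = 0x0CF8   # in_port in TEST.ASM
CONFIG_DATA = 0x0CFC      # out_port in TEST.ASM

# The (reg_addr, mask) pairs TEST.ASM passes to PATCH_PCI, in execution order.
PATCHES = [(0x80000050, 0x00000080), (0x80000064, 0x00020202),
           (0x80000068, 0x20000844), (0x8000006C, 0x00000008)]


def decode_cf8(addr: int) -> tuple:
    """Split a mechanism-1 CONFIG_ADDRESS dword into (bus, device, function, register)."""
    if not addr & 0x80000000:
        raise ValueError("enable bit 31 is clear; the chipset would ignore the access")
    return (addr >> 16) & 0xFF, (addr >> 11) & 0x1F, (addr >> 8) & 0x07, addr & 0xFC


def touched_bits(reg_addr: int, mask: int) -> list:
    """List the (byte offset, bit) pairs that OR-ing `mask` into the register can turn on."""
    base = decode_cf8(reg_addr)[3]
    return [(base + i // 8, i % 8) for i in range(32) if mask >> i & 1]


class ConfigSpace:
    """Constructed stand-in for the host bridge's configuration space. Register contents
    are made up; only CF8/CFC addressing and the read-OR-write of PATCH_PCI are modelled."""

    def __init__(self, regs: dict):
        self.regs = dict(regs)      # (bus, dev, func, reg) -> 32-bit value
        self.address = 0            # last dword written to CONFIG_ADDRESS

    def out(self, port: int, value: int) -> None:     # models OUT DX,EAX
        if port == CONFIG_ADDRESS:
            self.address = value & 0xFFFFFFFF
        elif port == CONFIG_DATA:
            self.regs[decode_cf8(self.address)] = value & 0xFFFFFFFF
        else:
            raise ValueError("unexpected port %04Xh" % port)

    def inp(self, port: int) -> int:                   # models IN EAX,DX
        if port != CONFIG_DATA:
            raise ValueError("unexpected port %04Xh" % port)
        return self.regs.get(decode_cf8(self.address), 0)


def run_patches(space: ConfigSpace, patches: list) -> list:
    """Replay each PATCH_PCI (select register, read, OR the mask, write back) and
    return (register offset, value before, value after) for every register touched."""
    log = []
    for reg_addr, mask in patches:
        space.out(CONFIG_ADDRESS, reg_addr)
        before = space.inp(CONFIG_DATA)
        space.out(CONFIG_DATA, before | mask)
        log.append((decode_cf8(reg_addr)[3], before, space.inp(CONFIG_DATA)))
    return log
```

touched_bits(0x80000064, 0x00020202) gives bit 1 of offsets 64h, 65h and 66h, which is exactly the "turn on bit 1 of offsets 64,65,66" comment in the decoded listing.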
Pinczakko notes on building an error free .COM file using MASM611
The general form of a .com file in MASM611 to generate an x86 ROM file is as follows (this is a real working example):
;;----------------------------------------------------------------------------------
.386 ;;Processor type to use (determines the actually available GPRs)
option segment:use16 ;;use the 66h,67h prefixes for 32-bit operands
.MODEL TINY ;;generic com file format
;;This is where you should put your macro declarations
.CODE
org 100h ;;com begins at 100h, then comes the real routine
start:
pushad ;save all GPR
mov eax,dram_reg ;fetch the address of the regs
mov dx,in_port ;fetch the input port addr config space
out dx,eax
mov dx,out_port
in eax,dx
or eax,dram_mask ;mask the regs value
out dx,eax
popad ;restore all GPR
retn ;return near to the header
;;The following part is actually not only for equates but possibly also for
;;data declarations
dram_mask equ 00020202h
dram_reg equ 80000064h
in_port equ 0cf8h
out_port equ 0cfch
end start
;;-----------------------------------------------------------------------------------
To build the *.com file of the routine above (assuming the file is named hello.asm), invoke the following:
ML /AT hello.asm /link /TINY
Note: remember to copy link.exe to the ml.exe directory to execute the command above. Also remember to place the file to be assembled in the same directory as ML.EXE and link.exe.
That's all. Happy modding; just find the tools needed and be aware that I have no responsibility for any damage that may occur if you do what I've explained here. Proceed at your own risk.
Latest update: August 10th, 8:22 JAVT
copyright © Darmawan M S a.k.a Pinczakko