Some BIOS Utilities and Articles

Well done, Pinczakko... Good old Pinczakko... : - )
Would you like to test ash of the Phoenix? : - )

Hello icbook,

I will work on Phoenix BIOS later and perhaps some other BIOS variants.

Anyway, there's an error near the end of the AMI BIOS article about the interpretation of the "component" header. I'll fix it when I have time.

Pinczakko, very big thx for great work!

I imported your methods and tips in my ROM R&E (not x86, arm - on-chip bootrom of TI omap3430).
If you are interested in it - i can send small analisys article.

P.S. Now trying to analize my phoenix bios, so hope, that you have some results in phoenix
I mean splitter/combiner.

Hello,

Phoenix uses LZSS compression algorithm by Haruhiko Okumura. LZHUF/LHA compression used in AMI and Award is coded by another Japanese programmer with LZSS as the basis but the back-end was changed to Huffman coding instead of arithmetic coding (in LZSS). Unfortunately the LHA source code (on the web) is rather cryptic. Okumura in his paper said it was an adaptive Huffman algorithm, unfortunately it's only "partially" true because LHA implemented the adaptive Huffman algorithm by using some sort of table created from statistics of the bit-length in the input Lempel-Zif block.

Anyway, some Coreboot (formerly Linux BIOS) guys coded a decompressor for AMI, Award and Phoenix BIOS. I'm not aware of it when I wrote my AMI BIOS 1B module utilities. Strangely, I stumbled upon it yesterday. You can see the code at: cgit.freedesktop.org/~libv/bios_extract/. Unfortunately, their utility cannot put back a modified 1B component into a valid 1B file. I mean they don't make something like my ami_1B_combiner. So, I'll stick to my own utility.

;----------------------------------------------------------------------------
; Compression BCP structure
;----------------------------------------------------------------------------
bcpCompressStruc STRUC
Header bcpHeader <'BCPCMP', 2, 1, SIZEOF bcpCompressStruc>
compInfo DB bcpiCompInfo ; Misc. compression flags
COMP_******_RUN EQU 00000001b ; ******.EXE was used

COMP_SETUP_LOCATION EQU 00000010b
; 0 = setup in shadow memory
; 1 = setup in conv. memory
COMP_DO_SETUP EQU 00000100b ; Setup is compressed
COMP_DO_OPTIONROMS EQU 00001000b ; Option Roms are compressed
COMP_CLEAR_LOW_MEM EQU 00010000b ; Clear low mem before boot
COMP_DO_BIOS EQU 00100000b ; BIOS is compressed
algorithm DB bcpiAlgorithm ; Compression algorithm
COMP_LZSS EQU 0 ; LZSS decompression algorithm
COMP_LZARI EQU 1 ; LZARI decompression algorithm
COMP_LZHUF EQU 2 ; LZHUF decompression algorithm
COMP_LZINT EQU 3 ; LZINT decompression algorithm
nonCompDataStart DW OFFSET buildCompressEnd

The AMI BIOS article has been fixed. Well, it maybe still too rough and rather hard to understand at some parts. I'll review and make it easier when I have time.

Pinczakko: I have some suggestion for your researches.

As you know - on most laptops is Phoenix BIOS (on moderns - new format + EFI image). And on 100% - also EC Embedded Controller.
I have some findings in it, which relative to flashrom/coreboot. So if this interesting for you - i can send you and share in this theme.
On the example of 8051-based EC's

Also most new (not yet manufactured) laptops are going to use EC, based on ARM platform. So ARM & x86 BIOS on one flash - it could be interesting!

I'm also hope that research of BIOS on laptops will be a new chapter in second edition of book

P.S. If you have not seen this yet, it may be interesting:

phrack.org/issues.html?issue=66&id=11#article
phrack.org/issues.html?issue=66&id=7#article

I have read those phrack papers . The embedded controller is an interesting aspect. Unfortunately, I haven's researched much into it yet. Anyway, Phoenix BIOS is in the works.

I thought that Phoenix BIOS used LZINT compression? Is this similar to the LZSS you mentioned above?

Have you founded yet?

testTask:
jz      skipTask
mov     di, offset postTaskReturn
mov     ax, cs:[bx]
inc     bx
inc     bx
mov     cx, ax
or      al, al
jz      postNoTestPoint
mov     cx, dx
mov     dx, cs:_diagnostic_port
out     dx, al          ; manufacture's diagnostic checkpoint
mov     dx, cx
mov     cx, ax          ;
jmp     $+3             ;
postNoTestPoint:
jmp     $+3             ;
jmp     $+3             ;
jmp     postDispatch