Hi guys,
I'll just post in English because my Russian is still very bad :P.
First, I have some new articles after several "dormant" years:
1. Reversing Award BIOS "DLL support" .
2. Pinczakko's Guide to AMI BIOS Reverse Engineering.
Second, a while ago, I coded simple applications to split an AMI 1B (System BIOS) file into its components (a.k.a. ami_1b_splitter) and to combine them into a valid 1B file afterwards (a.k.a. ami_1b_combiner).
The Windows binary can be downloaded at: http://sites.google.com/site/pinczakko/download/ami_1b_utilz.zip?attredirects=0
If you're interested in the source code, it's available at: http://sites.google.com/site/pinczakko/source-code/ami_bios_1B_parser.tar.gz?attredirects=0
Anyway, the source code can be built directly in Linux/Unix. If you want to compile it in Windows, you can use DevC++. The instructions to build the source code in DevC++ are explained at: http://www.rebelshavenforum.com/sis-bin/ultimatebb.cgi?ubb=get_topic;f=52;t=000149;p=2.
-Pinczakko-
Would you like to test ash of the Phoenix? : - )
I will work on Phoenix BIOS later and perhaps some other BIOS variants.
Anyway, there's an error near the end of the AMI BIOS article about the interpretation of the "component" header. I'll fix it when I have time.
I imported your methods and tips into my ROM R&E (not x86, but ARM: the on-chip bootrom of the TI OMAP3430).
If you are interested in it, I can send a small analysis article.
P.S. Now trying to analyze my Phoenix BIOS, so I hope that you have some results on Phoenix :-)
I mean splitter/combiner.
Phoenix uses the LZSS compression algorithm by Haruhiko Okumura. The LZHUF/LHA compression used in AMI and Award was coded by another Japanese programmer with LZSS as the basis, but the back-end was changed to Huffman coding instead of arithmetic coding (in LZSS). Unfortunately the LHA source code (on the web) is rather cryptic. Okumura in his paper said it was an adaptive Huffman algorithm; unfortunately that's only "partially" true, because LHA implemented the adaptive Huffman algorithm by using some sort of table created from statistics of the bit-length in the input Lempel-Ziv block.
Anyway, some Coreboot (formerly LinuxBIOS) guys coded a decompressor for AMI, Award and Phoenix BIOS. I wasn't aware of it when I wrote my AMI BIOS 1B module utilities. Strangely, I stumbled upon it yesterday. You can see the code at: http://cgit.freedesktop.org/~libv/bios_extract/. Unfortunately, their utility cannot put back a modified 1B component into a valid 1B file. I mean they don't make something like my ami_1B_combiner. So, I'll stick to my own utility.
;----------------------------------------------------------------------------
; Compression BCP structure
;----------------------------------------------------------------------------
bcpCompressStruc STRUC
Header bcpHeader <'BCPCMP', 2, 1, SIZEOF bcpCompressStruc>
compInfo DB bcpiCompInfo ; Misc. compression flags
COMP_******_RUN EQU 00000001b ; ******.EXE was used
COMP_SETUP_LOCATION EQU 00000010b
; 0 = setup in shadow memory
; 1 = setup in conv. memory
COMP_DO_SETUP EQU 00000100b ; Setup is compressed
COMP_DO_OPTIONROMS EQU 00001000b ; Option Roms are compressed
COMP_CLEAR_LOW_MEM EQU 00010000b ; Clear low mem before boot
COMP_DO_BIOS EQU 00100000b ; BIOS is compressed
algorithm DB bcpiAlgorithm ; Compression algorithm
COMP_LZSS EQU 0 ; LZSS decompression algorithm
COMP_LZARI EQU 1 ; LZARI decompression algorithm
COMP_LZHUF EQU 2 ; LZHUF decompression algorithm
COMP_LZINT EQU 3 ; LZINT decompression algorithm
nonCompDataStart DW OFFSET buildCompressEnd
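As an added example (not code from this thread or from Pinczakko's utilities), here is a small Python parser for the bcpCompressStruc shown above. It assumes the bcpHeader field widths are a 6-byte signature, one-byte major and minor version and a 16-bit structure size; it locates the structure inside a constructed sample image, rejects a truncated decoy, and decodes the compInfo flag bits and the algorithm byte using the names from the post.

```python
import struct

# Field widths are an assumption: bcpHeader is read as a 6-byte signature,
# one-byte major and minor version, and a 16-bit structure size.
BCP_HEADER = struct.Struct("<6sBBH")
BCP_BODY = struct.Struct("<BBH")      # compInfo, algorithm, nonCompDataStart

# Flag bits of compInfo, names and values as given in the posted STRUC
COMP_FLAGS = {
    0b00000001: "COMP_..._RUN",         # name is obscured in the post
    0b00000010: "COMP_SETUP_LOCATION",  # 0 = shadow memory, 1 = conv. memory
    0b00000100: "COMP_DO_SETUP",
    0b00001000: "COMP_DO_OPTIONROMS",
    0b00010000: "COMP_CLEAR_LOW_MEM",
    0b00100000: "COMP_DO_BIOS",
}
ALGORITHMS = {0: "LZSS", 1: "LZARI", 2: "LZHUF", 3: "LZINT"}

def parse_bcpcmp(blob: bytes, offset: int) -> dict:
    """Decode one bcpCompressStruc at `offset`; raise ValueError if it is not valid."""
    sig, major, minor, size = BCP_HEADER.unpack_from(blob, offset)
    if sig != b"BCPCMP":
        raise ValueError("no BCPCMP signature at 0x%x" % offset)
    if size < BCP_HEADER.size + BCP_BODY.size or offset + size > len(blob):
        raise ValueError("implausible structure size %d at 0x%x" % (size, offset))
    info, algo, start = BCP_BODY.unpack_from(blob, offset + BCP_HEADER.size)
    return {
        "version": (major, minor),
        "size": size,
        "flags": [name for bit, name in COMP_FLAGS.items() if info & bit],
        "algorithm": ALGORITHMS.get(algo, "unknown(%d)" % algo),
        "noncomp_data_start": start,
    }

def find_bcpcmp(blob: bytes):
    """Yield (offset, fields) for every parsable BCPCMP structure in a ROM image."""
    pos = blob.find(b"BCPCMP")
    while pos != -1:
        try:
            yield pos, parse_bcpcmp(blob, pos)
        except (ValueError, struct.error):
            pass                        # stray signature text or truncated tail
        pos = blob.find(b"BCPCMP", pos + 1)

# Constructed sample image: padding, one valid structure (version 2.1, 14 bytes,
# setup + BIOS compressed, algorithm 0 = LZSS), then a truncated decoy signature.
SAMPLE_ROM = (b"\xff" * 16
              + BCP_HEADER.pack(b"BCPCMP", 2, 1, 14) + BCP_BODY.pack(0x24, 0, 0x1234)
              + b"\x00" * 8 + b"BCPCMP\x02")
```

Iterating `find_bcpcmp(SAMPLE_ROM)` yields only the valid structure at offset 16; the decoy at the end is skipped because its body runs past the end of the image.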
As you know, most laptops have a Phoenix BIOS (on modern ones, a new format + EFI image). And 100% of them also have an EC (Embedded Controller).
I have some findings in it which relate to flashrom/coreboot. So if this is interesting for you, I can send them to you and share them in this thread.
Using 8051-based ECs as the example.
Also, most new (not yet manufactured) laptops are going to use an EC based on the ARM platform. So ARM & x86 BIOS on one flash, it could be interesting!
I also hope that research on laptop BIOS will be a new chapter in the second edition of the book ;)
P.S. If you have not seen this yet, it may be interesting:
http://phrack.org/issues.html?issue=66&id=11#article
http://phrack.org/issues.html?issue=66&id=7#article
Have you found it yet?
testTask:
    jz skipTask
    mov di, offset postTaskReturn
    mov ax, cs:[bx]
    inc bx
    inc bx
    mov cx, ax
    or al, al
    jz postNoTestPoint
    mov cx, dx
    mov dx, cs:_diagnostic_port
    out dx, al            ; manufacturer's diagnostic checkpoint
    mov dx, cx
    mov cx, ax            ;
    jmp $+3               ;
postNoTestPoint:
    jmp $+3               ;
    jmp $+3               ;
    jmp postDispatch