Laptop enable: Difference between revisions
(added structure; added more text and formatting)
Hailfinger (talk | contribs) (→PhoenixBIOS specifics: dd command extracted the image instead of the trailer)
Latest revision as of 21:18, 31 August 2014
Intro
- http://flashrom.org/Board_Enable
- http://flashrom.org/Laptops
- http://www.coreboot.org/Embedded_controller
- http://www.coreboot.org/Laptop#Embedded_controllers
Most (all?) laptop designs use an EC (embedded controller) to control the backlight, watch the battery status, etcetera.
To access the flash chip (safely), the EC needs to be suspended/stopped. The code to stop the EC is typically found at the end of a BIOS binary. This page is about that trailing part of a binary.
PhoenixBIOS specifics
This subsection covers the disassembly of a laptop BIOS file (Compal HTW20, ENE KB910QF, SMC LPC47B227?, Phoenix TrustedCore) that is 1052598 bytes in size. The trailer starts at 0x100000 (1024 * 1024) and is 4022 bytes in size.
To extract the trailer, use dd:
dd if=<romfile> of=bios.bin bs=1024k skip=1
Example of a disassembly
The disassembler used is the freeware version of IDA Pro.
Example of how the disassembly of the trailer looks:
TRAILER:0010 09 00 00 00 00 00 00 00 00 00 00 43 6F 6D 70 61 ..........Compa
TRAILER:0020 6C 20 57 69 6E 50 68 6C 61 73 68 20 2D 20 46 6C l WinPhlash - Fl
TRAILER:0030 61 73 68 69 6E 74 2E 61 73 6D 20 76 30 2E 30 33 ashint.asm v0.03
TRAILER:0040 5A 46 4C 50 46 25 00 00 00 00 00 00 00 59 02 00 ZFLPF%
Hints and facts
Facts:
- ZFLPF is found at 0x40
- len(ZFLPF) = 5
The location of the entrypoint is stored at 0x51:
(base of ZFLPF) + len(ZFLPF) + 0xc = 0x40 + 5 + 0xc = 0x51
Let's take a look at position 0x51:
TRAILER:0051 DE 02 dw 2DEh
Fact:
- 0x2de + 0x1b = 0x2f9
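The offset arithmetic above can be scripted so it is repeatable on other trailers. This is an added example, not code from the original page or from flashrom. The function names are hypothetical, the sample trailer is constructed from only the bytes quoted on this page, and the 0x1b delta is copied from the fact above, whose meaning the page does not explain.

```python
import struct

SIGNATURE = b"ZFLPF"
TRAILER_START = 0x100000  # 1024 * 1024, as stated on the page
ENTRY_FIELD_DELTA = 0xC   # page: (base of ZFLPF) + len(ZFLPF) + 0xc
CODE_DELTA = 0x1B         # page: 0x2de + 0x1b = 0x2f9 (meaning not documented there)


def split_trailer(rom: bytes) -> bytes:
    """Return everything past the first 1 MiB, like dd bs=1024k skip=1."""
    if len(rom) <= TRAILER_START:
        raise ValueError("image has no trailer past 0x100000")
    return rom[TRAILER_START:]


def locate_board_code(trailer: bytes) -> dict:
    """Find ZFLPF, read the 16-bit little-endian entry word, apply the delta."""
    base = trailer.find(SIGNATURE)
    if base < 0:
        raise ValueError("ZFLPF signature not found")
    field = base + len(SIGNATURE) + ENTRY_FIELD_DELTA
    if field + 2 > len(trailer):
        raise ValueError("trailer truncated before the entry-point field")
    (entry,) = struct.unpack_from("<H", trailer, field)
    code = entry + CODE_DELTA
    if code >= len(trailer):
        raise ValueError("computed code offset lies outside the trailer")
    return {"signature": base, "field": field, "entry": entry, "code": code}


def build_sample_trailer() -> bytes:
    """Constructed 4022-byte trailer; all other bytes are zero filler."""
    t = bytearray(4022)
    t[0x40:0x50] = bytes.fromhex("5A 46 4C 50 46 25 00 00 00 00 00 00 00 59 02 00")
    t[0x51:0x53] = bytes.fromhex("DE 02")           # dw 2DEh
    t[0x2F9:0x2FE] = bytes.fromhex("9C 60 E8 C2 00")  # pushf / pusha / call
    return bytes(t)


if __name__ == "__main__":
    rom = bytes(TRAILER_START) + build_sample_trailer()  # constructed image
    info = locate_board_code(split_trailer(rom))
    print({name: hex(value) for name, value in info.items()})
```

On a trailer from a different board or BIOS version, check the reported offsets against the disassembly before relying on them.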
Preview of the beginning of the board-specific code
TRAILER:02F9 ; ---------------------------------------------------------------------------
TRAILER:02F9 9C pushf
TRAILER:02FA 60 pusha
TRAILER:02FB E8 C2 00 call determine_lpc_pci_id