Welcome to the dark corner of BIOS reverse engineering, code injection and various modification techniques only deemed by those immensely curious about BIOS

Thursday, October 7, 2010

How to Read The ACPI Specification

The ACPI specification is a huge document, especially the ACPI v4.0 spec: it's 727 pages. Then how do you read it? It depends. For now, I'd like to focus on the perspective of someone who reads ASL (ACPI Source Language) source code. Reading ASL code is rather frustrating for beginners. Here's how to do it:
  1. If you're a total newbie to ACPI, read Chapter 1. Otherwise, proceed to step 2.
  2. Read Chapter 4 - ACPI Hardware Specification briefly.
  3. Read Chapter 5 - ACPI Software Programming Model briefly.
  4. Read Chapter 18 - ACPI Source Language Reference briefly.
Now, go back to the ASL source code that you want to understand and look up the meaning of the operators in Chapter 18 - ACPI Source Language Reference. Sometimes you have to repeat this several times to get used to the operators. Now, let's see an example:
// Define a Lid switch
OperationRegion(\PHO, SystemIO, 0x201, 0x1)   // one byte of I/O space at port 0x201
Field(\PHO, ByteAcc, NoLock, Preserve) {
    LPOL, 1   // Lid polarity control bit (bit 0 of that byte)
}

Device(\_SB.LID){
    Name(_HID, EISAID("PNP0C0D"))   // Plug and Play ID of a lid device
    Method(_LID){Return(LPOL)}      // _LID returns the current lid state
    Name(_PRW, Package(2){
        1,      // bit 1 of GPE to enable Lid wakeup
        0x04}   // can wakeup from S4 state
    )
}

Scope(\_GPE){   // Root level event handlers
    Method(_L01){   // uses bit 1 of GP0_STS register
        Not(LPOL, LPOL)          // Flip the lid polarity bit
        Notify(\_SB.LID, 0x80)   // Notify OS of event; the full path is needed because
                                 // a bare "LID" does not resolve from the \_GPE scope
    }
}
In the code above, the words OperationRegion, Method, Scope, Name, and Field are ASL "operators". Therefore, to know what these operators do, look at the ASL Operator Reference in Chapter 18 (section 18.5) of ACPI specification revision 4.0. There are more things left to explain before the ASL source code above is fully understood; I'll leave that for another time. The most important thing is: now we can read the ACPI specification much more efficiently. Cheers :)
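As an added example (this is not code from the original post, and the ACPI specification itself ships nothing like it), here is a small Python script that does the "look-up" step mechanically for the lid-switch snippet above: it lists every operator invoked in the ASL text so you know which section 18.5 entries to read, decodes the _PRW package, and implements the EISAID compression that turns "PNP0C0D" into the 32-bit _HID value you will see in a disassembled AML table. The SAMPLE_ASL string is a constructed copy of the snippet; the function names are my own.

```python
import re

# ASL operators appearing in the lid-switch snippet above; each has an entry in
# the ASL Operator Reference (ACPI 4.0 specification, section 18.5).
ASL_OPERATORS = {
    "OperationRegion", "Field", "Device", "Name", "Method", "Scope",
    "Package", "EISAID", "Return", "Not", "Notify",
}

# Constructed copy of the lid-switch example so the script runs offline.
SAMPLE_ASL = r"""
OperationRegion(\PHO, SystemIO, 0x201, 0x1)
Field(\PHO, ByteAcc, NoLock, Preserve) {
    LPOL, 1   // Lid polarity control bit
}
Device(\_SB.LID){
    Name(_HID, EISAID("PNP0C0D"))
    Method(_LID){Return(LPOL)}
    Name(_PRW, Package(2){
        1,      // bit 1 of GPE to enable Lid wakeup
        0x04}   // can wakeup from S4 state
    )
}
Scope(\_GPE){   // Root level event handlers
    Method(_L01){   // uses bit 1 of GP0_STS register
        Not(LPOL, LPOL)          // Flip the lid polarity bit
        Notify(\_SB.LID, 0x80)   // Notify OS of event
    }
}
"""


def strip_comments(asl_text):
    """Remove // line comments so words inside them are not mistaken for operators."""
    return re.sub(r"//[^\n]*", "", asl_text)


def find_operators(asl_text):
    """Count every identifier that is invoked like an operator (name followed by '(').

    Returns {"known": {operator: count}, "unknown": [names]}; "unknown" lists invoked
    names missing from ASL_OPERATORS, so an empty list means every call in the
    snippet can be looked up in section 18.5.
    """
    known, unknown = {}, set()
    for match in re.finditer(r"\b([A-Za-z_]\w*)\s*\(", strip_comments(asl_text)):
        name = match.group(1)
        if name in ASL_OPERATORS:
            known[name] = known.get(name, 0) + 1
        else:
            unknown.add(name)
    return {"known": known, "unknown": sorted(unknown)}


def eisaid_encode(pnp_id):
    """Compress a 7-character EISA/PnP ID such as "PNP0C0D" into the 32-bit value the
    EISAID operator produces: three 5-bit letters (A=1), then the four hex digits,
    stored little-endian."""
    if not re.fullmatch(r"[A-Z]{3}[0-9A-F]{4}", pnp_id):
        raise ValueError("EISA ID must be 3 uppercase letters followed by 4 hex digits")
    c0, c1, c2 = (ord(ch) - 0x40 for ch in pnp_id[:3])
    raw = bytes([
        (c0 << 2) | (c1 >> 3),
        ((c1 & 0x07) << 5) | c2,
        int(pnp_id[3:5], 16),
        int(pnp_id[5:7], 16),
    ])
    return int.from_bytes(raw, "little")


def eisaid_decode(value):
    """Inverse of eisaid_encode: turn the _HID DWORD seen in AML back into text."""
    b = value.to_bytes(4, "little")
    c0 = b[0] >> 2
    c1 = ((b[0] & 0x03) << 3) | (b[1] >> 5)
    c2 = b[1] & 0x1F
    return "".join(chr(0x40 + c) for c in (c0, c1, c2)) + f"{b[2]:02X}{b[3]:02X}"


def parse_prw(asl_text):
    """Extract the two _PRW package elements from the ASL text: the GPE bit that wakes
    the system and the deepest sleep state it can wake from (S4 in the snippet)."""
    m = re.search(r"Name\(_PRW,\s*Package\(\d+\)\s*\{([^}]*)\}", strip_comments(asl_text))
    if m is None:
        raise ValueError("no _PRW package found")
    gpe_bit, sleep_state = (int(x.strip(), 0) for x in m.group(1).split(","))
    return gpe_bit, sleep_state


if __name__ == "__main__":
    ops = find_operators(SAMPLE_ASL)
    print("operators to look up in section 18.5:", ops["known"])
    print("_HID PNP0C0D -> 0x%08X" % eisaid_encode("PNP0C0D"))
    print("_PRW: GPE bit %d, wakes from S%d" % parse_prw(SAMPLE_ASL))
```

When you read a DSDT that was disassembled without symbolic EISA IDs, the _HID shows up as a bare DWORD (0x0D0CD041 for the lid device); eisaid_decode recovers the "PNP0C0D" string so you can match it against the device IDs listed in the specification.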

Last news about BIOS Disassembly Ninjutsu Uncovered 2nd Edition

OK. First, I'd like to apologize for the very lengthy delay of the BIOS Disassembly Ninjutsu Uncovered 2nd Edition. I've got the go-ahead sign from No Starch Press, but I'm still waiting for my co-author (Luis Miras) to be ready. For sure, you'll get more computer-security-related stuff in the second edition. I have finished the materials for several hardware-oriented chapters, but they still require a huge amount of edits. Well, hopefully this second edition doesn't need to wait until Christmas to complete. I'll be posting more regularly in this blog from now on.

BIOS Security Training

It's been ages since I updated this blog. Sorry guys. Anyway, I gave a BIOS Security Training a while ago in Europe, and I'd like to inform you that if you are interested in such a training, you can contact me by email and we can talk about it. I prefer a small class when giving a training so that the interaction is more engaging and you can get the most out of it.

Monday, April 26, 2010

Fixes and Update to AMI BIOS Reverse Engineering Article

I've made some fixes to the AMI BIOS Reverse Engineering article. The fixes mostly deal with the interpretation of the "headers" of the components in the decompressed AMI System BIOS module, a.k.a. the AMI 1B module (near the end of section 4.4 until the end of the article). I have added some new information regarding the structure of the AMI system BIOS as well. Anyway, I built 2 utilities to work with the AMI system BIOS module. The first one splits the AMI system BIOS module into its components (or "extracts" one component from it), and the second one inserts a modified component back into the AMI system BIOS module. You can download their source code here (both utilities' source code is lumped together into one compressed file). The explanation of the utilities can be found here. I don't have enough time yet to write an article explaining them. Well, it should be clear from the source code, even though they were quick hacks.

Monday, March 15, 2010

Award BIOS "support" for DLL Reversed

Just finished a new article which reveals the inner workings of DLL "support" in recent Award BIOS: Pinczakko's Guide to Reversing Award BIOS DLL "Support".

Friday, March 12, 2010

Using Modbin6 in Linux

You can use the wineconsole application to run a console BIOS utility such as modbin6 in Linux. Wineconsole is part of Wine. Now, let's see an example. Let's say I have installed Wine and I want to run modbin6 from my home directory (which should already contain the modbin6 executable). I would invoke it like this:
pinczakko@opusera:~/$ wineconsole MODBIN6.EXE
This is the snapshot of the console spawned by the command above. Now, you can use the spawned console (which already runs modbin6) to navigate to the BIOS binary which you want to edit. Note that the path to the binary will default to "C:\" in wineconsole, which is in your Wine "home directory". In my case the Wine "home directory" is at ~/.wine and drive C in that directory is at ~/.wine/drive_c. Therefore, if you want to place the BIOS binary which you want to edit in drive C (C:\), you should copy the binary over to your drive_c directory, which in my case is at ~/.wine/drive_c. Below is the screenshot from a running Modbin6 in wineconsole. That's it. Now you should be able to work with modbin6 in Linux.
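As an added example (not part of the original post, and not a modbin6 or Wine tool), here is a Python helper that stages a BIOS image into the Wine C: drive the way the post describes, honouring WINEPREFIX when it is set, and records a SHA-256 of the untouched image first. The changed_ranges function is the check I would run after the modbin6 session: diffing the staged original against the edited copy tells you exactly which offsets were modified, so you can confirm the edit stayed inside the intended region before the image goes anywhere near a flash chip. Function names, the "bios" subdirectory and the dummy image in demo_stage are my own assumptions.

```python
import hashlib
import os
import shutil
from pathlib import Path


def wine_drive_c(wineprefix=None):
    """Directory that Wine maps to C:\\ (WINEPREFIX/drive_c, default ~/.wine/drive_c)."""
    prefix = Path(wineprefix or os.environ.get("WINEPREFIX") or Path.home() / ".wine")
    return prefix / "drive_c"


def sha256_of(path):
    """Hex SHA-256 of a file, taken before any editing so the original can be proven later."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def stage_bios(src, wineprefix=None, subdir="bios"):
    """Copy a BIOS image into C:\\<subdir> of the Wine prefix; return (dest_path, sha256)."""
    dest_dir = wine_drive_c(wineprefix) / subdir
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / Path(src).name
    shutil.copy2(src, dest)
    return dest, sha256_of(dest)


def wineconsole_command(exe="MODBIN6.EXE"):
    """argv for launching the console utility under wineconsole, as in the post."""
    return ["wineconsole", exe]


def changed_ranges(original, modified):
    """Return [(offset, length), ...] runs where two equal-size images differ.

    Run this on the staged original and the edited copy to verify that only the
    expected bytes changed; a flash image that changed size is rejected outright.
    """
    if len(original) != len(modified):
        raise ValueError("images differ in size; an edited flash image should keep its size")
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(original, modified)):
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, len(original) - start))
    return ranges


def demo_stage():
    """Self-contained run: constructed 64 KiB dummy image, throwaway WINEPREFIX, simulated edit."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        prefix = Path(tmp) / "prefix"                 # stands in for ~/.wine
        src = Path(tmp) / "ORIGINAL.BIN"
        image = bytes(range(256)) * 256               # constructed dummy image (64 KiB)
        src.write_bytes(image)
        dest, digest = stage_bios(src, wineprefix=prefix)
        staged_ok = dest.exists() and dest.parent == prefix / "drive_c" / "bios"
        edited = bytearray(image)                     # pretend modbin6 patched 4 bytes
        edited[0x100:0x104] = b"EDIT"
        return {
            "staged_ok": staged_ok,
            "sha_matches_src": digest == hashlib.sha256(image).hexdigest(),
            "changed": changed_ranges(image, bytes(edited)),
        }


if __name__ == "__main__":
    print(demo_stage())
    print(" ".join(wineconsole_command()))
```

Keep the staged original (or at least its hash) outside the Wine prefix; once modbin6 has written the edited image, changed_ranges against that original is the only cheap way to see whether the utility touched more than the setup options you meant to change.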

Sunday, February 7, 2010

BIOS Disassembly Ninjutsu 2nd Edition Progress

Hello all. I just want to inform you about the latest status of the manuscript. It'll be considerably longer than the previous one, and the chapter count will increase rather dramatically because I decided to divide the "monster" chapters of the previous edition into smaller chapters which are hopefully easier to understand. I didn't realize how huge (read: hard to grasp) those chapters were prior to re-reading the copy that I have at hand. Some reorganization happened in it as well. Aside from those issues, I really want to dedicate a chapter to Coreboot this time around. Hopefully, I can make it in time. Cheers :-)

UPDATE:
========
You can check the latest state of the book in this post: http://bioshacking.blogspot.com/2011/03/latest-state-of-bios-disassembly-book.html