【我所认知的BIOS】->反汇编BIOS之Bootblock(10)

BIOS启动与内存检测
最新推荐文章于 2024-04-17 01:05:29 发布
最新推荐文章于 2024-04-17 01:05:29 发布 · 183 阅读 · 0
文章标签:

#Go #Blog

本文详细解析了BIOS启动过程中的基本内存检测方法及BIOS自我复制到RAM中的实现细节。

【我所认知的BIOS->反汇编BIOSBootblock(10)

-- 基本的内存检测copy BIOS to RAM

By Lightseed

6/28/2010

1BIOS的主流程

BIOS执行到这里,bootblock任务基本完成。内存初始化好了以后,为了能够安全地把BIOS copy到内存中,还需要做一些安全性的检测呀什么的。让我们来继续往下看吧。

1 BIOS主流程

2Copy BIOS之前test基本内存

废话不用多说,让我们来看看反汇编出来的代码吧。

_F000:E3B5 ;Test first 256Kb memory , Send endless beep if DRAM is bad

_F000:E3B5

_F000:E3B5 loc_FE3B5: ; CODE XREF: _F000:E3E7j

_F000:E3B5 mov es, dx

_F000:E3B7 assume es:seg000

_F000:E3B7 cld

_F000:E3B8 mov cx, 2000h

_F000:E3BB xor di, di

_F000:E3BD repe stosd

_F000:E3C0 not eax

_F000:E3C3 mov cx, 2000h

_F000:E3C6 repe stosd

_F000:E3C9 not eax

_F000:E3CC mov cx, 2000h

_F000:E3CF xor di, di

_F000:E3D1 repe scasd

_F000:E3D4 jnz Error_Beep_Out

_F000:E3D6 not eax

_F000:E3D9 mov cx, 2000h

_F000:E3DC repe scasd

_F000:E3DF jnz Error_Beep_Out

_F000:E3E1 add dh, 10h

_F000:E3E4 cmp dh, 40h ; '@'

_F000:E3E7 jnz loc_FE3B5

_F000:E3E9 jmp short Ok_256K

_F000:E3EB ; 哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪哪?

_F000:E3EB

_F000:E3EB Error_Beep_Out: ; CODE XREF: _F000:E3D4j

_F000:E3EB ; _F000:E3DFj ...

Call Sound_Speaker ;伪代码

;死循环,BIOS让自己死在这里,让beep一直响,因为最基本的内存检测出错了。

Ok_256K: ;到这里的话,说明基本的内存检测已经通过。

_F000:E439 cmp dword ptr [esi+0FFF5h], 'BRM*' ; Saginature of Compress

_F000:E445 jz Have_Find_compress_code

;Move entire BIOS from E0000-FFFFF to 10000-2FFFF

Call move_BIOS_code ;伪代码

_F000:E482 jmp far ptr 2000h:0E487h ; Here BIOS copy itself to RAM

_F000:E482 ; Althrough BIOS will use FAR JMP to run at 2000:0, but code is continuous.

_F000:E482 ; So we can go on disassembling in F0000

从上面的代码中,我们可以看到,BIOS会做一些其他的flag的处理。这没什么难度,看注释就好了。我主要是要说说关于那256KB基本内存的检测。原理很简单,就是向从0开始低端内存开始,往里面写入特殊的值,然后再读出来比对,从而来判断内存是否是存在的。如果不存在,那么在这里就会无限地beepout

3beepout子函数

关于beep的函数,其实在peterblog里面有很详细的阐述了,所以我在这里也就不多赘述。只是把反汇编出来的源码贴出来,让大家看看咱们的BIOS实际上是怎么写这这里的code的。很有参考价值哦。呵呵。。。

_F000:FBB8 Sound_Speaker proc near ; CODE XREF: _F000:E3F0j

_F000:FBB8 mov cx, 533h

_F000:FBBB mov al, 0B6h ; '?

_F000:FBBD ;----------------------------------------------------------------------

_F000:FBBD bit 7,6

_F000:FBBD 00 = Counter 0 select

_F000:FBBD 01 = Counter 1 select

_F000:FBBD 10 = Counter 2 select

_F000:FBBD 11 = Read Back Command

_F000:FBBD bit 5,4

_F000:FBBD 00 = Counter Latch Command

_F000:FBBD 01 = Read/Write Least Significant Byte (LSB)

_F000:FBBD 10 = Read/Write Most Significant Byte (MSB)

_F000:FBBD bit 3-1

_F000:FBBD 000b Mode 0 Out signal on end of count (=0)

_F000:FBBD 001b Mode 1 Hardware retriggerable one-shot

_F000:FBBD x10b Mode 2 Rate generator (divide by n counter)

_F000:FBBD x11b Mode 3 Square wave output

_F000:FBBD 100b Mode 4 Software triggered strobe

_F000:FBBD 101b Mode 5 Hardware triggered strobe

_F000:FBBD 11 = Read/Write LSB then MSB

_F000:FBBD bit 0

_F000:FBBD 0 = Binary countdown is used. The largest possible binary count is 216

_F000:FBBD 1 = Binary coded decimal (BCD) count is used. The largest possible BCD count is 104

_F000:FBBD

_F000:FBBD

_F000:FBBD B6H = select Counter 2, R/W MSB, mode 3, binary countdown is used.

_F000:FBBD ;----------------------------------------------------------------------

_F000:FBBD out 43h, al ; Timer Control Word Register

_F000:FBBF mov ax, cx ; CX = Initial value of timer 2

_F000:FBC1 out 0EBh, al

_F000:FBC3 out 42h, al ; Timer 8253-5 (AT: 8254.2).

_F000:FBC5 mov al, ah

_F000:FBC7 out 0EBh, al

_F000:FBC9 out 42h, al ; Timer 8253-5 (AT: 8254.2).

_F000:FBCB in al, 61h ; PC/XT PPI port B bits:

_F000:FBCB ; 0: Tmr 2 gate 退? OR 03H=spkr ON

_F000:FBCB ; 1: Tmr 2 data AND 0fcH=spkr OFF

_F000:FBCB ; 3: 1=read high switches

_F000:FBCB ; 4: 0=enable RAM parity checking

_F000:FBCB ; 5: 0=enable I/O channel check

_F000:FBCB ; 6: 0=hold keyboard clock low

_F000:FBCB ; 7: 0=enable kbrd

_F000:FBCD mov ah, al ; Save the data of 61h

_F000:FBCF or al, 3

_F000:FBD1 out 0EBh, al

_F000:FBD3 out 61h, al ; PC/XT PPI port B bits:

_F000:FBD3 ; 0: Tmr 2 gate 退? OR 03H=spkr ON

_F000:FBD3 ; 1: Tmr 2 data AND 0fcH=spkr OFF

_F000:FBD3 ; 3: 1=read high switches

_F000:FBD3 ; 4: 0=enable RAM parity checking

_F000:FBD3 ; 5: 0=enable I/O channel check

_F000:FBD3 ; 6: 0=hold keyboard clock low

_F000:FBD3 ; 7: 0=enable kbrd

_F000:FBD5

_F000:FBD5 loc_FFBD5: ; CODE XREF: Sound_Speaker+2Cj

_F000:FBD5 mov cx, 5000h ; Delay

_F000:FBD8

_F000:FBD8 loc_FFBD8: ; CODE XREF: Sound_Speaker+28j

_F000:FBD8 out 0EBh, al

_F000:FBDA out 0EBh, al

_F000:FBDC out 0EBh, al

_F000:FBDE out 0EBh, al

_F000:FBE0 loop loc_FFBD8

_F000:FBE2 dec bl

_F000:FBE4 jnz loc_FFBD5

_F000:FBE6 mov al, ah ; Restore the data of 61h

_F000:FBE8 out 61h, al ; PC/XT PPI port B bits:

_F000:FBE8 ; 0: Tmr 2 gate 退? OR 03H=spkr ON

_F000:FBE8 ; 1: Tmr 2 data AND 0fcH=spkr OFF

_F000:FBE8 ; 3: 1=read high switches

_F000:FBE8 ; 4: 0=enable RAM parity checking

_F000:FBE8 ; 5: 0=enable I/O channel check

_F000:FBE8 ; 6: 0=hold keyboard clock low

_F000:FBE8 ; 7: 0=enable kbrd

_F000:FBEA retn

_F000:FBEA Sound_Speaker endp

3BIOScopy

当内存检测完毕,一切准备就绪的时候,award bios就会准备把biosROMcopy到实际的RAM中来。当然在做这些之前还做了其他的动作,比如说操作timer呀什么的,看上面的代码就好,不赘述了。

_F000:E439这行开始,bios先去在F000段搜索是否有压缩的字样(当然肯定是有啦。)找到后,把BIOSROM里面copy出来,分别放到了10000-2FFFFHE000F000分别对应10002000)对应的RAM里面,同时也备份了一份到180000H-19FFFFH里面。然后用一个FAR jmp_F000:E482这行就可以看出来。)彻底让CPURAM里面取指令了。

不过,需要说明的是:虽然bios是被copy到了10002000段里来,也确实用了FAR jmp指令来跳转,但是由于此时BIOS ROM里面的源码和在10002000段里面的源码是一模一样的。所以,我们目前还是可以继续在当前的bin文件里面反汇编的哦。所以我们可以假设目前的BIOS源码就是在2000(对应到了F000)段里了。这里的思维转换一定要转换过来!!因为后面还有难度更大的转换。

4、小结

这个章节里面主要和大家讨论了BIOS把自身从ROM里面copyRAM里面的过程。也说明了,为什么我们还要继续用当前的bin文件来反汇编。

iteye_19871
关注
【我所认知BIOS->反汇编BIOSBootblock(2)
肢解BIOS
05-13 8188
【我所认知BIOS->反汇编BIOSBootblock(2)--CPU micro code updateBy Lightseed5/12/20101、CPU micro code的背景先做个铺垫为什么要在BIOS刚刚开始跑的时候就来讲CPU的micro code。以下引用自网络:;-------------------------------------在十
【我所认知BIOS->反汇编BIOSBootblock(9)
肢解BIOS
06-24 1万+
为什么会有bootblock和非bootblock这么一说呢?其实就是因为有没有真正的内存可以用的区别。这个章节里我们一起来看看经过之前那些章节的讨论后,BIOS在初始化memory之前会做的一些动作。(稍微比较琐碎点,看起来比较枯燥。)Memory initial这个函数里面,会再做一些前期的准备工作。比如8259的中断控制器的初始化,PCIE的初始化,等等然后进入到intel提供的MRC里面去。那么这节就讲讲这个函数里面具体接触的东西。
【我所认知BIOS->反汇编BIOSBootblock(6)
肢解BIOS
05-18 4495
【我所认知BIOS->反汇编BIOSBootblock(6)--关于S3与Normal reset BIOS的走向By Lightseed5/18/2010一、BIOS的主流程我们的BIOS主流程如图1所示,上一个章节我们的BIOS执行到了记录CPU type的东东,当时我们就发现其实在Record_CPU_type的前面还有其他函数。那么我们这节就来单独讨论这个问题。这
【我所认知BIOS->反汇编BIOS之准备工作
热门推荐
肢解BIOS
03-12 1万+
【我所认知BIOS->反汇编BIOS之准备工作              LightSeed3/11/2010上海      在我们进入反汇编的旅途之前,我想我应该把一些大家应该准备的东西都列一下,只有有了这样的针对性准备嘛,我想我写的文章才更能引起大家的共鸣。我用的主板是915GS+ICH6+Winbond83627HF的主板。Bios也就是用awardflash.exe
【我所认知BIOS->反汇编BIOSBootblock(1)
肢解BIOS
05-13 1万+
【我所认知BIOS->反汇编BIOSBootblock(1)By Lightseed5/12/2010 先说明,我用来反汇编BIOS bin文件是512KB的。它是研XXX出的一块板子AIMB552主板上的BIOS。呵呵。。。有兴趣的,大家可以买块板子搞里面的BIOS哦。不过,我想这种文件应该只要用AwardFlash都可以dump出来,所以也应该不会侵权。我就在这里和大家
【我所认知BIOS->反汇编BIOSBootblock(4)
肢解BIOS
05-14 5766
【我所认知BIOS->反汇编BIOSBootblock(4)--initialize Super IOBy Lightseed5/13/2010一、BIOS的主流程到目前为止,我们已经看了两个重要的函数了,也是BIOS的必经之路。如下面的代码片段,BT_CPU_Init和Chipset_Reg_Init_Early我们都详细探讨过,那么随着流程下去,就是讨论SuperIO
【我所认知BIOS->反汇编BIOS之‘开始’
肢解BIOS
03-11 7843
【我所认知BIOS->反汇编BIOS之‘开始’               LightSeed3/11/2010上海   我想稍微懂点BIOS的人都应该知道,目前blog里面的文章其实都是很基础很基础的东西。说白了呢就是没什么技术含量,说好听点呢,就是对技术的细节理解比较深刻。总之就是只能看看,不能排上实际用途了。不得不又要说一点就是,X86的东西,确实很多很杂,只有把这些小的
【我所认知BIOS->反汇编BIOSBootblock(3)
肢解BIOS
05-14 8471
【我所认知BIOS->反汇编BIOSBootblock(3)--initialize some chipset registerBy Lightseed5/13/2010在上一篇中,我和大家探讨了下面代码中的BT_CPU_Init这个函数,它主要是一些特殊CPU的micro code的update。那么我们继续往下走,就会发现初始化chipset寄存器的函数,如_F000:E
【我所认知BIOS->反汇编BIOSBootblock(7)
肢解BIOS
05-20 6655
【我所认知BIOS->反汇编BIOSBootblock(7)-- Memory initial 之前的一些初始化DMA,8259By Lightseed5/20/20101、BIOS的主流程为什么会有bootblock和非bootblock这么一说呢?其实就是因为有没有真正的内存可以用的区别。这个章节里我们一起来看看经过之前那些章节的讨论后,BIOS在初始化memory之
IBM PC早期计算机BIOS及其汇编源代码
02-20
代码部分来自Google的重建IBMPC BIOS项目(https://sites.google.com/site/pcdosretro/ibmpcbios),其中的BIOS镜像(*.rom)可用于各种IBM PC模拟器,可按情况使用。源代码可以用masm编译,站内英文说明文件如下: IBM PC BIOS source code reconstruction This is a reconstruction of the IBM PC, PC XT, PC AT and PC XT 286 BIOS source code using scanning and transcription of the BIOS listings found in the IBM Technical Reference manuals. This historically relevant source code is presented here for software preservation. The following BIOS source code has been reconstructed: IBM PC version 1 04/21/81 IBM PC version 2 10/19/81 IBM PC version 3 10/27/82 IBM PC XT version 1 11/08/82 (also used on the Portable PC) IBM PC XT version 2 01/10/86 IBM PC XT version 3 05/09/86 IBM PC AT version 1 01/10/84 IBM PC AT version 2 06/10/85 IBM PC AT version 3 11/15/85 (used on the PC AT models 319 and 339) IBM PC XT 286 04/21/86 Notes: • All 3 versions of the IBM PC BIOS and the first version of the IBM PC XT BIOS were built using Intel ASM86 on an Intel development system. In each case the BIOS source code is a single large file and the BIOS code is 8KB which resides at F000:E000 • The IBM PC AT version 1 BIOS was built using IBM MASM 1.0 on DOS. This is the first IBM BIOS which uses multiple source files. Since IBM MASM 1.0 did not support the 80286 there is a macro file (IAPX286.MAC) which is used to generate the necessary opcodes. This is also the first BIOS to be split into two parts: the main BIOS code resides at F000:0000 and the compatibility section (ORGS.ASM) resides at F000:E000. An additional file FILL.ASM has been added to define the area between the end of the main BIOS code and the compatibility section to allow the BIOS to be linked properly. It is currently unknown how this was originally handled. • The IBM PC AT version 2 and 3 BIOS and the IBM PC XT 286 BIOS were built using IBM MASM 2.0 on DOS. These are similar to the PC AT version 1 BIOS but there are fewer source files as some files were combined and a bit of cleanup was done. IAPX286.INC is used to generate the protected-mode 80286 opcodes which IBM MASM 2.0 did not support. FILL.ASM serves the same purpose as it does for the PC AT version 1 BIOS though in each case the file is specific to the particular BIOS being built. • The IBM PC XT version 2 and 3 BIOS were built using IBM MASM 2.0 on DOS. The later PC XT BIOS code was restructured to be similar to the PC AT BIOS code so there are multiple source files. Like the PC AT BIOS the code is split into two parts though the compatibility section is in the file POST.ASM. Again the additional file FILL.ASM is used to define the area between the end of the main BIOS code and the compatibility section. • The following code is present in all versions of the PC AT BIOS and the PC XT 286 BIOS but does not appear in the published listings. It is inferred from the public symbols in ORGS.ASM and code disassembly. It is unknown what purpose this code serves. .XLIST ;;- ORG 0FF5AH ORG 01F5AH HRD PROC FAR CALL DISK_SETUP RET HRD ENDP FLOPPY PROC FAR CALL DSKETTE_SETUP RET FLOPPY ENDP SEEKS_1 PROC FAR CALL SEEK RET SEEKS_1 ENDP TUTOR: JMP K16 .LIST • In all cases the 32KB ROM BASIC code which resides at F6000 is not available as its source code was never published. • Versions of MASM later than 4.0 cannot be used to build the IBM BIOS source code since older constructs and macros are used. More information about functionality changes in the IBM PC BIOS code is listed here: IBM PC BIOS version history
AwardBIOS逆向工程指导
04-17
这是一篇Award BIOS逆向工程的文章,可以加深对BIOS工作流程的认知,提到很多我们在逆向工程中经常犯的错误, 是一篇很好的文章
用汇编语言编写的读取BIOS设置CMOS信息的程序(含源代码)
06-22
自己编写的用汇编语言读取BIOS设置CMOS信息的程序(含源代码),分两个版本:动态版和静态版,能读取即时信息或随时间改变的动态信息
Bread:一款功能强大的BIOS逆向工程和高级调试工具_bios 逆向(1)
最新发布
2401_84267528的博客
04-17 1277
当前版本的Bread支持下列功能:1、读取内存;2、写入内存;3、读取和写入寄存器;4、单步模式;5、断点;6、硬件监控点;
Bread:一款功能强大的BIOS逆向工程和高级调试工具
FreeBuf_的博客
01-24 1889
当前版本的Bread支持下列功能:1、读取内存;2、写入内存;3、读取和写入寄存器;4、单步模式;5、断点;6、硬件监控点;
英特尔确认Alder Lake CPU的UEFI BIOS源代码泄漏
一棹春风一叶舟,一纶茧缕一轻钩
12-05 1288
英特尔确认Alder Lake CPU的UEFI BIOS源代码泄漏
Hayden Luo BIOS 总体结构及部分源代码分析
aaronychen的专栏
07-31 8237
ARM 学习报告003——HaydenLuo BIOS 总体结构及部分源代码分析杜云海( duyunhai@hotmail.com ,(wwww.seajia.com)这段时间事情真的是很多,老板要文章,这已经要人命了,还要翻译成英文投到国际会议,还有本科生毕业设计… ,于是报告003 就这么被推迟了。不过,鲁迅先生说时间是海绵,的确有道理,终于还是基本上看完了Bootload
探索1999年的Phoenix BIOS源代码
Phoenix BIOS是早期计算机BIOS的代表性产品之一,它是计算机启动时加载操作系统前运行的一个基本输入输出系统程序。BIOS全称为Basic Input/Output System(基本输入输出系统),位于主板上的一块可擦写只读存储器...
评论
成就一亿技术人!
拼手气红包6.0元
还能输入1000个字符
 
红包 添加红包
表情包 插入表情
表情包 代码片
 条评论被折叠 查看
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值