trying to modify acer 5536G bios
#11
(04-14-2011, 08:07 AM)AHMED HOSSAM Wrote: 1) My question is about the Phoenix BIOS Editor. When it decompresses a ROM file, it creates a file called psi.log that contains information like this:
File Name: _T00 (TEMPLATE)
ROM Offset: 0x95B41
Size: 12473 (0x30B9)
Type (1=bin,2=sectioned): 2
Status: 0xF8
Flags: 0x0
Section Type/Size: 0x1/12449 (0x30A1)
Compressed/Decompressed Size: 12437(0x3095)/31892(0x7C94)
So I ask: if I open the bios.rom file with a hex editor and jump to offset 0x95B41, will I find the contents of tmplat00.rom there?
I didn't notice this question since you edited your post after I posted a reply (check the time of my previous post & the time when you edited your post). I checked this but I didn't get PSI.LOG after opening the BIOS image with PBE. I'm using v2.2.1.3. But I do remember seeing this log file before (a long time ago). The answer is yes, it is the offset of TEMPLAT00.ROM in the BIOS image. Remember, all modules are in compressed format in the BIOS image.
(04-14-2011, 08:07 AM)AHMED HOSSAM Wrote: 2) Now I can't find any overclocking options in strings.rom to unlock, so I'm wondering how I can create a new option in the BIOS.
I know I have asked you a lot of questions, I'm sorry for this, but please help me find some answers. Smile
It is not easy unless you're very very very good at assembly language. All options found in STRINGS00.ROM & TEMPLAT00.ROM have a token ID into the media table (where the values of the settings are stored). Also, you need to create new routines for the new options. If not, the new option will be useless.

Just want to add a little bit here: on Phoenix BIOS, all options found in STRINGS00.ROM & TEMPLAT00.ROM do work because they're properly linked to their routines & the appropriate media table. The only reason they don't work is a lack of hardware compatibility.

If you use my modified BIOS image & you like it, please consider making a donation. Thank you very much. Smile
#12
WELL, THANKS FOR YOUR ANSWERS KIZWAN Smile But now I just want to know: 1) When I opened the original ROM file in Phoenix BIOS Editor, I found this in the psi.log:
File Name: _T00 (TEMPLATE)
ROM Offset: 0x95B41
Size: 12473 (0x30B9)
Type (1=bin,2=sectioned): 2
Status: 0xF8
Flags: 0x0
Section Type/Size: 0x1/12449 (0x30A1)
Compressed/Decompressed Size: 12437(0x3095)/31892(0x7C94)
Then I just clicked anywhere to enable the build button, didn't change anything, and built the image correctly. After that I opened the built image with the Phoenix editor and found this in psi.log:
File Name: _T00 (TEMPLATE)
ROM Offset: 0x9CC81
Size: 12473 (0x30B9)
Type (1=bin,2=sectioned): 2
Status: 0xF8
Flags: 0x0
Section Type/Size: 0x1/12449 (0x30A1)
Compressed/Decompressed Size: 12437(0x3095)/31892(0x7C94)
You will notice that the templat00.rom offset has changed and its contents have changed too, although I didn't edit anything and just extracted the file and built it again. So I think the program extracted my file with an error. Am I right?


2) Do you think I'm good enough at editing BIOS to begin learning assembly language? I really don't know, but if you tell me yes I will begin learning assembly, and if you tell me no I will try to do more BIOS editing (the last thing I did was unlocking 9 options and the AMD menu in my Acer 5536G Phoenix Trusted Core BIOS). I built the image with the Phoenix editor because I can't use the Phoenix mod tool now due to problems with my computer. So check the image in the attachment of this post and tell me yes or no. I just want your opinion, as you are a good BIOS editor and you can tell me what to do. THANK YOU


Attached Files
.rar   ACER5536GBIOS.rar (Size: 585.18 KB / Downloads: 15)


"Many of life's failures are people who did not realize how close they were to success when they gave up." Smile
#13
(04-14-2011, 01:33 PM)AHMED HOSSAM Wrote: WELL, THANKS FOR YOUR ANSWERS KIZWAN Smile But now I just want to know: 1) When I opened the original ROM file in Phoenix BIOS Editor, I found this in the psi.log:
File Name: _T00 (TEMPLATE)
ROM Offset: 0x95B41
Size: 12473 (0x30B9)
Type (1=bin,2=sectioned): 2
Status: 0xF8
Flags: 0x0
Section Type/Size: 0x1/12449 (0x30A1)
Compressed/Decompressed Size: 12437(0x3095)/31892(0x7C94)
Then I just clicked anywhere to enable the build button, didn't change anything, and built the image correctly. After that I opened the built image with the Phoenix editor and found this in psi.log:
File Name: _T00 (TEMPLATE)
ROM Offset: 0x9CC81
Size: 12473 (0x30B9)
Type (1=bin,2=sectioned): 2
Status: 0xF8
Flags: 0x0
Section Type/Size: 0x1/12449 (0x30A1)
Compressed/Decompressed Size: 12437(0x3095)/31892(0x7C94)
You will notice that the templat00.rom offset has changed and its contents have changed too, although I didn't edit anything and just extracted the file and built it again. So I think the program extracted my file with an error. Am I right?

It's not because PBE is unable to extract the BIOS image properly. It's because whenever you build with PBE, it re-positions the modules. That's why the offsets are different after each build. This feature is useful when you are reintegrating a modified module with a file size bigger than the original one. PBE will shift the modules so it will fit properly. Regarding the offsets changing after building the same BIOS (no changes), I don't know why it does that but I guess PBE doesn't store/remember the original offsets. Actually this is what I expect from any good BIOS editor.

However, PBE has its own weakness, a fatal one. Sometimes PBE has a problem with the read/write buffer (I believe this is what it's called) when opening a BIOS image. This causes some modules to not be properly decompressed, which leads to incomplete modules. If you build & flash with this BIOS, it will brick the computer. So, make sure to re-build the BIOS image a couple of times, let's say 3 to 4 times, & compare all of them. I usually make sure the BIOS image is identical in 3 to 4 straight re-builds. If at the 2nd or 3rd or 4th time the BIOS image is different, I'll start over again (meaning restart the count). Also don't ever use PBE in a virtual machine's guest OS because PBE has a serious problem with the read/write buffer on it.

(04-14-2011, 01:33 PM)AHMED HOSSAM Wrote: 2) Do you think I'm good enough at editing BIOS to begin learning assembly language? I really don't know, but if you tell me yes I will begin learning assembly, and if you tell me no I will try to do more BIOS editing (the last thing I did was unlocking 9 options and the AMD menu in my Acer 5536G Phoenix Trusted Core BIOS). I built the image with the Phoenix editor because I can't use the Phoenix mod tool now due to problems with my computer. So check the image in the attachment of this post and tell me yes or no. I just want your opinion, as you are a good BIOS editor and you can tell me what to do. THANK YOU

If you want to learn the assembly language, just learn it. There shouldn't be any reason preventing you from learning it.

I have checked your modified BIOS image & I can only say it's properly built. But it doesn't mean it won't do any harm to your computer. By looking at the BIOS image, compared with the original BIOS image, it shouldn't brick your computer but I can't give you the assurance. Just make sure you know how to recover your notebook with a CRISIS disk.

If you use my modified BIOS image & you like it, please consider making a donation. Thank you very much. Smile
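
The two checks discussed in this exchange, as an added example that is not part of the original posts: a parser for the psi.log entries quoted above that tells a module which only moved (a different ROM Offset, which the reply says is normal after a rebuild) from one whose size fields changed, plus the "count identical rebuilds in a row" check. The function names are hypothetical, and the assumption that a full psi.log is a sequence of such entries, each starting with a `File Name:` line, comes only from the excerpts in the thread.

```python
import hashlib

# Constructed sample: the _T00 entry quoted in the thread for the original
# image, and the same entry after the no-change rebuild (offset 0x9CC81).
ORIGINAL_LOG = """\
File Name: _T00 (TEMPLATE)
ROM Offset: 0x95B41
Size: 12473 (0x30B9)
Type (1=bin,2=sectioned): 2
Status: 0xF8
Flags: 0x0
Section Type/Size: 0x1/12449 (0x30A1)
Compressed/Decompressed Size: 12437(0x3095)/31892(0x7C94)
"""
REBUILT_LOG = ORIGINAL_LOG.replace("0x95B41", "0x9CC81")


def parse_psi_log(text):
    """Return {module name: {field: value}} for every entry in the log text."""
    modules, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank or unrecognised line
        key, value = key.strip(), value.strip()
        if key == "File Name":
            current = modules.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return modules


def compare_logs(before, after):
    """Classify each module of `before`: 'same', 'moved' (only ROM Offset
    differs), 'changed' (any other field differs) or 'missing'."""
    result = {}
    for name, old in before.items():
        new = after.get(name)
        if new is None:
            result[name] = "missing"
            continue
        diff = {k for k in old.keys() | new.keys() if old.get(k) != new.get(k)}
        if not diff:
            result[name] = "same"
        elif diff == {"ROM Offset"}:
            result[name] = "moved"
        else:
            result[name] = "changed"  # sizes differ: investigate before flashing
    return result


def identical_streak(images):
    """Number of byte-identical images at the end of the list, i.e. the count
    that restarts whenever a rebuild differs from the one before it."""
    digests = [hashlib.sha256(data).hexdigest() for data in images]
    streak = 0
    for digest in reversed(digests):
        if digest != digests[-1]:
            break
        streak += 1
    return streak
```

To follow the advice in the reply, pass the bytes of each successive rebuild to `identical_streak` and accept the image only once the streak reaches 3 or 4.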
#14
I THINK YOU ARE RIGHT. THANKS FOR YOUR REPLY Smile Now I will begin learning assembly and won't stop learning till I know how the BIOS image is written and how to make new options. Also, I have read a lot of books about the CPU and all hardware, so this will be useful for me in learning assembly.
Concerning the Phoenix BIOS Editor, I think, as you said, it's good when changing the module size. But the Phoenix mod tool doesn't accept any modified module unless it's the same size or smaller; that's why I delete some options when adding new options and editing tmplat00.rom (I have removed the contents of the Information menu to add 4 new options instead of it). But I think the Phoenix mod tool is safer than the BIOS editor.
Also, I have a crisis disk, so I won't worry if I brick the BIOS. THANKS FOR YOUR HELP KIZWAN Smile


"Many of life's failures are people who did not realize how close they were to success when they gave up." Smile
#15
Well, I started learning assembly as you told me, but I have also been trying to find something about adding new options, so I have some questions and I hope you can help me Smile
Well, my questions are:
1) I know that the name of any option is found in strings.rom and the functions of this option are found in templat.rom, so is there any other file containing functions, routines or subprograms that are connected to the templat.rom file?

2) I have downloaded a BIOS from another Phoenix BIOS-based laptop which contains the OC options, so I'm trying to copy the option's functions from this BIOS's templat.rom file to my BIOS's templat.rom file. I have traced the option from strings.rom and found its offset in templat.rom, opened the templat.rom file with the IDA disassembler, then jumped to the offset of this option and found its function:
seg000:0A41 ; ---------------------------------------------------------------------------
seg000:0A41 add [bx+si+54h], dl
seg000:0A44 add dx, [bp+3]
seg000:0A47 xchg ch, [bp+si]
seg000:0A49 or ch, [bp+si]
seg000:0A4B push ss
seg000:0A4C sub bh, bh
seg000:0A4E sub [bx+si], dx
seg000:0A50 add ah, byte ptr ds:loc_2803
seg000:0A54 add di, word ptr ds:locret_4603
seg000:0A58 add cx, [bx+si+3]
seg000:0A5B dec dx
seg000:0A5C add cx, [si+3]
seg000:0A5F dec si
seg000:0A60 add dx, [bx+si+3]
seg000:0A63 push dx
seg000:0A64 add bp, [bp+si]
seg000:0A66 add bp, [si]
seg000:0A68 add bp, word ptr ds:loc_3003
seg000:0A6C add si, [bp+si]
seg000:0A6E add si, [si]
seg000:0A70 add si, word ptr ds:loc_3803
seg000:0A74 add di, [bp+si]
seg000:0A76 add di, [si]
seg000:0A78 add ax, [bx+si+3]
seg000:0A7B inc dx
seg000:0A7C add ax, [si+3]
seg000:0A7C ; ---------------------------------------------------------------------------

And it also has subprograms. So I want to copy this option to my templat.rom file. Will this be successful?
Thanks in advance. Smile


"Many of life's failures are people who did not realize how close they were to success when they gave up." Smile
#16
As far as I know, routines in TEMPLAT00.ROM are only there to control the menu behavior. For example, the Virtualization menu has a routine which checks the processor capability. If the processor doesn't support virtualization, the Virtualization menu will not be visible in the BIOS menu.
Example (Aspire 9420):-
Intel® Virtualization Technology
(templat0)
loc 0913: 00 14 C6 02 C8 02 AC 28 A1 28 8B 28 96 28 88 02
loc 0923: 8C 04 8E 04

00 Pick Field
14 Length
C6 02 - Offset in strings (item)
C8 02 - Offset in strings (description)
AC 28 A1 28 8B 28 96 28 - (routines offsets - control the menu behavior)
TOKEN ID 288
8C 04 - Offset in strings (Disabled) <-- these two are the available options you can select
8E 04 - Offset in strings (Enabled)


In the above example, there are 4 routines (AC 28, A1 28, 8B 28 & 96 28). Lets look to the first routine at offset 0x28AC:-
Code:
seg000:28AC ; ---------------------------------------------------------------------------
seg000:28AC                 push    bp
seg000:28AD                 mov     bp, sp
seg000:28AF                 call    sub_28B4
seg000:28B2                 pop     bp
seg000:28B3                 retf
seg000:28B4
seg000:28B4 ; =============== S U B R O U T I N E =======================================
seg000:28B4
seg000:28B4
seg000:28B4 sub_28B4        proc near               ; CODE XREF: seg000:28AFp
seg000:28B4                 mov     ax, 285h
seg000:28B7                 call    far ptr 0F000h:296Ch
seg000:28BC                 jz      short loc_28C3
seg000:28BE                 mov     ax, 0
seg000:28C1                 jmp     short locret_28C6
seg000:28C3 ; ---------------------------------------------------------------------------
seg000:28C3
seg000:28C3 loc_28C3:                               ; CODE XREF: sub_28B4+8j
seg000:28C3                 mov     ax, 13h
seg000:28C6
seg000:28C6 locret_28C6:                            ; CODE XREF: sub_28B4+Dj
seg000:28C6                 retn
seg000:28C6 sub_28B4        endp
seg000:28C6
The instruction mov ax, 13h basically hides the menu, while mov ax, 0 will make it visible. This is the part where the routine reads the register 0x285:-
Code:
seg000:28B4                 mov     ax, 285h
seg000:28B7                 call    far ptr 0F000h:296Ch
This line tells it to jump to location (offset) 0x28C3 when the condition is met (skipping the mov ax, 0 instruction):-
Code:
seg000:28BC                 jz      short loc_28C3
The TOKEN ID is the location of the Media table in ROMEXEC0x.ROM (if I'm not mistaken; I haven't explored this myself yet). The Media table contains the default settings & probably the locations of the rest of the routines.
(Sorry, I'm not very good with assembly language. This is the best I can do.)

I believe the routines which make the option work are in the BIOSCOD0x.ROM modules. This is part of the routine which enables/disables Virtualization in the Aspire 9420's BIOS (BIOSCOD6.ROM):-
Code:
seg000:C3FD                 mov     ecx, 3Ah ; ':'
seg000:C403                 rdmsr
seg000:C405                 mov     ebx, eax
seg000:C408                 mov     ax, 285h
seg000:C40B                 call    far ptr 0F000h:296Ch
seg000:C410                 jz      short loc_C42E
seg000:C412                 mov     ax, 288h
seg000:C415                 call    far ptr 0F000h:296Ch
seg000:C41A                 jz      short loc_C42E
seg000:C41C                 or      ebx, 4
seg000:C420                 mov     ax, 2A6h
seg000:C423                 call    far ptr 0F000h:296Ch
seg000:C428                 jz      short loc_C42E
seg000:C42A                 or      ebx, 2
seg000:C42E
seg000:C42E loc_C42E:                               ; CODE XREF: sub_C3E5+2Bj
seg000:C42E                                         ; sub_C3E5+35j ...
seg000:C42E                 mov     eax, ebx
seg000:C431                 test    al, 1
seg000:C433                 jnz     short loc_C43B
seg000:C435                 or      eax, 1
seg000:C439                 wrmsr
seg000:C43B
seg000:C43B loc_C43B:                               ; CODE XREF: sub_C3E5+11j
seg000:C43B                                         ; sub_C3E5+16j ...
seg000:C43B                 popad
seg000:C43D                 retn
seg000:C43D sub_C3E5        endp
seg000:C43D
This is the part where it reads register 0x288 (the TOKEN ID):-
Code:
seg000:C412                 mov     ax, 288h
seg000:C415                 call    far ptr 0F000h:296Ch
seg000:C41A                 jz      short loc_C42E
If register 0x288 is set to 1, it will jump to location 0xC42E.

I believe STRINGS00.ROM is linked to TEMPLAT00.ROM, TEMPLAT00.ROM is linked to ROMEXEC0x.ROM & ROMEXEC0x.ROM is linked to BIOSCOD0x.ROM. So, at the least, you'll need to modify these modules if you want to add new options.

It looks impossible, but if you are able to study it, you could open up more modding methods. What I know is only the tip of the iceberg. Please read this thread for more information:-
Decode Edit NVRAM Phoenix plus Setup Menu

(P/S: The person you contacted at MyDigitalLife forum is me. The same person. Smile)

If you use my modified BIOS image & you like it, please consider making a donation. Thank you very much. Smile
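
The record breakdown and the token reads in this post, as an added example that is not part of the original post: it decodes the 20-byte Pick Field record from the Aspire 9420 example, then searches code bytes for `mov ax, <token>` followed by the far call to F000:296C that both listings use to read a token. The field layout is taken from that single example; treating the words after the token ID as a variable-length list of option strings, and the function names, are assumptions.

```python
import struct

# The record quoted in the post (Aspire 9420, templat0 offset 0x913).
RECORD = bytes.fromhex(
    "00 14 C6 02 C8 02 AC 28 A1 28 8B 28 96 28 88 02 8C 04 8E 04"
)

# Bytes C408..C42D of the BIOSCOD6.ROM listing in the post, hand-assembled
# here from the disassembly (constructed sample, not extracted from a ROM).
CODE_BASE = 0xC408
CODE = bytes.fromhex(
    "B8 85 02 9A 6C 29 00 F0 74 1C "  # mov ax,285h / call F000:296C / jz
    "B8 88 02 9A 6C 29 00 F0 74 12 "  # mov ax,288h / call F000:296C / jz
    "66 83 CB 04 "                    # or ebx,4
    "B8 A6 02 9A 6C 29 00 F0 74 04 "  # mov ax,2A6h / call F000:296C / jz
    "66 83 CB 02"                     # or ebx,2
)

PICK_FIELD = 0x00
FIXED_LEN = 16  # type, length, 2 string offsets, 4 routine offsets, token ID


def parse_pick_field(buf, pos=0):
    """Decode one Pick Field record; all 16-bit values are little-endian."""
    if len(buf) - pos < 2:
        raise ValueError("truncated record header")
    rec_type, length = buf[pos], buf[pos + 1]
    if rec_type != PICK_FIELD:
        raise ValueError(f"not a Pick Field record (type 0x{rec_type:02X})")
    if length < FIXED_LEN or (length - FIXED_LEN) % 2:
        raise ValueError(f"implausible record length {length}")
    if pos + length > len(buf):
        raise ValueError("record runs past the end of the buffer")
    words = struct.unpack_from(f"<{(length - 2) // 2}H", buf, pos + 2)
    return {
        "length": length,
        "item_string": words[0],          # offset in strings (item)
        "description_string": words[1],   # offset in strings (description)
        "routines": list(words[2:6]),     # menu-behavior routine offsets
        "token_id": words[6],
        "option_strings": list(words[7:]),  # assumed: one word per choice
    }


def find_token_reads(code, token_id, base=0, getter=(0xF000, 0x296C)):
    """Addresses of 'mov ax, token_id' directly followed by a far call to the
    token-read routine (F000:296C in the post; other BIOSes may differ)."""
    seg, off = getter
    # B8 iw = mov ax, imm16; 9A iw iw = call far ptr seg:off (offset first).
    pattern = struct.pack("<BHBHH", 0xB8, token_id, 0x9A, off, seg)
    hits, i = [], code.find(pattern)
    while i != -1:
        hits.append(base + i)
        i = code.find(pattern, i + 1)
    return hits
```

Run against a decompressed BIOSCOD0x.ROM module, `find_token_reads` lists the places that consult a given token, which is a static way to see which code module an option from TEMPLAT00.ROM is tied to.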
#17
THANKS A LOT FOR YOUR USEFUL INFORMATION Smile Smile
Your information about calling the token ID and the bioscode0x.rom is very useful for me.
But after I read your reply and the thread you posted, I still don't know how the romexe0x.rom file is linked to the bioscode0x.rom file. In other words, what offsets should I search for in bioscode0x.rom? (I know to search for the token ID in romexe0x.rom and to search for any options in strings.rom or templat.rom, but I still don't know how bioscode0x.rom is connected to it.) E.g.,
loc 0913: 00 14 C6 02 C8 02 AC 28 A1 28 8B 28 96 28 88 02
loc 0923: 8C 04 8E 04
00 Pick Field
14 Length
C6 02 - Offset in strings (item)
C8 02 - Offset in strings (description)
AC 28 A1 28 8B 28 96 28 - (routines offsets - control the menu behavior)
TOKEN ID 288
8C 04 - Offset in strings (Disabled) <-- these two are the available options you can select
8E 04 - Offset in strings (Enabled)

The token ID is given here, so I can search for it in romexe0x.rom, and the offsets which are connected to strings.rom are given too, but what will I search for in bioscode0x.rom? I mean, where are the offsets that I should search for in the bioscode0x.rom file?

Also, I think I don't need to modify the romexe0x.rom file because it contains the NVRAM defaults. As I am trying to put the new option in place of an already existing option, the NVRAM will show the new option normally with the default of the last option (enable or disable), so I only need to modify strings.rom and templat.rom, and that's an easy job. But I will also need to modify bioscode0x.rom, as you said, which I don't know about.
So my question is: what offsets will I search for in bioscode0x.rom?
Thanks for your reply Smile Smile
( BEFORE I POSTED THIS THREAD FROM THE BEGINNING IN BIOS-MODS, I HAD DOWNLOADED YOUR BIOS TUTORIAL ABOUT EDITING BIOS, BUT I DON'T REMEMBER WHETHER FROM NOTEBOOK REVIEW OR MYDIGITALLIFE. BUT THIS TUTORIAL IS THE ONE THAT MADE ME ABLE TO EDIT THE BIOS BY MYSELF. I HAVE UNLOCKED ABOUT 30 OPTIONS WITH HELP FROM THIS TUTORIAL AND THE AMD MENU WITH HELP FROM YOU IN THIS THREAD. THANKS A LOT FOR YOUR HELP Smile Smile )


"Many of life's failures are people who did not realize how close they were to success when they gave up." Smile
#18
I have only taken a quick look at ROMEXEC0x.ROM & BIOSCOD0x.ROM. I don't know exactly how they are connected with each other yet. When it comes to adding new options, it's basically a whole new subject. I don't know what to suggest to you on it. Even if you are able to modify STRINGS00.ROM & TEMPLAT00.ROM to add new options, the new options are just dummy options without any function. I think you'll need to learn how the Media table in ROMEXEC0x.ROM is constructed & how it relates to other modules such as BIOSCOD0x.ROM. Sorry, I'm afraid I can't be of much help. Read rbjack's post & understand it.

If you use my modified BIOS image & you like it, please consider making a donation. Thank you very much. Smile
#19
Well, I have read member rjback's thread, but it's only talking about NVRAM, bcnp and the media table, which are all connected to templat.rom and strings.rom only, no bioscode.rom file.
Member rjback says in post 8 exactly what I tried to do (the BIOS is written the same way, so I will take only the code, not the whole file, then write it to my BIOS files):
((Yeah you can substitute it in place of a call to blank space. You could substitute any item in the bios menu you don't want. I have not tested inserting padding bytes yet, making the templat0.rom larger for custom menus. If there is a large submenu that is hidden, there is probably room to add it as part of the root menu if it was intentionally left out.
Part of the documentation from Phoenix states the format allows them to quickly integrate into another machine. Of course you can not just swap out a template and strings from another machine. Like many of the offbrand notebooks, the same internals are often found in brand name machines. Sold the same parts from same mfg. The firmware strings are rebadged with the oem name. Comparing some of the templates and strings they are very close to being the same. Looked a few Acer's and they use the same crippled firmware on several models. Fujitsu, some firmware are the same on different models going back for last two years. Yet a newer model may post an update for Win 7 but they don't update the older model. Point being, you can make assumptions some items like the token ID's will match. Observe what is the same and what makes them different across the firmware modules, ie bootblock, romexec, dmi, hole roms and templates. - excluding the info that is preloaded into hole roms. These values can be seen by using the bios dump tool found in the tools thread. Create a dump rom and unpack it into modules. Compare that with the oem unpacked firmware, you will find the hole roms now contain info about your machine shipped from oem. part numbers, serial number, uid, os installation, configurations, etc. This is not the same as what can be found in DMI but does contain some matching items. ))

First I will try replacing an existing option with a new one, so if it doesn't work I will try learning about bioscode0x.rom. And if it is successful, I will try completely adding the new option, not replacing one.
I know that strings.rom, templat.rom and setup.rom are only responsible for the menu view and behaviour, so the functions are written in another file.
And of course you are 100% right that the template, strings and romexe files are connected to bioscode.rom, but I will try not to change bioscode.rom at first and see whether the option is shown but doesn't work, or isn't shown at all (I will see what exactly happens so that I will know exactly the purpose of every file and the code written in it). After that happens I will know the missing functions by comparing it to the original file, then I'll try modifying the bioscode0x.rom file.
Also, you are right, I must know all about the media table in my BIOS.
So I will try doing this, and if I reach a good result I will post the method for you in this thread.
ALSO I CAN'T UNDERSTAND HOW RJBACK KNOWS THAT HIS PDM TABLE IS CONNECTED TO BIOSCOD02.ROM, AS HE SAID:
(((PDM_2:

In the few roms I have looked at the $PDM has been found in the ROMEXEC0.ROM file. The entire BCP table structure can be found below the $PDM entry. The PDM call locations for me is in the BIOSCOD02.ROM file. I loaded up my ROM in IDA and adjusted it to get the correct offsets. To get your actual offsets will require forcing the memory locations when loading in IDA. You can also use a NDISASM to decompile your rom images but this is not always accurate because you don't know what the start location of the CODE section is. The rom has no structure like an exe does. You need to load up in 16 bit mode. example of using NDISASM.)))
ndisasm -a -p intel -b 16 input.rom > output.dasm
I know you have answered a lot of questions and there is no more you can do for me. Thanks a lot for your great help Smile and please contact me when you know ANYTHING about the bioscode0x.rom files. Thank you Smile



"Many of life's failures are people who did not realize how close they were to success when they gave up." Smile
#20
Hello, I tried to upload the BIOS; the problem is I can not upload the .rom and I can not update the BIOS, I ace a great contribution. My laptop is a 5536, not a model G; do you think that's the problem?