Hello, you can look at it?

AWDhack v1.3 Documentation
Release 1.2
Copyright 1999 Michael Kalinin
All Rights Reserved

Freeware version 1.3 (04-04-1999)
Internet: plexer@sakhalin.ru

TABLE OF CONTENTS
-----------------

1. Disclaimer
2. What AWDhack Does
3. How AWDhack Does It
4. Who Is AWDhack For
5. Installation
6. Command Line Parameters
7. Step By Step
8. Recommendations
9. History
A. FAQ
B. Contacting The Author

Disclaimer
----------

AWDhack is distributed "as is". The author of this program makes no
warranty, expressed or implied, as to the merchantability or fitness for a
particular purpose, with respect to this software and documentation. The
author will not be held liable for any damages arising from the (mis)use of
this program.

This software may be distributed freely, as long as:

I)  All files are distributed together as a single package.
II) All files remain in their original form. Editing is prohibited.

Inclusion of this program in any publication requires the prior written
permission from the author of this software.

What AWDhack Does
-----------------

Using AWDhack you can change ANY byte or group of bytes in your BIOS file.
Later you can write that BIOS file (*.AWD, *.ROM, *.BIN, etc.) into flash
memory using AWDFLASH.EXE.

Why might that be needed? For example, you wish to make some special
security check for your system and are not satisfied with the in-system
password check, which is so easy to hack; or you may have some special
procedure which may be put in the BIOS (why not?!); or just for fun!
The "special procedure" may contain your own INTRO with cool effects.

* If you find another way to use AWDhack please inform me.

How AWDhack Does It
-------------------

An Award BIOS file contains some parts (VGA BIOS, NCR BIOS, EPA, LOGO, etc.)
and the System BIOS. Even if none of the additional parts are present, the
System BIOS is included anyway. The file 'ORIGINAL.TMP' contains the System
BIOS.
By changing ORIGINAL.TMP you change the System BIOS (of course, only once
you flash it). The BIOS file has a special packed format (modified LZH), and
AWDhack just uses MODBIN.EXE to unpack and repack ORIGINAL.TMP, letting you
modify ORIGINAL.TMP in between using a program you specify.

Who Is AWDhack For
------------------

This program is intended for those who want to get full control of their
system. If you dislike having one unchanged part of the computer named
"BIOS", then this is for you. But! AWDhack is ONLY for professional users,
especially for hackers, who know assembler and the system excellently.

Installation
------------

AWDhack requires MODBIN.EXE by Award Software to provide correct
compress-decompress procedures for the BIOS file. Also, in the configuration
file AWDHACK.CFG you must specify the program you wish to run when
ORIGINAL.TMP is unpacked. It is a good idea to use any HEX editor for that.
I usually use HIEW.EXE by E. Suslikov.
MODBIN.EXE must be in the current directory with AWDhack.

* MODBIN.EXE is not modified in any way.

Command Line Parameters
-----------------------

The command line must contain the BIOS filename. For example:

    AWDhack.exe 565wiq0e.bin

Other options are available via the configuration file.

Step By Step
------------

This example uses 565wiq0e.bin as the name of the original BIOS file.

1. Type: "AWDhack.exe 565wiq0e.bin"
2. The program specified in AWDHACK.CFG runs
3. Modify ORIGINAL.TMP (or just replace it with a new one)
4. Exit the program

The modified BIOS file appears in the current directory as AWARD.BIN.
Now you can write the new BIOS using AWDFLASH.EXE.

* A bug may occur and the program does not run in step 2.
  You can manually go to "Update file" and type the name you wish.

Recommendations
---------------

This part contains recommendations and examples.

***-1-**************************************

Warning!!!
First of all you must understand what may happen if you make a mistake and
write wrong code into the BIOS.
So, I'm so sorry for you if that happens :(
And I strongly recommend you use some "safe method".
For how to recover a corrupt BIOS, read Wim's BIOS page:
http://www.ping.be/bios/faq.html#q9

But I use another quick way: if you crash the BIOS, you just change the
video card to a different one and boot the system to fix the error(s).
How? Easy! Begin your procedure with code like this:

        PUSH  ES                           ;store original ES
        PUSH  0C000H                       ;segment of video bios
        POP   ES                           ;ES=0C000h
        CMP   WORD PTR ES:[xOFFSET],xWORD  ;if that card has special xWORD ...
        POP   ES                           ;restore original ES by the way
        JE    MyProc                       ;...go to a new code
        RETN                               ;else return (or jump someway)
MyProc:
        .
        .
        .

It is a good idea to point xOFFSET to a manufacturer string in the video
BIOS. For example, the STB Lightspeed 128 video card has the string "128" at
offset 133H, so ES:[0134H] = 3832H. If you change the card to a different
one, there will most likely be another word at that offset.

***-2-**************************************

A quick and easy way to create your own procedure: write a plain COM file
and insert it into the BIOS. How? Look at this:

MyProc:
        PUSH  DS            ;store all regs
        PUSH  ES
        PUSH  GS
        PUSH  FS
        PUSHA
        MOV   AX,CS
        MOV   DS,AX         ;DS=CS - dump of COM file in bios
        MOV   AX,5000H      ;5000H - one of free area in virgin clean RAM
        MOV   ES,AX         ;ES=5000H
        MOV   SI,6A20H      ;near that offset usually free space
        MOV   DI,100H       ;COM file offset
        MOV   CX,8000H
        CLD
        REP   MOVSB
        MOV   DS,AX         ;DS in COM must equal CS
        CALL  5000H:0100H   ;exec COM
        POPA                ;restore regs
        POP   FS
        POP   GS
        POP   ES
        POP   DS
        RETN

*  This way is also easy to debug
** Don't forget to use RET FAR to return from the COM instead of RET NEAR

***-3-**************************************

This is all OK, but where to place it? So, if you are a real hacker, you
know it! A good idea is to replace the EPA procedure.
It begins near 3000H and usually contains the following code (offsets may
differ):

2F24 808EE10110   OR    BYTE PTR [BP][001E1],010
2F29 F6461430     TEST  BYTE PTR [BP][00014],030
2F2D 7401         JE    00002F30
2F2F C3           RETN
2F30 06           PUSH  ES
2F31 1E           PUSH  DS
2F32 60           PUSHA
2F33 B83011       MOV   AX,01130
2F36 B702         MOV   BH,002
2F38 55           PUSH  BP
2F39 CD10         INT   10
2F3B 8BDD         MOV   BX,BP
2F3D 5D           POP   BP
2F3E 8CC0         MOV   AX,ES
2F40 8986D001     MOV   [BP][001D0],AX
2F44 899ECE01     MOV   [BP][001CE],BX
2F48 FC           CLD
2F49 B800E0       MOV   AX,0E000
2F4C 8ED8         MOV   DS,AX
2F4E B80060       MOV   AX,06000
2F51 8EC0         MOV   ES,AX
2F53 8D360512     LEA   SI,[01205]     ;1205H - another free space -
                                       ;EPA picture - about 980 bytes
                  .
                  .
                  .

All of that may be overwritten (about 400-450 bytes).
Here (offset 2F30H) I place the above "safe" code and the COM emulating
code, and then just change the COM dump at address 6A20H using HIEW's
read-block-from-file operation to get new features.

History
-------

Version 1.1   First version. Released 10-10-97. Has many bugs.

Version 1.2   Fixed bugs in v1.1. Released 11-11-97.
              Automation to run and close MODBIN.EXE added.

Version 1.3   This version. Released 04-04-99.
              Many people ask me why AWDhack works only with version
              4.50.60. So this new version of AWDhack tries to detect the
              MODBIN version and, if it is a tested one, runs okay.
              So far only v4.50.60 and v4.50.63A are tested.
              And anyway, if you have a different version of MODBIN you can
              disable version detection by changing an option in the
              configuration file. But an untested version can work
              incorrectly. If you have an untested version, please inform me
              of the version number and where I can download it.

FAQ
---

Q.: Why does HIEW.EXE report a 'Read only' error?
A.: Use pure DOS, not WINDOWS.

Hm, no more questions?
Contacting the Author
---------------------

If you have any bugs to report, suggestions, or anything much else really,
you can e-mail:

plexer@sakhalin.ru
UIN#5359887

>
>
> Hi, there,
>
> I am very interested in flashing the etherboot code into the AWARD BIOS
> chip on a GIGABYTE mainboard. But as I can learn from the previous
> discussions, there is a question of local boot, because the BIOS runs
> etherboot code immediately after itself without trying floppy or HDD first.
> In this case, I might have to take a risk of un-bootable if errors happened
> in etherboot codes building. How can I avoid this risk?
>

===========================================================================
This Mail was sent to netboot mailing list by:
"jyllyj" <jyllyj@163.net>
To get help about this list, send a mail with 'help' as the only string in
its body to majordomo@baghira.han.de. If you have problems with this list,
send a mail to netboot-owner@baghira.han.de.
For requests or suggestions regarding this mailing list archive please write to netboot@gkminix.han.de.
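
The description under "How AWDhack Does It" (an Award image is a set of packed modules, with the System BIOS stored as ORIGINAL.TMP) suggests a defensive check: inventory the modules in a flash dump and compare them with a trusted vendor image. The Python below is an added example, not part of the original mail or of AWDhack; it assumes the modules carry standard LHA level-0/1 entry headers (the page only says "modified LZH"), and the function names, module names other than original.tmp, and sample images are constructed for illustration.

```python
import hashlib
import struct

def make_module(name: bytes, packed: bytes, orig_size: int) -> bytes:
    # Builds one level-0 LHA entry; used only to construct the sample images.
    body = (b"-lh5-" + struct.pack("<IIIBB", len(packed), orig_size, 0, 0x20, 0)
            + bytes([len(name)]) + name + b"\x00\x00")
    return bytes([len(body), sum(body) & 0xFF]) + body + packed

def list_modules(image: bytes) -> list:
    """Find every LHA entry header in a BIOS image and describe its module."""
    modules, pos = [], 0
    while (pos := image.find(b"-lh", pos)) != -1:
        start, pos = pos - 2, pos + 1      # header begins 2 bytes before the method id
        if start < 0 or image[start + 6:start + 7] != b"-":
            continue
        hsize, hsum = image[start], image[start + 1]
        body = image[start + 2:start + 2 + hsize]
        # Reject false hits: short or truncated header, bad checksum, bad name length.
        if (hsize < 22 or len(body) != hsize or (sum(body) & 0xFF) != hsum
                or 22 + body[19] > hsize):
            continue
        packed, orig = struct.unpack_from("<II", body, 5)
        data = image[start + 2 + hsize:start + 2 + hsize + packed]
        modules.append({"name": body[20:20 + body[19]].decode("ascii", "replace"),
                        "offset": start, "packed": packed, "orig": orig,
                        "sha256": hashlib.sha256(data).hexdigest()})
    return modules

def diff_modules(reference: bytes, candidate: bytes) -> list:
    """Report modules added, missing or altered relative to a trusted image."""
    ref = {m["name"]: m for m in list_modules(reference)}
    cand = {m["name"]: m for m in list_modules(candidate)}
    findings = []
    for name in sorted(ref.keys() | cand.keys()):
        if name not in ref:
            findings.append((name, "added"))
        elif name not in cand:
            findings.append((name, "missing"))
        elif ref[name]["sha256"] != cand[name]["sha256"]:
            findings.append((name, "changed"))
    return findings

# Constructed sample images (not real firmware): 0xFF padding plus dummy payloads.
PAD = b"\xff" * 64
VGA = make_module(b"vga.rom", b"\x22" * 24, 0x8000)
REFERENCE = PAD + make_module(b"original.tmp", b"\x11" * 40, 0x20000) + VGA + PAD
CANDIDATE = (PAD + make_module(b"original.tmp", b"\x33" * 40, 0x20000) + VGA
             + make_module(b"extra.rom", b"\x44" * 8, 0x1000) + PAD)
```

Hashing the packed bytes rather than comparing sizes matters here, because a hex-editor patch to ORIGINAL.TMP can leave the module sizes unchanged.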