ASUS Bioses, new way, anyone who wants to test it? Disassembly skills are welcome!

You need to login to view this posts content.

 

Here is my analysis of p5qbios from helps on this forum, not sure it is correct:

_4000:9C3A db 1
_4000:9C3B db 2
_4000:9C3C
_4000:9C3C ; =============== S U B R O U T I N E =======================================
_4000:9C3C
_4000:9C3C
_4000:9C3C sub_9C3C proc far
_4000:9C3C pushad
_4000:9C3E push ds
_4000:9C3F push 0F000h
_4000:9C42 pop ds
_4000:9C43 assume ds:nothing
_4000:9C43 mov al, 1
_4000:9C45 mov ds:0A0E0h, al
_4000:9C48 push cs
_4000:9C49 call near ptr sub_9DB5 ; loop through the PUBKEY+MAKER block
_4000:9C49 ; starting from the 2nd byte
_4000:9C49 ; plus one byte after it
_4000:9C49 ; length = 0x152
_4000:9C4C jb short loc_9C62 ; jump if not all 0xFF
_4000:9C4C ;
_4000:9C4E mov bx, 9C3Ah
_4000:9C51 mov al, cs:[bx]
_4000:9C54 cmp al, 0
_4000:9C56 jz short loc_9C5E
_4000:9C58 push cs
_4000:9C59 call near ptr sub_9DF0
_4000:9C5C jb short loc_9C62
_4000:9C5E
_4000:9C5E loc_9C5E: ; CODE XREF: sub_9C3C+1Aj
_4000:9C5E push cs
_4000:9C5F call near ptr sub_9E7C
_4000:9C62
_4000:9C62 loc_9C62: ; CODE XREF: sub_9C3C+10j
_4000:9C62 ; sub_9C3C+20j
_4000:9C62 pop ds
_4000:9C63 assume ds:nothing
_4000:9C63 popad
_4000:9C65 retf
_4000:9C65 sub_9C3C endp
_4000:9C65
_4000:9C66
_4000:9C66 ; =============== S U B R O U T I N E =======================================
_4000:9C66
_4000:9C66
_4000:9C66 sub_9C66 proc far
_4000:9C66 pushf
_4000:9C67 pushad
_4000:9C69 push ds
_4000:9C6A push cs
_4000:9C6B call near ptr sub_9DB5
_4000:9C6E jnb short loc_9C8A ; Jump if all 0xFF
_4000:9C70 push cs
_4000:9C71 call near ptr sub_9CF6 ; xor the PUBKEY+MAKER block
_4000:9C71 ; with 0xFF
_4000:9C74 jnb short loc_9C8A ; jump if there is an error
_4000:9C76 push cs
_4000:9C77 call near ptr sub_9D22 ; copy OEM string to
_4000:9C77 ; SLIC header, RSDT, XSDT
_4000:9C7A push 2CCFh
_4000:9C7D pop ds
_4000:9C7E assume ds:nothing
_4000:9C7E lea esi, ds:0C25h
_4000:9C83 call far ptr 5936h:9EDEh ; Copy SLIC to High Memory
_4000:9C83 ; and add it to RSDT, XSDT
_4000:9C88 jb short $+2
_4000:9C8A
_4000:9C8A loc_9C8A: ; CODE XREF: sub_9C66+8j
_4000:9C8A ; sub_9C66+Ej
_4000:9C8A pop ds
_4000:9C8B assume ds:nothing
_4000:9C8B popad
_4000:9C8D popf
_4000:9C8E retf
_4000:9C8E sub_9C66 endp

 

Hi, Yen,
I didn't see any configlock. But there is a little piece of code in f000:72bd which pull values at f000:e1a0 (0f00 0000 6201 0000 00) and set al to 0:

E1A000F0 => 0F00 0000 6201 0000 00

ds = 0xf000
si = 0xA0E1
bx = [si+2] = 0
cx = [si+4] = 0x162
dx = [si+4]-0x10 = 0x152
al = [si+8] = 0
si = [si+6] = 0

later on the function branched based on the al value. What happens next is the part I am not so sure of. But since the edi was pointing to the PUBKEY+MAKER block, I guess one of the branch will change the data preventing it being copied to high memory.
I don't have a eprom programmer.
So I need someone test it first. If it is correct, then we can start a new thread
I didn't find the configlock. I just skipped it Not sure I am correct.
I am not good at assembly language. So don't be surprised if I made a mistake

 

Here are the flow charts I created when I traced function at f000:72bd.
Hope it will help if anyone wants to take a look into it too.

 

waiting for the result if the mod bios is safe.

 

what is this mod suppose to do exactly?

 

ahh yes that would be great for future reference

 

Sorry I cant help because I only have 1 Rampage Formula board and I do not have the skills to recover if it screws up

 

You need to login to view this posts content.

 

Hi, Yen,

I used 'amimmwin.exe romfile /r 1b 1b-mod' to replace the 1b module

I did re-insert ASUSTEK bios signature

I didn't flash using 'afudos /ixxxx.rom /pbnc /n'. I only tried the method on P5Q's user manual --- 'afudos /ixxxx.rom'

I have the latest MMtool 3.22 available on the internet.

BIOS files created by MMtool 3.22 are not flashable by EZ-flash nor afudos. ASUS has their additional verification methods. But the modified BIOS works fine once you flash it in. I found the P5Q BIOS modified by the super static mod 3 had the same problem -- it cannot flashed by EZ-flash nor afudos

I only changed the 1B module.

Here are the steps:

extract 1b using mmtool.exe
open it in winhex; find the offset 0x10798; delete everything from offset 0x0 to 0x10798; save it to a new file.
open the new file in ida. the first 0x520 bytes are BIOS check points and function pointers --- it is a six-byte structure, if the first word is not 0xffff, it is a bios check point and its value; the second word is the function offset and the third word is the function segment
search for the string "System version"; there are hex 0x0, 0x1, 0x1, 0x2 after the string. at the byte after the 0x2 press "c" to convert the rest from binary to code. these are the functions I changed.

Your 1b-mod for rampage formula_0701 looks OK to me I checked it in IDA. It is amazing how you did it without a disassembler