Option ROM loaded but no boot device

You need to login to view this posts content.

 

I found this on lower RAM area in Option ROM shadowed in RAM

Code:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00000000   24 50 6E 50 01 02 00 00  00 94 95 10 32 31 06 00   $PnP.....”•.21..
00000010   EA 15 01 01 80 E4 91 33  00 00 00 00 00 00 00 00   ê...€ä‘3........
00000020   24 50 6E 50 01 02 00 00  00 5C 95 10 32 31 00 00   $PnP.....\•.21..
00000030   00 00 01 01 80 E4 01 00  00 00 00 00 00 00 00 00   ....ۊ..........
00000040   24 50 6E 50 01 02 00 00  00 5C 95 10 32 31 00 00   $PnP.....\•.21..
00000050   00 00 01 01 80 E4 01 00  00 00 00 00 00 00 00 00   ....ۊ..........
00000060   24 50 6E 50 01 02 00 00  00 5C 95 10 32 31 00 00   $PnP.....\•.21..
00000070   00 00 01 01 80 E4 01 00  00 00 00 00 00 00 00 00   ....ۊ..........

First entry is different from initial one so I think that's the correct PnP header.

And this in F0000h-FFFFFh region

Code:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

000FE2D0   24 50 6E 50 10 21 01 00  BC B4 04 00 00 F1 E2 00   $PnP.!..¼´...ñâ.
000FE2E0   F0 F4 E2 00 00 0F 00 00  00 00 00 40 00 40 00 00   ðôâ........@.@..
000FE2F0   00 E9 EE D4 E9 F6 D4 FA  E4 64 A8 04 74 14 B0 8F   .éîÔéöÔúäd¨.t.°
000FE300   E8 B7 E2 3C 04 72 0B 3C  0B 74 07 3C 0C 77 03 E9   è·â<.r.<.t.<.w.é
000FE310   0E 83 BA 30 10 ED 83 E0  FE EF B0 02 E6 92 E6 84   .ƒº0.íƒàþï°.æ’æ„
000FE320   B0 03 E6 92 F4 EB                                  °.æ’ôë

Area FED20h-FED2F0h is PnP installation check ?

Making a FAR CALL to location pointed by BCV will initialize boot sequence?
Is not clear for me what I need to put in ES : DI

 

According to what I read in PnPBIOS datasheet BIOS must make a FAR CALL to a location pointed by PnP header.
BIOS will pass the following parameters when calling the Boot Connection Vector.
AX04h (which vector to hook,in may case INT13)
ESIPointer to System BIOS PnP Instalation check structure
BXFFFFh(CSN for card,If not ISA PnP device parameter will b FFFFh)
DXFFFFh(Read data port,If not ISA PnP device parameter will be FFFFh)

Since in my case disks number in BIOS DATA AREA is not increased by option ROM and in disassembly of BCV seems that be done that way I think BIOS is not doing his job corectly.

Let's say I build another option ROM and insert into BIOS and choose network as first boot device.Can this make what BIOS doesn't?
Is possible to work or such thing is impossible?

So can somebody help me with this?

Code:

mov ax, 04h
mov bx, FFFFh
mov dx, FFFFh
ES:DI pointed to 000FE2D0h
CALL FAR 0D000h:1391h;note this could be wrong due to wrong calc by me or wrong segment:offset

Here is some address suplementar info.

Code:

Begining of ROM

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

000CE000   55 AA 24 E9 42 7A 53 49  4C 49 43 4F 4E 20 49 4D   Uª$éBzSILICON IM

PnP header

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

000CF260   00 00 00 00 00 00 00 00  00 00 00 00 24 50 6E 50   ............$PnP
000CF270   01 02 00 00 00 B5 95 10  32 31 06 00 EA 15 01 00   .....µ•.21..ê...
000CF280   00 44 91 33 00 00 00 00  00 00 00 00 24 50 6E 50   .D‘3........$PnP       ;000CF282 is BCV 3391h

PnP Installation check

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

000FE2D0   24 50 6E 50 10 21 01 00  BC B4 04 00 00 F1 E2 00   $PnP.!..¼´...ñâ.

Boot connection vector disassembly by IDA

seg000:D1391 ; ---------------------------------------------------------------
seg000:D1391                 mov     ax, 0
seg000:D1394                 push    ds
seg000:D1395                 pushf
seg000:D1396                 push    bx
seg000:D1397                 mov     bx, ax
seg000:D1399                 mov     ax, 0
seg000:D139C                 mov     ds, ax
seg000:D139E                 cmp     large ds:byte_475, 0
seg000:D13A6                 jnz     short near ptr unk_13AD
seg000:D13A8                 nop
seg000:D13A9                 nop
seg000:D13AA                 call    loc_D57
seg000:D13AD                 cmp     cs:byte_59, 0
seg000:D13B3                 jnz     short near ptr unk_13DB
seg000:D13B5                 nop
seg000:D13B6                 nop
seg000:D13B7                 shl     bl, 1
seg000:D13B9                 call    loc_1594
seg000:D13BC                 call    loc_1556
seg000:D13BF                 mov     al, 80h ; 'Ç'
seg000:D13C1                 add     al, large ds:byte_475
seg000:D13C8                 mov     cs:byte_5E, al
seg000:D13CC                 mov     di, cs:[bx+18Ch]
seg000:D13D1                 mov     cs:[di+74h], al
seg000:D13D5                 call    loc_D87
seg000:D13D8                 jmp     short loc_13F9
seg000:D13D8 ; ---------------------------------------------------------------

Maybe I do calc wrong?

Boot Connection Vector contain an offset from the start of the option ROM header to a routine that will hook INT13
but if need to be called with one parameter in AX why first instruction in is
mov ax, 0 ?
I read some about segment addressing but even if in theory I understand how is done but I can't put it in practice.And at ESI pointer to PnP instalation check I'm completly lost.