Netboot Mailing List (by thread)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Questions on flashing ethernet into AWARD BIOS

you can  look at it

                ? AWDhack v1.3 Documentation Release 1.2  ?

      Copyright 1999   ?  Michael Kalinin   ?  All Rights Reserved

Freeware version 1.3 (04-04-1999)

  1. Disclaimer
  2. What AWDhack Does
  3. How AWDhack Does It
  4. Who Is AWDhack For
  5. Installation
  6. Command Line Parameters
  7. Step By Step
  8. Recommendations
  9. History
  A. FAQ
  B. Contacting The Author

AWDhack is distributed "as is". The author of this program makes no
expressed or implied, as to the merchantability or fitness for a particular
purpose, with respect to this software and documentation. The author will
be held liable for any damages arising from the (mis)use of this program.

This software may be distributed freely, as long as:

I)   All files are distributed together as a single package.
II)  All files remain in their original form. Editing is prohibited.

Inclusion of this program in any publication requires the prior written
permission from the author of this software.

What AWDhack Does
Using AWDhack you can change ANY byte or groups of bytes in your BIOS file.
Later you can write that bios file (*.AWD, *.ROM, *.BIN, etc) into flash
memory using AWDFLASH.EXE
Why that may be need?
For example, you wish make a some special security check for you system
and does not satisfy in-system password check which is so easy to hack;
you may has some special procedure which may be put in BIOS (why not?!);
just for fan! "Special procedure" may content your own INTRO with cool

* If you find other way to use AWDhack please inform me.

How AWDhack Does It
Award BIOS file contents some parts (VGA BIOS, NCR BIOS, EPA, LOGO and etc.)
and System BIOS. Even if all additional parts not present, System BIOS
included anyway. File 'ORIGINAL.TMP' contents System BIOS. And changing
ORIGINAL.TMP you change System BIOS (of course, only when flash it).
BIOS file have special packed format (modified LZH) and AWDhack just use
MODBIN.EXE to unpack-pack ORIGINAL.TMP, by the way let your modify
ORIGINAL.TMP using program your specify.

Who Is AWDhack For
This program is intended for those who want to get full control of your
system. If you unlike has one unchanged part of computer named "BIOS"
so that for you.
But! AWDhack is ONLY for professional users, especially for hackers,
excellently knowing assembler and system.

AWDhack is require MODBIN.EXE by Award Software to provide correct
compress-decompress procedures of the bios file.
Also in configuration file AWDHACK.CFG you must specify program you wish to
run when ORIGINAL.TMP is unpacked. Good idea to use for that any HEX-editor.
I usually use HIEW.EXE by E.Suslikov.
MODBIN.EXE must be in current directory with AWDhack.

* MODBIN.EXE does not modified in any way.

Command line parameters
Command line must content bios filename.
For example:

        AWDhack.exe 565wiq0e.bin

Other options available via configuration file.

Step By Step
That example use as name of original bios file name 565wiq0e.bin
1. Type: "AWDhack.exe 565wiq0e.bin"
2. The program specified in AWDHACK.CFG running
3. Modify ORIGINAL.TMP (or just replace it with new one)
4. Exit program

Modified bios file appears in current directory as AWARD.BIN
Now you can write new bios using AWDFLASH.EXE

* Bug may occure and program does not running in step 2
  Your can manually follow to "Update file" and type the name your wish

This part contents recommendations and examples


Warning!!! First of all you must understand what may happen if you mistakes
and write wrong code into bios. So, I'm so sorry you if that happen :(
And I strongly recommended you to use any "safe methods".

How to recover a corrupt BIOS read Wim's BIOS page

But I use other quick way: If you crash bios you just change the videocard
to different and load system to fix error(s).
How It?
Begin your procedure with code like that:

      PUSH   ES                           ;store original ES
      PUSH   0C000H                       ;segment of video bios
      POP    ES                           ;ES=0C000h
      CMP    WORD PTR ES:[xOFFSET],xWORD  ;if that card has special xWORD
      POP    ES                           ;restore original ES by the way
      JE     MyProc                       ;...go to a new code
      RETN                                ;else return (or jump someway)

The good idea to point xOFFSET to a manufacturer string in video bios.
For example, video card STB Lightspeed 128 has word "128" at offset 133H
So, ES:[0134H] = 3832H.
If you change card to different at that offset mostly was other word.


Quick and easy way to create your own procedure - write plane COM file
and insert it into bios.

Look at this:

      PUSH   DS             ;store all regs
      PUSH   ES
      PUSH   GS
      PUSH   FS
      MOV    AX,CS
      MOV    DS,AX          ;DS=CS - dump of COM file in bios
      MOV    AX,5000H       ;5000H - one of free area in virgin clean RAM
      MOV    ES,AX          ;ES=5000H
      MOV    SI,6A20H       ;near that offset usually free space
      MOV    DI,100H        ;COM file offset
      MOV    CX,8000H
      REP    MOVSB
      MOV    DS,AX          ;DS in COM must equ CS
      CALL   5000H:0100H    ;exec COM
      POPA                  ;restore regs
      POP    FS
      POP    GS
      POP    ES
      POP    DS

* This way also easy to debug
** Don't forget use RET FAR to return from COM instead of RET NEAR


This all ok, but where place it?
So, if you real hacker, you know it!
The good idea to replace EPA procedure. It begin near 3000H and usually
content next code (offsets may differ):

2F24  808EE10110   OR     BYTE PTR [BP][001E1],010
2F29  F6461430     TEST   BYTE PTR [BP][00014],030
2F2D  7401         JE     00002F30
2F2F  C3           RETN
2F30  06           PUSH   ES
2F31  1E           PUSH   DS
2F32  60           PUSHA
2F33  B83011       MOV    AX,01130
2F36  B702         MOV    BH,002
2F38  55           PUSH   BP
2F39  CD10         INT    10
2F3B  8BDD         MOV    BX,BP
2F3D  5D           POP    BP
2F3E  8CC0         MOV    AX,ES
2F40  8986D001     MOV    [BP][001D0],AX
2F44  899ECE01     MOV    [BP][001CE],BX
2F48  FC           CLD
2F49  B800E0       MOV    AX,0E000
2F4C  8ED8         MOV    DS,AX
2F4E  B80060       MOV    AX,06000
2F51  8EC0         MOV    ES,AX
2F53  8D360512     LEA    SI,[01205]  ;1205H - another free space - EPA
picture - about 980 bytes

All that may be overwrited (about 400-450 bytes)

Here (ofs 2F30H) I place above "safe" code and COM emulating code
and just change COM dump at address 6A20H using HIEW's read block
from file operation to getting new features

Version 1.1
First version. Released 10-10-97. Has many bugs.
Version 1.2
Fix bugs in v1.1.Released 11-11-97.
Automation to run and close MODBIN.EXE added
Version 1.3
This version. Released 04-04-99.
Many peoples ask me, why AWDhack does work only with version 4.50.60.
So, this new version of AWDhack try to detect MODBIN version and
if tested runs okay. Now tested only v4.50.60 and v4.50.63A.
And anyway, if you have different version of MODBIN you can disable
version detection by changing option in configuration file.
But not tested version can work incorrectly. If you have
not tested version please inform me version number and where can I
download it.

Q.: Why HIEW.EXE report me 'Read only' error?
A.: Use pure DOS, not WINDOWS
Hm, no more question?

Contacting the Author
If you have any bugs to report, suggestions, or anything much else really,
you can e-mail:


> Hi, there,
> I am very interested in flashing the etherboot code into the AWARD BIOS
> chip on a GIGABYTE mainboard. But as I can learn from the previous
> discussions, there is a question of local boot, because the BIOS runs
> etherboot code immediately after itself without trying floppy or HDD
> In this case, I might have to take a risk of un-bootable if errors
> in etherboot codes building. How can I avoid this risk?

This Mail was sent to netboot mailing list by:
"jyllyj" <>
To get help about this list, send a mail with 'help' as the only string in
it's body to If you have problems with this list,
send a mail to

For requests or suggestions regarding this mailing list archive please write to