For someone claiming to not know x86 assembly you did great :-)

@0:15 Oh look, it's the famous 486X3D CPU :D

Great job. Nice to see you tip your toes in Assembly language.

Very nice logical fix from someone who claims not to know any assembly. Give yourself a pat on the back mate, really enjoyed watching this one.

Im actually surprised with how clean the modified function was done GREAT job at fixing the bios though 👍

Ok, new challenge: You know for sure that modbin can calculate a new checksum. It does so when saving the file. Can you mod modbin so that instead of showing an error, it just fixes the checksum?

such convoluted code to make it always display 256K... at address 02510 they could have simply changed the "mov cl,al" to a "mov cl,5"... no need to make extra functions or change jumps.

Great job. Now you can claim to know some x86 assembly. 😊 Also explained really well.

based on what I've learned in 6502 assembly, I'd search for the "cache memory" string like you did, but then I would take note of the memory location and then search for that memory location being referenced. That would get you that mov instruction. I could then look at the code at the address of the call immediately after it.

Daumen hoch! Nicht schlecht Herr Specht würde ich sagen.

Great Vid , this brings back great memories really enjoyable!

The checksum check is actually quite simple. All that is done is to add up all bytes in the ROM and test if the result is zero. So you basically have to set the last byte of the ROM (or any other unused byte) to 256 - [sum of all the other bytes]. That's all.

That MODBIN tool is clearly able to fix the checksum. If only I had time, I could crack it to do just that.

Потрясающая работа! Amazing Work!

Really great job and very interesting. I do low--level bootloaders for embedded ARM based products, which are less complicated (less peripherals to handle), but it is funny that such simple checksums were deemed adequate back then. Really curious on stuff such as the Energy Star logo ... is that stored in the BIOS image as well, and how would this be rendered?

The issue you might run into with decode is you need to tell it where to start. IE that text at the top is not instructions, so decoding starting at byte 0 will give 1 set of instructions, but decoding starting with byte 1, will give you a completely different set of instructions. This is because instructions are variable length, so the disassembler may not align with the beginning of an instruction.

A small hint that could've helped avoid some work/uncertainty: strings will often end in a 0 byte, so at 0x20 0x00 at the end of the cache memory was very likely not an instruction and it was definitely starting instruction decoding with an instruction at the 0x00, and it's unsure when a disassembler will happen to fall in line with the instructions, if it ever would. Lots of little patterns like that to figure out over time. Kinda wacky it checks for if it's 5 just to set it to 5. Not even well-coded lies. :p

Put the fixed BIOS into retroweb.

Thanks for sharing your knowledge

I am pretty sure that the checksum at the very bottom of the bios code is not there as any sort of copy protection but probably as a way to verify that all bytes were written to rom correctly. Its either used as a verification during boot or probably during write when doing a update.

The DF00 ruintine can be eliminated completely. Just replace the call with 9e23.

@BitsUndBolts Well done good sir! Now just install 512k of cache and 64MB of RAM and call that board good!

At around 18:00 the reads and writes are to ports 0x70 and 0x71 and to port 0xE1. I/O ports 0x70 and 0x71 are used to read and write data from/to the CMOS RAM. Writing to port 0x70 causes whatever is put on the databus (in this case the contents of register AL) to be latched in the CMOS RAM address register. The CMOS RAM address selected is 0x3a. Bit 7 is set to disable the NMI circuitry. (this results in the NMI, or non-maskable interrupt being masked). The read from port 0x71 reads whatever value is stored at address 0x3a in the CMOS RAM. The venerable I/O port listing from Ralf Brown's Interrupt list does not document this CMOS RAM location for Award BIOSes, but it does document the next address, 0x3B, for which bit 0 is reported as enabling the external cache (or at least in configuration). I/O ports 0xe1, 0x22 and 0x23 (the ones in the routine directly following the one being examined) are all reported by the same I/O port listing as for reading and writing chipset data. However, my guess is that I/O port 0xe1 somehow deals with setting the cache size for the chipset (so it basically copies over the configuration setting in CMOS RAM over to the chipset). The or al, al right before the retn instruction makes sure the zero flag is set if the contents of al are zero. The conditional jump in the calling code (jne - jump-if-not-equal, aka as jnz - jump-if-not-zero) simply checks the zero flag and branches if it is not set. In other words, if whatever is returned in al by the function at 0xa8a0 is non-zero, it simply skips over the next stream of instructions, to addres 0x2433. Since at 0x2433 cl is loaded with the contents of al and then decremented. Then, ax is loaded with 0x10 (16 decimal) and ax then gets shifted to the left by cl bits. This value is then printed and a 'K' gets added after it. So if the return value (in al) was 1, the number of bits ax gets shifted to the left is zero, if it is 2, it gets shifted left by 1, etc. In other words: the value stored at 0x3a in the CMOS RAM tells us that we have 16*2^cl K of cache RAM. If it's 1, we have 16k; if it's 2 we have 32k, and so on. Ultimately what the hack at 0xDF00 in the v2 BIOS does is call the original routine (albeit at a different address) and if whatever the routine returns is not 5, it gets "corrected" to be 5 and the control is returned to the calling code.

Great deep dive with assembly. I’m still at ‘hello world’ 😂

lol I feel your pain. After a few years of watching youtube videos I feel like I finally am starting to understand 6502 assembly language. And assembly is unique to each CPU.

Very interesting how naive the original hack was. To check for matching 0x05 before replacing anything else with 0x05 shows a lack of understanding. A normal override for this would simply always replace whatever was there with 0x05. Replacing 0x05 with 0x05 is fine and would not do anything and thus only require a single line. Technically the hack could have been done without a new function also by exploiting the code that reduced the value from 0x05 to 0x04 before using it to shift. This could have simply loaded 0x04 directly, ignoring everything the call returned. Alternatively using the space for the shift operation as well we could simply load the desired 256 result.

You can't "decode" a string to anything useful, it's plain data, not CPU opcodes (operation codes), you need to find the code that make use of that data. You can see that the hex values for those "instructions" are actually the letters in your string (grab an ASCII chart and check). You're actually very lucky you found the reference immediately after the string, this is often not the case.

There is a really great tool called Compiler Explorer, wich you should try out if you want to learn more about assembly. Also assembly really isnt to complicated to read. There is the mnemonic, which represents the type or operation the instruction performs and then there are the operands, which are either registers or memory locations.

Hi, if you want to to dig deeper into reverse engineering, than I would recommend tools like the free Ghidra, the free version of Binary Ninja or the free version of IDA Pro.

Amazing job

Great explanation. I never touched a BIOS but on my to-do list is to mod a BIOS for a motherboard to be Win2k compliant and to accept HDDs larger than 8G. Is there a cache capacity that is right for a certain memory size? I remember that on my 486, having 512K cache, the computer was slower with 4M RAM than with 32M RAM. Not sure if I remember correctly.

Very interesting!

once you quit I'm like......wait you didn't fix the bios for the checksum. One of many reasons why I wouldn't mess around with a bios.

definitely i'll have to watch it again! :)

There are plenty of comments about the redundant code at 0xDF00, but can we take a second to mention the code that decrements cl before using it to shift al (which was just loaded with 0x0010). If al was loaded with 0x0008 instead the dec would not be required. dec uses 3 clock cycles, where-as the shl uses 8+4-per-bit cycles, so the dec is one cycle quicker I guess _shrug_

The modified routine that checks if the value matches 0x05 and then sets it if it doesn't, would it not have been simpler (and very slightly more efficient) just to set the value without checking it since this would save a few clock cycles? I get the way they've done it seems a "better way" but in terms of efficiency it achieves nothing. Anyone else manage to follow this a lot better as you've too watched Ben Eater's various tutorial videos? And if you haven't you 100% should!

Making it show 32M cache was awesome. Next level awesome would be to make it show, instead of 256K or any value, the text "FRAUD". Ultimate level awesome would be to make it display, instead of "DEEP GREEN PC BIOS", "DEEP FRAUD PC BIOS", with the original false 256K cache display.

In the hacked BIOS, what's the point of checking if AL was 0x05 only to set it to 0x05 if it wasn't? The only reason I can see this process at 0xDF00 being useful, is if the returned flags can be used to tell if AL was originally 0x05 (ZF=1) or if it was hacked to 0x05 (ZF=0).

Very Interesting on finding the bypass. But I have to say it was humorous watching your naive understanding of assembly. There is a difference between code and strings, most of what you were trying to decode were strings which would give you undecodable gibberish -- because it is not code! Basically, the code was really had a jump over a string of characters "Cache Memory : " then an instruction to load the beginning of the string into register SI, then a call to a pair of subroutines to output that. Finally a routine to blank register AL and figure out cache size and then the bypass that you found that calls the real routine and then bumps the al to 5 (256K) if the cache is actually 0.

I was wondering if you had any suggestion from your video (Voodoo VGA Loop Cable Repair) I left a message there too. I am looking to repair vga loose wire on my wacom cintiq 21 UX monitor. And was looking for any suggestions. Thanks

I had a dream once that my BIOS was made by Apogee

Incredible!

What do you use to capture the screen of the 486 pc?

wait......bits UND bolts? I've thought this whole time it was bits and bolts. lol

I don't understand why the pirate patched bios checks for 05hex after the original code is called by the new routine. Call the original code to preserve the hardware behavior then load 05h on the register and return. Check the original value to to skip is a utterly moot point.

Good job man :)

oh no not a bin file. well done. dir/w/p

I'll need another watch of this or two :D

awesome

try Ghidra to reverse engineer - you can even decompile it into pseudo code which will help you understand whats going on

You should use a diff program to compare the two bios.

If you want help with that checksum, assuming its crc should be pretty easy to fix the checksum

Speedsys shows Y2K bug in BIOS, why not fix this and upload it as version 2.1 or v3?

Is it just someones joke? And does it affect any software for real, or just a POST gimmik?

the lefthand address was 24ce yes

I've often wondered what would happen if you replaced RAM with cache. Of course now days it's not that big of a deal. RAM is actually faster than CPUs now. They have 10ghz ram now!! it's insane.

I'm curious what the maximum value is that you could fake for the cache, without crashing or whatever.

Well, it worked. My criticism would be that just because the computer is from ~1995, you didn't have to behave like you were also in 1995. IDA or Ghidra would have been more appropriate tools

Haha, I was checking out a PCChips M507 motherboard, with fake cache chips. So fake that they are even poorly soldered. I thought someone had tried to increase the cache and had made a mess, what could I do to fix it? But then I saw that the lines didn't go anywhere, and then reading about this motherboard, I understood what a scam that cache was.

can you not edit the code directly in the disassembly mode?

I wonder if we could change the name of the bios to be a personalized name?

36:10 Surely that was kilobytes? 🙂

Its looks as though 24CE is writing the text to the screen to me. 24CE inc bx inc = increment bx is the function jump through the function until something (without the function its impossible to know what), so probably write the characters until the : Just a guess though, like you, I know VERY little about ASM 😆 Edit: I swear I don'y know yet (I'm at 8 minutes right now) but I'm guessing [si] is the variable/register/Idontknowassemblyterms that calculates or stores the cache. I guessing this because it gets "and"ed to what I think is the screen write function.....

Is this a modern thing (as i people selling crap ro collectors) or a historical issue meaning my 486 i was running back in they day may never have had 256kb cache?

32 Mb of cache... Seems like you gave it a bit of a modern chip there for a brief moment. Seeing as you theoretically can install Windows 95 in the cache alone if it was supported on some chips.

DEC is "decrement"

why am I watching this, some guy getting scammed in 1995

Very nicely explained! The original patch seems pretty damn stupid, patching in another function to return 5 instead of just replacing the call with a mov al, 5. Unless there is a consequence of not checking the cache size. Even then the compare in the patch is redundant. 😂

Assembly language of x86/AMD64 is a disaster. One of the messiest out there. Over the years I got to know it pretty well and I wouldn't recommend it for someone just starting to learn asm. I wouldn't recommend any CISC for that purpose. RISC architerctures like MIPS, AArch64 (64 bit ARM; 32 bit is a little bit messy too), RISCV, etc., are much better starting point. 8-bit microcontrollers are good for learning too.

They were a bit wasteful with their code! If you are going to always change AL to 0x05 then why check it's 0x05 after the return from the original code at all? No point checking if AL is 0x05 and skipping changing it if it is, that makes more code, not less. They should have just called the original routine then set AL to 0x05 before returning to the calling routine.

32Mb of cache!? That's L3 a Ryzen 3900X) 🤣

wow you know something sucks when I'm calling it out in a language I know nothing about. first it compares then it returns if if it's fine. Otherwise it sets it equal, then it returns. Why doesn't it just set it equal and return? lol completely redundant code.