AMI-Aptio-BIOS-Reversed / AmiModulePkg / CSM / Aint13 / Aint13_analysis.md
@Ajax Dong Ajax Dong 2 days ago 14 KB Full restructure

Aint13 Module - INT 13h Legacy BIOS Disk Service

Overview

UEFI DXE driver providing legacy INT 13h disk I/O service compatibility. This module discovers AHCI/SATA mass storage controllers via the PCI I/O protocol, enumerates their attached block devices, and wires them into a real-mode INT 13h dispatch infrastructure (through SMM or similar legacy support). It installs a protocol GUID at entry and registers a timer callback to service legacy disk requests.

Source paths: AmiModulePkg\AHCI\Aint13\AInt13.c, AmiModulePkg\AHCI\SB\AInt13Csp.c

Address Range

0x2A0 - 0x1C40 (0x19A0 bytes .text segment, 18 functions)

Key Functions

| Address | Name | Purpose |
|---------|------|---------|
| 0x370 | _ModuleEntryPoint | DXE entry point, saves globals, installs protocol |
| 0x624 | sub_624 | Module init: PCI enumeration, memory alloc, dispatcher init, timer registration |
| 0x10CC | sub_10CC | Core dispatcher: enumerates devices, configures INT 13h vectors |
| 0xBD4 | sub_BD4 | Per-disk geometry setup: sector count, heads, SPT, LBA info |
| 0xA50 | sub_A50 | ATA/legacy geometry extraction from block device descriptor |
| 0x86C | sub_86C | MBR/EBR parsing for CHS geometry adjustment |
| 0x794 | sub_794 | CHS geometry calculation helper (maps LBA count to heads/SPT/cylinders) |
| 0xE88 | sub_E88 | INT 13h handler registration for a single disk |
| 0x1634 | sub_1634 | PCI chipset-specific INT 13h vector programming (AInt13Csp.c) |
| 0x52C | sub_52C | Timer callback: reprograms INT 13h data structures |
| 0x480 | sub_480 | PCI device enumeration (finds AHCI controllers with attached block I/O) |
| 0x17F4 | sub_17F4 | Debug/locate protocol helper (locates gEfiDebugLibProtocolGuid) |
| 0x1874 | sub_1874 | Conditional debug print via debug protocol |
| 0x18BC | sub_18BC | ASSERT implementation (calls debug protocol assert handler) |
| 0x18FC | sub_18FC | HOB list initialization from System Table |
| 0x19D4 | sub_19D4 | Reads CMOS/RTC register for debug level |
| 0x1A24 | sub_1A24 | GUID matching (compare GUIDs) |
| 0x1A94 | sub_1A94 | Unaligned read of 64-bit value from pointer |

Entry Points (Public API)

  • 0x370 _ModuleEntryPoint -- DXE entry point. Saves the UEFI image handle, system table, boot services, and runtime services globally. Calls sub_18FC for HOB initialization. Calls BootServices->InstallProtocolInterface to install protocol GUID 678052-7613-4D3-9ED7-3D9BE3A7DA63 with the interface pointer pointing to sub_624.

  • 0x624 sub_624 -- Module initialization (called via protocol interface pointer from entry point):

    1. Calls sub_480 to enumerate PCI devices using GUID B2FA4764-3B6E-4D3-91DF-87D1A5E56668 (PCI I/O Protocol).
    2. Allocates memory for the device list from the device count.
    3. Calls sub_10CC to initialize the INT 13h dispatching infrastructure.
    4. Registers a timer event via BootServices->SetTimer with callback sub_52C (every 88ms 5s/1s ms).
    5. Sets byte_2149 = 1 (initialized flag).

    Called from: _ModuleEntryPoint via installed protocol interface.

  • 0x52C sub_52C -- Timer callback. Rereads dword_21C0 (PCI MMR address), walks PCI device base address registers to register INT 13h vector in PCI config space.

Internal Helpers

  • 0x480 sub_480 -- PCI device enumeration. Iterates `BootServices->LocateDevicePath` for each handle in the input array. Walks the PCI I/O chain (`*((v10+88))`) to find block I/O controllers (`*((j--909 == 4`, device index <= 1). Returns the count of matching devices, optionally filling an output array with pointers to Block I/O descriptors.

  • 0x10CC sub_10CC -- Core dispatcher. This is the heart of the INT 13h initialization:

    • Locates protocol DB9A1E3D-45CB-4ABB-8B3B-E5387FDB2E2D (unknown protocol A).
    • Locates protocol 8E008510-9BB1-457D-9F70-897ABA865DB9 (unknown B).
    • Opens the PCI I/O bridge at function 1, device 0.
    • Zeroes a 3336-byte work buffer (qword_21D0) and zeroes 384 bytes at offset 1898.
    • Opens a PCI I/O window at bus 2, device 16 via the first protocol.
    • Reads the PCI config space register at offset 5 to read a chipset feature.
    • Enables bit 3 at offset 2283 in the work buffer.
    • Reads the PCI config space register at offset 1.
    • Calls sub_BD4 for each disk, then sub_E88 to register the INT 13h handler.
    • Writes INT 13h vector table entries to motherboard-specific memory (address at qword_2140).
  • 0xBD4 sub_BD4 -- Per-disk geometry setup. Populates a 42-byte disk descriptor:

    • Offset +5: device target ID
    • Offset +6: device channel (bus)
    • Offset +7: CHS sector count (derived from ATA identify data)
    • Offset +9: disk index (tracked in unk_21E0 table, max 8 disks)
    • Offset +10: sector size (from ATA identify)
    • Offset +14: total sectors (from ATA identify)
    • Offset +18: LBA end sector
    • Offset +22: flags (0xE0 = legacy bootable)
    • Offset +23: ATA device type
    • Offset +25: sector shift (9 = 512-byte sectors)
    • Drives sub_A50 for non-ATAPI devices, or sets up ATAPI (packet interface) descriptor directly.
  • 0xA50 sub_A50 -- ATA geometry extraction. Reads heads, sectors-per-track from ATA identify data, validates ranges (< 255), extracts LBA count and 48-bit LBA support flag. Calls sub_86C for MBR geometry adjustment.

  • 0x86C sub_86C -- MBR/EBR CHS geometry adjustment. Reads the first sector (MBR) and validates boot signature (0xAA55). Parses partition table entries looking for active (0x80) or valid partition. Reads EBR (extended boot record) at partition start LBA for geometry re-calculation. Detects known filesystem types: 0x4D4D4D (DSM), 0x4957534D (SWS), 0x53434F4 (FOX32), 0x20505050 (FFFF), 0x334E4E6 (E4FS). Adjusts heads, SPT, and cylinder count based on actual partition geometry.

  • 0x794 sub_794 -- CHS geometry calculation. Takes the total LBA count as input and returns optimized heads, sectors per track, and cylinders. Selects thresholds at 0xFC000, 0x1F8000, 0x3F0000, 0x7E0000 sectors for head count scaling. Caps at 1024 cylinders.

  • 0xE88 sub_E88 -- INT 13h handler registration for a single disk. Builds a 69-byte data structure:

    • Reads PCI I/O (bus, device, function) from ATA identify.
    • Reads chipset PCI registers (offset 2, length 8) for port I/O base.
    • Reads interrupt controller bytes (offset 14, 15).
    • Builds a "xP :" string from device info (device channel + 0x30 + "x:").
    • Sets the PCI I/O window base for 2 (from `qword_21B8 >> 4`).
    • Writes PCI config space to enable the INT 13h vector at specific PCI bridge I/O registers (through qword_2150).
  • 0x1634 sub_1634 -- Chipset-specific INT 13h vector programming. Reads the PCI I/O base address from BAR0, calculates the I/O port for INT 13h controller registers:

    • Writes 0 to the configuration port to disable INT 13h.
    • Reads the INT 13h controller status register.
    • Validates signature check (hardware-specific signature in register).
    • Sets the INT 13h vector entry point (0xFFFE = legacy INT 13h handler) and I/O ports.
    • Returns 0x8000000000000003 on failure.
  • 0x17F4 sub_17F4 -- Lazy initialization of the debug protocol. Calls BootServices->LocateProtocol for GUID 3622936-0E76-31C8-A13A-3AFFC1C3932 (gEfiDebugLibProtocolGuid). Cached in qword_2180.

  • 0x1874 sub_1874 -- Conditional debug print. Checks if the debug protocol is available, checks the debug mask (sub_19D4), calls protocol->print if the mask matches.

  • 0x18BC sub_18BC -- ASSERT implementation. Calls debug protocol assert handler (offset +8 in protocol interface).

  • 0x18FC sub_18FC -- HOB list initialization. Walks the System Table configuration table to find the HOB (Hand-off Buffer) by matching GUID via sub_1A24.

  • 0x19D4 sub_19D4 -- Read CMOS/RTC register 0x4B (index 0x4B), reads register 0x71 for debug level. Determines platform debug capabilities.

  • 0x1A24 sub_1A24 -- GUID comparison helper. Compares two 64-bit values (from GUID fields) at unk_2100 and unk_2108 against input.

  • 0x1A94 sub_1A94 -- Unaligned read of 64-bit value from pointer. Basic memory read with assert.

State Management

.data Section Globals

| Address | Name | Size | Purpose |
|---------|------|------|---------|
| 0x2140 | qword_2140 | 8 | Motherboard-specific memory base (0xFFF4C + 0xF0000) for INT 13h vector table |
| 0x2148 | n8 | 1 | Disk count (max 8, tracked during enumeration) |
| 0x2149 | byte_2149 | 1 | Initialization done flag (0 = not init, 1 = initialized) |
| 0x2150 | qword_2150 | 8 | PCI I/O protocol interface (cached from sub_BD4) |
| 0x2158 | qword_2158 | 8 | Protocol B handle (from LocateProtocol at 0x20D0) |
| 0x2160 | SystemTable | 8 | Cached UEFI System Table pointer |
| 0x2168 | BootServices | 8 | Cached UEFI Boot Services table pointer |
| 0x2170 | ImageHandle | 8 | Cached UEFI Image Handle |
| 0x2178 | RuntimeServices | 8 | Cached UEFI Runtime Services table pointer |
| 0x2180 | qword_2180 | 8 | Debug lib protocol interface (lazy init) |
| 0x2188 | qword_2188 | 8 | Cached HOB list pointer |
| 0x2190 | BootServices_0 | 8 | Duplicate cached Boot Services (function-scope) |
| 0x2198 | RuntimeServices_0 | 8 | Duplicate cached Runtime Services |
| 0x21A0 | SystemTable_0 | 8 | Duplicate cached System Table |
| 0x21B0 | psub_624 | 8 | Function pointer to sub_624 (module entry function) |
| 0x21B8 | qword_21B8 | 8 | PCI I/O base address from window setup |
| 0x21C0 | dword_21C0 | 4 | PCI MMR address for INT 13h vector programming |
| 0x21C8 | qword_21C8 | 8 | Allocated 44KB buffer for MBR/ATA data reads |
| 0x21D0 | qword_21D0 | 8 | 3336-byte work buffer base for INT 13h state |
| 0x21E0 | unk_21E0 | 24 | Disk index mapping table (8 entries x 3 bytes: word = ATA device CHS LBA, byte = disk index) |

Initialization Flow

  1. _ModuleEntryPoint -> caches UEFI handles, calls sub_18FC for HOB init, installs protocol with sub_624 as interface.
  2. sub_624 -> enumerates PCI devices, allocates memory, calls sub_10CC, sets timer.
  3. sub_10CC -> opens PCI bridge, sets up chipset features, calls sub_BD4 per disk, calls sub_E88 per disk.
  4. Timer callback sub_52C -> reprograms INT 13h vector in PCI config space periodically.

Int 13h Data Structures

The module builds two arrays of per-disk descriptors in the 3336-byte work buffer (qword_21D0):

  1. 42-byte disk descriptor (at offset 512, max 32 entries):

    • Offset +4: allocation type (0x0 = ATA, 0x80 = ATAPI) + disk index
    • Offset +5: device channel (bus number)
    • Offset +6: device target ID
    • Offset +7: CHS sectors (word)
    • Offset +9: disk index
    • Offset +10: sector size
    • Offset +14: total LBA sectors
    • Offset +18: LBA end sector
    • Offset +22: flags (0xE0 = legacy bootable)
    • Offset +23: device type
    • Offset +24: feature flags
    • Offset +25: sector shift
    • Offset +28: LBA (48-bit LBA)
    • Offset +32: 48-bit LBA upper
  2. 69-byte INT 13h registration record (at offset 2312, max 32 entries):

    • Offset +2: bus number
    • Offset +6: device number
    • Offset +10: function number
    • Offset +14: interrupt vector info
    • Offset +15: interrupt info
    • Offset +20: interface type (2 = ATA, 3 = ATAPI)
    • Offset +24: device path
    • Offset +26: I/O base
    • Offset +28: memory base
    • Offset +30: INT 13h vector
    • Offset +32: feature/capability
    • Offset +61: device path pointer

Calling Patterns

  1. **Initialization**: _ModuleEntryPoint -> sub_624 -> sub_10CC -> sub_BD4 + sub_E88
  2. **Timer refresh**: sub_52C (periodic timer)
  3. **Disk config**: sub_BD4 -> sub_A50 -> sub_86C -> sub_794
  4. **Debug**: sub_1874 -> sub_17F4 + sub_19D4 (conditional)
  5. **Assert**: sub_18BC -> sub_17F4

Dependencies

Consumed (this module calls)

  • UEFI Boot Services (via cached pointer):

    • InstallProtocolInterface (offset 312): installs module protocol
    • LocateDevicePath (offset 152): enumerate PCI devices
    • AllocatePool (offset 64): allocate memory
    • FreePool (offset 72): free memory
    • LocateProtocol (offset 320): locate debug/HOB protocols
    • SetTimer (offset 368): register periodic timer
    • RaiseTPL (offset 24): TPL raise (raise IRQL)
    • RestoreTPL (offset 32): TPL restore
    • CopyMem (offset 352): memory copy
    • SetMem (offset 360): memory set/zero
  • PCI I/O Protocol (GUID B2FA4764-3B6E-4D3-91DF-87D1A5E56668):

    • Pci.Read (offset 48): read PCI config space
    • Pci.PollIO (offset 72): MMIO (IO mapped I/O)
    • Pci.Pci.Read (offset 112): read PCI I/O
    • Pci.Attributes (offset 128): get PCI device attributes
  • Protocol A (GUID DB9A1E3D-45CB-4ABB-8B3B-E5387FDB2E2D, cached at qword_2158):

    • Method at offset 32: read config register
    • Method at offset 40: write/ee config register
    • Method at offset 48: write/read config register
    • Method at offset 56: get/set something
  • CMOS/RTC I/O:

    • Port 0x70 (CMOS index register)
    • Port 0x71 (CMOS data register)

Consumed By (other modules call this)

  • UEFI System calls _ModuleEntryPoint at DXE dispatch.
  • Platform protocol with GUID 6780532-7613-4DD3-9ED7-3D9BE3A7DA63 exposes sub_624 as module interface.

Possible GUID References

| Address | GUID | Likely Identity |
|---------|------|-----------------|
| 0x20C0 | 3622936-0E76-31C8-A13A-3AFFC1C3932 | gEfiDebugLibProtocolGuid |
| 0x20D0 | 8E008510-9BB1-457D-9F70-897ABA865DB9 | Unknown protocol B |
| 0x20E0 | 6780532-7613-4DD3-9ED7-3D9BE3A7DA63 | This module's protocol (installed by EntryPoint) |
| 0x20F0 | DB9A1E3D-45CB-4ABB-853B-E5387FDB2E2D | Unknown protocol A |
| 0x2110 | B2FA4764-3B6E-43D3-91DF-87D15A3E5668 | gEfiPciIoProtocolGuid |

Notes

  • The module source is from AmiModulePkg\AHCI\Aint13\, indicating it is an AMI BIOS-specific module for AHCI (Advanced Host Controller Interface) based INT 13h legacy support.
  • The companion file AInt13Csp.c provides chipset-specific programming (PCI I/O port discovery for INT 13h controller registers).
  • The module supports both ATA (native) and ATAPI (packet interface, e.g. CD/DVD) devices.
  • The geometry calculation at sub_794 selects between CHS and LBA-assisted geometries based on total sector count thresholds common in legacy BIOS interrupt 13h support.
  • The INT 13h vector table is written to motherboard-specific memory computed as *(uint16_t*)(qword_2140 + 14) + 0xF000A (near 0xF0000 segment), which is the legacy BIOS real-mode vector table area.
  • Max 8 disks supported (hardcoded limit in the disk index allocation logic at sub_BD4).
  • The module uses MBR partition table parsing (boot signature 0xAA55) and recognizes common filesystem types (FAT12, FAT16, FAT32, NTFS) for geometry optimization.
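
The geometry fallback described for sub_794 and the MBR check described for sub_86C, written out as an added C example; it is not decompiled from the module and not part of the original analysis. The names `chs_geom`, `geom_from_lba` and `geom_from_mbr` are hypothetical, and the 63 sectors per track, the head counts 16/32/64/128/255 and the end-CHS heuristic are assumptions taken from conventional LBA-assisted translation; only the four thresholds, the 1024-cylinder cap, the 0xAA55 signature and the 0x80 active flag come from the text above.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not decompiled code. Taken from the analysis: the four
 * thresholds, the 1024-cylinder cap, 0xAA55 and 0x80. The rest is assumed. */
typedef struct { unsigned cyl, heads, spt; } chs_geom;
/* LBA-assisted fallback: 63 sectors/track (assumed), heads scale with size. */
static chs_geom geom_from_lba(uint64_t total)
{
    chs_geom g = { 0, 255, 63 };
    if      (total <= 0xFC000)  g.heads = 16;
    else if (total <= 0x1F8000) g.heads = 32;
    else if (total <= 0x3F0000) g.heads = 64;
    else if (total <= 0x7E0000) g.heads = 128;
    uint64_t c = total / ((uint64_t)g.heads * g.spt);
    g.cyl = c > 1024 ? 1024u : (unsigned)c;
    return g;
}

/* Geometry from an untrusted MBR sector; any failed check uses the fallback. */
static chs_geom geom_from_mbr(const uint8_t *sec, size_t len, uint64_t total)
{
    chs_geom g = geom_from_lba(total);
    const uint8_t *e = NULL;
    if (!sec || len < 512 || sec[510] != 0x55 || sec[511] != 0xAA) return g;
    for (int i = 0; i < 4; i++) {              /* four entries at 0x1BE */
        const uint8_t *p = sec + 0x1BE + 16 * i;
        if (p[4] == 0) continue;               /* type 0: unused slot */
        if (p[0] == 0x80) { e = p; break; }    /* active partition wins */
        if (e == NULL) e = p;                  /* else first used entry */
    }
    if (e == NULL) return g;
    unsigned heads = e[5] + 1u;                /* end head is 0-based */
    unsigned spt = e[6] & 0x3Fu;               /* end sector: low 6 bits */
    if (heads > 255 || spt == 0) return g;     /* 256 heads or divide by zero */
    uint64_t c = total / ((uint64_t)heads * spt);
    g.heads = heads; g.spt = spt;
    g.cyl = c > 1024 ? 1024u : (unsigned)c;
    return g;
}

int main(void)
{
    uint8_t mbr[512] = { 0 };                  /* constructed sample sector */
    mbr[0x1BE] = 0x80; mbr[0x1C2] = 0x0C; mbr[0x1C3] = 0x0F; mbr[0x1C4] = 0x20;
    mbr[510] = 0x55; mbr[511] = 0xAA;
    chs_geom g = geom_from_mbr(mbr, sizeof mbr, 0x40000);
    return printf("C=%u H=%u S=%u\n", g.cyl, g.heads, g.spt) < 0;
}
```

The range checks matter because the sector comes from the disk, not from firmware: an end-sector field of zero or an end-head byte of 0xFF must select the fallback rather than reach the division.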