1 ; **************************************************************************** 2 ; CACABOOT.ASM - ROMBIOS hacking by Erdogan Tan 3 ; ---------------------------------------------------------------------------- 4 ; Special fd boot sector for ROMBIOS (Int 13h etc.) (reverse bios engineering) 5 ; ((for TRDOS 386 v2 project, for SATA,USB disk functions in protected mode)) 6 ; ---------------------------------------------------------------------------- 7 ; Beginning & Last Update: 19/01/2024 8 ; ---------------------------------------------------------------------------- 9 ; Assembler: NASM version 2.15 10 ; ---------------------------------------------------------------------------- 11 ; nasm cacaboot.s -l cacaboot.lst -o CACABOOT.BIN -Z error.txt 12 ; ---------------------------------------------------------------------------- 13 ; Assembled/Compiled boot sector must be copied to fd0 sector 0 (bootable fd) 14 ; **************************************************************************** 15 16 ; Modified from gagaboot2.s (09/11/2020) - GAGABOOT v2 - 17 18 19 [BITS 16] 20 [ORG 7C00h] 21 22 00000000 EB01 jmp short BS_01 23 00000002 90 nop 24 BS_01: 25 00000003 8CC8 mov ax, cs 26 00000005 8ED8 mov ds, ax 27 00000007 8EC0 mov es, ax 28 29 00000009 FA cli 30 0000000A 8ED0 mov ss, ax 31 0000000C BCFEFF mov sp, 0FFFEh 32 0000000F FB sti 33 34 ; Display program name and version ! 35 00000010 BE[4801] mov si, program_info 36 00000013 E8A000 call print_msg 37 BS_02: 38 00000016 30E4 xor ah, ah 39 00000018 CD16 int 16h 40 0000001A 3C0D cmp al, 13 ; ENTER 41 0000001C 7409 je short BS_04 42 0000001E 3C1B cmp al, 27 ; ESC 43 00000020 7400 je short BS_03 44 BS_03: 45 00000022 E88800 call beep 46 00000025 EBEF jmp short BS_02 47 BS_04: 48 00000027 BB0010 mov bx, 1000h 49 0000002A 8EC3 mov es, bx ; buffer segment 50 51 0000002C BE[0E01] mov si, writing_vectors 52 0000002F E88400 call print_msg 53 54 ; copy interrupt vectors (0 to 127) 55 ; to the buffer 56 ;push ds 57 00000032 31F6 xor si, si 58 ;mov ds, si 59 00000034 29FF sub di, di 60 00000036 FA cli 61 00000037 B90001 mov cx, 256 62 0000003A F3A5 rep movsw 63 0000003C FB sti 64 ;pop ds 65 66 0000003D B80100 mov ax, 1 67 00000040 31DB xor bx, bx 68 ; es = buffer segment, 1000h 69 00000042 E88E00 call fd_write 70 00000045 7312 jnc short BS_07 71 BS_05: 72 ; error 73 00000047 BE[F600] mov si, error_msg 74 0000004A E86900 call print_msg 75 BS_06: 76 0000004D BE[B901] mov si, reboot_msg 77 00000050 E86300 call print_msg 78 79 00000053 31C0 xor ax, ax 80 00000055 CD16 int 16h ; BIOS Service func ( ah ) = 0 81 ; Read next kbd char 82 ; AH-scan code AL-char code 83 00000057 CD19 int 19h ; Reboot 84 BS_07: 85 00000059 BE[D601] mov si, msg_ok 86 0000005C E85700 call print_msg 87 88 ; copy rombios (64KB) 89 ; to the buffer 90 0000005F 1E push ds 91 00000060 BE00F0 mov si, 0F000h ; 19/01/2024 92 00000063 8EDE mov ds, si 93 00000065 31F6 xor si, si 94 00000067 31FF xor di, di 95 00000069 B90080 mov cx, 32768 96 0000006C F3A5 rep movsw 97 0000006E 1F pop ds 98 99 0000006F BE[3001] mov si, writing_rombios 100 00000072 E84100 call print_msg 101 102 00000075 31DB xor bx, bx 103 00000077 B80200 mov ax, 2 ; sector 2 104 0000007A B180 mov cl, 128 ; 128 sectors 105 BS_08: 106 0000007C E85400 call fd_write 107 0000007F 72C6 jc short BS_05 108 00000081 FEC9 dec cl 109 00000083 7407 jz short BS_09 110 00000085 81C30002 add bx, 512 111 00000089 40 inc ax 112 0000008A EBF0 jmp short BS_08 113 BS_09: 114 ;mov si, msg_ok 115 ;call print_msg 116 117 ; 19/01/2024 118 ; copy BIOS data area 119 0000008C 31DB xor bx, bx 120 0000008E 8EDB mov ds, bx 121 00000090 BE0004 mov si, 0400h 122 00000093 29FF sub di, di 123 00000095 B90001 mov cx, 512/2 124 00000098 F3A5 rep movsw 125 0000009A 0E push cs 126 0000009B 1F pop ds 127 128 0000009C B88200 mov ax, 130 ; sector 130 129 130 0000009F E83100 call fd_write 131 BS_14: 132 000000A2 BE[D601] mov si, msg_ok 133 000000A5 E80E00 call print_msg 134 135 000000A8 E80200 call beep 136 137 000000AB EBA0 jmp short BS_06 138 139 beep: 140 000000AD B007 mov al, 07h 141 000000AF B40E mov ah, 0Eh 142 000000B1 B700 mov bh, 0 143 000000B3 CD10 int 10h 144 000000B5 C3 retn 145 146 print_msg: 147 000000B6 AC lodsb ; Load byte at DS:SI to AL 148 000000B7 20C0 and al, al 149 000000B9 7417 jz short BS_11 ; If AL = 0 then stop 150 151 000000BB B40E mov ah, 0Eh 152 000000BD BB0700 mov bx, 07h 153 000000C0 CD10 int 10h ; BIOS Service func ( ah ) = 0Eh 154 ; Write char as TTY 155 ; AL-char BH-page BL-color 156 000000C2 EBF2 jmp short print_msg 157 158 BS_10: 159 000000C4 FE0E[F500] dec byte [RetryCount] 160 000000C8 7408 jz short BS_11 ; cf = 1 161 162 ; Reset disk system 163 000000CA 50 push ax 164 000000CB 30E4 xor ah, ah 165 ;mov dl, 0 166 000000CD CD13 int 13h 167 000000CF 58 pop ax 168 000000D0 7306 jnc short BS_12 169 BS_11: 170 000000D2 C3 retn 171 172 fd_write: 173 ; Only for FAT12 Floppy Disks 174 175 000000D3 C606[F500]07 mov byte [RetryCount], 7 176 BS_12: 177 000000D8 51 push cx 178 000000D9 50 push ax ; PHYSICAL ADDRESS CALCULATION 179 000000DA B112 mov cl, 18 ; Sectors per track 180 000000DC F6F1 div cl 181 000000DE 88E1 mov cl, ah ; Sector (zero based) 182 000000E0 FEC1 inc cl ; To make it 1 based 183 ; AL=cyl, AH=head, CL=sector 184 000000E2 29D2 sub dx, dx 185 000000E4 D0E8 shr al, 1 186 000000E6 80D600 adc dh, 0 187 000000E9 88C5 mov ch, al 188 189 000000EB B80103 mov ax, 0301h 190 000000EE CD13 int 13h ; BIOS Service func ( ah ) = 3 191 ; Write disk sectors 192 ; AL-sec num CH-track CL-sec 193 ; DH-head DL-drive ES:BX-buffer 194 ; CF-flag AH-stat AL-sec read 195 000000F0 58 pop ax 196 000000F1 59 pop cx 197 000000F2 72D0 jc short BS_10 198 000000F4 C3 retn 199 RetryCount: 200 000000F5 07 db 07h ; Filler 201 error_msg: 202 000000F6 0D0A db 0Dh, 0Ah 203 000000F8 4469736B2057726974- db "Disk Writing Error!" 203 00000101 696E67204572726F72- 203 0000010A 21 204 0000010B 0D0A00 db 0Dh, 0Ah, 0 205 206 writing_vectors: 207 0000010E 0D0A db 0Dh, 0Ah 208 00000110 57726974696E672069- db "Writing interrupt vectors ..." 208 00000119 6E7465727275707420- 208 00000122 766563746F7273202E- 208 0000012B 2E2E 209 0000012D 0D0A00 db 0Dh, 0Ah, 0 210 211 writing_rombios: 212 00000130 0D0A db 0Dh, 0Ah 213 00000132 57726974696E672072- db "Writing rombios ..." 213 0000013B 6F6D62696F73202E2E- 213 00000144 2E 214 00000145 0D0A00 db 0Dh, 0Ah, 0 215 216 program_info: 217 00000148 0D0A db 0Dh, 0Ah 218 0000014A 43414341424F4F5420- db "CACABOOT v1 for ROMBIOS hacking by Erdogan Tan [19/01/2024]" 218 00000153 763120666F7220524F- 218 0000015C 4D42494F5320686163- 218 00000165 6B696E672062792045- 218 0000016E 72646F67616E205461- 218 00000177 6E205B31392F30312F- 218 00000180 323032345D 219 00000185 0D0A db 0Dh, 0Ah 220 00000187 0D0A db 0Dh, 0Ah 221 00000189 507265737320454E54- db "Press ENTER to continue or press ESC to exit." 221 00000192 455220746F20636F6E- 221 0000019B 74696E7565206F7220- 221 000001A4 707265737320455343- 221 000001AD 20746F20657869742E 222 000001B6 0D0A00 db 0Dh, 0Ah, 0 223 224 000001B9 0D0A reboot_msg: db 0Dh, 0Ah 225 000001BB 507265737320616E79- db "Press any key to reboot." 225 000001C4 206B657920746F2072- 225 000001CD 65626F6F742E 226 000001D3 0D0A00 db 0Dh, 0Ah, 0 227 228 000001D6 0D0A msg_ok: db 0Dh, 0Ah 229 000001D8 4F4B2E db "OK." 230 000001DB 0D0A00 db 0Dh, 0Ah, 0 231 232 000001DE 00 times 510 - ($ - $$) db 0 233 234 000001FE 55AA bootsignature: db 55h, 0AAh