Friday, May 25, 2007

The book that I wrote - BIOS Disassembly Ninjutsu Uncovered

Read the latest availability update for this book in this post

This is the first ever book that I wrote. It's roughly 500 pages long. I'll talk more about it later. For now, you can order it at, in the following URL:

The Russian version of this book will be available in August this year. My chief editor said that the translation has been finished and they are working on the printing subsequently ;-).
Advertising of the Russian version of the book is at

Anyway, the open discussion regarding the book contents is open now.

I would like to thank Mr. David Feustel for his review on this book. Mr. Feustel described an issue that he face as follows:

This book and its cdrom are
heavily Microsoft Windows-centric.
Doing things with the files on the cdrom
using linux or *bsd instead of Microsoft
Windows, while not difficult, will be
accompanied by a certain amount of pain
as the doer massages file formatting to
make the files work with the gcc
toolchain. It's even worse in my case
since I am running 64-bit OpenBSD and I
can't run any 32-bit software (eg Fasm)
on the 64-bit version of OpenBSD.

This issue, particularly the fasm issue that might be faced by other Unix users, can be resolved easily by using the suitable version of Fasm which can be downloaded at To do so, download the Unix version of Fasm (flat assembler 1.67.21 for Unix/libc) and then use it as a replacement for the Fasmw mentioned in the book.

I'll try to evaluate another issues regarding Unix compatibility of the source code in the book when I have enough time quite soon.

Recently, I've been contacted by numerous people asking about the bios_probe source code from my book (BIOS Disassembly Ninjutsu Uncovered).

Here's what I have to say:

First, to be honest with you, the original source code is included in the accompanying CDROM. I think the megaupload link has long been dead.

Second, bios_probe development has been stopped for a while because I have made a replacement utility called winflashrom which is a remake of the bios_probe with a significantly different architecture and updated chip support. winflashrom source code is available for download in the following link:

Third, it has been almost a year since the last time I updated winflashrom. Therefore you have quite a lot of homework to do if you want leading edge motherboard support.

Anyway, about bios_probe and flash_n_burn. Both of them used to be derived from the very same code base, i.e. the flash_n_burn utility which comes from the first LinuxBIOS source code. FYI, the LinuxBIOS project has been renamed to Coreboot, a while ago. So, this bios_probe was derived from the very old LinuxBIOS utility to flash BIOS in Linux and other *NIX.

When I joined Google Summer of Code (GSoC) in 2007, I dismissed the old bios_probe and start a new similar utility which then named winflashrom as the original flash_n_burn utility in the LinuxBIOS project was renamed to flashrom about a year or two before that.

So, if you want the brand new flash_n_burn, just go to the LinuxBIOS/Coreboot download site at and download it from the subversion repository. It should be in the utility directory after you downloaded the source code of LinuxBIOS/coreboot. Don't forget that now it has been renamed to
flashrom utility.

As for the Windows version which is now named winflashrom, it's available in the GSoC link above (DarmawanMappatutuSalihun.tar.gz). I haven't got the time to update this utility to support Windows Vista.

I have received the contract termination for the English edition of BIOS Disassembly Ninjutsu Uncovered. Please read this post for further details.
Post a Comment


Anonymous said...

Hi !!

Finally i'll get your book as my birthday gift :P

How are you?
You remember me, isn't it?

Greetings from Italy...

Lonely Wolf

Darmawan Salihun said...

Hi Lonely Wolf,
How can I forget you :P. I'd be stupid if I forget you. Really nice you like it as your birthday present. Stay tuned d00d.

Greetings from Indonesia...


Jon said...

Hi there I discovered your book after a search, and I want to buy it as I am very interested in low-level programming on the PC. I have done a little bit of VGA programming in Assembler language but I'm already getting angry at BIOS peripheral access like disk i/o (if a disk is a peripheral?) I really want to know how to have direct hardware access so I don't use the BIOS functions. I have some experience of the Interface adaptor on a Commodore 64 and wanted to work with hard-disk access in a similar fashion on the PC: I don't like using other people's software! :) Can you point me in the right direction please?

Darmawan Salihun said...

Hello Jon,

You can try accessing the IDE Port directly using ATA standard commands.
I don't remember the details, but primary IDE channel is accessible via
port 1F7h. This is sample reverse-engineered BIOS code:

E000:09BA Read_IDE_Param_Direct proc near
E000:09BA 1E push ds
E000:09BB 06 push es
E000:09BC 57 push di
E000:09BD 56 push si
E000:09BE 53 push bx
E000:09BF 51 push cx
E000:09C0 FF B6 E4 01 push word ptr [bp+1E4h]
E000:09C4 52 push dx
E000:09C5 BE 40 00 mov si, 40h ; '@'
E000:09C8 8E DE mov ds, si
E000:09CA assume ds:nothing
E000:09CA 33 F6 xor si, si
E000:09CC 80 FA 81 cmp dl, 81h ;
'A' ; is primary channel?
E000:09CF 0F 87 70 04 ja
skip_IDE_dev_detection ; jmp if secondary channel
E000:09D3 90 nop
E000:09D4 BA F7 01 mov dx, 1F7h
; primary channel IDE port
E000:09D7 2B D6 sub dx, si
E000:09D9 33 C9 xor cx, cx
E000:09DB loc_E09DB:
; CODE XREF: Read_IDE_Param_Direct+28
E000:09DB EC in al, dx
; AT hard disk
; status register bits:
; 0: 1=prev cmd error
; 2: Corrected data
; 3: Data Request. Buffer is busy
; 4: Seek completed
; 5: Write fault
; 6: Drive ready (unless bit 4=0)
; 7: Busy
E000:09DC E6 EB out 0EBh, al
E000:09DE A8 80 test al, 80h
E000:09E0 74 02 jz short loc_E09E4
E000:09E2 E2 F7 loop loc_E09DB

You can use google to search for ATA IDE standard documents.

Anonymous said...

Your book looks interesting, does it give instructions for patching BIOS through the serial port?

Darmawan Salihun said...

Patching the BIOS through the serial port is not explained in my book. It's an interesting subject but the page count is already closing to 700 pages back then and I have a limit of 450 pages to make. So, it's not included and I haven't done depth research on the subject as well.

frodolai said...

Could you point out where I can get a copy of flash_n_burn? The megaupload link you provided in the book doesn't exist. Thanks.


Darmawan Salihun said...

Hello all,

FYI, those interested in the flash_n_burn utility source code can download a very similar utility that I have created based on the architecture of the flash_n_burn. Flash_n_burn has been abandoned due to some compatibility problems. This new utility called winflashrom. It can be downloaded in the following link:

I hope this can help anyone interested ;-)

Darmawan Salihun said...

I have updated the post to clarify about flash_and_burn and bios_probe issues.

Anonymous said...


I want to buy "BIOS Disassembly Ninjutsu Uncovered" buy is out of stock.

Anybody knows where Can I buy It?


Darmawan Salihun said...

I'll contact my publisher about the current out-of-stock situation and ask them when probably the new stock will be available. Thanks for the info.

Anyway, Happy New Year :)

Kristi said...

Any update yet on the current Out-Of-Stock situation for 2009? I've been trying to snatch up used copies out there because everyone seems to be out of stock. Help? :-) Many folks in my Computer & Network Security Department are wanting a copy of your book. Thanks!

Darmawan Salihun said...

I've contacted my publisher but he hasn't replied again yet. The last information I have from him was he will be giving update on the last situation this weekend (circa 23-25 January 2009). However, I'm sure there will be another new batches for 2009. I will post it in the blog once this problem has been resolved.

Anonymous said...

Any updates on the availability of the book? I placed an order from Amazon on April 10, 2009, but they have not been able to get hold of any copies yet.

Also do you plan to make an electronic copy available for purchase, maybe for version 2? This way you can go over the page limits imposed by the publisher and you can even sell the book yourself. :-)

Darmawan Salihun said...

Well, some people are getting the book via eBay. I think it's used ones or those sitting on physical book stores which is not sold yet.
I'm on the way of terminating the contract with my publisher for the English version but so far no reply from my publisher. So, your best bet is the last printed copies.

Sure, the second edition will be self-published and probably will be sold on eBay or other payment methods which will be directly accessible for me who lives in Indonesia ;-).
I'm planning to write the second edition of the book in the next 2 years. Probably available on 2011 or late 2010. Not sure, I have a hell of a work right now.

Anonymous said...

Hello Darmawan,

I could not find the executable Windows port of FLASHROM.

What I found was here but there is no executable contained within:

Darmawan Salihun said...

Hello, you can build the executable with MinGW or Visual C++ in Windows. The driver code will be "lumped" into the executable as a resource. Read "winflashrom.rc" to see how this mechanism work.

BrianWaite said...


I'm interested in getting your book published sooner rather than later. Any interest in cooperating to get this done? I'm not sure exactly what arrangement would work for you, but let me know. I can come up with a proposal if you are interested.



Darmawan Salihun said...

Hello Brian, how can I contact you. I tried your website URL but it seems to be parked domain.

f said...

Hello, for everyone who's having problems compiling WINFLASHROM, I made it compile in DEVC++ and I attached a binary aswell.

Anonymous said...

This is a well written and very informative book. I learned things from it I never knew!

Thank you so much for writing it!!

You have a talent for explaining complex things in easygoing and plain language. Believe me -- that is rare.

My congratulations on an excellent book!


David Small

Darmawan Salihun said...

Hi David,

Thanks for the compliment :-).

Anyway, I'm currently working on the second edition of the book. If you want to know the latest developments, you can check at:

I have consolidated my "ramblings" on BIOS there.

Dmitriy said...

Help me please start winflashrom.
When compiling such errors:

C:\winflashrom\Debug\82802ab.o: In function `write_82802ab':
C:\winflashrom\82802ab.c:181: undefined reference to `protect_82802ab'
C:\winflashrom\Debug\am29f040b.o: In function `erase_29f040b':
C:\winflashrom\am29f040b.c:113: undefined reference to `toggle_ready_jedec'
C:\winflashrom\Debug\am29f040b.o: In function `write_sector_29f040b':
C:\winflashrom\am29f040b.c:69: undefined reference to `toggle_ready_jedec'
C:\winflashrom\Debug\am29f040b.o: In function `erase_sector_29f040b':
C:\winflashrom\am29f040b.c:46: undefined reference to `toggle_ready_jedec'
C:\winflashrom\Debug\jedec.o: In function `erase_sector_jedec':
C:\winflashrom\jedec.c:86: undefined reference to `toggle_ready_jedec'
C:\winflashrom\Debug\jedec.o: In function `erase_block_jedec':
C:\winflashrom\jedec.c:109: undefined reference to `toggle_ready_jedec'
C:\winflashrom\Debug\jedec.o:C:\winflashrom\jedec.c:133: more undefined references to `toggle_ready_jedec' follow
C:\winflashrom\Debug\jedec.o: In function `write_jedec':
C:\winflashrom\jedec.c:252: undefined reference to `protect_jedec'
C:\winflashrom\Debug\m29f400bt.o: In function `erase_m29f400bt':
C:\winflashrom\m29f400bt.c:71: undefined reference to `toggle_ready_m29f400bt'
C:\winflashrom\Debug\m29f400bt.o: In function `block_erase_m29f400bt':
C:\winflashrom\m29f400bt.c:89: undefined reference to `toggle_ready_m29f400bt'
C:\winflashrom\Debug\m29f400bt.o: In function `write_m29f400bt':
C:\winflashrom\m29f400bt.c:122: undefined reference to `write_page_m29f400bt'
C:\winflashrom\m29f400bt.c:129: undefined reference to `write_page_m29f400bt'
C:\winflashrom\m29f400bt.c:133: undefined reference to `write_page_m29f400bt'
C:\winflashrom\m29f400bt.c:137: undefined reference to `write_page_m29f400bt'
C:\winflashrom\m29f400bt.c:141: undefined reference to `write_page_m29f400bt'
C:\winflashrom\Debug\m29f400bt.o:C:\winflashrom\m29f400bt.c:171: more undefined references to `write_page_m29f400bt' follow
C:\winflashrom\Debug\mx29f002.o: In function `erase_29f002':
C:\winflashrom\mx29f002.c:70: undefined reference to `toggle_ready_jedec'
C:\winflashrom\Debug\mx29f002.o: In function `write_29f002':
C:\winflashrom\mx29f002.c:111: undefined reference to `toggle_ready_jedec'
C:\winflashrom\Debug\sharplhf00l04.o: In function `write_lhf00l04':
C:\winflashrom\sharplhf00l04.c:183: undefined reference to `protect_lhf00l04'
C:\winflashrom\Debug\sst28sf040.o: In function `erase_28sf040':
C:\winflashrom\sst28sf040.c:140: undefined reference to `toggle_ready_jedec'
C:\winflashrom\Debug\sst28sf040.o: In function `write_sector_28sf040':
C:\winflashrom\sst28sf040.c:100: undefined reference to `toggle_ready_jedec'
C:\winflashrom\Debug\sst28sf040.o: In function `erase_sector_28sf040':
C:\winflashrom\sst28sf040.c:76: undefined reference to `toggle_ready_jedec'
C:\winflashrom\Debug\sst_fwhub.o: In function `erase_sst_fwhub_block':
C:\winflashrom\sst_fwhub.c:60: undefined reference to `toggle_ready_jedec'
collect2: ld returned 1 exit status

winflashrom.exe - 23 error(s), 0 warning(s)