![[-]](https://www.bios-mods.com/forum/images/black/collapse.png "[-]")
06-30-2012, 11:08 AM
(06-28-2012, 04:01 PM)hspumanti Wrote:(06-28-2012, 09:52 AM)SST-P Wrote:(01-22-2012, 10:56 AM)hspumanti Wrote: I finally got my hands on a 2MB ROM I could work with. I used the NAWA1110 (v1.10) ROM which is for a Lenovo G455/G555 laptop for this effort. The string to search for in this case was "Unauthorized Wireless network card is plugged in. Power off and remove it". So after loading up the .ROM file in EZH2O, I brought up WinHex (which keeps crashing so it takes longer than it would otherwise) and searched for the Unicode string. Finding that I then searched UP for the Hex Values '4d5a'. Finding this I copied from here to the end of the data region where the string was found and saved it to 'something.exe'. Since I'm on a 64 bit system I can't use debug.exe, so I used PEBrowser64, which worked fine for what I was needing. Using PEBrowser64, I opened 'something.exe' and then opened the sections list on the left pane and dbl-clicked the '.text' section which brings up a limited disassembly window. This allowed me to get the starting address and then going to the View->Disassemble At... and putting in the address '180000260' I get a disassembly of the main routine for checking the wifi card Ven/Dev ids (see fig1 and 2).
Disassembly 1 The device checking routine
Disassembly 2 The rest of the story
A quick inspection of this showed that to get out of this routine we need to get to the address '3d0' which quickly leads to the ret statement. We want to make as few changes as possible since we don't know what might happen with any of the returned values. Seeing the 'jne 305' looks like it could cause an endless loop since nothing that is tested would be changing (unless another thread was running that had access to the memory at SP+40). Also notice the 'lea cx, 960' at address 2eb, this is the address of the 'unauthorized' string. Changing the 'jne 2f9 at address 2c0 to a jmp 2f9 gets us past the string output and changing 'je 30d' at address 2fb to 'jmp 30d' gets us out no questions asked. See fig. 3 for the disassembly with the final modifications.
Disassembly 3 The Fix
I hope this helps in dealing with the 2mb version of the Insyde BIOS. Here is a link to the modded ROM:
Modded BIOS zipped
Can you please update the Disassembly 1, 2, 3 link?
Thanks,
Disassembly 1
Disassembly 2
Disassembly 3
message I received when try to download.
Sorry, the file link that you requested is not valid.
Reasons for this may include:
Invalid link
The file has been deleted because it was violating our Terms of user
![[Valid RSS]](valid-rss.png "Validate my RSS feed")