Login

***DeathBringer*** · 10-29-2017, 11:36 PM

OK. I need such screenshot from your friend.

veewus · 11-17-2017, 03:20 AM

Hi, any update on this topic cause I'm also intrested in it.
In my case I own a Chinese version 3rd gen S1 which is the counter part of Yoga 370, with AES-NI disabled.
I've successfully changed the model number to the Yoga 370 one using the HMD usb key, which OP suspects to be the controlling flag.
The result is underwhelming though, AES-NI is still disabled.
So I'm really intrested in what the real magic switch DeathBringer discovered is.
Anyway I'm posting the memory dump at FF89D000 in my box, it may be useless, but just in case.

***DeathBringer*** · (This post was last modified: 11-18-2017, 02:36 AM by DeathBringer.)

veewus
Have you a hardware programmer?
Describe how you "changed the model number".

veewus · 11-18-2017, 07:44 AM

(11-18-2017, 02:28 AM)DeathBringer Wrote: veewus
Have you a hardware programmer?
Describe how you "changed the model number".

Thanks for the reply Smile

.
I do not have a hardware programmer, Lenovo has official service tool for the propose.
See this reddit topic. After changing the model number successfuly in this service tool, I can verify it in the BIOS.

***DeathBringer*** · (This post was last modified: 11-18-2017, 10:25 AM by DeathBringer.)

1. Download original COMMAND.COM from IBM PC DOS 5.0.
2. Put it in HMD usb stick (with replacement).
3. Boot up with HMD usb stick.
4. Type serupdt S data.bin and press Enter.
5. Make a photo of the result.
6. Reboot in Windows and upload data.bin file from HMD usb stick.

veewus · (This post was last modified: 11-18-2017, 12:37 PM by veewus.)

Replaced the COMMAND.COM file as instructed, but the HMD disk boots to the same interface as before:

I'm suspecting it's because I booted with the EFI mode?
For reference I dumped the HMD usb key content as VHD.
Anyway from your instructions I'm guessing that you requested the EEPROM dump, so I made one using the 5th function in the HMD.
My system unit SN is replace with string SERIALNO in this dump. And since changing the model didn't do the trick, I've already changed it back to original before this dump.

.zip

usbkey_and_eeprom_dump.zip (Size: 910.68 KB / Downloads: 17)
Edit: I think it might also be useful to attatch the SiInit PE image of my bios.

.zip

299D6F8B-2EC9-4E40-9EC6-DDAA7EBF5FD9-SiInit.zip (Size: 76.64 KB / Downloads: 5)

***DeathBringer*** · (This post was last modified: 11-18-2017, 02:30 PM by DeathBringer.)

(11-18-2017, 12:08 PM)veewus Wrote: I'm suspecting it's because I booted with the EFI mode?

Can you boot in DOS?
Attached EEPROM dump doesn't contains the necessary information. So HMD will not help to change bytes in NVRAM.

(11-18-2017, 12:08 PM)veewus Wrote: I think it might also be useful to attatch the SiInit PE image of my bios.

Replace in your SiInit PE image bytes 74 08 83 E0 FD with 74 00 83 E0 FD.
But you can't flash modded BIOS without a hardware programmer. Ask Dudu2002 for the reason of it.
P.S. But if you had a hardware programmer, you could make it easier - just set two bytes to FF.

veewus · 11-18-2017, 10:24 PM

Much appreciated for your help DeathBringer!
I have a job in creating software, not deep down into assembly and hardware though.
So could you help me to clear something up to satisfy my inner curiosity?

Quote:Attached EEPROM dump doesn't contains the necessary information. So HMD will not help to change bytes in NVRAM.

In laptops isn't EEPROM equal to NVRAM? or the HMD dumps/maintains only part of the EEPROM/NVRAM so it's not useful?
In my understanding, since the BIOS provided by lenovo is identical across all models worldwide, it must be some bits in the NVRAM/EEPROM that switchs certain functions on and off. So we can find what's lenovo's magic bit for AES-NI by reverse engineering the BIOS, probably the SiInit module right?

Quote:Replace in your SiInit PE image bytes 74 08 83 E0 FD with 74 00 83 E0 FD.

Could you elaborate a bit more on what's been done here?
I'm learning to read assembly instructions my self currently, in the aim that finding where the BIOS is reading from EEPROM/NVRAM for the AES-NI control bit, is this approach practical?

Quote:But you can't flash modded BIOS without a hardware programmer. Ask Dudu2002 for the reason of it.
P.S. But if you had a hardware programmer, you could make it easier - just set two bytes to FF.

It's a pitty that I don't have a hardware programmer, plus I don't want to risk damaging the board with my limited hardware knowledge.
If direct programming on the BIOS chip is possible, I think that replacing rmsr to noop is enough right?
And one more question, how did you find out the address FF89D000 and where does it points to? the NVRAM I guess?

Really appreciated for your help and time!

***DeathBringer*** · 11-19-2017, 02:07 AM

(11-18-2017, 10:24 PM)veewus Wrote: In laptops isn't EEPROM equal to NVRAM?

HMD doesn't grant access to necessary part of NVRAM.

(11-18-2017, 10:24 PM)veewus Wrote: Could you elaborate a bit more on what's been done here?

No, I'm not a tutor.

(11-18-2017, 10:24 PM)veewus Wrote: And one more question, how did you find out the address FF89D000 and where does it points to? the NVRAM I guess?

By disassembly modules of BIOS.

veewus · 11-19-2017, 02:50 AM

(11-19-2017, 02:07 AM)DeathBringer Wrote:
(11-18-2017, 10:24 PM)veewus Wrote: In laptops isn't EEPROM equal to NVRAM?
HMD doesn't grant access to necessary part of NVRAM.

(11-18-2017, 10:24 PM)veewus Wrote: Could you elaborate a bit more on what's been done here?
No, I'm not a tutor.

(11-18-2017, 10:24 PM)veewus Wrote: And one more question, how did you find out the address FF89D000 and where does it points to? the NVRAM I guess?
By disassembly modules of BIOS.

Sorry for the noise and thank you for the valuable information.

Login
Username:
Password:	Lost Password?
	Remember me