Welcome
|
You have to register before you can post on our site.
|
|
Can i get general instructions for modifying AMI bios ?
|
Posts: 23
Threads: 1
Joined: Feb 2019
Reputation:
0
02-20-2019, 12:37 AM
Hi, i have a lenovo m73 tiny model 10AY, want to patch the whitelist.
But i think it'd be more educational to learn how to patch it, rather than simply request it.
The bios can be downloaded here:
fhjt78usa.zip https://support.lenovo.com/au/en/downloads/ds038325
It has two large files that i suspect are the bios:
IMAGEFH.rom (7mb)
FHCT36A.bin (131kb)
Inside the rom file, there are plenty of subsections starting with 'MZ' which i assume are executable files? I'm not sure what to make of them.
I searched for the boot error text 'Error 1802: Unauthorized network card is plugged in' as well as sub-strings of that text, but couldn't find it (both in ascii and utf-16). So i'm kinda stuck.
I believe one of the whitelisted cards is: PCI\VEN_8086&DEV_08B2&SUBSYS_42628086&REV_73
Any suggestions appreciated
Posts: 1,776
Threads: 0
Joined: Aug 2018
Reputation:
42
Download the USB package, and then edit the IMAGEFH.rom, may or may not be same you mentioned (File size is 6.50MB)
Removing whitelist is done via assembly/disassembly app and hex editor, here is general info about that (not specific to this BIOS, BIOS type, or any BIOS really, just "in general")
https://www.bios-mods.com/forum/Thread-G...nsyde-BIOS
Is the error you are looking for the exact one you are shown? I don't find it either, using UEFITool or extracting setup and several other modules and checking those as well. Makes me think maybe you have wrong error terms? I even looked just Unauthorized network and could not find that either.
Found it! Use UEFITool, via search go to GUID CEC0D748-7232-413B-BDC6-2ED84F5338BC and extract PE32 as is, and the submodule with bunch of zero's on the end. The one with all the zero's holds the text for the error, the PE32 module is where your block coding will need to be edited
I find three instances of Test al, al in assembly that lead to infinite loops, so not sure which applies to your hardware issue, you'd have to test bypassing each one at a time.
Posts: 23
Threads: 1
Joined: Feb 2019
Reputation:
0
02-20-2019, 06:19 PM
Thanks so much for the tips!
I've opened it in UEFITool, extracted the message body, and here's my findings:
It contains English, French, and Chinese (traditional) blocks from what i can tell.
The file seems to have a 4 byte header being '1' (little endian). After which is a series of blocks.
From a quick look, it seems each block has a 46 byte header.
The first 2 bytes of the header are the size of the entire block (including those 2 bytes) in little endian.
After the header is the language code in ascii, eg en-US, then 0x00
Then 0x14, then 'English' in UTF16 (byte order: ascii byte then 0 byte), then 0x0000 (eg a null terminator)
Then 0x14, then 'Error 00CE: Blah blah blah' in UTF16, then 0x0000 null terminator
Then 0x14, then next error string, then null terminators
..and so on
The error '1802' i'm interested in is #30 (if 00CE, the first one, is #1). So i'll look for 30 (or 29, in case of off-by-one) in the disassembled code.
Will let you know how i go.
Posts: 23
Threads: 1
Joined: Feb 2019
Reputation:
0
At offset 23772 in the PE body, i found 0x8680b208
Which when converted to little endian, is:
0x8086 0x08b2
Which is one of the whitelisted cards!
Getting somewhere
Posts: 23
Threads: 1
Joined: Feb 2019
Reputation:
0
So heading north from there, the first likely looking whitelisted card is at offset 0x5cc4: 0x86 (then 0x80)
Just before that is 4 bytes that Hopper takes as a reference. Right click, find all references. There 2 options: cmp, lea, both around 0x41f3.
Those references are both within this function, which i assume is the white-list checking function, which disassembles to the following pseudocode:
Progress!
Code: int sub_1800040c4(int arg0, int arg1, int arg2, int arg3, int arg4, int arg5, int arg6, int arg7) {
var_32 = arg7;
var_24 = arg6;
stack[-8] = rbx;
stack[-16] = r12;
rsp = rsp - 0x68;
var_16 = arg5 & 0x0;
*(&stack[0] - 0x38) = *(&stack[0] - 0x38) & 0x0;
*(&stack[0] + 0x20) = *(&stack[0] + 0x20) & 0x0;
*(&stack[0] + 0x18) = *(&stack[0] + 0x18) & 0x0;
*(&stack[0] - 0x48) = &stack[0] - 0x38;
if ((0x8000000000000000 & (*(*qword_1800067f8 + 0x138))(0x2, &stack[0] - 0x30, 0x0, &stack[0] + 0x20)) != 0x0) goto loc_180004220;
loc_180004162:
rbx = 0x0;
if (var_32 <= rbx) goto loc_180004220;
loc_180004172:
var_30 = 0x4cf5b200;
rax = *qword_1800067f8;
rax = (*(rax + 0x98))(*(var_38 + rbx * 0x8), &var_30, &var_24);
if ((0x8000000000000000 & rax) != 0x0) goto loc_18000420f;
loc_18000419a:
(*(var_24 + 0x30))(var_24, 0x2, 0x0, 0x1);
if (var_16 == 0xffffffff) goto loc_18000420f;
loc_1800041c6:
(*(var_24 + 0x30))(var_24, 0x0, 0xb, 0x1);
if (0x0 != 0x2) goto loc_18000420f;
loc_1800041ef:
rcx = var_16;
if (rcx == *(int32_t *)dword_180005cc0) goto loc_18000420f;
loc_1800041fb:
rax = dword_180005cc0;
goto loc_180004202;
loc_180004202:
rax = rax + 0x4;
if (*(int32_t *)rax == 0x0) goto loc_18000422a;
loc_18000420b:
if (rcx != *(int32_t *)rax) goto loc_180004202;
loc_18000420f:
rbx = rbx + 0x1;
if (rbx < var_32) goto loc_180004172;
loc_180004220:
rax = 0x0;
return rax;
loc_18000422a:
rax = 0x1;
return rax;
}
Posts: 23
Threads: 1
Joined: Feb 2019
Reputation:
0
Looks to me that this line is testing if it's reached the end of the whitelist array:
if (*(int32_t *)rax == 0x0) goto loc_18000422a;
And this this is the return code for having failed:
loc_18000422a:
rax = 0x1;
return rax;
And this seems to be the successful exit:
loc_180004220:
rax = 0x0;
return rax;
So if i can change that 0x1 to 0, then it should allow anything. Not sure how to change that though.
Posts: 23
Threads: 1
Joined: Feb 2019
Reputation:
0
So i found the successful exit code in Hopper's hex editor, its value for rax=0 is '0x32c0' which is the opcode for 'xor rax,rax' (a shortcut for setting something to zero).
I found the failure return where 'rax = 1' - this is at file offset 0x422a (16938), and the bytes are 0xb001.
I opened the file in a hex editor, and changed it to 0x32c0, and reopened in hopper.
The disassembly now shows that in a failure exit, it will now return 0 instead of 1. Success! Now to integrate it back into the UEFI rom.
Posts: 23
Threads: 1
Joined: Feb 2019
Reputation:
0
So have to install an older version of UEFITool to be able to make changes:
https://github.com/LongSoft/UEFITool/rel...tag/0.26.0
From there it's a matter of finding the PE, right clicking and replacing the body, and saving the rom.
I'll now try loading it onto my BIOS and see if it bricks the thing!
Posts: 23
Threads: 1
Joined: Feb 2019
Reputation:
0
I use Rufus.ie to create a FreeDOS USB boot disk, unzip and copy the bios updates onto a subfolder, copy over my modified rom file, boot and run 'autoexec.bat' in the subfolder. All looks good but ends up with this error:
Error: Secure Flash Rom Verify fail.
So i'm not sure what to do now, any ideas?
Posts: 23
Threads: 1
Joined: Feb 2019
Reputation:
0
|
Users browsing this thread: 1 Guest(s)
|