Posts: 21
Threads: 1
Joined: Aug 2021
Reputation:
0
10-04-2021, 01:26 PM
(This post was last modified: 10-04-2021, 05:53 PM by jeanlegi.)
We know this but the problem is to get an bios dump the chip is unknown for the software and i tested some "compatible" chips but no chance so far. it looks like that this bios chip has some authentification security features.
I hope that our big player are abel to help us
Posts: 1,223
Threads: 62
Joined: Mar 2013
Reputation:
44
10-04-2021, 09:36 PM
(This post was last modified: 10-04-2021, 09:39 PM by Sml6397.)
Welcome to this growing thread XBlaster & Shadowdane and hello all,
I found the documentation for this BIOS chip again. Here is a link for all to reference: https://static6.arrow.com/aropdfconversi...20reva.pdf . It is 31 pages, but we'll probably mostly be looking at the authentication section, as jeanlegi has noted.
The pins section would be a good reference so that we are sure we are connecting the right pins together (BIOS SPI pinouts tend to be pretty standardized, so this probably isn't an issue but it would be great if someone could compare the CH341A pins to the BIOS chip pins).
For reference, from post #22, we know that the BIOS chip model number is Winbond 74M12JWPIQ/2111/6108/M0058 .
Right now, we need to familiarize ourselves with the authentication method that this chip uses. Maybe we can brainstorm (or Google search) a way to bypass this protection. I've never done this before, so this should be interesting.
Not sure if we'll get it in the end, but we are getting closer everyone (6 people now!!). Let's do this!
!!!!!PLEASE READ!!!!!! Our Ukrainian friends are undergoing atrocities right now and need support. There are two things you can do for starters:
1.) Donate to one of various organizations offering medical, military, and psychological support to those impacted: Support Organizations
2.) Combat misinformation on social media.
Also, please feel free to PM me if I have not replied again about your BIOS mod request after 5 days.
Posts: 1,223
Threads: 62
Joined: Mar 2013
Reputation:
44
10-04-2021, 10:31 PM
(This post was last modified: 10-04-2021, 10:35 PM by Sml6397.)
Okay, so the authentication process seems pretty complete and difficult to bypass (speaking as someone with security knowledge but zero experience attempting to bypass these types of mechanisms). I've read articles about people bypassing similar but less complete kinds of security mechanisms before to bypass laptop battery whitelists (yes, they exist unfortunately), but I lack the skills to do so by myself.
However, there are two different cases that the authenticate requirements could apply to:
1.) Microprocessor/CPU attempts to read/write the BIOS chip. This almost certainly makes use of the authentication procedure, with Asus providing any relevant signing of BIOS updates.
2.) Hardware programmer attempts to read/write the BIOS chip. I know the documentation says "SPI device" but I think this could refer to the CPU as well if it uses the "SPI interface" to interact with the BIOS chip. If the authentication procedure does not apply here, then I think I know how to read/write the BIOS.
This is from Winbond's documentation for this chip:
Code: - 5 -
PIN DESCRIPTIONS
Chip Select (/CS)
The SPI Chip Select (/CS) pin enables and disables device operation. When /CS is high the device is
deselected and the Serial Data Output (DO, or IO0, IO1, IO2, IO3) pins are at high impedance. When
deselected, the devices power consumption will be at standby levels unless an internal erase, program or
write status register cycle is in progress. When /CS is brought low the device will be selected, power
consumption will increase to active levels and instructions can be written to and data read from the device.
After power-up, /CS must transition from high to low before a new instruction will be accepted. The /CS
input must track the VCC supply level at power-up and power-down (see “Write Protection” and Figure 10a
& 10b). If needed a pull-up resister on the /CS pin can be used to accomplish this.
I found a page about pull-up and pull-down resistors: https://learn.sparkfun.com/tutorials/pul...istors/all
It seems that resistors can modify the voltage on the /CS pin to meet the requirements for reading from/writing to the device. Regardless of authentication requirements, this is going to be one of our requirements (crossing fingers that this is all we have to do). Please see page 5 of the BIOS chip documentation for a BIOS chip pinout. Descriptions of the pins are on the next page if you are curious.
I imagine we will be using a pull-up resistor. The resistor will have a button on it. When this button is not pressed, the resistor connects the /CS pin to the VCC pin, bringing up /CS's voltage to near VCC's (in other words, putting it in a "high" state). When the button is pressed, the resistor connects the /CS pin to the GND (ground) pin, which lowers the voltage on the /CS pin (in other words, putting it in a "low" state). When the voltage goes from a high state to a low state after power up (whatever "power up" means in this case - probably connecting the flash programmer or plugging in the computer), then read/write operations are allowed because the internal mechanisms in the BIOS chip allow it to use enough power to work properly.
I believe this is the way we read/write data from the BIOS chip in any useful manner. I'm going to continue doing research on this. Hopefully this is the only thing we have to do.
If anyone is a regular hardware modifier/specialist/electrician and/or knows about this stuff, any input would be greatly appreciated!
!!!!!PLEASE READ!!!!!! Our Ukrainian friends are undergoing atrocities right now and need support. There are two things you can do for starters:
1.) Donate to one of various organizations offering medical, military, and psychological support to those impacted: Support Organizations
2.) Combat misinformation on social media.
Also, please feel free to PM me if I have not replied again about your BIOS mod request after 5 days.
Posts: 5
Threads: 1
Joined: Apr 2020
Reputation:
0
10-06-2021, 12:29 AM
(This post was last modified: 10-06-2021, 12:54 AM by XBlaster.)
Cant we use IDA pro to disassemble the installer for the bios?, or the bios itself?, maybe we could try and sign it so it runs modified
or find a leaked version of the most recent amibcp?
i heard gigabyte servers got hacked, and there were some AMI leaked stuff, maybe we could find something there
Posts: 1,223
Threads: 62
Joined: Mar 2013
Reputation:
44
10-06-2021, 06:56 PM
(This post was last modified: 10-06-2021, 06:57 PM by Sml6397.)
(10-06-2021, 12:29 AM)XBlaster Wrote: Cant we use IDA pro to disassemble the installer for the bios?, or the bios itself?, maybe we could try and sign it so it runs modified
or find a leaked version of the most recent amibcp?
i heard gigabyte servers got hacked, and there were some AMI leaked stuff, maybe we could find something there
Wow, 112GB of documents. That's wild. Assuming accuracy of the article I read, that data is in the hands of those who stole it, so we can't use it.
The problem that we are facing right now is that we will not be able to flash any BIOS mods without a hardware programmer. Only unlike all other cases I've seen, the hardware programmer cannot properly read the BIOS chip (we get some version of garbage each time we attempt it). If we can't read the chip, I certainly wouldn't trust the programmer to write to it without a brick occurring. Once we can reliably read the BIOS chips and I have good BIOS dumps, I will immediately provide mods for all 6 requesters in this thread.
Thanks to the Winbond document, we know of 1 or 2 protection mechanisms that are preventing us from reading from/writing to the BIOS chip properly - the first being that we need to modulate the voltage from high to low on the /CS pin and the second possibly being an authentication mechanism (hopefully for our purposes Asus did not make use of this mechanism). I am going to continue doing research on the pull-up resistor and how we might use it in tandem with the CH341A setup before suggesting next steps for obtaining BIOS backups.
It would be awesome if we could simply sign a BIOS update ourselves, but as far as I know, to do that we would need to have Asus's private key, which is probably at least 256 bits in length, making it prohibitively difficult to brute force. All computer security systems have vulnerabilities - without exception - but I do not presently know how to bypass anything involving private key cryptography - so hopefully we aren't dealing with this.
!!!!!PLEASE READ!!!!!! Our Ukrainian friends are undergoing atrocities right now and need support. There are two things you can do for starters:
1.) Donate to one of various organizations offering medical, military, and psychological support to those impacted: Support Organizations
2.) Combat misinformation on social media.
Also, please feel free to PM me if I have not replied again about your BIOS mod request after 5 days.
Posts: 5
Threads: 1
Joined: Apr 2020
Reputation:
0
10-07-2021, 05:10 PM
(This post was last modified: 10-07-2021, 05:12 PM by XBlaster.)
we would need to analize how the key is used, where it could be stored, maybe use rainbow tables, its worth a try, maybe it's 256, maybe it's not, and if it is, we could set up a multiple setupt to crack that hash, given time.
there is a forum where the leaked data is being distributed, i could attempt and download it, but i need to make a virtual machine or something cuz i don't really trust the leaks
Posts: 1,223
Threads: 62
Joined: Mar 2013
Reputation:
44
10-09-2021, 11:50 PM
(This post was last modified: 10-09-2021, 11:51 PM by Sml6397.)
(10-07-2021, 05:10 PM)XBlaster Wrote: we would need to analize how the key is used, where it could be stored, maybe use rainbow tables, its worth a try, maybe it's 256, maybe it's not, and if it is, we could set up a multiple setupt to crack that hash, given time.
there is a forum where the leaked data is being distributed, i could attempt and download it, but i need to make a virtual machine or something cuz i don't really trust the leaks
Yeah, if we are going to have to crack authentication, I think a great place to start would be to very seriously study how it works in the documentation - learn it inside and out. I don't know how much I can contribute here, but if it comes down to it, I will do what I can even if that is just summing up the info in the document concisely and pointing to areas that I think could be attacked.
But before we get into that, we should experiment with a pull-up resistor that has a button. In the next few days, I will get to actually looking up examples of their use, examples that could help guide us in modulating the voltage on the /CS pin from high to low to allow the BIOS chip to use the voltage it needs for properly reading from/writing to the chip.
The backups that I have gotten thus far are indeed the proper 16MB in size but seem to have very little actual data in them. They consist primarily of large sequences of contiguous FF bytes, intermittently interrupted by small, contiguous, non-FF regions of data or garbage - either of which is probably indicative of a lack of necessary power (or an inconsistently adequate supply of power) for a read operation.
Once we get a backup with the proper setup, I imagine we will have a lot more insight into if/how encryption is working against us here. Hopefully it isn't. I'll post more info in the next day or two, but please feel free to post examples of pull-up resistors being used in the manor I described in Post #63.
!!!!!PLEASE READ!!!!!! Our Ukrainian friends are undergoing atrocities right now and need support. There are two things you can do for starters:
1.) Donate to one of various organizations offering medical, military, and psychological support to those impacted: Support Organizations
2.) Combat misinformation on social media.
Also, please feel free to PM me if I have not replied again about your BIOS mod request after 5 days.
Posts: 1,223
Threads: 62
Joined: Mar 2013
Reputation:
44
Hello everyone,
Apologies for the delays.
For those still interested in this BIOS mod, the first (and hopefully only) thing we are going to need to do is to modulate the voltage on the /CS pin from a high state to a low state during power on using a pull-up resister to cause the BIOS chip to draw enough voltage to enable read/write operations via an SPI flash programmer (the CH341A).
At first, I thought that it might be difficult to do this as the pins are small (not tiny like many other chips on the motherboard, but still very little wiggle room). Fortunately, the 3 pins we need to connect together are on 3 of the edges of the BIOS chip.
The pull up resister, which has a button, will be attached to a breadboard, as will the resister, to simplify things. The resister - without the button pressed - will initially connect the /VCC (power) pin to the /CS (let's call it the "input" pin to match up with diagrams from guides) to put the /CS pin in a high voltage state. On power up, the button will be pressed to connect the /CS pin to the /GND (ground) pin instead. This will bring the /CS pin to a low voltage state, which is the parameter required for allowing read/write operations to take place.
I will post more information this week, hopefully sooner rather than later. Please let me know if you are still interested. I am still learning this stuff myself.
!!!!!PLEASE READ!!!!!! Our Ukrainian friends are undergoing atrocities right now and need support. There are two things you can do for starters:
1.) Donate to one of various organizations offering medical, military, and psychological support to those impacted: Support Organizations
2.) Combat misinformation on social media.
Also, please feel free to PM me if I have not replied again about your BIOS mod request after 5 days.
Posts: 7
Threads: 2
Joined: Jan 2022
Reputation:
0
(11-30-2021, 01:06 AM)Sml6397 Wrote: Hello everyone,
Apologies for the delays.
For those still interested in this BIOS mod, the first (and hopefully only) thing we are going to need to do is to modulate the voltage on the /CS pin from a high state to a low state during power on using a pull-up resister to cause the BIOS chip to draw enough voltage to enable read/write operations via an SPI flash programmer (the CH341A).
At first, I thought that it might be difficult to do this as the pins are small (not tiny like many other chips on the motherboard, but still very little wiggle room). Fortunately, the 3 pins we need to connect together are on 3 of the edges of the BIOS chip.
The pull up resister, which has a button, will be attached to a breadboard, as will the resister, to simplify things. The resister - without the button pressed - will initially connect the /VCC (power) pin to the /CS (let's call it the "input" pin to match up with diagrams from guides) to put the /CS pin in a high voltage state. On power up, the button will be pressed to connect the /CS pin to the /GND (ground) pin instead. This will bring the /CS pin to a low voltage state, which is the parameter required for allowing read/write operations to take place.
I will post more information this week, hopefully sooner rather than later. Please let me know if you are still interested. I am still learning this stuff myself. Hello, I know im kinda late to this thread, but I have a G513IM(4800H 3060) and I wanted to tweak the memory and CPU a little bit. I opened the laptop and found the bios chip(W25Q16JWNIQ) but I was only able to get info on the W25Q16JW chip, I think it souldnt matter so much, thankfully there is no HMEC so I
sould be good with a 1.8V logic level shifter right?
Posts: 1
Threads: 0
Joined: Feb 2022
Reputation:
0
02-13-2022, 08:54 AM
(This post was last modified: 02-13-2022, 08:55 AM by mr.nice..)
Hello bios-mods, I just wanted to tell you that I have found a program that is acutally able to read the G15 Advantage Edition BIOS file.
It is called UefiTool and can be found here: https://m.majorgeeks.com/mg/getmirror/uefitool,1.html
The fun part is in 8C8CE578-8A3D-4F1C-9935-896185C32DD3 there are DXE drivers and SMM modules listed.
I hope this information provides you some usefull help
|