Welcome
|
You have to register before you can post on our site.
|
|
General method to remove whitelist from Insyde BIOS
|
Posts: 12
Threads: 1
Joined: Jul 2010
Reputation:
4
(06-30-2012, 11:08 AM)SST-P Wrote: (06-28-2012, 04:01 PM)hspumanti Wrote: (06-28-2012, 09:52 AM)SST-P Wrote: (01-22-2012, 10:56 AM)hspumanti Wrote: I finally got my hands on a 2MB ROM I could work with. I used the NAWA1110 (v1.10) ROM which is for a Lenovo G455/G555 laptop for this effort. The string to search for in this case was "Unauthorized Wireless network card is plugged in. Power off and remove it". So after loading up the .ROM file in EZH2O, I brought up WinHex (which keeps crashing so it takes longer than it would otherwise) and searched for the Unicode string. Finding that I then searched UP for the Hex Values '4d5a'. Finding this I copied from here to the end of the data region where the string was found and saved it to 'something.exe'. Since I'm on a 64 bit system I can't use debug.exe, so I used PEBrowser64, which worked fine for what I was needing. Using PEBrowser64, I opened 'something.exe' and then opened the sections list on the left pane and dbl-clicked the '.text' section which brings up a limited disassembly window. This allowed me to get the starting address and then going to the View->Disassemble At... and putting in the address '180000260' I get a disassembly of the main routine for checking the wifi card Ven/Dev ids (see fig1 and 2).
Disassembly 1 The device checking routine
Disassembly 2 The rest of the story
A quick inspection of this showed that to get out of this routine we need to get to the address '3d0' which quickly leads to the ret statement. We want to make as few changes as possible since we don't know what might happen with any of the returned values. Seeing the 'jne 305' looks like it could cause an endless loop since nothing that is tested would be changing (unless another thread was running that had access to the memory at SP+40). Also notice the 'lea cx, 960' at address 2eb, this is the address of the 'unauthorized' string. Changing the 'jne 2f9 at address 2c0 to a jmp 2f9 gets us past the string output and changing 'je 30d' at address 2fb to 'jmp 30d' gets us out no questions asked. See fig. 3 for the disassembly with the final modifications.
Disassembly 3 The Fix
I hope this helps in dealing with the 2mb version of the Insyde BIOS. Here is a link to the modded ROM:
Modded BIOS zipped
Can you please update the Disassembly 1, 2, 3 link?
Thanks,
Disassembly 1
Disassembly 2
Disassembly 3
message I received when try to download.
Sorry, the file link that you requested is not valid.
Reasons for this may include:
Invalid link
The file has been deleted because it was violating our Terms of user
The links work for me.
Posts: 12
Threads: 1
Joined: Jul 2010
Reputation:
4
(06-30-2012, 11:08 AM)SST-P Wrote: (06-28-2012, 04:01 PM)hspumanti Wrote: (06-28-2012, 09:52 AM)SST-P Wrote: (01-22-2012, 10:56 AM)hspumanti Wrote: I finally got my hands on a 2MB ROM I could work with. I used the NAWA1110 (v1.10) ROM which is for a Lenovo G455/G555 laptop for this effort. The string to search for in this case was "Unauthorized Wireless network card is plugged in. Power off and remove it". So after loading up the .ROM file in EZH2O, I brought up WinHex (which keeps crashing so it takes longer than it would otherwise) and searched for the Unicode string. Finding that I then searched UP for the Hex Values '4d5a'. Finding this I copied from here to the end of the data region where the string was found and saved it to 'something.exe'. Since I'm on a 64 bit system I can't use debug.exe, so I used PEBrowser64, which worked fine for what I was needing. Using PEBrowser64, I opened 'something.exe' and then opened the sections list on the left pane and dbl-clicked the '.text' section which brings up a limited disassembly window. This allowed me to get the starting address and then going to the View->Disassemble At... and putting in the address '180000260' I get a disassembly of the main routine for checking the wifi card Ven/Dev ids (see fig1 and 2).
Disassembly 1 The device checking routine
Disassembly 2 The rest of the story
A quick inspection of this showed that to get out of this routine we need to get to the address '3d0' which quickly leads to the ret statement. We want to make as few changes as possible since we don't know what might happen with any of the returned values. Seeing the 'jne 305' looks like it could cause an endless loop since nothing that is tested would be changing (unless another thread was running that had access to the memory at SP+40). Also notice the 'lea cx, 960' at address 2eb, this is the address of the 'unauthorized' string. Changing the 'jne 2f9 at address 2c0 to a jmp 2f9 gets us past the string output and changing 'je 30d' at address 2fb to 'jmp 30d' gets us out no questions asked. See fig. 3 for the disassembly with the final modifications.
Disassembly 3 The Fix
I hope this helps in dealing with the 2mb version of the Insyde BIOS. Here is a link to the modded ROM:
Modded BIOS zipped
Can you please update the Disassembly 1, 2, 3 link?
Thanks,
Disassembly 1
Disassembly 2
Disassembly 3
message I received when try to download.
Sorry, the file link that you requested is not valid.
Reasons for this may include:
Invalid link
The file has been deleted because it was violating our Terms of user
The links work for me.
Posts: 8
Threads: 4
Joined: Jul 2012
Reputation:
0
(04-19-2012, 07:30 AM)hspumanti Wrote: new link
http://www.mediafire.com/?3u1ejhghbreqet3
Thanks
MB-Asus Rampage III Extreme *** CPU-i7 980X @ 4.44GHz *** CPU HSF-TRSA *** Mem-Mushkin Redline 6GB 1644MHz @ 6-7-6-18
GPU-Zotax Amp GTX480 *** OS SSD-Crucial RealSSD C300 128GB *** OS-Windows 7 Ultimate 64b *** PS-Corsair CMPSU-850AX
Case-Cooler Master HAF X *** Monitor-Viewsonic VP2655wb 26” LCD
Posts: 2
Threads: 1
Joined: Jul 2012
Reputation:
0
Hi , This My First Request Pliz if anyone have Unlocked Insyde Bios For HP G62-219CA Give it to me i need it for Change the amount of Card video ram 'Vram' , I need To Unlock Advanced Settings For this Bios
PC : HP G62-219CA
Bios Link : http://ftp.hp.com/pub/softpaq/sp52501-53000/sp52604.exe
MotherBoard :
Hewlett-Packard 1484 77.39
OS
Windows 7 Edition Familiale Premium (X64) (build 7600
And Plizz The Method how to flash is it by flashinsyde.exe or by usb and if u have any theard and Thanks TTAV134
Posts: 5
Threads: 2
Joined: Nov 2012
Reputation:
0
11-22-2012, 05:56 PM
(This post was last modified: 11-22-2012, 06:31 PM by nickking.)
*** Apologies, I've just read through the entire thread, I'll make a new thread for my request.
Evening, I have a new HP DV6 notebook and I'm looking for a bios hack to allow me to use a different wifi card (to utilise 5GHz), I'm not quite sure if one of the links on page 1 will help me or not :-)
-Notebook Model: HP Pavilion dv6-6c98sa
-Manufacturer: Hewlett-Packard
-Motherboard Model: Hewlett-Packard 17F9 (Intel HM65 (Cougar Point) [B3])
-Bios revision: F.1A (17FC)
-Bios Type: Legacy (Insyde)
-Bios Download Link: http://h10025.www1.hp.com/ewfrf/wc/softw...b-109917-1&cc=uk&dlc=en&lc=en&os=4063&product=5262700&sw_lang=
-Current original card : PCI\VEN_8086&DEV_008B&SUBSYS_53158086&REV_34
-Card to be added : PCI\VEN_8086&DEV_0091&SUBSYS_52018086&REV_00
Thanks in advance to anyone who is able to assist.
Regards,
Nick.
Posts: 3
Threads: 0
Joined: Feb 2013
Reputation:
0
-Manufacturer: HP
-Model: Pavilion dv6-3125er
-BIOS: F.29 (RSA Signed)
-Bios Download Link:ftp://ftp.hp.com/pub/softpaq/sp55001-55500/sp55299.exe
-Current Card: Ralink RT3090BC4 802.11b/g/n 1x1 WiFi and Bluetooth 2.1+EDR Combo Adapter
PCI\VEN_1814&DEV_3090&SUBSYS_1453103C&REV_00
a
-Card to be Added: Original HP COMPAQ INTEL 6230 636672-001
PCI\VEN_8086&DEV_0091&SUBSYS_52018086&REV_34
I try to use different firmware from Camiloml , but after 3-5 reboot - semi-brick (and i restore by USB-FLASHdrive)
Pls help, remove whitelist or add new card , I will donate for your hard work.
p/s : My laptop official support Intel 6250 (from service manual)
Posts: 1
Threads: 0
Joined: Jul 2013
Reputation:
1
07-18-2013, 06:29 PM
(This post was last modified: 07-18-2013, 06:30 PM by scaricone.)
Ok I tried the first page method...
I have an Insyde H2O 1MB BIOS (HP DV3550EL).
I got the idea to what have to be done and I did it. I spent 2 hours total, but it is pretty simple once you understand what to do:
- load your BIOS in EZH2O
- read the RAW data of EZH2O from your RAM with WinHEX, so to bypass compression methods and whatever (this is by far the best part)
- copy the part of the BIOS after and before the "104" message in a DOS EXECUTABLE file (.com)
- (optional) use dosbox for launching "the good old" debug.exe in a 64-bit environment
- debug the file for finding the right code "JUMP IF"
- find its address in the file loaded at the start so to change it to "JUMP" (you need a paid license of WinHEX for that)
- save the file
- inject the modded firmware (in my case it overwrited without problems)
It worked the second time: don't use EzH2O 2.1.0.13 but 2.1.0.4 instead.
May hspumanti be blessed. And frack HP, of course.
Posts: 1
Threads: 0
Joined: Aug 2013
Reputation:
0
08-04-2013, 03:07 AM
(This post was last modified: 08-04-2013, 05:08 AM by sabber.)
Okay I have read through all the steps and have got both programs ... all good so far ,,, Here comes the problem ..
Open bios.fd file in EzH20 .. yep
open Winhex get> Ezh20.> bios> entire memory.. yep
but cant find "Hex Value " listed anywhere in bios ???
want to install new Intel 6235 Wi-Fi+Bluetooth card but system freezes after bios load
..... black screen with solid cursor in top left corner.
Have tried modded bios From Camilomi ( Thanks ) but no luck with install.
Maybe does not work on:-
Toshiba satellite C665D
InsydeH20 1.80 Bios ????
Or is it a chipset issue!!!
Any help or am I wasting my time !
Thanks
Posts: 2
Threads: 1
Joined: Aug 2013
Reputation:
0
(08-03-2010, 02:00 PM)hspumanti Wrote: I have figured out how to remove the whitelist from most (all) Insyde BIOSes. I used the F.34 BIOS for a Compaq Presario C700 series for this how to. You will need the EzH2O and WinHex tools. Using these tools I was able to figure out the byte that needed to be changed to ignore the PCIe wireless whitelist altogether. After not being able to find my subsys codes, I started looking around a bit. I found the 104 - Unsupported wireless network device detected string in the memory dump and the Microsoft EXE signature just above which lead to the breakthrough (at least for me). What follows is a general procedure to allow you to modify your own BIOS safely (I hope).
1. obtain your bios.fd file obtained from HP (or whatever manufacturer)
2. use Insyde BIOS editor - EZH2O (I used EZH20 2.1.0.4)
3. run exh2o.exe, open the file bios.fd
4. run WINHEX
5. Tools -> OpenRAM -> Ezh2o -> Entire Memory
6. Find HEX Values -> «31 00 30 00 34 00 2d 00 55», this should be the be the first part of the '104-U...' error string in wide character format (2 bytes/char) see step1.jpg.
7. from here search up and find HEX values «4d 5a», you can just scroll up a few pages till you see 'MZ' in the ASCII pane. This is the code that MS uses for start of an EXE. Somewhere between here and the 104 string is where we need to find and modify the JNZ (byte code 75)
8. You will notice that there is a lot of blank space around and below the 'MZ', this is header information and is of no interest. Scroll down till the ASCII pane no longer is mostly blanks, about a page, you should see «55 8b ec», this is the start of the program and is setting up the stack
9. Now click on the 55 and drag the mouse down to the next 'MZ' code about 1-2 pages on my BIOS, and then click Edit -> Copy Block -> Into New File and name the file Something.com. The .com is important as we will load it with debug. Refer to step2.jpg.
10. Open a command prompt and navigate to where you saved the file and type debug something.com, you should get a '-' prompt, type u and hit enter and you should see something like this. See step3.jpg.
The first column is memory addresses, the 2nd column is instruction bytes and the rest are Intel mnemonics.
11. Now we need some elementary assembly skills to find what we are looking for. Debug will show the mnemonics for the instructions. Debug doesn't handle 386 instructions well so you may see a few ??? but we should be able to find what we need. Look for a test al,al followed by a jnz {address}. The unassemble should have addresses on the left and they should correspond to the addresses in the debug so you can then -u {address} to see what happens at the jump to locations. See step4.jpg.
12. Now that we know what to change write down a about 6 or so of the bytes ending with the 75 and the following byte (27 in the step 4 example) and go back to WinHex and from the start of our program (the «55 8b ec» bytes) search for the bytes you recorded. Make sure everything around matches your debug window and replace 75 (JNZ short) with eb (JMP short). eb is an unconditional jump and will exit the routine so we don't get to the infinite loop. See step5.jpg.
13. In WinHex save your change by clicking on the disk icon
14. Switch to EzH2O, File -> Save AS
15. Put your modified BIOS (and only that BIOS) where the flash utility can find it and start InsydeFlash and let it do it's thing.
16. Sometimes after flashing the machine may appear bricked but turn it off remove power and battery and then reapply power and turn it on. If it still doesn't come up Google for the procedure to use a USB memory stick to get your computer back. Might be a good idea to prepare the flash drive before you flash your BIOS.
Mark
Hi,
It is possible to delete whitelist VGA on my laptop Acer 6530 g?
thank you Jakub
|
Users browsing this thread: 5 Guest(s)
|