Forum RSS Feed Follow @ Twitter Follow On Facebook

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[-]
Welcome
You have to register before you can post on our site.

Username:


Password:





[-]
Latest Threads
Lenovo ThinkPad SL510 Whitelist Removal....
Last Post: deepTeNk
Yesterday 03:32 PM
» Replies: 5
» Views: 6359
[REQUEST] HP Pavilion G42-272BR Whitelis...
Last Post: eepromm
11-22-2024 01:55 AM
» Replies: 0
» Views: 112
[REQUEST] Lenovo G710 BIOS Whitelist Rem...
Last Post: voyageur
11-21-2024 04:33 PM
» Replies: 475
» Views: 167416
[REQUEST] Acer Aspire 5738(G,Z): CPU Upg...
Last Post: DeathBringer
11-21-2024 03:44 PM
» Replies: 49
» Views: 32892
[REQUEST] HP Mini 110-4100 BIOS Unlock
Last Post: DSI INF
11-21-2024 09:24 AM
» Replies: 7
» Views: 256
[REQUEST] Lenovo IdeaPad U310 & U410 (65...
Last Post: Dudu2002
11-21-2024 03:11 AM
» Replies: 1780
» Views: 495574
Lenovo ThinkCentre M715q 2nd Gen & AMD R...
Last Post: Elmurley
11-20-2024 09:37 PM
» Replies: 2
» Views: 1295
[REQUEST] Lenovo Y50-70 (9ECNxxWW) White...
Last Post: SWZSSR
11-20-2024 09:34 PM
» Replies: 1775
» Views: 554089
[REQUEST] Lenovo Thinkpad X240 (GIETxxWW...
Last Post: Dudu2002
11-20-2024 04:58 PM
» Replies: 337
» Views: 143730
Unlock bios insyde
Last Post: Matox3140
11-19-2024 03:40 PM
» Replies: 0
» Views: 224
Whitelist WIFI card removal Lenovo Yoga ...
Last Post: Dudu2002
11-19-2024 12:58 PM
» Replies: 1
» Views: 232
[REQUEST] H310 MSI Gaming Infinite S (MS...
Last Post: awittyusername
11-19-2024 09:21 AM
» Replies: 10
» Views: 140
[REQUEST] Gigabyte GA-B85M-HD3 Rev 2.0 u...
Last Post: Maduli
11-19-2024 02:22 AM
» Replies: 0
» Views: 176
[REQUEST] Lenovo Ideapad 330-15ICH BIOS ...
Last Post: Dudu2002
11-18-2024 01:25 PM
» Replies: 8
» Views: 1910
[REQUEST] Lenovo ThinkPad Edge E330 (H3E...
Last Post: Dudu2002
11-18-2024 01:23 PM
» Replies: 640
» Views: 221430
[Request] Unlocked Bios for Asus TUF FX5...
Last Post: FlT4ever
11-18-2024 01:05 PM
» Replies: 1
» Views: 431
[REQUEST] Lenovo ThinkPad Edge E125(v1.1...
Last Post: kamome74
11-18-2024 10:43 AM
» Replies: 0
» Views: 218
[REQUEST] Xpg 15g 4070 2023ver InsydeH20...
Last Post: MireVelli
11-18-2024 07:26 AM
» Replies: 2
» Views: 214
Please help me recover my bios
Last Post: FuryOP
11-17-2024 12:37 PM
» Replies: 0
» Views: 232
[Request-Camilo] Sony Vaio SA/SB/SC/SD/S...
Last Post: edit
11-17-2024 12:13 PM
» Replies: 107
» Views: 136981

[REQUEST] Lenovo Thinkpad X240 (GIETxxWW) Whitelist Removal
#11
hi friends,
interesting discussion you got here..
btw, i try to disassemble wintpup.exe and debug the process, found that process for reading bios image and bios in the chip was done by winflash64.exe (i use win7 64bit). in winflash64.exe, there's section that commented as 'oem check'.
when i debug the winflash64.exe with parameter using modified *.fl1, then change the status flag to the value when i run using lenovo's *.fl1, i manage to produce the same message as if i did the flash using proper procedure.
but after restart/reboot, i still got authenticaation failed.
i suspect that the authentication check is also done after reboot.
perhaps you want to also tried to reverse the process, you can check my thread (about T430). i record my process there.
find
quote
#12
(05-08-2014, 05:24 AM)ucupsz Wrote: hi friends,
interesting discussion you got here..
btw, i try to disassemble wintpup.exe and debug the process, found that process for reading bios image and bios in the chip was done by winflash64.exe (i use win7 64bit). in winflash64.exe, there's section that commented as 'oem check'.
when i debug the winflash64.exe with parameter using modified *.fl1, then change the status flag to the value when i run using lenovo's *.fl1, i manage to produce the same message as if i did the flash using proper procedure.
but after restart/reboot, i still got authenticaation failed.
i suspect that the authentication check is also done after reboot.
perhaps you want to also tried to reverse the process, you can check my thread (about T430). i record my process there.

Hi friend,
As I said Donovan has done many experiment so He is big expert, but
I remember that when I was studying Secure Flash Protection, i found that on UEFI Bios It is done by InsydeFlash which
Decapsule Bios and pass It to UEFI module to flash it after reboot, so there are many checks before flashing it
(the same as HP do on his laptop using HP_TOOLS Partition).
So if Original Bios is been modded has an incorrect Signature !
Only two ways to reflash Bios are :

1. Intel FPT Bios Region flashing
2. Recovery Mode Bios Decapsulated (so Generalized)

These is true only for Bios without Write Memory Protections (error 280)
Regards

[size=undefined]Your Brain [/size]. . . . It's the best tool U can use ! Wink
[size=undefined]Don't FLASH the Bios Mod if You get a Size Alert, You risk a Brick !!! [/size]
Donate to me for my work, click here BDM
find
quote
#13
Yep, it's not possible to flash a changed bios via any means using just WINTPUP, because it just checks the bios image and than creates a capsule to be flashed on the next reboot.

here's the diagram
http://forum.techinferno.com/general-not...flash.html

and intel FPT cannot flash it, cause the flash chip is protected, probably using some undocumented chipset registers. prr and prr2 cannot unprotect it. we need prr3 Smile

ucupz, you could disassembly and check the DXE/PEI module in UEFI that does the actual flashing after reboot. after checking for the correct bios signature it must unprotect the flash chip to do the flashing. if it's known how it does it, we could write our own prr3 to unprotect the bios and use Intel FPT Smile

BDMaster, what is Recovery Mode Bios Decapsulated and Generalized you mentioned? any link or info?
find
quote
#14
(05-08-2014, 06:28 AM)rozker Wrote: Yep, it's not possible to flash a changed bios via any means using just WINTPUP, because it just checks the bios image and than creates a capsule to be flashed on the next reboot.

here's the diagram
http://forum.techinferno.com/general-not...flash.html

and intel FPT cannot flash it, cause the flash chip is protected, probably using some undocumented chipset registers. prr and prr2 cannot unprotect it. we need prr3 Smile

ucupz, you could disassembly and check the DXE/PEI module in UEFI that does the actual flashing after reboot. after checking for the correct bios signature it must unprotect the flash chip to do the flashing. if it's known how it does it, we could write our own prr3 to unprotect the bios and use Intel FPT Smile

BDMaster, what is Recovery Mode Bios Decapsulated and Generalized you mentioned? any link or info?

The Recovery Mode is Procedure to Recover a Bios when flash goes bad !
Before all Bioses were Pure (not Capsulatedas in UEFI) and the procedure was simply.
Actualy to Recover Bios It needs to Decapsulate Bios to get It Pure or Generalized (It is base to make a mod for all same models laptop without a bios backup for any user).
If You try to Recovery Bios with a capsulated Bios You'll get a brick !
Regards

Here is mine old Dirty Guide How to get Decapsulated Bios :

http://rghost.net/52544682

[size=undefined]Your Brain [/size]. . . . It's the best tool U can use ! Wink
[size=undefined]Don't FLASH the Bios Mod if You get a Size Alert, You risk a Brick !!! [/size]
Donate to me for my work, click here BDM
find
quote
#15
yeah... just as what i guessed.
thanks for the pict.

(05-08-2014, 06:28 AM)rozker Wrote: Yep, it's not possible to flash a changed bios via any means using just WINTPUP, because it just checks the bios image and than creates a capsule to be flashed on the next reboot.

here's the diagram
http://forum.techinferno.com/general-not...flash.html

and intel FPT cannot flash it, cause the flash chip is protected, probably using some undocumented chipset registers. prr and prr2 cannot unprotect it. we need prr3 Smile

ucupz, you could disassembly and check the DXE/PEI module in UEFI that does the actual flashing after reboot. after checking for the correct bios signature it must unprotect the flash chip to do the flashing. if it's known how it does it, we could write our own prr3 to unprotect the bios and use Intel FPT Smile

BDMaster, what is Recovery Mode Bios Decapsulated and Generalized you mentioned? any link or info?

is there any tools to debug .pei module or .dxe driver?
afaik, we can only dissassemble those things and manually analyze the assembly.

(05-08-2014, 12:58 PM)BDMaster Wrote:
(05-08-2014, 06:28 AM)rozker Wrote: Yep, it's not possible to flash a changed bios via any means using just WINTPUP, because it just checks the bios image and than creates a capsule to be flashed on the next reboot.

here's the diagram
http://forum.techinferno.com/general-not...flash.html

and intel FPT cannot flash it, cause the flash chip is protected, probably using some undocumented chipset registers. prr and prr2 cannot unprotect it. we need prr3 Smile

ucupz, you could disassembly and check the DXE/PEI module in UEFI that does the actual flashing after reboot. after checking for the correct bios signature it must unprotect the flash chip to do the flashing. if it's known how it does it, we could write our own prr3 to unprotect the bios and use Intel FPT Smile

BDMaster, what is Recovery Mode Bios Decapsulated and Generalized you mentioned? any link or info?

The Recovery Mode is Procedure to Recover a Bios when flash goes bad !
Before all Bioses were Pure (not Capsulatedas in UEFI) and the procedure was simply.
Actualy to Recover Bios It needs to Decapsulate Bios to get It Pure or Generalized (It is base to make a mod for all same models laptop without a bios backup for any user).
If You try to Recovery Bios with a capsulated Bios You'll get a brick !
Regards

Here is mine old Dirty Guide How to get Decapsulated Bios :

http://rghost.net/52544682
find
quote
#16
Look here Donovan reply for You, so can ask to him :

http://www.bios-mods.com/forum/Thread-RE...mer?page=5

Regards

[size=undefined]Your Brain [/size]. . . . It's the best tool U can use ! Wink
[size=undefined]Don't FLASH the Bios Mod if You get a Size Alert, You risk a Brick !!! [/size]
Donate to me for my work, click here BDM
find
quote
#17
something about patching the UEFI flasher module:

http://www.insanelymac.com/forum/topic/2...try1993117

And yes, live debugging of UEFI is not easily possible. We can only analyze static assembly in our case I guess.
find
quote
#18
@rozker:
The Bios Lock Enable (BLE) bit setting popped up some time ago when Haswell motherboards were released and prevented any BIOS modifications. The bit is set according to a preference in the BIOS and is write protected until a platform reset is performed, which usually happens when after you flash a new BIOS. You see the problem ..

CodeRush's patch will bypass the setting of the Bios Lock Enable (BLE) bit after! you flash the patched BIOS, so further modifications are easily possible.
It won't help you flash a modified BIOS, if you already have this kind of lock.

I'm not familiar with the protection used in these notebooks. Most probably it is something else anyway.
If you want to check, if you have the BLE bit set, refer to these two posts: 1, 2.
find
quote
#19
wohoo...
thanks for the info.
.efi mentioned by coderush if found also inside T430's bios.
(PchBiosWriteProtect.efi)

looks like we had 2 problems here:
1. passing the authentification check
2. pass the bios write protect mechanism

IMO, if we can make the flasher think that modified bios is coming from manufacturer, then passing the bios write protect will be automatically done by the flasher.
looking at the structure, i get SystemFlashUpdateDriverDxe.efi
opening it in the IDA, i get same 'oem check' like the one in winflash64.exe

[Image: 13971003518_74bbc469ce_o.png]


but even if we able to modify that file or other, we still need to be able to hardware flashing first. once our modified code reside in the bios, then next update gonna be easier, no need hardware flashing. cmiiw.

(05-10-2014, 01:08 PM)rozker Wrote: something about patching the UEFI flasher module:

http://www.insanelymac.com/forum/topic/2...try1993117

And yes, live debugging of UEFI is not easily possible. We can only analyze static assembly in our case I guess.

in thinkpad T4x0 case,
the authentification check and bios write protect is starting in T430.
(ivy bridge, prior haswell)

(05-10-2014, 04:29 PM)xsmile Wrote: @rozker:
The Bios Lock Enable (BLE) bit setting popped up some time ago when Haswell motherboards were released and prevented any BIOS modifications. The bit is set according to a preference in the BIOS and is write protected until a platform reset is performed, which usually happens when after you flash a new BIOS. You see the problem ..

CodeRush's patch will bypass the setting of the Bios Lock Enable (BLE) bit after! you flash the patched BIOS, so further modifications are easily possible.
It won't help you flash a modified BIOS, if you already have this kind of lock.

I'm not familiar with the protection used in these notebooks. Most probably it is something else anyway.
If you want to check, if you have the BLE bit set, refer to these two posts: 1, 2.
find
quote
#20
In the latest BIOS versions of both X240 and T440 module PlatformHiiAdvancedDxe (CFEF94C4-4167-466A-8893-8779459DFA86) contains settings "BIOS Lock" and "SMM Lock". BIOS Lock is disabled by default, so you don't need to worry about it.
find
quote


Forum Jump:


Users browsing this thread: 9 Guest(s)