![[-]](https://www.bios-mods.com/forum/images/black/collapse.png "[-]")
05-10-2017, 03:17 AM
(This post was last modified: 05-10-2017, 04:14 AM by Outsyde.
Edit Reason: minor edits to improve clarity
)
There are essentially two ways to extract graphics from an .FD UEFI BIOS image:
(1) Look for capsules with specific GUIDs known to contain it, such as:
(2) Search for magic strings associated with particular image formats, for example:
I've succesfully extracted boot logos and other graphics from a number of Lenovo laptop BIOSes using the above methods, all of which yield the same results. Here's an example of what can be found once decompressed:
However, none of the above methods manage to locate the boot logo in Lenovo Y700 images such as CDCN37WW.fd and CDCN53WW.fd (attached), although it is clearly somewhere there. Can anyone tell me what I am missing?
Possibly the logo is in a format other than BMP/GIF/JPG/PCX. The BIOS images have a "TgaDecoderDxe" module inside. Could there be any TGA (Targa) images there? If so, how to find them? Or is it something else altogether? Like obfuscation with XOR or something more sophisticated? Suggestions appreciated.
(1) Look for capsules with specific GUIDs known to contain it, such as:
Code:
E5BBF7BE-2417-499B-97DB-39F4896391BC,SplashLogoPackage
1FFF93C2-8C76-49E4-8AB3-43D92F5445EF,LogoJpg
6F0CF054-AE6A-418C-A7CE-3C7A7CD74EC0,LogoPcx(2) Search for magic strings associated with particular image formats, for example:
- BMP: "BM" string
- GIF: "GIF89a" string
- JPEG: "JFIF" string
- PCX: hexadecimal 0A 05 01 08
I've succesfully extracted boot logos and other graphics from a number of Lenovo laptop BIOSes using the above methods, all of which yield the same results. Here's an example of what can be found once decompressed:
Code:
# <GUID>
[<LaptopModel>_<BiosVersion>] <File>
# 1FFF93C2-8C76-49E4-8AB3-43D92F5445EF,LogoJpg
[B460_1DCN26WW_4FCNAWW] 1024x768 JPEG: Boot logo (40,693 bytes; inside CRC32 GUID: FC1BCDB0-7D31-49AA-936A-A4600D9DD083)
# 6F0CF054-AE6A-418C-A7CE-3C7A7CD74EC0,LogoPcx
[Y700_CDCN53WW] 1024x768 PCX, 8-bit: All black (27,068 bytes)
# 771F77D1-13AF-48BF-2584-773D389E33CA
[Y700_CDCN53WW] 360x360 JPEG: "Invalid Public Key for Secure Flash" (17,656 bytes)
# 931F00D1-10FE-48BF-AB72-773D389E3FDA
[Y700_CDCN53WW] 208x157 BMP, 8-bit: Intel logo (33,236 bytes)
# 931F77D1-10FE-48BF-AB72-773D389E3FAA
[Y700_CDCN53WW] 300x300 BMP, 24-bit: Insyde logo (270,056 bytes)
# 156A8FFE-62DB-4FF3-82AD-2EBD8A3E3DF7
[Y520_4KCN24WW] [Y900_D0CN34WW] 768x432 GIF89a: Boot logo, animated (128,090 bytes)
# 1F56B2F9-6E6D-4014-BFD4-37C9E5D398F1
[Y520_4KCN24WW] 1536x864 GIF89a: Boot logo, animated (406,313 bytes)
# E5BBF7BE-2417-499B-97DB-39F4896391BC,SplashLogoPackage
[110_1QCN20WW] 548x308 JPEG: Boot logo (17,169 bytes; followed by a GIF w/icons)
[110_1QCN31WW] 548x308 JPEG: Boot logo (53,046 bytes; followed by a GIF w/icons)
[700_E5CN58WW] 548x308 JPEG: Boot logo (49,368 bytes; followed by several GIFs w/icons)However, none of the above methods manage to locate the boot logo in Lenovo Y700 images such as CDCN37WW.fd and CDCN53WW.fd (attached), although it is clearly somewhere there. Can anyone tell me what I am missing?
Possibly the logo is in a format other than BMP/GIF/JPG/PCX. The BIOS images have a "TgaDecoderDxe" module inside. Could there be any TGA (Targa) images there? If so, how to find them? Or is it something else altogether? Like obfuscation with XOR or something more sophisticated? Suggestions appreciated.
![[Valid RSS]](valid-rss.png "Validate my RSS feed")