Forum RSS Feed Follow @ Twitter Follow On Facebook

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[-]
Welcome
You have to register before you can post on our site.

Username:


Password:





[-]
Latest Threads
[REQUEST] Lenovo Thinkpad X230(i) (G2ETx...
Last Post: willow25565
Today 03:09 AM
» Replies: 1088
» Views: 448581
Lenovo ThinkPad SL510 Whitelist Removal....
Last Post: deepTeNk
Yesterday 03:32 PM
» Replies: 5
» Views: 6359
[REQUEST] HP Pavilion G42-272BR Whitelis...
Last Post: eepromm
11-22-2024 01:55 AM
» Replies: 0
» Views: 115
[REQUEST] Lenovo G710 BIOS Whitelist Rem...
Last Post: voyageur
11-21-2024 04:33 PM
» Replies: 475
» Views: 167471
[REQUEST] Acer Aspire 5738(G,Z): CPU Upg...
Last Post: DeathBringer
11-21-2024 03:44 PM
» Replies: 49
» Views: 32898
[REQUEST] HP Mini 110-4100 BIOS Unlock
Last Post: DSI INF
11-21-2024 09:24 AM
» Replies: 7
» Views: 263
[REQUEST] Lenovo IdeaPad U310 & U410 (65...
Last Post: Dudu2002
11-21-2024 03:11 AM
» Replies: 1780
» Views: 495891
Lenovo ThinkCentre M715q 2nd Gen & AMD R...
Last Post: Elmurley
11-20-2024 09:37 PM
» Replies: 2
» Views: 1297
[REQUEST] Lenovo Y50-70 (9ECNxxWW) White...
Last Post: SWZSSR
11-20-2024 09:34 PM
» Replies: 1775
» Views: 554218
[REQUEST] Lenovo Thinkpad X240 (GIETxxWW...
Last Post: Dudu2002
11-20-2024 04:58 PM
» Replies: 337
» Views: 143761
Unlock bios insyde
Last Post: Matox3140
11-19-2024 03:40 PM
» Replies: 0
» Views: 229
Whitelist WIFI card removal Lenovo Yoga ...
Last Post: Dudu2002
11-19-2024 12:58 PM
» Replies: 1
» Views: 234
[REQUEST] H310 MSI Gaming Infinite S (MS...
Last Post: awittyusername
11-19-2024 09:21 AM
» Replies: 10
» Views: 144
[REQUEST] Gigabyte GA-B85M-HD3 Rev 2.0 u...
Last Post: Maduli
11-19-2024 02:22 AM
» Replies: 0
» Views: 179
[REQUEST] Lenovo Ideapad 330-15ICH BIOS ...
Last Post: Dudu2002
11-18-2024 01:25 PM
» Replies: 8
» Views: 1910
[REQUEST] Lenovo ThinkPad Edge E330 (H3E...
Last Post: Dudu2002
11-18-2024 01:23 PM
» Replies: 640
» Views: 221505
[Request] Unlocked Bios for Asus TUF FX5...
Last Post: FlT4ever
11-18-2024 01:05 PM
» Replies: 1
» Views: 431
[REQUEST] Lenovo ThinkPad Edge E125(v1.1...
Last Post: kamome74
11-18-2024 10:43 AM
» Replies: 0
» Views: 222
[REQUEST] Xpg 15g 4070 2023ver InsydeH20...
Last Post: MireVelli
11-18-2024 07:26 AM
» Replies: 2
» Views: 216
Please help me recover my bios
Last Post: FuryOP
11-17-2024 12:37 PM
» Replies: 0
» Views: 234

[GUIDE] Removing Wi-Fi/WWAN whitelist on Lenovo (Insyde) BIOS
#1
Photo 
Hello,
As I haven't personally found any good or recent guide on this, I decided to give it a go and write my own.

Here's a link to the article:
https://medium.com/@p0358/removing-wlan-...033a5a5e5a

It is based on Lenovo G510 (where all mods are personal), and involves using SPI programmer + SOIC8 clip, since BIOS on this model is write-protected, so it is the only way to modify it.
Hope it's useful.
find
quote
#2
I've read you just need to remove the module with GUID starting with 11D378C2 and you're good to go. No need for digging deeper into it. Not sure if it works on this model though...
find
quote
#3
This could work tbh, since the whole module is dedicated to whitelist, haven't thought of it, that's pretty nice idea to speed things up. (that is unless something else checks for its presence)
find
quote
#4
I've read reports about this working that way. I can confirm it on a Yoga 2 13 20344. I just removed the whole module and new WiFi card was accepted. Didn't see any negative side effects so far.
find
quote
#5
Thank you for this guide.

I have followed it up to the point where you begin using IDA pro, a software I don't have. I have opened the extracted body (I'll attach it to this post) in Ghidra, and found out that the "Unauthorized ..." string is part of a function that I'll post below, but now I have no real clue on how to proceed. I don't know what that function does and where I should best change it without messing up the whole thing and being unable to boot.

Another thing: What you write is completely understandable up to the point where you mention that "you should be able to do this in a hex editor" - which I certainly don't. I'm sorry to bother you with it, but yours seems to be the only guide that can be found on google, so I imagine other people have similar problems trying to follow it.

Anyway, here is the function I mentioned:

void FUN_00010ec4(undefined8 param_1,undefined *param_2,undefined8 param_3,undefined8 param_4)

{
if (param_2 == (undefined *)0x0) {
param_2 = &DAT_00010ec0;
}
(**(code **)(DAT_00011040 + 0x170))(0x200,param_1,param_2,param_3,&DAT_000104d0,param_4);
return;
}


And this is the entry point from which the above function is called:

longlong entry(undefined8 param_1,longlong param_2)

{
longlong lVar1;
undefined8 local_res18;
undefined8 *local_res20;
undefined local_18 [24];

FUN_00010f08(param_1,param_2);
lVar1 = (**(code **)(DAT_00011040 + 0x140))(&LAB_00010480,0,&DAT_00011058);
if (-1 < lVar1) {
lVar1 = (**(code **)(DAT_00011040 + 0x140))(&LAB_00010410,0,&DAT_00011070);
if (-1 < lVar1) {
lVar1 = (**(code **)(DAT_00011040 + 0x140))(&DAT_000103f0,0,&DAT_00011078);
if (-1 < lVar1) {
lVar1 = (**(code **)(DAT_00011040 + 0x140))(&LAB_00010460,0);
if (-1 < lVar1) {
DAT_00011060 = *local_res20;
local_res18 = 0;
_DAT_00011068 = &LAB_00010b54;
(**(code **)(DAT_00011040 + 0x80))(&local_res18,&DAT_000103d0,0,&DAT_00011068);
DAT_00011028 = local_res18;
FUN_00010ec4(0x10,FUN_00010cf8,0,local_18);
lVar1 = 0;
}
}
}
}
return lVar1;
}
find
quote
#6
(05-28-2020, 10:17 AM)bravesentry Wrote: you should be able to do this in a hex editor

This means that you preferably need to change once found in the decompiler opcode with hex editor instead of collecting all the subroutines back.
find
quote
#7
Thanks for the clarification.

Just an update on my progress: I tried using a hex editor to change the values corresponding with the line (seeabove code) "FUN_00010ec4(0x10,FUN_00010cf8,0,local_18);" all to 90. That turned out not to boot. It gave me three beeps, another time three beeps, a longer pause, then the same again until I had to to a hard reset.

I then tried using UEFITool to just delete the whole module. That kind of worked, as in the device booted and the wifi worked in Win10 and Linux Mint. Sadly, Bluetooth seems to be connected to this module too, and refused to work even with the old whitelisted card. Another downside: Booting into hackintosh did not workl. It booted up until it had the verbose part done and then got stuck on an apple logo with an empty progress bar.

Now I'm back to my backupped bios. Any ideas what I should try next?
find
quote
#8
Hello, I have the g500s version - do those models also have write - protected bios or I can use software for flasing my bios after modification?
find
quote
#9
Hello p0358,

Thanks for this guide! I am currently learning how to perform various types of UEFI mods and this was very well written and informative!

~Steven

!!!!!PLEASE READ!!!!!! Our Ukrainian friends are undergoing atrocities right now and need support. There are two things you can do for starters:

1.) Donate to one of various organizations offering medical, military, and psychological support to those impacted: Support Organizations

2.) Combat misinformation on social media. 

Also, please feel free to PM me if I have not replied again about your BIOS mod request after 5 days.
www find
quote
#10
Ok my contribute is the patch for G500 and G510 , so it will be possible to follow the modifiies to get the Bios Unlock and NoWhitelist :

Lenovo Ideapad G500 bios ver. 78CN25WW(V2.03) - ver. 78CN24WW(V2.02)

Remove Whithelist Mod :

11D378C2-B472-412F-AD87-1BE4CD8B33A6 UEFI L05 BIOS Lock

0322 : 75 17 to EB 17 jnz short loc_18000033B to jmp short loc_18000033B
0360 : 75 18 to EB 18 jnz short loc_18000037A to jmp short loc_18000037A
03F4 : 74 10 to EB 10 jz short loc_180000406 to jmp short loc_180000406

CodeRush Patch
(O:0322:EB17)
(O:0360:EB18)
(O:03F4:EB10)

4082D1D0-1744-4EE3-803E-B8EE3F07B2FE OEM NVS Driver

0EF1 : 7D 1A to 7D 00 jge short loc_180000F0D to jge $+2
0EF3 : EB E3 to EB 00 jmp short loc_180000ED8 to jmp $+2
0FC4 : 7D 04 to 7D 00 jge short loc_180000FCA to jge $+2
0FC6 : EB E3 to EB 00 jmp short loc_180000FAB to jmp $+2

CodeRush Patch
(O:0EF1:7D00)
(O:0EF3:EB00)
(O:0FC4:7D00)
(O:0FC6:EB00)

SetupUtility Mod :

FE3542FE-C1D3-4EF8-657C-8048606FF670 SetupUtility

Form Sets
--------------------------------------------------------------------------------
Offset: Title:
--------------------------------------------------------------------------------
0x7B964 Boot (0x53)
0x7C704 Security (0x31)
0x7CD34 Main (0x3)
0x7D264 Power (0x399)
0x7F6A4 Advanced (0x168)
0x88964 Exit (0x85)
0x88BB4 Debug (0x13A)
0x88D54 Information (0xBB)
0x88F54 Configuration (0xCD)

0814 : 78 7D to 78 00 js short loc_180000893 to js $+2
0823 : 74 6E to 74 00 jz short loc_180000893 to jz $+2
082C : 74 65 to 74 00 jz short loc_180000893 to jz $+2
0832 : 74 5F to 74 00 jz short loc_180000893 to jz $+2
0838 : 74 59 to 74 00 jz short loc_180000893 to jz $+2

CodeRush Patch
(O:0814:7800)
(O:0823:7400)
(O:082C:7400)
(O:0832:7400)
(O:0838:7400)

-----------------------------------------------------------------------------------------------------------------------------------

Lenovo Ideapad G510 ver. 79CN50WW(3.09)

Remove Whithelist Mod :

11D378C2-B472-412F-AD87-1BE4CD8B33A6 UEFIL05BIOSLock

0342 : 75 17 to EB 17
036C : 74 2C to EB 2C
039C : 74 10 to EB 10

CodeRush Patch
(O:0342:EB17)
(O:036C:EB2C)
(O:039C:EB10)

4082D1D0-1744-4EE3-803E-B8EE3F07B2FE OEM NVS Driver

0BD5 : 7D 1A to 7D 00 jge short loc_180000BF1 to jge $+2
0BD7 : EB E3 to EB 00 jmp short loc_180000BBC to jmp $+2
0B9C : 7D 53 to 7D 00 jge short loc_180000BF1 to jge $+2
0B9E : EB E0 to EB 00 jmp short loc_180000B80 to jmp $+2

CodeRush Patch
(O:0BD5:7D00)
(O:0BD7:EB00)
(O:0B9C:7D00)
(O:0B9E:EB00)


SetupUtility Mod :

FE3542FE-C1D3-4EF8-657C-8048606FF670 SetupUtility

Form Sets
--------------------------------------------------------------------------------
Offset: Title:
--------------------------------------------------------------------------------
0x91434 Boot (0x54 from string package 0x0)
0x92154 Security (0x32 from string package 0x0)
0x927B4 Main (0x3 from string package 0x0)
0x92D54 Power (0x3B5 from string package 0x0)
0x95F44 Advanced (0x164 from string package 0x0)
0xA43B4 Exit (0x88 from string package 0x0)
0xA45F4 Debug (0x135 from string package 0x0)
0xA47A4 Information (0xA9 from string package 0x0)
0xA49C4 Configuration (0xBB from string package 0x0)

0850 : 78 7D to 78 00
085F : 74 6E to 74 00
0868 : 74 65 to 74 00
086E : 74 5F to 74 00
0874 : 74 59 to 74 00

CodeRush Patch
(O:0850:7800)
(O:085F:7400)
(O:0868:7400)
(O:086E:7400)
(O:0874:7400)


About the Flashing the Bios Mod then we can say that there are others ways to do that, like using the S3 Vulnerability aka Sleep Mode or unlocking
some variables into NVRAM to reflash the bios (last is the ME disable) ...
Regards

[size=undefined]Your Brain [/size]. . . . It's the best tool U can use ! Wink
[size=undefined]Don't FLASH the Bios Mod if You get a Size Alert, You risk a Brick !!! [/size]
Donate to me for my work, click here BDM
find
quote


Forum Jump:


Users browsing this thread: 1 Guest(s)