Forum RSS Feed Follow @ Twitter Follow On Facebook

Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[-]
Welcome
You have to register before you can post on our site.

Username:


Password:





[-]
Latest Threads
[REQUEST] Lenovo G510 (79CNxxWW) Whiteli...
Last Post: Sergio717
Today 05:17 AM
» Replies: 656
» Views: 167404
M2N32-SLI Deluxe AM3 Support Request
Last Post: Alxstroi
Yesterday 11:08 PM
» Replies: 105
» Views: 71420
[Request] HP Elitebook 6930P WLAN Whitel...
Last Post: Maxinator500
Yesterday 10:51 PM
» Replies: 17
» Views: 6605
[REQUEST] Lenovo G50-30 (A7CNxxWW) BIOS ...
Last Post: carmelletomato
Yesterday 07:29 PM
» Replies: 46
» Views: 22101
[REQUEST] Lenovo G50-70 (9ACNxxWW) BIOS ...
Last Post: colin89
Yesterday 06:04 PM
» Replies: 140
» Views: 41045
[REQUEST + BOUNTY] Lenovo Thinkpad P14s ...
Last Post: loadit
Yesterday 02:23 PM
» Replies: 3
» Views: 110
[REQUEST] Lenovo Yoga 2 Pro (76CNxxWW) W...
Last Post: Dudu2002
Yesterday 10:53 AM
» Replies: 845
» Views: 317323
[REQUEST] Lenovo Thinkpad E130 (H4ETxxWW...
Last Post: Dudu2002
Yesterday 10:51 AM
» Replies: 509
» Views: 101117
[REQUEST] Lenovo Yoga 11E (N15ETxxW) Whi...
Last Post: Dudu2002
Yesterday 08:15 AM
» Replies: 5
» Views: 2528
[REQUEST] CPU Support for Ryzen 5 3600 o...
Last Post: flexpavillion
Yesterday 04:32 AM
» Replies: 1
» Views: 346
Clevo P775TM1-G BIOS
Last Post: ActivatedNut
Yesterday 01:36 AM
» Replies: 145
» Views: 55361
ASUS P5G41T-M LX2/GB Unlocked Hidden Ove...
Last Post: GangsteR23
03-27-2024 04:58 PM
» Replies: 25
» Views: 64148
lenovo z570 Advanced Menu Unlocked
Last Post: Kaluva12345
03-27-2024 04:58 PM
» Replies: 7
» Views: 4109
Lenovo ThinkCentre M715q 2nd Gen & AMD R...
Last Post: RedfieldHUN1987
03-27-2024 09:23 AM
» Replies: 2
» Views: 155
L14 Gen 3 AMD , Need UEFI unlock advance...
Last Post: frankeinstein2532555
03-27-2024 04:08 AM
» Replies: 0
» Views: 105
[REQUEST] Lenovo Y400 & Y500 (6BCNxxWW) ...
Last Post: freedome
03-26-2024 11:00 PM
» Replies: 188
» Views: 52241
[Request] CPU support for Lenovo IQ57I
Last Post: DeathBringer
03-26-2024 10:02 AM
» Replies: 5
» Views: 247
unlocked Bios for Machenike s16
Last Post: Dudu2002
03-26-2024 09:06 AM
» Replies: 5
» Views: 338
[REQUEST] Bios Unlock Whitelist HP DV6-6...
Last Post: DimanTLT63
03-26-2024 03:03 AM
» Replies: 0
» Views: 154
[REQUEST] HP Pavilion G6-1252ss Whitelis...
Last Post: joseefitness
03-26-2024 01:40 AM
» Replies: 0
» Views: 140

[REQUEST] Lenovo Thinkpad X240 (GIETxxWW) Whitelist Removal
#11
hi friends,
interesting discussion you got here..
btw, i try to disassemble wintpup.exe and debug the process, found that process for reading bios image and bios in the chip was done by winflash64.exe (i use win7 64bit). in winflash64.exe, there's section that commented as 'oem check'.
when i debug the winflash64.exe with parameter using modified *.fl1, then change the status flag to the value when i run using lenovo's *.fl1, i manage to produce the same message as if i did the flash using proper procedure.
but after restart/reboot, i still got authenticaation failed.
i suspect that the authentication check is also done after reboot.
perhaps you want to also tried to reverse the process, you can check my thread (about T430). i record my process there.
find
quote
#12
(05-08-2014, 05:24 AM)ucupsz Wrote: hi friends,
interesting discussion you got here..
btw, i try to disassemble wintpup.exe and debug the process, found that process for reading bios image and bios in the chip was done by winflash64.exe (i use win7 64bit). in winflash64.exe, there's section that commented as 'oem check'.
when i debug the winflash64.exe with parameter using modified *.fl1, then change the status flag to the value when i run using lenovo's *.fl1, i manage to produce the same message as if i did the flash using proper procedure.
but after restart/reboot, i still got authenticaation failed.
i suspect that the authentication check is also done after reboot.
perhaps you want to also tried to reverse the process, you can check my thread (about T430). i record my process there.

Hi friend,
As I said Donovan has done many experiment so He is big expert, but
I remember that when I was studying Secure Flash Protection, i found that on UEFI Bios It is done by InsydeFlash which
Decapsule Bios and pass It to UEFI module to flash it after reboot, so there are many checks before flashing it
(the same as HP do on his laptop using HP_TOOLS Partition).
So if Original Bios is been modded has an incorrect Signature !
Only two ways to reflash Bios are :

1. Intel FPT Bios Region flashing
2. Recovery Mode Bios Decapsulated (so Generalized)

These is true only for Bios without Write Memory Protections (error 280)
Regards

[size=undefined]Your Brain [/size]. . . . It's the best tool U can use ! Wink
[size=undefined]Don't FLASH the Bios Mod if You get a Size Alert, You risk a Brick !!! [/size]
Donate to me for my work, click here BDM
find
quote
#13
Yep, it's not possible to flash a changed bios via any means using just WINTPUP, because it just checks the bios image and than creates a capsule to be flashed on the next reboot.

here's the diagram
http://forum.techinferno.com/general-not...flash.html

and intel FPT cannot flash it, cause the flash chip is protected, probably using some undocumented chipset registers. prr and prr2 cannot unprotect it. we need prr3 Smile

ucupz, you could disassembly and check the DXE/PEI module in UEFI that does the actual flashing after reboot. after checking for the correct bios signature it must unprotect the flash chip to do the flashing. if it's known how it does it, we could write our own prr3 to unprotect the bios and use Intel FPT Smile

BDMaster, what is Recovery Mode Bios Decapsulated and Generalized you mentioned? any link or info?
find
quote
#14
(05-08-2014, 06:28 AM)rozker Wrote: Yep, it's not possible to flash a changed bios via any means using just WINTPUP, because it just checks the bios image and than creates a capsule to be flashed on the next reboot.

here's the diagram
http://forum.techinferno.com/general-not...flash.html

and intel FPT cannot flash it, cause the flash chip is protected, probably using some undocumented chipset registers. prr and prr2 cannot unprotect it. we need prr3 Smile

ucupz, you could disassembly and check the DXE/PEI module in UEFI that does the actual flashing after reboot. after checking for the correct bios signature it must unprotect the flash chip to do the flashing. if it's known how it does it, we could write our own prr3 to unprotect the bios and use Intel FPT Smile

BDMaster, what is Recovery Mode Bios Decapsulated and Generalized you mentioned? any link or info?

The Recovery Mode is Procedure to Recover a Bios when flash goes bad !
Before all Bioses were Pure (not Capsulatedas in UEFI) and the procedure was simply.
Actualy to Recover Bios It needs to Decapsulate Bios to get It Pure or Generalized (It is base to make a mod for all same models laptop without a bios backup for any user).
If You try to Recovery Bios with a capsulated Bios You'll get a brick !
Regards

Here is mine old Dirty Guide How to get Decapsulated Bios :

http://rghost.net/52544682

[size=undefined]Your Brain [/size]. . . . It's the best tool U can use ! Wink
[size=undefined]Don't FLASH the Bios Mod if You get a Size Alert, You risk a Brick !!! [/size]
Donate to me for my work, click here BDM
find
quote
#15
yeah... just as what i guessed.
thanks for the pict.

(05-08-2014, 06:28 AM)rozker Wrote: Yep, it's not possible to flash a changed bios via any means using just WINTPUP, because it just checks the bios image and than creates a capsule to be flashed on the next reboot.

here's the diagram
http://forum.techinferno.com/general-not...flash.html

and intel FPT cannot flash it, cause the flash chip is protected, probably using some undocumented chipset registers. prr and prr2 cannot unprotect it. we need prr3 Smile

ucupz, you could disassembly and check the DXE/PEI module in UEFI that does the actual flashing after reboot. after checking for the correct bios signature it must unprotect the flash chip to do the flashing. if it's known how it does it, we could write our own prr3 to unprotect the bios and use Intel FPT Smile

BDMaster, what is Recovery Mode Bios Decapsulated and Generalized you mentioned? any link or info?

is there any tools to debug .pei module or .dxe driver?
afaik, we can only dissassemble those things and manually analyze the assembly.

(05-08-2014, 12:58 PM)BDMaster Wrote:
(05-08-2014, 06:28 AM)rozker Wrote: Yep, it's not possible to flash a changed bios via any means using just WINTPUP, because it just checks the bios image and than creates a capsule to be flashed on the next reboot.

here's the diagram
http://forum.techinferno.com/general-not...flash.html

and intel FPT cannot flash it, cause the flash chip is protected, probably using some undocumented chipset registers. prr and prr2 cannot unprotect it. we need prr3 Smile

ucupz, you could disassembly and check the DXE/PEI module in UEFI that does the actual flashing after reboot. after checking for the correct bios signature it must unprotect the flash chip to do the flashing. if it's known how it does it, we could write our own prr3 to unprotect the bios and use Intel FPT Smile

BDMaster, what is Recovery Mode Bios Decapsulated and Generalized you mentioned? any link or info?

The Recovery Mode is Procedure to Recover a Bios when flash goes bad !
Before all Bioses were Pure (not Capsulatedas in UEFI) and the procedure was simply.
Actualy to Recover Bios It needs to Decapsulate Bios to get It Pure or Generalized (It is base to make a mod for all same models laptop without a bios backup for any user).
If You try to Recovery Bios with a capsulated Bios You'll get a brick !
Regards

Here is mine old Dirty Guide How to get Decapsulated Bios :

http://rghost.net/52544682
find
quote
#16
Look here Donovan reply for You, so can ask to him :

http://www.bios-mods.com/forum/Thread-RE...mer?page=5

Regards

[size=undefined]Your Brain [/size]. . . . It's the best tool U can use ! Wink
[size=undefined]Don't FLASH the Bios Mod if You get a Size Alert, You risk a Brick !!! [/size]
Donate to me for my work, click here BDM
find
quote
#17
something about patching the UEFI flasher module:

http://www.insanelymac.com/forum/topic/2...try1993117

And yes, live debugging of UEFI is not easily possible. We can only analyze static assembly in our case I guess.
find
quote
#18
@rozker:
The Bios Lock Enable (BLE) bit setting popped up some time ago when Haswell motherboards were released and prevented any BIOS modifications. The bit is set according to a preference in the BIOS and is write protected until a platform reset is performed, which usually happens when after you flash a new BIOS. You see the problem ..

CodeRush's patch will bypass the setting of the Bios Lock Enable (BLE) bit after! you flash the patched BIOS, so further modifications are easily possible.
It won't help you flash a modified BIOS, if you already have this kind of lock.

I'm not familiar with the protection used in these notebooks. Most probably it is something else anyway.
If you want to check, if you have the BLE bit set, refer to these two posts: 1, 2.
find
quote
#19
wohoo...
thanks for the info.
.efi mentioned by coderush if found also inside T430's bios.
(PchBiosWriteProtect.efi)

looks like we had 2 problems here:
1. passing the authentification check
2. pass the bios write protect mechanism

IMO, if we can make the flasher think that modified bios is coming from manufacturer, then passing the bios write protect will be automatically done by the flasher.
looking at the structure, i get SystemFlashUpdateDriverDxe.efi
opening it in the IDA, i get same 'oem check' like the one in winflash64.exe

[Image: 13971003518_74bbc469ce_o.png]


but even if we able to modify that file or other, we still need to be able to hardware flashing first. once our modified code reside in the bios, then next update gonna be easier, no need hardware flashing. cmiiw.

(05-10-2014, 01:08 PM)rozker Wrote: something about patching the UEFI flasher module:

http://www.insanelymac.com/forum/topic/2...try1993117

And yes, live debugging of UEFI is not easily possible. We can only analyze static assembly in our case I guess.

in thinkpad T4x0 case,
the authentification check and bios write protect is starting in T430.
(ivy bridge, prior haswell)

(05-10-2014, 04:29 PM)xsmile Wrote: @rozker:
The Bios Lock Enable (BLE) bit setting popped up some time ago when Haswell motherboards were released and prevented any BIOS modifications. The bit is set according to a preference in the BIOS and is write protected until a platform reset is performed, which usually happens when after you flash a new BIOS. You see the problem ..

CodeRush's patch will bypass the setting of the Bios Lock Enable (BLE) bit after! you flash the patched BIOS, so further modifications are easily possible.
It won't help you flash a modified BIOS, if you already have this kind of lock.

I'm not familiar with the protection used in these notebooks. Most probably it is something else anyway.
If you want to check, if you have the BLE bit set, refer to these two posts: 1, 2.
find
quote
#20
In the latest BIOS versions of both X240 and T440 module PlatformHiiAdvancedDxe (CFEF94C4-4167-466A-8893-8779459DFA86) contains settings "BIOS Lock" and "SMM Lock". BIOS Lock is disabled by default, so you don't need to worry about it.
find
quote


Forum Jump:


Users browsing this thread: 7 Guest(s)