[REQUEST] Lenovo Thinkpad T430 (G1ETxxWW) Whitelist Removal
#71
hi BDMaster,
below is how i did the flashing. however, it's not too detailed.
also, it was already a long time ago, can't remember the details.
1. back-up the bios from the T430 system board using tools provided in this forum.
it will also list the chip for bios.
in my process, i use flash programmer backup rather than back-up from this step.
2. disassemble the T430 as per the HMM, bios chip is located in area under the touchpad.
see below pic:
[Image: 9365368255_86206dc0b1.jpg]
3. connect the flash programmer to the bios chip using SOIC as per below image:
[Image: 9369826033_baeed4d59e.jpg]
4. access bios on the chip using flash programmer, make a backup.
compare the backup with the one that given by sovem in this thread.
i used HexD (free) to compare and cut the sovem's bios file.
i cut the file from first offset to 002FFFF0.
see below image for reason why i cut those part.
you may compare it yourself too.
[Image: 9368144944_0609dd7689.jpg]
[Image: 9368145780_738d4665ac.jpg]
[Image: 9365364025_71fbf502fe.jpg]
both files will result in same size.
[Image: 9372741292_4e3a5d5586.jpg]
5. flash the cut file to the bios chip, consult the hardware manual.
do the write and verify process.
at that time, my first try failed.
then i changed some setting (as far as i remember, it's about writing speed),
then did the erase and blank test (???)
then retry to write and verify. success.
[Image: 9372582730_e1f56c59ec.jpg]
6. reassembled the unit and installed the Broadcom wifi card.

this is my disclaimer:
again, it's quite a long time ago, so i can not remember the details.
*pardon my laziness in documenting the process*
if i can remove the whitelist on latest bios, i will try this again and be more specific for the process.
#72
Ok IDA Pro, I think It's the only working version for all !
You have to use the 64 bit version to open the right module (.ROM). Before that We have
to extract this or these (many) using PMTool here :

http://forums.mydigitallife.info/threads...EFI-BIOSes

I am using it and Andy did some corrections on my request, or using UEFI tool (wonderful prog generated by the genius mind of CodeRush) It can do the same work, but does not make Slic or Others function.
I use It when PMTool cannot repack bios Structure, so It can extract modules too and You can get PE32 to pass to IDA Pro.
It gives much information about Bios (Capsuled, Regions, Size etc.), so to check a bios It is the best one ! here (You'll find a CodeRush tool to extract bios Decapsulated too, He did it for me based on a Dirty Guide of mine) :

http://forums.mydigitallife.info/threads...and-editor

http://forums.mydigitallife.info/threads...tor/page12

Then, using PMTool You'll get a copy of bios and all modules extracted in DUMP folder so You can copy these from there and edit.
PMTool can open .exe too and repack it automatically, but I prefer to unpack all, check and verify, then repack or use by InsydeFlash or FPT Intel tool.
So for Setuputility (PE) You can look into DUMP folder to find a module which ends with 670_xxxx.ROM , but your new bios is not EFI indeed is UEFI pure !
So There isn't a Setup Browser, but a SystemFormBrowserCoreDxe.efi and It works different.
So we can only try to find Whitelist module and We have two ways or by
PCI\VEN_14E4&DEV_4727&SUBSYS_145C103C&REV_01

Means:
Vendor: 14E4
Device: 4727
SUBSYS: 145C103C

As You done :

so what i did so far:
- download latest T430 bios from http://download.lenovo.com/ibmdl/pub/pc/...uj31us.exe and extract by clicking the exe.
- open $01D2000.FL1 through phoenixtools, then got "DUMP" folder
- search through "Find in Files" menu in Neo Hex Editor for "8680850086801113". (it is hardware id for one of intel wifi card)
it found on the following files:
- "79E0EDD7-9D1D-4F41-AE1A-F896169E5216_2211.ROM"
- "BIOS\BIOS2208.BIOS" This is a Chunk of Bios
- "BIOS\BIOS9.BIOS" This is a copy of Whole Bios
from here i got lost.

And You did find this module :

79E0EDD7-9D1D-4F41-AE1A-F896169E5216_2211.ROM LenovoWmaPolicyDxe.efi

Or We can find Text Error which are displayed when You change the WLAN / WWAN Card into laptop and try to boot as :

“Unauthorized Wireless network card is plugged in Power off and remove it”

“Unauthorized WWAN network card is plugged in Power off and remove it”

So here the big expert in Whitelist is Sovem for me, but FjFc too and I would invite them too into discussion.
i will try to find all modules involved into Whitelist Lock to show you how to !
When We got the modules inquired, We have to disassemble them and find where are the locks to remove them !
It's assembly game then . . .

For IDA Pro You have to choose the 64 bit and run It, then select the module which You want to disassemble and choose Intel 80x86 processor Metapc as Processor Type and set it then OK and You'll be in IDA !
Then is another story . . .

Your Brain . . . . It's the best tool U can use !
Don't FLASH the Bios Mod if You get a Size Alert, You risk a Brick !!!
#73
Let's do a backup using this tool FPT and upload the result so We can look better and have a bios backup to use for mod :

http://rghost.net/52417082

Regards

P.S. If You have old biosbackup and Sovem mod files, Can You upload here, please ?
I would like to ask where You bought your SPI Programmer and how much it cost ?
. . . none is interesting to us (Sovem and FjFc ?!?)

This is your Whitelist complete present into your module,
79E0EDD7-9D1D-4F41-AE1A-F896169E5216_2211.ROM LenovoWmaPolicyDxe.efi :

Whitelist :

PCI\VEN_8086&DEV_0089&SUBSYS_13118086
8680890086801113
USB\VID_8086 USB\VID_8086&PID_0187
8680870100000000
PCI\VEN_8086&DEV_4238&SUBSYS_11118086
8680384286801111
PCI\VEN_8086&DEV_4238&SUBSYS_11188086
8680384286801811
PCI\VEN_8086&DEV_0085&SUBSYS_13188086
8680850086801113

8680850086801813
PCI\VEN_10EC&DEV_8176&SUBSYS_819510EC
EC107681EC109581

8680910886802242

E4145843E4144305

8C162B00AA17A130

9517200700000000

9517150700000000

9517220000000000

EE101220EE100900

EE101320EE100900

86808F0886806042


WLAN / WWAN Card = 8680850086801113

PCI\VEN_8086&DEV_0085&SUBSYS_13118086&REV_34

Means:

Vendor: 8086
Device: 0085
SUBSYS: 13118086

WLAN / WWAN Card = EC107681EC109581

PCI\VEN_10EC&DEV_8176&SUBSYS_819510EC

Means:

Vendor: 10EC
Device: 8176
SUBSYS: 819510EC

You can complete the description above, many times It's enough to change PCI\VEN data in same offset address and can
mount your Pci Card without problem, but to unlock completely We have to find where the code is checking for the Cards data.

This is the error that generate bad PCI Card :

.text:000000000000171D loc_171D: ; CODE XREF: sub_1660+AFj
.text:000000000000171D mov rdx, 8000000000000007h
.text:0000000000001727 cmp rcx, rdx
.text:000000000000172A jnz short loc_1738
.text:000000000000172C lea r9, aDeviceError ; "Device Error"
.text:0000000000001733 jmp loc_1934

So You understand how important is to look for the right things in any place !
Now Disassemble the module and start from Proc 0x0b10 and We have to find the locks jz, jnz,
or for the loops as many times It can stop to work the laptop forcing to restart it as here :

.text:0000000000000BE2 loc_BE2: ; CODE XREF: sub_B10+DBj
.text:0000000000000BE2 mov eax, [rsp+88h+arg_18]
.text:0000000000000BE9 test eax, eax
.text:0000000000000BEB jnz short loc_BE2

Regards

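Added example (not from any poster in this thread): each 16-hex-digit whitelist entry listed in post #73 is four little-endian 16-bit words (vendor, device, subsystem vendor, subsystem ID), which is how `8680850086801113` corresponds to `PCI\VEN_8086&DEV_0085&SUBSYS_13118086`. The Python below converts in both directions; the function names are hypothetical, and treating an entry whose last four bytes are zero as a USB VID/PID pair is an assumption based on the single USB entry in the post.

```python
import re
import struct

# Hardware-ID strings as written in the thread; an optional &REV_xx suffix is ignored.
_PCI_RE = re.compile(
    r"PCI\\VEN_([0-9A-F]{4})&DEV_([0-9A-F]{4})"
    r"&SUBSYS_([0-9A-F]{4})([0-9A-F]{4})(?:&REV_[0-9A-F]{2})?$",
    re.IGNORECASE,
)
_USB_RE = re.compile(r"USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})$", re.IGNORECASE)


def decode_entry(hex_entry):
    """Turn one 8-byte whitelist record (16 hex digits) into a hardware-ID string."""
    raw = bytes.fromhex(hex_entry.strip())
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    # Four little-endian words: vendor, device, subsystem vendor, subsystem ID.
    vendor, device, sub_vendor, sub_id = struct.unpack("<4H", raw)
    if sub_vendor == 0 and sub_id == 0:
        # Assumption: zero subsystem words mark a USB VID/PID record,
        # as in the one USB entry shown in the post.
        return f"USB\\VID_{vendor:04X}&PID_{device:04X}"
    # SUBSYS is printed as subsystem ID followed by subsystem vendor.
    return (f"PCI\\VEN_{vendor:04X}&DEV_{device:04X}"
            f"&SUBSYS_{sub_id:04X}{sub_vendor:04X}")


def encode_hwid(hwid):
    """Turn a PCI\\VEN_... or USB\\VID_... string into the 16-hex-digit record."""
    text = hwid.strip()
    m = _PCI_RE.match(text)
    if m:
        vendor, device, sub_id, sub_vendor = (int(g, 16) for g in m.groups())
        return struct.pack("<4H", vendor, device, sub_vendor, sub_id).hex().upper()
    m = _USB_RE.match(text)
    if m:
        vendor, product = (int(g, 16) for g in m.groups())
        return struct.pack("<4H", vendor, product, 0, 0).hex().upper()
    raise ValueError(f"unrecognised hardware ID: {hwid!r}")


# A few entries copied from the list in post #73.
SAMPLE_ENTRIES = [
    "8680890086801113",
    "8680870100000000",
    "8680850086801813",
    "EC107681EC109581",
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        decoded = decode_entry(entry)
        # Round-trip check: re-encoding must give back the original record.
        assert encode_hwid(decoded) == entry
        print(entry, "->", decoded)
```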
#74
hi BDMaster,
sorry for late response.
this is the file that i got from sovem.
T430_G1ET41WW_NWL_ucupsz.rar
this is the backup of latest bios update that installed in my T430:
http://www.sendspace.com/file/cc742z
this is the link of that source:
http://download.lenovo.com/ibmdl/pub/pc/...uj31us.exe
i bought my flash programmer from mcumall.com
i'm aware that we had 2 possible way to install wwan/wlan card that not in the whitelist:
- replace the one that are in the whitelist, or
- alter the logic for checking procedure.
the 2nd option will be the most ideal way for the solution.

(04-01-2014, 02:29 AM)BDMaster Wrote: This is the error that generate bad PCI Card :

.text:000000000000171D loc_171D: ; CODE XREF: sub_1660+AFj
.text:000000000000171D mov rdx, 8000000000000007h
.text:0000000000001727 cmp rcx, rdx
.text:000000000000172A jnz short loc_1738
.text:000000000000172C lea r9, aDeviceError ; "Device Error"
.text:0000000000001733 jmp loc_1934

So You understand how important is to look for the right things in any place !
Now Disassemble the module and start from Proc 0x0b10 and We have to find the locks jz, jnz,
or for the loops as many times It can stop to work the laptop forcing to restart it as here :

.text:0000000000000BE2 loc_BE2: ; CODE XREF: sub_B10+DBj
.text:0000000000000BE2 mov eax, [rsp+88h+arg_18]
.text:0000000000000BE9 test eax, eax
.text:0000000000000BEB jnz short loc_BE2

Regards
is the above code coming from disassembling 79E0EDD7-9D1D-4F41-AE1A-F896169E5216_2211.ROM? seems i can't find that.
what i got is these:
- i looked for "1802 unauthorized ..." message, then i got it in a sub procedure (sub_9FC).
i thought it's the sub procedure that generate the error message.
so i tried to check which sub procedure calling that.
from the "function calls" tool (ctrl+F12), i got sub procedure that calling the error generator (sub_B10).
- then got lost from there.
IMO, we need to alter some command or logic in that sub procedure.
below is the screenshot that i got illustrating above process.
[Image: 13570783705_662fc36888.jpg]
[Image: 13570838743_97591cbd1e.jpg]
is there a way to input some hardware id then see how the procedure working...?
#75
(04-01-2014, 06:37 PM)ucupsz Wrote: hi BDMaster,
sorry for late response.
this is the file that i got from sovem.
T430_G1ET41WW_NWL_ucupsz.rar
this is the backup of latest bios update that installed in my T430:
http://www.sendspace.com/file/cc742z
this is the link of that source:
http://download.lenovo.com/ibmdl/pub/pc/...uj31us.exe
i bought my flash programmer from mcumall.com
i'm aware that we had 2 possible way to install wwan/wlan card that not in the whitelist:
- replace the one that are in the whitelist, or
- alter the logic for checking procedure.
the 2nd option will be the most ideal way for the solution.

(04-01-2014, 02:29 AM)BDMaster Wrote: This is the error that generate bad PCI Card :

.text:000000000000171D loc_171D: ; CODE XREF: sub_1660+AFj
.text:000000000000171D mov rdx, 8000000000000007h
.text:0000000000001727 cmp rcx, rdx
.text:000000000000172A jnz short loc_1738
.text:000000000000172C lea r9, aDeviceError ; "Device Error"
.text:0000000000001733 jmp loc_1934

So You understand how important is to look for the right things in any place !
Now Disassemble the module and start from Proc 0x0b10 and We have to find the locks jz, jnz,
or for the loops as many times It can stop to work the laptop forcing to restart it as here :

.text:0000000000000BE2 loc_BE2: ; CODE XREF: sub_B10+DBj
.text:0000000000000BE2 mov eax, [rsp+88h+arg_18]
.text:0000000000000BE9 test eax, eax
.text:0000000000000BEB jnz short loc_BE2

Regards
is the above code coming from disassembling 79E0EDD7-9D1D-4F41-AE1A-F896169E5216_2211.ROM? seems i can't find that.
what i got is these:
- i looked for "1802 unauthorized ..." message, then i got it in a sub procedure (sub_9FC).
i thought it's the sub procedure that generate the error message.
so i tried to check which sub procedure calling that.
from the "function calls" tool (ctrl+F12), i got sub procedure that calling the error generator (sub_B10).
- then got lost from there.
IMO, we need to alter some command or logic in that sub procedure.
below is the screenshot that i got illustrating above process.
[Image: 13570783705_662fc36888.jpg]
[Image: 13570838743_97591cbd1e.jpg]
is there a way to input some hardware id then see how the procedure working...?

Ok I will analyze all Code and try to find locks, I upload here my 2nd Dirty Guide (Not published yet), It is based on a SOVEM post
(She is the best SLIC and WHITELIST modder I know) :

http://rghost.net/53726016

It will show what We said here.
Regards

#76
Here I uploaded a Code Analysis in a pdf, look and let me know :

http://rghost.net/53745799

Can You upload a screen shot of bios at pc boot, I would look and so ask if 1802: Unauthorized . . .
error is shown when pc boots and if laptop stop to boot going into an infinite loop !
Normally when WiFi Card is mounted at startup bios check whitelist card and if is wrong stamp an
error on display and stop to go (infinite loop), so We can bypass this loop for first !

.text:0000000000000BE2 loc_BE2: ; CODE XREF: sub_B10+DBj
.text:0000000000000BE2 mov eax, [rsp+88h+arg_18]
.text:0000000000000BE9 test eax, eax
.text:0000000000000BEB jnz short loc_BE2

0BEB : 75 F5 to 75 00 jnz short loc_BE2 to jnz $+2

Use PMTool 2.51 with option Allow modify all modules etc. + NO_SLIC to repack Bios and replace modded module, read guide pdf here :

http://rghost.net/53758784

Here I uploaded biosback original, cutted (cut the file from first offset to 002FFFF0), cutted_NWL and modded module :

http://rghost.net/53760339

P.S. for future studies, I suggest to use this wonderful tool from CodeRush to know offsets and sizes for any Bios Region :

http://forums.mydigitallife.info/threads...and-editor

let me know, please if We get some result !
Regards

#77
Hi BDMaster,

Is there any difference in changing:

.text:0000000000000BD8 jns short loc_BED

to jmp instruction instead?

Is there any way to suppress the message from displaying?
#78
(04-04-2014, 10:24 PM)SheepReaper Wrote: Hi BDMaster,

Is there any difference in changing:

.text:0000000000000BD8 jns short loc_BED

to jmp instruction instead?

Is there any way to suppress the message from displaying?

Hi friend,
I will explain the difference :

.text:0000000000000BCD loc_BCD: ; CODE XREF: sub_B10+105j
.text:0000000000000BCD ; sub_B10+149j ...
.text:0000000000000BCD mov rcx, rdi
.text:0000000000000BD0 call sub_9FC
.text:0000000000000BD5 test rax, rax
.text:0000000000000BD8 jns short loc_BED
.text:0000000000000BDA mov [rsp+88h+arg_18], r13d
.text:0000000000000BE2
.text:0000000000000BE2 loc_BE2: ; CODE XREF: sub_B10+DBj
.text:0000000000000BE2 mov eax, [rsp+88h+arg_18]
.text:0000000000000BE9 test eax, eax
.text:0000000000000BEB jnz short loc_BE2
.text:0000000000000BED
.text:0000000000000BED loc_BED: ; CODE XREF: sub_B10+C8j
.text:0000000000000BED mov rax, 8000000000000007h
.text:0000000000000BF7
.text:0000000000000BF7 loc_BF7: ; CODE XREF: sub_B10+2Aj
.text:0000000000000BF7 ; sub_B10+2E7j ...
.text:0000000000000BF7 mov rbx, [rsp+88h+arg_0]
.text:0000000000000BFF add rsp, 70h
.text:0000000000000C03 pop r13
.text:0000000000000C05 pop rdi
.text:0000000000000C06 pop rsi
.text:0000000000000C07 retn

I needed some Code displayed to show what It's doing, in that Conditional Branch the instruction "test eax, eax" say compare
eax with 0x01 (but also not 0x00 is true) so then set Z = 1 next instruction conditional jump say if Z = 0 then go to "loc_BE2" when
this condition It's true so eax different than 0x00 (so may be 0x01 - 0x02 - etc.) the jump will be executed and Code jump to loc_BE2
in an INFINITE LOOP ! , so if I would get jmp more than jnz It will be Always infinite loop without any chance to continue the normal
bios work ! to bypass loop use jnz $+2 It jump to next instruction at "loc_BED" as if Z=0 then Code continue to "loc_BED" and
if Z=1 It will jmp 2bytes forward always at "loc_BED" so always next instruction will be at "loc_BED" !!!
Laptop, before this instruction into sub 1640 has checked error Unauthorized . . .
and Printed on Screen the complete error :
“1802: Unauthorized network card is plugged in - Power off and remove the miniPCI network card”
Then lock the laptop !
If removing the loop and so the whitelist lock all works, it's possible to write at offset error string address many 0x20 or space char as all
the string deleting the error message, or going to mod more code yet to eliminate the print !
I did it a long time ago for Matrock user on MyDigitalLife forum as Bluetooth was not working modding all code, but i haven't tried on this
new firmware for TE430.
So I don't know if It's working or not It needs a SPIPMG, laptop to use and patience !
I was waiting for Ucupsz to understand, but may be You have this requisites to do !
I hope this explanation could be exhaustive for You.
Let me know
Regards

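Added example (not from any poster in this thread): a two-byte short branch lands at the address of the next instruction plus its sign-extended displacement byte, so `75 F5` at `0BEB` goes back to `loc_BE2`, while `75 00` lands on `loc_BED` whether or not the branch is taken. The Python below works that out for the before and after bytes quoted in post #76, the way one would when reviewing a byte-level difference between two copies of a firmware module; the function names are hypothetical.

```python
SHORT_JCC = range(0x70, 0x80)  # opcodes of the short conditional jumps (jnz is 0x75)
JMP_SHORT = 0xEB               # jmp rel8


def branch_target(addr, insn):
    """Address reached when the two-byte short branch at addr is taken."""
    if len(insn) != 2 or (insn[0] not in SHORT_JCC and insn[0] != JMP_SHORT):
        raise ValueError("not a two-byte short branch")
    # The displacement is a signed byte relative to the next instruction.
    rel8 = insn[1] - 0x100 if insn[1] & 0x80 else insn[1]
    return addr + 2 + rel8


def encode_rel8(addr, target):
    """Displacement byte that makes a short branch at addr reach target."""
    disp = target - (addr + 2)
    if not -128 <= disp <= 127:
        raise ValueError("target out of short-branch range")
    return disp & 0xFF


def classify(addr, insn):
    """Describe the branch: inert, or conditional/unconditional and its direction."""
    target = branch_target(addr, insn)
    if target == addr + 2:
        return "inert"  # taken or not, execution continues at the next instruction
    kind = "conditional" if insn[0] in SHORT_JCC else "unconditional"
    direction = "backward" if target < addr + 2 else "forward"
    return f"{kind} {direction}"


def review_change(addr, before, after):
    """Summarise what a changed short branch does to control flow."""
    old, new = branch_target(addr, before), branch_target(addr, after)
    return {
        "address": f"{addr:04X}",
        "before": (f"{old:04X}", classify(addr, before)),
        "after": (f"{new:04X}", classify(addr, after)),
        "control_flow_changed": (old, before[0]) != (new, after[0]),
    }


if __name__ == "__main__":
    # Bytes and address as quoted in post #76: "0BEB : 75 F5 to 75 00".
    print(review_change(0x0BEB, bytes.fromhex("75F5"), bytes.fromhex("7500")))
    # Displacement of the "jns short loc_BED" at 0BD8 from the listing in post #78.
    print(f"{encode_rel8(0x0BD8, 0x0BED):02X}")
```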
#79
Thank you BDMaster, your explanation does make it clearer. I have a T430 laptop, which explains my interest in the subject. I am also just a beginner with assembly code so my understanding of the loop was unclear until you explained it.

I modified the module but got an error when trying to insert it into the new bios. I need to retrace my steps and try again. Spent almost the entire day yesterday learning how to do this and how to use the tools.
#80
(04-05-2014, 08:34 AM)SheepReaper Wrote: Thank you BDMaster, your explanation does make it clearer. I have a T430 laptop, which explains my interest in the subject. I am also just a beginner with assembly code so my understanding of the loop was unclear until you explained it.

I modified the module but got an error when trying to insert it into the new bios. I need to retrace my steps and try again. Spent almost the entire day yesterday learning how to do this and how to use the tools.

Hi thanks for reply,
I uploaded in post before Bios modded and Module Modded too, It needs to replace Module modded to original only and repack bios by PMTool and that's it.
Let me know what and where You got error i can help You
(I am happy when can help someone)
Regards
