[REQUEST] Acer Aspire V5-123 BIOS Unlock
#1
I am trying to mod this BIOS following Donovan's tutorial. I found this information:

Code:
UEFI Protocol Detected
--------------------------------------------------------------------------------


String Packages
--------------------------------------------------------------------------------
Offset: Language:
--------------------------------------------------------------------------------
0x2DF14 en-US (0x0)
0x373B3 fr-FR (0x1)
0x3D8D9 zh-TW (0x2)
0x40F22 ja-JA (0x3)
0x44DA3 it-IT (0x4)
0x4937A es-ES (0x5)
0x4DE67 de-DE (0x6)
0x52765 pt-PT (0x7)


Form Sets
--------------------------------------------------------------------------------
Offset: Title:
--------------------------------------------------------------------------------
0x29154 Boot (0xFD from string package 0x0)
0x29934 Security (0xE2 from string package 0x0)
0x29E44 Main (0xBB from string package 0x0)
0x2A404 Power (0x1F2 from string package 0x0)
0x2AAF4 Advanced (0x158 from string package 0x0)
0x2DA84 Exit (0x12A from string package 0x0)
0x2DC54 Information (0x2 from string package 0x0)

I found the tab offsets in IDA:
Code:
0x180028DF0
0x180029150
0x180029930
0x180029E40
0x18002A400
0x18002AAF0
0x18002DA80
0x18002DC50

I cannot find conditional jumps near the tab offsets when checking all calling functions.

Note that I am a beginner in bios modding and I took a course in assembly in the past which helped me a lot.

In the past two weeks I downloaded some modded BIOSes and analyzed them, but all the BIOSes were old versions.
#2
I found the tab offsets in IDA = EFI IFR Package (Tattoo = "BM.R9Q...= hex 0x424DB552395113h") :

0x28DF0 $IFRPKG!
0x29150 0x29154 Boot (0xFD)
0x29930 0x29934 Security (0xE2)
0x29E40 0x29E44 Main (0xBB)
0x2A400 0x2A404 Power (0x1F2)
0x2AAF0 0x2AAF4 Advanced (0x158)
0x2DA80 0x2DA84 Exit (0x12A)
0x2DC50 0x2DC54 Information (0x2)

This is an extract from Donovan's blog, talking with me . . . (One needs to learn the EFI structure and FormSet)
Let me start by addressing the formset header. I'll keep everything in this post in little endian notation to avoid confusion.
The data structure I used for that is this:

struct EFI_IFR_FORM_SET {
    uint32_t Offset;
    uint32_t Length;
    uint16_t Type;
    string Guid;
    uint16_t FormSetTitle;
    uint16_t Help;
    uint64_t CallbackHandle;
    uint16_t Class;
    uint16_t Subclass;
    uint16_t NvDataSize;
};

So for:
84 00 00 00 03 00 0E 24 F4 27 4A A0 00
DF 42 4D B5 52 39 51 13 02 11 3D (Tattoo)
E4 00 7D 00 00 00 00 00 00 00 00 00 01 00 00 00
84 03 01 06 01 00 E4 00 02 04 7D 00 03 0B 6D 00
6C 00 7D 00 04 31 00 03 0B 70 00 6F 00 7D 00 04
32 00 19 03 00 12 07 81 00 01 01 00 12 07 80 00

The offset is just the location in the file that this formset starts.
The length is the first 4 bytes, so in this case this formset is 0x84000000 bytes long.
The type isn't too important, but it's 0x0300 which corresponds to formset.
The 0x0E is the op-code that indicates the beginning of a formset.
The GUID is the sequence that occurs in every formset. For this formset, it's 0x24F4274AA000DF424DB55239511302113D.
The FormSetTitle is 0xE400. This is the ID that is used for the blacklist.
The Help is 0x7D00. This is the ID of the string that displays the help text.
The callbackheader is 0x0000000000000000.
The class is 0x0100.
Subclass is 0x0000.
NV data size is 0x8403.
The next byte 0x01 is the opcode that indicates that a new form is being created and it should be contained in the current form set.
The rest of this are the opcodes that correspond to what's inside that form.

Let me also mention the string packages. You'll see large groups of strings in your bios which are organized by languages.
These strings each get a string ID based on their order. So the first string is 0x0000, the second is 0x0100, third 0x0200, etc.
So for yours, the 0xE400 string is Exit.

I would help you, but I don't know what you have learned and what not!
The FormSet offsets will be present only in a code chunk where they are all initialized; you will then
find them in other locations, but for inner scope.

So I can better explain what Donovan said:

E4 00

The FormSetTitle is 0xE400 (it is in little endian, so big endian = 0x 00 E4)
This is the ID that is used for the blacklist.

Looking at your BIOS:

0x2A404 Power (0x 01 F2 = Menu Tab ID)
0x2AAF4 Advanced (0x 01 58 = Menu Tab ID)

So we will have:

424DB55239511302113D = BM.R9Q...= (Tattoo)
5801BC00

0x 01 58

0x2AAF0 0x2AAF4 Advanced (0x 01 58)

424DB55239511302113D = BM.R9Q...= (Tattoo)
F201BC00

0x 01 F2

0x2A404 Power (0x 01 F2 = Menu Tab ID)

So we have to find these IDs to see where in the code the lock is done!
I can say that in older BIOSes you can find this template, so it is easy to find the IDs to
modify the BIOS, but in new EFI everything is changing, and in UEFI the lock is often done by EFI IFR only!

0x0158
0x01F2

I think I have helped a lot
So let me know better
Regards


http://rghost.net/58439608

http://rghost.net/58439615

http://rghost.net/58439613

Your Brain . . . . It's the best tool U can use !
Don't FLASH the Bios Mod if You get a Size Alert, You risk a Brick !!!
Donate to me for my work, click here BDM
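Added example, not part of the original posts: the bytes quoted above, decoded with Python's struct module. It assumes the Framework HII layout (a pack header with Length and Type, an opcode header with OpCode and Length, a 16-byte GUID, then the remaining fields) and reads every field as a little-endian integer; the function and field names are hypothetical.

```python
import struct
import uuid

# Bytes quoted in the post above, unchanged (the dump is cut off mid-opcode).
DUMP = bytes.fromhex(
    "84 00 00 00 03 00 0E 24 F4 27 4A A0 00 "
    "DF 42 4D B5 52 39 51 13 02 11 3D "
    "E4 00 7D 00 00 00 00 00 00 00 00 00 01 00 00 00 "
    "84 03 01 06 01 00 E4 00 02 04 7D 00 03 0B 6D 00 "
    "6C 00 7D 00 04 31 00 03 0B 70 00 6F 00 7D 00 04 "
    "32 00 19 03 00 12 07 81 00 01 01 00 12 07 80 00"
)

# Assumed layout: pack header (Length, Type), opcode header (OpCode, Length),
# then the form set body. "<" = little endian, no padding.
FORMSET = struct.Struct("<IHBB16sHHQHHH")
FIELDS = ("pack_length", "pack_type", "opcode", "op_length", "guid",
          "title_id", "help_id", "callback", "class_", "subclass", "nv_size")


def parse_formset(buf):
    """Decode the form set header and check the two values that identify it."""
    if len(buf) < FORMSET.size:
        raise ValueError("buffer shorter than a form set header")
    hdr = dict(zip(FIELDS, FORMSET.unpack_from(buf)))
    if hdr["pack_type"] != 0x0003 or hdr["opcode"] != 0x0E:
        raise ValueError("not an IFR pack that starts with a form set opcode")
    hdr["guid"] = str(uuid.UUID(bytes_le=hdr["guid"]))
    return hdr


def walk_opcodes(buf, start=6):
    """Return (offset, opcode, length) for each complete opcode from `start`."""
    ops, pos = [], start
    while pos + 2 <= len(buf):
        opcode, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            break  # malformed or truncated opcode: stop instead of guessing
        ops.append((pos, opcode, length))
        pos += length
    return ops


if __name__ == "__main__":
    for key, value in parse_formset(DUMP).items():
        print(f"{key:12} {value if isinstance(value, str) else hex(value)}")
    for off, opcode, length in walk_opcodes(DUMP):
        print(f"+0x{off:02X} opcode 0x{opcode:02X} length {length}")
```

Every opcode length read this way lands exactly on the next opcode header until the dump runs out, which is a quick consistency check on the assumed layout.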
#3
I read your reply and now I have a better understanding.
I want to know what the next step is after finding the menu tab IDs: where do I have to search for them, what is the lock, and what is the blacklist?

Thank you for helping me so far.
#4
(10-11-2014, 10:30 AM)sasuke99 Wrote: I read your reply and now I have a better understanding.
I want to know what the next step is after finding the menu tab IDs: where do I have to search for them, what is the lock, and what is the blacklist?

Thank you for helping me so far.

Are you not studying on Donovan's blog?
The blacklist is a list of menu tabs locked by manufacturers, alias "blacklisted formset IDs"!
When a developer is preparing a BIOS file, he has all the code open without locks, to check everything and adapt it to many laptop configurations!
Before distributing it, when it is compiled (today BIOS code is developed in the C programming language), he makes modifications to apply the locks = blacklist for the IDs we saw before.
Now, as you saw, there are some controls (ID checks) to prevent these FormSet IDs from being initialized, and they are a chunk of code (instructions to verify the ID number), so in older BIOSes it was easy to find!

Look at this example (Acer Aspire 5942 - G) :

EFI / Insyde BIOS
Recovery filenames are:

NCQD1X64.fd

SLIC header found in 7E374E25-8E01-4FEE-87F2-390C23C606CD_906.ROM at 0
Pubkey found in 4CAC73B1-7C53-4DC1-B6FA-42A15260409A_1155.ROM at 0
Marker found in F306F460-2DC9-4B5D-9410-83585F1ADD80_1161.ROM at 0
'SLIC' string found in AFC04099-0D39-405D-BE46-846F08C51A31_920.ROM at 39A
'SLIC' string found in AFC04099-0D39-405D-BE46-846F08C51A31_920.ROM at 127E
'SLIC' string found in AFC04099-0D39-405D-BE46-846F08C51A31_920.ROM at 129F
OEM/Table IDs identified are:
1. INSYDECalpella
2. ACRSYSACRPRDCT
Header (INSYDECalpella SLIC) (x1)
Pubkey (x1)
Marker (2.1) (ACRSYSACRPRDCT) (x1)

Slic 2.1 Mod :

7E374E25-8E01-4FEE-87F2-390C23C606CD_906.ROM Header RSA Key + Marker 2.1

SetupUtility Menu Tabs Unlock Mod :

FE3542FE-C1D3-4EF8-657C-8048606FF670_710.ROM SetupUtility

Form Sets
--------------------------------------------------------------------------------
Offset: Name:
--------------------------------------------------------------------------------
0x79B60 Main (0x48)
0x79F10 Exit (0x2EA)
0x79FA0 Boot (0x2D0)
0x7A120 Power (0x271)
0x7A620 Security (0x235)
0x7A780 Advanced (0x5F)
0x7E6E0 Information (0x3)


012DC : 0F 84 9E 00 00 00 to 0F 84 00 00 00 00 jz loc_180001380 to jz $+6

012F0 : 0F 84 8A 00 00 00 to 0F 84 00 00 00 00 jz loc_180001380 to jz $+6


.text:00000001800012D9 cmp eax, 5Fh ; Advanced
.text:00000001800012DC jz loc_180001380

.text:00000001800012EB cmp eax, 271h ; Power
.text:00000001800012F0 jz loc_180001380

Now everything is clearer
Regards

P.S. Actually, many EFI BIOSes don't have the IDs exposed; they are hidden in assembly registers! UEFI is different, as it often uses other modules or IFR only.

#5
According to this example, I believe it will follow the red arrow (in flow chart view) instead of the green arrow, which (in .text view) will jump to the next line.

Should I search for register ID value comparisons, or does it differ from one BIOS to another?
#6
Hi friend,
You can go many ways: try to find only the IDs 0x5F and 0x271, or find the instructions:

cmp eax, 5Fh ; Advanced hex data = 83 F8 5F
cmp eax, 271h ; Power hex data = 3D 71 02 00 00

But all this searching is useless today, as developers are using other ways to lock FormSets!
Use it for training on older BIOSes!!!
Get the IDs, then try to find them using IDA Pro or a hex editor and get an offset, then disassemble the code at that offset . . .
Remember that the IDs are different for every BIOS, so use Donovan's tool to get the EFI IFR.
Regards

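Added example, not code from the thread: an integrity check that compares a reference copy of a module with a candidate image and reports every `jz rel32` whose displacement was zeroed, together with the ID from the `cmp eax` in front of it. It covers the patch quoted in post #4 and the two encodings given in post #6; the sample images are constructed from only the bytes quoted in the thread, and the function names are hypothetical.

```python
import struct

JZ_NEAR = b"\x0f\x84"  # jz rel32, the opcode shown in the listing in post #4


def compared_id(code, jz_off):
    """Immediate of a `cmp eax, imm` that ends right before `jz_off`, or None."""
    if jz_off >= 3 and code[jz_off - 3:jz_off - 1] == b"\x83\xf8":
        return code[jz_off - 1]                               # 83 F8 ib
    if jz_off >= 5 and code[jz_off - 5] == 0x3D:
        return struct.unpack_from("<I", code, jz_off - 4)[0]  # 3D id
    return None


def neutralised_checks(original, modified):
    """List (offset, old_target, id) for each jz whose rel32 was zeroed."""
    if len(original) != len(modified):
        raise ValueError("images differ in size, compare like for like")
    hits = []
    pos = original.find(JZ_NEAR)
    while pos != -1 and pos + 6 <= len(original):
        old = struct.unpack_from("<i", original, pos + 2)[0]
        new = struct.unpack_from("<i", modified, pos + 2)[0]
        if modified[pos:pos + 2] == JZ_NEAR and old != 0 and new == 0:
            # Target is relative to the end of the 6-byte instruction.
            hits.append((pos, pos + 6 + old, compared_id(original, pos)))
        pos = original.find(JZ_NEAR, pos + 1)
    return hits


def build_sample():
    """Constructed images holding only the bytes quoted in posts #4 and #6."""
    original = bytearray(b"\xcc" * 0x1400)
    original[0x12D9:0x12E2] = bytes.fromhex("83 F8 5F 0F 84 9E 00 00 00")
    original[0x12EB:0x12F6] = bytes.fromhex("3D 71 02 00 00 0F 84 8A 00 00 00")
    modified = bytearray(original)
    modified[0x12DE:0x12E2] = bytes(4)  # displacement of the jz at 0x12DC
    modified[0x12F2:0x12F6] = bytes(4)  # displacement of the jz at 0x12F0
    return bytes(original), bytes(modified)


if __name__ == "__main__":
    for off, target, form_id in neutralised_checks(*build_sample()):
        ident = "unknown" if form_id is None else hex(form_id)
        print(f"0x{off:05X}: jz 0x{target:05X} now falls through, ID {ident}")
```

This is a byte-pattern comparison, not a disassembler, so a hit should be confirmed in a disassembly of the reference image before it is treated as a modified ID check.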
#7
Hello 

I am not really looking for an unlocked BIOS, I am looking for anything that may help me get the laptop running again. It is simply dead (when I power it on, it lights up the backlight of the screen and just stays there! No POST, no beeps, nothing).
It all started when the USB devices started acting in a strange way. I lost the right 2 USB slots first, then the camera, and only the left side USB was working! Then it started to go to this dead state, but it normally came back with a restart or removing the battery.
I went to the Acer website, where I understood that I need to flash the BIOS, but all I got from Acer is an .exe file that needs an OS to run (looks like an upgrade tool for Windows), and no instructions on what to do! So I am a bit lost here.

http://global-download.acer.com/GDFiles/...R&SC=AAP_5

I searched and reached some understanding that I may try the recovery mode, but I need some BIOS.fd file, which I don't have, and I don't know where to get it!
Please help me if you have more information.

-Shico


#8
Dear Community,

This netbook (Acer Aspire V5-123) is becoming useless to me without being able to enable AMD Virtualization. Please help me mod my bios. I can donate to anyone who will help me.

The Acer Aspire V5-123 Insyde Bios V2.05 is attached. All I need is to have the mod of it to enable VT and how to flash the Bios.


Attached Files
.zip   InsydeCorp.-V2.05_ACER_ASPIRE_V5_123.rom.zip (Size: 2.03 MB / Downloads: 27)
#9
(02-05-2017, 02:37 AM)tobleron Wrote: Dear Community,

This netbook (Acer Aspire V5-123) is becoming useless to me without being able to enable AMD Virtualization. Please help me mod my bios. I can donate to anyone who will help me.

The Acer Aspire V5-123 Insyde Bios V2.05 is attached. All I need is to have the mod of it to enable VT and how to flash the Bios.

Hi
Your mod is completed, read PM
#10
(02-05-2017, 06:38 AM)Dudu2002 Wrote:
(02-05-2017, 02:37 AM)tobleron Wrote: Dear Community,

This netbook (Acer Aspire V5-123) is becoming useless to me without being able to enable AMD Virtualization. Please help me mod my bios. I can donate to anyone who will help me.

The Acer Aspire V5-123 Insyde Bios V2.05 is attached. All I need is to have the mod of it to enable VT and how to flash the Bios.
Hi
Your mod is completed, read PM

Thank you for your efforts. I tried your modified BIOS file but I wasn't able to flash it. The blue front LED is blinking but it seems that the ZHL.fd file is not being read from the USB drive. I tried all usb ports.