Posts: 38
Threads: 1
Joined: Jul 2013
Reputation:
0
04-06-2014, 09:06 AM
(This post was last modified: 04-06-2014, 10:33 AM by ucupsz.)
(04-06-2014, 08:58 AM)BDMaster Wrote: (04-06-2014, 08:49 AM)ucupsz Wrote: nope...
it behaves like before:
- showing 1802 error,
- then it just stops there, asking for it to be stopped, just like prior to flashing the modified BIOS.
![[Image: 13666736685_f0c7e79b06.jpg]](https://farm4.staticflickr.com/3810/13666736685_f0c7e79b06.jpg)
(04-06-2014, 06:56 AM)BDMaster Wrote: It's normal that it displays error 1802 etc., but the laptop must not stop in an infinite loop and has to continue to work normally, bypassing the whitelist lock!
let me know
Regards
OK, I will check the mod and, if it's all OK, there will be another infinite loop in the 1660 subroutine and I will check all the code. As in your picture there is a longer string than the "System is halted" I found, which I haven't seen before!
I will reply here with the news
Regards
how about tracking which part calls loc_BCD (the one that contains the message generator), and modifying the logic so it won't be directed there?
please see the PDF file below.
http://rghost.net/53821428
I put the big picture below:
here
I tried deleting the 'jnz' in the hex to 0000; it turned out to be a disaster.
Posts: 10,272
Threads: 1
Joined: Oct 2011
Reputation:
535
(04-06-2014, 09:06 AM)ucupsz Wrote: (04-06-2014, 08:58 AM)BDMaster Wrote: (04-06-2014, 08:49 AM)ucupsz Wrote: nope...
it behaves like before:
- showing 1802 error,
- then it just stops there, asking for it to be stopped, just like prior to flashing the modified BIOS.
![[Image: 13666736685_f0c7e79b06.jpg]](https://farm4.staticflickr.com/3810/13666736685_f0c7e79b06.jpg)
(04-06-2014, 06:56 AM)BDMaster Wrote: It's normal that it displays error 1802 etc., but the laptop must not stop in an infinite loop and has to continue to work normally, bypassing the whitelist lock!
let me know
Regards
OK, I will check the mod and, if it's all OK, there will be another infinite loop in the 1660 subroutine and I will check all the code. As in your picture there is a longer string than the "System is halted" I found, which I haven't seen before!
I will reply here with the news
Regards
how about tracking which part calls loc_BCD (the one that contains the message generator), and modifying the logic so it won't be directed there?
please see the PDF file below.
http://rghost.net/53821428
I put the big picture below:
here
I tried deleting the 'jnz' in the hex to 0000; it turned out to be a disaster.
OK, I will look at your PDF. To mod, use the nop instruction = hex code 0x90, so 90 90!
will reply here
regards
Your Brain . . . . It's the best tool U can use !
Don't FLASH the Bios Mod if You get a Size Alert, You risk a Brick !!!
Donate to me for my work, click here BDM
Posts: 10,272
Threads: 1
Joined: Oct 2011
Reputation:
535
04-08-2014, 03:02 AM
(This post was last modified: 04-08-2014, 03:03 AM by BDMaster.)
Whitelist Table:
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00 00 00 00 86 80 89 00 86 80 11 13 01 00 00 00
05 00 00 00 86 80 87 01 00 00 00 00 00 00 00 00
00 00 00 00 86 80 38 42 86 80 11 11 01 00 00 00
00 00 00 00 86 80 38 42 86 80 18 11 01 00 00 00
00 00 00 00 86 80 85 00 86 80 11 13 01 00 00 00
00 00 00 00 86 80 85 00 86 80 18 13 01 00 00 00
00 00 00 00 EC 10 76 81 EC 10 95 81 00 00 00 00
00 00 00 00 86 80 91 08 86 80 22 42 00 00 00 00
00 00 00 00 E4 14 58 43 E4 14 43 05 00 00 00 00
00 00 00 00 8C 16 2B 00 AA 17 A1 30 00 00 00 00
00 00 00 00 95 17 20 07 00 00 00 00 00 00 00 00
00 00 00 00 95 17 15 07 00 00 00 00 00 00 00 00
00 00 00 00 95 17 22 00 00 00 00 00 00 00 00 00
00 00 00 00 EE 10 12 20 EE 10 09 00 00 00 00 00
00 00 00 00 EE 10 13 20 EE 10 09 00 00 00 00 00
00 00 00 00 86 80 8F 08 86 80 60 42 01 00 00 00
01 00 00 00 99 11 12 90 00 00 00 00 00 00 00 00
01 00 00 00 99 11 13 90 00 00 00 00 00 00 00 00
01 00 00 00 DB 0B 27 19 00 00 00 00 00 00 00 00
01 00 00 00 DB 0B 26 19 00 00 00 00 00 00 00 00
01 00 00 00 4F 11 A2 68 00 00 00 00 00 00 00 00
01 00 00 00 3D 0F A2 68 00 00 00 00 00 00 00 00
01 00 00 00 99 11 A2 68 00 00 00 00 00 00 00 00
06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
.text:0000000000000C74 lea rdx, byte_270
.text:0000000000000C7B
.text:0000000000000C7B loc_C7B: ; CODE XREF: sub_B10+1B3j
.text:0000000000000C7B test eax, eax
.text:0000000000000C7D jnz short loc_CAA
.text:0000000000000C7F movzx ecx, word ptr [r8+rdx+6]
.text:0000000000000C85 movzx eax, word ptr [r8+rdx+4]
.text:0000000000000C8B shl ecx, 10h
.text:0000000000000C8E or ecx, eax
.text:0000000000000C90 cmp [rdi], ecx
.text:0000000000000C92 jnz short loc_CAA
.text:0000000000000C94 movzx ecx, word ptr [r8+rdx+0Ah]
.text:0000000000000C9A movzx eax, word ptr [r8+rdx+8]
.text:0000000000000CA0 shl ecx, 10h
.text:0000000000000CA3 or ecx, eax
.text:0000000000000CA5 cmp [rdi+4], ecx
.text:0000000000000CA8 jz short loc_CC5
.text:0000000000000CAA
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00 00 00 00 86 80 89 00 86 80 11 13 01 00 00 00
.text:0000000000000C7F movzx ecx, word ptr [r8+rdx+6]
.text:0000000000000C85 movzx eax, word ptr [r8+rdx+4]
00 00 00 00 86 80 89 00 ---> ecx = 89 00
00 00 00 00 86 80 ---> eax = 86 80
.text:0000000000000C8B shl ecx, 10h
ecx = 89 00 00 00
or ecx, eax
ecx = 89 00 86 80 (PCI/VEN to check)
cmp [rdi], ecx ; check the first part of the PCI VEN/DEV: if wrong, go to . . .; if right, continue to the 2nd part
.text:0000000000000C94 movzx ecx, word ptr [r8+rdx+0Ah]
.text:0000000000000C9A movzx eax, word ptr [r8+rdx+8]
.text:0000000000000CA0 shl ecx, 10h
.text:0000000000000CA3 or ecx, eax
.text:0000000000000CA5 cmp [rdi+4], ecx
.text:0000000000000CA8 jz short loc_CC5
00 00 00 00 86 80 89 00 86 80 11 13
ecx = 11 13
eax = 86 80
ecx = 11 13 00 00
ecx = 11 13 86 80
cmp [rdi+4], ecx ; check the next PCI VEN/DEV part at +4: if right, go to loc_CC5, otherwise continue
Here is where it is going to check the hex WWAN card number (PCI VEN/DEV), so here we have to mod . . .
Regards
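To make the trace above concrete, here is an added example (not code from the thread or from either poster) that decodes the posted whitelist table and emulates the per-row comparison the disassembly shows at .text:0C7F..0CA8, in both its original and its patched (jnz to nop, jz to jmp) form. The 16-byte row layout is inferred from the offsets the code reads; the leading and trailing dwords of each row are not explained on the page and are left undecoded, and stepping the table 16 bytes at a time is an assumption, since the page does not show r8 advancing. The Broadcom ids used as a negative case are constructed, not a real card from the thread.

```c
/* Added example, not code from the thread: decode the whitelist table BDMaster
 * posted and emulate the per-row comparison at .text:0C7F..0CA8.  Row layout is
 * inferred from the offsets the code reads (words at +4/+6 and +8/+0Ah from
 * r8+rdx); the dwords at +0 and +0Ch are not explained on the page and are not
 * decoded.  Stepping 16 bytes per row is an assumption (r8 is not shown moving). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ROW_SIZE 16

/* The 24 rows exactly as posted (the 00 01 .. 0F header line omitted). */
static const uint8_t WHITELIST[] = {
    0x00,0x00,0x00,0x00,0x86,0x80,0x89,0x00,0x86,0x80,0x11,0x13,0x01,0x00,0x00,0x00,
    0x05,0x00,0x00,0x00,0x86,0x80,0x87,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x86,0x80,0x38,0x42,0x86,0x80,0x11,0x11,0x01,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x86,0x80,0x38,0x42,0x86,0x80,0x18,0x11,0x01,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x86,0x80,0x85,0x00,0x86,0x80,0x11,0x13,0x01,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x86,0x80,0x85,0x00,0x86,0x80,0x18,0x13,0x01,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0xEC,0x10,0x76,0x81,0xEC,0x10,0x95,0x81,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x86,0x80,0x91,0x08,0x86,0x80,0x22,0x42,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0xE4,0x14,0x58,0x43,0xE4,0x14,0x43,0x05,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x8C,0x16,0x2B,0x00,0xAA,0x17,0xA1,0x30,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x95,0x17,0x20,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x95,0x17,0x15,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x95,0x17,0x22,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0xEE,0x10,0x12,0x20,0xEE,0x10,0x09,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0xEE,0x10,0x13,0x20,0xEE,0x10,0x09,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x86,0x80,0x8F,0x08,0x86,0x80,0x60,0x42,0x01,0x00,0x00,0x00,
    0x01,0x00,0x00,0x00,0x99,0x11,0x12,0x90,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x01,0x00,0x00,0x00,0x99,0x11,0x13,0x90,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x01,0x00,0x00,0x00,0xDB,0x0B,0x27,0x19,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x01,0x00,0x00,0x00,0xDB,0x0B,0x26,0x19,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x01,0x00,0x00,0x00,0x4F,0x11,0xA2,0x68,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x01,0x00,0x00,0x00,0x3D,0x0F,0xA2,0x68,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x01,0x00,0x00,0x00,0x99,0x11,0xA2,0x68,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x06,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
};

struct pci_ids {
    uint32_t ven_dev; /* device id in the high word, vendor id in the low word */
    uint32_t sub;     /* subsystem device id high, subsystem vendor id low */
};

static uint32_t rd16le(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }

/* 0C7F..0CA3: ecx = word[+6] << 16 | word[+4], then word[+0Ah] << 16 | word[+8].
 * Vendor in the low word and device in the high word is how a 32-bit read of PCI
 * config offset 0 (and 0x2C for the subsystem ids) comes back, which is why a
 * single dword compare against [rdi] and [rdi+4] is enough. */
static struct pci_ids row_ids(const uint8_t *row)
{
    struct pci_ids id;
    id.ven_dev = (rd16le(row + 6) << 16) | rd16le(row + 4);
    id.sub     = (rd16le(row + 10) << 16) | rd16le(row + 8);
    return id;
}

/* Unpatched: 0C92 jnz loc_CAA rejects on a vendor:device mismatch and 0CA8 jz
 * loc_CC5 accepts only on a subsystem match.  Patched (jnz -> 90 90, jz -> EB 1B)
 * the compares still execute but no longer steer control, so loc_CC5 is reached
 * for the first row examined.  The test eax,eax at 0C7B depends on a value the
 * page does not show and is not modelled beyond its jnz being nopped as well. */
static int row_matches(const uint8_t *row, const struct pci_ids *card, int patched)
{
    struct pci_ids want = row_ids(row);
    if (!patched && want.ven_dev != card->ven_dev) return 0;
    if (!patched && want.sub != card->sub) return 0;
    return 1;
}

static size_t whitelist_row_count(void) { return sizeof(WHITELIST) / ROW_SIZE; }

static int whitelist_allows(const struct pci_ids *card, int patched)
{
    for (size_t i = 0; i < whitelist_row_count(); i++)
        if (row_matches(WHITELIST + i * ROW_SIZE, card, patched)) return 1;
    return 0;
}

/* Takes the ids the way lspci -nn prints them: vendor:device, subsystem vendor:device. */
static int check_card(uint16_t ven, uint16_t dev, uint16_t sven, uint16_t sdev, int patched)
{
    struct pci_ids card = { ((uint32_t)dev << 16) | ven, ((uint32_t)sdev << 16) | sven };
    return whitelist_allows(&card, patched);
}

int main(void)
{
    for (size_t i = 0; i < whitelist_row_count(); i++) {
        struct pci_ids id = row_ids(WHITELIST + i * ROW_SIZE);
        printf("row %2zu: %04x:%04x subsys %04x:%04x\n", i, (unsigned)(id.ven_dev & 0xffff),
               (unsigned)(id.ven_dev >> 16), (unsigned)(id.sub & 0xffff), (unsigned)(id.sub >> 16));
    }
    /* Row 0 is Intel 8086:0089 / 8086:1311; the Broadcom ids are constructed and not in the table. */
    printf("intel unpatched=%d  bcm unpatched=%d  bcm patched=%d\n",
           check_card(0x8086, 0x0089, 0x8086, 0x1311, 0),
           check_card(0x14e4, 0x4359, 0x14e4, 0x0607, 0),
           check_card(0x14e4, 0x4359, 0x14e4, 0x0607, 1));
    return 0;
}
```

Running it lists every row as vendor:device plus subsystem vendor:device and shows why ucupsz's card was refused: the table does carry one Broadcom entry (14E4:4358 with subsystem 14E4:0543, row 8), so a card is only rejected when neither its vendor:device nor its subsystem pair is listed, and the patched control flow accepts whatever the first examined row is.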
Posts: 38
Threads: 1
Joined: Jul 2013
Reputation:
0
wohoooo...!!!!
we've made it....  )
Based on your explanation, I changed the two jnz to nop, and one jz to jmp.
and it works!
I'm typing this from the T430 with a Broadcom Wi-Fi card.  )
I'll post more detailed steps tomorrow.
It's getting late here; I need to drive early tomorrow morning.
A zillion thanks, BDMaster!! You're my hero!
Posts: 10,272
Threads: 1
Joined: Oct 2011
Reputation:
535
04-09-2014, 12:12 PM
(This post was last modified: 04-10-2014, 11:35 AM by BDMaster.)
(04-09-2014, 11:30 AM)ucupsz Wrote: wohoooo...!!!!
we've made it.... )
Based on your explanation, I changed the two jnz to nop, and one jz to jmp.
and it works!
I'm typing this from the T430 with a Broadcom Wi-Fi card. )
I'll post more detailed steps tomorrow.
It's getting late here; I need to drive early tomorrow morning.
A zillion thanks, BDMaster!! You're my hero!
Finally, thanks for your reply!
I think these would be the mods:
unlock infinite loop:
0BEB : 75 F5 to 75 00 or 90 90 jnz short loc_BE2 to jnz $+2
unlock whitelist:
0C7D : 75 2B to 75 00 or 90 90 jnz short loc_CAA to jnz $+2
0C92 : 75 16 to 75 00 or 90 90 jnz short loc_CAA to jnz $+2
0CA8 : 74 1B to EB 1B jz short loc_CC5 to jmp short loc_CC5
Let me know if it's right!
Can you explain how to flash and the settings to use with the SOIC clamp adapter? As you said you will
write a new detailed tutorial about the use of the SPI programmer, and I am interested in it!
Regards
Posts: 10,272
Threads: 1
Joined: Oct 2011
Reputation:
535
(04-09-2014, 12:23 PM)devasish Wrote: sovem please help me for the E420 at my post http://www.bios-mods.com/forum/Thread-le...-whitelist I posted this here because no one has replied so far
I replied on your original post.
Regards
Posts: 38
Threads: 1
Joined: Jul 2013
Reputation:
0
BDMaster,
These are what I changed:
- 75 2B at offset C7D into 90 90
- 75 16 at offset C92 into 90 90
- 74 1B at offset CA8 into EB 1B
Below is how I removed the whitelist check using some tools.
I had difficulties when dealing with the software for the first time,
so I tried to write the instructions that way. Hope it helps anyone who wants to learn about removing whitelists and how to use IDA and HxD.
removing whitelist check on T430 bios
I'll post more on how I used my True GQ 4X to flash the BIOS when I get back home.
regards.
(04-09-2014, 12:12 PM)BDMaster Wrote: (04-09-2014, 11:30 AM)ucupsz Wrote: wohoooo...!!!!
we've made it.... )
Based on your explanation, I changed the two jnz to nop, and one jz to jmp.
and it works!
I'm typing this from the T430 with a Broadcom Wi-Fi card. )
I'll post more detailed steps tomorrow.
It's getting late here; I need to drive early tomorrow morning.
A zillion thanks, BDMaster!! You're my hero!
Finally, thanks for your reply!
I think these would be the mods:
unlock infinite loop:
0BEB : 75 F5 to 75 00 or 90 90 jnz short loc_BE2 to jnz $+2
unlock whitelist:
0C7D : 75 2B to 75 00 or 90 90 jnz short loc_CAA to jnz $+2
0C92 : 75 16 to 75 00 or 90 90 jnz short loc_CAA to jnz $+2
0CA8 : 74 1B to EB 1B jz short loc_CC5 to jmp short loc_CC5
Let me know if it's right!
Can you explain how to flash and the settings to use with the SOIC clamp adapter? As you said you will
write a new detailed tutorial about the use of the SPI programmer, and I am interested in it!
Regards
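The thread's earlier "0000 disaster" is the reason a patcher should check what it is overwriting. As an added example (not the posters' tool or procedure), the following applies the two-byte patches BDMaster listed, and ucupsz confirmed for the three whitelist offsets, to a copy of the extracted module, but only after verifying that every target offset still holds the expected original bytes; one mismatch and nothing is written. Assumptions: offsets are relative to the module file the disassembly came from (the .text:0000000000000Cxx addresses), not to the whole SPI dump, and locating that module inside a full image is a separate step this code does not perform. The stand-in module used by the demo functions is constructed (0xCC filler with the original bytes placed at the four offsets).

```c
/* Added example, not from the thread: verify-then-patch for the four two-byte
 * changes BDMaster listed.  Offsets are module-relative (the .text addresses in
 * the disassembly), not SPI-image offsets.  Each patch replaces two bytes with
 * two bytes, so the module size is unchanged. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct patch {
    size_t      off;
    uint8_t     orig[2];
    uint8_t     repl[2];
    const char *what;
};

static const struct patch PATCHES[] = {
    { 0x0BEB, {0x75,0xF5}, {0x90,0x90}, "jnz short loc_BE2 -> nop nop (infinite loop)" },
    { 0x0C7D, {0x75,0x2B}, {0x90,0x90}, "jnz short loc_CAA -> nop nop" },
    { 0x0C92, {0x75,0x16}, {0x90,0x90}, "jnz short loc_CAA -> nop nop" },
    { 0x0CA8, {0x74,0x1B}, {0xEB,0x1B}, "jz short loc_CC5 -> jmp short loc_CC5" },
};
#define NPATCHES (sizeof(PATCHES) / sizeof(PATCHES[0]))

/* Returns the number of patches applied, or -1 if any offset is out of range or
 * does not hold the expected original bytes.  On -1 the image is untouched:
 * every check runs before the first write. */
static int apply_patches(uint8_t *img, size_t len, const struct patch *p, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (p[i].off + 2 > len || memcmp(img + p[i].off, p[i].orig, 2) != 0) {
            fprintf(stderr, "offset %04zX: expected %02X %02X, refusing to patch anything\n",
                    p[i].off, p[i].orig[0], p[i].orig[1]);
            return -1;
        }
    }
    for (size_t i = 0; i < n; i++) {
        memcpy(img + p[i].off, p[i].repl, 2);
        printf("%04zX: %s\n", p[i].off, p[i].what);
    }
    return (int)n;
}

/* Constructed stand-in for the module: 0x1000 bytes of 0xCC with the original
 * bytes at the four offsets.  A real run reads the module from disk (see main). */
static uint8_t *fake_module(size_t *len)
{
    *len = 0x1000;
    uint8_t *img = malloc(*len);
    if (!img) return NULL;
    memset(img, 0xCC, *len);
    for (size_t i = 0; i < NPATCHES; i++)
        memcpy(img + PATCHES[i].off, PATCHES[i].orig, 2);
    return img;
}

/* BDMaster's full list: 4 applied, 0CA8 now EB 1B, both jnz sites 90 90. */
static int demo_apply_all(void)
{
    size_t len; uint8_t *img = fake_module(&len);
    int n = apply_patches(img, len, PATCHES, NPATCHES);
    int ok = n == 4 && img[0x0CA8] == 0xEB && img[0x0CA9] == 0x1B &&
             img[0x0C7D] == 0x90 && img[0x0C92] == 0x90 && img[0x0BEB] == 0x90;
    free(img);
    return ok ? n : -2;
}

/* The three whitelist patches ucupsz reported applying; the 0BEB loop stays as is. */
static int demo_apply_whitelist_only(void)
{
    size_t len; uint8_t *img = fake_module(&len);
    int n = apply_patches(img, len, PATCHES + 1, NPATCHES - 1);
    int ok = n == 3 && img[0x0BEB] == 0x75 && img[0x0BEC] == 0xF5 && img[0x0C92] == 0x90;
    free(img);
    return ok ? n : -2;
}

/* Different build: one displacement byte differs, so nothing at all may be written. */
static int demo_reject(void)
{
    size_t len; uint8_t *img = fake_module(&len);
    img[0x0C93] = 0x17;
    int n = apply_patches(img, len, PATCHES, NPATCHES);
    int untouched = img[0x0BEB] == 0x75 && img[0x0C7D] == 0x75 && img[0x0CA8] == 0x74;
    free(img);
    return (n == -1 && untouched) ? -1 : -2;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s module.bin module_mod.bin  (running self-demo)\n", argv[0]);
        return (demo_apply_all() == 4 && demo_apply_whitelist_only() == 3 && demo_reject() == -1) ? 0 : 1;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END); long sz = ftell(f); fseek(f, 0, SEEK_SET);
    uint8_t *img = malloc((size_t)sz);
    if (!img || fread(img, 1, (size_t)sz, f) != (size_t)sz) { perror("read"); return 1; }
    fclose(f);
    if (apply_patches(img, (size_t)sz, PATCHES, NPATCHES) < 0) return 1;
    f = fopen(argv[2], "wb");
    if (!f || fwrite(img, 1, (size_t)sz, f) != (size_t)sz) { perror(argv[2]); return 1; }
    fclose(f);
    free(img);
    return 0;
}
```

The output file is the same size as the input, which is what the "Size Alert" warning in the signature is about; if a module from another BIOS build lands here, the byte check fails on the first differing site and the tool exits without writing, instead of turning a jnz into something unrelated.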
Posts: 10,272
Threads: 1
Joined: Oct 2011
Reputation:
535
OK, thanks, and I will wait for your tutorial about using the SPI programmer
without desoldering chips! (I will buy SPIPGM so I would be sure I can use it on-board as you did.)
Regards
Posts: 38
Threads: 1
Joined: Jul 2013
Reputation:
0
BDMaster,
sure... will do it.
BTW, another issue with ThinkPads starting from the T430 and later releases is the keyboard.
ThinkPad veterans like the old keyboard.
Do you know how to find which .ROM module contains the keyboard commands/mapping?
I'm thinking of swapping the .ROM module in the T420 BIOS with the .ROM module in the T430.
I want to see if that might enable the full T420 keyboard on T430 hardware.
(04-11-2014, 01:20 AM)BDMaster Wrote: OK, thanks, and I will wait for your tutorial about using the SPI programmer
without desoldering chips! (I will buy SPIPGM so I would be sure I can use it on-board as you did.)
Regards