[REQUEST] Whitelist wifi removal for T430 - got hardware flash programmer.
#11
(01-19-2014, 02:04 PM)Symbiot Wrote: There's a new bios out..

2.58.1.14

any chance the new bios can be modified to clear the whitelist?


The newest bios can be downloaded here:

http://download.lenovo.com/ibmdl/pub/pc/...uj12us.exe

would be truly appreciated!
#12
Need help with removing the White List Wi-fi adapter. BIOS dump shot by FPT_BACKUP-BIOS, link to dump http://rghost.ru/52375108

Please help! Thanks in advance!
#13
I need a whitelist-removed BIOS for T430s. Where can I get this?
#14
hi Sovem..
i'm back Smile
i tried to do the whitelist removal myself, but still no success. Big Grin
i hope you can shed some light to me on the process...

so, from my understanding through google thread in MDL forum, needed tools are:
- phoenixtools from andyp. i used the latest version. as per 29-march-2014, latest version is 2.51.
- rweverything. one post suggests that this report is only needed for SLIC modification, not for whitelist removal.
- hex editor. i use Neo Hex Editor.
- disassembler (??) for whitelist check procedure removal/alter.
- phxnpatch.exe

so what i did so far:
- download latest T430 bios from http://download.lenovo.com/ibmdl/pub/pc/...uj31us.exe and extract by clicking the exe.
- open $01D2000.FL1 through phoenixtools, then got "DUMP" folder
- search through "Find in Files" menu in Neo Hex Editor for "8680850086801113". (it is the hardware id for one of the intel wifi cards)
it was found in the following files:
- "79E0EDD7-9D1D-4F41-AE1A-F896169E5216_2211.ROM"
- "BIOS\BIOS2208.BIOS"
- "BIOS\BIOS9.BIOS"
from here i got lost. Smile)

what i understand from some posts, the first file (.ROM file) needs to be modified in the checking procedure.
i tried the phxnpatch.exe method, but found it matched none.
so the other method should be using a disassembler.
tried IDA, but i couldn't open it in its assembly language format.
any suggestion how to open it in IDA? or perhaps you have an alternative disassembler for this task?

thanks in advance for your help.
---------------------------
edit on 20140331:
- finally able to open the "79E0EDD7-9D1D-4F41-AE1A-F896169E5216_2211.ROM" using 64bit version of the software.
#15
Ok I was interested in all experiments to reflash bios in Eeprom by SPI Programmer,
so I followed the discussion of T530 and U :

"I will ask the guy who flashed with HW programer.
I send him an e-mail when I got the response I will post it.
thanks for your effort, however after sending my previous reply on your post,
i've got an idea to compare file provided with whitelist removed from this forum,
back-up from fpt64.exe and back-up from my flash programmer.
based on back-up from my flash programmer, i cut the file from first offset to 00300000.
the resulted file size is the same between those 2 files.
so i write to the ROM.
at first i got verification failed after writing to ROM.
then i decided to erase, blank check, then write again."

There was a wonderful Guide to use SPI PGM here :

http://www.bios-mods.com/forum/Thread-TU...ware-Flash

And here I started to write about Whitelist removing :

http://www.bios-mods.com/forum/Thread-He...-whitelist

I followed the discussion with Kenmod and I found some interesting things about the bios file to write into Eeprom. It's all knowledge from Sovem, not mine, and I didn't spread it.
I can explain how to extract your decapsulated bios from the original capsulated one, as I wrote a dirty Guide here and CodeRush has done a tool :

http://forums.mydigitallife.info/threads...post884317

http://rghost.net/52544682

It's important to extract the Decapsulated Original Bios, as the original Capsulated one will brick the laptop. Once You have got the Decapsulated one, You can try to reflash it (if your Eeprom does not have write protection active - error 280) by Recovery Mode or FPT using the prr tool.
So many times it's preferable to do a Bios Backup by FPT or Universal Bios Backup 2.0 and operate on It to mod, then use it to reflash.
In Your case, where the Eeprom is locked, It needs the SPI PGM to write directly into the chip, and the file to use is a little bit different than the backup file (I looked with Kenmod files and can explain in PM).
I have got only two congratulations in Bios Mod Programming one from Donovan6000 and one from Sovem and I am proud of them.
I would ask some about your SPIPGM as I had read that You did program chip directly on board and only few guys could do it.

"i've done the flashing couple months ago using GQ-4X flash programmer bought from mcumall_dot_com.
got the modified BIOS from another forum.
the modified bios' size was bigger than the one that i got from backing-up using 'fpt64.exe' tool.
so i compared both files and cut the modified file to get same file size.
then successfully flashing with GQ-4X.
now my hackintosh on T430 can browse using any wifi card.
i didn't desolder the chip. just clipped the chip with POMONA SOIC."

So I would know about It, please as I would buy it too !

Sovem is the best programmer I have met in Slic and Whitelist mod, so if You want to talk about this with her I will be glad to participate !
I will ask You if You still have these files (backups and Sovem to flash) to analyze them and compare with Kenmod too.
Let me know what do You think.
Regards

Your Brain . . . . It's the best tool U can use ! Wink
Don't FLASH the Bios Mod if You get a Size Alert, You risk a Brick !!!
Donate to me for my work, click here BDM
#16
hi BDMaster,
thanks for replying.
regarding my problem with opening the *.ROM with IDA, it's about the version of IDA. i need to open it using the 64-bit version of IDA.
then using the default options provided by the open dialog form, the file is successfully opened.
however i'm stuck in understanding which part needs to be modified. LOL
i'll write more on that problem later, including your question to my previous attempt to flash into the ROM.
need to deal with my kids first. Smile
#17
hi BDMaster,
below is how i did the flashing. however, it's not too detailed.
also, it's already long time ago, can't remember the detail.
1. back-up the bios from the T430 system board using tools provided in this forum.
it will also list the chip for bios.
in my process, i use flash programmer backup rather than back-up from this step.
2. disassemble the T430 as per HMM, the bios chip is located in the area under the touchpad.
see below pic:
[Image: 9365368255_86206dc0b1.jpg]
3. connect the flash programmer to the bios chip using SOIC as per below image:
[Image: 9369826033_baeed4d59e.jpg]
4. access bios on the chip using flash programmer, make a backup.
compare the backup with the one that given by sovem in this thread.
i used HexD (free) to compare and cut the sovem's bios file.
i cut the file from first offset to 002FFFF0.
see below image for reason why i cut those part.
you may compare it yourself too.
[Image: 9368144944_0609dd7689.jpg]
[Image: 9368145780_738d4665ac.jpg]
[Image: 9365364025_71fbf502fe.jpg]
both files will result in same size.
[Image: 9372741292_4e3a5d5586.jpg]
5. flash the cut file to the bios chip, consult the hardware manual.
do the write and verify process.
at that time, my first try failed.
then i changed some setting (afair, it's about writing speed),
then do the erase and blank test (??? Big Grin)
then retry to write and verify. success.
[Image: 9372582730_e1f56c59ec.jpg]
6. reassembled the unit and installed the broadcom wifi card.

this is my disclaimer: Tongue
again, it's quite long time ago, so i can not remember the details.
*pardon my laziness to document the process Big Grin*
if i can remove the whitelist on latest bios, i will try this again and be more specific for the process.
#18
Ok IDA Pro I think It's the only version that worked for all !
You have to use the 64 bit version to open the right module (.ROM). Before that, We have
to extract this or these (many) using PMTool here :

http://forums.mydigitallife.info/threads...EFI-BIOSes

I am using it and Andy did some corrections on my request, or using UEFI tool (wonderful prog generated by the genius mind of CodeRush) It can do the same work, but does not make Slic or Other functions.
I use It when PMTool cannot repack the bios Structure, so It can extract modules too and You can get a PE32 to pass to IDA Pro.
It gives much information about the Bios (Capsuled, Regions, Size etc.), so to check a bios It is the best one ! here (You'll find a CodeRush tool to extract the bios Decapsulated too, He did it for me based on a Dirty Guide of mine) :

http://forums.mydigitallife.info/threads...and-editor

http://forums.mydigitallife.info/threads...tor/page12

Then, using PMTool You'll get a copy of the bios and all modules extracted in the DUMP folder so You can copy these from there and edit.
PMTool can open .exe too and repack it automatically, but I prefer to unpack all, check and verify, then repack or use by InsydeFlash or FPT Intel tool.
So for Setuputility (PE) You can look into the DUMP folder to find a module which ends with 670_xxxx.ROM , but your new bios is not EFI, indeed it is pure UEFI !
So There isn't a Setup Browser, but a SystemFormBrowserCoreDxe.efi and It works differently.
So we can only try to find the Whitelist module and We have two ways, either by
PCI\VEN_14E4&DEV_4727&SUBSYS_145C103C&REV_01

Means:
Vendor: 14E4
Device: 4727
SUBSYS: 145C103C

As You done :

so what i did so far:
- download latest T430 bios from http://download.lenovo.com/ibmdl/pub/pc/...uj31us.exe and extract by clicking the exe.
- open $01D2000.FL1 through phoenixtools, then got "DUMP" folder
- search through "Find in Files" menu in Neo Hex Editor for "8680850086801113". (it is hardware id for one of intel wifi card)
it found on the following files:
- "79E0EDD7-9D1D-4F41-AE1A-F896169E5216_2211.ROM"
- "BIOS\BIOS2208.BIOS" This is a Chunk of Bios
- "BIOS\BIOS9.BIOS" This is a copy of Whole Bios
from here i got lost. Smile)

And You did find this module :

79E0EDD7-9D1D-4F41-AE1A-F896169E5216_2211.ROM LenovoWmaPolicyDxe.efi

Or We can find Text Error which are displayed when You change the WLAN / WWAN Card into laptop and try to boot as :

“Unauthorized Wireless network card is plugged in Power off and remove it”

“Unauthorized WWAN network card is plugged in Power off and remove it”

So here the big expert in Whitelist is Sovem for me, but FjFc too and I would invite them too into discussion.
i will try to find all modules involved in the Whitelist Lock to show you how to !
When We have got the modules inquired, We have to disassemble them and find where the locks are to remove them !
It's assembly game then . . .

For IDA Pro You have to choose the 64 bit and run It, then select the module which You want to disassemble and choose Intel 80x86 processor Metapc as Processor Type and set it, then OK and You'll be in IDA !
Then is another story . . .

Your Brain . . . . It's the best tool U can use ! Wink
Don't FLASH the Bios Mod if You get a Size Alert, You risk a Brick !!!
Donate to me for my work, click here BDM
#19
Let's do a backup use this tool FPT and upload result so We can look better and have a bios backup to use for mod :

http://rghost.net/52417082

Regards

P.S. If You have old biosbackup and Sovem mod files, Can You upload here, please ?
I would to ask where You bought your SPI Programmer and how much cost it ?
. . . none is interesting to us (Sovem and FjFc ?!?)

This is your Whitelist complete present into your module,
79E0EDD7-9D1D-4F41-AE1A-F896169E5216_2211.ROM LenovoWmaPolicyDxe.efi :

Whitelist :

PCI\VEN_8086&DEV_0089&SUBSYS_13118086
8680890086801113
USB\VID_8086 USB\VID_8086&PID_0187
8680870100000000
PCI\VEN_8086&DEV_4238&SUBSYS_11118086
8680384286801111
PCI\VEN_8086&DEV_4238&SUBSYS_11188086
8680384286801811
PCI\VEN_8086&DEV_0085&SUBSYS_13188086
8680850086801113

8680850086801813
PCI\VEN_10EC&DEV_8176&SUBSYS_819510EC
EC107681EC109581

8680910886802242

E4145843E4144305

8C162B00AA17A130

9517200700000000

9517150700000000

9517220000000000

EE101220EE100900

EE101320EE100900

86808F0886806042


WLAN / WWAN Card = 8680850086801113

PCI\VEN_8086&DEV_0085&SUBSYS_13118086&REV_34

Means:

Vendor: 8086
Device: 0085
SUBSYS: 13118086

WLAN / WWAN Card = EC107681EC109581

PCI\VEN_10EC&DEV_8176&SUBSYS_819510EC

Means:

Vendor: 10EC
Device: 8176
SUBSYS: 819510EC

You can complete the description above. Many times It's enough to change the PCI\VEN data at the same offset address and You can mount your Pci Card without problem, but to unlock completely We have to find where the code is checking for the Cards data.

This is the error that generate bad PCI Card :

.text:000000000000171D loc_171D: ; CODE XREF: sub_1660+AFj
.text:000000000000171D mov rdx, 8000000000000007h
.text:0000000000001727 cmp rcx, rdx
.text:000000000000172A jnz short loc_1738
.text:000000000000172C lea r9, aDeviceError ; "Device Error"
.text:0000000000001733 jmp loc_1934

So You understand how important is to look for the right things in any place !
Now Disassemble the module and start from Proc 0x0b10 and We have to find the locks jz, jnz,
or for the loops as many times It can stop to work the laptop forcing to restart it as here :

.text:0000000000000BE2 loc_BE2: ; CODE XREF: sub_B10+DBj
.text:0000000000000BE2 mov eax, [rsp+88h+arg_18]
.text:0000000000000BE9 test eax, eax
.text:0000000000000BEB jnz short loc_BE2

Regards

Your Brain . . . . It's the best tool U can use ! Wink
Don't FLASH the Bios Mod if You get a Size Alert, You risk a Brick !!!
Donate to me for my work, click here BDM
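
The 8-byte values in the post above are the hardware IDs with each 16-bit field stored little-endian (vendor, device, subsystem vendor, subsystem ID). The Python below is an added example, not code from the thread or from any tool named in it; it converts between the two notations and locates records in a dump, so a module can be checked against the cards it lists. The function names, the constructed `SAMPLE` bytes and the rule that zero subsystem words mean a USB entry are assumptions.

```python
import re
import struct

# Hardware-ID strings as written in the thread, e.g. PCI\VEN_8086&DEV_0085&SUBSYS_13118086
PCI_ID = re.compile(r"PCI\\VEN_([0-9A-F]{4})&DEV_([0-9A-F]{4})&SUBSYS_([0-9A-F]{8})", re.I)


def hwid_to_record(hwid: str) -> bytes:
    """Encode a PCI hardware ID as the 8-byte little-endian record seen in the module."""
    m = PCI_ID.search(hwid)
    if m is None:
        raise ValueError(f"not a PCI hardware ID: {hwid!r}")
    ven, dev, subsys = (int(g, 16) for g in m.groups())
    # SUBSYS is written <subsystem id><subsystem vendor>; the record stores the vendor first.
    return struct.pack("<HHHH", ven, dev, subsys & 0xFFFF, subsys >> 16)


def record_to_hwid(rec: bytes) -> str:
    """Decode one 8-byte record back into a hardware-ID string."""
    if len(rec) != 8:
        raise ValueError("a record is exactly 8 bytes")
    ven, dev, sub_ven, sub_id = struct.unpack("<HHHH", rec)
    if sub_ven == 0 and sub_id == 0:
        # Assumption: zero subsystem words mark a USB VID/PID entry, as the
        # one labelled USB entry in the post suggests.
        return f"USB\\VID_{ven:04X}&PID_{dev:04X}"
    return f"PCI\\VEN_{ven:04X}&DEV_{dev:04X}&SUBSYS_{sub_id:04X}{sub_ven:04X}"


def find_records(blob: bytes, hwids):
    """Return {hardware ID: [offsets]} for every occurrence of each ID's record in blob."""
    hits = {}
    for hwid in hwids:
        rec, offsets = hwid_to_record(hwid), []
        pos = blob.find(rec)
        while pos != -1:
            offsets.append(pos)
            pos = blob.find(rec, pos + 1)
        hits[hwid] = offsets
    return hits


# Constructed sample: 16 filler bytes, three records quoted in the thread, 8 zero bytes.
SAMPLE = bytes([0xFF] * 16) + bytes.fromhex(
    "8680850086801113" "EC107681EC109581" "8680870100000000") + bytes(8)

if __name__ == "__main__":
    for off in range(16, 40, 8):
        print(f"{off:#06x}  {record_to_hwid(SAMPLE[off:off + 8])}")
```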
#20
hi BDMaster,
sorry for late response.
this is the file that i got from sovem.
T430_G1ET41WW_NWL_ucupsz.rar
this is the backup of latest bios update that installed in my T430:
http://www.sendspace.com/file/cc742z
this is the link of that source:
http://download.lenovo.com/ibmdl/pub/pc/...uj31us.exe
i bought my flash programmer from mcumall.com
i'm aware that we have 2 possible ways to install a wwan/wlan card that is not in the whitelist:
- replace the ones that are in the whitelist, or
- alter the logic for checking procedure.
the 2nd option will be the most ideal way for the solution.

(04-01-2014, 02:29 AM)BDMaster Wrote: This is the error that generate bad PCI Card :

.text:000000000000171D loc_171D: ; CODE XREF: sub_1660+AFj
.text:000000000000171D mov rdx, 8000000000000007h
.text:0000000000001727 cmp rcx, rdx
.text:000000000000172A jnz short loc_1738
.text:000000000000172C lea r9, aDeviceError ; "Device Error"
.text:0000000000001733 jmp loc_1934

So You understand how important is to look for the right things in any place !
Now Disassemble the module and start from Proc 0x0b10 and We have to find the locks jz, jnz,
or for the loops as many times It can stop to work the laptop forcing to restart it as here :

.text:0000000000000BE2 loc_BE2: ; CODE XREF: sub_B10+DBj
.text:0000000000000BE2 mov eax, [rsp+88h+arg_18]
.text:0000000000000BE9 test eax, eax
.text:0000000000000BEB jnz short loc_BE2

Regards
is the above code coming from disassembling 79E0EDD7-9D1D-4F41-AE1A-F896169E5216_2211.ROM? seems i can't find that.
what i got is these:
- i looked for "1802 unauthorized ..." message, then i got it in a sub procedure (sub_9FC).
i thought it's the sub procedure that generates the error message.
so i tried to check which sub procedure is calling that.
from the "function calls" tool (ctrl+F12), i got the sub procedure that is calling the error generator (sub_B10).
- then got lost from there. Big Grin
IMO, we need to alter some command or logic in that sub procedure.
below is the screenshot that i got illustrating the above process.
[Image: 13570783705_662fc36888.jpg]
[Image: 13570838743_97591cbd1e.jpg]
is there a way to input some hardware id then see how the procedure works...?