[Request] ROG Strix G15 Advantage Edition G513 (AMD)
#61
We know this, but the problem is to get a BIOS dump: the chip is unknown to the software, and I tested some "compatible" chips but no chance so far. It looks like this BIOS chip has some authentication security features.
I hope that our big players are able to help us.
#62
Welcome to this growing thread XBlaster & Shadowdane and hello all,

I found the documentation for this BIOS chip again. Here is a link for all to reference: https://static6.arrow.com/aropdfconversi...20reva.pdf . It is 31 pages, but we'll probably mostly be looking at the authentication section, as jeanlegi has noted.

The pins section would be a good reference so that we are sure we are connecting the right pins together (BIOS SPI pinouts tend to be pretty standardized, so this probably isn't an issue but it would be great if someone could compare the CH341A pins to the BIOS chip pins).

For reference, from post #22, we know that the BIOS chip model number is Winbond 74M12JWPIQ/2111/6108/M0058 .

Right now, we need to familiarize ourselves with the authentication method that this chip uses. Maybe we can brainstorm (or Google search) a way to bypass this protection. I've never done this before, so this should be interesting.

Not sure if we'll get it in the end, but we are getting closer everyone (6 people now!!). Let's do this!

Smile Hi there! Please consider making a donation if my BIOS mod has helped you. This allows me to purchase new BIOS mod testing hardware so that I can offer new types of mods. Thank you! ->Donate via PayPal here<- Smile

Also, please feel free to PM me if I have not replied again about your BIOS mod request after 5 days.
#63
Okay, so the authentication process seems pretty complete and difficult to bypass (speaking as someone with security knowledge but zero experience attempting to bypass these types of mechanisms). I've read articles about people bypassing similar but less complete kinds of security mechanisms before to bypass laptop battery whitelists (yes, they exist unfortunately), but I lack the skills to do so by myself.

However, there are two different cases that the authentication requirements could apply to:
1.) Microprocessor/CPU attempts to read/write the BIOS chip. This almost certainly makes use of the authentication procedure, with Asus providing any relevant signing of BIOS updates.
2.) Hardware programmer attempts to read/write the BIOS chip. I know the documentation says "SPI device" but I think this could refer to the CPU as well if it uses the "SPI interface" to interact with the BIOS chip. If the authentication procedure does not apply here, then I think I know how to read/write the BIOS.

This is from Winbond's documentation for this chip:
Code:
- 5 -
PIN DESCRIPTIONS
Chip Select (/CS)
The SPI Chip Select (/CS) pin enables and disables device operation. When /CS is high the device is
deselected and the Serial Data Output (DO, or IO0, IO1, IO2, IO3) pins are at high impedance. When
deselected, the device's power consumption will be at standby levels unless an internal erase, program or
write status register cycle is in progress. When /CS is brought low the device will be selected, power
consumption will increase to active levels and instructions can be written to and data read from the device.
After power-up, /CS must transition from high to low before a new instruction will be accepted. The /CS
input must track the VCC supply level at power-up and power-down (see "Write Protection" and Figure 10a
& 10b). If needed a pull-up resistor on the /CS pin can be used to accomplish this.

I found a page about pull-up and pull-down resistors: https://learn.sparkfun.com/tutorials/pul...istors/all

It seems that resistors can modify the voltage on the /CS pin to meet the requirements for reading from/writing to the device. Regardless of authentication requirements, this is going to be one of our requirements (crossing fingers that this is all we have to do). Please see page 5 of the BIOS chip documentation for a BIOS chip pinout. Descriptions of the pins are on the next page if you are curious.

I imagine we will be using a pull-up resistor. The resistor will have a button on it. When this button is not pressed, the resistor connects the /CS pin to the VCC pin, bringing up /CS's voltage to near VCC's (in other words, putting it in a "high" state). When the button is pressed, the resistor connects the /CS pin to the GND (ground) pin, which lowers the voltage on the /CS pin (in other words, putting it in a "low" state). When the voltage goes from a high state to a low state after power up (whatever "power up" means in this case - probably connecting the flash programmer or plugging in the computer), then read/write operations are allowed because the internal mechanisms in the BIOS chip allow it to use enough power to work properly.

I believe this is the way we read/write data from the BIOS chip in any useful manner. I'm going to continue doing research on this. Hopefully this is the only thing we have to do.

If anyone is a regular hardware modifier/specialist/electrician and/or knows about this stuff, any input would be greatly appreciated!

#64
Can't we use IDA Pro to disassemble the installer for the BIOS, or the BIOS itself? Maybe we could try and sign it so it runs modified.

Or find a leaked version of the most recent AMIBCP?

I heard Gigabyte's servers got hacked, and there was some AMI stuff leaked; maybe we could find something there.
#65
(10-06-2021, 12:29 AM)XBlaster Wrote: Can't we use IDA Pro to disassemble the installer for the BIOS, or the BIOS itself? Maybe we could try and sign it so it runs modified.

Or find a leaked version of the most recent AMIBCP?

I heard Gigabyte's servers got hacked, and there was some AMI stuff leaked; maybe we could find something there.

Wow, 112GB of documents. That's wild. Assuming accuracy of the article I read, that data is in the hands of those who stole it, so we can't use it.

The problem that we are facing right now is that we will not be able to flash any BIOS mods without a hardware programmer. Only unlike all other cases I've seen, the hardware programmer cannot properly read the BIOS chip (we get some version of garbage each time we attempt it). If we can't read the chip, I certainly wouldn't trust the programmer to write to it without a brick occurring. Once we can reliably read the BIOS chips and I have good BIOS dumps, I will immediately provide mods for all 6 requesters in this thread.

Thanks to the Winbond document, we know of 1 or 2 protection mechanisms that are preventing us from reading from/writing to the BIOS chip properly - the first being that we need to modulate the voltage from high to low on the /CS pin and the second possibly being an authentication mechanism (hopefully for our purposes Asus did not make use of this mechanism). I am going to continue doing research on the pull-up resistor and how we might use it in tandem with the CH341A setup before suggesting next steps for obtaining BIOS backups.

It would be awesome if we could simply sign a BIOS update ourselves, but as far as I know, to do that we would need to have Asus's private key, which is probably at least 256 bits in length, making it prohibitively difficult to brute force. All computer security systems have vulnerabilities - without exception - but I do not presently know how to bypass anything involving private key cryptography - so hopefully we aren't dealing with this.

#66
We would need to analyze how the key is used and where it could be stored; maybe use rainbow tables. It's worth a try. Maybe it's 256, maybe it's not, and if it is, we could set up a multiple-machine setup to crack that hash, given time.

There is a forum where the leaked data is being distributed. I could attempt to download it, but I need to make a virtual machine or something cuz I don't really trust the leaks.
#67
(10-07-2021, 05:10 PM)XBlaster Wrote: We would need to analyze how the key is used and where it could be stored; maybe use rainbow tables. It's worth a try. Maybe it's 256, maybe it's not, and if it is, we could set up a multiple-machine setup to crack that hash, given time.

There is a forum where the leaked data is being distributed. I could attempt to download it, but I need to make a virtual machine or something cuz I don't really trust the leaks.

Yeah, if we are going to have to crack authentication, I think a great place to start would be to very seriously study how it works in the documentation - learn it inside and out. I don't know how much I can contribute here, but if it comes down to it, I will do what I can even if that is just summing up the info in the document concisely and pointing to areas that I think could be attacked.

But before we get into that, we should experiment with a pull-up resistor that has a button. In the next few days, I will get to actually looking up examples of their use, examples that could help guide us in modulating the voltage on the /CS pin from high to low to allow the BIOS chip to use the voltage it needs for properly reading from/writing to the chip.

The backups that I have gotten thus far are indeed the proper 16MB in size but seem to have very little actual data in them. They consist primarily of large sequences of contiguous FF bytes, intermittently interrupted by small, contiguous, non-FF regions of data or garbage - either of which is probably indicative of a lack of necessary power (or an inconsistently adequate supply of power) for a read operation.

Once we get a backup with the proper setup, I imagine we will have a lot more insight into if/how encryption is working against us here. Hopefully it isn't. I'll post more info in the next day or two, but please feel free to post examples of pull-up resistors being used in the manner I described in Post #63.

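Post #67 describes dumps that are the right 16 MB size but consist mostly of contiguous 0xFF runs with small islands of garbage, and suggests that an unreliable read rather than real content is the likely cause. A sanity check before trusting (or flashing back from) a dump is to measure the 0xFF fraction, profile the dump block by block, and compare two independent reads of the same chip: blocks that change between reads are noise, not firmware. The script below is an added example written for this thread, not code from the thread or from any programmer tool; the two sample dumps are constructed in memory (a real run would `open(path, "rb").read()` the files the programmer produced), and the 95% threshold is an assumption chosen for illustration.

```python
"""Sanity-check SPI flash dumps before trusting them (added example, not from the thread)."""
import hashlib
import math
import random
from collections import Counter


def ff_ratio(data: bytes) -> float:
    """Fraction of bytes that are 0xFF (the erased state of NOR flash)."""
    return data.count(0xFF) / len(data) if data else 0.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; an all-0xFF block is 0.0, random data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def block_profile(data: bytes, block_size: int = 4096):
    """Per-block (offset, ff_ratio, entropy) so islands of non-FF data can be located."""
    return [(i, ff_ratio(data[i:i + block_size]), shannon_entropy(data[i:i + block_size]))
            for i in range(0, len(data), block_size)]


def compare_reads(a: bytes, b: bytes, block_size: int = 4096):
    """Offsets of blocks that differ between two reads of the same chip."""
    if len(a) != len(b):
        raise ValueError("reads differ in length")
    return [i for i in range(0, len(a), block_size) if a[i:i + block_size] != b[i:i + block_size]]


def assess_dump(reads, expected_size: int, block_size: int = 4096, max_ff_ratio: float = 0.95):
    """Verdict on a set of reads: wrong size, mostly erased, or unstable between reads.

    max_ff_ratio is an assumed threshold; real firmware images still contain
    large 0xFF padding regions, but not 95% of the chip.
    """
    findings = []
    first = reads[0]
    if len(first) != expected_size:
        findings.append(f"size {len(first)} != expected {expected_size}")
    ratio = ff_ratio(first)
    if ratio > max_ff_ratio:
        findings.append(f"{ratio:.1%} of bytes are 0xFF; looks erased or not actually read")
    unstable = set()
    for other in reads[1:]:
        if len(other) != len(first):
            findings.append("a repeated read has a different length")
            continue
        unstable.update(compare_reads(first, other, block_size))
    if unstable:
        findings.append(f"{len(unstable)} block(s) differ between reads; the programmer is not reading reliably")
    return {
        "ok": not findings,
        "ff_ratio": ratio,
        "unstable_blocks": sorted(unstable),
        "findings": findings,
        "sha256": hashlib.sha256(first).hexdigest(),
    }


def make_sample_bad_dump(size: int = 64 * 1024, seed: int = 1) -> bytes:
    """Constructed: mostly 0xFF with a few 64-byte garbage islands, like the thread's dumps."""
    rng = random.Random(seed)
    buf = bytearray(b"\xff" * size)
    for _ in range(6):
        start = rng.randrange(0, size - 64)
        buf[start:start + 64] = bytes(rng.randrange(256) for _ in range(64))
    return bytes(buf)


def make_sample_good_dump(size: int = 64 * 1024, seed: int = 2) -> bytes:
    """Constructed: pseudo-random bytes standing in for a real, stable firmware image."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(size))


if __name__ == "__main__":
    # Two "reads" of a flaky chip: different seeds model garbage that changes between attempts.
    bad = assess_dump([make_sample_bad_dump(seed=1), make_sample_bad_dump(seed=3)], 64 * 1024)
    good = assess_dump([make_sample_good_dump(), make_sample_good_dump()], 64 * 1024)
    for name, verdict in (("flaky", bad), ("stable", good)):
        print(name, "OK" if verdict["ok"] else "SUSPECT", verdict["findings"])
```

Two reads that agree byte for byte and have a plausible 0xFF fraction are the minimum bar before a dump is used as a baseline for modding; the per-block profile also shows whether the non-FF islands sit at fixed offsets (possible real regions) or wander between reads (noise).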
#68
Hello everyone,

Apologies for the delays.

For those still interested in this BIOS mod, the first (and hopefully only) thing we are going to need to do is to modulate the voltage on the /CS pin from a high state to a low state during power on using a pull-up resistor to cause the BIOS chip to draw enough voltage to enable read/write operations via an SPI flash programmer (the CH341A).

At first, I thought that it might be difficult to do this as the pins are small (not tiny like many other chips on the motherboard, but still very little wiggle room). Fortunately, the 3 pins we need to connect together are on 3 of the edges of the BIOS chip.

The pull-up resistor, which has a button, will be attached to a breadboard, as will the resistor, to simplify things. The resistor - without the button pressed - will initially connect the /VCC (power) pin to the /CS (let's call it the "input" pin to match up with diagrams from guides) to put the /CS pin in a high voltage state. On power up, the button will be pressed to connect the /CS pin to the /GND (ground) pin instead. This will bring the /CS pin to a low voltage state, which is the parameter required for allowing read/write operations to take place.

I will post more information this week, hopefully sooner rather than later. Please let me know if you are still interested. I am still learning this stuff myself.
