Login

**jkbuha** · 02-05-2012, 12:41 PM

(02-01-2012, 07:10 PM)AHMED HOSSAM Wrote: i will make another 2 or 3 mods now for the Jkbuha to try as i have disassembled his module and managed to do some changes in it ......... then i will make all mods into your modules to try if you want that .

Hey Ahmed hope you're well Smile

Just a quick heads up to let you know that a new version of the 15z BIOS came out today (A09) but there were no changes in the setup module CFEF94C4-4167-466A-8893-8779459DFA86_1_1048.ROM - so that means that we can continue making changes on the same file Smile

Let me know if/when you have any new mods to test!

Cheers
jkbuha

**AHMED HOSSAM** · 02-06-2012, 12:37 AM

Hi All ,

I will be busy for the next 2 or 3 days and have just uploaded all finished mods for requests in PHOENIX section for this reason ...... aslo i don`t want you to wait for me .... we all will solve this and unlock the BIOS soon , i`m sure from this .

here is somethings to try :-

---This is where menus are initialized in Jkbuha`s BIOS ........ the first marked instruction is the one calling the ADVANCED tab ( which has disappeared as i noped this instruction ) .
and the second marked one is a menus as well but haven`t tried noping this instruction to knew what menu is it .

--------- i think you see that after these instructions is lea instruction for CFEF94C4.......etc which is the name of your setup module ! Big Grin

-------------

[Image: uefisetup1.png]

---------- double click on the advanced menu instruction ( double click on the qword_3FB90 ) then you will be directed to this pic .

-- the q_word marked by yellow is the advanced menu and the one above it is the other menus which i don`t knew its name .

-- the other q_word found under the advanced menu ....... some of them are menus and the others are not .

[Image: uefisetup2.png]

------- then you will go down slowly and find more q_word which some of them are menus till you reach the UNICODE and sure this is not a menu .

-- the next two q_word after the UNICODE string may be menus .......... but after these 2 you will not find any valid things for menus .

[Image: uefisetup2.png]

what i`m managing to do is replacing the ADVANCED tab calling instruction :-

at offset 414A0

lea rcx , qword_3F9B0

replace the 3F9B0 with another one from what we have found in this pic :-

[Image: uefisetup2.png]

for example we the 3F9B0 with 3F9A0 or 3FA00 or any other one .
if we replaced the ADVANCED tab with a hidden tab , the hidden tab will appear and we get this BIOS unlocked .

sure the final mod will not replace the ADVANCED tab but we try first to see the hidden menus .

for you KASAR , you setup utility has the same structure but not the same offests , its easy to try it as well .

i will be back in 3 days to continue with you , and post any results here to let me knew any news .
aslo , you are free if you want to wait for me to modify it but i told my self that i don`t want you to wait more time Smile

**kasar** · (This post was last modified: 02-07-2012, 07:17 AM by kasar.)

@ahmed

well, I will wait for you ^_^
thanks to you, we did huge progress, also to be honest I dont have to many idea about those stuff, thats why I still need you Big Grin

question: what version of IDA software are you using? also,free or non free version?
(It looks a bit difficult to use anyway :o)

oh, I noticed about another file wich can be opened with the phoenix slic tool

it is 4A538818-5AE0-4EB2-B2EB-488B23657022_0_4.ROM

Since my bios seems like a tree extructure, making neccesary to unpack and repack everything in order, this is the current bios extructure I discovered for the moment.

[Image: biose.png]

**jkbuha** · 02-07-2012, 05:27 AM

Hey Ahmed

Thanks for the useful info. Unfortunately replacing lea rcx , qword_3F9B0 with the following offsets:

qword_3F9C0
qword_3FA00
qword_3FA90
qword_3FAC0

successfully removed the Advanced Menu, but did not replace it with anything else! So all that changed was that the Advanced Menu disappeared, leaving only the remaining menus.

Any thoughts?

Cheers
jkbuha

**AHMED HOSSAM** · 02-07-2012, 06:15 AM

after replacing the call of the advanced menu to a call for another qword_xxxx ...... have you made sure its called correctly in the file by disassembling it again to see if the call was replaced correctly !

after you replace bytes and save the file ..... disassemble it using IDA to see if the call was correctly replaced and the new call points to the correct offset you need .

**jkbuha** · 02-07-2012, 07:19 AM

(02-07-2012, 06:15 AM)AHMED HOSSAM Wrote: after replacing the call of the advanced menu to a call for another qword_xxxx ...... have you made sure its called correctly in the file by disassembling it again to see if the call was replaced correctly !

after you replace bytes and save the file ..... disassemble it using IDA to see if the call was correctly replaced and the new call points to the correct offset you need .

Yes I did - in IDA in fact. It's quite easy to do so (and check).
Unfortunately no success with unlocking the menu!

I also tried the same approach on offset 414c8 (lea rcx, qword_3F9A0) but same thing (Advanced Menu disappears).

**AHMED HOSSAM** · (This post was last modified: 02-07-2012, 07:28 AM by AHMED HOSSAM.)

Hmmmm, seems more complex than i have expected.
I will look into this when I'm back home in 2 days.

Another thing , try noping the other call for the offest you are using.
For example, you replaced advanced with another qword, this qword was called from another routine, nop this call and make it only called from one routine .

**jkbuha** · 02-07-2012, 08:22 AM

(02-07-2012, 07:25 AM)AHMED HOSSAM Wrote: Hmmmm, seems more complex than i have expected.
I will look into this when I'm back home in 2 days.
Another thing , try noping the other call for the offest you are using.
For example, you replaced advanced with another qword, this qword was called from another routine, nop this call and make it only called from one routine .

Not sure I've understood that, but I'll have a play about and see what happens.

On a related note, something just occurred to me. Surely there must be a way to load the BIOS in an emulator/simulator such as what we do in Vmware/Virtualbox? Any thoughts or ideas?

Cheers
jkbuha

**kasar** · 02-07-2012, 08:41 AM

(02-07-2012, 08:22 AM)jkbuha Wrote: On a related note, something just occurred to me. Surely there must be a way to load the BIOS in an emulator/simulator such as what we do in Vmware/Virtualbox? Any thoughts or ideas?

yeah, I also though about that, it will decrease the risk since the number of flashes would drastically reduced, and also it would be faster while testing stuff,also would be really usefull to test custom menus, however not sure if there is already something like that avalible, googled several times for it and didnt found anything even similar.

maybe it could be a way to replace vmware stock BIOS with ours, but probaly not easy as it has been said.

well, I heard phoenix bios editor software had a feature to edit and test bios menus, the bad news is that i never got PBE working with my bios :o

ScruffyITA · 02-07-2012, 08:53 AM

hi, im the owner of a l502x that is mentioned on ur topic so i picked up the 550 bios mod and flashed. all was ok under windows. pc rebooted and the flash program popped up normally, so the programming process was all quite good. after 5 seconds pc rebooted and nothing happened. the caps led is on, screen is off and the fan speed is stuck at 100% and pc is frozen. any suggestion on how to rcover it?

Login
Username:
Password:	Lost Password?
	Remember me