Login

**jkbuha** · (This post was last modified: 02-22-2012, 12:52 PM by jkbuha.)

Hey Ahmed

Hope you're well. Have you had time to peek at the ROM?
I've spent some time this afternoon, and I think we're getting closer, but I need your help with something:

off_41504:
lea r9, off_310c0 <- possible index table?
lea r8, off_3e0 <- string index to all "Advanced" settings
lea rdx, qword_2f0 <- another possible table?
lea ecx, [rbx+2] <- rbx is set to arg_0 at the beginning of the subroutine

From your experience, how are the index tables usually set up, and how long would they be as a sequence in the file? Would it make sense to modify off_310c0 or qword_2f0 (or the locations they point to respectively), and if so, to what?

Cheers
jkbuha

**AHMED HOSSAM** · 02-24-2012, 01:45 PM

i`m busy these days as i have started the 2nd term in my college , but i will have some time to look into this today and tomorrow Smile

i can answer some questions before i look into this .......... the index table is working like a pointer to a string ( in c++ ) like this :-

15 07 00 00 19 07 00 00 05 06 00 00 ....... etc . 15 07 is 0715 ( endian format ) and this is the string offset in the file ....... if you got to offset 0715 , you will find a string in the BIOS like ADVANCED or any other word .
the 00 00 seperates between the offsets in this index ......... 15 07 ( 0715 ) is a word and 1907 ( 07 19 ) is another word and so on ........... sothat strings table is like this .

the strings table can`t hide any options or menus , its just pointing to it no more .......... the menu structure itself may have specials bytes working as flags telling that this menu is hidden or not and as a result determine if the BIOS will show it or not ( and this is what we are looking for now ) so , we should knew where is the strings table and where are the pointers inside the index is called ( sure its only called from menu ) if we found this , then we begin to play with the bytes there to find out the one reponsible for hiding the menu .

**jkbuha** · (This post was last modified: 02-25-2012, 02:45 AM by jkbuha.)

(02-24-2012, 01:45 PM)AHMED HOSSAM Wrote: i`m busy these days as i have started the 2nd term in my college , but i will have some time to look into this today and tomorrow
i can answer some questions before i look into this .......... the index table is working like a pointer to a string ( in c++ ) like this :-

15 07 00 00 19 07 00 00 05 06 00 00 ....... etc . 15 07 is 0715 ( endian format ) and this is the string offset in the file ....... if you got to offset 0715 , you will find a string in the BIOS like ADVANCED or any other word .
the 00 00 seperates between the offsets in this index ......... 15 07 ( 0715 ) is a word and 1907 ( 07 19 ) is another word and so on ........... sothat strings table is like this .

the strings table can`t hide any options or menus , its just pointing to it no more .......... the menu structure itself may have specials bytes working as flags telling that this menu is hidden or not and as a result determine if the BIOS will show it or not ( and this is what we are looking for now ) so , we should knew where is the strings table and where are the pointers inside the index is called ( sure its only called from menu ) if we found this , then we begin to play with the bytes there to find out the one reponsible for hiding the menu .

I think we have already found the index to the strings table: lea r8, off_3e0. What I'm not sure of is how big the index table should be (eg: 2/3/4/6/10 bytes per menu item?) off_310c0 and off_2f0 both have what looks like pointer tables, but in my opinion they look far to small to contain info for all the menu items.

I think 3e0 is the start pointer to the top of the strings table, and another register is responsible for advancing the pointer offset gradually down the table. If I'm correct there also should be another register pointing to another "menu" table to determine whether this menu is english/french, on/off, hardware dependent etc

It's a real shame we can't emulate the bios under some run-time environment. Unlocking all this would take sooooo much less time!

Cheers
jkbuha

**AHMED HOSSAM** · 03-06-2012, 02:44 PM

Hi Jkbuha ,

Sorry for my late response , i had started reading the UEFI spec. documentation to find out how this works .......... it will take some time to knew this .
also , this is not the strings table and its still unknown till now ............ strings table will be much longer from this and will not be in this address .
currently , no simulation tool for the UEFI BIOS is available ...... we have to do it the hard way Smile

Thank you,
Ahmed

**jkbuha** · 03-11-2012, 11:05 AM

(03-06-2012, 02:44 PM)AHMED HOSSAM Wrote: Hi Jkbuha ,

Sorry for my late response , i had started reading the UEFI spec. documentation to find out how this works .......... it will take some time to knew this .
also , this is not the strings table and its still unknown till now ............ strings table will be much longer from this and will not be in this address .
currently , no simulation tool for the UEFI BIOS is available ...... we have to do it the hard way

Thank you,
Ahmed

Hey Ahmed

Thanks for this - I too downloaded & reviewed the UEFI spec too (note: on Dell UEFI Laptops its currently impossible to boot to a UEFI shell unless we manage to unlock this in some way). My concern is that finding the strings table is less of a UEFI design and more of Dell or PhoenixTiano's way of implementing specific functionality in their BIOSes. I think we need to look further at Dell/Phoenix and how they've done this elsewhere, if that makes sense?

jkbuha

dkinsano · (This post was last modified: 03-11-2012, 03:55 PM by dkinsano.)

(03-11-2012, 11:05 AM)jkbuha Wrote: Hey Ahmed

Thanks for this - I too downloaded & reviewed the UEFI spec too (note: on Dell UEFI Laptops its currently impossible to boot to a UEFI shell unless we manage to unlock this in some way). My concern is that finding the strings table is less of a UEFI design and more of Dell or PhoenixTiano's way of implementing specific functionality in their BIOSes. I think we need to look further at Dell/Phoenix and how they've done this elsewhere, if that makes sense?

jkbuha

Here in my CCE 746LE+ i can boot into the UEFI shell. Bios type is SecureCore Tiano from phoenix if i can do anything for you folks just ask

**jkbuha** · 03-12-2012, 03:31 AM

(03-11-2012, 03:54 PM)dkinsano Wrote: Here in my CCE 746LE+ i can boot into the UEFI shell. Bios type is SecureCore Tiano from phoenix if i can do anything for you folks just ask

Yes please - any extra info at this stage would definitely be useful Smile

**jkbuha** · 03-12-2012, 04:45 PM

Hi Ahmed

Further to my post above, I've done some research - would this be of any help?
http://wiki.phoenix.com/wiki/index.php/E...TION_TABLE

jkbuha

**jkbuha** · 03-18-2012, 01:39 PM

Sorry all for delay but have been busy on some other (non-IT related) stuff.
I've noticed that Dell have slipped an update for the 15z on their FTP site so I've modded it as well. Fan seems to work quieter - which is nice.

@Ahmed - I could really use your help on unlocking this UEFI, if you have time.

jkbuha

**AHMED HOSSAM** · 03-18-2012, 06:39 PM

I`m still up for helping you unlocking UEFI but i`m just very busy in my studies and hardly find time for researching UEFI ........... i have reached another few results about strings index but i try to find out more to make sure of it ....... i will post again in 4 or 5 days showing all new results Smile

Login
Username:
Password:	Lost Password?
	Remember me