[UNLOCKED] Unlocking amd-v for Aspire AO725

[AlexKidd]

Finally I have won, we have won. Sorry for the latency but I have a scared shitless to brick my new netbook.

Epic win against the secure flash. I'll explain:

The FN+Esc method is able to flash whatever file with an .fd extension

Hence I'm could to write the modded BIOS provided by svl7, but I bust write a 4 MB of BIOS, the clear and raw BIOS without any "encapsulation"

I have attached the modded BIOS image (of a 4MB) in this post.

Seems to be possible to bypass all secure flash controls using the crisis bios recovery method.

I have found a "service manual" who contains some useful information related to my model. Here http://www.manualslib.com/manual/399342/...Ao725.html

In this manual it's documented the FN+ESC method, the crisis recovery seems to write the first .fd file found, however I have renamed my file ZHGIOS.FD, then I put it in the root of a flash drive of 256 MB (on the web I see a reccomendation, use a flash drive equals or small than 2GB) and I have prepared the netbook:

Machine: off
Battery: plugged
AC adaptor: unplugged
And any usb device unplugged.

Then I have plugged my USB flash drive in a USB 2.0 port and I have pressed (and hold) FN and ESC keys. I have plugged the AC adaptor and (without release FN+ESC keys) I have pressed the power button.

After this operation the netbook is started, the blue state led is blinking and I have released the FN+ESC keys after this led as stopped his blinking. Then the led on the flash usb (if exists) blinking for a couple of minutes and then the netbook remains as a living dead for a few minutes (about seven minutes) and the it reboots (two times when I have flashed the mod)

Now I paste some link contains some images to demostrating the success and make some consideration/question. I have loaded the setup default, then changed only 2 options: Legacy boot and SVM support

The information screen (censored)
http://www.alexkidd.altervista.org/alien...mation.JPG

The SVM support finally to be enabled
http://www.alexkidd.altervista.org/alien...upport.JPG
I have checked it on linux, kvm works!

The power configuration
http://www.alexkidd.altervista.org/alien.../Power.JPG
Is normal a Thermal fan control disabled?

The video configuration issue
http://www.alexkidd.altervista.org/alien...ration.JPG
Why, only here, the BIOS show me this message?

The boot configuration (unchanged)
http://www.alexkidd.altervista.org/alien/AO725/Boot.JPG
Is possible to have unlocked the "secure boot" option?

In anycase I can be satisfied.
Many, many thanks to svl7 for this mod

Edit: see my next post for the attachment

[boulbi]

Hello everyone this is my first post here.

After many hours fooling around in IDA trying to reimplement the process of setting the flag CR_VM.SVME=1 using an inline assembly patch on bios 1.05 i ended up in this topic with an unlocked 2.04 bios.

So i used linux/dd to get an aligned 4MiB file from the Acer 2.04 (4.4MiB) update and the usual windows InsydeFlash tool provided with bios 1.05 accepted to upgrade my netbook from 1.05 to 2.04. (ie: no need to use Fn+Esc recovery mode actually...)

Everything went fine, now i have a proper UEFI bios with shell and everything.

But then i still need the unlocked 2.04 bios to be able to use the SVM instructions.

I have tried to download the attached files in the previous posts for many many times, even letting a download manager on auto retry every minute during the night but i still cannot complete any download. This explains the huge number of hits. Sorry :p

Is the bios-mods.com server having some kind of problem ? It wont send files faster than 10-20Kib/s, dropping until it stops soon after. The farthest i could go it stopped transfering at 85%....
I'm confident my interwebs are working as they should and i've tryied downloading from multiple places including middle of the US where the server is located, still no luck.

Could someone upload those two files to somewhere else please ?

Anyways... i don't especially like using stuff i'm not able to reproduce manually.
Can "svl7" or anyone else explain how the 2.04 bios was modded to display the advanced menus please ?

I assume "FE3542FE-C1D3-4EF8-657C-8048606FF670_2_265.mod" is the setup module. It has the strings for every configuration option including SVM in multiple languages as well as some code Xreferencing to those strings.
It can be dumped from the 1st of 3 FV's (firmware volumes) using Phoenix SLIC tool or mmtool (the latter is unable to repack bios after, it won't fix CRCs).

Searching for the opcodes for function "EFI_IFR_SUPPRESS_IF_OP" (0x0A 0x82 0x45 0x8A) wasn't very helpful either.

So nowi'd be glad to know the offset of the call to nop/jump to invert for modding my bios by hand.

Thanks to svl7 and AlexKidd for the content of this thread.

[aricart]

I'm going to try and make these instructions as general as possible. They usually work for reversing Insyde BIOS.

A few things you might want/need:

IDA and ida-efiutils
HT Editor
j-bios
Python 2.x

First use j-bios to extract the SetupUtility binary from the firmware.

j-bios -dump BIOS.fd

"BIOS" is the name of your BIOS file. This will separate the firmware into its requisite parts. The part we're interested in is the one named SetupUtility_0xxxxxx.bin. You can get rid of the rest.

So now you have the SetupUtility. Fire up IDA and load the .bin file. Assuming you have python installed, you can use ida-efiutils to make this binary a bit more readable. You don't have to, but it helps in understanding things.

Now, in IDA, do a search for the text for "00000E". The first or second result should put you in the function we need to patch. You'll know you're in the right place if the function looks similar to the one in the Graph Overview in the following screenshot.



Now scroll down a bit until you get to a part with an instruction that looks like this:

Code:

xor edi, edi
cmp byte ptr [rdx+49h], 0Ah ; This is what you're looking for
mov r14b, dil
jnb short loc_180000815

Now the fun starts. Either directly above or below this part, there are going to be some cmp instructions with conditional jumps attached. You can see them in the image above. What's happening is a test for certain form TitleIDs that are then skipped if matched. This is what suppresses the display of various forms like "Power" or "Advanced".

So now you have two options. Either change these to non-existent TitleIDs like so:

Code:

.text:0000000180000837 cmp rsi, 6
.text:000000018000083B

becomes

Code:

.text:0000000180000837 cmp rsi, F
.text:000000018000083B

Or, you can change the jumps so they point towards the function that's being skipped. Now remember what you did, and do it in a hex editor (I use HT Editor) against the SetupUtility binary.

Now, copy the SetupUtility binary and rename it to SetupUtility_0xxxxxx_manuallypatched.bin. This is so we can use j-bios to recompress and insert it back into the BIOS file.

Code:

python2 j-bios.py BIOS.fd BIOS_patched.fd

TADA! Now flash and test for a good time

[boulbi]

wow... i d'ont know what to say. It's precisely the kind of information i was expecting.

Thank you so much Aricart, i can go back to work and suceed this time !

Also i can stop hammering the "retry download" button at last :p

Thanks you very much Aricart, Alexkidd and svl7 you were of great help and for sure this thread will help many other owners of the AO725.

Have a happy new year you all !

[AlexKidd]

this forum has a serious problems.... I'm able to upload only 1.97 MB of 2 MB of a zip file.

I have uploaded the zip file here http://www.alexkidd.altervista.org/alien...IOS.fd.zip (it redirect to a download page, this is the best possible for me)

edit: this is the modded version 2.04 of the BIOS

[boulbi]

Oh so i'm not the only one encountering DL/UL problems here.

Thanks you for reuploading the file, that will be usefull for comparison !


edit: indeed that link downloaded the file instantly, that's better

[AlexKidd]

j-bios is crashing when I attempt to do a dump/analyzing of this bios file
I'm very curious to see how svl7 is succeeded to modify the bios

[boulbi]

New bios flashed successfully through recovery mode.

SVM enabled and virtualbox/kvm tested and working.

Well done everyone, thank you very much !

---

j-bios is crashing when I attempt to do a dump/analyzing of this bios file
I'm very curious to see how svl7 is succeeded to modify the bios

Same problem here. I could dump the files with j-bios but i get some error at the end, extracted files are recoverable though.

I could then do the binary patch by hand but j-bios was unable to repack the whole thing up.

But "phoenixtool 2.12" will do it fine as long as you unpack AND repack with this same tool. Using a module dumped with j-bios will crash phoenix too 2.12 upon repacking.

So i assume svl7 used phoenixtool all the way or some custom tool.

Anyways it will be interesting to compare hist unlocking patch to what i had been doing while not able to download the file :p

---

Well i just extracted stock bios and modded bios with phoenixtool:

svl7's bios has setup utility patched (nop'ed jumps) at offsets 0x969 and 0x973.

And Aricart's method was the proper one because on my side i had prepared a patched module at 0x958, 0x969 and 0x973 with the same jumps noped.

I wasn't too sure about the first jump so after some trial and error the second try with only two jumps would have been identical to svl7's file.

At last bios modding doesn't look to me as an arcane science anymore. ^-^/

[boulbi]

For those interested, here's the patch, vanilla bios on the left and modded bios on the right:

[AlexKidd]

Very interesting

Is here the only difference?

For example, svl7 also adding his nickname instead of "Rev 3.5" string in the top right of the corner.