Every single day I get mails with Hewlett-Packard BIOSes attached for patching. HP bios patching is quite ugly since I have not yet found an ultimate way for patching them all with a common patch. Reason: I have no HP for analysis. Therefore I am looking for a sponsor who has a spare HP notebook not older than two years (so I have a current BIOS for analysis). Please contact me!
Please, PLEASE: do not ask for HP patches until this message changes. This will not happen before anyone sends me his or her HP notebook. I call sending it in "sponsoring" since I cannot guarantee what will happen while I am playing around with the BIOS/UEFI.
InsydeH2O Bios - unhiding secrets
First of all I want to thank all the people out there doing their fine work, which helped me doing my work.
The first person to mention is Hector Martin Cantero, better known as "marcan", who took the first step in analysing the InsydeH2O BIOSes that had VT (Vanderpool Technology) disabled. He managed to enable VT by patching the Setup Variables inside the BIOS file. His Python scripts were the base of some modifications by some people - thanks to them, even if I don't know their names - and those tools are the base of what I am introducing here.
I also want to say thanks to all the people from tianocore, who developed the EDK and EDKII, which are the basic sources of EFI BIOS development. To understand the whole BIOS stuff I was digging through their docs and sources over the last couple of days to understand that InsydeH2O BIOS.
Also thanks to Packard Bell (or mother Acer) for selling me that Netbook DOT-S/GE/070 with that crippled Insyde BIOS. If they hadn't done so I still would not know a bit about BIOSes.
All trademarks and copyright-stuff belong to their holders. This work is intended to be private, there is no commercial intent in doing this stuff. If someone feels betrayed in any kind: please contact me and I will correct or add anything or take stuff offline.
I also did not link to any site - I just don't know what people say about linking to them. All things can be easily found on the internet.
I do not give any guarantee for anything on this site. I tested only with ONE netbook, a packard bell DOT-S GE 070 (KAV80 bios) so don't blame me if it does not work!
What's this about?
Many people are complaining about their Insyde BIOSes not showing lots of stuff, like power settings or the weird, somewhere-mentioned "advanced" settings form.
So was I and searching the internet did not get me any further. I decided to have a look myself.
With marcan's scripts and the EDK it was possible to build a much more powerful script, which can completely rip apart an InsydeH2O BIOS file, extract compressed sections and so on.
The problem of the hidden forms is: they are hidden by code, not just by some hidden variable setting. The code, which is responsible for hiding those forms, resides within the SetupBrowser (EDK) or SetupUtility (Insyde). That SetupUtility is within a compressed section, guarded by some checksums, inside the bios file.
Extracting that SetupUtility was quite simple, since it was already implemented in marcan's tools.
But I wanted to change that SetupUtility and re-insert it into the compressed section within the BIOS file.
First I had to rewrite some parts of marcan's scripts, since they did not care about most of the checksums nor keep track of the positions where the file had been torn apart. After some days I managed to extract the SetupUtility and re-insert it with no change (except for a slightly different compression) - and that BIOS worked! Seems useless, but this was the most important step. If I was not able to rebuild the BIOS, why should I try to patch the SetupUtility?
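One checksum of this kind in an EDK-style image is the 16-bit checksum of each firmware volume header. The following is an added example (Python 3, not part of j-bios or marcan's scripts) that locates firmware volume headers by their `_FVH` signature and verifies that header checksum as defined by the EDK/PI firmware volume format; the sample volume and its GUID are constructed, and Insyde-specific checksums are not covered.

```python
import struct

FVH_SIGNATURE = b"_FVH"  # EFI_FIRMWARE_VOLUME_HEADER.Signature, 40 bytes into the header
# ZeroVector, FileSystemGuid, FvLength, Signature, Attributes, HeaderLength,
# Checksum, ExtHeaderOffset, Reserved, Revision = 56 bytes; the block map follows.
FVH_FIXED = struct.Struct("<16s16sQ4sIHHHBB")


def sum16(data):
    """16-bit sum of little-endian words; a valid FV header sums to zero."""
    return sum(struct.unpack("<%dH" % (len(data) // 2), data)) & 0xFFFF


def find_volumes(image):
    """Return [(offset, fv_length, header_checksum_ok)] for each FV header found."""
    found = []
    pos = image.find(FVH_SIGNATURE)
    while pos != -1:
        start = pos - 40
        if start >= 0 and start + FVH_FIXED.size <= len(image):
            fields = FVH_FIXED.unpack_from(image, start)
            fv_len, hdr_len = fields[2], fields[5]
            # Skip implausible headers instead of reading past the image.
            if (hdr_len >= FVH_FIXED.size and hdr_len % 2 == 0
                    and start + hdr_len <= len(image)):
                ok = sum16(image[start:start + hdr_len]) == 0
                found.append((start, fv_len, ok))
        pos = image.find(FVH_SIGNATURE, pos + 1)
    return found


def build_sample_volume(fv_len=0x1000):
    """Constructed sample: one block of fv_len bytes with an erased (0xFF) body."""
    block_map = struct.pack("<IIII", 1, fv_len, 0, 0)  # one entry + terminator
    hdr_len = FVH_FIXED.size + len(block_map)

    def header(cksum):
        return FVH_FIXED.pack(b"\0" * 16, b"\x11" * 16, fv_len, FVH_SIGNATURE,
                              0, hdr_len, cksum, 0, 0, 2) + block_map

    cksum = (-sum16(header(0))) & 0xFFFF  # value that makes the header sum to zero
    return header(cksum) + b"\xff" * (fv_len - hdr_len)


if __name__ == "__main__":
    image = bytearray(b"\xff" * 0x200 + build_sample_volume())
    print(find_volumes(bytes(image)))   # intact header
    image[0x200 + 32] ^= 0x01           # simulate a one-bit change in FvLength
    print(find_volumes(bytes(image)))   # checksum no longer matches
```

Running the same check on an original image and on a rebuilt one shows whether every volume header still verifies before anything is flashed.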
Now some days of reverse engineering (IDA Free 5.0 and studying EDK). I uploaded that SetupUtility and the IDA database with many comments and structs, so if you are interested just have a look at it.
Inside the SetupUtility finally I found the function, where the setup forms are initialized (in IDA I think I called it GetAndShowForms, it is visible when you load the file). In that function I located two jumps, where it checks for special TitleIDs of the forms and skips those forms! Finally I just had to put some patching routine in my scripts to replace those TitleIDs with some non-existent TitleIDs. Done!
Make sure your system has a BIOS recovery function. Some modern machines do. This will help if the BIOS is corrupted or flashing is interrupted for some reason.
On my netbook I flash like this:
- Put the BIOS file on a FAT32 USB stick. The file needs to have a machine-specific filename. Mine is KAV80.fd. The new version of j-bios includes detection of that name! Run it like: "python j-bios.py mybios.fd" and it should show you possible names to try!
- Turn off netbook (or whatever machine)
- Remove battery
- Remove powercord
- Press and hold <fn> and <esc>
- Insert powercord (no battery!), powerlight should shortly flash once
- Still holding <fn> and <esc> press and release powerbutton and then release keys
- Screen stays black, but computer should do something, like searching USB stick. A stick with some reading indication is cool.
- After a while the computer should wake up
TEST THESE RECOVERY STEPS WITH A WORKING BIOS! If this works you can even recover from a brick :-)
All Python files need Python 2.7; Python 3 will not work.
The fmem Linux module is not needed unless you want to extract your own BIOS.
Mine is located at 4GB minus its size (1MB), so you can extract it with:
dd if=/dev/fmem of=mybios bs=1M count=1 skip=4095
Actually the script tries to do that (superuser needed!) if you specify an input file which it cannot read from (e.g. because it does not exist).
fmem is compiled for 32bit Fedora16. If you cannot load it with sudo ./run.sh you need to run make to compile it for your linux platform.
To run the script:
python j-bios.py orgbios outfile
On Linux this should also work:
./j-bios.py orgbios outfile
Run it with no parameters to get more help about switches
Here are the files:
NEW VERSION (Aug 05, 2012)! (not tested on Windows, need feedback!)
New in this version:
- Tiano Compression
- Sony Vaio AMD Page and Intel Page patching
- j-asm used for finding patching locations
- Showing Recovery Name of BIOS needed for USB-Method!
Short note to the Sony Vaio patches:
Great thanks to a friend from Austria, who sent me his bricked Sony Vaio for having a look at it, making this patching possible and supporting this project with 100€!!!
Hello Sony: I called your support line and asked, if it was possible to recover from a brick (since I did not know the recovery name of the BIOS)
Costs: 80€ for sending it in and having a look at it! Includes shipping to Sony and back home and analysis. After that they probably tell you stuff about a new motherboard. Estimated costs: 200€. Even when I asked for the USB method: "No way. Only if you have a second BIOS chip onboard there will be a jumper for recovering the BIOS". There are many cusswords I can think of while writing this :-)
Dear Sony, why do you not tell people how they can recover from their bricks? You actually should know about your own implemented BIOSes. And furthermore why do you put such a crippled BIOS in your laptops?
Howto (Example: Sony Vaio):
- DO NOT FLASH ON WINDOWS!
YOU CANNOT RECOVER FROM BRICK IF YOU ARE NOT FAMILIAR WITH THE USB RECOVERY!
- Download BIOS from Sony website
- unzip downloaded file (if unsure, use 7zip. Should extract some .fd-file)
- Run my j-bios.py script:
python j-bios.py SONYBIOS.fd PATCHEDBIOS.fd
- Take a look: if found, it should write something like:
Possible BIOS Recovery Name found: TucanaBRX64.fd
- rename the PATCHEDBIOS.fd to the mentioned name.
- put it on an empty FAT32 USB stick
- plug it into Sony Vaio USB port (any)
- turn off Sony Vaio
- Take out battery (I tried, it even works without removing it - better still do it)
- Pull off powercord
- press <fn> and <esc> - both keys and hold while plugging in powercord
- still holding the keys power on Sony Vaio
- When USB-stick starts flashing let go the keys!
- Sony Vaio should ask for flashing from stick
Ok, here are the instructions and files:
Do not run this on an already patched BIOS! This version does some dynamic analyses which might patch wrong spots in bioses already patched!
Windows:
- Download & Install Python 2.7
- unzip file
- on commandline run "python j-bios.py -v biosfile newbiosfile"
Linux:
- Install Python 2.7 (Ubuntu: sudo apt-get install python; Fedora: yum install python)
- Install lzma-utils (Ubuntu: sudo apt-get install lzma; Fedora: yum install lzma)
- extract downloaded file (unzip j-bios.zip)
- on commandline run "python j-bios.py -v biosfile newbiosfile"
Complete toolchain package (zip): j-bios.zip
Contents: (To view the python files best visit this page with Google Chrome)
- j-bios.py (depends on all other py-scripts!)
- liblzma.dll (only needed on windows)
- KAV80.fd (original bios file from PackardBell website)
- KAV80patched.fd (patched bios with power and advanced settings)
- SetupUtility2_0x95fc8.bin (extracted SetupUtility)
- SetupUtility2_0x95fc8.idb (IDA Free 5.0 database)
- HP-F46.fd (original 64bit bios file from HP website)
- HP-F46_patched.fd (For 'akbar': "Diagnostics" and "Security" replaced with "Power" and "Advanced", no other patching possible right now)
- HP-F48.fd (original 64bit bios file from HP website)
- HP-F48_patched.fd (For 'Paula': advanced settings enabled)
fmem: fmem_1.6-0.tgz (Only needed for reading BIOS dump from memory)
Questions? Just contact me.
Please feel free to send me your changes and testing results and/or not working firmwares for me to analyse them.
Sony Vaio & Co.
Aug. 5, 2012
- Tiano decompression AND compression implemented
- Sony Vaio AMD/Intel Page patching implemented
- Recovery Name will be detected and shown!
- j-asm is used for patch location detection
Read here for more details.
Mar. 16, 2012
Implementing compression type 1 to j-bios (tiano compression). The files are not implemented in the main toolchain yet. Decompression has already been ported to python, if you want to have a look: tianodec.py
It is quite slow (takes ages compared to C/C++) but works on all systems.
Compression file is in work...
The type-1 tiano compression is used in some bioses, so far seen in Sony Vaio bioses.
Feb. 6, 2012
Thanks to help from Dan living in Grand Junction, Co., I managed to enable Advanced settings on his Acer 5810tz. The patch is not yet implemented in the tools or at least it does not work yet. So hold on some days until it is released.