Unlock Bios

July 15, 2017 | Author: Igor Pamplona | Category: Bios, Booting, Usb Flash Drive, Subroutine, Advanced Micro Devices
Share Embed Donate

Short Description




donovan6000's Blog: Insyde Bios Modding: Advanced and Power Tabs


BIOS Modding



Assembly Language




Monday, June 10, 2013

Insyde Bios Modding: Advanced and Power Tabs Due to a request I received by drakonn, I'll be covering how to enable the advanced and power tabs in the setup utility. Also special thanks to Florin9doi for his impressive knowledge of BIOS. I rewrote my splash screen tutorial based on his input. There's not really much background information I can put here, It's kind of public knowledge that there are hidden tabs in the setup utility. I think this decision is ultimately up to the OEM, so HP decided that we don't need to have access to these hidden tabs. This is most likely because changing some settings can damager you computer, so they're actually looking out for us. So here's a picture of what my unmodified setup utility looks like. If you'd like to follow along with this tutorial by using the same BIOS that I am, then here's where you can download it.

As you can see, it currently has Main, Security, Diagnostics, System Configuration, and Exit tabs. So I'll show you how to enable the hidden tabs. I'll try to keep all my tutorials as generic as possible, but I already know that this will be impossible. Rarely do different BIOS implement these restrictions in the exact same way, so don't expect this to be a surefire way to unlock your hidden tabs. As simple as I make these tutorials seem, it still took me several weeks to get each modification working on my own BIOS. To get started make sure you unpack your BIOS installer so that you have access to the BIOS rom. Then open it with Andy's tool, go to the structure view, check the Decompress Extracted Modules box, and extract the DXE Core module. The latest version of Andy's tool can be downloaded here.




donovan6000's Blog: Insyde Bios Modding: Advanced and Power Tabs

My extracted module is named 4A538818-5AE0-4EB2-B2EB-488B23657022.MOD. Yours might be named something different. So lets open that module with a hex editor, and search for a familiar string so that we can locate what module contains the setup utility. The hex editor I use is HxD. As a side note, my BIOS uses Unicode strings. This means that after each letter, there's a 00 hex character. This is because each character is actually two bytes long. I think all Insyde BIOS are that way, but I'm not sure. So here's what I am going to search for, notice how I have blank characters between each letter. The name of one of my tabs is System Configuration, so the module that contains this string should also contain the setup utility.

So lets search for this string in our DXE Core module and see if it exists. Awesome! It found it at offset 0x1A8B8C.

Now we know we're in the correct module. Now search for the hex values 4D 5A. These values are always at the start of a module, and the name of a module is always at the end of a module. So here's what it finds:




donovan6000's Blog: Insyde Bios Modding: Advanced and Power Tabs

I circled the module's name in red. So now we need to remember the GUID of the SetupUtility module. Lets go back to Andy's tool to see what it is.

My SetupUtility' GUID is FE3542FE-C1D3-4EF8-657C-8048606FF670. So lets disassemble this module to get a better understanding of how to mod it. To do this we need to go into the DUMP folder that Andy's tool makes when opening a BIOS file, and open the SetupUtility in there with IDA Pro. Here what I'm saying:




donovan6000's Blog: Insyde Bios Modding: Advanced and Power Tabs

And make sure you open the largest file whos name is similar to your SetupUtility's GUID. Since mine was FE3542FE-C1D3-4EF8-657C8048606FF670, I'm going to open up the 531 kB file which is named similar, FE3542FE-C1D3-4EF8-657C-8048606FF670_2_480.ROM. So IDA Pro should automatically determine the file type. For me, it's a Portable executable for AMD64.

So now that it's disassembled, we have to find out where the tabs are located, then we can see what calls them. I created a program that can dump the internal forms representation used in EFI's human interface infrastructure. This can assist in finding the tab offsets, so you can download it here if you want to try using it. If you'd rather find them manually, then in IDA Pro go to Search | sequence of bytes. Then enter DF 42 4D B5 52 39 51 and press Ok. These hex values seem to always be in the header of the tabs, and are about 13 bytes after the start of the beginning of the tab's offset.




donovan6000's Blog: Insyde Bios Modding: Advanced and Power Tabs

Now this windows will come up that shows where these bytes were found. Each one of these locations could potentially lead to one of the tabs.

So lets double click on the first one, which takes us here. I said that that byte sequence was in the header, so we need to scroll up about 13 bytes to get to the start of the tab subroutine.

Just go to each one of the places where that bytes sequence occurred to find out the offsets we're looking for. Make sure you write them down. Here's all mine.




donovan6000's Blog: Insyde Bios Modding: Advanced and Power Tabs Lets go back to the first tab and see where it's being referenced from. Right click on the location, and select Xrefs to. This will display the connections between this offset and other functions. You can zoom in to get a better view. Here's mine:

At one of these location the setup utility is determining which tabs to show. This calling function will probably be closer to the start of the module's code, because that's where it is initialing everything. So lets double click on the first calling location and see if it looks suspicious.

Here's the calling location:

You might be able to determine in IDA Pro's Graph overview that this subroutine is most likely what switches between the tabs when you press left and right. It does references all the tab offsets, but this is just to determine which one it's currently selecting. This function is not the one we're looking for. If you want to make sure of this, you can modify some conditional jumps, but you will probably brick your computer this way. I should make a tutorial on how to recover from a brick. Lets check out the next calling function.




donovan6000's Blog: Insyde Bios Modding: Advanced and Power Tabs

If you ever have trouble selecting the different calling functions in IDA Pro you can right click on the DATA XREF and select Jump to cross reference. Then just double click on the address to jump to that location.

So here's what the second calling function looks like. Don't be surprised that it's not in a flow chart view. IDA Pro isn't perfect, so sometime it can't produce this style for all function. As a side note, you can press the space bar to swap back and forth between the flow chart view and the assembly view. Since I know how this tutorial is going to end, I'm going to tell you that this is the function that decides what tabs are available in my BIOS. In yours, you might have to go through several more of the calling function before you find the one your looking for.

Since we can't see the bigger picture of this subroutine easily, we'll have to look through it. The main things you want to search for are conditional jumps that avoid one of the tab offsets. So once again, here's the ones I'm searching for:




donovan6000's Blog: Insyde Bios Modding: Advanced and Power Tabs

Back to the second calling function. Wow! Almost immediately I notice almost all of my tab locations being referenced. There's also two conditional jumps:

Let me know if you guys think I add too many pictures. I want these tutorials to be through, but I'm feeling like this is almost to slow. Let me know what you think. So lets see where these conditional jumps go to. I just scrolled down a little. So it seems like the first one it jumping over two of the tab locations. These could be the two hidden tabs. The second conditional jump is going directly to the two tab locations. And the third unconditional jump at the end is also going to bypass the two tabs.

So to make sure that those two tabs get referenced, we have to change the two conditional jumps. By changing the first one from a jump if zero (jz) to nothing, and by changing the second jz to a jmp, we can accomplish our objective. To view the hex values for the first jump, select it and go to IDA Pro's hex view by clicking on the hex view tab. As you can see it's 74 48. Since we want to remove it, lets change them to no operations (nop 90). Here's what we're actually changing:




donovan6000's Blog: Insyde Bios Modding: Advanced and Power Tabs

And the second conditional jump's hex values are 74 0A. The first byte is the type of jump and the second is where it's going to jump to. This is a short jump, and the hex value for an unconditional short jump is EB. So here's what we're actually changing:

So here's what the resulting changes look like:

Now the program always jumps to 0x180001099 which references those two tabs. So lets try this out. Produce a DIF file in IDA Pro by going to File | Produce file | Create DIF file. I recommend you don't save it in the DUMP folder because it will most likely be deleted by Andy's tool at some point. A DIF file contains the offsets and changes that we made in IDA Pro. IDA Pro can't physically edit a file, so we have to use the information in the DIF file and a hex editor to apply the changes. You can close IDA Pro now. Before actually applying the changes with a hex editor, go back to Andy's tool and press the Advanced button. We want to enable the ability to make modifications to the modules. So these are the settings I changed. I also checked No SLIC because otherwise we would have to select a SLIC table in order to repack our changes. I'm fine with my BIOS current SLIC table.




donovan6000's Blog: Insyde Bios Modding: Advanced and Power Tabs

Press Done to get back to the main screen of Andy's tool. Then press the Go button. When this message comes up, don't press Ok yet.

We need to modify the setup utility module first. So open the same file we disassembled with a hex editor and apply the changes based on what the DIF file says.




donovan6000's Blog: Insyde Bios Modding: Advanced and Power Tabs

Save the file. Now you can press Ok on the message from Andy's tool, and it should repack your BIOS with your modified SetupUtility module. Lets try it out. Rename Andy's tool's outputted file, mine's named 01448F29_SLIC.bin, to what the original rom was called, mine's 01448F29.bin. This'll replace the original rom with the modified one. Now run InsydeFlash.exe. Press Start, wait for it to initialize, then press Ok. It will now flash your computer with you modified BIOS then restart. Upon startup, press the key that corresponds to your setup utility, mine's F10, to view your changes. Here's mine:

NO WAY!! An advanced tab! That's weird??? Why didn't it unlock two tabs? Shouldn't there be seven tabs now? As it turns out, I haven't found a way to enable all seven tabs at once in my BIOS. But I do have a way of replacing an existing tab with this hidden seventh tab. Lets go back to the disassembled code where we changed the jump locations. Now lets change one of the referenced tabs to the seventh tab. My hidden tab is at address 0x18007F490 (I know this because it's the only one not referenced in the disassembled function we edited), so lets change the line of code "lea rax, 0x18007FA00" to reference this tab.

The hex values for this line are 48 8D 05 55 E9 07 00. The first three bytes are the load affective address into rax part, and the last four bytes are the offset of the address. This is a relative address based off of the current instructions address. And it's stored in little endian. So if your good with math you can determine the new values with a calculator, or you can just changes some values and see if they'll work right by seeing what IDA Pro displays. Here's what mine looked like when I was finished:




donovan6000's Blog: Insyde Bios Modding: Advanced and Power Tabs

Now do the same procedure as before with the DIF file, hex editor, and Andy's tool to produce a newly modified BIOS. Now flash it, and one of the tabs should be replaced with a different one.

HMMMM.... that power tab doesn't have anything new in it that the advanced tab didn't already have. I guess there is something new about interrupts under one of the settings, which I'll never change anyway. I hope your power tab isn't as lame as mine. So I'm just revert it back to having the advanced tab instead. This method of replacing one tab with another is probably the easiest way of unlocking one of the hidden tabs. The only downside to it is that you'll have to give up one of the other tabs. I hope you enjoyed this tutorial. I know it was a long one, but it was worth reading because it did cover some pretty good fundamentals of reverse engineering. IDA Pro makes this process much easier since it can quickly show what references what at any time. You can still do this same process with any other disassembler, but it probably won't be as easy.

Posted at 7:50 PM

+2   Recommend this on Google

Labels: advanced, bios, bios-modding, enable, insyde, insyde-bios, modding, power, setup, tab, tabs, unlock, utility

422 comments: drakonn June 11, 2013 at 3:54 AM Very good tutorial donovan but I can not get me to work ... my knowledge about this are null and not come out the same as you and. I can not find the tabs in the IDA ... It may be because I have a different version of InsydeH20 (3.7). I've been hours trying it and nothing. If one day you have time and are interested, you do me a favor modifying my bios to have these advanced options :) Good day. Sorry for my english, google traductor! Reply Replies donovan6000

June 11, 2013 at 1:27 PM

I can take a took at your bios. What's your computer's model?

drakonn June 11, 2013 at 2:39 PM




donovan6000's Blog: Insyde Bios Modding: Advanced and Power Tabs My notebook is a Lenovo g580 2189 with windows 8 64bits. Link to my bios: http://download.lenovo.com/consumer/mobiles/5ecn96ww.exe I would be very grateful and of course would contribute with a donation for you to take a few beers this summer!


June 11, 2013 at 3:16 PM

How many tabs are currently viewable in your setup utility? Just skimming though your bios reveals that there are potentially 9 tabs. I have run across a few bios that have duplicates of certain tabs for some reason. It also looks like it would be easy to replace the existing tabs with the hidden one, as I did with my Power tab in the tutorial. And do you know how to recover you laptop incase I mess up?

drakonn June 11, 2013 at 3:27 PM I can see 5 tabs in my bios. And no, i dont know how to recover my laptop in case of error. Thank you :)


June 11, 2013 at 5:50 PM

Just created a tutorial about bios recovery. If you can get it working, then I'll send you a modified version of your bios to try. I don't want to accidentally brick your computer while trying to help you.

drakonn June 12, 2013 at 12:52 AM

This comment has been removed by the author.

drakonn June 12, 2013 at 3:45 AM Wait. I put the bios on usb or cd with many different names and different extensions in case but when I turn on the computer by pressing windows + b seeks nothing, just the screen stays black until those loose buttons below to continue booting normally . I tried win + b, fn + b, fn + esc fn + r, ... and nothing. Not searching for anything, either usb or cd ... But continue to try I don't have a lot time because I am on exams. I'll tell you.

drakonn June 12, 2013 at 4:43 AM Yessssss. Recovery bios worked! Unplug ac and batery. Insert usb or cd(cd before unplug ac). Hold power button 10 seconds. Plug ac adapter. Press fn + b and press power button. Fan spin on and automatically search bios in cd or usb and install. After some minuts (5 because dont restart automatically) press power button 5 seconds to close pc. Then press power button and laptop restarts nornmally In my case no beep in any moment. :)

drakonn June 12, 2013 at 1:50 PM Good. I can enter the bios recovery ... but it seems that seeks nothing. If I have a CD set, it seems that it runs about 20 seconds and then stops reading, however if I have a usb or sd not even read them ... not search for files or anything. In all these media I have 28 copies of the bios with different names.


June 12, 2013 at 4:20 PM

Ok, that too bad. I haven't found many things online about Lenovo insyde recovery, so it might be different. We'll just be extra careful when modding your bios as to avoid bricking it. I would feel really bad if you bricked your computer because of me. Try this one and let me know if there is anything different about your setup utility's tabs. All I did was replace one of the referenced tabs with a different one: www.mediafire.com/?vls5a9adth40njs


June 12, 2013 at 4:21 PM

Oh and let me know if insideflash.exe gives you an error. I didn't check you iscflash.dll for any anti-mod protection.

drakonn June 13, 2013 at 3:56 AM When laptop restarts to install bios, say that firmware image invalid! Thanks :)


June 13, 2013 at 1:41 PM

Would you mind uploading a picture of the error here www.tinypic.com/ So I can see it.




donovan6000's Blog: Insyde Bios Modding: Advanced and Power Tabs drakonn June 13, 2013 at 2:18 PM http://tinypic.com/r/fvkx95/5 This is the error.


June 13, 2013 at 3:26 PM

People have confirmed that they we're able to bypass this error by flashing their modified bios with the recovery procedure. So we just have to get that working. Here's a new modified bios rom www.mediafire.com/download/zteb3hyo3uw8930/new.zip








The two file's in there are what I think the recovery rom will be named. So just put them on the root of a FAT32 usb and try to recover. I've also read that if the recovery finds the correct file it'll beep once. Would you also mind making me a backup of your bios rom with flashit.exe. You can get it here:www.mediafire.com/? nz968aqc6tjoaq2 It can only be run in dos, so I also included Rufus, which can easily install dos onto a flashdrive and make it bootable. So after doing that, copy the flashit.exe file onto that dos flash drive and restart your computer to boot to it. Now run flashit.exe -G which will make a backup.

drakonn June 14, 2013 at 1:56 PM If I try to make a backup with flashit... error : http://tinypic.com/r/muwhuf/5 Now, try to flash the modified bios. Thanks.

drakonn June 14, 2013 at 2:53 PM Bios recovery works...read the usb but dont found bios files. In my usb i have 28 files with diferents names, including QIWG5.BIN and G5901.bin

drakonn June 14, 2013 at 3:04 PM Here is a backup of my bios with universal bios backup toolkit. https://www.dropbox.com/s/1sz2unmrqms2743/LENOVO-5ECN96WW%28V9.01%29.fd


June 14, 2013 at 4:07 PM

I'm kind of out of ideas. If we can't get it to flash the rom with the recovery procedure then we're out of options. It's too bad Lenovo never release any information about it. Reply

OJ Williams June 13, 2013 at 8:55 AM im having a bit of problems with mine... what version of andy's tool are u using? i dont have the decompress option and when i try to do it any way the cmd prompt step gives me an errror Reply Replies drakonn June 13, 2013 at 10:29 AM Here are the last version with decompress option! : http://www.sendspace.com/file/xxd63k

OJ Williams June 13, 2013 at 10:59 AM thx but im stil having abit of problems... is ther any way u can mod my hp dv4 2145dx bios plz? i need advanced options only...i gtg for 4 hours now but heres the link incase u agree.. thx alot even if u do or not http://ftp.hp.com/pub/softpaq/sp4950150000/sp49543.exe


June 13, 2013 at 1:43 PM

Unless your willing to donate after I'm done, then I'm not going to do it for you. One of the goals of this blog is to more people involved in modding their own bios.

OJ Williams June 13, 2013 at 2:05 PM ahh i understand.. i would donate but no credit card yet... any way yeah ill do it but in that tutorial some of the steps were kinda hard to follow and im using the ida pro demo and its telling me use 64 bit version to extract amd64? ive tried it on 64 bit and 32 bit oses and same thing... whats that about?




donovan6000's Blog: Insyde Bios Modding: Advanced and Power Tabs donovan6000

June 13, 2013 at 2:16 PM

Most the bios I've used have been 64bit, so you do need the 64bit version of IDA Pro to disassemble them. The demo doesn't have support for that though. Here you go: www.mediafire.com/?fp9o9px7n54nwj3 Just run Insydeflash.exe or Insydeflsh64.exe to install it. Let me know if you get an error when you try to install it. I didn't check your iscflash.dll for mod protection.

OJ Williams June 13, 2013 at 3:04 PM what exactly did u do to that file? are the stuff decompressed in it? i havent installed it asyet


June 13, 2013 at 3:29 PM

I modified the setup utility to unlock the power and advanced tabs. Hopefully it'll work. If by the off chance that it bricks your computer, them follow the brick recovery procedure I posted.


June 13, 2013 at 3:31 PM

My bad, I only modified your to replace the diagnostics tab with the advanced tab. I got confused thinking of a different one I was working on.

OJ Williams June 13, 2013 at 3:40 PM wow thx! ur the best! the power tab wasnt unlocked tho and my pc is booting up and operating like 10x slower but i still appreciate it! btw do u know how to increase dedicated memory for an ati radeon hd 4200 video card? i have over 2gbs video card and only 320mb dedicated for graphics n gaming which sux...and is there any way i can message u facebook,msn, something? i would like to learn more about this so i can help others also.. im a computer tech>>>programmer and graphic design/hacker but im only 18 so i have alot to learn and always wanting to learn more


June 13, 2013 at 9:10 PM

You can send me your email through my Contact page. I'll get a hold of you after that.

OJ Williams June 13, 2013 at 10:14 PM done (y) Reply

avinash bommina June 20, 2013 at 12:52 AM how to have access to the BIOS rom Reply Replies donovan6000

June 20, 2013 at 11:44 AM

Sometimes it's as easy as renaming the installer's extension from .exe to .zip. But sometimes this doesn't work, so you'll have to run the installer and find out where it extracts the rom to before installing. Reply

avinash bommina June 20, 2013 at 1:13 AM please send me the whole video of advanced tab Reply Replies donovan6000

June 20, 2013 at 11:47 AM

I don't have any way of recording the advance tab right now. Sorry. If your curious about which options are there, you can browse through your setup utility module with a hex editor to see the strings of the settings. Be aware though that some of these settings are still hidden. Reply

MARKO LUCIC June 20, 2013 at 3:17 PM




donovan6000's Blog: Insyde Bios Modding: Advanced and Power Tabs can you help me i tried to follow this tutorial and i get messed up with all the things that needs to be done is there by any chance that you could do this for me my laptop is a hp dv7 2105ez bios download link http://ftp.hp.com/pub/softpaq/sp50501-51000/sp50677.exe Reply Replies donovan6000

June 20, 2013 at 10:11 PM

Sorry, but unless your willing to donate I wont do it for you. I want more people to be able to do it themselves. I'd recommend trying to change one of the current tabs with one of the hidden as this is easier than unlocking one. I know how hard it is to get started. When I began modding insyde bios, I spent my first 3 weeks starring at assembly code and bricking my computer lol. Perseverance pays off though. Good luck :)

MARKO LUCIC June 21, 2013 at 2:44 AM if i could i would donate but i am i living in a shit country where is hard to get a job or a card for internet payment so i cant.thanx for a quick answer P.s sorry for my bad english Reply

Anonymous June 22, 2013 at 9:49 AM I got to the part where it has If that python script didn't work for your BIOS, here's a second option that might work. I don't know what the next step is cause i don't need that part. You don't make it clear what the next part is if you don't need that option. Reply Replies donovan6000

June 22, 2013 at 11:06 AM

Sorry for the inconvenience. I've added a few asterisks to the beginning of the paragraph that assumes that you now know the location of the tabs. I hope that clears things up :) Reply

Anonymous June 23, 2013 at 8:18 AM Hi, I can't see any conditional jumps as show here https://lh3.ggpht.com/-9CBBmPdF3i4/UbeUxK725YI/AAAAAAAAAXI/4j8LUdvw5s4/s1600/11.png. I have no options with jz before them. Does that mean my bios doesn't have advanced options? thanks. Reply Replies donovan6000

June 23, 2013 at 12:29 PM

I try to keep these tutorials as generic as possible, but no two bios versions are implemented the same way. I've only seen a handful of them that have the hidden tab's initialization set up like mine. It doesn't mean that you don't have an advanced option, it just means that it is initialized a different way. Try changing one of the referenced tabs to on of the hidden ones like I did at the end with switching in the power tab. Reply

Anonymous July 11, 2013 at 7:57 AM If You can do it with ? I tried to do it with j-bios but the items on the menu and did not appear and try on your article did not have the opportunity because I do not have a computer windows http://ftp.hp.com/pub/softpaq/sp47501-48000/sp47531.exe http://rghost.ru/47354628
View more...


Copyright ©2017 KUPDF Inc.