
Flash modified BIOS/UEFI which are digitally signed (circumvent secure flash)


svl7


* This is only for systems with Intel chipsets.

* It still won't work for all of them, but for some it does.

This article is meant as an explanation for interested / advanced users. Since some of the more recent bios mods require the tool described below in order to allow flashing, I decided to share some information about it.

Also I really don't like how users get locked out of their own hardware, this is a way to circumvent a couple of the more recent restrictions of certain systems. I hope this will be useful to some of you.

If you know other ways to get around the current firmware updating restrictions (per software), please let me know.

The problem:

With the appearance of Windows 8 and Microsoft's requirement for OEMs to support 'secure boot' in order to get the Win8 certificate for their machines, a lot of the most recent systems (notebooks and desktops) now use firmware which is digitally signed.

Since secure boot loses its purpose if firmware updates aren't verified and protected as well, the latest UEFI implementations come with a secure firmware upgrading procedure which makes sure that only properly signed and unmodified images can be flashed. This update protection is active even if you don't enable secure boot.

These two pictures explain the idea behind secure firmware updating very clearly:

post-80-14494993891172_thumb.jpg

On the second picture you can see that the system verifies the firmware image even before it loads the drivers required for the flash.

For bios modders or people who want to use modified firmware, the consequences of this are severe. It simply isn't possible anymore to flash digitally signed bios which have been modified, there's no way around the signature, at least not with the usual tools.

The solution (at least for some systems):

The only way to get around those new restrictions is to directly program the firmware flash memory and therefore leave out the verifying of the image. In Intel systems the flash chip is directly wired to the PCH, and it can be accessed by an Intel utility called Flash Programming Tool. It's a very powerful application which supports the most common flash memory chips.

The requirements for it to work on a system are the following:

- BIOS region of the flash memory must have write permissions

- The OEM or BIOS vendor omitted to set an additional flash lock.

- You can't flash an encapsulated firmware image, only the pure bios region.

You will have access to the BIOS region for obvious reasons, but the second point can only be figured out by trying to flash a BIOS.

If the tool comes up with an 'Error 28', download the attached 'prr' utility, as well as the DOS version of the flash tool. Put both on a USB drive which can boot DOS, boot from it and execute prr.exe. If it manages to remove the protection on your system it will tell you 'ready to flash'; in this case go ahead and directly flash with fpt, without rebooting before doing so.

If prr can't remove the protection you're most likely out of luck, even though there might be ways for certain systems, but the chances are pretty small.

In order to flash a BIOS you will need to remove the capsule from the firmware image provided by your system manufacturer. You only want to update the bios.

Then flash it by using this command:

fptw64 -f FILE -bios

(FILE stands for the image you want to flash)

***WARNING***

This tool is only for very advanced users. If you mess up it will overwrite your BIOS without a warning or waiting for you to confirm. This means you can easily brick your system beyond any chance of recovery.

You most likely don't need this tool. My BIOS mods which require this application for flashing will always come with a .bat file which will do the flashing for you. Again, for 99.9% of the users there's no need to mess with this.

This version of the tool works only for 7 series chipsets.

*InBeforeOmgMySystemWontBootAnymore*

The tool provided here by svl7 (prr2.exe and former prr.exe) may not be hosted anywhere outside of Tech|Inferno without the previous approval of the author.

post-80-14494993890957_thumb.jpg

FPT_DOS.zip

Fptw64.zip

prr2.zip
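
Seen from the defender's side, the "additional flash lock" condition in the post above can be audited from register values. The following is an added example, not part of the original post and not svl7's tool; it assumes the standard Intel PCH controls (BIOS_CNTL, HSFS.FLOCKDN and the PR0-PR4 protected range registers), which the post does not name, and runs on constructed register values rather than ones read from hardware.

```python
"""Audit Intel PCH SPI flash write protection from raw register values."""

# Bit positions from Intel PCH datasheets (assumed applicable; the post names none):
BIOSWE, BLE, SMM_BWP = 1 << 0, 1 << 1, 1 << 5   # BIOS_CNTL (LPC bridge config space)
FLOCKDN = 1 << 15                               # HSFS: locks SPI controller config
PR_WPE = 1 << 31                                # PRx: write protection enable

def decode_pr(value):
    """Return (base, limit) byte addresses of a write-protected range, or None."""
    if not value & PR_WPE:
        return None
    base = (value & 0x1FFF) << 12                  # bits 12:0 hold address bits 24:12
    limit = (((value >> 16) & 0x1FFF) << 12) | 0xFFF
    return base, limit

def lock_findings(bios_cntl, hsfs):
    """List the lock bits that leave the BIOS region open to software writes."""
    findings = []
    if bios_cntl & BIOSWE:
        findings.append("BIOSWE set: BIOS region writes are currently enabled")
    if not bios_cntl & BLE:
        findings.append("BLE clear: setting BIOSWE does not raise an SMI")
    if not bios_cntl & SMM_BWP:
        findings.append("SMM_BWP clear: writes are not restricted to SMM code")
    if not hsfs & FLOCKDN:
        findings.append("FLOCKDN clear: protected ranges can be reprogrammed")
    return findings

def unprotected_gaps(pr_regs, start, end):
    """Return the parts of [start, end] not covered by any write-protected range."""
    gaps, cursor = [], start
    for base, limit in sorted(r for r in map(decode_pr, pr_regs) if r):
        if limit < cursor or base > end:
            continue
        if base > cursor:
            gaps.append((cursor, base - 1))
        cursor = max(cursor, limit + 1)
    if cursor <= end:
        gaps.append((cursor, end))
    return gaps

# Constructed sample values (not read from real hardware); BIOS region 0x500000-0x7FFFFF.
LOCKED = {"bios_cntl": 0x2A, "hsfs": 0xE008, "pr": [0x87FF0600, 0, 0, 0, 0]}
OPEN = {"bios_cntl": 0x09, "hsfs": 0x6008, "pr": [0, 0, 0, 0, 0]}

if __name__ == "__main__":
    for name, regs in (("locked", LOCKED), ("open", OPEN)):
        print(name, lock_findings(regs["bios_cntl"], regs["hsfs"]),
              [(hex(a), hex(b)) for a, b in unprotected_gaps(regs["pr"], 0x500000, 0x7FFFFF)])
```

A reported gap is not automatically a defect, since firmware commonly leaves its settings storage writable; the point of the check is that the code portion of the BIOS region is covered and that FLOCKDN is set.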


  • 11 months later...
What is the difference between prr.exe and prr2.exe?

Completely revised version that is more reliable and more properly coded. The old one was more a proof of concept. But essentially they're doing the same.

When you use the prr2.exe are there any commands that you need to put with it? or just run it?

Just run it.

Also I cleaned up a bit. Keep on topic.


  • 2 months later...
  • 4 weeks later...
  • 1 month later...

Hi, I own a Lenovo T430u and want a Whitelist removal. So I disassembled and removed the check. But the trouble began with flashing the bios.

Steps I did

1. Download the bios ISO from lenovo, http://download.lenovo.com/ibmdl/pub/pc/pccbbs/mobiles/h6uj04wd.iso

2. Unpacked/Disassembled the interesting module (Phoenixtool/IDA) Iso -> *.fl1 -> *.mod file

3. Modified the program to always successfully return the whitelist check

4. Packaged the new bios together (Phoenixtool) *.mod -> *.fl1 -> *.iso

However, when flashing the bios with the lenovo tool dosflash.exe /mb /sd /file $0ah6000.fl1 the dosflash tool output is as follows:

C:\FLASH>dosflash -mb -sd -file h6etxxww/$0ab6000.fl1

SCT Flash Utility tool for Lenovo

for DOS V1.0.0.6.

Copyright © 2011 Phoenix Technologies Ltd.

Copyright © 2011-2012 Lenovo Group Limited.

Read Bios image.

Initialize Flash module.

Read current BIOS

ERROR 234 - SecureFlash verification fail! Status = 234.

So I just wanted to verify the packaging with Phoenixtool: I just unpackaged and packaged the fl1 file with the Phoenixtool. This was successful and I was even able to flash the bios again with the original version. So this proves to me that the Phoenixtool works fine. However, somewhere there must be a checksum.

I guess this is related to the secure flash verification outlined here? May I use this tool introduced in this thread to flash the bios?


  • 1 month later...

Hi!

I got a t540p that bricked because of https://forums.lenovo.com/t5/W-Series-ThinkPad-Laptops/HOWTO-Brick-a-W540-in-easy-steps/m-p/1400393 when I tried to boot an Ubuntu disk. It has ruined my life since there is no Lenovo Support Center where I live, my work depends on it, and I used up most of my money on it. I gave it to a repair shop but they failed to fix it. I think it's because of security measures mentioned in this topic.

I'm really sorry for barging in and asking for help like this (I have the feeling it might not be the right place, or my post may not have followed some rules), but I'm really desperate and in need of help.

Please, can someone guide me on what to do? I'm willing to pay for your efforts.

Thanks a lot.


  • 3 months later...
  • 2 weeks later...

When I backed up my bios and tried to flash it back using fptw64.exe -f output.bin -bios (not even a modified bios yet, I used my backed-up bios), it gives me error 28. Same issue here on a Y500, and I have no access to the bios because I changed the password and forgot it. Anyway, I feel disappointed because I won't be able to make any progress in my courses with enabled virtualization. Any solution here?


  • 2 months later...

What's the difference between prr and prr2?

I used fpt to flash a backup bios and encountered error 28.

After running prr.exe, it tells me that it is ready to flash the bios.

And then I ran fpt again, and there is still error 28.

So what can I do now?

Thanks in advance.


  • 2 weeks later...
Well of course.

Hey man, I bricked my asus g751jt by doing too low of an undervolt and now it turns on, sits for a few minutes and then turns off. The screen is black and the keyboard lights up but nothing else. You can hear the hard drive going but the system shuts off after 10 or so seconds. I took it apart, pulled the CMOS plus out and waited for 10 minutes, disconnected the battery connector and did a power drain, nothing. The last thing is RMA, but is there anything else I could do?


Pulling the cmos battery won't help, settings are stored in nvram, so you can't reset cmos/bios that way. In fact I think you can pull the battery and put it in a drawer, it will work the same with or without it.

How did you manage to undervolt?

One simple chance for you to reset nvram would be to try with one memory stick only or use other memory.

Also what happens if you keep ctrl+home pressed and then press the power button? Do you get a slight delay?


Try what works for un-bricking the newer Alienware Haswell systems with this NVRAM BIOS settings storage trash.

Pull out all RAM sticks. Power up the machine and let it beep or whatever an ASUS does when it doesn't like what it finds. If it shuts down, immediately slap one RAM stick into a slot before it has a chance to reboot. This will dump anything stored in NVRAM and the BIOS will re-write defaults. You may get a memory error on the first attempt to reboot (which is 5 beeps on an Alienware) but the second attempt completes POST.


  • 3 months later...
  • 3 weeks later...

Hi,

I'm a bit new to BIOS modding, usually I don't touch it, too risky.

I've got a Lenovo L540 that I don't use, so I decided to move it to Maverick OSX, and everything works great, I've got a really cool and stable iLenovo! ^^ Except the Wifi card: I purchased a Broadcom BCM94352Z to replace the Intel 7260 OEM to solve that. But Lenovo has a whitelist that locks the computer from starting, and I haven't any bios network option to deactivate the card.

Here is the backup log : https://www.dropbox.com/sh/zloub0m1ezpczte/AACPzC7xmx42nd1SAp5vzTlTa?dl=0

It seems that I have error 280 that locked the bios flashable option. I found a tutorial to flash the bios with a hardware tool, and I found information about FPT TOOL too that could bypass this problem without buying a hardware tool.

Can anyone clarify that a bit for me? ^^ I'm pretty confused! :)

Thanks in advance, regards, FF


  • 4 weeks later...

Hello.

Recently I got my hands on an alienware 18 with two 970m and a 4940mx, and was very saddened to find out how a system that has such great potential is crippled beyond imagination. So I am asking here for help in managing to unlock this nice machine.

I have already hooked a programmer to the vbios chip for testing and so far have tested msi and dell 970m vbios, and the result is the same as with the clevo vbios. Maxwell GPUs post only in true uefi mode, which makes installing windows 7 impossible.

I am ready to use the programmer on the bios too but am not clear if there is a way to unlock this bios at all, even with direct access to the bios chip. So I ask for help here. The laptop has the latest bios version A10.

Thanks in advance, guys.
