Insyde Bios Flash Utility Download
Pages
Saturday, 20 August 2016
Insyde Bios Modding Advanced and Power Tabs
Insyde Bios Modding Advanced and Power Tabs
Latest downloads from Toshiba in BIOS. Sort by: last update. Dynabook Satellite PSC08C-05P019 BIOS 1.40 0 downloads. BIOS Update Utility (Windows 10 64bit, Windows 8.1 64bit) Download. Applicable Models. About this download. This utility installs an updated version of the BIOS software and provides the following changes and benefits. Download the EP.exe file to a temporary or download directory.
Due to a request I received by drakonn, Ill be covering how to enable the advanced and power tabs in the setup utility. Also special thanks to Florin9doi for his impressive knowledge of BIOS. I rewrote my splash screen tutorial based on his input.Theres not really much background information I can put here, Its kind of public knowledge that there are hidden tabs in the setup utility. I think this decision is ultimately up to the OEM, so HP decided that we dont need to have access to these hidden tabs. This is most likely because changing some settings can damager you computer, so theyre actually looking out for us. So heres a picture of what my unmodified setup utility looks like. If youd like to follow along with this tutorial by using the same BIOS that I am, then heres where you can download it.
As you can see, it currently has Main, Security, Diagnostics, System Configuration, and Exit tabs. So Ill show you how to enable the hidden tabs.
Ill try to keep all my tutorials as generic as possible, but I already know that this will be impossible. Rarely do different BIOS implement these restrictions in the exact same way, so dont expect this to be a surefire way to unlock your hidden tabs. As simple as I make these tutorials seem, it still took me several weeks to get each modification working on my own BIOS.
To get started make sure you unpack your BIOS installer so that you have access to the BIOS rom. Then open it with Andys tool, go to the structure view, check the Decompress Extracted Modules box, and extract the DXE Core module. The latest version of Andys tool can be downloaded here.
My extracted module is named 4A538818-5AE0-4EB2-B2EB-488B23657022.MOD. Yours might be named something different. So lets open that module with a hex editor, and search for a familiar string so that we can locate what module contains the setup utility. The hex editor I use is HxD. As a side note, my BIOS uses Unicode strings. This means that after each letter, theres a 00 hex character. This is because each character is actually two bytes long. I think all Insyde BIOS are that way, but Im not sure. So heres what I am going to search for, notice how I have blank characters between each letter. The name of one of my tabs is System Configuration, so the module that contains this string should also contain the setup utility.
So lets search for this string in our DXE Core module and see if it exists. Awesome! It found it at offset 0x1A8B8C.
Now we know were in the correct module. Now search for the hex values 4D 5A. These values are always at the start of a module, and the name of a module is always at the end of a module. So heres what it finds:
I circled the modules name in red. So now we need to remember the GUID of the SetupUtility module. Lets go back to Andys tool to see what it is.
My SetupUtility GUID is FE3542FE-C1D3-4EF8-657C-8048606FF670. So lets disassemble this module to get a better understanding of how to mod it. To do this we need to go into the DUMP folder that Andys tool makes when opening a BIOS file, and open the SetupUtility in there with IDA Pro. Here what Im saying:
And make sure you open the largest file whos name is similar to your SetupUtilitys GUID. Since mine was FE3542FE-C1D3-4EF8-657C-8048606FF670, Im going to open up the 531 kB file which is named similar, FE3542FE-C1D3-4EF8-657C-8048606FF670_2_480.ROM. So IDA Pro should automatically determine the file type. For me, its a Portable executable for AMD64.
So now that its disassembled, we have to find out where the tabs are located, then we can see what calls them. I created a program that can dump the internal forms representation used in EFIs human interface infrastructure. This can assist in finding the tab offsets, so you can download it here if you want to try using it. If youd rather find them manually, then in IDA Pro go to Search sequence of bytes. Then enter DF 42 4D B5 52 39 51 and press Ok. These hex values seem to always be in the header of the tabs, and are about 13 bytes after the start of the beginning of the tabs offset.
So lets double click on the first one, which takes us here. I said that that byte sequence was in the header, so we need to scroll up about 13 bytes to get to the start of the tab subroutine.
Just go to each one of the places where that bytes sequence occurred to find out the offsets were looking for. Make sure you write them down. Heres all mine.
Lets go back to the first tab and see where its being referenced from. Right click on the location, and select Xrefs to. This will display the connections between this offset and other functions. You can zoom in to get a better view. Heres mine:
At one of these location the setup utility is determining which tabs to show. This calling function will probably be closer to the start of the modules code, because thats where it is initialing everything. So lets double click on the first calling location and see if it looks suspicious.
Update Insydeh20 Bios
Heres the calling location:
You might be able to determine in IDA Pros Graph overview that this subroutine is most likely what switches between the tabs when you press left and right. It does references all the tab offsets, but this is just to determine which one its currently selecting. This function is not the one were looking for. If you want to make sure of this, you can modify some conditional jumps, but you will probably brick your computer this way. I should make a tutorial on how to recover from a brick. Lets check out the next calling function.
If you ever have trouble selecting the different calling functions in IDA Pro you can right click on the DATA XREF and select Jump to cross reference. Then just double click on the address to jump to that location.
So heres what the second calling function looks like. Dont be surprised that its not in a flow chart view. IDA Pro isnt perfect, so sometime it cant produce this style for all function. As a side note, you can press the space bar to swap back and forth between the flow chart view and the assembly view. Since I know how this tutorial is going to end, Im going to tell you that this is the function that decides what tabs are available in my BIOS. In yours, you might have to go through several more of the calling function before you find the one your looking for.
Since we cant see the bigger picture of this subroutine easily, well have to look through it. The main things you want to search for are conditional jumps that avoid one of the tab offsets. So once again, heres the ones Im searching for:
Back to the second calling function. Wow! Almost immediately I notice almost all of my tab locations being referenced. Theres also two conditional jumps:
And the second conditional jumps hex values are 74 0A. The first byte is the type of jump and the second is where its going to jump to. This is a short jump, and the hex value for an unconditional short jump is EB. So heres what were actually changing:
So heres what the resulting changes look like:
Now the program always jumps to 0x180001099 which references those two tabs. So lets try this out. Produce a DIF file in IDA Pro by going to File Produce file Create DIF file. I recommend you dont save it in the DUMP folder because it will most likely be deleted by Andys tool at some point. A DIF file contains the offsets and changes that we made in IDA Pro. IDA Pro cant physically edit a file, so we have to use the information in the DIF file and a hex editor to apply the changes. You can close IDA Pro now. Before actually applying the changes with a hex editor, go back to Andys tool and press the Advanced button. We want to enable the ability to make modifications to the modules. So these are the settings I changed. I also checked No SLIC because otherwise we would have to select a SLIC table in order to repack our changes. Im fine with my BIOS current SLIC table.
Press Done to get back to the main screen of Andys tool. Then press the Go button. When this message comes up, dont press Ok yet.
We need to modify the setup utility module first. So open the same file we disassembled with a hex editor and apply the changes based on what the DIF file says.
Save the file. Now you can press Ok on the message from Andys tool, and it should repack your BIOS with your modified SetupUtility module. Lets try it out. Rename Andys tools outputted file, mines named 01448F29_SLIC.bin, to what the original rom was called, mines 01448F29.bin. Thisll replace the original rom with the modified one. Now run InsydeFlash.exe. Press Start, wait for it to initialize, then press Ok. It will now flash your computer with you modified BIOS then restart. Upon startup, press the key that corresponds to your setup utility, mines F10, to view your changes. Heres mine:
NO WAY!! An advanced tab! Thats weird??? Why didnt it unlock two tabs? Shouldnt there be seven tabs now? As it turns out, I havent found a way to enable all seven tabs at once in my BIOS. But I do have a way of replacing an existing tab with this hidden seventh tab. Lets go back to the disassembled code where we changed the jump locations. Now lets change one of the referenced tabs to the seventh tab. My hidden tab is at address 0x18007F490 (I know this because its the only one not referenced in the disassembled function we edited), so lets change the line of code 'lea rax, 0x18007FA00' to reference this tab.
The hex values for this line are 48 8D 05 55 E9 07 00. The first three bytes are the load affective address into rax part, and the last four bytes are the offset of the address. This is a relative address based off of the current instructions address. And its stored in little endian. So if your good with math you can determine the new values with a calculator, or you can just changes some values and see if theyll work right by seeing what IDA Pro displays. Heres what mine looked like when I was finished:
Now do the same procedure as before with the DIF file, hex editor, and Andys tool to produce a newly modified BIOS. Now flash it, and one of the tabs should be replaced with a different one.
HMMMM.. that power tab doesnt have anything new in it that the advanced tab didnt already have. I guess there is something new about interrupts under one of the settings, which Ill never change anyway. I hope your power tab isnt as lame as mine. So Im just revert it back to having the advanced tab instead.
This method of replacing one tab with another is probably the easiest way of unlocking one of the hidden tabs. The only downside to it is that youll have to give up one of the other tabs.
Insyde Bios Flash Utility Downloads
I hope you enjoyed this tutorial. I know it was a long one, but it was worth reading because it did cover some pretty good fundamentals of reverse engineering. IDA Pro makes this process much easier since it can quickly show what references what at any time. You can still do this same process with any other disassembler, but it probably wont be as easy.
Available link for download
Some time ago I bought an Alienware M14xR2 as my last laptop broke down. Lately, Alienware published an update for my BIOS that I can't burn in my computer because I only use Archlinux. W d gann pdf. By googling a bit I quickly found a tool for burning the BIOS in a DOS command line but I would need to have a look to the update package.
Just by executing the update file in a virtual machine in windows I soon figured out it was a self extracting package. I just searched %TEMP% files for the extracted version.
Ding.wav is just audio. I suppose it is played when flash is finished.Just by reading the header of the ini files we can guess they are configuration files for the flasher utility. The format is self explained in comments. In line 61 I found that the file I wanted for flashing was isflashWin.bin but after a fast attempt with FreeDOS and the tool I mentioned before I realised that the format was not FD as it should so I googled a bit more. As it turns out, Insyde has released a new update file format and as it seems it isn't documented.
Inside the file I found a section that is exactly the same as the configuration file and it is preceded by a string quite suspicious.
Insyde Bios Flash Utility Download Free
I think these headers separate sections of the file as they are all 16 characters long. By having a look inside Hexedit I found that there is a padding of 8 bytes between the last character and some famous file magic numbers. I've done a simple python script (filesplitter) for splitting this kind of files and continue the analysis.
Part number four is clearly the configuration file. If you are trying to tweak parameters in platform.ini note that it wont work, but if you modify this part of the binary file it will. It seems that Insyde is now using the platform.ini only to point to the update file (isflashWin.bin) and then the utility just parses the configuration from there.I had no success in running one and two. I've tried FreeDOS and Windows 98 in DOS mode which should have support for MZ executables but in the best case I got no output and in the worse some memory address exceptions.I found that number three is related to a utility called Flashrom but I don't have much time to investigate. Maybe some readers can point me in the right direction.After having a look to five in Hexedit I think it can be a BIOS image although I don't really know about this topic.
Although I could not flash my BIOS I could find some little information about this new format and I also found that MZ executable signatures weren't in the binary analysis tool I use (binwalk). The latest version of binwalk now looks for MZ executables.
Please enable JavaScript to view the comments powered by Disqus.comments powered by Disqus