Extracting boot logo & other stuff from a UEFI Tiano/Insyde .FD image

Discussion in 'BIOS Mods' started by Eman Resu, May 11, 2017.

  1. Eman Resu

    Eman Resu MDL Novice

    Aug 31, 2009
    1
    0
    0
    There are essentially two ways to extract graphics from an .FD UEFI BIOS image:

    (1) Look for capsules with specific GUIDs known to contain it, such as:
    Code:
    E5BBF7BE-2417-499B-97DB-39F4896391BC,SplashLogoPackage
    1FFF93C2-8C76-49E4-8AB3-43D92F5445EF,LogoJpg
    6F0CF054-AE6A-418C-A7CE-3C7A7CD74EC0,LogoPcx
    (2) Search for magic strings associated with particular image formats, for example:
    • BMP: "BM" string
    • GIF: "GIF89a" string
    • JPEG: "JFIF" string
    • PCX: hexadecimal 0A 05 01 08
    The .FD image can be decompressed with a number of tools, in particular: Phoenix Tool, UEFI Tool, or simply binwalk. The last two also include search capabilities. Otherwise, files can be searched with grepWin once decompressed.

    I've succesfully extracted boot logos and other graphics from a number of Lenovo laptop BIOSes using the above methods, all of which yield the same results. Here's an example of what can be found once decompressed:

    Code:
    # <GUID>
    [<LaptopModel>_<BiosVersion>] <File>
    
    # 1FFF93C2-8C76-49E4-8AB3-43D92F5445EF,LogoJpg
    [B460_1DCN26WW_4FCNAWW] 1024x768 JPEG: Boot logo (40,693 bytes; inside CRC32 GUID: FC1BCDB0-7D31-49AA-936A-A4600D9DD083)
    
    # 6F0CF054-AE6A-418C-A7CE-3C7A7CD74EC0,LogoPcx
    [Y700_CDCN53WW] 1024x768 PCX, 8-bit: All black (27,068 bytes)
    
    # 771F77D1-13AF-48BF-2584-773D389E33CA
    [Y700_CDCN53WW] 360x360 JPEG: "Invalid Public Key for Secure Flash" (17,656 bytes)
    
    # 931F00D1-10FE-48BF-AB72-773D389E3FDA
    [Y700_CDCN53WW] 208x157 BMP, 8-bit: Intel logo (33,236 bytes)
    
    # 931F77D1-10FE-48BF-AB72-773D389E3FAA
    [Y700_CDCN53WW] 300x300 BMP, 24-bit: Insyde logo (270,056 bytes)
    
    # 156A8FFE-62DB-4FF3-82AD-2EBD8A3E3DF7
    [Y520_4KCN24WW] [Y900_D0CN34WW] 768x432 GIF89a: Boot logo, animated (128,090 bytes)
    
    # 1F56B2F9-6E6D-4014-BFD4-37C9E5D398F1
    [Y520_4KCN24WW] 1536x864 GIF89a: Boot logo, animated (406,313 bytes)
    
    # E5BBF7BE-2417-499B-97DB-39F4896391BC,SplashLogoPackage
    [110_1QCN20WW] 548x308 JPEG: Boot logo (17,169 bytes; followed by a GIF w/icons)
    [110_1QCN31WW] 548x308 JPEG: Boot logo (53,046 bytes; followed by a GIF w/icons)
    [700_E5CN58WW] 548x308 JPEG: Boot logo (49,368 bytes; followed by several GIFs w/icons)

    However, none of the above methods manage to locate the boot logo in Lenovo Y700 images such as CDCN37WW.fd and CDCN53WW.fd, although it is clearly somewhere there. Can anyone tell me what I am missing?

    Download link for CDCN53WW.fd:
    • hxxp://rgho.st/8y47T65Hl (just unzip)
    • hxxps://download.lenovo.com/consumer/mobiles/cdcn53ww.exe (extract from .exe w/WinRAR or another tool)
    The logo that is somewhere inside the file:


    Lenovo Ugly Logo.jpg

    Possibly the logo is in a format other than BMP/GIF/JPG/PCX. The BIOS images have a "TgaDecoderDxe" module inside. Could there be any TGA (Targa) images there? If so, how to find them? Or is it something else altogether? Like obfuscation with XOR or something more sophisticated? Suggestions appreciated.