Extracting boot logo & other stuff from a UEFI Tiano/Insyde .FD image

Discussion in 'BIOS Mods' started by Eman Resu, May 11, 2017.

  1. Eman Resu

    Eman Resu MDL Novice

    Aug 31, 2009
    2
    1
    0
    There are essentially two ways to extract graphics from an .FD UEFI BIOS image:

    (1) Look for capsules with specific GUIDs known to contain it, such as:
    Code:
    E5BBF7BE-2417-499B-97DB-39F4896391BC,SplashLogoPackage
    1FFF93C2-8C76-49E4-8AB3-43D92F5445EF,LogoJpg
    6F0CF054-AE6A-418C-A7CE-3C7A7CD74EC0,LogoPcx
    (2) Search for magic strings associated with particular image formats, for example:
    • BMP: "BM" string
    • GIF: "GIF89a" string
    • JPEG: "JFIF" string
    • PCX: hexadecimal 0A 05 01 08
    The .FD image can be decompressed with a number of tools, in particular: Phoenix Tool, UEFI Tool, or simply binwalk. The last two also include search capabilities. Otherwise, files can be searched with grepWin once decompressed.

    I've succesfully extracted boot logos and other graphics from a number of Lenovo laptop BIOSes using the above methods, all of which yield the same results. Here's an example of what can be found once decompressed:

    Code:
    # <GUID>
    [<LaptopModel>_<BiosVersion>] <File>
    
    # 1FFF93C2-8C76-49E4-8AB3-43D92F5445EF,LogoJpg
    [B460_1DCN26WW_4FCNAWW] 1024x768 JPEG: Boot logo (40,693 bytes; inside CRC32 GUID: FC1BCDB0-7D31-49AA-936A-A4600D9DD083)
    
    # 6F0CF054-AE6A-418C-A7CE-3C7A7CD74EC0,LogoPcx
    [Y700_CDCN53WW] 1024x768 PCX, 8-bit: All black (27,068 bytes)
    
    # 771F77D1-13AF-48BF-2584-773D389E33CA
    [Y700_CDCN53WW] 360x360 JPEG: "Invalid Public Key for Secure Flash" (17,656 bytes)
    
    # 931F00D1-10FE-48BF-AB72-773D389E3FDA
    [Y700_CDCN53WW] 208x157 BMP, 8-bit: Intel logo (33,236 bytes)
    
    # 931F77D1-10FE-48BF-AB72-773D389E3FAA
    [Y700_CDCN53WW] 300x300 BMP, 24-bit: Insyde logo (270,056 bytes)
    
    # 156A8FFE-62DB-4FF3-82AD-2EBD8A3E3DF7
    [Y520_4KCN24WW] [Y900_D0CN34WW] 768x432 GIF89a: Boot logo, animated (128,090 bytes)
    
    # 1F56B2F9-6E6D-4014-BFD4-37C9E5D398F1
    [Y520_4KCN24WW] 1536x864 GIF89a: Boot logo, animated (406,313 bytes)
    
    # E5BBF7BE-2417-499B-97DB-39F4896391BC,SplashLogoPackage
    [110_1QCN20WW] 548x308 JPEG: Boot logo (17,169 bytes; followed by a GIF w/icons)
    [110_1QCN31WW] 548x308 JPEG: Boot logo (53,046 bytes; followed by a GIF w/icons)
    [700_E5CN58WW] 548x308 JPEG: Boot logo (49,368 bytes; followed by several GIFs w/icons)

    However, none of the above methods manage to locate the boot logo in Lenovo Y700 images such as CDCN37WW.fd and CDCN53WW.fd, although it is clearly somewhere there. Can anyone tell me what I am missing?

    Download link for CDCN53WW.fd:
    • hxxp://rgho.st/8y47T65Hl (just unzip)
    • hxxps://download.lenovo.com/consumer/mobiles/cdcn53ww.exe (extract from .exe w/WinRAR or another tool)
    The logo that is somewhere inside the file:


    Lenovo Ugly Logo.jpg

    Possibly the logo is in a format other than BMP/GIF/JPG/PCX. The BIOS images have a "TgaDecoderDxe" module inside. Could there be any TGA (Targa) images there? If so, how to find them? Or is it something else altogether? Like obfuscation with XOR or something more sophisticated? Suggestions appreciated.
     
  2. Mikorist

    Mikorist MDL Member

    Dec 26, 2012
    205
    144
    10
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. Flipp3r

    Flipp3r MDL Expert

    Feb 11, 2009
    1,962
    904
    60
    You need to be careful with the FPT command as you can loose your Mac Address, UUID, etc from your bios/uefi...
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  4. Mikorist

    Mikorist MDL Member

    Dec 26, 2012
    205
    144
    10
    #5 Mikorist, Apr 29, 2020
    Last edited: Apr 29, 2020
    A few days ago a new board for the g50-70 arrived at my place. There was no Mac Address, UUID, serial, Computer Model ... in the bios.

    "9acn28ww" installed ...i downgrade it to version 9ACN26WW - then used same sleep bug to clone my old motheboard - backup of bios.bin

    now i have two laptops with cloned bios - with identical serial, UUID... otherwise I have a couple of bios chips in reserve if i bricked Bios;)
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...