How to properly identify OEM Certificates

Discussion in 'BIOS Mods' started by crypto, Mar 14, 2009.

  1. crypto

    crypto MDL Member

    Nov 3, 2008
    114
    364
    10
    #1 crypto, Mar 14, 2009
    Last edited by a moderator: Apr 20, 2017
    Unlike SLIC tables, OEM Certificates aren't as easy to identify.
    So here's a little tutorial that will allow you to properly identify an OEM Certificate, and match it with its correspondent SLIC table.

    Tools needed:
    - WinHex

    Note: I will use as an example, the ubiquitous Asus SLIC table and OEM Certificate.

    1. Open up the OEM Certificate with Winhex.


    2. Locate and highlight the software licensing data (it always starts with "kgAAAAAAA").
    In this case (Asus certificate) we will highlight this:
    Code:
    kgAAAAAAAgBfQVNVU18BAAEAb5Kd3LN57icmCPjcW9hfSyE0q2DskMfC1WDV9dmC+S6+6EM41cJbniW4k80VuBvDMH2tVWl5vRp+RMi8WVoXvoGt7+6WITfMikJixhQFCSFpeuGMSs7WyBh4eIYrMGOm5WS30hReK0S+MxJra6O9noW7vmzhsTPC2pGA80S0yp8= 

    3. Go to "Edit" > "Copy Block" > "Into New File".
    Give it any name you want and save. You will get this:
    Code:
    Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
    
    00000000   6B 67 41 41 41 41 41 41  41 67 42 66 51 56 4E 56   kgAAAAAAAgBfQVNV
    00000010   55 31 38 42 41 41 45 41  62 35 4B 64 33 4C 4E 35   U18BAAEAb5Kd3LN5
    00000020   37 69 63 6D 43 50 6A 63  57 39 68 66 53 79 45 30   7icmCPjcW9hfSyE0
    00000030   71 32 44 73 6B 4D 66 43  31 57 44 56 39 64 6D 43   q2DskMfC1WDV9dmC
    00000040   2B 53 36 2B 36 45 4D 34  31 63 4A 62 6E 69 57 34   +S6+6EM41cJbniW4
    00000050   6B 38 30 56 75 42 76 44  4D 48 32 74 56 57 6C 35   k80VuBvDMH2tVWl5
    00000060   76 52 70 2B 52 4D 69 38  57 56 6F 58 76 6F 47 74   vRp+RMi8WVoXvoGt
    00000070   37 2B 36 57 49 54 66 4D  69 6B 4A 69 78 68 51 46   7+6WITfMikJixhQF
    00000080   43 53 46 70 65 75 47 4D  53 73 37 57 79 42 68 34   CSFpeuGMSs7WyBh4
    00000090   65 49 59 72 4D 47 4F 6D  35 57 53 33 30 68 52 65   eIYrMGOm5WS30hRe
    000000A0   4B 30 53 2B 4D 78 4A 72  61 36 4F 39 6E 6F 57 37   K0S+MxJra6O9noW7
    000000B0   76 6D 7A 68 73 54 50 43  32 70 47 41 38 30 53 30   vmzhsTPC2pGA80S0
    000000C0   79 70 38 3D                                        yp8=

    4. In the new file you've just created, go to "Edit" > "Convert..." > "Base64->Binary"
    You will get this:
    Code:
    Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
    
    00000000   92 00 00 00 00 00 02 00  5F 41 53 55 53 5F 01 00   ’......._ASUS_..
    00000010   01 00 6F 92 9D DC B3 79  EE 27 26 08 F8 DC 5B D8   ..o’ܳyî'&.øÜ[Ø
    00000020   5F 4B 21 34 AB 60 EC 90  C7 C2 D5 60 D5 F5 D9 82   _K!4«`ìÇÂÕ`ÕõÙ‚
    00000030   F9 2E BE E8 43 38 D5 C2  5B 9E 25 B8 93 CD 15 B8   ù.¾èC8ÕÂ[ž%¸“Í.¸
    00000040   1B C3 30 7D AD 55 69 79  BD 1A 7E 44 C8 BC 59 5A   .Ã0}*Uiy½.~DȼYZ
    00000050   17 BE 81 AD EF EE 96 21  37 CC 8A 42 62 C6 14 05   .¾*ïî–!7ÌŠBbÆ..
    00000060   09 21 69 7A E1 8C 4A CE  D6 C8 18 78 78 86 2B 30   .!izáŒJÎÖÈ.xx†+0
    00000070   63 A6 E5 64 B7 D2 14 5E  2B 44 BE 33 12 6B 6B A3   c¦åd·Ò.^+D¾3.kk£
    00000080   BD 9E 85 BB BE 6C E1 B1  33 C2 DA 91 80 F3 44 B4   ½ž…»¾lá±3ÂÚ‘€óD´
    00000090   CA 9F 00                                           ÊŸ.

    As you can see, the information in the OEM Certificate (encoded in Base64) matches the one in the Asus SLIC:

    Code:
    Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F
    
    00000000   53 4C 49 43 76 01 00 00  01 4B 5F 41 53 55 53 5F   SLICv....K_ASUS_
    00000010   4E 6F 74 65 62 6F 6F 6B  24 06 00 11 4D 53 46 54   Notebook$...MSFT
    00000020   97 00 00 00 00 00 00 00  9C 00 00 00 06 02 00 00   —.......œ.......
    00000030   00 24 00 00 52 53 41 31  00 04 00 00 01 00 01 00   .$..RSA1........
    00000040   6F 92 9D DC B3 79 EE 27  26 08 F8 DC 5B D8 5F 4B   o’ܳyî'&.øÜ[Ø_K
    00000050   21 34 AB 60 EC 90 C7 C2  D5 60 D5 F5 D9 82 F9 2E   !4«`ìÇÂÕ`ÕõÙ‚ù.
    00000060   BE E8 43 38 D5 C2 5B 9E  25 B8 93 CD 15 B8 1B C3   ¾èC8ÕÂ[ž%¸“Í.¸.Ã
    00000070   30 7D AD 55 69 79 BD 1A  7E 44 C8 BC 59 5A 17 BE   0}*Uiy½.~DȼYZ.¾
    00000080   81 AD EF EE 96 21 37 CC  8A 42 62 C6 14 05 09 21   *ïî–!7ÌŠBbÆ...!
    00000090   69 7A E1 8C 4A CE D6 C8  18 78 78 86 2B 30 63 A6   izáŒJÎÖÈ.xx†+0c¦
    000000A0   E5 64 B7 D2 14 5E 2B 44  BE 33 12 6B 6B A3 BD 9E   åd·Ò.^+D¾3.kk£½ž
    000000B0   85 BB BE 6C E1 B1 33 C2  DA 91 80 F3 44 B4 CA 9F   …»¾lá±3ÂÚ‘€óD´ÊŸ
    000000C0   01 00 00 00 B6 00 00 00  00 00 02 00 5F 41 53 55   ....¶......._ASU
    000000D0   53 5F 4E 6F 74 65 62 6F  6F 6B 57 49 4E 44 4F 57   S_NotebookWINDOW
    000000E0   53 20 00 00 00 00 00 00  00 00 00 00 00 00 00 00   S ..............
    000000F0   00 00 00 00 00 00 24 B0  89 CF B1 F3 1D B8 7A 80   ......$°‰Ï±ó.¸z€
    00000100   35 CB CD 4A C8 2F 84 CE  99 A0 4F 38 76 B0 04 F9   5ËÍJÈ/„Ι*O8v°.ù
    00000110   6F 05 33 C7 EC A8 58 A6  D7 B7 3F 5B 82 B1 EE 2B   o.3Çì¨X¦×·?[‚±î+
    00000120   A7 81 52 F3 45 13 CE EE  D5 57 37 FE 75 5F 5C 62   §RóE.ÎîÕW7þu_\b
    00000130   C4 53 DA 86 F1 34 FA ED  91 86 73 9E D2 65 FD 8A   ÄSÚ†ñ4ú푆sžÒeýŠ
    00000140   3D 86 94 2F 2A 65 18 5C  D9 E5 7C 15 1E F2 08 C5   =†”/*e.\Ùå|..ò.Å
    00000150   85 C4 8F 0B FA A5 C3 A9  B0 F1 B2 E7 6A 46 FB 18   …Ä.ú¥Ã©°ñ²çjFû.
    00000160   01 5D 4C 36 33 DE FB E7  1D E8 15 C2 85 9F 8A A9   .]L63Þûç.è.Â…ŸŠ©
    00000170   32 68 1F B4 BC A8                                  2h.´¼¨
    BLUE - OEMID

    RED - RSA modulus

    ORANGE - RSA public exponent
    Always: 01 00 01 00 (65537)

    GREEN - Windows Marker version
    Always: 00 00 02 00 (0x20000)

    PURPLE - Size of the OEM Certificate's licensing data.
    Always: 92 00 00 00 (146 bytes)
     
  2. XcopyBR

    XcopyBR MDL Member

    Apr 25, 2008
    176
    2
    10
    Nice find, thanks !
     
  3. oho77

    oho77 MDL Junior Member

    Mar 8, 2009
    50
    2
    0
    I have broaden my horizons.Thank you
     
  4. האח_הגדול

    האח_הגדול MDL Novice

    Dec 22, 2008
    44
    1
    0
    #5 האח_הגדול, Apr 24, 2009
    Last edited by a moderator: Apr 20, 2017
    HEY!!...
    if you play with this more you can make for your name SLIC and cert :)

    i wonder if it can work :rolleyes: (slic from האח הגדול)
     
  5. offon7544

    offon7544 MDL Expert

    Sep 27, 2007
    1,018
    8
    60
    no you can't, this is digitally signed.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  6. FreeStyler

    FreeStyler MDL Guru

    Jun 23, 2007
    3,503
    3,614
    120
    #7 FreeStyler, May 9, 2009
    Last edited by a moderator: May 23, 2017
  7. xinso

    xinso MDL Guru

    Mar 5, 2009
    4,502
    5,601
    150
    Different LENOVO SLICs share the only same CERT

    Different TOSHBA SLICs must match different CERTs

    BOTH have got the same PUBKEY but didderent MARKERs!

    (Sorry, didn't mean to offend anybody, just to tell the truth)
     
  8. crypto

    crypto MDL Member

    Nov 3, 2008
    114
    364
    10
    I'm sorry, but I don't see what the problem is. :confused:
    The certificate authenticates both the Public Key AND OEMID.

    Lenovo SLICs have the same pubkey & OEMID ("LENOVO").
    This means that the same certificate will successfully authenticate all Lenovo SLICs.

    Toshiba SLICs have the same pubkey, but have different OEMIDs ("TOSHIB", "TOSINV", "TOSCPL", etc.).
    This means that you'll need different certs to authenticate different OEMIDs.
     
  9. xinso

    xinso MDL Guru

    Mar 5, 2009
    4,502
    5,601
    150
    Well, how about Packard Bell?
     
  10. crypto

    crypto MDL Member

    Nov 3, 2008
    114
    364
    10
    #12 crypto, Jun 27, 2009
    Last edited by a moderator: May 23, 2017
    (OP)
    What about it?
    As far as I'm aware, they all have the same OEMID ("PacBel"), but there are at least 2 different pubkeys, which means you'll need 2 different certs:
    - One is available here in the collection
    - The other was found by Yen, here
     
  11. telovoz

    telovoz MDL Novice

    Jul 13, 2009
    2
    0
    0
    #13 telovoz, Jul 13, 2009
    Last edited by a moderator: Apr 20, 2017
    Windows 7 RTM кеу?
     
  12. ruban George

    ruban George MDL Novice

    Jul 15, 2009
    7
    0
    0
    Hi crypto

    i need a favour from you .. can you please let me know what is the best tool to edit tokens.dat .. and it would be great if you could give me any tutorial about Winhex
     
  13. urie

    urie Moderator
    Staff Member

    May 21, 2007
    8,709
    3,066
    300
  14. tonyliu42

    tonyliu42 MDL Novice

    Aug 1, 2009
    1
    0
    0
    OH, thanx, learnt a lot
     
  15. elffin

    elffin MDL Novice

    Sep 12, 2009
    3
    0
    0
    Thank for the pubkeycompare.

    But, It seems that it can't verify the validation of Cert.

    I create a fake cert, and pubkeycompare says it match the SLIC.
     
  16. HPDV3

    HPDV3 MDL Novice

    Oct 9, 2009
    17
    0
    0
    - d e l e t e d -
     
  17. nutsergeakung

    nutsergeakung MDL Novice

    Mar 5, 2010
    10
    0
    0
    Nice find, thanks !