How to Use New Phoenix Bios Mod Tool to Modify Phoenix/Dell/Insyde/EFI Bios Files

You need to login to view this posts content.

 

Is this statement out-of-date given that andyp says in his thread Tool-to-Insert-Replace-SLIC-in-Phoenix-Insyde-Dell-EFI-BIOSes "v1.40 - Can now mod Old Dell BIOSes!" ???? Sorry, I can't post a hyperlink.

I know of at least one mod that put a SLIC 2.1 into a DELL 3000 which was an XP only machine.

Benzofree​

 

sgkslt

Hello everyone!

I've got a problem while trying to backup an image with phlash16. Using a phlash16, i need an original *.wph file, even if i need just a backup of my image. Seems like the "WPH" part of file, which is not included into a ROM, provides flashing service. If I use an non-original BIOS image as an input (i.e. Phoenix trustedcore bios, but the other motherboard image), then either backup fails either i get a wrong image, that consists of a trash.

Is there is a way or an other flasher to read trustedcore image without specifying a original bios image?

 

Thanks for posting.
Just as as sharing point, I had to use DellBiosReset tool to unlock the Vostro 1014 SLIC (A07). Using the Asset.com from DOS didn't do the trick for me.

 

Easy to use tool. Thanks for sharing

 

Useful stuff to this thread I found

Quoted from url MJ0011 2009-10-15 14:54

Deactivate the Rootkit: Attacks on BIOS anti-theft
technologies
Alfredo Ortega, Anibal Sacco, Core Security Technologies
July 24, 2009
Contents
1 Introduction 2
2 Computrace Agent 2
2.1 BIOS code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2 Detail of agent operation . . . . . . . . . . . . . . . . . . . . . 3
3 Report URL redirection. Who is the thief? 4
3.1 Con guration block . . . . . . . . . . . . . . . . . . . . . . . . 4
4 Computrace Agent stub: Bios code execution 5
5 Factory-reset of permanent activation/deactivation 5
6 Further information 6
7 Conclusion 6
8 Acknowledgements 7
9 DCCU settings 7
Abstract
This is a report on our research into anti-theft technologies uti-
lized in the PC BIOS. In particular, we have analyzed the Computrace
BIOS agent and documented some design vulnerabilities that allow the
agents reporting address to be controlled. Additionally, we outline an
experimental method for re-setting the permanent activation/deacti-
vation capability of the persistent agent in the BIOS to the default
factory settings. We are certain that this available control of the anti-
theft agent allows a highly dangerous form of BIOS-enhanced rootkit
that can bypass all chipset or installation restrictions and reutilize
many existing features o ered in this kind of software.
1
1 Introduction
Computer-based anti-theft technologies are used to prevent or deter the
unauthorized appropriation of a physical system.
Embedded into the BIOS of most notebooks sold since 2005, when anti-
theft technology vendors Phoenix[2] and Absolute[1] reached a licensing
agreement[3] they are extremely popular today. According to the vendors
own corporate fact sheet[4], Phoenix is the dominant leader in the market
for portable BIOS, with 60% of all sales , and BIOS o ers a high level of
persistence, making it the ideal place for anti-theft technologies to reside.
The system works by periodically reporting back to a central authority.
In the event of theft, the central authority can instruct the resident agent to
wipe all information as a security measure, or to track the whereabouts of
the system, to help recover the stolen items via subsequent law enforcement
activities1. In order to be an e ective system, the anti-theft agent must be
stealthy, must have complete control of the system, and most importantly,
must be highly persistent because wiping of the whole system most often
occurs in the case of theft.
This activity is also consistent with rootkit behavior, the only di erence
being that rootkits are generally malicious, while anti-theft technologies act
as a form of protection against thieves.
However, in the course of researching matters of BIOS security we found
that a lack of strong authentication in the most popular anti-theft tech-
nologies are the source of vulnerabilities that can lead to a complete and
persistent compromise of an a ected system, as we will explain in the rest
of this article.
2 Computrace Agent
While doing the research that resulted in the publication of the 'Persistent
BIOS Infection' article at the CanSecWest and Syscan Conference in early
2009, the Computrace persistent Agent was found in multiple notebook
BIOS systems. Upon further investigation, a complete description of the
agent was found on the United States Patent Application US 2006/0272020
A1. This information is in the public domain, and many complaints about
1from Absolute site: "Absolute has partnerships with tier one PC OEMs such as Dell,
Fujitsu, Gateway, HP, Lenovo, Motion Computing, Panasonic and Toshiba. Embedded
in the BIOS rmware of a computer, the Computrace Agent can survive operating system
re-installations, hard drive reformats and even hard drive replacements. The company
has reselling partnerships that extend beyond this list of OEMs that include global leaders
such as Apple and Toshiba. Absolute has also established strategic relationships with more
than 1000 police departments, government security agencies and private security rms
throughout North America and around the world."
2
the involved technology have been posted online, some even with valid in-
structions for erasing Computrace completely from the BIOS [6].
The Agent in question is a PCI Option ROM embedded version found
on most notebook BIOS, and some Desktop BIOS systems as well. The
Optional ROM is deactivated by default as the PCI device that it refers
to (1917:1234) doesn't exist. Upon activation, it modi es the underlying
Windows le system directly from the BIOS2, installing a new service and
modifying various core system les like the registry, and self-healing mech-
anisms including Autochk.exe.
The Computrace anti-theft system also has the capability to read Bit-
locked le systems on Windows Vista.
The BIOS Agent supports Windows 98/XP and Vista, with either FAT32
or NTFS le systems. We studied many versions of the Computrace Agent,
including V80.845 and V80.866. Once installed and with Windows fully
booted, the agent runs as a Windows service and proceeds to contact a
remote system and wait for orders. This process can consist in the down-
loading of additional software or reporting of various run-time parameters.
2.1 BIOS code
The following hexadecimal dump details the Computrace PCI Option ROM
header found inside the BIOS of a HP 9420 notebook computer. The Option
ROM is deactivated because it correspond to the PCI Device 1917:1234,
inexistent on the system.
00000000 55 aa 2a eb 15 43 6 f 6d 70 75 54 72 61 63 65 20 jU. . . CompuTrace j
00000010 56 38 30 2 e 38 36 36 78 1d 00 e9 5 c 01 50 43 49 jV80 .866 x . . . n . PCI j
00000020 52 17 19 34 12 00 00 18 00 00 06 00 00 2a 00 00 jR . . 4 . . . . . . . . . . . j
Interestingly, Computrace uses the UPX packing software, version 1.00,
you can see the UPX! signature near o set 0x200:
00000200 57 e9 45 e2 55 50 58 21 0b 01 04 09 45 78 74 75 jW.E.UPX! . . . . Extu j
00000210 c2 ae 1a 79 58 e2 b9 4 f 04 26 ed f f 8 c 16 00 f f j . . . yX . .O. & . . . . . . j
2.2 Detail of agent operation
When installed, the deployed agent registers itself as a normal windows ser-
vice using the name "Remote Procedure Call (RPC) Net". This name, with
slight variations, is also used by Windows to refer other legitimate services
as "Remote Procedure Call (RPC)" (Used to provide the endpoint map-
per and other RPC Services) and "Remote Procedure Call (RPC) Locator"
(In charge of managing the RPC name service database). In this way, the
registered service could be easily confused with these legitimate Windows
services, except for its lack of a description. The service is implemented on
the rpcnet.exe or rpcnetp.exe le.
2The Agent has small but functional le system drivers
3
3 Report URL redirection. Who is the thief?
The persistent agent uses a con guration method consisting in a 512-byte
block of data. This block contains con guration items like IP, port and URL
of report, as well as expiration date and AT commands (The agent also has
modem reporting capabilities). The block can reside in many places. It's
hard-coded inside the Option-ROM, with the 'search.namequery.com' URL
and IP used as the default reporting point, as we show in section3.1.
However, on the rst run this con guration block is copied in many
places, including the registry and hard-disk inter-partition space. Allowing
the agent in this way to survive hard disk formats. Again, the obfusca-
tion method used in this con guration block is a XOR operation, this time
against the 8-bit key 0xB5. The block is obfuscated on a slightly more con-
voluted way on the registry. But the encryption algorithm is similar, making
the modi cation trivial.
We are presenting a method to search and modify this con guration
block, pointing the IP and URL to a malicious site, where un-authenticated
payloads can be directed to the involved notebook. Modi cation of the block
in the inter-partition space allows for a format-resistant malicious agent.
On unsigned BIOSes, direct Option ROM modi cation of the con guration
block allows for a very persistent and dangerous form of rootkit, taking in
account that anti-virus software will ignore the agent, recognizing it as the
normal Computrace agent, as no modi cation to the Agent itself is being
made.
3.1 Con guration block
Below is the con guration block used by the Computrace agent V80.866, it
was extracted from the Option ROM with the UPX utility. The Con gura-
tion block starts at o set 0x3c38:
00003 c30 00 00 00 00 00 00 00 00 04 02 00 00 80 1 e 04 01 j . . . . . . . . . . . . . . . . j
00003 c40 00 40 00 1 f 04 00 00 00 00 10 0a f 4 f 4 85 f 8 84 j .@ . . . . . . . . . . . . . . j
00003 c50 ec 85 85 85 85 1d 02 00 00 46 06 00 00 00 00 00 j . . . . . . . . . F . . . . . . j
00003 c60 00 47 06 00 00 00 00 00 00 48 1a b5 e5 64 80 c4 j .G. . . . . . . H. . . d . . j
00003 c70 a2 c6 d0 d4 c7 d6 dd 9b db d4 d8 d0 c4 c0 d0 c7 j . . . . . . . . . . . . . . . . j
00003 c80 cc 9b d6 da d8 0a 02 07 10 06 06 00 00 00 00 00 j . . . . . . . . . . . . . . . . j
00003 c90 00 07 06 00 00 00 00 00 00 0 f 06 b6 69 ce 05 05 j . . . . . . . . . . . . i . . . j
00003 ca0 96 08 06 19 99 08 08 12 12 0b 02 62 03 14 04 39 j . . . . . . . . . . . b . . . 9 j
00003 cb0 00 80 00 20 04 00 00 00 00 15 04 00 00 00 00 19 j . . . . . . . . . . . . . . . j
00003 cc0 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 j . . . . . . . . . . . . . . . . j
00003 cd0 00 00 00 00 00 00 00 00 00 00 00 00 1a 01 00 1b j . . . . . . . . . . . . . . . . j
00003 ce0 06 00 00 00 00 00 00 2d 01 b8 2d 01 b8 33 01 b8 j . . . . . . . . . . . 3 . . j
00003 c f 0 2b 04 f 4 e1 f 1 e1 28 03 00 00 00 01 38 01 e1 ed j + . . . . . ( . . . . . 8 . . . j
00003 d00 81 b8 33 01 b8 2b 04 f 4 e1 f 1 e1 28 03 00 00 00 j . . 3 . . + . . . . . ( . . . . j
00003 d10 01 23 01 00 00 00 00 00 00 00 00 00 00 00 00 00 j . # . . . . . . . . . . . . . . j
00003 d20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 j . . . . . . . . . . . . . . . . j
00003 e30 00 00 00 00 00 00 7 f 00 00 00 00 00 00 00 00 00 j . . . . . . . . . . . . . . . . j
Doing a 8-bit XOR with 0xB5, we can see the plain-text con guration:
00000000 b1 b7 b5 b5 35 ab b1 b4 b5 f 5 b5 aa b1 b5 b5 b5 j . . . . 5 . . . . . . . . . . . j
00000010 b5 a5 bf 41 41 30 4d 31 59 30 30 30 30 a8 b7 b5 j . . . AA0M1Y0000 . . . j
00000020 b5 f 3 b3 b5 b5 b5 b5 b5 b5 f 2 b3 b5 b5 b5 b5 b5 j . . . . . . . . . . . . . . . . j
00000030 b5 fd a f 00 50 d1 35 71 17 73 65 61 72 63 68 2 e j . . . . P. 5 q . s ear ch . j
00000040 6 e 61 6d 65 71 75 65 72 79 2 e 63 6 f 6d bf b7 b2 j namequery . com . . . j
00000050 a5 b3 b3 b5 b5 b5 b5 b5 b5 b2 b3 b5 b5 b5 b5 b5 j . . . . . . . . . . . . . . . . j
00000060 b5 ba b3 03 dc 7b b0 b0 23 bd b3 ac 2 c bd bd a7 j . . . . . f . . # . . . , . . . j
00000070 a7 be b7 d7 b6 a1 b1 8 c b5 35 b5 95 b1 b5 b5 b5 j . . . . . . . . . 5 . . . . . . j
4
00000080 b5 a0 b1 b5 b5 b5 b5 ac ae b5 b5 b5 b5 b5 b5 b5 j . . . . . . . . . . . . . . . . j
00000090 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 j . . . . . . . . . . . . . . . . j
000000 a0 b5 b5 b5 b5 a f b4 b5 ae b3 b5 b5 b5 b5 b5 b5 98 j . . . . . . . . . . . . . . . . j
000000b0 b4 0d 98 b4 0d 86 b4 0d 9 e b1 41 54 44 54 9d b6 j . . . . . . . . . .ATDT. . j
000000 c0 b5 b5 b5 b4 8d b4 54 58 34 0d 86 b4 0d 9 e b1 41 j . . . . . . TX4 . . . . . . Aj
000000d0 54 44 54 9d b6 b5 b5 b5 b4 96 b4 b5 b5 b5 b5 b5 jTDT . . . . . . . . . . . . . j
000000 e0 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 j . . . . . . . . . . . . . . . . j
000001 f 0 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 b5 ca j . . . . . . . . . . . . . . . j
With the port clearly visible at o set 0x32, IP at o set 0x35 and URL
at 0x39. The communication is made via plain HTTP connections, using
wininet.dll exported functions.
This is the hard-coded block located on BIOS. When installed, the agent
copies this block to the registry keys:
HKEY LOCAL MACHINEnSYSTEMnCurrentControlSetnServicesnrpcnetnParameters
or
HKEY LOCAL MACHINEnSYSTEMnCurrentControlSetnServicesnrpcnetnParameters
subkey Security, depending if the Persistent (BIOS) agent is used or not.
Unpacked, the con guration block is easily modi able. By simply chang-
ing the URL or IP, we can redirect the agent queries to our site. This is very
easy to accomplish in the registry, but we don't have persistence for merely
modifying the registry. To modify the con guration of the persistent agent
we need to modify and re
ash the BIOS. This is possible in many systems
at the date of publication for this article, as unsigned BIOS are common.
4 Computrace Agent stub: Bios code execution
As we said on section 2, we found many incarnations of the persistent agent.
One particular example , found on notebooks like Dell Vostro 1510, is
the Computrace V 70.785 agent (this number may change with the BIOS
version). This agent doesn't contain any code except for a small stub used to
load additional code from a sector on the hard disk located outside normal
partitions. This is also documented on the public patent application US
2006/027220 A1.
The code on the hard-disk contains a small header that indicates the
stub where to load the code in the memory, and carry out a CRC-16 check.
We found the lack of code authentication in this particular case provides an
easy way to build a BIOS- rootkit attack, as an unauthorized privileged user
could put code on hard disk that will be executing directly on the BIOS.
5 Factory-reset of permanent activation/deactiva-
tion
On some notebooks models like the Dell Inspiron series, the persistent agent
can be permanently activated or deactivated with an option on the BIOS
setup utility. This is accomplished using SMBIOS Tokens, number 0x175
5
and 0x176 for activation and deactivation respectively, and the con guration
data is stored in NVRAM instead of CMOS.
We will show a method to reset the NVRAM via a malfunction of the
SMBIOS, producing a race-condition with the Dell Client Con guration
Utility (DCCU), therefore resetting the persistent agent activation status
to factory defaults. This allows for an all-software activation-deactivation
method, demonstrating that no permanent activation or deactivation can
be achieved. Please refer to Section 9 for instructions on how to reproduce
this failure in Dell Inspiron 1525 models.
6 Further information
There are other anti-theft technologies today that contains a BIOS-component,
like Phoenix Failsafe and Intel Anti-theft technology[5], but no research has
been conducted on those systems so far by CoreLabs.
7 Conclusion
At this time, we found three major problems with common Absolute-Computrace
Implementations:
1. Lack of authentication of con guration options, leading to report redi-
rection.
2. Lack of authentication of code in stub agent, leading to bios code
execution.
3. On at least one speci c setup, activation/deactivation of the Compu-
trace Agent can be reverted to factory defaults.
For issues 1 and 2 a digital signature scheme would x the issues. We
don't have any recommendation for the issue number 3 at this moment.
Furthermore, there are couple of issues that at the time of this report we
can't con rm:
4 Unauthenticated code download from the Agent once activated.
5 Unauthenticated BIOS agent activation.
Issues 1, 4 and 5 combined would allow for an extremely dangerous BIOS-
assisted rootkit software attack to be deployed on the majority of notebooks
today.
Issue 2 is dangerous by itself, providing a simple and reliable method
to execute any code in the context of the BIOS, once the Option-ROM is
activated.
6
8 Acknowledgements
Thanks to Core Security for giving us the space and resources to work in
this project.
To Anton Borisov for his excellent bios analysis tools, phnxdeco, awardeco
and many others.
Finally, to the Coreboot project for his FlashRom tool, that did the heavy
lifting work on our research.
9 DCCU settings
You can use the following XML le as TaskResult.xml, loading it via the
DCCU web interface. The version used is DCCU 3.0.1213. Loading into
DCCU and applying the settings to the BIOS will cause the malfunction
that will reset the NVRAM.
<root>
<command name=" Inventory ">
<prope r ty name="OnBoardDevices . AGPSlot" value="2" e r r o r c ode="0xFFFFFFFC" />
<prope r ty name="OnBoardDevices . Bui l t inNIC" value="3" e r r o r c ode="0x0" />
<prope r ty name="OnBoardDevices . Bui l t inFloppy " value="2" e r r o r c ode="0xFFFFFFFC" />
<prope r ty name="OnBoardDevices . Bui l t inNIC2 " value="2" e r r o r c ode="0xFFFFFFFC" />
<prope r ty name="OnBoardDevices . Bui l t inPo int ingDev i c e " value="2" e r r o r c ode="0xFFFFFFFC" />
<prope r ty name="OnBoardDevices . Int egrat edAudio " value="2" e r r o r c ode="0xFFFFFFFC" />
<prope r ty name="OnBoardDevices . InternalMiniPCI " value="2" e r r o r c ode="0xFFFFFFFC" />
<prope r ty name="OnBoardDevices .MediaCardAnd1394" value="2" e r r o r c ode="0xFFFFFFFC" />
<prope r ty name="OnBoardDevices . Microphone " value="2" e r r o r c ode="0xFFFFFFFC" />
<prope r ty name="OnBoardDevices . Onboard1394" value="2" e r r o r c ode="0xFFFFFFFC" />
<prope r ty name="OnBoardDevices .OnboardModem" value="2" e r r o r c ode="0xFFFFFFFC" />
<prope r ty name="OnBoardDevices . Pa r a l l e lPo r tCo n f i g u r a t i o n " value="3" e r r o r c ode="0xFFFFFFFE" />
<prope r ty name="OnBoardDevices .PCCard" value="2" e r r o r c ode="0xFFFFFFFC" />
<prope r ty name="OnBoardDevices . PCCardAnd1394" value="3" e r r o r c ode="0x0" />
<prope r ty name="OnBoardDevices . PCISlot s " value="2" e r r o r c ode="0xFFFFFFFC" />
<prope r ty name="OnBoardDevices . SmartCardReader" value="2" e r r o r c ode="0xFFFFFFFC" />
<prope r ty name="OnBoardDevices . TabletBut tons " value="2" e r r o r c ode="0xFFFFFFFC" />
<prope r ty name="Dr ive s . IDECont rol ler " value="3" e r r o r c ode="0x0" />
<prope r ty name="Dr ive s . IntegratedSATACont rol ler " value="5" e r r o r c ode="0x0" />
<prope r ty name="USB. USBPortsExternal " value="3" e r r o r c ode="0x0" />
<prope r ty name="USB.USBWake" value="4" e r r o r c ode="0x0" />
<prope r ty name="MTN. ModuleBayDevice" value="3" e r r o r c ode="0x0" />
<prope r ty name="PWR.AutoOn" value="3" e r r o r c ode="0x0" />
<prope r ty name="PWR. AutoOnHour" value="0" e r r o r c ode="0x0" />
<prope r ty name="PWR. AutoOnMinute" value="0" e r r o r c ode="0x0" />
<prope r ty name="PWR. CPUVi r tual izat ion " value="4" e r r o r c ode="0x0" />
<prope r ty name="PWR. HardDiskAcousticMode " value="3" e r r o r c ode="0x0" />
<prope r ty name="PWR. MultiCore " value="3" e r r o r c ode="0x0" />
<prope r ty name="PWR. SingleCoreTurboMode " value="3" e r r o r c ode="0x0" />
<prope r ty name="PWR. SpeedStep " value="3" e r r o r c ode="0x0" />
<prope r ty name="PWR.WakeupOnLAN" value="3" e r r o r c ode="0x0" />
<prope r ty name="POST. ExternalHotkey " value="3" e r r o r c ode="0x0" />
<prope r ty name="POST. FastBoot " value="4" e r r o r c ode="0x0" />
<prope r ty name="POST. Keypad" value="2" e r r o r c ode="0x0" />
<prope r ty name="POST.NumLock" value="3" e r r o r c ode="0x0" />
<prope r ty name="POST. USBEmulation" value="4" e r r o r c ode="0x0" />
<prope r ty name=" Se cur i t y . Ch a s s i s I n t r u s i o n " value="2" e r r o r c ode="0xFFFFFFFC" />
<prope r ty name=" Se cur i t y . Cha s s i s Int rus i onSt a tus " value="4" e r r o r c ode="0xFFFFFFFE" />
<prope r ty name=" Se cur i t y . NoExecute" value="4" e r r o r c ode="0x0" />
<prope r ty name=" Se cur i t y . PasswordBypass " value="3" e r r o r c ode="0x0" />
<prope r ty name=" Se cur i t y . TrustedPlatformModule " value="2" e r r o r c ode="0xFFFFFFFC" />
<prope r ty name=" Se cur i t y . Trus tedPlat formModuleAct ivat ion " value="2" e r r o r c ode="0xFFFFFFFC" />
<prope r ty name="Wi r e l e s s . Blue toothDevi c e s " value="3" e r r o r c ode="0x0" />
<prope r ty name="Wi r e l e s s . Ce l lul a rRadi o " value="3" e r r o r c ode="0x0" />
<prope r ty name="Wi r e l e s s . RadioTransmi s s ion " value="2" e r r o r c ode="0xFFFFFFFC" />
<prope r ty name="Wi r e l e s s .WiFiCatcherChanges " value="4" e r r o r c ode="0x0" />
<prope r ty name="Wi r e l e s s .WiFiLocator " value="3" e r r o r c ode="0x0" />
<prope r ty name="Wi r e l e s s .WirelessLAN" value="3" e r r o r c ode="0x0" />
<prope r ty name="Wi r e l e s s . Wi r e l e s sSwi t chBlue toothCont rol " value="3" e r r o r c ode="0x0" />
<prope r ty name="Wi r e l e s s . Wi r e l e s sSwi t chCe l lul a rCont r o l " value="3" e r r o r c ode="0x0" />
<prope r ty name="Wi r e l e s s . Wi reles sSwi tchWi reles sLANCont rol " value="3" e r r o r c ode="0x0" />
<prope r ty name="SS . AssetTag " value="Hola l o c o " e r r o r c ode="0x0" />
<prope r ty name="Conf i gur a t i on . PropertyOwnershipTag " value="Tags e rvi c e " e r r o r c ode="0x0" />
7
<prope r ty name="SS . BIOSDate" value="20060609T00:00:00 " e r r o r c ode="0x0"/>
<prope r ty name="SS . BIOSVersion" value="XXXX" e r r o r c ode="0x0"/>
<prope r ty name="SS . SystemName" value="Test " e r r o r c ode="0x0"/>
<prope r ty name="SS . PowerMgtSupported" value="5" e r r o r c ode="0x0"/>
<prope r ty name="SS . Status " value="" e r r o r c ode="0x8004100E"/>
<prope r ty name="SS . ServiceTag " value=" " e r r o r c ode="0x0"/>
<prope r ty name="SS . Sys t emDe s c r ipt ion " value=" " e r r o r c ode="0x0<prope r ty name="SS . SystemVendor" value=" " e r r o r c ode="0x0"/>
<prope r ty name="SS . Proces sorType " value="1" e r r o r c ode="0x0"/>
<prope r ty name="SS . Proc e s sorSpe ed " value=" 2666 " e r r o r c ode="0x0"/>
<prope r ty name="SS . SystemClass " value="1" e r r o r c ode="0x0"/>
<prope r ty name="SS . AssetTag " value=" " e r r o r c ode="0x0"/>
<prope r ty name="SS . ManufacturerDate " value="" e r r o r c ode="0x8004100E"/>
</command>
</ root>

 

Does anyone by any chance have the slic 2.1 bios 1.7 for the Aopen i945GTt-VFA phoenix bios please ?

 

Can anyone help me.
SLIC 2.1 MOD Request
-Model & Machine Type: ThinkPad x201i 3249-PF8
-Bios Revision : 1.32
-Bios Type : Phoenix
-Bios SLIC : now no have SLIC, wants 2.1
-RW-Everything: View attachment 8152

i don't understand what of this file's i must modify whith phoenixtool:
$01C2100.FL1 1.6MB
$01C2100.FL2 3MB
$01C3100.FL2 3MB

thx
-----------------------------------------
UPD. thx for all, already done whith $01C2100.FL1

 

If this is true with phlash16 which I already tried already. I looking for a bios viewer or edit tool.

 

You need to login to view this posts content.

 

You need to login to view this posts content.

 

hmm, but what is the mistake i made

 

You need to login to view this posts content.

 

@roman

but i see you use a RW too?? i thought not needed?

no certificate needed?

i am

 

RW report yes, certificate no.

 

many THX - i have succesfuly do it

but one question... must the RW file made for every new moding bios?...so, comes a new version of bios i must build the RW file new?

 

Yes. New BIOS = new RW report.

 

Extremely interesting information. I will have to try this out on a couple of different test machines. Thank you.

 

Greetings to all!

I had a pair of questions.
In last 2 months I see Acer Aspire 5742ZG with Insyde bios that cant be moded by me. I was tried latest tools by andys but:
1.When i flash via Windows it brick notebook (after i restore it)
2.When i try to flash via FLAs**t.EXe it gives me errors something about IHISI.

I`m using latest andys tool+AcpiTbl.rw+cert. Nothing more.
Only one metod works when Phoenix Tool says that SLIC perfomed sucessfuly it when i use "Dynamic" method.
SSV2 and Module wont work for me and tools gives a Error.

After. Past time i see that many advanced people from this forum (big thx for them! ) when replying to somebody BIOS mod request answer like:

I understand that BIOS what moded whith Phoenix Tool and without SLIC(?! SLIC already in NoteBook but DISABLED/HIDDEN?)+HEX EDIT.

I dont understand what there need to be HEXED? Can anybody give me a some more information regarding this procedure or some more information?

 

only the moder can give you the answer, but something you can do, is to compare all modules from original bios with modules from moded bios with the command FC /b.