InsydeH2O hidden forms patch, new python scripts

Discussion in 'BIOS Mods' started by SnakyJake, Jan 23, 2012.

  1. SnakyJake

    SnakyJake MDL Novice

    Jan 23, 2012
    8
    0
    0
    #1 SnakyJake, Jan 23, 2012
    Last edited: Jan 23, 2012
    Hello there,

    over the last days I was working on some python scripts for extracting InsydeH2O EFI bioses, especially KAV80.fd (Packard Bell Dot-S GE 070), patching hidden forms and recompile the bios with hidden forms visible.

    It took me about two weeks and now it works with my own bios. So I am looking for some people to test the scripts and mail me their bioses if it fails. If the scripts work with your bios they will unhide all hidden forms.

    Important: Run the tool TWICE!
    First with your original bios like "./main.py -v orgbios patchedbios", use -v option for being verbose
    Second run it again like "./main.py -v patchedbios" - now it should not find any hidden forms anymore. But just see if it breaks with any errors. The second step will rip the patched bios apart, checking all checksums and CRCs, so if this does not fail the bios will most probably work.

    Make sure you have some <fn>+<esc> recovery function on your system - just for the case.
    Also check, that the origbios and the patchedbios have the same size. The contents of the files will be quite different, sind the compressed sections are different (hiding code lays inside a compressed section which needs to be uncompressed, patched and recompressed)

    Please contact me and mail me your results.

    Link: www:jakobheinemann:De/insydeh2o_e.html
    (I may not post links, I just registered: replace colons with dots; maybe some admin can change this for me after checking the link)

    Thanks for testing.
     
  2. KaminoReal

    KaminoReal MDL Junior Member

    Dec 20, 2007
    76
    4
    0
    #2 KaminoReal, Jan 23, 2012
    Last edited: Jan 23, 2012
    Looked on your site, the archives are corrupt and individual scripts the same ... :confused:

    L.E. LOL Seems Firefox does not like your site, worked with IE :biggrin5:

    L.L.E Seems the scripts are only for linux, cant pass the lzma stuff :(
     
  3. SnakyJake

    SnakyJake MDL Novice

    Jan 23, 2012
    8
    0
    0
    Thanks for your quick reply. Yes - I only tested on Fedora 16, 32bit.

    The lzma-libs are evil stuff. lzenc.py I wrote by myself, using lzdec.py as template. In those two files you will find a line starting with "library_path = ..." and one down is another line for windows, which is commented. Just remove the hash infront of the windows-line and instead place one infront of the linux-line.

    Then you might give it a try on windows. Please tell me if you get it working...

    I will check my site. I use chrome, which works ok. Probably my provider sends some wrong headers :)
     
  4. KaminoReal

    KaminoReal MDL Junior Member

    Dec 20, 2007
    76
    4
    0
    Tried that already, only for decoder still no go. :|

    I will look tomorrow on clean mind again, need to remember how I did it with original marcan scripts, I remember was PITA then, I hate scripts LOL.

    Thanks for sharing, did a quick look, nice job! :cool:
     
  5. SnakyJake

    SnakyJake MDL Novice

    Jan 23, 2012
    8
    0
    0
    #5 SnakyJake, Jan 23, 2012
    Last edited: Jan 23, 2012
    (OP)
    i searched in google for liblzma.dll (for encoding), there should be something around.

    have a look at the original marcan script. I remember I had to switch this for working with linux :)

    Oh, and if you find those two dlls working, I would be happy to put them on my site for download, if you dont mind.

    I will try it the other day, so a windows package should be out soon
     
  6. SnakyJake

    SnakyJake MDL Novice

    Jan 23, 2012
    8
    0
    0
    Windows package is out. Rewrote lzdec.py to use same lib as lzenc.py does; liblzma.dll included in package!
    www:jakobheinemann:De/insydeh2o_e.html (at the bottom, insydeh2o_win.zip)
     
  7. KaminoReal

    KaminoReal MDL Junior Member

    Dec 20, 2007
    76
    4
    0
    Thanks and sorry for late response, was a hell of the day...

    Now worked but:
    I am sure there are a lot of hidden stuff, since I do use now a hacked setup, take a look on attached original BIOS and tool dump: http://www.mediafire.com/?qgw84xzq6pxvbfx
     
  8. SnakyJake

    SnakyJake MDL Novice

    Jan 23, 2012
    8
    0
    0
    Hi there,

    my netbook bios seems to be quite outdated - they changed the way of hiding the forms in newer bioses.
    I am working on a 2MB 64bit bios right now - which has different hiding mechanisms. When I found out how they done it there it also might work with your bios. May take a few days, I have to get lucky to find the right spot :)

    Thanks for the files, I will have a look at them
     
  9. KaminoReal

    KaminoReal MDL Junior Member

    Dec 20, 2007
    76
    4
    0
    Hi,

    My netbook is outdated too (32 bit Insyde EFI) :biggrin5:

    Lemme know if you find something.

    Thanks!
     
  10. SnakyJake

    SnakyJake MDL Novice

    Jan 23, 2012
    8
    0
    0
    Hi again,

    Your bios hides the forms differently - i even think, they are not hidden :) I found a piece of code within the SetupUtility, which checks for pressing key "a" or "A" and displays advanced and power forms if done so.

    So what you could check: press and hold "a", probably directly after pressing the key for entering the setup?

    Since I cannot test it I would appreciate your help. To what machine exactly does the bios belong to?
     
  11. KaminoReal

    KaminoReal MDL Junior Member

    Dec 20, 2007
    76
    4
    0
    Hi,

    Machine is Hp/Compaq Mini 311, you can read more about it and the hacks I made here:http://www.projectosx.com/forum/index.php?showtopic=1647

    Pressing a or A never worked, as you can read on that topic I already use a hacked setup, but i want to do my own and understand how Insyde make things... :rolleyes:

    Thanks for help!
     
  12. SnakyJake

    SnakyJake MDL Novice

    Jan 23, 2012
    8
    0
    0
    Insyde uses EFI, you will find lots of stuff searching for tianocore and edk/edk2.
    Lots of stuff to read, many hours of debugging and reading edk sources, huge bunches of structs typed into IDA and days later you will have quite a good idea of whats going on in their bios :)
     
  13. KaminoReal

    KaminoReal MDL Junior Member

    Dec 20, 2007
    76
    4
    0
    I know, playing with EDK stuff all day, just that I'm not "good friend" with IDA, not my thing, well I said the same about coding some time ago, who knows maybe one day IDA will go on my "like" list... :rolleyes:
     
  14. gabuclia

    gabuclia MDL Novice

    Feb 4, 2012
    2
    0
    0
    #14 gabuclia, Feb 4, 2012
    Last edited by a moderator: Apr 20, 2017
    Interesting project :) I tried your tool with two BIOS files (see below) for my own Sony Vaio VGN-TT11VN, but it fails in both cases:

    Code:
    Traceback (most recent call last):
      File "./main.py", line 2443, in <module>
        main()
      File "./main.py", line 2416, in main
        bios = BIOS(infile)
      File "./main.py", line 2157, in __init__
        v.showinfo()
      File "./main.py", line 2003, in showinfo
        self.vssdata.showinfo(depth+2)
      File "./main.py", line 2116, in showinfo
        print " "*depth, "Variables: %d"%len(self.vars)
    AttributeError: 'VSSData' object has no attribute 'vars'
    In both files it claims to find six visible forms, but 'Advanced' and 'Power' are definitely not accessible.

    Code:
    Found VISIBLE form with titleId 0x02B0 'Exit' at 0x0000E5C0
    Found VISIBLE form with titleId 0x02A5 'Boot' at 0x0000E690
    Found VISIBLE form with titleId 0x01F4 'Security' at 0x0000E740
    Found VISIBLE form with titleId 0x023E 'Power' at 0x0000EBF0
    Found VISIBLE form with titleId 0x0044 'Advanced' at 0x0000F570
    Found VISIBLE form with titleId 0x0029 'Main' at 0x000125A0
    The BIOS files are (uploaded to ge.tt/8ScsABD for easy access):
    R2020M4.rom extracted from ftp.vaio-link.com/pub/VAIO/Updates/EP0000181116.exe: api2.ge.tt/0/8ScsABD/1/blob/download
    R2021M4.rom extracted from ftp.vaio-link.com/pub/VAIO/Updates/EP0000209902.exe: api2.ge.tt/0/8ScsABD/0/blob/download
     
  15. SnakyJake

    SnakyJake MDL Novice

    Jan 23, 2012
    8
    0
    0
    #15 SnakyJake, Feb 4, 2012
    Last edited: Feb 4, 2012
    (OP)
    Hi,

    I updated my tools today. The empty-vars bug is removed now and some additional patches are implemented. Please retry. with new tools and gimme some feedback

    edit:
    I tried it myself. It works now but cannot detect patching method, so I have to take some closer look.

    What forms are visible in your setup, can you tell me? Here it seems only "power" is hidden...
     
  16. gabuclia

    gabuclia MDL Novice

    Feb 4, 2012
    2
    0
    0
    'Power' is hidden in both files, in R2020M4 'Advanced' should be hidden as well. With R2021M4 Sony enabled VT, so this option appears on the 'Advanced' form.
     
  17. whhaatt

    whhaatt MDL Novice

    May 15, 2011
    16
    0
    0
    Hi I have tried in windows and get the following error

    C:\Python32>python main.py -v XEWxx214.fd patched.fd
    Traceback (most recent call last):
    File "main.py", line 14, in <module>
    from . import refactor
    ValueError: Attempted relative import in non-package

    TM81 Packard Bell

    Any help?