Notes on Hacking Insyde BIOSs

Posted by matt

Intro & prerequisites

At present, these notes mainly cover unpacking the BIOS into its component parts. There are several ways of doing this, and the following is just how I did it; I use both Linux and Windows. Get these source files from Marcan's site, and make sure you have python, lzma and gcc installed on Linux.

  • dumpsetup.py
  • fsdump.py
  • fvdump.py
  • scanlzma.c

Extract the ROM image (*.fd)

The BIOS update is normally provided as a self-extracting Windows executable. In the case of the HP 311 this contains another self-extracting executable, which in turn contains the flash utility and ROM images. Open it with 7-zip and extract the ROM image you wish to use (e.g. 3651F150.fd). If multiple images exist, check the size: they apply to different EEPROM sizes.

Decompress the image

The ROM image comprises an uncompressed header, followed by an LZMA compressed image. Switch over to Linux, where you can easily strip the header and decompress the image.

If you haven't already compiled scanlzma, do so now:

gcc -o scanlzma -O2 scanlzma.c

Use scanlzma to decompress the image, substituting 3651F150.fd with your fd file and 3651F150.bin with whatever you want the decompressed output to be called.

./scanlzma 0 < 3651F150.fd | lzma -c -d > 3651F150.bin

Dump the firmware volumes

./fvdump.py 3651F150.bin

You now have a number of files named fv-????????.bin. Before the next step, you need to choose the main volume (probably the biggest, with lowest file number). In the case of the F15 BIOS on the 311 this is named fv-00000010.bin.

Dump the file system and retrieve the setup program

./fsdump.py fv-00000010.bin

You have now pulled the BIOS apart into its component modules. You should have a large number of files with the extensions .pe (portable executable), .name (name) and .depex (dependency expression). You will probably also have a number of .raw files, and maybe a .ver; these will not be of interest.

The BIOS setup utility is a portable executable named 'SetupUtility'. At least for the 311, the python script identifies this as having a GUID (globally unique identifier) of fe3542fe-c1d3-4ef8-7c65-8048606ff670.

Examining and modifying the setup program

That's the straightforward part done - now you'll have to start using some initiative. You can use the dumpsetup.py script to construct a description of all EFI forms in the setup PE. However, you first need to find the offsets at which the forms are located, and set these in the array at the start of dumpsetup.py.

If you have a Windows machine with MS Visual Studio installed (the free Express version is OK), then the dumpbin utility is handy for examining the structure of PE files. Use it with the /HEADERS switch. There is also a free Windows tool, which may be useful, but I have not tried it.

Read up on the PE file spec - it is organised in a number of sections. The section labelled .text contains executable code. If you need to modify program function, you will have to make changes here, probably using a hex editor (e.g. XVI32 under Windows). To understand what you need to change, use a disassembler (such as IDA). For example, with the HP 311 BIOS, I could see from studying the disassembler output that a test was being performed to determine whether or not to enable the additional setup menus. By changing some opcodes from a JZ to a JNZ (see IA32 instruction set reference for more details) the menus would be enabled by default.

The EFI string tables and form definitions are in the .data section, so figure out where the .data section starts and take a look. For the HP 311 BIOS, the data section has a 16-byte header before the first string table. This header contains the address of the first form (found in the second 32-bit word) and the address of the first string table (found in the third 32-bit word). Read the EFI HII spec and you'll be able to figure out where the other forms are and how to modify them.

Regarding the actual hacking, that's all the help I can offer at the moment, but I may add to this in the future. It probably wouldn't take much work to modify Marcan's dumpsetup.py to parse the PE and figure out where each of the forms are.
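As an added example (not Marcan's dumpsetup.py and not code from the original post), here is the PE-parsing step the previous two paragraphs describe: walk the section table to find .data, read the 16-byte header, and take the second and third 32-bit words as the form and string-table addresses. It assumes those words are image-relative addresses (RVAs) and converts them to file offsets via the section table; the sample image, the section layout and the "FORM"/"STRT" markers are constructed for the demo.

```python
import struct

def parse_sections(image: bytes) -> list:
    """Return the section table of a PE image as a list of dicts."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", image, pe_off + 6)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]  # SizeOfOptionalHeader
    sec_off = pe_off + 24 + opt_size                        # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return sections

def rva_to_offset(sections: list, rva: int) -> int:
    """Map an image-relative address to a raw file offset (assumption: words are RVAs)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    raise ValueError(f"RVA {rva:#x} lies outside every section")

def find_setup_tables(image: bytes) -> dict:
    """Locate the first EFI form and string table from the 16-byte .data header."""
    sections = parse_sections(image)
    data = next(s for s in sections if s["name"] == ".data")
    words = struct.unpack_from("<4I", image, data["raw_ptr"])  # the 16-byte header
    return {"form_rva": words[1], "strtab_rva": words[2],
            "form_off": rva_to_offset(sections, words[1]),
            "strtab_off": rva_to_offset(sections, words[2])}

def build_sample_pe() -> bytes:
    """Constructed minimal PE: .text at RVA 0x1000, .data at RVA 0x2000 (file 0x200)."""
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew -> PE header
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0, 0x0102)  # COFF header
    hdr = struct.Struct("<8sIIII")
    hdr.pack_into(img, 0x58, b".text", 0x100, 0x1000, 0x100, 0x100)
    hdr.pack_into(img, 0x58 + 40, b".data", 0x100, 0x2000, 0x100, 0x200)
    struct.pack_into("<4I", img, 0x200, 0, 0x2040, 0x2010, 0)  # form RVA, string-table RVA
    img[0x210:0x214] = b"STRT"                              # constructed string-table marker
    img[0x240:0x244] = b"FORM"                              # constructed first-form marker
    return bytes(img)
```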

Rebuild the image

Once you have modified your setup program (hopefully without breaking it) you can use EzH20 under Windows to open the original fd file and replace the setup program according to its GUID. Take care, because Marcan's Python scripts and EzH20 display the GUID slightly differently. The GUID mentioned above should be fe3542fe-c1d3-4ef8-657c-8048606ff670 in EzH20. Ensure you save the modified image file.

Flash and test

Before programming the modified image using the Insyde utility under Windows, it would be a really good idea to create a USB flash disk with the unmodified image in the root directory. Read up on the emergency recovery procedure to get the complete details of this. It is extremely likely you will have screwed something up on your first attempt and your machine may then appear dead.

Thanks

Hi Matt

I will try this tomorrow, I'm a little busy right now.

Thank you for all you've done.