Saturday, 20 August 2016

Insyde Bios Modding Advanced and Power Tabs



Due to a request I received from drakonn, I'll be covering how to enable the Advanced and Power tabs in the setup utility. Also, special thanks to Florin9doi for his impressive knowledge of BIOS. I rewrote my splash screen tutorial based on his input.

There's not really much background information I can put here. It's kind of public knowledge that there are hidden tabs in the setup utility. I think this decision is ultimately up to the OEM, so HP decided that we don't need to have access to these hidden tabs. This is most likely because changing some settings can damage your computer, so they're actually looking out for us. So here's a picture of what my unmodified setup utility looks like. If you'd like to follow along with this tutorial by using the same BIOS that I am, then here's where you can download it.


As you can see, it currently has Main, Security, Diagnostics, System Configuration, and Exit tabs. So I'll show you how to enable the hidden tabs.

I'll try to keep all my tutorials as generic as possible, but I already know that this will be impossible. Rarely do different BIOSes implement these restrictions in exactly the same way, so don't expect this to be a surefire way to unlock your hidden tabs. As simple as I make these tutorials seem, it still took me several weeks to get each modification working on my own BIOS.

To get started, make sure you unpack your BIOS installer so that you have access to the BIOS ROM. Then open it with Andy's tool, go to the structure view, check the Decompress Extracted Modules box, and extract the DXE Core module. The latest version of Andy's tool can be downloaded here.


My extracted module is named 4A538818-5AE0-4EB2-B2EB-488B23657022.MOD. Yours might be named something different. So let's open that module with a hex editor and search for a familiar string so that we can locate which module contains the setup utility. The hex editor I use is HxD. As a side note, my BIOS uses Unicode (UTF-16LE) strings. This means that after each letter there's a 00 hex byte, because each character is actually two bytes long. I think all Insyde BIOSes are that way, but I'm not sure. So here's what I am going to search for; notice how I have blank characters between each letter. The name of one of my tabs is System Configuration, so the module that contains this string should also contain the setup utility.


So let's search for this string in our DXE Core module and see if it exists. Awesome! It found it at offset 0x1A8B8C.


Now we know we're in the correct module. Next, search for the hex values 4D 5A (the "MZ" signature). These values are always at the start of a module, and the name of a module is always at the end of a module. So here's what it finds:


I circled the module's name in red. So now we need to remember the GUID of the SetupUtility module. Let's go back to Andy's tool to see what it is.
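The two searches above (UTF-16LE string, then back to the nearest MZ header, then the name at the end of the module) are easy to script. This is an added example, not the post's tooling; the sample blob is constructed to mimic the layout the post describes (module starts with MZ, module name as a UTF-16LE string at its end), and real dumps are far larger.

```python
import re

# Constructed stand-in for a decompressed DXE core dump (not the post's real file):
# two modules, each starting with the "MZ" magic and ending with its name as a
# UTF-16LE string, which is the layout the post describes for Insyde modules.
SAMPLE_DUMP = (
    b"MZ" + b"\x00" * 30 + "Unrelated".encode("utf-16-le") + b"\x00\x00"
    + b"MZ" + b"\x00" * 20
    + "System Configuration".encode("utf-16-le") + b"\x00" * 8
    + "SetupUtility".encode("utf-16-le") + b"\x00\x00"
)

# Three or more printable ASCII characters encoded as UTF-16LE ("S 00 y 00 s 00 ...").
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){3,}")


def find_utf16(blob: bytes, text: str) -> list:
    """Offsets of every occurrence of TEXT as a UTF-16LE string, i.e. the
    'letter, 00, letter, 00' pattern searched for in the hex editor."""
    needle = text.encode("utf-16-le")
    return [m.start() for m in re.finditer(re.escape(needle), blob)]


def module_start(blob: bytes, offset: int) -> int:
    """Nearest 'MZ' (4D 5A) header at or before OFFSET, i.e. the start of the
    module that contains that position; -1 if there is none."""
    return blob.rfind(b"MZ", 0, offset + 1)


def module_name(blob: bytes, start: int) -> str:
    """Last UTF-16LE string before the next module header, which is where the
    module name sits according to the post."""
    end = blob.find(b"MZ", start + 2)
    if end == -1:
        end = len(blob)
    runs = UTF16_RUN.findall(blob[start:end])
    return runs[-1].decode("utf-16-le") if runs else ""


def locate_setup_module(blob: bytes, text: str = "System Configuration"):
    """Tie the steps together: string hit -> enclosing module -> module name."""
    hits = find_utf16(blob, text)
    if not hits:
        return None
    start = module_start(blob, hits[0])
    return {"string_offset": hits[0], "module_start": start,
            "module_name": module_name(blob, start)}


if __name__ == "__main__":
    print(locate_setup_module(SAMPLE_DUMP))
```

On a real dump a bare `MZ` match can also occur inside ordinary data, so confirm the hit really is a PE header (the post does this by checking the module name at its end) before trusting the boundary.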


My SetupUtility GUID is FE3542FE-C1D3-4EF8-657C-8048606FF670. So let's disassemble this module to get a better understanding of how to mod it. To do this we need to go into the DUMP folder that Andy's tool makes when opening a BIOS file, and open the SetupUtility in there with IDA Pro. Here's what I mean:


And make sure you open the largest file whose name is similar to your SetupUtility's GUID. Since mine was FE3542FE-C1D3-4EF8-657C-8048606FF670, I'm going to open up the 531 kB file which is named similarly, FE3542FE-C1D3-4EF8-657C-8048606FF670_2_480.ROM. IDA Pro should automatically determine the file type. For me, it's a Portable executable for AMD64.


So now that it's disassembled, we have to find out where the tabs are located; then we can see what calls them. I created a program that can dump the internal forms representation (IFR) used in EFI's human interface infrastructure (HII). This can assist in finding the tab offsets, so you can download it here if you want to try using it. If you'd rather find them manually, then in IDA Pro go to Search | sequence of bytes. Then enter DF 42 4D B5 52 39 51 and press Ok. These hex values seem to always be in the header of the tabs, about 13 bytes after the beginning of the tab, which is the offset we are after.


Now this window will come up that shows where these bytes were found. Each one of these locations could potentially lead to one of the tabs.


So let's double click on the first one, which takes us here. I said that this byte sequence was in the header, so we need to scroll up about 13 bytes to get to the start of the tab subroutine.


Just go to each one of the places where that byte sequence occurred to find the offsets we're looking for. Make sure you write them down. Here are all of mine.


Let's go back to the first tab and see where it's being referenced from. Right click on the location and select Xrefs to. This will display the connections between this offset and other functions. You can zoom in to get a better view. Here's mine:


At one of these locations the setup utility is determining which tabs to show. This calling function will probably be closer to the start of the module's code, because that's where it is initializing everything. So let's double click on the first calling location and see if it looks suspicious.


Here's the calling location:


You might be able to determine in IDA Pro's graph overview that this subroutine is most likely what switches between the tabs when you press left and right. It does reference all the tab offsets, but this is just to determine which one it's currently selecting. This function is not the one we're looking for. If you want to make sure of this, you can modify some conditional jumps, but you will probably brick your computer this way. I should make a tutorial on how to recover from a brick. Let's check out the next calling function.


If you ever have trouble selecting the different calling functions in IDA Pro, you can right click on the DATA XREF and select Jump to cross reference. Then just double click on the address to jump to that location.


So here's what the second calling function looks like. Don't be surprised that it's not in a flow chart view. IDA Pro isn't perfect, so sometimes it can't produce this view for every function. As a side note, you can press the space bar to swap back and forth between the flow chart view and the assembly view. Since I know how this tutorial is going to end, I'm going to tell you that this is the function that decides what tabs are available in my BIOS. In yours, you might have to go through several more of the calling functions before you find the one you're looking for.


Since we can't easily see the bigger picture of this subroutine, we'll have to look through it. The main things you want to search for are conditional jumps that skip over one of the tab offsets. So once again, here are the ones I'm searching for:



Back to the second calling function. Wow! Almost immediately I notice almost all of my tab locations being referenced. There are also two conditional jumps:


Let me know if you guys think I add too many pictures. I want these tutorials to be thorough, but I'm feeling like this is almost too slow. Let me know what you think. So let's see where these conditional jumps go to. I just scrolled down a little. So it seems like the first one is jumping over two of the tab locations. These could be the two hidden tabs. The second conditional jump is going directly to the two tab locations. And the third, unconditional jump at the end is also going to bypass the two tabs.


So to make sure that those two tabs get referenced, we have to change the two conditional jumps. By changing the first one from a jump if zero (jz) to nothing, and by changing the second jz to a jmp, we can accomplish our objective. To view the hex values for the first jump, select it and go to IDA Pro's hex view by clicking on the Hex View tab. As you can see, it's 74 48. Since we want to remove it, let's change both bytes to no-operation instructions (nop, 90). Here's what we're actually changing:


And the second conditional jump's hex values are 74 0A. The first byte is the type of jump and the second is how far it's going to jump (an 8-bit offset relative to the next instruction). This is a short jump, and the opcode for an unconditional short jump is EB. So here's what we're actually changing:


So here's what the resulting changes look like:


Now the program always jumps to 0x180001099, which references those two tabs. So let's try this out. Produce a DIF file in IDA Pro by going to File | Produce file | Create DIF file. I recommend you don't save it in the DUMP folder, because it will most likely be deleted by Andy's tool at some point. A DIF file contains the offsets and changes that we made in IDA Pro. IDA Pro can't physically edit a file, so we have to use the information in the DIF file and a hex editor to apply the changes. You can close IDA Pro now. Before actually applying the changes with a hex editor, go back to Andy's tool and press the Advanced button. We want to enable the ability to make modifications to the modules. So these are the settings I changed. I also checked No SLIC, because otherwise we would have to select a SLIC table in order to repack our changes. I'm fine with my BIOS's current SLIC table.


Press Done to get back to the main screen of Andy's tool. Then press the Go button. When this message comes up, don't press Ok yet.


We need to modify the setup utility module first. So open the same file we disassembled with a hex editor and apply the changes based on what the DIF file says.
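Applying a DIF file by hand is error-prone, so here is the same step scripted. This is an added example, not from the post or from IDA: the DIF text follows the "offset: old new" line format IDA writes, with the post's ROM file name filled in, and the module fragment is constructed so that the two jumps sit at made-up offsets while the byte values (74 48 to 90 90, 74 0A to EB 0A) are the ones from the post.

```python
import re

# Constructed fragment standing in for the bytes around the two jumps the post
# patches (offsets are made up; the byte values are the ones the post shows):
#   offset 3: 74 48  jz  +0x48  -> 90 90 (two NOPs, jump removed)
#   offset 8: 74 0A  jz  +0x0A  -> EB 0A (unconditional short jmp)
ORIGINAL = bytes.fromhex("48 85 C0  74 48  90 90 90  74 0A  48 8D 05")

# An IDA DIF file is plain text: a banner line, a blank line, the input file
# name, then one "offset: old new" line per changed byte (hex file offsets).
DIF_TEXT = """This difference file is created by The Interactive Disassembler

FE3542FE-C1D3-4EF8-657C-8048606FF670_2_480.ROM
00000003: 74 90
00000004: 48 90
00000008: 74 EB
"""

DIF_LINE = re.compile(r"^([0-9A-Fa-f]+):\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{2})$")


def parse_dif(text: str) -> list:
    """Return [(offset, old_byte, new_byte), ...] for every change line."""
    changes = []
    for line in text.splitlines():
        m = DIF_LINE.match(line.strip())
        if m:
            changes.append(tuple(int(g, 16) for g in m.groups()))
    return changes


def apply_dif(data: bytes, text: str) -> bytes:
    """Apply the DIF to DATA. Every 'old' byte is checked first: a mismatch
    means the DIF was produced against a different file or offset, and patching
    anyway would corrupt the module, so the whole operation is refused."""
    buf = bytearray(data)
    for off, old, new in parse_dif(text):
        if off >= len(buf):
            raise ValueError(f"offset {off:#x} is past the end of the file")
        if buf[off] != old:
            raise ValueError(f"offset {off:#x}: DIF expects {old:02X}, file has {buf[off]:02X}")
        buf[off] = new
    return bytes(buf)


if __name__ == "__main__":
    print(apply_dif(ORIGINAL, DIF_TEXT).hex(" "))   # 48 85 c0 90 90 90 90 90 eb 0a 48 8d 05
```

For the real module, read the ROM file into `data`, pass the DIF file's contents as `text`, and write the returned bytes back out only if no ValueError was raised.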


Save the file. Now you can press Ok on the message from Andy's tool, and it should repack your BIOS with your modified SetupUtility module. Let's try it out. Rename the file Andy's tool output (mine is named 01448F29_SLIC.bin) to what the original ROM was called (mine is 01448F29.bin). This'll replace the original ROM with the modified one. Now run InsydeFlash.exe. Press Start, wait for it to initialize, then press Ok. It will now flash your computer with your modified BIOS, then restart. Upon startup, press the key that corresponds to your setup utility (mine is F10) to view your changes. Here's mine:


NO WAY!! An Advanced tab! That's weird??? Why didn't it unlock two tabs? Shouldn't there be seven tabs now? As it turns out, I haven't found a way to enable all seven tabs at once in my BIOS. But I do have a way of replacing an existing tab with this hidden seventh tab. Let's go back to the disassembled code where we changed the jump locations. Now let's change one of the referenced tabs to the seventh tab. My hidden tab is at address 0x18007F490 (I know this because it's the only one not referenced in the disassembled function we edited), so let's change the line of code "lea rax, 0x18007FA00" to reference this tab.


The hex values for this line are 48 8D 05 55 E9 07 00. The first three bytes are the "load effective address into rax" part, and the last four bytes are the offset of the address. This is a relative address, measured from the end of the current instruction, and it's stored in little endian. So if you're good with math you can determine the new values with a calculator, or you can just change some values and see if they'll work right by seeing what IDA Pro displays. Here's what mine looked like when I was finished:
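Here is that displacement arithmetic done in Python, as an added example rather than anything from the post. The instruction address 0x1800010A4 is not stated on the page; it is derived from the page's own numbers (target 0x18007FA00 minus displacement 0x7E955 minus the 7-byte instruction length), and the new bytes for the hidden tab fall out of the same formula.

```python
import struct

LEA_RAX_RIP = bytes.fromhex("48 8D 05")   # REX.W + lea rax, [rip + disp32]
INSN_LEN = len(LEA_RAX_RIP) + 4           # 3 opcode bytes + 4-byte displacement

# Values from the post: the lea that currently references the tab at 0x18007FA00,
# and the hidden tab at 0x18007F490 that should replace it.
ORIGINAL_INSN = bytes.fromhex("48 8D 05 55 E9 07 00")
CURRENT_TAB = 0x18007FA00
HIDDEN_TAB = 0x18007F490
# Derived, not stated on the page: the lea's own address, chosen so that the
# displacement 0x7E955 (bytes 55 E9 07 00) resolves to CURRENT_TAB. RIP-relative
# displacements are measured from the address of the *next* instruction.
INSN_ADDR = CURRENT_TAB - 0x0007E955 - INSN_LEN   # = 0x1800010A4


def decode_lea_target(insn_addr: int, insn: bytes) -> int:
    """Address that a 'lea rax, [rip+disp32]' located at INSN_ADDR resolves to."""
    if len(insn) != INSN_LEN or insn[:3] != LEA_RAX_RIP:
        raise ValueError("not a lea rax,[rip+disp32] encoding")
    (disp,) = struct.unpack("<i", insn[3:])      # signed 32-bit, little endian
    return insn_addr + INSN_LEN + disp


def encode_lea_target(insn_addr: int, target: int) -> bytes:
    """Bytes for 'lea rax, [rip+disp32]' at INSN_ADDR that resolve to TARGET.
    Targets outside signed 32-bit reach are refused instead of silently wrapping."""
    disp = target - (insn_addr + INSN_LEN)
    if not -2**31 <= disp < 2**31:
        raise ValueError(f"target {target:#x} not reachable from {insn_addr:#x}")
    return LEA_RAX_RIP + struct.pack("<i", disp)


if __name__ == "__main__":
    # Sanity check the derivation, then print the replacement bytes for the DIF.
    assert decode_lea_target(INSN_ADDR, ORIGINAL_INSN) == CURRENT_TAB
    print(encode_lea_target(INSN_ADDR, HIDDEN_TAB).hex(" "))   # 48 8d 05 e5 e3 07 00
```

Only the four displacement bytes change (55 E9 07 00 becomes E5 E3 07 00); the 48 8D 05 prefix stays, so the instruction length and everything after it are untouched.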


Now do the same procedure as before with the DIF file, hex editor, and Andy's tool to produce a newly modified BIOS. Now flash it, and one of the tabs should be replaced with a different one.


HMMMM.... that Power tab doesn't have anything new in it that the Advanced tab didn't already have. I guess there is something new about interrupts under one of the settings, which I'll never change anyway. I hope your Power tab isn't as lame as mine. So I'm just going to revert it back to having the Advanced tab instead.

This method of replacing one tab with another is probably the easiest way of unlocking one of the hidden tabs. The only downside to it is that you'll have to give up one of the other tabs.

I hope you enjoyed this tutorial. I know it was a long one, but it was worth reading because it covered some pretty good fundamentals of reverse engineering. IDA Pro makes this process much easier since it can quickly show what references what at any time. You can still do this same process with any other disassembler, but it probably won't be as easy.
